DNS over HTTPS (DoH): What It Is and Why It Matters
Every time you type a website address into your browser, your device sends out a question: "What's the IP address for this domain?" That question is called a DNS query, and for decades it traveled across the internet in plain text — completely exposed to anyone watching the network. DNS over HTTPS (DoH) was built to fix that.
What It Is
DNS over HTTPS is a protocol that wraps your DNS queries inside encrypted HTTPS traffic — the same type of encryption used when you log into your bank or shop online. Instead of your DNS requests being sent in the open, they're bundled inside secure HTTPS connections and sent to a DoH-compatible DNS resolver. To outside observers, the traffic looks like ordinary web browsing.
DoH was standardized by the Internet Engineering Task Force (IETF) in RFC 8484 in 2018 and has since been built into major browsers like Firefox, Chrome, and Edge, as well as operating systems like Windows 11 and Android.
How It Works
Here's the basic flow:
- You type `example.com` into your browser.
- Instead of sending a plaintext UDP request to your ISP's DNS server on port 53, your device sends an encrypted HTTPS request to a DoH resolver (like Cloudflare's `1.1.1.1` or Google's `8.8.8.8`) on port 443.
- The resolver looks up the IP address and sends the answer back — still encrypted over HTTPS.
- Your browser connects to the website.
Because the query uses port 443 (the standard HTTPS port), it blends in with normal web traffic. A passive observer on your network — whether that's your ISP, a network administrator, or someone running a rogue Wi-Fi hotspot — cannot easily distinguish your DNS lookups from any other HTTPS traffic.
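The flow above can be made concrete at the byte level. The following Python example is added here and is not code from the original article or from any resolver vendor: it builds the wire-format DNS query that a DoH client sends, base64url-encodes it into the GET form defined by RFC 8484 (`?dns=...` with padding stripped, media type `application/dns-message`), and parses a constructed wire-format response to pull out the A record. The Cloudflare endpoint URL, the sample response and its 192.0.2.1 address are assumptions for illustration; nothing here touches the network.

```python
"""
DNS-over-HTTPS query construction per RFC 8484 (added example, not from the
original article). Builds a wire-format DNS query for an A record, base64url-
encodes it for the GET form of DoH, and parses a constructed wire-format
response. No network access is performed.
"""
import base64
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # assumption: a public DoH resolver URL
DOH_CONTENT_TYPE = "application/dns-message"           # media type defined by RFC 8484


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a standard recursive DNS query (QTYPE 1 = A, QCLASS 1 = IN).
    RFC 8484 recommends a zero transaction ID so identical queries can be
    served from HTTP caches."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"  # the empty root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(name: str, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form: ?dns=<base64url(query)> with '=' padding removed (RFC 8484 section 6)."""
    raw = build_dns_query(name)
    encoded = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(response: bytes) -> list[str]:
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x000F != 0:  # non-zero RCODE means the resolver reported an error
        return []
    offset = 12
    for _ in range(qd):  # skip the question section
        _, offset = _read_name(response, offset)
        offset += 4      # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = _read_name(response, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed sample response for example.com (address from the documentation range)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # response, RD+RA set, NOERROR
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c"                                  # pointer back to the QNAME at offset 12
    + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url("example.com"))
    print(parse_a_records(SAMPLE_RESPONSE))
```

The encoded query is the same whether it is sent with GET or POST; what an on-path observer sees in either case is a TLS session to port 443, not the query bytes. The zero transaction ID is deliberate: with the ID fixed, the URL for a given name is stable and cacheable, and HTTPS already provides the anti-spoofing that the random ID gave classic UDP DNS.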
Why It Matters for VPN Users
You might wonder: if I'm already using a VPN, do I need DoH? It's a fair question, and the answer depends on your setup.
Without a VPN, DoH is a significant privacy improvement. Your ISP can no longer easily log every domain you visit. This is especially relevant given that ISPs in many countries are permitted — or even required — to collect and sell browsing data.
With a VPN, your DNS queries should already be routed through the VPN tunnel and resolved by the VPN provider's own DNS servers. However, if your VPN connection drops or is misconfigured, a DNS leak can occur — your device falls back to sending DNS queries outside the tunnel, exposing your activity. Using DoH alongside a VPN (or choosing a VPN that implements DoH internally) adds an extra layer of protection against those leaks.
It's also worth noting that DoH alone is not a replacement for a VPN. DoH only encrypts the domain lookup phase. Your actual IP address remains visible to the websites you visit, and your ISP can still see which IP addresses you're connecting to — just not necessarily which domain names triggered those connections. In practice the domain name often still appears in the TLS handshake's Server Name Indication (SNI), which is sent unencrypted unless the browser and site both support Encrypted Client Hello.
Practical Examples and Use Cases
- Public Wi-Fi: When connected to a coffee shop or airport network, DoH prevents the network operator from logging your DNS queries or redirecting them to a manipulated server.
- Bypassing basic censorship: Some ISPs block websites by intercepting DNS queries. DoH can bypass DNS-level blocks because the queries are encrypted and sent to an external resolver. (Note: determined censors can still block DoH resolvers by IP.)
- Browser-level protection: Firefox and Chrome let you enable DoH directly in settings, giving you encrypted DNS even when you're not on a VPN.
- Enterprise environments: Network admins often debate DoH because it can bypass internal DNS controls. Many organizations configure DoH to route through approved internal resolvers instead of public ones.
DoH vs. DoT
DoH is often compared to DNS over TLS (DoT), another DNS encryption protocol. Both encrypt DNS traffic, but DoT uses a dedicated port (853) that's easy for network administrators to identify and filter. DoH blends into regular HTTPS traffic, making it harder to block — which is both its strength for privacy and a concern for network control.
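The leak scenario described under "Why It Matters for VPN Users", the enterprise concern about DoH bypassing internal resolvers, and the port-853 distinction between DoT and DoH all come down to what a network sensor can tell from destination port and address. The Python below is an added example, not code from the original article: it classifies constructed outbound flow records into plaintext DNS, DoT and DoH, flags plaintext DNS that left on a non-VPN interface as a leak, and separates HTTPS to an approved internal DoH resolver from HTTPS to a known public one. The `tun0` interface name, the `10.0.0.53` approved resolver, the log line format and all flow records are assumptions for illustration; the `1.1.1.1` and `8.8.8.8` addresses are the ones the article names.

```python
"""
Added example (not code from the original article): sort outbound flow records
into plaintext DNS, DoT and DoH, and flag the two cases the text warns about:
DNS leaking outside the VPN tunnel, and DoH to a resolver the organization has
not approved. All flow records are constructed; the interface name, the approved
resolver address and the log line format are assumptions for illustration.
"""
from dataclasses import dataclass

VPN_INTERFACE = "tun0"                 # assumption: name of the VPN tunnel interface
APPROVED_DOH = {"10.0.0.53"}           # assumption: the organization's internal DoH resolver
PUBLIC_RESOLVER_IPS = {"1.1.1.1", "8.8.8.8"}              # the two resolvers named in the article
PUBLIC_DOH_HOSTS = {"cloudflare-dns.com", "dns.google"}   # their DoH hostnames, visible as TLS SNI


@dataclass(frozen=True)
class Flow:
    iface: str
    proto: str      # "udp" or "tcp"
    dst_ip: str
    dst_port: int
    sni: str = ""   # TLS server name if the sensor records it, else empty


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line of the form: iface proto dst_ip dst_port [sni]."""
    parts = line.split()
    if len(parts) not in (4, 5):
        raise ValueError(f"malformed flow record: {line!r}")
    sni = parts[4] if len(parts) == 5 else ""
    return Flow(parts[0], parts[1], parts[2], int(parts[3]), sni)


def classify(flow: Flow) -> str:
    """Label a single flow.

    dns-leak       plaintext DNS (port 53) that left on a non-VPN interface
    dns-in-tunnel  plaintext DNS inside the tunnel (answered by the VPN provider)
    dot            DNS over TLS on its dedicated port 853, easy to identify and filter
    doh-approved   HTTPS to the approved internal DoH resolver
    doh-public     HTTPS matching a known public DoH resolver by IP or SNI
    https          any other HTTPS; DoH here is indistinguishable from browsing
    other          everything else
    """
    if flow.dst_port == 53:
        return "dns-in-tunnel" if flow.iface == VPN_INTERFACE else "dns-leak"
    if flow.dst_port == 853 and flow.proto == "tcp":
        return "dot"
    if flow.dst_port == 443 and flow.proto == "tcp":
        if flow.dst_ip in APPROVED_DOH:
            return "doh-approved"
        if flow.dst_ip in PUBLIC_RESOLVER_IPS or flow.sni in PUBLIC_DOH_HOSTS:
            return "doh-public"
        return "https"
    return "other"


def audit(lines: list[str]) -> dict[str, list[Flow]]:
    """Group flows by label so leaks and unapproved DoH can be reviewed first."""
    report: dict[str, list[Flow]] = {}
    for line in lines:
        flow = parse_flow(line)
        report.setdefault(classify(flow), []).append(flow)
    return report


# Constructed sample records (not captured from any real network)
SAMPLE_LOG = [
    "tun0 udp 10.8.0.1 53",                     # resolved by the VPN provider's DNS
    "eth0 udp 192.0.2.53 53",                   # leak: plaintext DNS bypassed the tunnel
    "eth0 tcp 1.1.1.1 443 cloudflare-dns.com",  # DoH to a public resolver
    "eth0 tcp 10.0.0.53 443",                   # DoH to the approved internal resolver
    "eth0 tcp 192.0.2.10 853",                  # DoT on its dedicated port
    "eth0 tcp 203.0.113.7 443 example.com",     # ordinary HTTPS (or DoH hiding inside it)
]

if __name__ == "__main__":
    for label, flows in sorted(audit(SAMPLE_LOG).items()):
        print(f"{label:14s} {len(flows)}")
```

The `https` bucket is the point of the DoH-versus-DoT comparison: port 853 identifies DoT outright, whereas a DoH resolver that is not on a known-IP or known-SNI list is just another HTTPS session. Matching on resolver IP alone is a heuristic, since the same address may also serve a web site, so in an enterprise the dependable control is configuring clients to use the approved resolver rather than trying to spot every public one on the wire.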