DNS queries reveal every site you visit, every app that phones home, every curiosity you follow. And since the 1980s, they've traveled across the Internet in plain text.
This wasn't a design flaw—it was a design assumption. DNS was built when the Internet was a small network of universities and research institutions. Trust was implicit. Encryption was expensive. The idea that someone would harvest DNS queries to build advertising profiles or censor content wasn't on anyone's radar.
Traditional DNS sends queries over port 53 (UDP, with TCP as a fallback), completely unencrypted. Your ISP sees them. Your network administrator sees them. Anyone on the path between you and the resolver sees them. They can be logged, analyzed, sold, used for censorship, or intercepted and modified by attackers.
DNS over HTTPS (DoH) wraps DNS queries in the same encryption that protects your banking transactions. Your queries travel inside HTTPS connections on port 443, where they look much like ordinary web browsing; what remains visible is that you are talking to a particular resolver, not what you asked it.
How DoH Works
With traditional DNS, your device sends an unencrypted query to a resolver (usually your ISP's), which responds with an IP address. Both question and answer travel in plain text.
With DoH, your device establishes an encrypted HTTPS connection to a DoH-enabled resolver. DNS queries become HTTPS requests, encrypted before leaving your device and decrypted only by the resolver you've chosen. Network observers can see you're connecting to a DoH resolver, but the contents of your queries remain hidden.
The protocol was standardized as RFC 8484 in October 2018. It uses TLS, the same encryption protecting every secure website, and carries each DNS message in its normal wire format: either as an HTTP GET with the message base64url-encoded (no padding) in a dns= query parameter, or as an HTTP POST whose body has the content type application/dns-message. Because it runs over HTTP/2, many queries can share a single encrypted connection instead of each opening its own.
What DoH Actually Protects
DoH prevents passive surveillance of your DNS queries. Your ISP can no longer build a profile of every site you visit based on DNS alone.
It also blocks on-path DNS manipulation. Because the session is both encrypted and authenticated, an attacker between you and the resolver cannot read, alter, or inject responses: the resolver's TLS certificate proves you are talking to the resolver you named, and any tampered record fails the TLS integrity check. Note what this does not cover: DoH authenticates the channel, not the DNS data. A compromised, coerced, or simply dishonest resolver can still hand you a bogus answer over a perfectly valid TLS connection; guarding against that is DNSSEC's job, not DoH's.
The Central Question: Who Do You Trust?
DoH doesn't eliminate surveillance—it lets you choose your surveillor.
When browsers implement DoH, they typically default to a specific provider. Firefox uses Cloudflare. Chrome upgrades to DoH if your current DNS provider supports it. Your DNS queries, previously visible to your ISP, now flow to a different company.
Your ISP can no longer see your queries. But the DoH provider sees all of them—and you're trusting their privacy policy, their security practices, and their resistance to government requests. You haven't eliminated the trust requirement. You've moved it.
This also concentrates a fundamental piece of Internet infrastructure with a handful of large companies. Whether that's better or worse than thousands of ISPs depends on your threat model and your politics.
DoH vs. DNS over TLS
Both DoH and DNS over TLS (DoT) encrypt DNS queries. The difference is visibility.
DoT uses TCP port 853—a dedicated port for encrypted DNS. Network administrators can easily identify, monitor, or block DoT traffic. Everyone can see that encrypted DNS is happening, even if they can't see the contents.
DoH uses port 443, blending with all other HTTPS traffic. Network administrators can't separate DoH from regular browsing by port alone; they have to match the destination against known resolver addresses or read the TLS server name (SNI) in the handshake, and neither method catches a resolver they don't already know about. This makes DoH harder to block but also harder to manage.
The choice reflects priorities: DoT for networks that want encrypted DNS while maintaining visibility. DoH for users who want their DNS queries to disappear into the noise of web traffic.
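The visibility difference above is easiest to see as detection logic. The following is an added example for this page (not code from the original article or from any network-monitoring product): it classifies constructed flow records of the form "src dst dport sni" using exactly the three signals a network operator has, namely the destination port, a short list of well-known DoH resolver hostnames, and a short list of their addresses. Both lists are illustrative and deliberately incomplete; the point is that only port 853 identifies itself, while DoH is found by what the operator already knows.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Illustrative, not exhaustive: public DoH endpoints and the addresses they answer on.
# A resolver absent from these lists is classified as ordinary HTTPS.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
KNOWN_DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed sample flows (fields: src dst dport sni; "-" = no SNI observed).
# 192.0.2.0/24 is a documentation range, so nothing here describes a real host.
SAMPLE_LOG = """\
10.0.0.5 1.1.1.1 853 -
10.0.0.5 1.1.1.1 443 cloudflare-dns.com
10.0.0.7 8.8.8.8 443 -
10.0.0.7 192.0.2.80 443 www.example.com
10.0.0.9 10.0.0.1 53 -
10.0.0.9 192.0.2.53 443 doh.example
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    sni: Optional[str]


def parse_log(text: str) -> list:
    """Turn the constructed log lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, sni = line.split()
        flows.append(Flow(src, dst, int(dport), None if sni == "-" else sni))
    return flows


def classify(flow: Flow) -> str:
    """Label a flow by the strongest signal available to an on-path observer."""
    if flow.dport == 53:
        return "plain-dns"          # contents readable
    if flow.dport == 853:
        return "dot"                # dedicated port: encrypted DNS announces itself
    if flow.dport == 443:
        if flow.sni in KNOWN_DOH_HOSTS:
            return "doh-by-sni"     # handshake names a known resolver
        if flow.dst in KNOWN_DOH_IPS:
            return "doh-by-ip"      # no usable SNI, but the address is known
        return "https"              # indistinguishable from browsing with these signals
    return "other"


def summarize(text: str) -> dict:
    """Count flows per label; the 'https' bucket is where unknown DoH hides."""
    return dict(Counter(classify(f) for f in parse_log(text)))


if __name__ == "__main__":
    for f in parse_log(SAMPLE_LOG):
        print(f"{f.src:>10} -> {f.dst:<12} :{f.dport:<4} {classify(f)}")
    print(summarize(SAMPLE_LOG))
```

The last sample line is the interesting one: a DoH flow to an unlisted resolver is counted as plain HTTPS, which is exactly the management gap the section describes. Encrypted Client Hello, where deployed, removes the SNI signal as well, leaving only the address list.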
Why DoH Is Controversial
DoH sparked genuine conflict because it shifts control over DNS from networks to browsers.
Many organizations use DNS filtering for security—blocking malicious domains, preventing phishing, enforcing policies. Parental control software often works by filtering DNS. When browsers bypass system DNS with DoH, these protections stop working.
The implementation approach matters. Firefox's approach—enabling DoH by default, overriding system settings—created the most friction. Chrome's approach—upgrading to DoH only if your existing provider supports it—preserves existing configurations.
Some countries see DoH as circumventing legal content restrictions. ISPs argue it breaks their ability to troubleshoot issues or block malware at the network level.
The underlying question: who controls DNS? The network operator? The browser vendor? The DoH provider? The user? DoH shifts that control, and not everyone agrees about where it should land.
Current Support
Firefox enabled DoH by default in the US in 2020, using Cloudflare. Users can change providers or disable it. Firefox checks for enterprise policies and parental controls and disables DoH on managed networks; it also disables DoH when the network's own resolver answers NXDOMAIN for the canary domain use-application-dns.net, which gives administrators a way to opt a network out.
Chrome upgrades to DoH automatically if your existing DNS provider supports it—your configuration stays the same, but gains encryption. It respects enterprise policies.
Safari (iOS 14+, macOS 11+) supports DoH but doesn't enable it by default. Apps can request encrypted DNS, and administrators can configure it through device management.
Windows 11 supports system-wide DoH configuration, letting you encrypt DNS for all applications rather than just browsers.
Android 9+ supports DNS over TLS (not DoH) through the Private DNS setting—similar protection, different protocol.
Linux support varies by resolver. systemd-resolved supports DoT (the DNSOverTLS= setting in resolved.conf) but not DoH; system-wide DoH on Linux usually means running a local forwarding proxy such as dnscrypt-proxy or cloudflared and pointing the system resolver at it.
Key Takeaways
DNS has broadcast your browsing habits in plain text since the 1980s—a design assumption from when the Internet was a trusted academic network.
DoH encrypts DNS queries using the same HTTPS that protects web traffic. Your ISP and network observers can no longer see which domains you're querying.
But DoH shifts trust rather than eliminating it. Your queries move from your ISP to your DoH provider. Choose that provider deliberately.
DoH blends with web traffic on port 443, making it hard to detect. DoT uses dedicated port 853, making it visible but manageable. The choice depends on whether you prioritize stealth or transparency.
The controversy is real: DoH can bypass security filters, parental controls, and enterprise policies. The tension between user privacy and network management reflects a genuine disagreement about who should control DNS.