Every time you type a URL into a browser, your device sends a DNS query: "what's the IP address for example.com?" By default, that query travels unencrypted across the internet. Your ISP sees it. Anyone on your network sees it. A coffee shop router, a public library, a man-in-the-middle attacker — they all see every domain name you resolve, even if the actual connection is HTTPS.
HTTPS only encrypts the content of the connection. The DNS lookup that precedes it has historically been completely open.
DNS over HTTPS (DoH) and DNS over TLS (DoT) fix this. Here's what each protocol actually does, how they differ in practice, and how to enable them on every major platform.
Why Plain DNS Is a Privacy Problem
Standard DNS runs over UDP port 53 and is unencrypted. What this means in practice:
- Your ISP can see every domain you resolve and, in many countries, legally logs and sells this data.
- Network operators — at hotels, airports, corporate offices — can see your DNS traffic and use it for filtering or monitoring.
- DNS hijacking is trivial without encryption. Attackers or compromised routers can return false DNS responses, redirecting you to phishing sites. This is called DNS spoofing.
- Deep packet inspection can build a complete profile of your browsing activity from DNS alone — even without seeing actual page content.
Your ISP likely already sells anonymized browsing data built from DNS logs. This is legal in the US and many other countries.
What DNS over HTTPS Does
DNS over HTTPS (DoH) wraps DNS queries inside standard HTTPS requests. Instead of sending a plain-text UDP packet to port 53, your device sends an encrypted HTTPS request to a DoH resolver, typically on port 443.
The practical result: your DNS queries are completely indistinguishable from any other HTTPS traffic. Your ISP sees that you made an HTTPS connection to a Cloudflare or Google server, but cannot see which domains you queried.
DoH is defined in RFC 8484 (2018) and is now supported natively by Chrome, Firefox, Edge, and Safari.
What DNS over TLS Does
DNS over TLS (DoT) also encrypts DNS queries, but uses a dedicated connection on port 853 rather than riding inside HTTPS. It's a TLS-wrapped version of the standard DNS protocol.
The key difference: because DoT uses a dedicated port, it's easy to identify and either allow or block at a network level. A corporate firewall can permit port 853 traffic while still applying DNS filtering via its own resolver. Or it can block port 853 entirely to prevent DoT.
DoT is the standard used by Android's Private DNS feature (Settings > Network > Private DNS). You enter a hostname like dns.cloudflare.com or dns.quad9.net and Android automatically connects over DoT.
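Both transports carry the same wire-format DNS message; only the framing differs. As an added example (not code from the original article), the block below builds that message, encodes it as a DoH GET URL per RFC 8484 and as a length-prefixed DoT record per RFC 7858, and parses an answer. It runs offline: the response bytes are constructed, and the Cloudflare URL is used only as a string.

```python
import base64
import struct

# Added example, not from the article: the wire-format DNS message that DoH (RFC 8484)
# and DoT (RFC 7858) both carry, how each transport frames it, and how an answer is parsed.
def encode_name(name: str) -> bytes:
    """Length-prefixed labels: example.com -> 07 'example' 03 'com' 00."""
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    if any(not 0 < len(lab) < 64 for lab in labels):
        raise ValueError(f"bad label in {name!r}")
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Header (ID 0 as RFC 8484 suggests for cacheability, RD=1) + question; qtype 1 = A."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: ?dns=<base64url, no padding>; POST sends the same bytes as the body."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"

def dot_frame(query: bytes) -> bytes:
    """DoT (TLS on port 853) prefixes each message with its 2-byte length."""
    return struct.pack("!H", len(query)) + query

def _skip_name(msg: bytes, off: int) -> int:
    while (msg[off] & 0xC0) != 0xC0 and msg[off] != 0:   # walk labels to the end
        off += msg[off] + 1
    return off + (2 if (msg[off] & 0xC0) == 0xC0 else 1)  # a pointer is 2 bytes

def parse_a_records(msg: bytes) -> list[str]:
    """IPv4 answers from a wire-format response; [] on a non-zero RCODE."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x000F:                      # e.g. NXDOMAIN, SERVFAIL
        return []
    off, found = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == 1 and rdlen == 4:
            found.append(".".join(str(b) for b in msg[off + 10:off + 14]))
        off += 10 + rdlen
    return found
# Constructed response: same question, one A record of 192.0.2.1 (RFC 5737 address, not real)
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The query for www.example.com encodes to the exact `?dns=` value given as the GET example in RFC 8484, which is a handy check that the message bytes are right.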
DoH vs DoT: Which Should You Use?
| | DoH | DoT |
|---|---|---|
| Port | 443 (HTTPS) | 853 (dedicated) |
| Blends with normal traffic | Yes — hard to block | No — easily blocked |
| Network admin visibility | Very low | Can see that you're using DoT |
| Browser-level support | Yes (Chrome, Firefox, etc.) | No — OS/app level only |
| Best for | Personal devices, public Wi-Fi | Android Private DNS, corporate environments that allow it |
| NSA enterprise recommendation | Use with caution | Preferred for managed networks |
For most personal users, DoH is the better choice because it's harder to block and works directly in browsers. For Android, Private DNS (DoT) is built in and requires no third-party app.
ODoH: The Next Step (2026)
Cloudflare and Apple have been developing Oblivious DoH (ODoH) — a more private variant. The problem with standard DoH: even though your ISP can't see your queries, the DoH resolver (e.g., Cloudflare) can. They know both your IP address and the domains you're querying.
ODoH adds a proxy layer. Your queries go through a proxy that strips your IP, then forwards the anonymous query to the resolver. The resolver sees the query but not your IP. The proxy sees your IP but not the query. Neither has the full picture.
ODoH is not yet widely deployed in consumer products, but it's the direction the protocol is heading for maximum privacy.
Public DoH and DoT Resolvers
| Provider | DoH URL | DoT Hostname | Privacy Policy |
|---|---|---|---|
| Cloudflare | https://1.1.1.1/dns-query | one.one.one.one | No query logging after 24h |
| Cloudflare (malware blocking) | https://1.1.1.2/dns-query | security.cloudflare-dns.com | Same + blocks malware |
| Google | https://8.8.8.8/dns-query | dns.google | Logs kept up to 48h |
| Quad9 | https://dns.quad9.net/dns-query | dns.quad9.net | No logging, blocks threats |
| NextDNS | Unique per account | Unique per account | Configurable filtering + logging |
Cloudflare 1.1.1.1 and Quad9 are generally considered the best choices for privacy. Quad9 also blocks known malicious domains at the DNS level.
You can check which DNS server your device is currently using at our DNS server checker.
How to Enable DoH on Every Platform
Firefox
Firefox has had DoH support since version 62 and enables it by default in the US.
- Open Settings > Privacy & Security
- Scroll to DNS over HTTPS
- Select Max Protection (always use DoH, fail if unavailable) or Increased Protection
- Choose a provider from the list, or enter a custom DoH URL
Chrome / Edge / Brave
- Open Settings > Privacy and security > Security
- Find Use secure DNS
- Toggle it on and select a provider, or enter a custom URL
Edge uses the same setting but labels it Use secure DNS to specify how to lookup the network address for websites.
Windows 11
Windows 11 supports DoH at the OS level, so all apps benefit — not just browsers.
- Open Settings > Network & internet > Wi-Fi (or Ethernet) > your network > Hardware properties
- Click Edit next to DNS server assignment
- Set DNS to manual and enter a DoH resolver IP (e.g., 1.1.1.1)
- Under DNS over HTTPS, select On (automatic template) or enter the DoH URL
Windows Server 2025 (February 2026 update) now also supports DoH for client traffic — the first Windows Server release to do so. If you manage servers, check Microsoft's DNS security documentation.
macOS
macOS doesn't have built-in DoH settings yet (as of 2026). Options:
- Use a browser-level setting in Firefox or Chrome as above
- Install a configuration profile — Cloudflare's 1.1.1.1 app installs a network extension that enables DoH/DoT system-wide
- Use NextDNS — provides a configuration profile that enables DoH for all system traffic
iOS / iPadOS
Same as macOS — no native DoH in Settings yet. Use:
- The 1.1.1.1 app from Cloudflare (free, installs a VPN-like config profile)
- NextDNS app for more filtering control
- Safari and Chrome on iOS both support DoH through their own settings
Android
Android 9+ has Private DNS built in (this uses DoT, not DoH, but the privacy result is the same).
- Open Settings > Network & Internet > Advanced > Private DNS
- Select Private DNS provider hostname
- Enter one.one.one.one (Cloudflare), dns.quad9.net (Quad9), or dns.google (Google)
This applies to all DNS queries on the device, across all apps.
The Enterprise Caveat
The NSA has warned enterprises against using external DoH resolvers. The reasoning: corporate DNS filtering is a security control — it blocks malicious domains, enforces content policies, and provides audit logs for incident response. If employees use DoH to bypass the corporate DNS server, those controls disappear.
If you manage a corporate network, the solution isn't to ban DoH — it's to deploy your own DoH/DoT resolver that enforces your policies while still encrypting queries. Microsoft's Windows Server 2025 DoH support is aimed exactly at this use case: internal encrypted DNS that stays under your control.
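From the network side, the visibility difference between the two protocols is exactly what a bypass audit keys on. As an added example (not from the article), the block below runs over constructed egress flow-log lines and flags DoT by its dedicated port, probable DoH by a 443 connection to one of the public resolver IPs listed above, and hosts that never talk to the internal resolver at all. The internal resolver address 10.0.0.53 and the "src dst proto dport" log format are assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional

# Added example, not from the article: flag encrypted-DNS bypass of a corporate
# resolver in egress flow logs. The public resolver IPs are the ones in the table
# above; the internal resolver 10.0.0.53 and the "src dst proto dport" format are assumed.
INTERNAL_RESOLVERS = {"10.0.0.53"}
PUBLIC_RESOLVER_IPS = {"1.1.1.1", "1.1.1.2", "8.8.8.8"}   # DoH on 443 looks like any HTTPS

def classify_flow(line: str) -> Optional[str]:
    """Label one flow, or return None when it is unremarkable."""
    try:
        src, dst, proto, dport = line.split()
        for ip in (src, dst):
            ipaddress.ip_address(ip)                # raises ValueError on junk
        port = int(dport)
    except ValueError:
        return "unparseable"
    if port == 853 and proto == "tcp":
        return "DoT (port 853) to " + dst          # dedicated port: trivially visible
    if port == 443 and dst in PUBLIC_RESOLVER_IPS:
        return "probable DoH to " + dst            # only the destination gives it away
    if port == 53 and dst not in INTERNAL_RESOLVERS:
        return "plain DNS to external " + dst
    return None

def audit(log: str) -> Dict[str, List[str]]:
    """Findings per source host. A host that never queries the internal
    resolver is flagged as well: absence of expected traffic is a signal."""
    findings, hosts, seen_internal = defaultdict(list), set(), set()
    for line in (ln for ln in log.splitlines() if ln.strip()):
        parts = line.split()
        hosts.add(parts[0])
        if len(parts) == 4 and parts[1] in INTERNAL_RESOLVERS and parts[3] == "53":
            seen_internal.add(parts[0])
        label = classify_flow(line)
        if label:
            findings[parts[0]].append(label)
    for src in sorted(hosts - seen_internal):
        findings[src].append("no traffic to the internal resolver")
    return dict(findings)

# Constructed sample log (RFC 5737 documentation addresses stand in for real hosts)
SAMPLE_LOG = """
10.0.5.21 10.0.0.53 udp 53
10.0.5.21 203.0.113.5 tcp 443
10.0.5.22 1.1.1.1 tcp 443
10.0.5.23 198.51.100.9 tcp 853
10.0.5.24 8.8.8.8 udp 53
"""
```

Note that 10.0.5.21's ordinary HTTPS flow is not flagged: without the destination being a known resolver, DoH is indistinguishable from any other 443 traffic, which is the point the table above makes.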
Does DoH Prevent DNS Leaks?
Partially. DNS leaks happen when your VPN tunnel leaks DNS queries through your regular network interface, exposing them to your ISP. DoH helps because it encrypts those queries even if they leak outside the VPN tunnel — but your ISP can still see that you're making DNS requests to Cloudflare or Google (they just can't see what you're querying).
For complete DNS leak prevention while using a VPN, you need a VPN with built-in DNS leak protection and its own encrypted DNS resolver. How to test your VPN for DNS leaks.
Quick Summary
- Standard DNS is plain text. Your ISP and anyone on your network can see every domain you look up.
- DoH wraps DNS in HTTPS — impossible to distinguish from normal web traffic, works in browsers.
- DoT uses dedicated port 853 — used by Android Private DNS, easier to allow/block on networks.
- Both give you the same privacy benefit: your ISP no longer sees your DNS queries.
- Enable DoH in Firefox or Chrome settings (2 minutes). Enable DoT on Android via Private DNS (30 seconds).
- Check which DNS server you're currently using at our DNS server tool.