DNS over HTTPS, explained — what changed when your name lookups got encrypted
Until 2018, every domain name you ever typed was visible in plaintext to your ISP, your hotel WiFi, and anyone with a packet capture. DNS-over-HTTPS quietly fixed that — and broke a few things along the way. Here's what changed, what it costs you, and which resolver to actually use.
When you type news.ycombinator.com into a browser, the very first thing that happens — before any HTTPS handshake, before any HTML loads — is a DNS lookup. Your computer asks "what's the IP address for news.ycombinator.com?" and waits for an answer. For thirty-five years that query went out over UDP port 53 in plain text. Anyone with a packet sniffer between your laptop and the DNS server could read every domain you ever asked about.
Not just your ISP — though they were the easy case. Anyone on the same WiFi. The hotel network. The conference router. The mobile carrier. The fiber operator one hop upstream from your ISP. Encrypted HTTPS protected what was inside your visit to news.ycombinator.com, but the fact that you visited it at all was visible to everyone in between.
DNS-over-HTTPS (DoH) changed that. Today, if you're using a modern browser with default settings, most of your DNS queries leave your laptop encrypted, look like generic HTTPS traffic to anyone watching, and end up at a privacy-aware resolver like Cloudflare's 1.1.1.1 or Google's 8.8.8.8 instead of whatever resolver your ISP wanted you to use.
This is one of the biggest internet privacy upgrades of the last decade. It's also broken a bunch of things — parental controls, corporate monitoring, ad-blocking that depends on DNS, captive portal detection. Here's the full picture.
How traditional DNS works (and why it's awful)
Your computer maintains a small cache of recently-resolved names. When that cache misses, it sends a UDP packet to your "resolver" — usually whichever DNS server your router told it about, which is usually your ISP's resolver, which they configured via DHCP when your router came online.
The query is plain text: QUERY news.ycombinator.com TYPE A. The response is plain text. UDP port 53. No encryption. No authentication of the resolver — your computer trusts whatever IP your router said to use, and the resolver trusts whatever upstream server it was configured with.
The privacy implications were known since the 1980s and ignored for thirty years. Every paper on internet privacy contained a paragraph that said "and of course DNS is a privacy disaster." But fixing it required coordinated changes from operating systems, browsers, resolver operators, and millions of network administrators — and there was no obvious vendor to organize the effort.
What DoH actually does
DoH wraps the DNS query in an HTTPS request to a known resolver. Instead of UDP port 53 to whatever IP your router said, your browser makes an HTTPS GET to https://cloudflare-dns.com/dns-query?name=news.ycombinator.com&type=A. The query is encrypted in transit. To a network observer, it looks like one more HTTPS request to a generic-looking domain.
The technical spec is RFC 8484, published in 2018. It defines two transport modes: an HTTPS GET with the query encoded in URL params (used by most consumer tools, including our DNS lookup), and an HTTPS POST with a binary DNS message body (used by libraries that want exact DNS protocol semantics).
Mozilla shipped DoH as the default in Firefox in 2019. Chrome followed in 2020. Apple shipped it in macOS Big Sur and iOS 14. Microsoft put it in Windows 11 (off by default, but easy to enable). Android has had DoT (the cousin protocol — DNS-over-TLS) as "Private DNS" since Android 9.
DoH vs DoT vs DNSCrypt
Three protocols solve the same problem differently.
DoT (DNS-over-TLS, RFC 7858): Same protocol as DNS, but wrapped in a TLS connection on port 853. Looks distinctly like "encrypted DNS" to a network observer (port 853 is reserved). Easy to block by network operators who want to ban encrypted DNS. Android calls this "Private DNS." Used by enterprise DNS resolvers.
DoH (DNS-over-HTTPS): Wrapped in HTTPS on port 443. Indistinguishable from generic web traffic to a network observer without deep packet inspection. Browsers chose this protocol precisely because it's hard to block — you can't ban DoH without banning HTTPS itself. Most modern consumer use is DoH.
DNSCrypt: Predates both. Originally launched by OpenDNS in 2011. Different cryptographic protocol; less standardised. Mostly used by die-hards and specific tools like dnscrypt-proxy. Still works, still secure, but not what mainstream browsers chose.
For a normal user, the relevant choice is "use DoH (your browser handles it)" vs "use the system resolver (your OS handles it, may or may not be encrypted depending on settings)." For an SRE configuring servers, DoT is often the easier deployment because it's just-TCP-with-TLS.
Which resolver should you actually use
The DoH protocol decouples the choice of resolver from your ISP. You can route your DNS to anyone who offers DoH. The choice matters: a privacy-oriented resolver helps; a snooping one hurts.
| Resolver | Endpoint | Stance | What's good |
|---|---|---|---|
| Cloudflare | 1.1.1.1 | No logs (independently audited) | Fastest globally for most users. Default in Mozilla Firefox. |
| 8.8.8.8 | Logs queries for 24-48 hours | Reliable, fast in most regions. You're giving Google your DNS. | |
| Quad9 | 9.9.9.9 | No logs, blocks known malware domains | Adds free DNS-level malware blocking. Run by a non-profit. |
| NextDNS | configurable | Logs ONLY what you opt-in to | Per-device customizable filtering, parental controls, analytics. Free up to 300k queries/mo. |
| AdGuard DNS | configurable | No logs | Blocks ads + trackers at the DNS layer. |
| OpenDNS / Cisco Umbrella | 208.67.222.222 | Logs queries | Mature enterprise filtering. Now owned by Cisco. |
For pure privacy: Cloudflare or Quad9. For privacy + ad blocking: AdGuard or NextDNS. For families: NextDNS with the safesearch + parental-control filters enabled. For "I just want it to work fast": Cloudflare.
You can test how each performs on your network from our DNS leak test — it probes all six providers in parallel and shows latency. Surprisingly often, the resolver closest to you geographically isn't the fastest.
How to enable DoH on your devices
macOS (system-wide)
Apple supports DoH via Configuration Profiles. The easiest way: download a profile from your chosen resolver (Cloudflare provides one at 1.1.1.1/dns/apple), open it on the Mac, install it from System Settings → Privacy & Security → Profiles. Once active, all apps (not just browsers) route DNS through the chosen DoH endpoint.
Windows 11
Settings → Network & Internet → Properties (of your active connection) → DNS server assignment → Manual. Set the IP to your resolver's DoH server (e.g. 1.1.1.1 for Cloudflare). Set "DNS over HTTPS" to "On (manual)." Repeat for IPv6.
iOS / iPadOS
Same profile approach as macOS. Cloudflare and Quad9 both have official iOS profiles. Install via Settings → General → VPN & Device Management → Configuration Profiles.
Android
Settings → Network & Internet → Private DNS → "Private DNS provider hostname" → enter 1dot1dot1dot1.cloudflare-dns.com (or your chosen resolver's hostname). Note: this is DoT, not DoH, but achieves the same encryption goal.
Browsers (overrides system)
Firefox: Settings → Privacy & Security → DNS over HTTPS → Increased Protection. Chrome: Settings → Security → Use secure DNS → choose provider. Edge: Settings → Privacy → Use secure DNS.
What DoH breaks (and the rebuttal)
DoH is occasionally controversial because it bypasses things some people relied on:
Network-level ad-blocking (Pi-Hole, etc.) — Pi-Hole works by being a DNS server that refuses to resolve ad domains. If your browser bypasses your local DNS and uses DoH directly to Cloudflare, Pi-Hole sees nothing. Fix: turn off DoH in your browser, point your Pi-Hole at a DoH-capable upstream like cloudflared, or use NextDNS instead (it does both encryption AND filtering).
Parental controls — Most consumer parental-control products work by filtering DNS. DoH bypasses them. Fix: use a parental-control product that's DoH-aware (most modern ones are), or block port 443 to known DoH endpoints on your router.
Corporate monitoring — Enterprises rely on DNS logs to detect malware C2 traffic, data exfiltration, and policy violations. DoH bypasses corporate DNS. Fix: most enterprise OSes (managed macOS, Intune Windows) have policies to disable browser DoH. For BYOD, enterprises use mobile device management.
Captive portals (hotel WiFi splash pages) — Captive portals work by intercepting DNS responses. With DoH, the interception fails. Modern OSes detect "I can resolve cloudflare.com but I can't reach the internet" and pop a captive portal browser. Works fine in practice but feels janky the first time.
What you lose, what you gain
The trade is clear: you gain privacy from your ISP and any network you transit. You lose the ability for your local network to inspect or filter your DNS queries. For the median internet user, the gain is enormous and the loss is invisible.
The exception is corporate networks, where DNS monitoring is a real security feature. Those networks should enforce policy explicitly (managed devices, MDM-controlled browsers) rather than relying on the OS default.
The bigger picture
DNS-over-HTTPS is part of a broader shift in internet protocols — the same shift that gave us QUIC, TLS 1.3 with encrypted SNI, and Encrypted Client Hello. The trend is clear: every protocol that used to be visible to network operators is becoming opaque. Network operators don't like this. Users mostly do. Browser vendors and chipmakers are aligned with users.
The next protocol on this list is Encrypted Client Hello (ECH), which encrypts the TLS handshake itself so even the destination hostname is hidden. ECH has been deployed by Cloudflare since 2023, by Firefox since 2025. When it reaches majority adoption — probably in the next 2-3 years — the only thing a network observer will be able to see is "this user made an HTTPS connection somewhere." Not which site. Not which DNS. Just opaque traffic.
This is good for privacy and bad for surveillance, in roughly that order of magnitude.