The Problem with Traditional DNS
Every time you type a website address into your browser, your device sends a DNS query — essentially asking "what is the IP address for example.com?" — to a DNS server. Traditionally, this query is sent in plain text over port 53 (UDP, falling back to TCP for large answers). That means:
- Your Internet Service Provider (ISP) can see every domain you look up
- Anyone on your local network (e.g., a coffee shop Wi-Fi) can sniff your DNS traffic
- Attackers can intercept and manipulate your DNS responses (DNS hijacking)
This is where DNS-over-HTTPS (DoH) comes in.
What Is DNS-over-HTTPS?
DNS-over-HTTPS is a protocol that sends your DNS queries encrypted inside regular HTTPS traffic, the same encryption that protects your bank login or email. Defined in RFC 8484, DoH carries the ordinary DNS wire-format message inside an HTTP request to a DoH-capable resolver on port 443: either a GET with the message base64url-encoded in a dns= query parameter, or a POST with the raw message as the request body, in both cases using the media type application/dns-message.
On the wire a DoH query is just another TLS session on port 443, so an observer who only looks at ports cannot single it out, and nobody in between can read or alter it. It is not invisible, though: the resolver's hostname appears in the TLS SNI (unless ECH is in use) and resolver IP addresses are public, so a network that wants to block DoH does so by blocking known resolvers rather than the protocol.
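The request and response formats described above, as an added example that is not code from the page, the RFC or any resolver vendor: it builds the RFC 8484 GET and POST forms of a query and parses the DNS message a resolver sends back, checking that the answer actually matches the question. The resolver URL is an assumption (any RFC 8484 endpoint would do), and the response it parses is constructed by hand so the whole thing runs offline.

```python
import base64
import struct

# Added example, not code from the page or any resolver vendor: build the RFC 8484
# GET and POST forms of a DoH query and parse the DNS message a resolver returns.
# Runs offline; SAMPLE_RESPONSE below is constructed by hand, not captured.

QTYPE_A = 1
QCLASS_IN = 1
DOH_URL = "https://cloudflare-dns.com/dns-query"  # assumption: any RFC 8484 resolver URL works


def encode_name(name):
    # "example.com" -> 0x07 "example" 0x03 "com" 0x00 (DNS label format)
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A):
    """One-question query with RD set. RFC 8484 section 4.1 suggests ID 0 so the
    same question always yields the same URL and HTTP caches can reuse it."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(name, qtype=QTYPE_A, url=DOH_URL):
    """GET form: wire message, base64url, padding stripped, in the dns= parameter."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")
    return f"{url}?dns={b64}"


def doh_post_request(name, qtype=QTYPE_A, url=DOH_URL):
    """POST form: raw wire message as the body, typed application/dns-message."""
    headers = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    return url, headers, build_query(name, qtype)


def read_name(msg, off):
    """Read a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier part of the message
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = off + 2  # the first pointer ends the name in the stream
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length > 63 or off + 1 + length > len(msg):
            raise ValueError("bad label")
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg, query):
    """Parse a DNS response and check it answers the query we sent.
    Returns {'rcode', 'ad', 'answers'}; 'ad' is the DNSSEC authenticated-data flag."""
    if len(msg) < 12:
        raise ValueError("message too short")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    if ident != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        questions.append((qname,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    exp_name, exp_off = read_name(query, 12)
    if questions != [(exp_name,) + struct.unpack("!HH", query[exp_off:exp_off + 4])]:
        raise ValueError("question section does not match our query")
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR header")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020), "answers": answers}


def is_valid_response(msg, query):
    """True if parse_response accepts msg as an answer to query."""
    try:
        parse_response(msg, query)
        return True
    except ValueError:
        return False


# Constructed sample response (not a real capture): ID 0, flags 0x8180 (QR, RD, RA),
# one A answer whose name is a pointer (0xC00C) back to the question at offset 12,
# TTL 3600, address 93.184.216.34.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    + encode_name("example.com") + b"\x00\x01\x00\x01"
    + b"\xc0\x0c" + b"\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04" + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(doh_get_url("www.example.com"))  # matches the GET example in RFC 8484 section 4.1.1
    print(parse_response(SAMPLE_RESPONSE, build_query("example.com")))
```

To send the POST form for real, hand the returned URL, headers and body to any HTTP client (for example urllib.request.Request(url, data=body, headers=headers, method="POST")) and feed the response bytes to parse_response together with the query you built. The question-section check is not optional: DoH protects the channel, not the content, so the client still has to verify that what came back answers what was asked, and the ad flag only means something if you trust the resolver to validate DNSSEC.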
DoH vs. DoT: What's the Difference?
| Feature | DNS-over-HTTPS (DoH) | DNS-over-TLS (DoT) |
|---|---|---|
| Port | 443 (HTTPS) | 853 (dedicated) |
| Encryption | Yes (HTTP/2 or HTTP/3 over TLS) | Yes (TLS) |
| Traffic blending | Blends with web traffic | Identifiable by port |
| Firewall bypass | Easier (needs resolver IP/domain lists to block) | Can be blocked on port 853 |
| Browser support | Firefox, Chrome, Edge | None; OS or router level (Android Private DNS, systemd-resolved) |
Both protocols encrypt DNS traffic effectively. DoH is more common in browsers, while DoT is often preferred for system-level or router-level DNS encryption.
How to Enable DoH in Your Browser
Firefox
- Go to Settings → Privacy & Security
- Scroll to DNS over HTTPS
- Select Max Protection or Increased Protection. Increased Protection tries DoH first but silently falls back to the operating system's plain DNS if the resolver is unreachable (network.trr.mode 2 in about:config); Max Protection uses DoH only and fails rather than downgrades (network.trr.mode 3), which is what you want if the point is that no query ever leaves in plaintext
- Choose a provider (Cloudflare or NextDNS) or enter a custom DoH URL
Chrome / Edge
- Go to Settings → Privacy and security → Security
- Enable Use secure DNS
- Choose a provider or enter a custom DoH server URL. The "With your current service provider" option only upgrades to DoH when Chrome recognises the system resolver as one that offers it, and otherwise keeps using plain DNS; pick a named provider or a custom URL to make DoH mandatory
Popular DoH Providers
- Cloudflare (1.1.1.1): https://cloudflare-dns.com/dns-query, fast and privacy-focused
- Google: https://dns.google/dns-query, reliable but logs queries
- Quad9: https://dns.quad9.net/dns-query, blocks malware domains
- NextDNS: https://dns.nextdns.io/<your-id>, customizable filtering
- AdGuard DNS: https://dns.adguard-dns.com/dns-query, built-in ad blocking
Does DoH Make You Completely Private?
Not entirely. DoH encrypts the query in transit, but your ISP still sees the IP addresses you connect to and, for most sites, the plaintext SNI (Server Name Indication) field of the TLS handshake, which names the destination domain. Encrypted Client Hello (ECH) hides the SNI, but only for sites that publish ECH keys, and browsers fetch those keys through DNS HTTPS records, so ECH itself depends on encrypted DNS. A VPN moves the vantage point rather than removing it: the VPN provider then sees what the ISP used to. Two further caveats matter in practice. The DoH resolver sees every query, so you are choosing whom to trust, not eliminating trust. And DoH encrypts the channel without authenticating the answers, so a resolver can still return whatever it likes; authenticity is DNSSEC's job, which is separate from DoH.
DoH in AdGuard Home
AdGuard Home supports DoH in both directions. As a client it can forward every query to a DoH upstream, so nothing leaves your network in plaintext; as a server it can expose its own DoH and DoT endpoints, so devices on your LAN talk to it encrypted too. Two details matter in practice: the upstream's hostname has to be resolved before the encrypted channel exists, which is what the bootstrap resolver setting is for, and serving DoH/DoT to clients needs a TLS certificate for the name those clients will use.
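An added configuration fragment for that setup, not taken from the page or from the AdGuard Home project's documentation. The key names are those of AdGuardHome.yaml (dns.upstream_dns, dns.bootstrap_dns and the tls section); the hostname, certificate paths and the choice of Quad9 as upstream are assumptions to replace with your own.

```yaml
# Added example AdGuardHome.yaml fragment; hostname and paths are assumptions.
dns:
  upstream_dns:
    # - 9.9.9.9                          # plain UDP/53 upstream: the setting this replaces
    - https://dns.quad9.net/dns-query    # DoH upstream: queries leave the LAN encrypted
  bootstrap_dns:
    - 9.9.9.9                            # plain DNS used only to resolve dns.quad9.net itself
    - 149.112.112.112
tls:
  enabled: true
  server_name: dns.home.example          # assumption: the name clients use; must match the cert
  port_https: 443                        # clients use https://dns.home.example/dns-query
  port_dns_over_tls: 853                 # clients use tls://dns.home.example
  certificate_path: /opt/adguardhome/conf/fullchain.pem   # assumption: cert chain for server_name
  private_key_path: /opt/adguardhome/conf/privkey.pem     # assumption: matching private key
```

Keep the bootstrap list to addresses, not names, since it is consulted before any encrypted resolver is reachable, and check that the certificate covers server_name exactly: a client configured with Max Protection (or a DoT-only Android Private DNS setting) will refuse to resolve at all if the TLS handshake fails, rather than falling back.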
Final Thoughts
DNS-over-HTTPS is one of the simplest privacy upgrades you can make today. Enabling it in your browser or configuring it on your DNS resolver takes minutes and meaningfully reduces the amount of your browsing data exposed to third parties.