What is DNS over HTTPS (DoH)?
Traditional DNS sends your queries in plain text, which means your ISP and anyone on the network can see every website you look up. DNS over HTTPS encrypts those queries so they stay private.
Quick Answer
DNS over HTTPS (DoH) encrypts DNS queries by sending them through HTTPS connections on port 443, the same port used by regular secure web traffic. This prevents ISPs, network operators, and attackers on the path between you and the resolver from reading or tampering with your DNS lookups in transit. Most modern browsers including Chrome, Firefox, and Edge support DoH. You can enable it in your browser settings under Privacy or Security. Popular DoH providers include Quad9 (9.9.9.9), Cloudflare (1.1.1.1), and Google (8.8.8.8).
The Problem with Traditional DNS
Standard DNS sends every query as plain text, normally over UDP port 53 (with a fallback to TCP for large responses). When you type a URL into your browser, the DNS request travels unencrypted across your local network, through your ISP, and on to the DNS resolver. Anyone with access to that path can read it.
This creates several problems. Your ISP can log every domain you visit and sell that data to advertisers. Public Wi-Fi operators can monitor your browsing habits. Attackers on the same network can spoof or modify DNS responses and redirect you to malicious sites (DNS spoofing or hijacking). In some countries, governments use DNS monitoring to censor websites.
DNS over HTTPS solves this by wrapping DNS queries inside encrypted HTTPS connections. The query still reaches a DNS resolver, but nobody between you and the resolver can see what you asked.
How DNS over HTTPS Works
With traditional DNS, your browser sends a plain text UDP packet to a DNS resolver on port 53. With DoH, the browser instead sends the DNS query as an HTTPS request to a DoH-compatible resolver on port 443.
Because port 443 is the same port used by every HTTPS website, DoH traffic looks like ordinary web browsing. A network observer can see that you opened a TLS connection to the resolver's IP address (and, unless Encrypted Client Hello is in use, the resolver hostname in the TLS SNI field), but cannot read the queries inside it or tell whether you loaded a webpage or made a DNS lookup. DoH is not invisible, though: an operator who knows a resolver's addresses can still identify and block those connections.
DoH vs DoT: What is the Difference?
DNS over TLS (DoT) is another protocol that encrypts DNS queries. Both protect your queries from being read in transit, but they work differently.
| | DNS over HTTPS (DoH) | DNS over TLS (DoT) |
|---|---|---|
| Port | 443 (shared with HTTPS) | 853 (dedicated) |
| Protocol | DNS messages carried inside HTTPS (HTTP/2 or HTTP/3) | DNS messages carried directly over TLS |
| Visibility | Blends with web traffic; blocking it means blocking the resolver's endpoint | Uses its own port, easy to identify and block |
| Client support | Chrome, Firefox, Edge, Brave; Windows 11 system-wide (Safari follows the OS encrypted-DNS setting) | Android 9+ (Private DNS), systemd-resolved and other Linux resolvers |
| Best for | Personal privacy, bypassing censorship | System-wide encryption on Android and Linux; enterprise networks that want encrypted DNS to be identifiable |
For most users, DoH is the easier option since it works directly in your browser without any system-level configuration. DoT is more common in enterprise and mobile device deployments where administrators manage DNS settings centrally.
How to Enable DNS over HTTPS
Chrome
Go to Settings > Privacy and Security > Security > scroll to "Use secure DNS". Toggle it on and select a provider (Cloudflare, Google, or custom).
Firefox
Go to Settings > Privacy & Security > scroll to "DNS over HTTPS". Select "Max Protection" or "Increased Protection" and choose a provider. Firefox uses Cloudflare by default for US users.
Edge
Go to Settings > Privacy, search, and services > Security > "Use secure DNS". Toggle it on and select a provider.
Windows 11
Go to Settings > Network & Internet > your connection > DNS server assignment > Edit. Enter a DoH-compatible DNS address (like 1.1.1.1) and set encryption to "Encrypted only (DNS over HTTPS)".
Android
Go to Settings > Network & Internet > Private DNS. Select "Private DNS provider hostname" and enter dns.google or one.one.one.one. Note: Android uses DoT, not DoH, but the privacy benefit is the same.
Note: Windows 10 does not support DoH natively. You need Windows 11 or a browser-level setting to use encrypted DNS on Windows 10.
Popular DoH Providers
| Provider | DoH URL | Focus |
|---|---|---|
| Cloudflare | https://cloudflare-dns.com/dns-query | Speed + privacy |
| Google | https://dns.google/dns-query | Reliability |
| Quad9 | https://dns.quad9.net/dns-query | Security + malware blocking |
| NextDNS | https://dns.nextdns.io | Customizable filtering |
For a comparison of these providers and others, see our guide on best public DNS servers.
What DoH Does Not Protect
DoH is an important privacy improvement, but it is not a complete solution. Understanding its limits helps you make informed decisions about your security setup.
Your DoH provider can still see your queries
DoH encrypts the connection between you and the resolver, but the resolver itself sees every query and the client IP address it came from. If you use Google's DoH, Google knows which domains you look up. Choose a provider whose privacy policy you trust.
IP addresses are still visible
After DNS resolves a domain to an IP address, your device connects to that IP. Network observers can see the destination IP in packet headers even with DoH enabled, and for an HTTPS site the TLS handshake still sends the hostname in the clear in the SNI field unless the site and browser support Encrypted Client Hello. They may not know the exact URL, but they can usually tell which website you are visiting.
Does not replace DNSSEC
DoH protects the path between you and the resolver; it does not prove that the records the resolver returns are genuine. A compromised or malicious resolver, or poisoned data upstream of it, passes through DoH unchanged. DNSSEC validation, at the resolver or on the client, is what authenticates the data itself.
Can break enterprise security tools
Organizations that monitor DNS traffic for security (blocking malware domains, enforcing access policies) lose that visibility when clients send their queries to an external DoH resolver instead. This is why some corporate networks disable DoH on managed devices. The browsers cooperate to a degree: Firefox queries the canary domain use-application-dns.net before enabling DoH by default and backs off if the network's resolver returns NXDOMAIN for it, and Chrome and Edge skip the automatic DoH upgrade on machines under enterprise management.
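What "losing visibility" looks like from the defender's side, as an added example that is not part of the article: a small script that scans flow records from a TLS-aware sensor or proxy log and flags hosts talking to known DoH or DoT endpoints, then lists the ones that never query the corporate resolver at all (so any domain blocklist enforced there no longer reaches them). The resolver hostnames and IPs are the ones named in this article; the flow log is constructed with documentation-range addresses, and the endpoint list is a heuristic that will miss self-hosted or unlisted DoH servers.

```python
"""Spot DoH/DoT use in flow records from a TLS-aware sensor or proxy log.

Added example for this article, not part of it. SAMPLE_FLOWS is a constructed
log (documentation-range IPs, no real traffic). Endpoint matching is a
heuristic: a self-hosted or unlisted DoH server will not match, so treat a
hit as a lead for investigation, not proof.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Optional

# Hostnames and IPs from the article's provider lists.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net", "dns.nextdns.io"}
KNOWN_DOH_IPS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}
DOT_PORT = 853
PLAIN_DNS_PORT = 53

# Constructed sample: timestamp, source host, destination, destination port, TLS SNI (if any).
SAMPLE_FLOWS = """\
ts,src,dst,dport,sni
1,10.0.0.5,10.0.0.2,53,
2,10.0.0.5,198.51.100.20,443,www.example.com
3,10.0.0.7,198.51.100.7,443,cloudflare-dns.com
4,10.0.0.7,198.51.100.7,443,cloudflare-dns.com
5,10.0.0.7,203.0.113.10,443,intranet.corp.example
6,10.0.0.9,9.9.9.9,853,
7,10.0.0.9,10.0.0.2,53,
"""


def classify_flow(flow: Dict[str, str]) -> Optional[str]:
    """'doh', 'dot' or None for a single flow record."""
    port = int(flow["dport"])
    if port == DOT_PORT:
        return "dot"  # dedicated port: the easy case from the DoH/DoT table
    if port == 443 and (flow["sni"] in KNOWN_DOH_HOSTS or flow["dst"] in KNOWN_DOH_IPS):
        return "doh"  # blends with HTTPS; only the endpoint gives it away
    return None


def summarize(flow_csv: str, corporate_resolver: str) -> Dict[str, Dict[str, int]]:
    """Per source host that used encrypted DNS: how often it still used the corporate resolver."""
    stats = defaultdict(lambda: {"plain_dns": 0, "doh": 0, "dot": 0})
    for flow in csv.DictReader(io.StringIO(flow_csv)):
        kind = classify_flow(flow)
        if kind:
            stats[flow["src"]][kind] += 1
        elif int(flow["dport"]) == PLAIN_DNS_PORT and flow["dst"] == corporate_resolver:
            stats[flow["src"]]["plain_dns"] += 1
    return {src: s for src, s in stats.items() if s["doh"] or s["dot"]}


def bypassing_hosts(flow_csv: str, corporate_resolver: str) -> List[str]:
    """Hosts that use encrypted DNS and never queried the corporate resolver:
    a domain blocklist enforced on that resolver no longer applies to them."""
    stats = summarize(flow_csv, corporate_resolver)
    return sorted(src for src, s in stats.items() if s["plain_dns"] == 0)


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_FLOWS, "10.0.0.2").items():
        print(src, s)
    print("bypassing corporate resolver:", bypassing_hosts(SAMPLE_FLOWS, "10.0.0.2"))
```

On the sample log, 10.0.0.9 uses DoT on port 853, which the port alone reveals, while 10.0.0.7 is only caught because the sensor recorded the SNI `cloudflare-dns.com` on an otherwise ordinary port-443 flow. Without SNI (or with Encrypted Client Hello), the destination IP is the only remaining signal, which is why many networks that rely on DNS filtering simply block the well-known resolver endpoints and push their own DoH-capable resolver to managed devices instead.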
How to Verify DoH is Working
After enabling DoH, verify that it is active:
Cloudflare test
Visit https://1.1.1.1/help in your browser. If your queries are reaching Cloudflare's resolver, the page reports whether they arrived over DoH, DoT, or plain DNS; if it reports that you are not using 1.1.1.1 at all, your browser or system is still sending queries elsewhere.
Browsing Leak test
Visit https://browserleaks.com/dns to see which DNS resolver your browser is using. If it shows your DoH provider instead of your ISP, DoH is working.
You can also use DNSFly's DNS Propagation Checker to verify that your domain resolves consistently across global DNS servers, regardless of whether individual users have DoH enabled or not.