What Is DNS over HTTPS (DoH)?

Q: What is DNS over HTTPS (DoH)?

DNS over HTTPS is a protocol that encrypts your DNS lookups by sending them inside an ordinary HTTPS connection. Traditional DNS travels in plaintext, so anyone on the network can see and tamper with the domains you resolve. DoH wraps the query in encryption so it cannot be read or altered in transit. It is defined in RFC 8484.

Q: What is the difference between DoH and DoT (DNS over TLS)?

Both encrypt DNS but differently. DoH sends DNS inside HTTPS on port 443 so it blends in with web traffic, while DoT encrypts DNS over TLS on its own dedicated port 853, which is easier for a network to identify and manage. They give the same privacy result and differ mainly in how visible the encrypted DNS is on the network.

Q: Is DNS over HTTPS more secure?

It is more private on the local path because it stops your ISP or anyone on your network from seeing or modifying your DNS queries. But it is not full anonymity: the DoH resolver you choose still sees your queries, so you shift trust to that resolver, and the destination IP you connect to afterward is still visible. It is a targeted improvement, not a complete privacy solution.

Q: What port does DNS over HTTPS use?

DNS over HTTPS uses port 443, the same port as normal encrypted web traffic, because it sends DNS queries inside an HTTPS connection. Traditional plaintext DNS uses port 53. Using port 443 is also why DoH is hard for a network to single out and block, since it looks like ordinary browsing.

Q: How do I enable DNS over HTTPS in my browser?

Modern versions of Firefox, Chrome, and Edge support DoH in their settings, usually under a Secure DNS or DNS over HTTPS option where you choose a provider. You can also enable it at the operating-system level on recent Windows and on many routers to cover every app. After enabling it, confirm with a DNS leak test that your DNS is going where you expect.

~/sheets/what-is-dns-over-https.md

Encrypting the Lookups Behind Every Click
Every time you visit a site, your device first does a DNS lookup to turn the domain name into an IP address. Traditionally that lookup travels in plaintext on port 53, meaning anyone on the path — your ISP, a Wi-Fi operator, a network snooper — can see every domain you resolve and even tamper with the answer. DNS over HTTPS (DoH) fixes that by wrapping the DNS query inside an ordinary encrypted HTTPS connection, so the lookup looks like normal web traffic and cannot be read or altered in transit.
DoH is defined in RFC 8484. Because it rides on HTTPS, it uses port 443 — the same port as the rest of your encrypted web browsing — which is also why it is hard for a network to single out and block. Test whether your resolver is leaking with our DNS Leak Test and look up records directly with the DNS Lookup tool.
DoH vs DoT (DNS over TLS)
Both encrypt DNS, but differently. DoH sends DNS inside HTTPS on port 443, blending in with web traffic. DoT (DNS over TLS, RFC 7858) encrypts DNS over TLS on its own dedicated port 853. DoT is easier for network administrators to see and manage as DNS traffic, while DoH is harder to distinguish from normal browsing and so is favored when the goal is to resist blocking. They achieve the same privacy result; they differ in how visible the encrypted DNS is on the network.
Is DNS over HTTPS More Secure?
It is more private on the local path: it stops your ISP or anyone on your network from seeing or modifying your DNS queries, which closes a real eavesdropping and tampering gap. But it is not total anonymity. Whatever DoH resolver you use (for example a public one) still sees your queries, so you are shifting trust from your ISP to that resolver. And DoH protects the DNS lookup only — the destination IP you then connect to is still visible. It is a meaningful, targeted improvement, not an all-in-one privacy solution.
How to Enable DNS over HTTPS
Modern versions of Firefox, Chrome, and Edge all support DoH in their settings, usually under a "Secure DNS" or "DNS over HTTPS" option where you can pick a provider. You can also enable it at the operating-system level on recent Windows and on many routers, which then covers every app on the device or network rather than just the browser. After enabling it, confirm your DNS is actually going where you expect — and not leaking to your ISP's resolver — with our DNS Leak Test.
Frequently Asked Questions
What is DNS over HTTPS (DoH)?
DNS over HTTPS is a protocol that encrypts your DNS lookups by sending them inside an ordinary HTTPS connection. Traditional DNS travels in plaintext, so anyone on the network can see and tamper with the domains you resolve. DoH wraps the query in encryption so it cannot be read or altered in transit. It is defined in RFC 8484.
What is the difference between DoH and DoT (DNS over TLS)?
Both encrypt DNS but differently. DoH sends DNS inside HTTPS on port 443 so it blends in with web traffic, while DoT encrypts DNS over TLS on its own dedicated port 853, which is easier for a network to identify and manage. They give the same privacy result and differ mainly in how visible the encrypted DNS is on the network.
Is DNS over HTTPS more secure?
It is more private on the local path because it stops your ISP or anyone on your network from seeing or modifying your DNS queries. But it is not full anonymity: the DoH resolver you choose still sees your queries, so you shift trust to that resolver, and the destination IP you connect to afterward is still visible. It is a targeted improvement, not a complete privacy solution.
What port does DNS over HTTPS use?
DNS over HTTPS uses port 443, the same port as normal encrypted web traffic, because it sends DNS queries inside an HTTPS connection. Traditional plaintext DNS uses port 53. Using port 443 is also why DoH is hard for a network to single out and block, since it looks like ordinary browsing.
How do I enable DNS over HTTPS in my browser?
Modern versions of Firefox, Chrome, and Edge support DoH in their settings, usually under a Secure DNS or DNS over HTTPS option where you choose a provider. You can also enable it at the operating-system level on recent Windows and on many routers to cover every app. After enabling it, confirm with a DNS leak test that your DNS is going where you expect.
Last updated: April 2026