DNS over HTTPS, usually shortened to DoH, wraps your domain name lookups inside an encrypted HTTPS connection instead of sending them as plain text. Every time you type a web address, your device has to ask a DNS resolver "what IP address is this domain at" before it can connect. Traditionally that question and answer traveled unencrypted, which meant your internet provider, and anyone else on the network path, could see a plain list of every domain you looked up, even if the page content itself was encrypted with HTTPS.
What changed in 2026
- DoH is now the default in most consumer browsers, not an opt-in setting buried in advanced preferences. Chrome, Firefox, and Edge all ship it turned on with a fallback resolver already configured.
- Operating systems caught up. Windows and Android both added system-level DoH support, so the protection now applies outside the browser too, to apps that use the OS resolver.
- ISPs and some governments pushed back. Because DoH moves DNS control away from the network operator, several regions have debated or passed rules requiring ISPs to be able to inspect or block DNS traffic, which conflicts with DoH by design.
- DNS over QUIC (DoQ) started gaining adoption as a faster alternative that gets similar privacy benefits with less connection overhead than DoH.
How DNS over HTTPS actually works
Normally, DNS queries go out over port 53 in plain text, using a protocol built in the 1980s with no encryption in mind. DoH instead sends the same query as an HTTPS request to a resolver that supports it, over port 443, the same port normal web traffic uses. That has two effects: the query content is encrypted, and the traffic is harder for a network operator to distinguish from regular web browsing, since it looks like any other HTTPS connection.
What DoH hides and what it does not
This is the part most explainers get wrong. DoH protects the DNS lookup step specifically. It does not make you anonymous.
- Hidden: the plain-text list of domains you look up, from your ISP or anyone snooping the local network.
- Not hidden: the destination IP address you ultimately connect to, which is visible in your network traffic regardless of DNS encryption.
- Not hidden: the domain name in the TLS handshake itself, unless you also use encrypted client hello (ECH), a separate and newer protection.
- Not hidden: your activity from the DNS resolver you chose — Cloudflare, Google, or whoever you picked can still see everything you look up.
DoH vs DNS over TLS vs plain DNS
| Method |
Encrypted |
Port |
Blockable by network admins |
| Plain DNS |
No |
53 |
Easily |
| DNS over TLS (DoT) |
Yes |
853 (dedicated) |
Yes, by blocking the port |
| DNS over HTTPS (DoH) |
Yes |
443 (shared with web traffic) |
Hard, without breaking other HTTPS |
DoT is functionally similar to DoH in the privacy it provides, but it uses a dedicated port, which makes it trivial for a network administrator or firewall to block outright. DoH's use of the standard HTTPS port is a deliberate design choice that makes selective blocking much harder.
Should you turn it on
For most people, leaving the browser default enabled is a reasonable choice with essentially no downside. The tradeoffs to actually think about:
- On a managed corporate or school network, DoH can break local DNS filtering and security tools that rely on inspecting DNS traffic. Many organizations disable it deliberately for this reason.
- Choosing a resolver matters more than turning DoH on. If you route encrypted DNS through the same company that already tracks your browsing, you have not gained much privacy, just moved who can see it.
- DoH is not a substitute for a VPN if your goal is hiding your IP address or browsing activity from your ISP entirely. It closes one specific leak, not the whole picture.
FAQ
Does DoH slow down browsing?
Marginally, and usually not noticeably. The first connection to a new domain has a small added latency from the encrypted handshake, but most browsers cache results aggressively enough that it is not a practical concern.
Can my ISP still see what sites I visit if I use DoH?
They can see the IP addresses you connect to and the TLS handshake details unless you also use encrypted client hello, but they can no longer read the plain-text DNS query itself.
Is Cloudflare or Google a safe default DoH resolver?
Both publish privacy policies limiting data retention, but you are still trusting a single company with your lookup history. If that concerns you, several privacy-focused resolvers exist as alternatives.
Does DoH work with a VPN kill switch?
They solve different problems and can be used together. A VPN kill switch, covered in our guide to VPN kill switches, stops all traffic if your VPN drops; DoH just encrypts the DNS layer.
Where to go next