
DNS-over-HTTPS: What It Actually Protects (and What It Doesn't)

April 28, 2026 | Haven Team | 8 min read

Every website you visit starts with a DNS lookup — a plaintext broadcast of the domain you're about to connect to. DNS-over-HTTPS encrypts that lookup, which is a genuine privacy improvement for most people. But it shifts who can see your queries rather than making them invisible, and it's worth being precise about what you actually gain.


DNS — the Domain Name System — translates human-readable names like havenmessenger.com into IP addresses that routers can act on. It was designed in the early 1980s with no encryption whatsoever, and for decades that wasn't a major concern: the web was a different place, and the threat model didn't include ISPs selling browsing data or state-level adversaries doing bulk collection of DNS traffic.

The landscape has changed substantially. Unencrypted DNS queries are visible to anyone on the network path between your device and the DNS resolver — your ISP, network operators at coffee shops and airports, and anyone doing passive collection of internet traffic at scale. The domain you're looking up reveals the sites you intend to visit, even if the subsequent HTTPS connection is encrypted.

DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) both encrypt the lookup itself. Understanding what that achieves — and doesn't — requires being specific about the threat.

Why Unencrypted DNS Is a Privacy Problem

When your browser needs to reach a site, it sends a DNS query to a resolver — typically one configured by your ISP or network. That query travels in plaintext over UDP port 53. Anyone observing network traffic can see it.

The implications are more significant than they might appear. Even if a connection is HTTPS-encrypted, the initial DNS lookup reveals the domain. Bulk collection of DNS queries across a network segment builds a detailed profile of browsing behavior: which news sites, health resources, financial services, and communication tools a person uses, and when. This is metadata surveillance — not content interception, but behavioral mapping that can be nearly as revealing.

US ISPs have been legally permitted to sell anonymized (and in practice, pseudonymized) browsing data to third parties since a 2017 Congressional action repealing FCC privacy rules. DNS query logs are among the most valuable data they collect. Encrypting DNS queries removes this collection vector at the ISP level.

How DoH Works

DNS-over-HTTPS wraps DNS queries inside standard HTTPS requests sent to a DoH resolver. To a passive network observer — including your ISP — the query looks like ordinary HTTPS traffic to the DoH server's IP address. The domain you're looking up is not visible. The resolver that receives the query does see it, which is the key trade-off.

DoH operates on port 443, the same port used for all HTTPS traffic. This makes it difficult to block without breaking general web traffic — a significant advantage over earlier encrypted DNS approaches that used distinct ports easily blocked by network operators.

Major browsers — Firefox, Chrome, Safari, Edge — now support DoH natively and enable it by default in many regions, routing queries through resolvers operated by Cloudflare (1.1.1.1), Google (8.8.8.8), or others depending on configuration.
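To show concretely what "wrapping DNS in HTTPS" means on the wire, here is an added example (not code from the original post) that builds an RFC 1035 query, encodes it the way RFC 8484's GET form expects in the ?dns= parameter, and parses the application/dns-message response body a DoH resolver would return. The response bytes are constructed inline so nothing touches the network; the resolver URL is a placeholder.

```python
import base64
import struct

def build_dns_query(name, qtype=1):
    """RFC 1035 wire query for `name` (qtype 1 = A); ID 0 as RFC 8484 4.1 recommends for cacheability."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID, flags (RD set), QD/AN/NS/AR counts
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(resolver_url, wire_query):
    """RFC 8484 GET form: the raw DNS message, base64url-encoded without '=' padding."""
    b64 = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"

def read_name(msg, offset):
    """Decode a (possibly compressed) name; returns (name, offset just past it in the message)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer to an earlier name
            end = end if jumped else offset + 2
            offset, jumped = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF, True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_a_records(msg):
    """Pull (name, ttl, ipv4) tuples out of an application/dns-message response body."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qdcount):                            # skip the echoed question section
        offset = read_name(msg, offset)[1] + 4          # name, then QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        rdata, offset = msg[offset + 10:offset + 10 + rdlen], offset + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return records

# Constructed response body (no network involved): example.com A 192.0.2.1, TTL 300, owner via pointer 0xC00C.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The GET URL for www.example.com reproduces the request shown in RFC 8484 section 4.1.1; to an observer on the path only the TLS connection to the resolver's IP is visible, while the resolver itself decodes the full query.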

What DoH Actually Protects

Enabling DoH provides protection against a specific set of adversaries on a specific part of the network path:

The trust shift

DoH doesn't eliminate DNS surveillance — it moves it. Your ISP can no longer see your queries, but your DoH resolver can. You're trading one party's visibility for another's. Whether that's an improvement depends entirely on whom you trust more: your ISP or your DoH resolver operator.

What DoH Doesn't Protect

Several common misconceptions are worth correcting directly.

DoH does not hide which IP addresses you connect to. After the DNS lookup, your device makes a TCP/TLS connection to the resolved IP. That connection is visible to network observers, even if the domain name lookup was encrypted. For popular sites with dedicated IPs, the IP alone often identifies the destination.

DoH does not prevent SNI leakage. TLS connections include a Server Name Indication field — sent in plaintext during the TLS handshake — that identifies the hostname. An eavesdropper who can't see the DNS lookup can often still see the SNI from the subsequent connection. Encrypted Client Hello (ECH, formerly ESNI) addresses this, but it requires both client and server support and is not yet universally deployed.

DoH does not protect against your DoH resolver logging your queries. The resolver you choose sees every domain you look up. Against that specific adversary, a DoH provider whose logging practices contradict its privacy claims offers weaker protection than no DoH at all.

DoH does not provide anonymity. Your DoH resolver knows your IP address. Combined with timestamps and query patterns, a resolver operator can build a profile equivalent to what your ISP could build with traditional DNS.

DoT vs. DoH: What's the Difference?

DNS-over-TLS uses TLS encryption over a dedicated port (853) rather than wrapping queries in HTTPS. Both protocols provide equivalent privacy protection for the DNS query itself. The practical differences are in deployment and blocking resistance.

Property                          DNS-over-HTTPS (DoH)                              DNS-over-TLS (DoT)
Port                              443 (shared with HTTPS)                           853 (dedicated, distinct)
Blocking resistance               High — hard to block without breaking HTTPS       Low — port 853 is easy to block or filter
Network visibility                Looks like HTTPS traffic                          Clearly identifiable as DNS traffic
Corporate network compatibility   Can conflict with network inspection              Easier for network admins to manage
Privacy provided                  Equivalent to DoT                                 Equivalent to DoH

For personal use, DoH is generally preferable because it's harder to block and is built into major browsers. For network administrators managing infrastructure, DoT's dedicated port makes it more visible and controllable. Both are a substantial improvement over unencrypted DNS.

Choosing a DoH Resolver

The resolver choice matters because it's the entity that will see your DNS queries. Options worth considering:

Avoid using public resolvers operated by advertising companies without reading their data retention policies carefully. The resolver's privacy policy is load-bearing for the entire protection model.

How to Enable It

Firefox: Settings → Privacy & Security → scroll to "DNS over HTTPS" → Enable, select a provider or enter a custom URL.

Chrome/Edge: Settings → Privacy and security → Security → "Use secure DNS" → With a custom provider if you prefer something other than the default.

System-wide (Windows 11, macOS 13+): Both now support DoH at the OS level, which covers all applications rather than just browsers.

Android: Settings → Network & Internet → Private DNS → enter a DoT hostname (e.g., dns.nextdns.io). Android uses DoT rather than DoH at the system level.

Enabling DoH in your browser encrypts DNS for browser traffic. System-wide configuration covers all network traffic from the device, which is meaningfully more comprehensive.

DoH is a practical improvement with real limits. It eliminates passive ISP surveillance of your DNS queries, protects against local network eavesdropping, and reduces one of the most common vectors for unencrypted behavioral data collection. Understanding where the protection ends — at your resolver, at the subsequent TLS handshake — helps you avoid treating it as more than it is.
