DoH and DoT Explained: Encrypted DNS Setup Guide
Every time you visit a website, your device sends a DNS query to translate the domain name into an IP address. By default, this query travels across the network in plaintext — visible to anyone who can observe your traffic. DNS over HTTPS (DoH) and DNS over TLS (DoT) solve this problem by encrypting your DNS queries. This guide explains how both protocols work and walks you through enabling them on every major browser and operating system.
The Security Problem with Traditional DNS
Standard DNS uses port 53 (UDP, with TCP for large answers) and transmits queries and responses without any encryption. This creates several serious weaknesses:
- Traffic interception: Anyone on the same network, such as a coffee shop Wi-Fi operator, your ISP, or a malicious actor, can see every domain you look up.
- DNS spoofing: Anyone on the path can inject forged DNS responses and redirect you to phishing sites without your knowledge. Encrypted DNS closes this hole on the path between your device and the resolver; it does not protect you from a resolver that itself returns bad answers.
- ISP logging: Internet providers can record your complete browsing history from DNS queries alone, even for sites you reach over HTTPS.
These risks are why encrypted DNS protocols were developed. If you need a refresher on DNS fundamentals, see our guide to how DNS works.
What Is DoH (DNS over HTTPS)?
DoH wraps DNS queries inside HTTPS requests on port 443, the same port and encryption used by every secure website. Because DoH looks like ordinary web traffic, a network observer sees a TLS connection to a resolver but not the queries inside it. The resolver's IP address and, without ECH, its name in the TLS handshake remain visible, so an observer can tell that you use a DoH resolver, just not what you ask it.
https://cloudflare-dns.com/dns-query?name=example.com&type=A
The URL above is the JSON convenience form that Cloudflare and Google offer in addition to the standard: sent with an Accept: application/dns-json header, it returns a JSON answer. The standard DoH exchange defined in RFC 8484 is a little different. The client sends the binary DNS message either base64url-encoded in a dns= query parameter of an HTTPS GET, or as the body of a POST with Content-Type: application/dns-message, and the resolver returns the binary answer with the same application/dns-message type. RFC 8484 requires TLS 1.2 or later, and current resolvers negotiate TLS 1.3 where the client supports it. Because DoH rides on ordinary HTTPS infrastructure it is easy to deploy and cannot be blocked by port alone; a firewall has to block the IP addresses or hostnames of known resolvers instead, which works but requires an up-to-date list.
What Is DoT (DNS over TLS)?
DoT runs DNS over a TLS session on a dedicated port, 853 (RFC 7858). Because it uses its own port, network administrators can identify encrypted DNS traffic at a glance and apply policy to it.
DoT keeps the DNS-over-TCP wire format (each message prefixed by its two-byte length) and simply carries it inside TLS, so existing DNS code needs little change and the protocol is simpler than DoH. The client should verify the resolver's certificate against a configured hostname (this is what Android's Private DNS hostname field is for); otherwise an on-path attacker can terminate the TLS session with a certificate of their own. The trade-off is that port 853 is easy to block for firewalls that want to prevent encrypted DNS.
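As an added example, not code from this guide or from any resolver operator, the Python script below puts the two transports just described side by side: it builds a wire-format A query for example.com, encodes it as an RFC 8484 GET URL and as a DoT TCP frame, and parses an A-record answer. The sample response at the bottom is constructed by hand for the example (not a real capture), the resolver URL and hostname are Cloudflare's public ones, and the --live flag that performs real queries is this script's own convention.

```python
import base64
import socket
import ssl
import struct
import sys
import urllib.request


def build_query(name, qtype=1, txid=0):
    """RFC 1035 wire-format query with RD=1. RFC 8484 recommends ID 0 for DoH so
    identical queries produce identical, cacheable HTTP requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(base_url, query):
    """RFC 8484 GET form: ?dns=<base64url of the wire message, padding stripped>."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={dns}"


def dot_frame(query):
    """DoT reuses DNS-over-TCP framing: a two-byte big-endian length precedes each message."""
    return struct.pack("!H", len(query)) + query


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_answers(msg):
    """Return (rcode, [(ttl, dotted_ipv4), ...]) for the A records in an answer."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((ttl, ".".join(str(b) for b in rdata)))
    return rcode, answers


def doh_query(base_url, query):
    """Live DoH POST (RFC 8484 section 4.1); needs network access."""
    req = urllib.request.Request(base_url, data=query, method="POST", headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS connection closed mid-message")
        buf += chunk
    return buf


def dot_query(host, query, port=853):
    """Live DoT query: TLS to port 853 with certificate verification against host,
    then DNS-over-TCP framing in both directions; needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        tls.sendall(dot_frame(query))
        (length,) = struct.unpack("!H", _recv_exact(tls, 2))
        return _recv_exact(tls, length)


# Constructed sample (not a real capture): the answer a resolver might return for
# example.com/A. ID 0, flags QR|RD|RA, one question, one answer whose name is a
# compression pointer to the question, TTL 300, rdata 93.184.216.34.
SAMPLE_RESPONSE = (
    bytes.fromhex("0000 8180 0001 0001 0000 0000")
    + b"\x07example\x03com\x00" + bytes.fromhex("0001 0001")
    + bytes.fromhex("c00c 0001 0001 0000012c 0004 5db8d822")
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("DoH GET:", doh_get_url("https://cloudflare-dns.com/dns-query", q))
    print("DoT frame:", dot_frame(q).hex())
    print("Parsed sample:", parse_a_answers(SAMPLE_RESPONSE))
    if "--live" in sys.argv:
        print("Live DoH:", parse_a_answers(doh_query("https://cloudflare-dns.com/dns-query", q)))
        print("Live DoT:", parse_a_answers(dot_query("one.one.one.one", q)))
```

Run without arguments it works entirely offline; with --live it sends the same query to Cloudflare over both transports so you can compare the answers. Note that dot_query passes the hostname to wrap_socket: that is the certificate check DoT depends on, and dropping server_hostname would silently accept any certificate presented on port 853.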
DoH vs. DoT Comparison
| Feature | DoH | DoT |
|---|---|---|
| Port | 443 (shared with HTTPS) | 853 (dedicated) |
| Blocking difficulty | Harder: blends with web traffic, though known resolver IPs can still be blocked | Easy: block port 853 |
| Browser support | Built into Chrome, Firefox and Edge; Safari follows the OS setting | None built in; browsers use the OS resolver |
| OS support | Windows 11, macOS 11+, iOS 14+, recent Android | Android 9+, iOS 14+, macOS 11+ (via profile) |
| Performance | Persistent HTTP/2 connection with multiplexing; TCP and TLS handshake on first use | Persistent TLS connection with pipelined queries; TCP and TLS handshake on first use |
| Network management | Hard to identify and filter | Easy to identify and control |
How to Enable DoH: Browser-by-Browser Guide
Chrome
- Navigate to chrome://settings/security and enable Use secure DNS
- Select a provider such as Cloudflare (1.1.1.1) or Google (8.8.8.8), or enter a custom DoH URL
Firefox
- Go to Settings > Privacy & Security > DNS over HTTPS
- Choose Max Protection or Default Protection. Max Protection uses DoH only and never falls back to unencrypted DNS; Default Protection lets Firefox fall back when DoH fails
- Set the provider to Cloudflare or enter a custom DoH URL
Edge
- Navigate to edge://settings/privacy and enable Use secure DNS to specify how to look up the network address for websites
- Choose your preferred DNS provider
Safari
Safari has no DoH setting of its own; it uses the system resolver on macOS and iOS. Encrypted DNS is therefore configured system-wide, either by installing a DNS Settings configuration profile (.mobileconfig) that names a DoH URL or DoT hostname, or by using the Cloudflare 1.1.1.1 app, which configures it for you. The DNS fields under System Settings > Network only set unencrypted resolver addresses.
How to Enable DoT: Mobile Setup
Android (9.0 and later)
- Open Settings > Network & Internet > Private DNS
- Select Private DNS provider hostname
- Enter dns.google or one.one.one.one (the hostname must match the resolver's TLS certificate, which is how Android authenticates the DoT server)
iOS (14 and later)
There is no encrypted DNS toggle in iOS Settings; enabling DoT (or DoH) requires a DNS Settings configuration profile. The simplest approach is to install the Cloudflare 1.1.1.1 app, which configures it for you. For manual setup, create a .mobileconfig profile with Apple Configurator or any text editor (it is an XML plist) that specifies the DoH URL or DoT hostname, then install it from Settings > General.
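As an added example, not Apple's code or this guide's, the Python script below generates such a profile for either protocol with the standard library's plistlib. The payload key names (com.apple.dnsSettings.managed, DNSProtocol, ServerURL, ServerName, ServerAddresses) follow Apple's DNS Settings payload; the identifiers com.example.dns and the organization name are placeholders for this example and should be replaced with your own.

```python
import plistlib
import uuid


def dns_settings_payload(protocol, addresses, server_url=None, server_name=None):
    """Inner DNS Settings payload. DNSProtocol is "HTTPS" (needs ServerURL) or
    "TLS" (needs ServerName, which must match the resolver's certificate)."""
    if protocol == "HTTPS":
        if not server_url:
            raise ValueError("DoH profile needs ServerURL")
        settings = {"DNSProtocol": "HTTPS", "ServerURL": server_url,
                    "ServerAddresses": list(addresses)}
    elif protocol == "TLS":
        if not server_name:
            raise ValueError("DoT profile needs ServerName matching the resolver certificate")
        settings = {"DNSProtocol": "TLS", "ServerName": server_name,
                    "ServerAddresses": list(addresses)}
    else:
        raise ValueError("protocol must be HTTPS or TLS")
    return {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadIdentifier": f"com.example.dns.{protocol.lower()}",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": f"Encrypted DNS ({protocol})",
        "DNSSettings": settings,
    }


def build_profile(protocol, addresses, server_url=None, server_name=None, org="Example Org"):
    """Outer configuration profile wrapping one DNS Settings payload; returns plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.dns",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Encrypted DNS",
        "PayloadOrganization": org,
        "PayloadContent": [dns_settings_payload(protocol, addresses, server_url, server_name)],
    }
    return plistlib.dumps(profile)


def parse_profile(data):
    """Parse profile bytes back into a dict, e.g. to check a file before deploying it."""
    return plistlib.loads(data)


if __name__ == "__main__":
    doh = build_profile("HTTPS", ["1.1.1.1", "1.0.0.1"],
                        server_url="https://cloudflare-dns.com/dns-query")
    with open("cloudflare-doh.mobileconfig", "wb") as f:
        f.write(doh)
    dot = build_profile("TLS", ["9.9.9.9", "149.112.112.112"], server_name="dns.quad9.net")
    with open("quad9-dot.mobileconfig", "wb") as f:
        f.write(dot)
    print(parse_profile(doh)["PayloadContent"][0]["DNSSettings"])
    print(parse_profile(dot)["PayloadContent"][0]["DNSSettings"])
```

The generated files are unsigned; iOS will install them after a warning, while an MDM deployment would normally sign them. Keeping ServerAddresses alongside the URL or hostname matters because the device must reach the resolver without first doing a plaintext lookup of its name.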
Public Encrypted DNS Servers
| Service | DoH URL | DoT Hostname | IP |
|---|---|---|---|
| Cloudflare | https://cloudflare-dns.com/dns-query | one.one.one.one | 1.1.1.1 |
| Google | https://dns.google/dns-query | dns.google | 8.8.8.8 |
| Quad9 | https://dns.quad9.net/dns-query | dns.quad9.net | 9.9.9.9 |
Cloudflare emphasizes low latency and publishes a privacy commitment for 1.1.1.1 that limits what it logs. Quad9 blocks domains on known-malicious threat feeds by default (9.9.9.9). Google offers the broadest global infrastructure, with Anycast routing across hundreds of locations.
Limitations and Controversies
Encrypted DNS is not a silver bullet. Several important caveats exist:
- Enterprise network management: A browser doing its own DoH bypasses the internal resolver and with it DNS-based filtering and threat detection, unless IT configures the browser by policy to use the enterprise resolver.
- ISP and government regulation: Some countries treat DoH as a censorship-evasion tool. ISPs may block port 853 or restrict access to the IP addresses of known DoH servers.
- Centralization concerns: Most DoH traffic flows through a handful of large providers (Cloudflare, Google). Encryption hides queries from your ISP, but the resolver still sees every one of them in the clear, so the trust has moved rather than disappeared.
- SNI and IP exposure: Even with encrypted DNS, the server name is still sent in the clear in the TLS handshake via the Server Name Indication (SNI) field, and the destination IP address often identifies the site on its own. Encrypted Client Hello (ECH) is an emerging standard designed to close the SNI gap.
To verify your DNS configuration or inspect specific records, check out our DNS lookup guide.
Wrapping Up
DoH and DoT represent a meaningful step forward for internet privacy. The setup takes just a few minutes, but the protection is substantial — especially if you frequently use public Wi-Fi or want to keep your browsing activity private from your ISP.