What is DNS over HTTPS (DoH)?
DNS over HTTPS (DoH) is a protocol that encrypts Domain Name System (DNS) queries by transmitting them inside HTTPS connections. This prevents third parties from intercepting or observing which websites a user is trying to reach. Instead of sending DNS queries in cleartext, DoH wraps them in encrypted web traffic, shielding them from surveillance or manipulation.
DoH operates at the Application Layer (Layer 7) of the OSI model, meaning it integrates directly into apps—most commonly, web browsers. Its primary purpose is to protect user privacy and prevent DNS-based tracking or interference by securing the DNS lookup process alongside regular internet traffic.
How DNS over HTTPS Works
Traditional DNS queries travel unencrypted, making them visible to ISPs, public Wi-Fi operators, or malicious actors. DoH addresses this by routing those same queries through the same encrypted channel used for secure websites.
Here's what happens in a typical DoH query:
- A browser or app initiates a DNS query (e.g., example.com).
- The query is wrapped inside an HTTPS request using the HTTP/2 protocol.
- The encrypted request is sent to a DoH-compatible DNS resolver, such as one operated by a secure DNS filtering provider.
- The resolver responds over the same encrypted channel, and the application uses the result to load the requested site.
This process hides DNS traffic within the flow of typical encrypted web browsing, making it harder to intercept or block.
Why Use DNS over HTTPS?
The primary benefit of DoH is enhanced privacy. By encrypting DNS queries, it prevents observers such as ISPs, government entities, or attackers on public networks from seeing or tampering with the domains a user is visiting.
Use cases include:
- Protecting user activity on unsecured networks like cafés, airports, and hotels.
- Preventing DNS injection attacks or censorship in restrictive regions.
- Maintaining user anonymity by hiding DNS traffic from local networks and service providers.
However, DoH is not a one-size-fits-all solution. While individuals may benefit from its privacy protections, network administrators may need broader visibility into DNS traffic to enforce security and policy controls.
Should You Enable DoH?
It depends.
- For individual users, especially those using public networks or concerned about ISP tracking, enabling DoH in browsers or devices can improve privacy without much setup.
- For enterprises and managed environments, DoT (DNS over TLS) is typically a better choice, offering network-wide coverage and easier policy enforcement.
DNS over HTTPS and DNS Filtering
One challenge with DoH is that it can bypass network-level DNS policies if the browser sends queries directly to an external DoH resolver. That’s why secure DNS filtering platforms, like DNSFilter, offer ways to retain visibility and control, even when DoH is active.
Organizations can:
- Use device-level agents or roaming clients to route DoH traffic through secure resolvers.
- Configure firewalls or proxies to block unmanaged DoH traffic and enforce use of approved resolvers.
- Apply policies at the resolver level, ensuring that encrypted DNS queries are still evaluated against threat intelligence and content rules.
DoH enhances privacy, but without DNS filtering, it doesn’t prevent users from reaching malicious or inappropriate sites.
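The second control above (spotting DoH that bypasses the approved resolver) as an added detection example, not code from the original page or from DNSFilter: it scans constructed proxy log lines for the RFC 8484 signals (the `application/dns-message` media type or a GET carrying a `dns=` parameter) and flags requests to resolvers outside an approved set. It assumes the logs come from a proxy that terminates TLS and records request headers; without TLS inspection only the server name and IP of a known resolver are visible, and the approved resolver hostname is a placeholder.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Resolver hostnames the organization has approved (constructed placeholder).
APPROVED_DOH_RESOLVERS = {"doh.corp.example"}

# Constructed log lines from a TLS-inspecting proxy:
# client method url request-content-type accept ("-" when absent).
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET https://www.example.com/index.html - text/html
10.0.0.5 POST https://doh.corp.example/dns-query application/dns-message application/dns-message
10.0.0.7 GET https://public-doh.example.net/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE - application/dns-message
10.0.0.9 POST https://other.example.org/api/resolve application/dns-message application/dns-message
10.0.0.9 POST https://www.example.com/upload application/json application/json
"""

LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<ctype>\S+) (?P<accept>\S+)$")
DOH_MEDIA_TYPE = "application/dns-message"

def is_doh_request(method: str, url: str, ctype: str, accept: str) -> bool:
    """RFC 8484 signals: the dns-message media type on the request body or Accept
    header, or a GET whose query string carries the base64url 'dns' parameter.
    The path is deliberately not used: the DoH URI template is resolver-specific."""
    if DOH_MEDIA_TYPE in (ctype, accept):
        return True
    return method == "GET" and "dns" in parse_qs(urlsplit(url).query)

def find_unmanaged_doh(log_text: str) -> list:
    """Return (client, resolver_host) pairs for DoH requests to unapproved resolvers."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_doh_request(m["method"], m["url"], m["ctype"], m["accept"]):
            continue
        host = urlsplit(m["url"]).hostname
        if host not in APPROVED_DOH_RESOLVERS:
            findings.append((m["client"], host))
    return findings
```

The same predicate can drive a block rule on the proxy, so that only the approved resolver receives DoH traffic and the filtering policy still applies to every query.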
DoH vs Other Encrypted DNS Protocols
There are multiple ways to secure DNS traffic. Each has different implications depending on the user and environment.
| Feature / Concern | DoH (DNS over HTTPS) | DoT (DNS over TLS) | PDNS (Protective DNS) | DNS Filtering |
|---|---|---|---|---|
| Traffic Visibility | Obscures DNS in HTTPS traffic; harder to monitor | Easier to manage at network level | Policy-enforced; full traffic logging optional | Transparent query logging and reporting |
| Control for IT/Admins | Limited, unless DoH traffic is redirected or blocked | High—system-wide and router-level configuration | High—centrally managed with threat intelligence | High—rules, allow/deny lists, custom policies |
| Deployment Scope | Browser/app-specific | Device-wide or network-wide | Org-wide; often includes endpoint agents | Org-wide; supports roaming clients, networks |
| Bypass Risk | High—users/apps can select external resolvers | Low—requires system-level changes | Low—admin-enforced resolver and policies | Low—when deployed at network and device level |
| Primary Benefit | Privacy for individual apps | Privacy and integrity for all DNS traffic | Security-first: blocks risky domains pre-resolution | Threat prevention and content control |
| Best For | Consumers, BYOD users, privacy apps | Enterprises, MSPs, remote teams | Organizations with Zero Trust strategies | Any org needing DNS-layer security |
If you're building a secure network for a business or remote workforce, DoH should be used in tandem with filtering and device-level controls—not as a standalone solution.
DoH Adoption and Use
As of 2025, DoH is supported by most major browsers including Firefox, Chrome, Edge, and Safari. When enabled, DNS queries made through the browser are automatically encrypted, even if the underlying operating system does not support DNS encryption.
Real-world examples include:
- Mozilla enabling DoH by default in U.S. versions of Firefox.
- Mobile apps incorporating DoH to secure queries without altering OS-level settings.
- Enterprises deploying DoH-aware agents to maintain filtering policies across BYOD devices.
Who Might Use DoH?
- Consumers who want to keep their browsing private on shared or public networks.
- Developers embedding secure DNS in their applications.
- MSPs seeking to deliver DNS-layer privacy alongside content filtering.
- Privacy advocates operating in environments where DNS traffic is routinely monitored or modified.
Your DNS should be as private as your browsing. See how DNSFilter supports encrypted DNS protocols like DoH while giving you full control over network security. Start your free trial today.