DNS over HTTPS (DoH), standardized in RFC 8484, is a protocol that encrypts Domain Name System (DNS) queries by transmitting them inside HTTPS connections. This prevents on-path third parties (anyone between the client and the resolver) from intercepting or observing which websites a user is trying to reach. Instead of sending DNS queries in cleartext, DoH wraps them in encrypted web traffic, shielding them from surveillance or manipulation in transit.
DoH operates at the Application Layer (Layer 7) of the OSI model, meaning it integrates directly into apps—most commonly, web browsers. Its primary purpose is to protect user privacy and prevent DNS-based tracking or interference by securing the DNS lookup process alongside regular internet traffic.
Traditional DNS queries travel unencrypted over UDP or TCP port 53, making them visible to ISPs, public Wi-Fi operators, or malicious actors. DoH addresses this by sending those queries over the same kind of encrypted HTTPS channel (TCP port 443) used for secure websites, so to an observer they are indistinguishable from ordinary web traffic.
Here's what happens in a typical DoH query:
This process hides DNS traffic within the flow of typical encrypted web browsing, making it harder to intercept or block.
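The exchange described above, as an added example that is not part of the original article: it builds the DNS wire-format query, wraps it in both RFC 8484 request forms (GET with a base64url `dns` parameter, and POST with an `application/dns-message` body), and parses a resolver's response. The resolver URL `https://dns.example/dns-query` and the response bytes are constructed for illustration; the GET URL produced for `www.example.com` matches the request example given in RFC 8484.

```python
import base64
import struct

# Hypothetical resolver endpoint for illustration; substitute the real resolver URL.
DOH_ENDPOINT = "https://dns.example/dns-query"


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query: one question, class IN, recursion desired.
    RFC 8484 recommends ID=0 so identical queries give identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(name: str, qtype: int = 1, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form: wire query, base64url-encoded with padding stripped, in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).decode("ascii").rstrip("=")
    return f"{endpoint}?dns={b64}"


def doh_post_request(name: str, qtype: int = 1, endpoint: str = DOH_ENDPOINT):
    """POST form: the raw wire query is the body; both forms use application/dns-message."""
    body = build_query(name, qtype)
    headers = {
        "Accept": "application/dns-message",
        "Content-Type": "application/dns-message",
        "Content-Length": str(len(body)),
    }
    return endpoint, headers, body


def read_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg: bytes) -> dict:
    """Parse a DNS response body, returning the RCODE and any A records (name, IPv4, TTL)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"rcode": flags & 0xF, "answers": answers}


# Constructed response a resolver might return for "example.com" A (IP is from TEST-NET-1).
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # ID 0, QR|RD|RA, 1 question, 1 answer
    + b"\x07example\x03com\x00\x00\x01\x00\x01"          # question echoed back
    + b"\xc0\x0c"                                        # name: pointer to offset 12
    + b"\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"        # type A, class IN, TTL 300, rdlen 4
    + b"\xc0\x00\x02\x01"                                # 192.0.2.1
)

if __name__ == "__main__":
    print(doh_get_url("www.example.com"))
    print(parse_response(SAMPLE_RESPONSE))
```

The query is sent with an ordinary HTTPS client (TLS to the resolver's hostname on port 443), which is why it blends in with web browsing: nothing on the wire but the destination distinguishes it from any other HTTPS request.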
The primary benefit of DoH is enhanced privacy on the path between the client and the resolver. Because queries are encrypted, on-path observers such as ISPs, government entities, or attackers on public networks cannot see or tamper with the domains a user looks up. Two caveats a practitioner should keep in mind: the DoH resolver operator still sees every query, so the choice of resolver matters, and the TLS Server Name Indication (SNI) of the connection that follows the lookup can still reveal the destination hostname unless Encrypted Client Hello is in use.
Use cases include:
However, DoH is not a one-size-fits-all solution. While individuals may benefit from its privacy protections, network administrators may need broader visibility into DNS traffic to enforce security and policy controls.
Whether DoH makes a network more secure depends on how it is deployed. Because a browser can send its queries directly to an external DoH resolver over port 443, it can silently bypass the resolver and the DNS policies configured on the network. That is why secure DNS filtering platforms, like DNSFilter, offer ways to retain visibility and control even when DoH is active.
Organizations can:
DoH enhances privacy, but without DNS filtering, it doesn’t prevent users from reaching malicious or inappropriate sites.
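One way to regain visibility over DoH on a managed network, as an added example rather than the article's or DNSFilter's own code: scan HTTP proxy logs for the indicators that mark a request as DoH (a well-known public resolver hostname, the RFC 8484 default path `/dns-query`, the `dns` query parameter, or the `application/dns-message` media type) and decide whether the resolver is the organization's sanctioned one. The log format, the sample lines, and the sanctioned resolver `doh.corp.example` are constructed for this example; the public resolver list is a starter set, not an exhaustive one. Path and media-type indicators are only visible at a proxy that inspects TLS; without inspection, only the hostname (from SNI) and destination IP are available, so the known-host list is the fallback.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Well-known public DoH endpoints a browser may choose on its own (starter list, not exhaustive).
KNOWN_PUBLIC_DOH_HOSTS = {
    "dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
    "dns.quad9.net", "doh.opendns.com",
}
# Hypothetical organization-run resolver that applies the filtering policy.
SANCTIONED_DOH_HOSTS = {"doh.corp.example"}
DOH_MEDIA_TYPE = "application/dns-message"

# Constructed proxy log format: ts client method host path status "content-type"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)

SAMPLE_LOG = """\
2025-01-15T09:00:01Z 10.0.1.23 GET www.example.com /index.html 200 "text/html"
2025-01-15T09:00:02Z 10.0.1.23 GET dns.google /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB 200 "application/dns-message"
2025-01-15T09:00:03Z 10.0.1.40 POST doh.corp.example /dns-query 200 "application/dns-message"
2025-01-15T09:00:04Z 10.0.1.51 POST 203.0.113.7 /resolve 200 "application/dns-message"
2025-01-15T09:00:05Z 10.0.1.51 GET cdn.example.net /assets/app.js 200 "application/javascript"
"""


def doh_indicators(host: str, path: str, ctype: str) -> list:
    """Return the list of reasons a request looks like DoH (empty if none)."""
    reasons = []
    if host.lower() in KNOWN_PUBLIC_DOH_HOSTS:
        reasons.append("known public DoH resolver")
    parts = urlsplit(path)
    if parts.path.rstrip("/").endswith("/dns-query"):
        reasons.append("RFC 8484 default path /dns-query")
    if "dns" in parse_qs(parts.query):
        reasons.append("base64url 'dns' query parameter")
    if ctype.split(";")[0].strip().lower() == DOH_MEDIA_TYPE:
        reasons.append("application/dns-message media type")
    return reasons


def classify(host: str, path: str, ctype: str):
    """Return (verdict, reasons): verdict is None for non-DoH traffic,
    'allow' for the sanctioned resolver, 'block' for any other DoH endpoint."""
    reasons = doh_indicators(host, path, ctype)
    if not reasons:
        return None, reasons
    verdict = "allow" if host.lower() in SANCTIONED_DOH_HOSTS else "block"
    return verdict, reasons


def scan_log(text: str) -> list:
    """Parse log lines and return a finding for every DoH request seen."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these separately
        e = m.groupdict()
        verdict, reasons = classify(e["host"], e["path"], e["ctype"])
        if verdict:
            findings.append({"client": e["client"], "host": e["host"],
                             "verdict": verdict, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["verdict"].upper(), f["client"], "->", f["host"], ";", ", ".join(f["reasons"]))
```

The same host list feeds the enforcement side: a sanctioned resolver that answers NXDOMAIN for the public DoH hostnames keeps browsers on the network resolver, and Firefox additionally treats an NXDOMAIN for its canary domain `use-application-dns.net` as a signal to leave DoH off by default.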
There are multiple ways to secure DNS traffic. Each has different implications depending on the user and environment.
| Feature / Concern | DoH (DNS over HTTPS) | DoT (DNS over TLS) | PDNS (Protective DNS) | DNS Filtering |
|---|---|---|---|---|
| Traffic Visibility | Obscures DNS inside HTTPS traffic on port 443; harder to monitor | Uses a dedicated port (853), so it is easy to identify and manage at the network level | Policy-enforced; full traffic logging optional | Transparent query logging and reporting |
| Control for IT/Admins | Limited, unless DoH traffic is redirected or blocked | High; system-wide and router-level configuration | High; centrally managed with threat intelligence | High; rules, allow/deny lists, custom policies |
| Deployment Scope | Browser/app-specific | Device-wide or network-wide | Org-wide; often includes endpoint agents | Org-wide; supports roaming clients and networks |
| Bypass Risk | High; users/apps can select external resolvers | Low; requires system-level changes | Low; admin-enforced resolver and policies | Low; when deployed at network and device level |
| Primary Benefit | Privacy for individual apps | Privacy and integrity for all DNS traffic | Security-first: blocks risky domains pre-resolution | Threat prevention and content control |
| Best For | Consumers, BYOD users, privacy apps | Enterprises, MSPs, remote teams | Organizations with Zero Trust strategies | Any org needing DNS-layer security |
If you're building a secure network for a business or remote workforce, DoH should be used in tandem with filtering and device-level controls—not as a standalone solution.
As of 2025, DoH is supported by the major browsers. Firefox, Chrome, and Edge implement it inside the browser, so DNS queries made by the browser are encrypted even when the underlying operating system still sends DNS in cleartext. Safari relies instead on the system-level encrypted DNS support Apple added in iOS 14 and macOS 11, configured through a profile or a DNS-settings app rather than a browser setting.
Real-world examples include:
Your DNS should be as private as your browsing. See how DNSFilter supports encrypted DNS protocols like DoH while giving you full control over network security. Start your free trial today.