What is DNS-over-HTTPS (DoH)
Encrypts DNS queries between your client and the resolver. Hides queries from your ISP. Standardised in RFC 8484. Different from VPN but complementary.
DNS-over-HTTPS (DoH) is a protocol that encrypts DNS queries between your client and the DNS resolver. Standardised in RFC 8484 in 2018, widely deployed by 2020. Solves a specific privacy problem: DNS queries are plaintext by default and reveal every domain you visit to your ISP and to anyone who can observe your network traffic.
DoT (DNS-over-TLS) is the related standard that does the same thing using a different transport (TLS over port 853 instead of HTTPS over port 443). Both achieve the same goal; DoH is more widely supported because it works through firewalls that allow HTTPS.
What problem DoH solves
Standard DNS sends queries unencrypted. Your computer asks "what is the IP for example.com?" and the answer comes back in plaintext. Anyone observing the network — your ISP, the local Wi-Fi operator, network monitors — can see the queries.
Even if your other traffic is HTTPS-encrypted, your DNS queries reveal the domains you visit. The site itself is unreadable; the metadata of which sites you visit is fully visible.
DoH wraps DNS queries in HTTPS. Your computer sends the wire-format DNS message to a DoH-supporting resolver as an HTTPS request (RFC 8484 defines both a POST form, with the message as the body, and a GET form, with the message base64url-encoded in the URL). The query and response are encrypted between your computer and the resolver. The ISP sees only encrypted HTTPS traffic to a DNS resolver; it cannot see what domains you queried.
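The message shapes described above, as an added example that is not part of the original page: it builds a wire-format DNS query, shows the RFC 8484 GET and POST forms of the same query, and parses a constructed resolver response (the kind of bytes that come back in the HTTP 200 body). The resolver hostname is the RFC's own placeholder, no network traffic is sent, and the response bytes are constructed for the example.

```python
import base64
import struct

# Added example; not code from the page or from any DoH client.
# RFC 8484 fixes the media type and the "dns" GET parameter used below.
DOH_MEDIA_TYPE = "application/dns-message"


def encode_name(name):
    """Encode a dotted hostname as length-prefixed DNS labels (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1):
    """Wire-format DNS query (A record by default), recursion desired.

    Transaction ID is 0 as RFC 8484 recommends, so identical queries are
    byte-identical and HTTP caches can serve them.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(template_url, query):
    """GET form: the query is base64url-encoded with padding stripped."""
    dns_param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template_url}?dns={dns_param}"


def doh_post_request(host, path, query):
    """POST form: the raw DNS message is the request body (bytes only; an
    HTTPS client would send these over TLS on port 443)."""
    head = (
        f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
        f"Content-Type: {DOH_MEDIA_TYPE}\r\nAccept: {DOH_MEDIA_TYPE}\r\n"
        f"Content-Length: {len(query)}\r\n\r\n"
    )
    return head.encode("ascii") + query


def read_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Header fields and answer records from a wire-format DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render the IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


# Constructed sample response: example.com -> 192.0.2.1 (TEST-NET-1),
# with the answer name compressed as a pointer to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://dnsserver.example.net/dns-query", q))
    print(doh_post_request("dnsserver.example.net", "/dns-query", q))
    print(parse_response(SAMPLE_RESPONSE))
```

The transaction ID is the one place a DoH client should not behave like a classic stub resolver: with a fixed ID of 0, two clients asking the same question send identical bytes, which is what lets HTTP caching work and also means the client must match responses by the HTTP exchange rather than by ID.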
Trust shift
DoH changes who sees your DNS queries:
- Without DoH: ISP sees all your DNS queries
- With DoH to Cloudflare 1.1.1.1: Cloudflare sees your DNS queries; ISP does not
- With DoH to Google 8.8.8.8: Google sees your DNS queries; ISP does not
- With DoH to NextDNS or self-hosted resolver: that party sees the queries
The privacy gain is real but conditional on trusting the DoH provider. Major DoH providers publish privacy policies; some (Cloudflare, Quad9, Mullvad) have stronger no-logs commitments than others. The trust shift is the trade-off.
Where DoH fits with VPN
Layered:
Without VPN, with DoH. Your ISP sees encrypted HTTPS to a DNS resolver. They cannot see your queries. They can still see the destinations you connect to (via SNI in TLS handshakes, IP-level connection metadata) — DoH only encrypts DNS, not the rest of your traffic.
With VPN, no DoH. Your VPN provider's DNS resolves your queries inside the tunnel. Your ISP sees only the encrypted VPN tunnel. The VPN provider sees your DNS queries.
With VPN + DoH inside tunnel. Layered protection. The VPN provider sees encrypted DoH traffic instead of cleartext DNS. Useful if you want to limit even your VPN provider's visibility into your DNS queries. Most users do not need this depth.
For most users, VPN alone is sufficient. The VPN encrypts the whole tunnel; DNS routes inside it; the VPN's no-logs commitment covers the DNS visibility. DoH layered inside is belt-and-suspenders.
DoH in browsers
Firefox enables DoH by default in some regions. Chrome supports DoH in advanced settings. Edge supports it. iOS and macOS support DoH at the OS level since iOS 14 / macOS Big Sur.
Browser-level DoH bypasses the OS DNS resolver. This means:
- Your VPN's DNS resolver may not be used (the browser is going direct via DoH)
- Your VPN may not see the DNS queries (potentially a leak in some configurations)
- The browser's chosen DoH provider sees the queries
For users running VPN with browser DoH enabled, the configuration interaction matters. Most modern VPN clients (Fexyn, Mullvad, ProtonVPN) handle this correctly by intercepting DoH traffic at the network layer. Older VPN clients may have leak conditions.
DoT vs DoH
DNS-over-TLS (DoT) does the same thing using TLS on port 853. Compared to DoH:
- DoT: dedicated port (853), explicit DNS service, easier for network operators to identify and potentially block
- DoH: runs over HTTPS port 443, blends with normal web traffic, harder to selectively block
For privacy from ISPs, DoH's harder-to-block property is an advantage. For network administrators wanting visibility into DNS use, DoT is easier to monitor.
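A defender's view of both points above, the browser-DoH leak case in the "DoH in browsers" section and the port-853-versus-port-443 identification contrast in this one, as an added example that is not part of the original page: it classifies connection records as plain DNS, DoT or DoH and flags DNS-class flows that left the host on a physical interface instead of the VPN tunnel. The flow records, the interface names and the list of DoH endpoint hostnames are constructed for the example (an operator would maintain the real list).

```python
from dataclasses import dataclass

# Added example; not code from the page or from any VPN client.


@dataclass(frozen=True)
class Flow:
    iface: str        # "tun0" = VPN tunnel, "wlan0" = physical interface
    dst_ip: str
    dst_port: int
    sni: str = ""     # TLS server name from the ClientHello, "" if none


# Illustrative allowlist of DoH endpoint hostnames (assumption for this
# example). DoH to a host not on the list looks like any other HTTPS flow,
# which is the "blends with normal web traffic" property from the text.
DOH_HOSTNAMES = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}


def classify(flow):
    """Name the DNS transport a flow uses, or 'other' if it is not DNS."""
    if flow.dst_port == 53:
        return "do53"          # plaintext DNS: visible to anyone on path
    if flow.dst_port == 853:
        return "dot"           # dedicated port: identifiable by port alone
    if flow.dst_port == 443 and flow.sni in DOH_HOSTNAMES:
        return "doh"           # only identifiable via a known SNI
    return "other"


def find_dns_leaks(flows, tunnel_iface="tun0"):
    """DNS-class flows that bypassed the tunnel (e.g. browser DoH going
    direct while the VPN is up). Returns (transport, flow) pairs."""
    leaks = []
    for flow in flows:
        kind = classify(flow)
        if kind != "other" and flow.iface != tunnel_iface:
            leaks.append((kind, flow))
    return leaks


def summarize(flows, tunnel_iface="tun0"):
    """Count flows per (transport, inside/outside tunnel) for a quick audit."""
    counts = {}
    for flow in flows:
        key = (classify(flow), flow.iface == tunnel_iface)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed connection records from a host with a VPN tunnel up.
SAMPLE_FLOWS = [
    Flow("tun0", "10.8.0.1", 53),                          # VPN resolver inside tunnel
    Flow("wlan0", "198.51.100.7", 51820),                  # the tunnel's own outer UDP
    Flow("wlan0", "1.1.1.1", 443, "cloudflare-dns.com"),   # browser DoH bypassing tunnel
    Flow("wlan0", "9.9.9.9", 853),                         # DoT outside the tunnel
    Flow("tun0", "1.1.1.1", 443, "cloudflare-dns.com"),    # DoH layered inside tunnel
    Flow("wlan0", "203.0.113.9", 443, "doh.unknown.example"),  # DoH to an unlisted host: not detected
]

if __name__ == "__main__":
    for kind, flow in find_dns_leaks(SAMPLE_FLOWS):
        print(f"LEAK {kind}: {flow.iface} -> {flow.dst_ip}:{flow.dst_port} sni={flow.sni!r}")
    print(summarize(SAMPLE_FLOWS))
```

The last sample flow is the important caveat: a DoH endpoint that is not on the allowlist is classified as ordinary HTTPS, so this check catches the common browser-to-major-provider bypass but cannot prove the absence of DoH. The reliable fix on the client side is the one the text describes, a VPN client that routes or intercepts port 443 and 853 traffic at the network layer rather than a log review after the fact.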
Common providers
Major DoH-supporting public resolvers:
- Cloudflare 1.1.1.1. Strong no-logs claim. Ad-blocking variant available at 1.1.1.2. Family-safe variant at 1.1.1.3.
- Google 8.8.8.8. No-logs for personal user data; Google does retain aggregate data.
- Quad9 9.9.9.9. Privacy-focused; non-profit operation.
- NextDNS. Configurable; user-specific filtering. Subscription model with strong privacy.
- Mullvad DNS. Privacy-focused; paired with Mullvad VPN service.
For users wanting browser-level DoH without VPN, Cloudflare 1.1.1.1 is the standard recommendation. Fast, reliable, no-logs.
What DoH does not solve
- The destination is still visible. Your ISP cannot see the DNS query but can see the IP you connect to and the SNI in the TLS handshake. They learn the domain anyway, just from a different vector.
- Application-level tracking continues. Browser fingerprinting, cookies, logged-in services — all still work.
- The DoH provider sees the queries. Trust shifts to them.
For comprehensive DNS privacy, DoH + VPN + a no-logs DNS provider inside the VPN tunnel covers the major vectors. For ISP-only privacy, DoH alone is partial; VPN is more complete.