How to Disable DNS-over-HTTPS (DoH) in Browsers

When a browser enables DNS-over-HTTPS, it sends DNS queries directly to a third-party resolver (like Google's 8.8.8.8 or Cloudflare's 1.1.1.1) over an encrypted HTTPS connection. This means:

• Your network DNS is bypassed: The browser ignores your router's DNS settings entirely, including any CleanBrowsing configuration
• Queries are invisible: Because the DNS traffic is encrypted and sent over port 443 (the same as normal HTTPS), it's indistinguishable from regular web browsing
• Filtering stops working: Content categories you've blocked — adult content, social media, gaming — become accessible again
• SafeSearch is bypassed: SafeSearch enforcement via DNS no longer applies when the browser uses its own resolver

This is different from using CleanBrowsing's own DoH endpoint, which maintains filtering. The problem occurs when browsers use unfiltered DoH resolvers. For more on how encrypted DNS works, see our guide on What is Encrypted DNS?

The most effective approach on Windows is to disable DoH across all browsers simultaneously using registry settings. This prevents users from re-enabling the feature in browser settings.

CleanBrowsing provides a registry file that applies the correct policies for Chrome, Firefox, and Edge in one step:

• Download the registry file from the CleanBrowsing help center
• Extract the .zip file to access the .reg file inside
• Double-click the .reg file and confirm when prompted
• Reboot your computer to apply the changes

After the reboot, the "Use secure DNS" option will be grayed out and unavailable in all three browsers. Users will not be able to re-enable it without administrator access to the registry.

The registry entries set the following policies:
Chrome: HKLM\SOFTWARE\Policies\Google\Chrome\DnsOverHttpsMode = off
Firefox: HKLM\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled = 0
Edge: HKLM\SOFTWARE\Policies\Microsoft\Edge\DnsOverHttpsMode = off

If you need to disable DoH on individual browsers without registry changes, here are the manual steps. Note that users can re-enable these settings unless locked by policy.

Google Chrome

• Open Chrome and go to Settings
• Navigate to Privacy and Security → Security
• Find "Use secure DNS" and toggle it off

Mozilla Firefox

• Open Firefox and go to Settings
• Navigate to Privacy & Security
• Scroll to DNS over HTTPS and select "Off"

Microsoft Edge

• Open Edge and go to Settings
• Navigate to Privacy, Search, and Services → Security
• Find "Use secure DNS" and toggle it off

For organizations managing many devices, manual browser changes don't scale. Use these approaches instead:

• Google Workspace Admin Panel: Administrators can disable DoH across all managed Chrome browsers from the admin console. This applies the policy to every Chromebook and managed Chrome installation in your organization
• Windows Group Policy (GPO): Deploy the registry settings from Step 2 across all domain-joined machines using Group Policy Objects. This is the most reliable method for Windows-based school and office networks
• MDM solutions: For managed devices (including macOS and mobile), use your MDM platform to push DNS configuration profiles that override browser DoH settings
• Firewall rules: Block outbound DNS traffic to known DoH providers (Google, Cloudflare, etc.) at the network level as an additional layer of protection

For the strongest protection, combine browser-level DoH disabling with CleanBrowsing DNS filtering at the network level. This creates a layered defense where even if one control is bypassed, the other remains active.

For school-specific guidance, see our Schools solution and CIPA compliance pages.