What is DNS over HTTPS (DoH)?

What is DNS over HTTPS?

DNS over HTTPS (DoH) is a protocol that encrypts DNS queries by sending them over the HTTPS protocol — the same encryption used by secure websites. Standardized in RFC 8484 (October 2018), DoH wraps DNS requests inside regular HTTPS traffic on port 443.

Without encryption, traditional DNS queries are sent in plaintext. This means anyone monitoring your network — your ISP, a public Wi-Fi operator, or a malicious actor — can see every domain you visit. DoH solves this by encrypting the query and response between your device and the DNS resolver.

Because DoH uses the same port as all other HTTPS traffic, DNS queries blend in with normal web browsing. This makes it difficult for third parties to identify, intercept, or block DNS traffic specifically.

How DNS over HTTPS Works

When you type a domain name into your browser, a DNS lookup is required to resolve it to an IP address. With DoH, this process is encrypted:

1. Your browser or application initiates a DNS query (e.g., example.com).
2. The query is wrapped inside an HTTPS request using HTTP/2.
3. The encrypted request is sent to a DoH-compatible DNS resolver on port 443.
4. The resolver processes the query and returns the answer over the same encrypted channel.
5. Your application uses the resolved IP address to connect to the website.

DoH supports both GET and POST request methods, and works over both IPv4 and IPv6. The entire exchange looks like normal HTTPS traffic to anyone observing the network.

Benefits of DNS over HTTPS

• Privacy: ISPs and network operators can no longer see which domains you are resolving. Your browsing activity is hidden from passive surveillance.
• Security: Encrypting DNS prevents man-in-the-middle attacks, DNS spoofing, and DNS poisoning — where attackers redirect you to malicious sites by altering DNS responses.
• Censorship resistance: Because DoH uses port 443 (the same as HTTPS), it is difficult for firewalls to block DNS traffic without also blocking all secure web browsing.
• Public Wi-Fi safety: On open networks (cafes, airports, hotels), DNS queries are easily intercepted. DoH protects these queries from being read or modified.
• Content filtering enforcement: When paired with a DNS filtering service like CleanBrowsing, DoH ensures that filtering rules are applied consistently and cannot be tampered with in transit.

DoH vs DoT: What's the Difference?

Both DoH and DNS over TLS (DoT) encrypt DNS queries, but they differ in implementation:

	DNS over HTTPS (DoH)	DNS over TLS (DoT)
Port	443 (same as HTTPS)	853 (dedicated port)
Protocol	HTTPS / HTTP/2	TLS over TCP
Visibility	Blends with web traffic — hard to identify or block	Uses a dedicated port — easier to identify and manage
Best for	Individual browsers, privacy-focused users	Network-wide policies, enterprise/MDM environments
Browser support	Chrome, Firefox, Edge, Safari, Brave	Android 9+ (Private DNS), some routers

In short: DoH is typically configured per-browser or per-app, while DoT is better suited for device-wide or network-wide deployment. Many organizations use both. Learn more in our Encrypted DNS overview.

Limitations of DoH

DoH is not a silver bullet. It's important to understand what it does and doesn't protect:

• Does not hide destination IPs: DoH encrypts the DNS query, but the IP address you connect to is still visible in packet headers. Your ISP can still see which servers you communicate with.
• Centralization risk: If all DNS traffic goes to a single DoH provider, that provider has visibility into all your queries. Choose a provider you trust.
• Can bypass network policies: Because DoH runs in the browser, it can bypass network-level DNS filtering if not managed properly. This is why organizations should deploy DoH through managed configurations (e.g., Google Workspace) rather than leaving it to individual users.
• Not end-to-end encrypted: DoH encrypts the hop between your device and the DNS resolver. The resolver itself decrypts the query to process it.

DoH and DNS Filtering

A common concern is that DoH can bypass DNS-based content filtering. This happens when a browser uses a DoH resolver that doesn't enforce your organization's filtering rules.

The solution is to point DoH at a filtering-aware resolver like CleanBrowsing. When you configure DoH to use CleanBrowsing's endpoints, you get both encryption and content filtering — DNS queries are encrypted in transit but still filtered at the resolver.

For managed environments, you can push DoH settings via:

• Google Workspace Admin Console (Chrome browsers)
• Chrome browser policies (GPO or registry)
• Microsoft Edge policies

CleanBrowsing DoH Endpoints

CleanBrowsing supports DoH across all filters with a global anycast network for fast, reliable performance. Both HTTP/2 GET and POST formats are supported.

Free Filters

• Family Filter: https://doh.cleanbrowsing.org/doh/family-filter/
  Blocks adult content, proxies, VPNs, and mixed-content sites. Enforces SafeSearch.
• Adult Filter: https://doh.cleanbrowsing.org/doh/adult-filter/
  Blocks adult and explicit content. Allows proxies and mixed-content sites.
• Security Filter: https://doh.cleanbrowsing.org/doh/security-filter/
  Blocks phishing, malware, and malicious domains only.

Paid Customers

Paid customers get a private DoH endpoint unique to their filtering configuration:

Custom DoH URL: https://doh.cleanbrowsing.org/doh/custom-filter/[code]

Replace [code] with the unique key from your CleanBrowsing dashboard. This ensures your specific filtering preferences apply across all devices that support DoH.

For a full walkthrough of all encrypted DNS protocols we support (DoH, DoT, and DNSCrypt), see our Encrypted DNS setup guide.

How to Enable DNS over HTTPS

DoH is supported by all major browsers and most modern operating systems. Here are our setup guides:

• Enable DoH in Chrome (Secure DNS setting)
• Enable DoH in Microsoft Edge
• Configure DoH on Windows 11 (system-wide)
• Deploy DoH via Google Workspace (fleet management)

You can verify your DoH configuration is working by visiting our DNS Leak Test — the results should show CleanBrowsing as your DNS provider.