DNS over HTTPS (DoH): Encrypting Your Web Traffic for Enhanced Privacy
Your internet activity starts with DNS, but traditional DNS exposes your browsing habits. DNS over HTTPS (DoH) encrypts these requests, offering a significant boost to your online privacy and security.
Understanding the Basics: What is DNS?
Imagine the internet as a massive city, where every website is a building, and each building has a unique street address – an IP address. However, when you want to go somewhere, you usually know the building’s name (like whoip.tw), not its numerical address. That’s where a phonebook comes in handy to translate names into numbers.
In the world of the internet, this “phonebook” is the Domain Name System (DNS). When you type a website name into your browser, your computer sends a request to a DNS server to translate that domain name into its corresponding IP address. Once the IP address is obtained, your browser can then find and connect to the correct website server. All of this happens seamlessly in the background, but it’s a fundamental step for every internet connection you make.
If you’re curious to learn more about how this essential system works, delve into our comprehensive article: How DNS Works.
The Privacy Gap in Traditional DNS
While DNS is absolutely crucial for the internet to function, its traditional method of operation comes with a significant privacy vulnerability: your DNS queries are sent unencrypted.
What does this mean? It means that when your computer sends a request saying, “I’m looking for the IP address of example.com,” this request is transmitted in plain text. Anyone on your network who can listen to your traffic – including your Internet Service Provider (ISP), the operator of the Wi-Fi hotspot you’re using, or even government agencies – can easily see which websites you are trying to visit. This practice is known as “DNS snooping.”
Consider this: even if you eventually connect to a website securely using HTTPS (where the address shows https:// instead of http://), your initial DNS query for that website is still exposed. It’s like shouting out the phone number you’re about to dial to the switchboard operator; even if your subsequent conversation is private, everyone knows who you called.
Furthermore, unencrypted DNS queries are more susceptible to malicious attacks such as:
- DNS Hijacking: Attackers can intercept your DNS requests and redirect you to malicious websites, even if you typed the correct URL.
- DNS Spoofing: Attackers can impersonate a legitimate DNS server and send your computer incorrect IP addresses, leading you to fraudulent sites.
These issues highlight the shortcomings of traditional DNS in terms of privacy and security, which is precisely what DNS over HTTPS (DoH) aims to address.
What is DNS over HTTPS (DoH)?
DNS over HTTPS (DoH) is a modern protocol designed to tackle the privacy and security issues inherent in traditional DNS. Simply put, DoH encrypts DNS queries and their corresponding responses using the HTTPS protocol.
What’s the practical implication of this? Traditional DNS queries are typically sent over UDP or TCP port 53, a type of traffic that is easily identifiable and snooped upon. DoH, however, “wraps” DNS queries within standard HTTPS traffic, sending them over TCP port 443 – the very same port used for secure web browsing (think online banking or social media).
Imagine a traditional DNS query as a postcard openly displaying where you want to go, readable by anyone. A DoH query, on the other hand, is like a sealed, encrypted envelope. It looks just like any other secure web request you’d send to a website server, making it difficult for an eavesdropper to tell that it’s a DNS query, let alone read its contents.
[IMAGE: A diagram comparing the flow of Traditional DNS (unencrypted request to DNS server) with DoH (encrypted request to DoH server via an HTTPS tunnel).]
By operating in this manner, DoH effectively hides your DNS queries within a larger stream of encrypted HTTPS traffic, making them significantly harder to monitor, intercept, or tamper with. This provides a substantial boost to your online privacy and security.
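To make the "wrapping" concrete, here is a small added example (not code from the original article) that builds a DNS query in wire format and shows the two ways RFC 8484 carries it over HTTPS: the GET form, where the query is base64url-encoded into the `dns=` parameter, and the POST form, where the raw bytes are the body with the `application/dns-message` media type. It also parses a response, handling DNS name compression. The resolver URL `doh.example.invalid` and the sample response bytes are constructed for the example; the GET encoding of `www.example.com` matches the worked example in RFC 8484 section 4.1.1.

```python
import base64
import struct
import urllib.request
from typing import List, Tuple

# Constructed sample values (not from the article): a placeholder resolver URL and a
# hand-assembled DNS response for www.example.com -> 192.0.2.1 (TEST-NET-1).
DOH_TEMPLATE = "https://doh.example.invalid/dns-query"
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # ID 0, flags QR|RD|RA, 1 question, 1 answer
    + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"  # question: www.example.com, type A, class IN
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"  # answer: pointer to name, A, TTL 300, 192.0.2.1
)


def build_dns_query(qname: str, qtype: int = 1) -> bytes:
    """Encode a minimal RFC 1035 query: ID 0 (RFC 8484 recommends this so GETs cache well), RD set."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(template: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire-format query, base64url-encoded with '=' padding removed."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template}?dns={encoded}"


def doh_post_request(template: str, query: bytes) -> urllib.request.Request:
    """RFC 8484 POST form: the raw query is the body, typed application/dns-message."""
    return urllib.request.Request(
        template,
        data=query,
        method="POST",
        headers={"Accept": "application/dns-message", "Content-Type": "application/dns-message"},
    )


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly-compressed name; return (name, offset just past it in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            hops += 1
            if hops > 16:  # refuse pointer loops in a malformed message
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns_response(msg: bytes) -> Tuple[int, List[Tuple[str, int, int, str]]]:
    """Return (rcode, [(name, type, ttl, rdata)]); A records are rendered as dotted quads."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return flags & 0x0F, answers


def resolve_over_doh(template: str, qname: str):
    """Live lookup (needs network): POST the query and parse what comes back."""
    with urllib.request.urlopen(doh_post_request(template, build_dns_query(qname))) as resp:
        return parse_dns_response(resp.read())


if __name__ == "__main__":
    query = build_dns_query("www.example.com")
    print(doh_get_url(DOH_TEMPLATE, query))   # what an eavesdropper sees only as a TLS-protected path
    print(parse_dns_response(SAMPLE_RESPONSE))
```

Everything on the wire after the TLS handshake is indistinguishable from an ordinary HTTPS request to the resolver's hostname; only the resolver's name (via SNI) and address remain visible, which is the residual exposure the benefits section discusses.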
Key Benefits of Using DoH
The introduction of DoH brings several compelling advantages to internet users, particularly concerning privacy and security.
Enhanced Privacy
- Hides DNS queries from your ISP and local network eavesdroppers: This is DoH’s most significant advantage. When you use DoH, your Internet Service Provider (ISP) or anyone else monitoring your local network (e.g., public Wi-Fi) cannot easily see the specific websites you’re trying to visit based on your DNS queries. While they might still know you’re connecting to a DoH resolver (like Cloudflare or Google), they won’t know which specific domain names you’re requesting from that resolver. This significantly reduces your digital footprint.
- Reduces the ability to build browsing profiles: By encrypting DNS queries, it becomes much harder for attackers or data aggregators to build profiles of your browsing habits based on your DNS traffic.
- For broader context on protecting your online identity, you might find our article helpful: How to Protect Your IP Address.
Improved Security
- Protects against DNS tampering and spoofing: Encrypted DoH requests make it considerably more difficult for attackers to intercept or alter DNS responses. This means malicious actors are less likely to redirect you to fake or malicious websites, protecting you from phishing attempts and other DNS-based manipulation threats.
- Resistance to Man-in-the-Middle (MITM) attacks: Because a DoH connection is authenticated by the resolver’s TLS certificate, your client can verify that it is talking to the intended DNS resolver. This prevents attackers from impersonating legitimate DNS servers and further enhances the integrity and security of your communications.
Circumvention of Censorship and Geo-blocking
- Bypasses DNS-level internet censorship: In certain regions, governments or network operators might implement internet censorship by blocking specific DNS queries. Because DoH traffic looks just like regular HTTPS web traffic (both use port 443), it is much harder to selectively identify and block. This can, in some cases, allow users to access websites that are otherwise restricted at the DNS level.
- Overcoming geographical restrictions: While DoH doesn’t directly change your IP address to spoof your location, it can offer some assistance in minor geo-restriction scenarios where limitations are implemented via DNS-level blocking.
Potential Drawbacks and Considerations
While DoH offers significant advantages, it’s not without its potential drawbacks and considerations that users should be aware of.
Centralization Concerns
- Reliance on a few large DoH resolvers: Currently, most users tend to gravitate towards a few large and well-known DoH resolvers, such as Cloudflare (1.1.1.1) or Google Public DNS (8.8.8.8). This can lead to a centralization of DNS query services, raising concerns about the potential power and data handling practices of these major providers. While these providers generally promise to protect user privacy, routing such a large volume of internet traffic through a handful of entities warrants careful consideration.
Bypassing Local Network Controls
- Potential to bypass local network filtering policies: For home network parental controls, corporate network content filters, or ad blockers, many of these controls are implemented through local DNS servers. If a user enables DoH in their browser or operating system and points it to an external resolver, these local DNS filters might be bypassed. While this can be beneficial for individual privacy, it could also undermine local network security or content management policies.
Performance Overhead
- Slightly increased performance overhead: Because DoH involves a TLS handshake and HTTPS encryption, it introduces a minor amount of additional overhead compared to traditional plain-text DNS queries. However, for most modern hardware and network connection speeds, this overhead is usually negligible and won’t noticeably impact daily browsing experience.
DoH and VPNs
- VPNs offer more comprehensive protection: It’s important to note that DoH is a tool for enhancing DNS privacy. If you’re already using a Virtual Private Network (VPN), all of your internet traffic (including DNS queries) is typically already encrypted and routed through the VPN tunnel. In such cases, DoH provides an additional, but potentially redundant, layer of protection. However, when a VPN is not in use, DoH remains a highly effective way to significantly boost your DNS privacy. To learn more about how VPNs compare to other privacy tools, check out: VPN vs. Proxy: What’s the Difference?.
DoH vs. DoT: What’s the Difference?
When discussing DNS encryption, another commonly mentioned protocol alongside DoH is DNS over TLS (DoT). Both protocols aim to encrypt DNS traffic to enhance privacy and security, but they differ in their implementation:
- DNS over TLS (DoT):
  - DoT encrypts DNS queries over a dedicated TLS connection on TCP port 853.
  - Its advantage lies in its dedicated port, which makes the DNS traffic easily identifiable as encrypted DNS, ensuring all traffic over that port is treated as DNS traffic.
  - The downside is that because it uses a distinct port, network firewalls and regulators can relatively easily identify and potentially block all DoT traffic.
- DNS over HTTPS (DoH):
  - DoH encapsulates DNS queries within HTTPS traffic, transmitting them over the standard TCP port 443.
  - Its main advantage is that since it uses the same port as regular HTTPS web traffic, it’s indistinguishable from other secure web traffic. This makes it much harder for network observers and censors to block or differentiate DoH traffic.
  - The downside is that because it’s blended with other HTTPS traffic, network administrators or security tools might find it challenging to apply granular control or inspection to DoH traffic.
In summary: DoT is like a clearly labeled, encrypted mailbox – the contents are secure, but the mailbox itself is visible. DoH is more like hiding your mail inside an encrypted package that looks like any other secure parcel, making it harder to identify. Both protocols offer significant privacy and security improvements over traditional DNS.
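The port difference described above is exactly what a network defender has to work with, and it also bears on the earlier "Bypassing Local Network Controls" section: an administrator who wants to know which hosts are no longer using the sanctioned local resolver can only see plaintext DNS by port 53, DoT by port 853, and DoH by the resolver hostname in the TLS SNI. The following added example (not code from the original article) classifies simplified flow records accordingly. The local resolver address `10.0.0.53`, the flow records, and the watch list of DoH hostnames are all constructed assumptions; an administrator would maintain the watch list themselves.

```python
import csv
import io
from collections import Counter
from typing import List, Tuple

# Assumptions (not from the article): the site's sanctioned resolver address and an
# admin-maintained watch list of public DoH resolver hostnames as they appear in TLS SNI.
LOCAL_RESOLVER = "10.0.0.53"
KNOWN_DOH_SNI = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

# Constructed flow records, in a simplified CSV form a firewall or NetFlow export might produce.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,sni
1700000000,10.0.0.21,10.0.0.53,53,udp,
1700000001,10.0.0.21,198.51.100.7,443,tcp,www.example.com
1700000002,10.0.0.22,1.1.1.1,853,tcp,cloudflare-dns.com
1700000003,10.0.0.23,1.1.1.1,443,tcp,cloudflare-dns.com
1700000004,10.0.0.23,8.8.8.8,443,tcp,dns.google
1700000005,10.0.0.24,8.8.8.8,53,udp,
"""

# Categories that mean "this host is not using the local resolver", whether or not encrypted.
BYPASS_CATEGORIES = {"plain-dns-external", "dot", "doh-known-resolver"}


def classify_flow(flow: dict) -> str:
    """Label one flow by the only signals visible on the wire: destination port and TLS SNI."""
    dport = int(flow["dport"])
    if dport == 53:
        # Plaintext DNS: readable by anyone on the path, and only "sanctioned" if it goes to our resolver.
        return "plain-dns-local" if flow["dst"] == LOCAL_RESOLVER else "plain-dns-external"
    if dport == 853:
        # DoT has its own port, so it is identifiable without looking inside the TLS session.
        return "dot"
    if dport == 443 and flow["sni"] in KNOWN_DOH_SNI:
        # DoH shares port 443 with web traffic; the SNI of a known resolver is the best remaining hint.
        return "doh-known-resolver"
    return "other"


def audit_flows(csv_text: str) -> Tuple[Counter, List[str]]:
    """Count flows per category and list source hosts that bypass the local resolver."""
    counts: Counter = Counter()
    bypassing = set()
    for flow in csv.DictReader(io.StringIO(csv_text)):
        category = classify_flow(flow)
        counts[category] += 1
        if category in BYPASS_CATEGORIES:
            bypassing.add(flow["src"])
    return counts, sorted(bypassing)


if __name__ == "__main__":
    counts, hosts = audit_flows(SAMPLE_FLOWS)
    for category, n in sorted(counts.items()):
        print(f"{category:22s} {n}")
    print("hosts bypassing local resolver:", ", ".join(hosts))
```

The limits of this check are the point of the section: a DoH endpoint that is not on the watch list, or a client that hides the SNI, lands in "other" and looks like ordinary web browsing. Detection therefore has to be paired with policy on the endpoints themselves (managed browser settings, or the canary domain `use-application-dns.net` that Firefox checks before enabling DoH automatically) rather than relying on the network alone.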
How to Enable DNS over HTTPS
Enabling DNS over HTTPS is a relatively straightforward process, with built-in support available in many popular web browsers and operating systems.
In Web Browsers
For most users, enabling DoH in their browser is the quickest and most direct way to encrypt all DNS queries originating from that browser.
- Mozilla Firefox:
  - Open Firefox.
  - Click the menu icon (three horizontal lines) in the top-right corner, then select “Settings.”
  - In the left-hand menu, click “General.”
  - Scroll down to the “Network Settings” section and click the “Settings…” button.
  - Check the “Enable DNS over HTTPS” option.
  - You can choose a default provider (like Cloudflare or NextDNS) or select “Custom” and enter the URL of your preferred DoH server.
  - Click “OK” to save your changes.
- Google Chrome:
  - Open Chrome.
  - Click the menu icon (three dots) in the top-right corner, then select “Settings.”
  - In the left-hand menu, click “Privacy and security,” then select “Security.”
  - Scroll down to the “Advanced” section and find the “Use secure DNS” option.
  - Toggle the switch to the “On” position.
  - You can choose “With your current service provider” or “Choose another provider” from the dropdown menu (e.g., Cloudflare or Google Public DNS), or enter a custom URL.
- Microsoft Edge:
  - Open Edge.
  - Click the menu icon (three dots) in the top-right corner, then select “Settings.”
  - In the left-hand menu, click “Privacy, search, and services.”
  - Scroll down to the “Security” section and find the “Use secure DNS to specify how to lookup the network address for websites” option.
  - Toggle the switch to the “On” position.
  - You can choose “Use current service provider” or “Choose a service provider” from the dropdown, or enter a custom template.
In Operating Systems (System-Wide)
Enabling DoH at the operating system level allows all applications (not just your browser) to benefit from encrypted DNS. However, this is generally more complex than enabling it in a browser, and support and configuration methods vary across operating systems.
- Windows 10/11:
  - Native DoH support in Windows is continually improving. For recent Windows versions, you can attempt the following steps, though manual DNS server configuration may be required.
  - Go to “Settings” > “Network & Internet” > “Advanced network settings” > “More network adapter options.”
  - Right-click on the network adapter you are using (e.g., Wi-Fi or Ethernet), and select “Properties.”
  - Select “Internet Protocol Version 4 (TCP/IPv4)” and click “Properties.”
  - Choose “Use the following DNS server addresses” and enter the IP addresses of a DoH-compatible DNS server (e.g., Cloudflare’s 1.1.1.1 or Google’s 8.8.8.8).
  - Click the “Advanced…” button, then switch to the “DNS” tab.
  - Look for and enable “Enable DNS over HTTPS” or a similar option. This option might only be available in certain Windows versions or configurations.
  - Tip: If native support isn’t ideal, third-party tools like YogaDNS can offer more flexible DoH configuration.
- macOS:
  - macOS currently does not offer a direct, simple system-wide DoH toggle. While macOS does have some underlying support for DoH within its discoveryd service, configuring it for general users typically requires more technical setup (e.g., via plist files or command-line tools).
  - For system-wide DoH, users often resort to third-party applications or tools like dnscrypt-proxy.
- Linux:
  - Setting up DoH in a Linux environment also typically requires manual configuration. Different Linux distributions and DNS resolvers (e.g., systemd-resolved, dnsmasq, or unbound) have varying setup methods.
  - For example, if using systemd-resolved, you can specify DoH servers in its configuration file.
  - For a simpler solution, dnscrypt-proxy can be installed and configured.
  - Similar to macOS, for non-technical users, enabling DoH in the browser often remains the most convenient option on Linux.
Overall, enabling DoH in your browser is the easiest and often sufficient starting point for most individuals. If you require system-wide DoH protection, it may involve more technical operations or assistance from third-party tools.
Conclusion
DNS over HTTPS (DoH) represents a significant advancement in the realm of internet privacy and security. By encrypting your DNS queries, DoH effectively closes the privacy gap left by traditional DNS protocols, shielding your browsing habits from the watchful eyes of your Internet Service Provider and other intermediaries. It not only bolsters your personal privacy but also helps defend against malicious DNS tampering and man-in-the-middle attacks, and in some cases, can even help users bypass DNS-based content censorship.
While it’s important to consider potential issues like centralization and the impact on local network controls, the benefits offered by DoH are clear. For every user seeking a more secure and private internet experience, enabling DoH is a simple yet powerful choice. Whether through browser settings or more advanced operating system configurations, taking action to encrypt your DNS traffic is an important step towards a safer online world.
Remember, while DoH dramatically improves your DNS privacy, it is not a complete internet privacy solution. It primarily protects the content of your DNS queries. For more comprehensive network traffic encryption and to mask your true IP address, a VPN remains an indispensable tool. However, integrating DoH into your cybersecurity habits is undoubtedly a worthwhile measure.