What Is DNS over HTTPS?
Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
DNS over HTTPS (DoH) is a protocol that sends DNS queries through encrypted HTTPS connections instead of traditional plaintext DNS. DNS over HTTPS improves privacy by making domain lookups harder for intermediaries to read or modify, but it also changes how security teams monitor, filter, and govern DNS activity.
For users, that can be a privacy benefit. For defenders, it is also a policy and visibility question.
DNS over HTTPS definition
Normally, when a device wants to visit a domain like example.com, it asks a DNS resolver for the corresponding IP address. Traditional DNS is often easy for local networks, internet providers, and other intermediaries to observe because the lookup is not protected like HTTPS web traffic.
DNS over HTTPS changes that by wrapping DNS requests inside HTTPS sessions. The result is encrypted DNS traffic that blends into standard secure web traffic rather than traveling as ordinary DNS queries.
How DNS over HTTPS works
At a high level, DoH replaces a traditional DNS request with an HTTPS-based request to a DoH-compatible resolver.
A client needs to resolve a domain
A browser, operating system, or app needs the IP address for a domain. Instead of sending a standard DNS query directly, it prepares the lookup for a DoH resolver.
The DNS query is sent over HTTPS
The client connects to a DoH server over HTTPS. Because HTTPS is encrypted, the DNS request is also encrypted in transit.
That means people or devices on the local network can often see that the client is connecting somewhere, but they may not be able to read the exact domain being queried inside that encrypted session.
The DoH resolver returns the answer
The DoH resolver performs the DNS lookup and sends the response back over the same HTTPS connection. From the client’s perspective, it still gets the IP address it needs, but the exchange happened through encrypted web traffic.
The client connects to the destination
Once the IP address is returned, the browser or application can connect to the destination service as usual.
Why DNS over HTTPS matters
DNS is an important control point in both privacy and security. Encrypting it changes who can observe or influence lookups.
Privacy benefits
DNS over HTTPS can help with:
- preventing casual observation of DNS lookups on local networks
- reducing some forms of DNS tampering in transit
- improving privacy on public Wi-Fi and other shared networks
- making it harder for intermediaries to inspect plaintext DNS activity
For individuals using untrusted networks, that can be a meaningful improvement.
If you often connect on hotel, airport, or café Wi-Fi, a consumer VPN such as Check NordVPN pricing → or Try Proton VPN → may also help protect broader traffic privacy, though VPNs and DoH solve different problems.
Security tradeoffs
For organizations, DoH can also create challenges:
- reduced visibility into DNS lookups at the network layer
- difficulty enforcing DNS filtering through approved resolvers
- risk that browsers or apps bypass enterprise DNS policy
- gaps in investigations if teams depend heavily on DNS logs
This is why DNS over HTTPS is not simply a yes-or-no security feature. It is a design choice that changes where control and visibility live.
What DNS over HTTPS does not do
A common misunderstanding is that DoH hides all browsing activity. It does not.
DNS over HTTPS specifically protects the DNS lookup portion of a connection. Other signals may still be visible depending on the environment, including:
- destination IP addresses
- proxy logs
- endpoint telemetry
- firewall events
- TLS-related metadata
So DoH improves DNS privacy, but it is not the same thing as full anonymity.
DNS over HTTPS vs traditional DNS
The practical difference is straightforward:
- Traditional DNS: Queries are typically visible to local observers unless other protections are in place.
- DNS over HTTPS: Queries are sent inside encrypted HTTPS sessions.
That encryption helps with privacy, but it also means legacy DNS monitoring and filtering approaches may become less effective unless organizations manage DoH intentionally.
For a related privacy protocol, see what is a vpn.
When you’ll encounter DNS over HTTPS
You will most often run into DoH where browser behavior, privacy, and enterprise DNS controls intersect.
Browser and endpoint settings
Modern browsers and operating systems may support or automatically prefer DoH. Security and IT teams often encounter it while setting browser baselines or endpoint policies.
Enterprise DNS filtering
Organizations that use DNS-layer security controls need to decide whether endpoints are allowed to use external DoH resolvers or must use approved internal ones.
Remote work and public Wi-Fi
DoH is often discussed as a user privacy improvement for employees working from home or on untrusted networks.
Detection and incident response
Security teams may notice DoH when DNS logs become less complete or when malware begins using encrypted DNS channels to reduce visibility. In those cases, defenders often rely more on endpoint or proxy telemetry.
For broader thinking on limiting trust and visibility gaps across users and devices, see what is zero trust.
DNS over HTTPS and enterprise policy
In business environments, the main question is usually not whether DoH is good or bad. It is whether DoH is aligned with the organization’s resolver, logging, and filtering strategy.
Some organizations want DoH enabled only through approved resolvers. Others disable browser-controlled DoH to preserve centralized DNS controls. The right approach depends on how the environment handles:
- DNS logging
- domain filtering
- secure web gateway inspection
- endpoint management
- privacy requirements
- regulatory obligations
The important point is consistency. Unmanaged DoH can create visibility gaps. Managed DoH can improve privacy while preserving policy.
Final takeaway
DNS over HTTPS encrypts DNS lookups by sending them through HTTPS connections. That improves privacy and can reduce some forms of DNS interception, especially on untrusted networks.
At the same time, DoH changes how defenders monitor and control DNS activity. For organizations, it is best treated as both a privacy feature and a governance decision, not just a protocol toggle.