DNS over HTTPS: safer and more private DNS

Every time you open a website, DNS asks in the background where that page is located. Traditionally these queries happen unencrypted, so everyone along the way can see them. DNS over HTTPS changes that. Let us explain what it is and why it is worth it.
A short reminder: what DNS is
DNS is the phone book of the internet that translates website names (for example tiptech.sk) into server IP addresses. Without it we would have to remember numbers. More in the article on what DNS is.
The problem with classic DNS
Traditional DNS queries travel in the clear, without encryption. This means your operator, the WiFi provider or anyone along the way can see which websites you are asking about. The queries can also be eavesdropped on or altered to redirect you to a fraudulent page.
What DNS over HTTPS is
DNS over HTTPS (DoH for short) encrypts your DNS queries and sends them over an ordinary secure HTTPS connection, the same one websites use. Thanks to this:
- No one along the way sees which websites you are asking about.
- Queries cannot easily be spoofed to redirect you elsewhere.
- Privacy and security improve, especially on unfamiliar networks.
A similar function is served by DNS over TLS (DoT), which encrypts queries in a different way, but with the same goal. The main difference is where they go: DoH sends queries on port 443 together with ordinary web traffic, so it is harder to spot and block. DoT uses its own port 853, which makes it easier for network admins to manage. For an ordinary user both do the same thing.
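To make the "port 443 together with ordinary web traffic" point concrete, here is an added example (not code from the article): the very same DNS message that classic DNS would send in plaintext is built in wire format and carried as the body of an ordinary HTTPS request, in both the GET and POST forms DoH allows. It assumes Cloudflare's public DoH endpoint; the sample reply is constructed, so everything except the live lookup runs offline.

```python
import base64
import struct
import urllib.request

RESOLVER = "https://cloudflare-dns.com/dns-query"  # Cloudflare's public DoH endpoint, port 443

def build_query(name, qtype=1, txid=0):
    """Wire-format DNS query, the body DoH sends as application/dns-message."""
    # txid 0 is conventional in DoH so HTTP caches can reuse identical replies.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(name, resolver=RESOLVER):
    """GET form of a DoH request: the query base64url-encoded, no padding, in ?dns=."""
    q = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{resolver}?dns={q}"

def parse_a_records(msg):
    """Return the IPv4 answers in a wire-format reply, handling name compression."""
    def skip_name(p):
        while msg[p] != 0:
            if (msg[p] & 0xC0) == 0xC0:  # two-byte compression pointer ends the name
                return p + 2
            p += msg[p] + 1
        return p + 1
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return ips

def resolve_over_doh(name, resolver=RESOLVER):  # live lookup over HTTPS, needs network
    hdr = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    req = urllib.request.Request(resolver, data=build_query(name), headers=hdr, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())

# Constructed sample reply (not captured from a real resolver): example.com -> 192.0.2.1
SAMPLE_RESPONSE = (b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

On the wire a network observer sees only a TLS session to the resolver on port 443; the name being asked about sits inside the encrypted request body or query string.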
Public DNS servers that support DoH
You usually do not use encrypted DNS through your operator’s DNS, but through a public service. The best known are:
- Cloudflare 1.1.1.1 - focused on speed and privacy; the 1.1.1.2 variant also blocks malicious domains.
- Google 8.8.8.8 - reliable and widespread, with no content filtering.
- Quad9 9.9.9.9 - automatically blocks known malicious and fraudulent domains (phishing, malware), which is good extra protection.
All three support both DoH and DoT and are free.
How to turn it on
- In the browser. Modern browsers have DoH in the security or privacy settings, just turn it on and choose a provider.
- In the operating system. Windows and mobile systems can set encrypted DNS system-wide for all apps.
- Across the whole network. On the router or a local DNS server, DoH can be set for all devices at once.
What to keep in mind
- DoH protects queries, not all browsing. For protection on public WiFi a VPN is still useful, more in the article on the risks of public WiFi.
- In a company, encrypted DNS can bypass corporate filters, so it should be set up deliberately and centrally.
- It complicates parental controls and filtering. If you filter content via DNS (for example blocking unsuitable sites for children), a browser with DoH turned on can bypass it. The solution is to set encrypted DNS centrally on the router, not just in the browser.
- DoH hides which websites you ask about, but not the connection itself. The server you finally connect to is still visible from its IP address. Full privacy only comes from combining it with a VPN.
Want safer and more private DNS at home or in your company? Get in touch, we will set it up correctly for the whole network.