Technical·12 min read

DNS-over-HTTPS (DoH) & Secure DNS: The Complete Configuration Guide 🔒

Every time you open a website, your device first sends a DNS query — asking "where is this site?" — in plaintext that your ISP, network admin, and anyone on the same Wi-Fi can read. DoH, DoT, and DNSCrypt fix this. Here's exactly how to configure encrypted DNS on every device you own.

Key Takeaways

• Plain DNS (port 53) sends your browsing history to your ISP in the clear — encrypted DNS stops this entirely.
• DoH and DoT both use TLS 1.3; DoH is harder to block because it blends with regular HTTPS on port 443.
• You can enable encrypted DNS in under 2 minutes on Windows, macOS, Android, and iOS — no technical expertise required.
• Encrypted DNS alone does not hide your IP address or encrypt your traffic — pair it with a VPN for full privacy.
• After configuration, always run a DNS leak test to verify your setup is actually working.

1. What Is DNS-over-HTTPS? The Technical Foundation

Every internet connection starts with DNS. When you type shieldhand.net into your browser, your device sends a Domain Name System query to translate that human-readable name into a machine-routable IP address. Traditional DNS (UDP port 53) sends this query as completely unencrypted plaintext. Any intermediary — your ISP, the coffee shop Wi-Fi operator, your corporate IT department, or an attacker on the same network — can see every domain you resolve. This is not a theoretical privacy concern: ISPs in the United States, UK, and Australia have been documented selling DNS query logs to advertisers and data brokers, while authoritarian governments use DNS monitoring for surveillance and censorship.

DNS-over-HTTPS (DoH) solves this by encapsulating DNS queries inside standard HTTPS traffic on port 443 — the same encrypted channel your browser uses to load secure websites. The DNS query becomes indistinguishable from regular web traffic. RFC 8484, published in October 2018 by the IETF, standardized the protocol. Major public DoH resolvers include:

  • Cloudflare (1.1.1.1): The fastest resolver globally, averaging ~14ms response time across 330+ cities. DoH endpoint: https://cloudflare-dns.com/dns-query. Independently audited by KPMG for their 1.1.1.1 service, with a strict policy of never storing query logs to disk.
  • Google (8.8.8.8): Vast global infrastructure with predictable performance. DoH endpoint: https://dns.google/dns-query. Google retains transient query logs for 24-48 hours for debugging, then deletes them.
  • Quad9 (9.9.9.9): Privacy-focused with automatic malicious domain blocking via threat intelligence feeds from 20+ security vendors. DoH endpoint: https://dns.quad9.net/dns-query. Based in Switzerland with strong privacy laws.
  • NextDNS: Highly customizable — per-device filtering, blocklists, analytics dashboard, and parental controls. Free tier includes 300,000 queries/month. Ideal for users who want to block trackers and malware at the DNS level in addition to encrypting queries.

💡 Pro Tip: Test your current DNS speed at DNSPerf.com before switching. In most regions, Cloudflare and Google are significantly faster than ISP default resolvers — you get both better privacy AND better performance.

2. DoH vs. DoT vs. DNSCrypt: Choosing the Right Protocol

Three encrypted DNS protocols are in active use today. They provide equivalent cryptographic security (all use TLS 1.3), but their network behavior and deployability differ significantly:

ProtocolPortBlockabilityBest For
DoH (DNS-over-HTTPS)443Hardest to blockGeneral users, restrictive networks
DoT (DNS-over-TLS)853Easy to blockEnterprise networks, Android
DNSCrypt443 (variable)ModerateLegacy setups, specific tooling

DoH is the recommended choice for most users. By operating on port 443 and conforming to the HTTP/2 wire format, DoH traffic is functionally identical to any other HTTPS request. Your ISP cannot block it without also blocking every HTTPS website on the internet — which is not practically possible. DoT uses a dedicated port (853), making it trivially identifiable and blockable: many public Wi-Fi networks, mobile carriers in China and the Middle East, and some enterprise firewalls already do so. DNSCrypt predates both protocols and still has a loyal user base, but it lacks the broad OS-level integration that DoH and DoT enjoy. It remains viable through the dnscrypt-proxy tool on Linux and as a fallback if both DoH and DoT are blocked.

The practical recommendation: enable DoH everywhere you can, and fall back to DoT on Android (where the built-in Private DNS feature uses DoT). On networks where port 853 is blocked, switch to DoH.

3. Step-by-Step Configuration Guide: Every Platform

3.1 Windows 11

Enable built-in DoH support (available since Windows 11 21H2):
1. Open Settings > Network & Internet > Wi-Fi (or Ethernet for wired connections).
2. Click your active connection, then Hardware Properties.
3. Find DNS Server Assignment and click Edit.
4. Switch from "Automatic (DHCP)" to Manual.
5. Toggle IPv4 on. Under Preferred DNS, enter 1.1.1.1 and select Encrypted only (DNS over HTTPS) from the dropdown. Under Alternate DNS, enter 1.0.0.1 with the same encrypted setting.
6. Repeat for IPv6 if your network uses it: 2606:4700:4700::1111 and 2606:4700:4700::1001.
7. Click Save. Verify by visiting 1.1.1.1/help — you should see "Using DNS over HTTPS (DoH): Yes."

3.2 macOS (Ventura and Later)

macOS supports encrypted DNS natively via configuration profiles:
1. The simplest approach: visit apple.nextdns.io in Safari, sign in with your Apple ID, and download the NextDNS configuration profile. This auto-configures DoH across all apps system-wide.
2. For manual DoH configuration without profiles: Open System Settings > Network > select your active connection > Details > DNS. Click the + button and add 1.1.1.1 and 1.0.0.1. Note that this only encrypts DNS if a configuration profile enforcing DoH is also installed — adding IPs alone does not enforce encryption on macOS.
3. Alternative: Use dnsproxy CLI tool or the AdGuard for Mac app, both of which can force DoH system-wide.
4. Verify: Install the dnsview app from the Mac App Store or run scutil --dns | grep nameserver in Terminal.

3.3 iOS / iPadOS (iOS 14+)

iOS supports encrypted DNS profiles natively — no jailbreak or app required:
1. Install the NextDNS app from the App Store or download a .mobileconfig profile from my.nextdns.io.
2. For Cloudflare: Download the official DoH profile from one.one.one.one on your iPhone.
3. After installation, go to Settings > General > VPN & Device Management > DNS. You should see your encrypted DNS profile listed with a green checkmark.
4. Verify: Visit 1.1.1.1/help in Safari. Look for "Using DNS over HTTPS: Yes."

3.4 Android (Android 9+)

Android's built-in Private DNS feature uses DoT, not DoH:
1. Open Settings > Network & Internet > Private DNS.
2. Select Private DNS provider hostname.
3. Enter a DoT hostname. Recommended options:
1dot1dot1dot1.cloudflare-dns.com (Cloudflare)
dns.quad9.net (Quad9)
dns.google (Google)
4. Tap Save. The change applies immediately — no reboot needed.
5. Verify: Visit 1.1.1.1/help in Chrome.
6. If you specifically need DoH on Android rather than DoT, install Nebulo (open source, F-Droid) or Intra (by Alphabet/Jigsaw) from Google Play.

3.5 Browser-Level Configuration

Firefox (most DoH-forward browser — enabled by default since 2019):
1. Go to Settings > Privacy & Security > scroll to DNS over HTTPS.
2. Select Increased Protection (default) or Max Protection (always enforce DoH, fallback to system DNS if the provider is unavailable).
3. Choose your provider: Cloudflare (default), NextDNS, or Custom (enter any DoH endpoint URL).
4. Important: Firefox's DoH setting only encrypts DNS for Firefox — other apps on your system still use plain DNS. For system-wide protection, configure DoH at the OS level (steps above), not just in the browser.

3.6 Router-Level Configuration

Encrypt DNS for every device on your network in one configuration:
1. ASUS routers: Firmware 3.0.0.4.388+ includes built-in DoT support. Go to WAN > Internet Connection > DNS Privacy Protocol > select "DNS over TLS." Enter your provider's DoT hostname.
2. GL.iNet routers: All models running OpenWrt 21.02+ support DoH natively. Go to Network > DNS > toggle "DNS over HTTPS (DoH)" > select provider.
3. OpenWrt / DD-WRT: Install https-dns-proxy package via opkg. Configure with your DoH endpoint and set the router's DNS forwarder to localhost.
4. Pi-hole + cloudflared: Run cloudflared proxy-dns as a DoH-to-DNS bridge on your Pi-hole server. All local DNS queries go through Pi-hole (ad blocking) and then out via DoH to Cloudflare (encrypted).
5. After router-level configuration, every phone, laptop, smart TV, and IoT device on your network automatically benefits — no per-device setup required.

💡 Pro Tip: Combining router-level DoH with a Pi-hole gives you encrypted DNS + network-wide ad and tracker blocking. Even smart TVs and IoT devices that do not support encrypted DNS natively get protected. This is the most powerful privacy setup you can configure at home without running a full firewall appliance.

4. DNS Leak Testing: Verify Your Encryption Is Actually Working

Configuring encrypted DNS is step one. Verifying it works is step two — and it is the step most people skip. A DNS leak occurs when some queries bypass your encrypted resolver and go out over plain DNS (port 53) instead. Common causes include:

  • Multi-homed DNS configurations: You set DoH on your primary connection, but your system also has a secondary DNS server (from DHCP, a VPN client, or a previous manual configuration) that still uses plaintext.
  • VPN kill-switch gaps: If your VPN disconnects momentarily and your system falls back to the default DNS server, queries leak in that window.
  • IPv6 leaks: You configured DoH for IPv4 but your network also has IPv6 DNS servers advertising themselves via router advertisements (RAs) — those IPv6 queries go out unencrypted.
  • Browser vs. OS mismatch: Firefox uses DoH but curl, wget, and system-level apps still use plain DNS.

Run these three tests after every DNS configuration change:

  1. dnsleaktest.com — Click "Extended Test." You should see ONLY your chosen DoH resolver's servers (e.g., "Cloudflare" or "NextDNS"). If you see your ISP's name, you have a leak.
  2. 1.1.1.1/help — Cloudflare's checker page. Look for "Connected to 1.1.1.1: Yes" and "Using DNS over HTTPS (DoH): Yes." If both show "No," your DoH configuration is not active.
  3. ipleak.net — Shows your DNS servers, WebRTC leaks, and IP address. Check that all DNS servers listed belong to your chosen provider.

A clean test result: all DNS servers listed are from Cloudflare/Quad9/NextDNS, the DNS-over-HTTPS indicator shows "Yes," and zero ISP servers appear in the extended test. If you see any ISP addresses, revisit your configuration and ensure no secondary DNS servers are set.

5. Beyond DoH: Building a Complete DNS Privacy Stack

Encrypted DNS is a critical privacy layer — but it is only one layer. A complete DNS privacy strategy combines multiple protections:

5.1 DNSSEC for Integrity

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records, ensuring that the response you receive has not been tampered with en route. Without DNSSEC, an attacker can poison a DNS cache and redirect you to a fake website even if you are using DoH — because DoH encrypts the transport but does not validate the answer. All major DoH resolvers (Cloudflare, Google, Quad9) validate DNSSEC automatically — you get this protection by default when using their services. If you run your own resolver (Unbound, Knot Resolver), ensure DNSSEC validation is enabled: it is disabled by default in some configurations.

5.2 Encrypted Client Hello (ECH)

DoH hides which domains you are looking up. But once your browser connects to that domain, the TLS handshake reveals the Server Name Indication (SNI) — the domain name in plaintext — to anyone watching the connection. Encrypted Client Hello (ECH), formerly called Encrypted SNI (ESNI), encrypts the SNI field so that even the initial connection to a website does not reveal the domain name to intermediaries. ECH is now supported in Chrome 117+, Firefox 118+, and Edge 117+, and is enabled by default when connecting to servers that advertise ECH support. As of mid-2026, approximately 45% of the top 1 million websites support ECH — and adoption is growing rapidly as CDNs like Cloudflare and Akamai roll it out.

5.3 VPN as the Ultimate DNS Privacy Layer

Even with DoH, DNSSEC, and ECH fully configured, your ISP can still see which IP addresses you connect to and how much data you transfer. A VPN encrypts your entire internet connection — DNS queries, SNI, IP destinations, and payload data — in a single tunnel. When you use a VPN with its own DNS resolver (as Shield VPN does by default), your DNS traffic is doubly protected: encrypted by the VPN tunnel and routed through the VPN's resolver, which can itself use DoH. This eliminates DNS leaks entirely because your device never touches your ISP's DNS servers — it cannot, because the VPN routes all traffic through the encrypted tunnel before it reaches the internet.

🔒 The Privacy Stack Hierarchy: Plain DNS (no protection) → DoH/DoT (DNS queries encrypted) → +DNSSEC (integrity verified) → +ECH (SNI hidden) → +VPN (all traffic encrypted, IP hidden, DNS doubly protected). Each layer reduces the attack surface. None is redundant.

Related guides: spot a fake VPN (DNS leaks are the #1 red flag) · 10-step digital privacy guide (encrypted DNS is step 3) · VPN buyer's guide (check DNS leak protection before buying) · clear your digital footprint (DNS data feeds the data broker ecosystem).

Encrypt Everything — Not Just DNS

Shield VPN routes all your traffic — DNS, browsing, streaming — through an encrypted tunnel with WireGuard & AES-256. Built-in DoH resolver. Independently audited. No logs. Ever. 30-day money-back guarantee.

Download on Google Play