How to Enable DNS over HTTPS (DoH) on Windows, macOS, and Browsers

TL;DR — Quick Summary

Enable DNS over HTTPS (DoH) to encrypt DNS queries and prevent ISP snooping. Step-by-step setup for Windows 11, macOS, Firefox, Chrome, and custom DNS providers like Cloudflare and Quad9.

Why DNS over HTTPS?

Your ISP sees every domain you visit through DNS queries. DoH encrypts them:

Encrypted queries — ISP can’t see your DNS lookups.
Uses port 443 — Looks like normal HTTPS, hard to block.
Fast — Cloudflare and Google DoH are faster than most ISP DNS.
Built into browsers — Firefox and Chrome support it natively.

Setup by Platform

Windows 11

Settings > Network & Internet > Wi-Fi (or Ethernet).
Click your connection > DNS server assignment > Edit.
Set Preferred DNS to 1.1.1.1.
Under DNS over HTTPS, select On (manual template).
Set Alternate DNS to 1.0.0.1.

macOS

macOS doesn’t have a native DoH toggle. Options:

# Option 1: Install dnscrypt-proxy
brew install dnscrypt-proxy
# Edit /usr/local/etc/dnscrypt-proxy.toml to use DoH servers
sudo brew services start dnscrypt-proxy

# Option 2: Install Apple configuration profile for Cloudflare DoH
# Download from https://1.1.1.1/dns/ and install the .mobileconfig

Firefox

Settings > Privacy & Security > scroll to DNS over HTTPS.
Select Max Protection.
Choose provider: Cloudflare (default) or Custom.

Chrome / Edge

Settings > Privacy and Security > Security.
Toggle Use secure DNS.
Select Cloudflare (1.1.1.1) or custom.

DNS Provider Comparison

Provider	Primary	Secondary	DoH URL	Features
Cloudflare	1.1.1.1	1.0.0.1	`https://cloudflare-dns.com/dns-query`	Fastest, privacy-first, no logging
Google	8.8.8.8	8.8.4.4	`https://dns.google/dns-query`	Reliable, wide availability
Quad9	9.9.9.9	149.112.112.112	`https://dns.quad9.net/dns-query`	Blocks malware domains
NextDNS	Custom	Custom	`https://dns.nextdns.io/ID`	Custom filtering, ad blocking
AdGuard	94.140.14.14	94.140.15.15	`https://dns.adguard-dns.com/dns-query`	Ad + tracker blocking

DoH vs DoT vs Plain DNS

Feature	Plain DNS	DNS over TLS (DoT)	DNS over HTTPS (DoH)
Encryption	None	TLS	HTTPS
Port	53	853	443
Blockable?	No (needed)	Yes (port 853)	Hard (blends with HTTPS)
Browser support	N/A	N/A	Firefox, Chrome, Edge
ISP can see queries	Yes	No	No
Best for	Legacy	Enterprise control	Privacy

Troubleshooting

Problem	Solution
DNS resolution slower after DoH	Try a different provider; Cloudflare is usually fastest
Corporate network blocks DoH	IT may require plain DNS for monitoring; use DoT as compromise
Some sites not resolving	Quad9 blocks malware domains by default; switch to Cloudflare for unfiltered
Can’t verify DoH is working	Visit 1.1.1.1/help to check if DoH is active

Summary

Encrypt your DNS to prevent ISP snooping.
Windows 11 + Firefox + Chrome have built-in DoH support.
Cloudflare 1.1.1.1 is the fastest and most private provider.
Combine with a VPN for complete traffic privacy.

Frequently Asked Questions

What is DNS over HTTPS (DoH) and why use it?

DNS over HTTPS encrypts your DNS queries using HTTPS, preventing your ISP, network admin, or anyone on your network from seeing which websites you visit. Without DoH, DNS queries are sent in plain text — anyone monitoring your traffic can see every domain you look up.

Does DoH slow down browsing?

Negligible impact. DoH adds a tiny overhead for encryption, but modern DNS providers like Cloudflare (1.1.1.1) and Google (8.8.8.8) are so fast that the difference is unnoticeable. Some users even see faster resolutions because these providers have better caching than their ISP.

DoH vs DoT (DNS over TLS) — which is better?

Both encrypt DNS. DoH uses port 443 (same as HTTPS) so it blends with normal web traffic and is harder to block. DoT uses port 853, which is easy for firewalls to identify and block. DoH is better for privacy; DoT is better for network administrators who want to control DNS.

Can my ISP still see my traffic with DoH?

They can't see your DNS queries, but they can still see the IP addresses you connect to. For full privacy, combine DoH with a VPN like [NetBird](/netbird-self-hosted-wireguard-mesh-vpn-zero-config/) or [WG-Easy](/wg-easy-self-hosted-wireguard-vpn-web-ui-client-management/).