DNS over HTTPS (DoH) is a new privacy technology that is quickly catching on. The protocol adds encryption to Domain Name System (DNS) queries, shielding them from prying eyes. At the same time, it has attracted some skepticism from the industry.

Let’s take a quick look at the pros and cons of DoH and learn how to turn it on in your favorite browser.

What Is DNS?

Devices communicate over the internet using unique IP addresses, which are strings of digits separated by periods like 172.217.1.174 (in the case of IPv4) or strings of letters and digits separated by colons like 2607:f8b0:400b:809::200e (IPv6).

(These particular addresses belong to Google.)

Luckily, you don’t have to memorize any IP addresses to browse the web. Instead, you enter easy-to-remember domains like google.com into your browser’s address bar.


That’s where DNS comes in. The Domain Name System is essentially a worldwide directory of domain names and their associated IP addresses. Behind the scenes, your browser queries a DNS server, which translates domain names into IP addresses that your computer understands.

What’s Wrong With Regular DNS?

The main problem with conventional DNS is that queries are sent completely unencrypted over the network, making it easy for snoopers to see what sites you visit.

The screenshot below contains some output from the popular network analysis tool Wireshark, captured while browsing MUO.

[Screenshot: Wireshark capturing DNS queries]

Notice how the domain makeuseof.com shows up in plain text. The same information would be available to anyone with a tap on your connection. That could include your ISP, the government, or anyone on the same Wi-Fi network running a packet sniffer like Wireshark.

How Does DNS Over HTTPS Help?

With DoH, your DNS traffic is sent over an encrypted tunnel using HTTPS, the same technology used to encrypt the actual content of your browsing sessions. The capture below shows how DoH communications look to potential snoopers.

[Screenshot: Wireshark capture of encrypted DNS traffic]

We can see that the browser is talking to the IPv6 address 2606:4700::6810:f8f9, which belongs to Cloudflare’s public DNS service. But the queries themselves are encrypted, appearing as random junk data to anyone who intercepts them.
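As an added illustration (not code from the original article), the Python below builds the same kind of query that appeared in the Wireshark captures and shows the two things those captures contrast: the domain name sitting in the clear inside a port-53 packet, and the RFC 8484 GET form that DoH carries inside TLS. The Cloudflare endpoint URL and the helper names are assumptions for the example; nothing is sent over the network.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Constructed example: the domain seen in the article's Wireshark capture.
DOMAIN = "makeuseof.com"
# Cloudflare's public DoH endpoint (assumed here; the article only cites its IPv6 address).
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode one DNS question in wire format (RFC 1035): header, QNAME labels, QTYPE, QCLASS."""
    # RFC 8484 recommends ID=0 so identical queries produce identical (cacheable) URLs.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QCLASS=IN


def visible_name(packet: bytes) -> str:
    """What a sniffer on UDP/53 reads: the QNAME straight out of the plaintext query."""
    labels, pos = [], 12  # the question section starts right after the 12-byte header
    while packet[pos]:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_get_url(query: bytes) -> str:
    """Client side of an RFC 8484 GET: base64url-encode the query and strip '=' padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_ENDPOINT}?dns={encoded}"


def decode_doh_param(url: str) -> bytes:
    """Resolver side: recover the wire-format query from the 'dns' URL parameter."""
    encoded = parse_qs(urlsplit(url).query)["dns"][0]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


if __name__ == "__main__":
    q = build_query(DOMAIN)
    print("plaintext DNS exposes:", visible_name(q))
    url = doh_get_url(q)
    # Everything after the host in this URL travels inside TLS; an observer sees only a
    # connection to the resolver's IP address, as in the second capture above.
    print("DoH GET request:", url)
    assert decode_doh_param(url) == q
```

Because the query bytes are identical in both cases, the privacy gain comes entirely from the HTTPS wrapper: the name is still there, but only the resolver can read it.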

Enabling DNS Over HTTPS in Your Browser

Since DoH is a developing technology, its implementation is slightly different in each browser.

Google and Mozilla have been slowly rolling it out to users over the last several months, so as you follow the steps below, you may find that it is enabled already.

How to Enable DNS Over HTTPS in Chrome

  1. Click on the three vertical dots in the top-right corner and select Settings.
  2. Click on Security under the Privacy and security heading.
  3. Enable the Use secure DNS option under the Advanced heading.
  4. Leave the radio button beside With your current service provider selected to use your current provider*, or select With and choose from the available alternatives.
    [Screenshot: Chrome DNS over HTTPS settings]

*Note that most DNS providers don't support DoH at this time, so you shouldn't rely on your default provider unless you can confirm it supports the protocol.

How to Enable DNS Over HTTPS in Firefox

  1. Click the hamburger icon in the top-right corner and select Options.
  2. Scroll to the bottom of the page and click on Settings under the Network Settings heading.
  3. Tick the checkbox labeled Enable DNS over HTTPS.
  4. Choose your desired DNS provider from the list labeled Use Provider, or select Custom to use a custom server.
  5. Click OK to save your changes.
    [Screenshot: Firefox DNS over HTTPS settings]

How to Enable DNS Over HTTPS in Microsoft Edge

  1. Click on the three horizontal dots in the top-right corner and select Settings.
  2. Click on Privacy, search, and services in the left-hand menu.
  3. Scroll down to the Security header.
  4. Leave the Use current service provider radio button selected to use your current provider, or select Choose a service provider to use a custom server.
    [Screenshot: Edge DNS over HTTPS settings]

Which Provider Should You Choose?

Google and Cloudflare are the most popular options at the moment. If you prefer to avoid them, you can consult a list of alternative DoH providers.

Why Is DNS Over HTTPS Controversial?

Some IT experts have criticized DoH for making it harder to monitor DNS traffic for legitimate purposes, such as detecting malicious software or enforcing parental controls.

Google has addressed some of these concerns, stating in a blog post that such controls will still work with their implementation of DoH, and that organizations can disable DoH altogether if necessary.

It comes down to what we value more: user privacy or visibility for administrators. With major browsers planning to eventually roll out DoH by default to everyone, it looks like the former has won out in this case.

Shortcomings of DNS Over HTTPS


There are a few other concerns about DNS over HTTPS that you should keep in mind.

It Doesn’t Prevent All Forms of Snooping

DoH only encrypts DNS queries, leaving some other parts of your web traffic vulnerable to eavesdropping:

  • The IP addresses you connect to are still sent unencrypted.
  • Due to a feature of TLS (the encryption layer beneath HTTPS) called Server Name Indication (SNI), the hostname of each website you connect to is transmitted unencrypted at the start of the connection.

IP leakage is alleviated a bit by the fact that multiple sites can coexist at the same IP address, making it harder to determine which site you visited. There’s also reason to be optimistic about SNI, as a forthcoming technology called Encrypted Client Hello (ECH) promises to encrypt it.

For the time being, if you need a more robust privacy solution, consider using a VPN or the Tor network.


Fallback to Unencrypted DNS

Another potential snag occurs when the DNS provider is unable to resolve a query, such as when you misspell a domain.

What happens in this case depends on the particular DoH implementation. Currently, Chrome falls back to your system’s default DNS server, which would be unencrypted for most people. That could result in a privacy leak.

An Evolving Technology

DNS over HTTPS is a promising approach for adding some extra security to your web surfing.

While there are still some kinks to be worked out, it’s worth enabling DoH in your browser to help protect against man-in-the-middle attacks and other invasions of your privacy.