DNS-over-HTTPS is one of the most important privacy upgrades to internet infrastructure in recent years.
Standardized as RFC 8484 in 2018, DoH prevents your DNS (Domain Name System) queries – the requests your device makes to translate website names into IP addresses – from being sent in plain text across the network.
Instead, it wraps those queries in HTTPS, the same encryption used to secure websites. This makes it harder for snoops, Internet Service Providers (ISPs), and attackers to see what sites you're visiting.
This article breaks down what DoH is, how it works, why it matters, and how you can use it with Control D to take control of your online privacy and security.
Summary:
- DoH encrypts DNS queries – Wraps DNS requests in HTTPS encryption (port 443), preventing ISPs and network observers from seeing what websites you visit
- Improves privacy and security – Stops DNS eavesdropping, hijacking, and spoofing attacks while making your DNS traffic indistinguishable from regular web browsing
- Built into major browsers – Firefox, Chrome, and Edge support DoH natively, making it easy to enable with just a few clicks
- Can bypass network controls – DoH traffic is harder to block or monitor, which may circumvent enterprise firewalls, parental controls, and ISP filtering
- Works with DNS filtering services – Solutions like Control D combine DoH encryption with malware blocking and content filtering, giving you both privacy and security without losing control
What Is DNS-over-HTTPS (DoH)?
DNS-over-HTTPS (DoH) is a network security protocol that encrypts DNS queries using the HTTPS protocol. Instead of sending DNS requests in plain text over port 53, DoH tunnels DNS traffic through encrypted HTTPS connections on port 443, making them indistinguishable from regular web traffic.
This prevents third parties from eavesdropping on, intercepting, or modifying those queries, which enhances your privacy and security during web browsing – it’s like sending your DNS queries in an armored truck instead of a postcard.
The result:
- Network observers can't see what domains you're querying, making surveillance more difficult
- DNS hijacking and man-in-the-middle attacks (where someone intercepts and modifies your DNS requests) become significantly harder
- ISPs and network administrators lose visibility into your DNS queries
Before we explain how it works, let’s take a step back and quickly explain what DNS is.
What Is DNS: How the Internet Looks Up Sites
Every time you type a website like example.com into your browser, your device sends a DNS query to find the matching IP address so it can load the web page.
But here’s the problem: Traditional DNS queries are unencrypted. Anyone watching your traffic, like your ISP, a network admin, a government, or even a nearby hacker, can see what domain names you look up.
This makes DNS a major weak point in internet privacy.
How Does DNS-over-HTTPS Work? (Simplified)
Let’s break it down step-by-step:
- You open your browser and type example.com
- Your browser needs to find the IP address for that domain
- If DoH is enabled, it sends the DNS query over an HTTPS-encrypted connection to a DoH-compatible resolver
- The resolver replies with the IP address, also over HTTPS
- Your browser loads the site using the returned IP address
This is all done over an encrypted connection.
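The exchange above in code, as an added example that is not Control D’s or any browser’s own implementation: it builds the DNS wire message, encodes it the way RFC 8484 specifies for a GET or POST to a DoH resolver, and parses the answer that comes back. The resolver URL (`https://doh.example/dns-query`) and the sample response are constructed placeholders; for a live lookup, substitute the DoH URL your own endpoint shows.

```python
# Added example, not Control D's code: RFC 8484 request encoding and response parsing.
import base64
import struct
import urllib.request

def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query (RFC 1035): ID 0 and RD=1, the cache-friendly form RFC 8484 suggests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(resolver: str, wire: bytes) -> str:
    """GET form: the message base64url-encoded with '=' padding removed, in the 'dns' parameter."""
    return resolver + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")

def doh_post(resolver: str, wire: bytes) -> bytes:
    """POST form: raw message as application/dns-message, carried inside TLS on port 443."""
    hdrs = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    with urllib.request.urlopen(urllib.request.Request(resolver, data=wire, headers=hdrs), timeout=5) as r:
        return r.read()

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a name; a 0xC0 compression pointer (2 bytes) or the empty label (1 byte) ends it."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg: bytes):
    """Return (RCODE, list of IPv4 answers) from a wire-format response; rejects non-responses."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a DNS response")
    off = 12
    for _ in range(qd):                  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:    # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs

# Constructed sample reply (no network needed): header with QR=1/RCODE=0, the echoed question,
# then one A record whose owner name is a pointer to offset 12 (0xC00C), TTL 300, 192.0.2.1.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Everything the resolver sees travels inside the TLS session, so an on-path observer gets only the destination address and the TLS handshake; `parse_a_records(doh_post(url, build_query("example.com")))` performs the live version of the lookup.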
What Are the Benefits of DNS-over-HTTPS (DoH)?
Here’s why DNS-over-HTTPS is a big deal for privacy and security:
✅ Encryption of DNS Queries
No more plain text DNS lookups. The DoH protocol hides your queries from anyone who might be monitoring your connection, including your ISP or people on public Wi-Fi, preventing them from seeing which domains you’re looking up.
✅ Defends Against DNS Spoofing
Some attackers or shady networks alter DNS responses to redirect you to fake versions of real sites, where they attempt to steal sensitive and personal data or install malware. This is called DNS spoofing.
Since DoH encrypts DNS traffic and relies on HTTPS certificate validation, it makes DNS response tampering more difficult: your device verifies that it is talking to the genuine resolver, and responses cannot be altered in transit.
✅ Easy Setup
Major browsers like Firefox, Chrome, and Edge support DoH natively, letting you improve security in just a few clicks.
✅ Bypasses Strict Internet Rules
Using a third-party DoH resolver lets you bypass your ISP’s DNS servers. This limits ISP tracking and logging and can help users get around DNS-based censorship.
What Are the Downsides of DNS-over-HTTPS (DoH)?
While DoH has useful benefits, it’s not perfect. Here are a few things to keep in mind:
❌ Centralization
By shifting DNS to a few large DoH providers (like Google or Cloudflare), traffic can become centralized in the hands of big tech. That’s a risk for privacy, especially if data is logged or sold to third parties (which often occurs even if they say they don’t).
❌ Harder to Audit & Monitor
For IT teams and businesses, DoH can make network traffic harder to inspect or manage, especially when DNS queries are encrypted and don’t go through the corporate resolver.
This is a problem when trying to block traffic to inappropriate or malicious domains or trying to identify illegal activities and malware communication on your network, as it creates a blind spot.
❌ Can Bypass Enterprise and Parental Controls
DoH can bypass local DNS filtering tools, including parental controls and enterprise firewalls. This might break things or create blind spots.
❌ Slightly Slower Speeds
Because of the extra encryption, DoH might be slower than regular DNS. But it’s minimal; most users won’t notice the difference.
DNS-over-HTTPS vs. DNS-over-TLS
DNS-over-TLS (DoT) is another encrypted DNS protocol. Here’s how it compares:
| Feature | DNS-over-HTTPS (DoH) | DNS-over-TLS (DoT) |
|---|---|---|
| Protocol Used | HTTPS (port 443) | TLS (port 853) |
| Easy to Block | No | Yes |
| Works in Browsers | Yes (built-in) | No (OS-level only) |
| Easily Hidden | Yes (blends with web traffic) | No (distinct traffic type) |
| Centralization Risk | Moderate (based on provider) | Moderate (same risk) |
| System-wide Support | Limited without custom config | Widely supported in routers |
| Enterprise Management | Can bypass corporate controls | Easier to monitor and control |
Both encrypt DNS queries, and both are secure. The key difference is where and how they operate. DoH is more common in browsers and easier to hide.
How DoH Affects DNS Filtering
One of DoH’s biggest controversies is how it breaks traditional DNS filtering tools:
- Network Security: Firewalls that monitor DNS queries can’t see encrypted DoH traffic unless they're using DPI (deep packet inspection).
- Compliance Risks: Enterprises may lose visibility into user behavior, making threat detection and reporting harder.
- Parental Controls: Most home routers use DNS filtering to block adult content. DoH can bypass this by routing DNS queries through the browser.
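An added example (not Control D’s code) of what a firewall can still work with once DNS moves into HTTPS: without DPI, the two remaining signals are the SNI of outbound TLS sessions and the absence of port-53 traffic to the corporate resolver. The flow lines and the resolver hostnames below are constructed samples.

```python
# Added example, not Control D's code: flags hosts whose name resolution seems to bypass the
# corporate resolver, using only what a firewall still sees once DNS moves into HTTPS.
from collections import defaultdict

# Constructed sample list; a real deployment maintains the resolver hostnames it permits or watches.
KNOWN_DOH_HOSTS = {"doh.example", "resolver.provider.example"}

def parse_flow(line: str) -> dict:
    """Parse one constructed flow line of the form '<src> <dst>:<port> [sni=<name>]'."""
    src, dst, *rest = line.split()
    ip, port = dst.rsplit(":", 1)
    sni = next((r[4:] for r in rest if r.startswith("sni=")), "")
    return {"src": src, "dst": ip, "port": int(port), "sni": sni}

def find_doh_suspects(lines, corp_resolver: str, known=KNOWN_DOH_HOSTS) -> dict:
    """Return {src: [reasons]} for hosts doing HTTPS while never querying corp_resolver on
    port 53, or while opening TLS sessions whose SNI names a known DoH resolver."""
    dns_queries = defaultdict(int)
    https_flows = defaultdict(int)
    doh_hits = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f["port"] == 53 and f["dst"] == corp_resolver:
            dns_queries[f["src"]] += 1
        elif f["port"] == 443:
            https_flows[f["src"]] += 1
            if f["sni"] in known:
                doh_hits[f["src"]].add(f["sni"])
    suspects = {}
    for src in https_flows:
        reasons = []
        if doh_hits[src]:
            reasons.append("TLS to known DoH resolver: " + ", ".join(sorted(doh_hits[src])))
        if dns_queries[src] == 0:
            reasons.append("HTTPS traffic but no port-53 queries to the corporate resolver")
        if reasons:
            suspects[src] = reasons
    return suspects

# Constructed flow records: 10.0.0.5 behaves normally, 10.0.0.7 talks to a DoH resolver,
# 10.0.0.9 never touches the corporate resolver (could be DoH, or just a warm cache).
SAMPLE_FLOWS = [
    "10.0.0.5 10.0.0.1:53",
    "10.0.0.5 203.0.113.10:443 sni=www.example.com",
    "10.0.0.7 198.51.100.20:443 sni=doh.example",
    "10.0.0.7 203.0.113.10:443 sni=www.example.com",
    "10.0.0.9 203.0.113.11:443 sni=shop.example",
]
```

The second rule is a lead, not a verdict: a host running on cached answers also produces no port-53 traffic, so confirm on the endpoint before acting on it.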
Control D solves this problem by offering encrypted DNS with filtering, logging, and custom rules, so you don’t have to choose between privacy and control.
Why Control D and DNS-over-HTTPS (DoH) Are the Best Combo for Secure Browsing
Control D is more than just a DNS service. It’s a complete DNS filtering platform that gives you control, visibility, and security over all your internet traffic. By combining Control D’s filtering with DNS-over-HTTPS, you get:
- Encrypted DNS lookups to keep your activity private.
- Malware, phishing, and ad & tracker blocking to keep you safe.
- Content filtering to block specific apps, sites, or categories.
- Powerful analytics to understand your network usage.
- Per-device or whole-network enforcement with flexible setup options.
This gives you the privacy of DoH without losing visibility or control.
Control D’s DoH support:
Every Control D endpoint supports DoH out of the box. You can apply it:
- To one device (like your phone or laptop).
- To your entire office or home network using your router.
- To remote employees and client devices.
Control D also supports DoT (DNS-over-TLS) and traditional DNS, so you can choose what works best for your setup.
How to Set Up DNS-over-HTTPS (DoH) with Control D: Complete Guide
You don’t need to be a tech expert to implement DoH with Control D. Here's how to do it step by step.
Step 1: Sign Up
Go to Control D and sign up for a free trial account. No credit card is required.
Once you're in, you'll have full access to everything: filtering, analytics, encrypted DNS settings (including DoH), and more.
Step 2: Create a Profile and Enable Filters
In the sidebar, go to Profiles → Add Profile.
Give your profile a name – something like “Secure Internet” – and click Save.
Then, navigate to the Filters screen. Here, you can block entire categories of harmful content. For better protection, we recommend enabling:
- Malware – Blocks domains known to distribute viruses, ransomware, and spyware
- Phishing – Blocks fake sites that try to steal your passwords or personal info
- Adult Content – Blocks explicit websites across all categories
- Ads and Trackers – Blocks ads and tracking scripts from loading
Toggle the filters you want. This Profile now acts as a secure ruleset you’ll later apply to one or more devices.
Step 3: Create an Endpoint and Copy Your DoH Address
Now that your Profile is ready, it’s time to apply it to your device using DoH.
Go to Endpoints → Add Endpoint.
Name your device, for example “Work-PC”, and assign it the profile you just created.
Once created, you’ll see a list of resolver options for that endpoint, including your DoH address. Copy the DoH resolver URL listed under the endpoint.
You’ll now use this DoH URL to configure your device to use Control D over DNS-over-HTTPS.
Step 4: Configure Your Device
How to Enable DoH on Firefox:
- Go to Settings > Privacy & Security
- Scroll to DNS over HTTPS
- Select Increased Protection
- Click on Choose provider and select Custom
- Enter your Control D DoH resolver URL
✅ Easy to enable
❌ Doesn’t protect non-browser apps
How to Enable DoH on Chrome (and Edge):
- Go to chrome://settings/security
- Scroll to Use Secure DNS
- Enable it and choose Add custom DNS service provider
- Paste your Control D DoH resolver URL
✅ Easy to enable
❌ Doesn’t protect non-browser apps
How to Enable DoH on Windows / macOS:
You have two options: use the Control D Setup App or manual configuration.
Control D Setup App:
- Download the Control D Setup App
- Input the configuration code.
Manual Configuration:
- Access your network settings and look for DNS configuration.
- Enter the Control D DoH URL.
✅ System-wide coverage
❌ Requires a little technical know-how
How to Enable DoH on a Router:
For businesses, families, or power users, you can set Control D’s DoH resolver on your router or firewall to protect every device on the network. Most modern routers allow you to set a custom DNS server. Some even support DoH directly.
- Follow Steps 1 and 2 above
- In Step 3, select ‘Server’ when creating your endpoint
- Access Router Settings: Open a web browser and enter your router's IP address in the address bar to access the admin panel.
- Navigate to DNS Settings: Look for a section like "DNS" or "Internet Settings." It may require advanced settings to be enabled.
- Enter DoH Resolver URL: If your router supports DoH, enter the unique DoH URL provided by Control D in the appropriate field
✅ Universal coverage
✅ Works for IoT devices, TVs, and consoles
✅ Keeps logs and filters in one place
Step 5: Verify It’s Working
Once set up, all DNS requests from that app or device will be encrypted and filtered through your custom Control D policy.
To verify it’s working, on the device where you set up DoH, visit: https://controld.com/status
You should see your Resolver ID and a “Using Control D” indicator. This means DoH is enabled and your traffic is being filtered securely through Control D.
You can also check the Analytics section in the Control D dashboard to confirm that traffic is flowing. You’ll start seeing real-time logs showing allowed and blocked domains.
When Should You Use DoH?
DNS-over-HTTPS is a great choice for:
- Public Wi-Fi: Keeps your DNS queries safe from snoopers
- ISP Privacy: Stops ISPs from logging or monetizing your DNS activity
- Remote Work Setups: Teams using DoH with Control D can stay secure without exposing their activity to ISPs or shared Wi-Fi networks.
- Censorship Circumvention: Helps bypass DNS-based blocks in some regions
But if you’re managing a network (home or business), you may want a system-wide DNS solution that includes policy control, like Control D running at the router level.
Security Myths About DoH
Let’s clear up a few common misconceptions:
- DoH does not make you anonymous. While it encrypts DNS lookups, your IP address, SNI (Server Name Indication), and actual web traffic remain visible to network observers. DoH only protects the DNS resolution phase, not the subsequent connection to websites.
- DoH does not block malware by default. You still need filtering to stop malicious domains, like Control D offers.
- DoH does not guarantee privacy. Some DoH providers log everything. Choose a provider that respects privacy.
Final Thoughts
DNS-over-HTTPS is a big win for internet privacy. It closes a major gap in how DNS works by encrypting your queries and shielding them from prying eyes. But not all DoH providers are equal, and privacy isn't just about encryption.
Control D combines the protection of DoH with full visibility, advanced filtering, and granular policy management. If you want encrypted DNS that doesn’t trade privacy for control, Control D is the clear choice.

Frequently Asked Questions (FAQ)
DoH vs VPN: What’s the difference?
DoH only encrypts DNS lookups, not your full internet traffic. A VPN encrypts all traffic and hides your IP address. For full privacy, pair a VPN with a DNS solution like Control D.
How is DoH different from regular DNS?
Traditional DNS sends queries in plaintext, allowing anyone monitoring the network to see what websites you're visiting. DoH wraps those queries in HTTPS encryption, making them invisible to prying eyes. It also uses a different port (443) that’s harder to block or filter.
Is DoH secure?
Yes. DoH encrypts DNS queries, protecting them from snooping, tampering, and interception. It’s a major upgrade over traditional DNS, but true privacy depends on using a trustworthy DoH provider.
Why should I use DNS-over-HTTPS?
If you value privacy, want to prevent ISP tracking, or regularly use public Wi-Fi, DoH is a strong layer of protection. It also defends against DNS hijacking and spoofing.
Is DNS-over-HTTPS better than DNS-over-TLS?
It depends on your use case. DoH works directly in browsers and blends with normal HTTPS traffic, making it harder to block. DoT, on the other hand, operates at the system level and may be better for router-wide enforcement.
Does DoH hide my IP address?
No. DoH encrypts DNS lookups but doesn’t mask your IP address. For complete privacy, use a VPN that doesn’t log traffic.
Can DNS-over-HTTPS block ads or malware?
Not by itself. DoH only encrypts DNS traffic. To block malicious domains, ads, trackers, or adult content, you need filtering on top. Control D offers encrypted DNS and powerful filtering, so you can block threats while keeping your lookups private.
Will DoH slow down my internet?
Slightly, but usually not noticeably. Because DoH adds encryption overhead, DNS lookups may take a fraction of a second longer. But modern DoH resolvers are optimized for performance, and the privacy gains are worth it.
Does using DoH break parental controls or corporate firewalls?
It can. Because DoH bypasses local DNS resolvers, it may circumvent router-level filtering or enterprise monitoring tools. This is why some organizations block DoH entirely.
How do I set up DNS-over-HTTPS with Control D?
Just create a profile, apply Filters, and generate a DoH endpoint URL from your Control D dashboard. Then paste that URL into your browser or system settings. It works with Firefox, Chrome, Edge, Windows, macOS, routers, and more. See the full guide above for step-by-step instructions.