What is DNS over HTTPS (DoH)?

DNS over HTTPS, usually shortened to DoH, encrypts the DNS queries your device sends by wrapping them inside ordinary HTTPS traffic. Traditional DNS travels in plain text, so anyone on the network path can see and even alter your lookups. DoH closes that gap on the hop between your device and the resolver it talks to, giving DNS the same confidentiality and integrity protections the rest of the modern web already enjoys; the resolver itself still sees every query you send it.

What DoH is

DNS over HTTPS sends the queries a device makes to a DNS resolver inside an encrypted HTTPS session instead of as plain-text packets. To anyone watching the network, the traffic looks like an ordinary secure web request, and the names being looked up are hidden inside the encryption.
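To make the wrapping concrete, here is an added example (not code from the original page) that builds a DNS query exactly as RFC 8484 puts it on the wire, shows both HTTP forms DoH allows, and parses a reply. The resolver URL is a placeholder and the reply bytes are constructed rather than fetched, so it runs offline; the one external value it reproduces is the base64url string RFC 8484 itself uses as its GET example for www.example.com.

```python
"""DNS-over-HTTPS on the wire (RFC 8484): HTTP carries an ordinary binary DNS
message, so the work is building that message and encoding it.

Added example, not from the original page. DOH_ENDPOINT is a placeholder and
sample_response() fabricates the reply a resolver would send.
"""
from __future__ import annotations

import base64
import struct

DOH_ENDPOINT = "https://doh.example/dns-query"  # placeholder resolver URI template
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as DNS labels: each length-prefixed, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Wire-format query with one question. RFC 8484 recommends transaction ID 0
    so identical queries are byte-identical and HTTP caches can serve them."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form: base64url with '=' padding removed, carried in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_post_request(query: bytes, endpoint: str = DOH_ENDPOINT) -> dict:
    """POST form: the raw message is the body; both media types are fixed by RFC 8484."""
    return {"method": "POST", "url": endpoint, "body": query,
            "headers": {"content-type": "application/dns-message",
                        "accept": "application/dns-message"}}


def parse_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a name at `off`, following compression pointers (0xC0xx).
    Returns the name and the offset just past it at the original position."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_answers(msg: bytes, query: bytes) -> list[str]:
    """IPv4 addresses from the answer section, after checking the reply really
    answers `query` (same ID, QR bit set) and carries no error RCODE."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if txid != struct.unpack_from("!H", query, 0)[0] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, off = parse_name(msg, off)
        off += 4
    addrs = []
    for _ in range(ancount):
        _, off = parse_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def sample_response(query: bytes, ipv4: str) -> bytes:
    """Constructed reply: same ID, flags QR|RD|RA, the question echoed, and one
    A record whose owner name is a pointer back to the question at offset 12."""
    txid = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url(q))  # ends in the RFC 8484 GET example string, byte for byte
    print(parse_a_answers(sample_response(q, "198.51.100.7"), q))
```

The point to notice is how little DoH adds on top of DNS: the message inside the HTTPS request is the same binary format a UDP/53 client sends, and on the network the exchange is just a request to `/dns-query` on port 443 with a short opaque body, which is why it looks like any other web call.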

A closely related approach is DNS over TLS, or DoT, which encrypts the same queries but over its own dedicated connection rather than disguising them as web traffic. Both exist to solve the same underlying problem: classic DNS offers no privacy and no protection against tampering.

Why encrypt DNS

Plain DNS was built without security in mind, which leaves two clear weaknesses that encryption addresses:

  • Privacy. Every plain-text lookup reveals which sites you visit to your network operator, your internet provider, and anyone able to observe the traffic. Encrypting the queries keeps that browsing history private on the path to the resolver.
  • Integrity. An attacker on the network can alter unencrypted answers to send you to a malicious server. By protecting the connection, DoH stops a middle party from quietly rewriting responses, a defense against DNS spoofing on that segment. It does not vouch for the answer itself: whatever the resolver returns is accepted, and checking end to end that record data is genuine is the job of DNSSEC, not DoH.

DoH vs DoT

The two encrypted-DNS protocols differ mainly in how visible their traffic is on the network:

  • DNS over TLS runs on a dedicated port reserved for the purpose (TCP 853), so it is plainly identifiable as DNS. That makes it straightforward for a network to permit, block, or apply policy to.
  • DNS over HTTPS rides the same port as normal web traffic (TCP 443) and blends in with it, which maximizes privacy because the queries are hard to single out, but also makes them difficult for a network to manage separately.

Neither is strictly better. DoT favors manageability while DoH favors blending in, and the right choice depends on whether you are optimizing for network control or for resisting observation.

Pros, cons, and enterprise concerns

Encrypted DNS is a clear win for individual privacy, but it changes the picture for network operators:

  • Benefit — lookups stay private and tamper-resistant on the path to the resolver, raising the bar for surveillance and on-path attacks.
  • Loss of visibility — because DoH hides inside web traffic, security teams that rely on inspecting DNS can lose a valuable signal for spotting malware and exfiltration.
  • Filtering and policy — content filtering, parental controls, and split-horizon internal DNS often depend on seeing or intercepting queries, which application-level DoH can bypass. A browser pointed at a public DoH resolver also loses the ability to resolve internal-only names, because that resolver has never heard of them.
  • Centralization — routing all lookups to a handful of large DoH providers concentrates a great deal of browsing data with those operators.
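Losing the port-53 signal does not have to mean losing all visibility. The following added example (not from the original page) shows the kind of check a security team can run over flow or proxy metadata it already collects: flag clients whose TLS sessions name a known public DoH endpoint, and flag clients that browse the web without ever querying the corporate resolver. The flow records and the internal resolver address are constructed, and the endpoint list is an illustrative, intentionally incomplete starting point.

```python
"""Detect DoH use from network metadata once DNS inspection goes quiet.

Added example, not from the original page. FLOWS and CORP_RESOLVER are
constructed; KNOWN_DOH_HOSTS is an illustrative list, not a complete one.
"""
from __future__ import annotations

from collections import defaultdict

# Public DoH endpoints a client may be configured with (illustrative; extend from your own intel).
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
CORP_RESOLVER = "10.0.0.53"  # assumed address of the internal resolver

# Constructed flow records: (source, destination, destination port, TLS SNI or "").
FLOWS = [
    ("10.0.1.10", CORP_RESOLVER, 53, ""),                         # normal client
    ("10.0.1.10", "203.0.113.8", 443, "intranet.example"),
    ("10.0.1.20", CORP_RESOLVER, 53, ""),                         # browser-level DoH: the OS still uses corp DNS
    ("10.0.1.20", "1.1.1.1", 443, "cloudflare-dns.com"),
    ("10.0.1.20", "203.0.113.9", 443, "shop.example"),
    ("10.0.1.30", "198.51.100.3", 443, "resolver.example.net"),   # unlisted resolver, no corp DNS at all
    ("10.0.1.30", "198.51.100.4", 443, "news.example"),
]


def detect_doh(flows, known_hosts=KNOWN_DOH_HOSTS, resolver=CORP_RESOLVER) -> dict[str, list[str]]:
    """Return {client: [reasons]} for clients that appear to resolve names outside corporate DNS."""
    reasons = defaultdict(list)
    uses_corp_dns, has_https = set(), set()
    for src, dst, dport, sni in flows:
        if dport == 53 and dst == resolver:
            uses_corp_dns.add(src)
        if dport == 443:
            has_https.add(src)
            # Rule 1: the TLS handshake names a known DoH endpoint outright.
            if sni.lower().rstrip(".") in known_hosts:
                reasons[src].append(f"TLS to known DoH endpoint {sni}")
    # Rule 2: web traffic with no lookups to the corporate resolver means names were resolved elsewhere.
    for src in sorted(has_https - uses_corp_dns):
        reasons[src].append(f"HTTPS traffic but no port-53 queries to {resolver}")
    return dict(reasons)


if __name__ == "__main__":
    for client, why in detect_doh(FLOWS).items():
        print(client, "->", "; ".join(why))
```

Rule 1 is precise but only as good as its list, which is exactly the blending-in problem the page describes, and it stops working where the SNI is itself encrypted. Rule 2 is broader and needs tuning: a client that simply had everything cached, or that uses DoT to an approved resolver, will trip it too, so treat it as a lead to investigate rather than a verdict.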

How to enable it

DoH can be turned on in several places, and where you enable it determines how broadly it applies:

  • In a browser — major browsers offer a secure-DNS setting where you pick a provider, affecting only that browser.
  • At the operating system — modern systems can use encrypted DNS for the whole device, covering every application.
  • On the network — a router or resolver can be configured to use encrypted upstream DNS on behalf of everyone connected. This encrypts only the hop from the router outward: devices on the local network still send plain DNS to the router, so the protection is against observers beyond your own network, not on it.

Encryption protects the path to your resolver, but it does not tell you whether your own published records are still correct. ZoneWatcher monitors your authoritative DNS continuously and alerts you the instant a record changes, so encrypted or not, you always know your zone is intact.

Never miss a DNS change again.
Start monitoring in minutes.