By default, DNS queries are sent in plain text over UDP port 53. Anyone on your network, including WiFi attackers, can see every domain you look up. DoH and DoT encrypt this traffic.
| Feature | DoT (DNS over TLS) | DoH (DNS over HTTPS) |
|---|---|---|
| Port | 853 (explicit, easy to block) | 443 (looks like HTTPS traffic) |
| Privacy | Network can't see DNS queries | Network can't see DNS queries or content |
| Censorship resistance | Moderate (easy to block) | High (harder to distinguish from web traffic) |
| Firefox support | Limited | Native (since v62) |
| Enterprise detection | Easy | Very difficult |
### Firefox

Settings → Privacy & Security → DNS over HTTPS → Enable → Select provider (Cloudflare, Google, or NextDNS)

### Chrome / Edge (System-Level DoH)

Settings → Privacy and Security → Security → Advanced → Use secure DNS → Enable → Select provider

### Windows 11

Settings → Network & Internet → WiFi → Hardware properties → DNS server assignment → Edit → Select "Manual" and enter DoH addresses

### Android 9+

Settings → Network & Internet → Private DNS → Select "Private DNS provider hostname" and enter the provider's DoH hostname
### DNS Filtering Services Compared

| Provider | DoH Host | DoT Host | Malware Blocking | Custom Filtering | Logging |
|---|---|---|---|---|---|
| Cloudflare (1.1.1.1) | dns.cloudflare-dns.com | 1dot1dot1dot1.cloudflare-dns.com | Optional (1.1.1.2) | No | No (audited) |
| Google DNS | dns.google | dns.google | No | No | 24-hour temp |
| Quad9 (9.9.9.9) | dns.quad9.net | dns.quad9.net | Yes (blocks malware) | No | No (non-profit) |
| NextDNS | dns.nextdns.io | Custom | Yes | Full | Per plan |
| OpenDNS | dns.opendns.com | No | Yes (Home) | Yes | Optional |
For most users: NextDNS offers the best combination of malware blocking, custom filtering, and privacy. For simplicity: Cloudflare 1.1.1.1 or Quad9 are excellent one-click solutions. Do NOT use your ISP's DNS: they log everything and can redirect your traffic.
### Detecting DNS Manipulation

- Check with cmd.google: Open https://cmd.google.com; if your configured DNS is working, it shows a green result
- DNS leak test: Use dnsleaktest.com; it shows which DNS server is actually answering your queries
- Monitor for unexpected DNS changes: If your device suddenly starts using a different DNS server, investigate immediately
- Enterprise DNS monitoring: SIEM rules for DNS anomalies, NXDOMAIN spike detection, and known malicious domain blocks
- Deploy internal DNS resolvers and block external DNS except through approved DoH/DoT proxies
- Use DNS firewalls (like Cisco Umbrella/OpenDNS) to block known malicious domains
- Monitor for DNS over HTTPS: an employee enabling DoH bypasses enterprise DNS filtering
- Consider implementing DNS-over-HTTPS for the enterprise itself via Cloudflare for Teams or similar
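Two of the monitoring ideas above (NXDOMAIN spike detection and spotting DoH bypass) can be prototyped against resolver logs. The script below is an added example, not code from the page: it parses a constructed log format (`timestamp client qname rcode`), flags clients that resolve any of the public DoH/DoT hostnames from the comparison table (a client that looks those up on the internal resolver is about to bypass it), and flags clients whose NXDOMAIN count in a one-minute bucket exceeds an assumed threshold of 5. The log format, sample lines, window and threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not real traffic): "<unix_ts> <client> <qname> <rcode>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000001 10.0.0.5 dns.cloudflare-dns.com NOERROR
1700000002 10.0.0.7 mail.example.com NOERROR
1700000003 10.0.0.9 aqz3k.example.net NXDOMAIN
1700000004 10.0.0.9 bq8lp.example.net NXDOMAIN
1700000005 10.0.0.9 cmx2w.example.net NXDOMAIN
1700000006 10.0.0.9 dr7tn.example.net NXDOMAIN
1700000007 10.0.0.9 ek9vb.example.net NXDOMAIN
1700000008 10.0.0.9 fq1xc.example.net NXDOMAIN
1700000061 10.0.0.5 dns.google NOERROR
"""

# Public DoH/DoT endpoints from the provider table; resolving one of these
# through the internal resolver usually means a client is switching to DoH/DoT.
DOH_HOSTS = {"dns.cloudflare-dns.com", "1dot1dot1dot1.cloudflare-dns.com",
             "dns.google", "dns.quad9.net", "dns.nextdns.io", "dns.opendns.com"}

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")  # assumed log layout

def parse(log_text):
    """Yield (ts, client, qname, rcode) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            yield int(ts), client, qname.lower().rstrip("."), rcode

def find_doh_bootstrap(log_text):
    """Map each client to the public DoH/DoT hostnames it tried to resolve."""
    hits = defaultdict(set)
    for _, client, qname, _ in parse(log_text):
        if qname in DOH_HOSTS:
            hits[client].add(qname)
    return {client: sorted(names) for client, names in hits.items()}

def nxdomain_spikes(log_text, window=60, threshold=5):
    """Clients with more than `threshold` NXDOMAIN answers in any `window`-second bucket."""
    buckets = Counter()
    for ts, client, _, rcode in parse(log_text):
        if rcode == "NXDOMAIN":
            buckets[(client, ts // window)] += 1
    return sorted({client for (client, _), n in buckets.items() if n > threshold})
```

In a real deployment the same two functions would run over a streaming export from the internal resolver, with the threshold tuned to the baseline NXDOMAIN rate of the network.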