DoH and DoT

DNS Queries

When you visit a website like https://www.private-stuff.com, a DNS query is made to resolve the server name into an actual IP address (e.g. 203.0.113.0 or 2001:db8:387c::a0). Your computer sends this query to the DNS server that its network provider told it to use.

Note that even though the actual communication between your browser and https://www.private-stuff.com is encrypted, the DNS queries and responses are sent over UDP or TCP without encryption. This exposes them to DNS-based Internet filtering, eavesdropping and spoofing. An eavesdropper can’t see what you’re doing on the website, but they can block DNS queries for competitors or other sites they don’t want you to visit, and otherwise monitor your browsing habits (where you went, at what time, how often, etc.).

Encrypting DNS

DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) are protocols that carry your browser’s DNS queries over an encrypted connection, so nobody between you and the DNS server answering them can eavesdrop on them. However, if you use public DoH/DoT servers such as those run by Google or Cloudflare, that provider can still see your DNS queries. This is why the W3C TAG runs its own private DoH and DoT servers that don’t log (or otherwise leak) your DNS query information.
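As an added example (not code from the W3C TAG page or from its servers), the following Python shows the DNS wire-format message that the sections above describe travelling unencrypted over UDP or TCP, and how RFC 8484 wraps exactly that same message in an HTTPS request for DoH. The resolver URL is the one the page gives for the TAG’s server; the response bytes are constructed locally for the page’s example name and documentation addresses, so everything except the optional live lookup at the bottom runs offline. The function names and the `sample_response` helper are this example’s own.

```python
"""Added example (not part of the W3C TAG page): the plaintext DNS message
format, and the RFC 8484 wrapping that turns it into a DoH request."""
from __future__ import annotations

import base64
import ipaddress
import struct
import urllib.request

DOH_ENDPOINT = "https://dns.w3ctag.org/dns-query"  # resolver URL from the page
A, AAAA = 1, 28  # DNS record types


def build_query(name: str, qtype: int = A, txid: int = 0) -> bytes:
    """RFC 1035 query: 12-byte header, then QNAME/QTYPE/QCLASS.  This exact
    message is what leaves port 53 in the clear; RFC 8484 suggests ID 0 for DoH
    so identical questions give identical (cacheable) HTTP requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """RFC 8484 GET form: the message is base64url-encoded without '=' padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_post_request(endpoint: str, query: bytes) -> urllib.request.Request:
    """RFC 8484 POST form: the raw message is the body, typed as dns-message."""
    return urllib.request.Request(
        endpoint, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset after it."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_answers(msg: bytes) -> list[tuple[str, int, int, str]]:
    """Return (name, type, ttl, rdata) per answer record; A/AAAA are rendered as
    addresses, other types as hex.  A non-zero RCODE (e.g. NXDOMAIN) raises."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == A and rdlen == 4:
            text = str(ipaddress.IPv4Address(rdata))
        elif rtype == AAAA and rdlen == 16:
            text = str(ipaddress.IPv6Address(rdata))
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return answers


def sample_response(addr: str, name: str = "www.private-stuff.com",
                    ttl: int = 300, rcode: int = 0) -> bytes:
    """Constructed stand-in for a resolver's reply (not captured from any server),
    using the page's example name and documentation addresses."""
    ip = ipaddress.ip_address(addr)
    rtype = A if ip.version == 4 else AAAA
    question = build_query(name, rtype)[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, 1, 0, 0)  # QR, RD, RA
    answer = b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, ttl, len(ip.packed)) + ip.packed
    return header + question + answer


def resolve_over_https(name: str, qtype: int = A, endpoint: str = DOH_ENDPOINT):
    """Live DoH lookup (needs network): same message, only the transport changes."""
    req = doh_post_request(endpoint, build_query(name, qtype))
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_answers(resp.read())


if __name__ == "__main__":
    print(doh_get_url(DOH_ENDPOINT, build_query("www.example.com")))
    print(parse_answers(sample_response("203.0.113.0")))
    print(parse_answers(sample_response("2001:db8:387c::a0")))
```

The GET URL produced for `www.example.com` is byte-for-byte the example in RFC 8484 section 4.1.1. Since the message itself is unchanged, all DoH adds is the TLS connection to the resolver, which is what hides the question from on-path observers; the resolver still sees every question it answers, which is the point made above about third-party providers.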

Setup

Both Google Chrome and Firefox support DoH.

Google Chrome

Google Chrome version 85, on both desktop and Android, supports a feature called Secure DNS.

  1. In Chrome, tap the “kebab” menu (the three vertical dots) at the upper right.
     [Screenshot: Open the menu]
  2. Tap Settings.
     [Screenshot: Settings]
  3. Tap Privacy and security.
     [Screenshot: Privacy and security]
  4. Tap Use secure DNS.
     [Screenshot: Use secure DNS]
  5. Select Choose another provider and enter the following URL: https://dns.w3ctag.org/dns-query
     [Screenshot: Provider URL]

Firefox

  1. In Firefox, go to Preferences.
     [Screenshot: Firefox Preferences]
  2. In the General section, scroll down to Network Settings and click the Settings… button.
     [Screenshot: Network Settings]
  3. Scroll down and check Enable DNS over HTTPS.
     [Screenshot: Enable DNS over HTTPS]
  4. In the Use Provider drop-down, select Custom.
     [Screenshot: Use a Custom Provider]
  5. Enter the following URL in the Custom field: https://dns.w3ctag.org/dns-query
     [Screenshot: Specify Custom Provider URL]
  6. Click OK to save your changes.
     [Screenshot: Done]