DNS-over-HTTPS Adoption in 2026: What It Actually Means for Your Privacy


Your DNS queries are basically a complete log of every website you visit. Every domain you type, every link you click, every embedded resource your browser loads — all of it generates DNS lookups. And until recently, every single one of those queries was sent in plaintext across the network.

DNS-over-HTTPS (DoH) encrypts those queries by wrapping them in standard HTTPS traffic. It’s been around since 2018, but adoption has accelerated sharply. As of early 2026, the landscape looks meaningfully different from even two years ago.
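To make “wrapping them in standard HTTPS traffic” concrete, here is an added example (not code from the original article or from any resolver it names) that builds a DNS query exactly as RFC 8484 carries it. The point worth seeing is that the DNS message itself is unchanged: DoH only puts it inside a TLS session on port 443, so the resolver sees precisely what a plaintext resolver would. The response bytes are constructed in the code, not captured from a real server, and the address they contain is illustrative.

```python
"""What a DoH query looks like on the wire, following RFC 8484 (added example)."""
import base64
import struct


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a plain DNS wire-format query (RFC 1035). The ID is 0, as RFC 8484
    recommends for GET requests so identical queries can hit HTTP caches."""
    labels = b"".join(struct.pack("B", len(part)) + part.encode("ascii")
                      for part in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id=0, RD=1, one question
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, class IN


def doh_get_path(query: bytes, path: str = "/dns-query") -> str:
    """GET form: the unmodified DNS message, base64url without padding, as dns=...
    (the POST form sends the same bytes as the body, content-type application/dns-message)."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={encoded}"


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    parts, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:
            break
        parts.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(parts), (end if jumped else off)


def parse_response(msg: bytes):
    """Return (rcode, answers) where answers is a list of (name, type, ttl, rdata).
    Only the answer section is walked; A records are rendered as dotted quads."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        _name, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0x000F, answers


QUERY = build_query("www.example.com")

# Constructed response (not captured from a real resolver): same question, one A
# record whose name is a 0xC00C pointer back to the question, TTL 3600, made-up address.
RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + QUERY[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print("GET", doh_get_path(QUERY))
    print(parse_response(RESPONSE))
```

The path this prints for www.example.com is the worked example from RFC 8484 section 4.1.1. To send it for real, paste it into curl against a DoH endpoint, for instance `curl -s -H 'accept: application/dns-message' 'https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | xxd`, and feed the bytes to parse_response; curl can also resolve its own targets this way with `--doh-url`. Everything inside the TLS session is ordinary DNS, which is why the shift of trust the next section describes is a shift and not a reduction.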

Current Adoption Status

Firefox enabled DoH by default in the US back in 2020 and has since expanded it to other regions. Chrome followed with a more cautious approach, upgrading the DNS provider the system already uses to that provider’s DoH endpoint when one exists. Apple added system-wide encrypted DNS (both DoH and DNS-over-TLS) in iOS 14 and macOS Big Sur, but it is configured through a profile or a DNS app rather than a Safari setting, so in practice few users have it switched on.

The real shift in 2026 is at the OS level. Windows 11 supports DoH natively, configured per network adapter under its DNS server assignment settings, and recent builds have made it straightforward to turn on. Android has supported DNS-over-TLS (a related protocol, exposed as the Private DNS setting) since Android 9, and newer versions handle DoH as well for resolvers on the platform’s built-in list.

What this means practically: if you’re using a modern browser on a modern OS, there’s a decent chance your DNS queries are already encrypted. But “decent chance” isn’t “definitely.”

What DoH Actually Protects

We ran tests across several network configurations to verify what DoH does and doesn’t protect.

What it protects:

Your ISP can no longer read your DNS queries when DoH is active. We verified this by monitoring traffic on a test network: with DoH enabled, the queries travelled as TLS to port 443 of the resolver rather than as plaintext on port 53, and were indistinguishable from any other HTTPS session to that host. Your ISP still sees you connecting to a DoH resolver (Cloudflare’s 1.1.1.1 or Google’s 8.8.8.8, say), and that connection is itself a signal it can log or block, but it cannot read the query content.

Coffee shop networks, hotel wifi, and other shared networks can’t snoop on your DNS queries either. This is a genuine improvement — open wifi DNS snooping was trivially easy before DoH.

What it doesn’t protect:

Server Name Indication (SNI) still leaks the domain you’re connecting to during the TLS handshake, so even with encrypted DNS your ISP can see which site you’re connecting to. Encrypted Client Hello (ECH) addresses this, but adoption is still patchy, and ECH itself depends on encrypted DNS: the client fetches the server’s ECH key from a DNS HTTPS record, so a plaintext lookup would expose the name anyway.

Your DoH resolver can see all your queries. You’ve shifted trust from your ISP to your DNS provider. If you’re using Cloudflare or Google, you’re trusting their privacy policies instead of your ISP’s. Whether that’s an improvement depends on your threat model.

IP addresses themselves reveal destinations. Even without DNS or SNI, traffic analysis of IP connections reveals a lot about browsing behaviour.

Testing Methodology

We tested DoH across four browsers (Firefox, Chrome, Brave, Safari) on three operating systems, using Wireshark to capture network traffic and verify that DNS queries were actually encrypted.

Results: Firefox was the most consistent, with DoH active by default and Cloudflare as the resolver. Chrome upgraded to DoH when the system DNS provider supported it, but in its automatic mode it didn’t force DoH when the system was pointed at a provider without DoH support (choosing a provider explicitly under Use secure DNS does force it). Brave behaved similarly to Chrome. Safari’s implementation worked but required more deliberate configuration.

The most common failure case was corporate networks running their own DNS servers. These typically don’t support DoH, and browsers in their default mode fall back to unencrypted DNS rather than breaking connectivity. Firefox makes this explicit: before enabling DoH it resolves the canary domain use-application-dns.net, and a network that answers NXDOMAIN for it, or that has enterprise policies or parental controls configured, switches DoH off. This is by design, since network administrators need to maintain visibility for security purposes, but it means DoH protection disappears on many work networks unless you have chosen a mode that refuses to fall back.

The ISP Perspective

Australian ISPs are required to retain metadata under the Telecommunications (Interception and Access) Act. DNS queries fall under this metadata collection. DoH doesn’t eliminate metadata retention — ISPs can still see IP addresses you connect to — but it removes one data source.

Some ISPs have pushed back against DoH adoption, arguing it undermines parental controls and security filtering. There’s validity to this concern for network-level filtering, though browser-level alternatives exist.

Choosing a DoH Resolver

Your choice of resolver matters. Options include:

Cloudflare (1.1.1.1): Fast, privacy-focused, claims to purge logs within 24 hours. Independently audited.

Google (8.8.8.8): Reliable and fast. Google’s privacy record is… complicated. Per its published policy it keeps full query logs, including client IP, in temporary storage for 24 to 48 hours, and retains only anonymised data permanently.

Quad9 (9.9.9.9): Non-profit, blocks known malicious domains. Good balance of privacy and security.

NextDNS: Configurable filtering with privacy focus. Free tier available.

Self-hosted: Running your own resolver (Pi-hole or similar) gives maximum control but requires technical skill. Note that Pi-hole on its own is a filtering forwarder, not a DoH server: its upstream queries leave your network in plaintext unless you put a DoH proxy such as cloudflared behind it or run a full recursive resolver like unbound. It also doesn’t help on mobile networks unless your phone routes back to it over a VPN.

Does DoH Matter Enough?

Honestly? DoH is one layer in a larger privacy stack. By itself, it’s meaningful but not transformative. Your browsing destinations leak through multiple channels — SNI, IP addresses, traffic patterns. Encrypting DNS alone doesn’t make you invisible.

But it raises the bar. It eliminates the easiest, most passive form of browsing surveillance. An ISP or network operator can no longer run a simple DNS log to see every site you visit. They need more sophisticated (and more expensive) traffic analysis.

For most people, enabling DoH in their browser settings and choosing a reputable resolver like Cloudflare or Quad9 is a worthwhile five-minute privacy improvement. It won’t protect you from a determined adversary, but it stops casual snooping.

How to Verify Your DoH Status

Cloudflare’s diagnostic page at 1.1.1.1/help shows whether your browser reached Cloudflare over DoH. The test takes seconds, but it only reports on Cloudflare’s own resolver: if you are using Quad9 or NextDNS over DoH it will tell you DoH is off, so use the equivalent status page published by the resolver you actually chose.

Firefox users can check Settings > Privacy & Security > DNS over HTTPS; “Max Protection” makes Firefox fail rather than fall back to plaintext when the resolver is unreachable, which is the setting to pick if you want a hard guarantee instead of best effort. Chrome users can check Settings > Privacy and security > Security > Use secure DNS, where choosing a specific provider rather than “With your current service provider” forces DoH.

If you’re not using DoH yet, enabling it is straightforward. If you are, verify that it’s actually working — misconfigured DoH can silently fall back to unencrypted DNS without warning.
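The fallback described in the testing section and the silent misconfiguration warned about here leave the same evidence: packets to port 53. Rather than trusting a browser toggle, capture a few minutes of traffic and check. The script below is an added example, not from the original article or from any tool it mentions. It reads a classic pcap (Ethernet link type, IPv4 only) from memory and reports anything on port 53 or 853 alongside HTTPS to the resolver addresses the article names; the sample capture is constructed inline and the leaked query in it is deliberate.

```python
"""Audit a packet capture for plaintext DNS that escaped the DoH path (added example)."""
import ipaddress
import struct

# Resolver addresses named in the article; HTTPS to these is labelled as probable DoH.
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}
LINKTYPE_ETHERNET = 1


def iter_pcap_frames(data: bytes):
    """Yield Ethernet frames from a classic pcap file (not pcapng) held in memory."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def classify_frame(frame: bytes):
    """Label an IPv4 TCP/UDP frame; returns (label, peer) or None for anything else.
    peer is the remote end of the DNS/DoT/HTTPS conversation, whichever direction."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only, for brevity
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if proto not in (6, 17):
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    peer = dst if dport in (53, 853, 443) else src
    if 53 in (sport, dport):
        label = "PLAINTEXT_DNS"
    elif 853 in (sport, dport):
        label = "DOT"
    elif 443 in (sport, dport) and peer in KNOWN_DOH_RESOLVERS:
        label = "DOH_PROBABLE"
    else:
        label = "OTHER"
    return label, peer


def audit(frames):
    """Count frames per label and collect every server spoken to on port 53."""
    counts, leak_servers = {}, set()
    for frame in frames:
        result = classify_frame(frame)
        if result is None:
            continue
        label, peer = result
        counts[label] = counts.get(label, 0) + 1
        if label == "PLAINTEXT_DNS":
            leak_servers.add(peer)
    return counts, sorted(leak_servers)


def audit_pcap(data: bytes):
    return audit(iter_pcap_frames(data))


# --- constructed sample capture (not a real trace); checksums are left at zero ---

def _frame(src, dst, proto, sport, dport, payload=b""):
    l4 = struct.pack("!HH", sport, dport)
    if proto == 17:  # UDP: length, checksum
        l4 += struct.pack("!HH", 8 + len(payload), 0) + payload
    else:            # TCP: seq, ack, offset=5 words, PSH|ACK, window, checksum, urgent
        l4 += struct.pack("!IIBBHHH", 0, 0, 0x50, 0x18, 0xFFFF, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip + l4


def make_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = make_pcap([
    _frame("192.168.1.10", "1.1.1.1", 6, 51000, 443, b"\x16\x03\x01"),          # DoH session
    _frame("1.1.1.1", "192.168.1.10", 6, 443, 51000, b"\x17\x03\x03"),          # and its reply
    _frame("192.168.1.10", "192.168.1.1", 17, 40000, 53, b"\x12\x34\x01\x00"),  # leaked query
    _frame("192.168.1.1", "192.168.1.10", 17, 53, 40000, b"\x12\x34\x81\x80"),  # and its answer
    _frame("192.168.1.10", "93.184.216.34", 6, 51002, 443, b"\x16\x03\x01"),    # ordinary HTTPS
])

if __name__ == "__main__":
    counts, leaks = audit_pcap(SAMPLE_PCAP)
    print(counts)
    print("plaintext DNS servers:", leaks or "none")
```

For a real check, capture on a specific interface (`tcpdump -ni eth0 -w capture.pcap`; `-i any` produces the Linux cooked link type, which this parser rejects), browse for a few minutes, then call `audit_pcap(open("capture.pcap", "rb").read())`. Wireshark saves pcapng by default, so either export as pcap or skip the script and use its display filter `udp.port == 53 || tcp.port == 53`: with DoH working, that filter should match nothing after the browser starts. Any hit names the resolver that is still receiving plaintext, which on a work network is usually the corporate DNS server the browser fell back to.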

The broader push toward encrypted DNS is a net positive for privacy, even with its limitations. It’s not a silver bullet, but it removes a genuinely invasive surveillance vector that’s been exploited for decades.