AnonymFlow
privacy-best-practicesINFO

DNS over HTTPS: Browser Setup Guide for 2026 (Chrome, Firefox, Edge, Safari)

DoH encrypts your DNS queries inside HTTPS so your ISP can't read your browsing history. Step-by-step setup for Chrome, Firefox, Edge, Safari + comparison of NextDNS, Cloudflare, Quad9 + how it interacts with your VPN tunnel.

By Eric Gerard · Editor · AnonymFlow14 min readPhoto via Unsplash

DNS over HTTPS (DoH) encrypts your DNS queries inside generic HTTPS tunnel (port 443) instead of letting them travel plaintext on UDP/53 to your ISP's resolver. Concretely: your ISP no longer sees the list of domains you visit, your public Wi-Fi hotspot can no longer silently redirect your queries to a compromised resolver, and your corporate network operator loses fine-grained visibility into your activity. It's a significant privacy improvement - but configuring it correctly in 2026 requires understanding interactions with VPN, parental control, and the new ECH standard. Here's the step-by-step setup for Chrome, Firefox, Edge, Safari, plus comparison of the three main DoH resolvers (Cloudflare, NextDNS, Quad9) and known pitfalls.

Why configure DoH in 2026?

Classic DNS (RFC 1035, 1987) sends each domain resolution over UDP on port 53, in plaintext. When you type nordvpn.com in Chrome, your browser asks your DNS resolver (typically the ISP's: Comcast, Verizon, Spectrum, BT, Deutsche Telekom) to translate that name into an IP address. This query is readable by:

  • Your ISP (US ISPs sell anonymized browsing data since 2017; UK ISPs retain DNS logs 12 months under Investigatory Powers Act 2016).
  • Public Wi-Fi operator (café, hotel, airport - trivial passive capture).
  • Your router (consumer models log queries for built-in parental controls).
  • Your employer on corporate networks (Cisco Umbrella, Zscaler intercept UDP/53).
  • Any intermediary on the network path (trivial MITM on unencrypted UDP).

DoH (RFC 8484, 2018) solves this: the DNS query is encapsulated in HTTP/2 or HTTP/3 on port 443 (standard HTTPS), so end-to-end encrypted between your browser and the DoH resolver. To an observer on the path, it's generic HTTPS traffic indistinguishable from a Gmail or Wikipedia visit. No way to extract the list of visited domains without breaking TLS - economically and technically unrealistic at scale.

DoH does not solve all privacy problems. The destination IP remains visible (the subsequent TLS connection to nordvpn.com shows you connecting to nordvpn.com's IP - Cloudflare in this case - visible network-side). And the SNI (Server Name Indication) in the TLS handshake reveals the destination hostname plaintext by default. That's where ECH (Encrypted Client Hello) comes in - detailed below. Winning combo 2026: DoH + ECH + no-log VPN = web traffic practically anonymous against passive surveillance. For the broader context of why this defense in depth matters, see why digital privacy matters in 2026.

DoH setup by browser

Chrome / Edge / Brave / Opera (Chromium engine)

All Chromium-based browsers share the same DoH implementation since 2020. Setup is identical.

  1. Open chrome://settings/security (or edge://settings/privacy under Edge).
  2. Security section → find "Use secure DNS".
  3. Enable the toggle. Two options appear:
    • With your current service provider: Chrome uses DoH if system DNS supports it (rare - most consumer ISPs don't expose DoH).
    • With: manual provider selection from dropdown (Cloudflare 1.1.1.1, Google 8.8.8.8, NextDNS, Quad9, OpenDNS) or custom DoH URL entry.
  4. Choose Custom → paste DoH URL by resolver:
    • Cloudflare: https://1.1.1.1/dns-query
    • NextDNS: https://dns.nextdns.io/[your-personal-id] (ID available in your NextDNS dashboard)
    • Quad9: https://dns.quad9.net/dns-query
  5. Save. Page reloads automatically with DoH active.

Verification: go to 1.1.1.1/help. If "Using DNS over HTTPS (DoH)" shows Yes, validated. If No, check local firewall (Windows Defender, Little Snitch) that may block port 443 to Cloudflare IPs in restrictive mode. To validate that no DNS leaks slip out despite DoH being active, follow our complete DNS leak testing methodology.

Firefox

Firefox deployed DoH by default in the US since 2020, manually in Europe.

  1. Open about:preferences#privacy.
  2. Scroll to bottom → DNS over HTTPS Settings section.
  3. Click Enable secure DNS using → three modes:
    • Max Protection: DoH forced, fails if unavailable (recommended for privacy).
    • Increased Protection: DoH active, fallback to classic DNS if DoH fails (compromise).
    • Off: System DNS (ISP).
  4. Choose the resolver: Cloudflare (default), NextDNS, or "Custom" (enter DoH URL).
  5. Save.

Firefox has a major advantage: ECH (Encrypted Client Hello) is active by default since version 118 (October 2023). Nothing to configure - Firefox automatically negotiates ECH with Cloudflare and other compatible CDNs. To verify: about:config → search network.dns.echconfig.enabled → must be true.

Safari (macOS / iOS)

Safari doesn't support native DoH like Chrome or Firefox. Configuration happens at the system level.

macOS Sonoma/Sequoia: Install a signed DoH configuration profile.

  1. NextDNS provides a signed profile on nextdns.io after account creation. Download the .mobileconfig profile.
  2. Open the profile → System Preferences → Profiles → Install.
  3. Enter admin password. DoH profile is active system-wide, so Safari (and all apps) use it automatically.

iOS 14+: Settings → Wi-Fi → tap active network → Configure DNS → Manual → add DoH URL. Simpler: install NextDNS profile from Safari mobile, accept installation. All iOS apps then use DoH (except those forcing their own resolver - TikTok, some Chinese apps).

For Cloudflare DoH iOS: install the free "1.1.1.1" app that configures system DoH and optionally proposes WARP (Cloudflare's free VPN, not to confuse with a strict privacy VPN).

Comparison of the three dominant DoH resolvers

Preinstalled provider lists in Chrome and Firefox (Cloudflare first) make default adoption easy, but the resolver choice is still yours.

ResolverLocationLog policyBuilt-in filteringPrice
Cloudflare 1.1.1.1US (global PoP, EU included)No-log audited KPMG 2024None (1.1.1.2 adds malware)Free
NextDNSFrance/Ireland/globalNo-log default, opt-in logAds, trackers, malware, parental, custom listsFree <300k req/month, $1.99/month unlimited
Quad9 9.9.9.9Switzerland (PCH consortium)Strict no-log, non-profit orgAutomatic malwareFree
Google 8.8.8.8US24-48h anonymized logNoneFree
OpenDNS FamilyUS (Cisco)Enterprise logParental, malwareFree personal / paid pro

On speed, independent public rankings (such as DNSPerf) continuously measure these resolvers' latency from many vantage points: Cloudflare and Google regularly rank among the fastest, while NextDNS and Quad9 stay competitive in Europe. Real-world gaps depend on your location, your ISP, and the nearest point of presence - check a public benchmark for your specific situation.

Practical recommendation 2026:

  • Privacy maximalist, simplicity: Cloudflare 1.1.1.1 (fastest, KPMG audit, zero configuration).
  • Custom filtering (block ads, trackers, parental): NextDNS, free plan sufficient for personal use <300k queries/month (a normal household consumes ~50-150k queries/month).
  • Organizational trust, Swiss jurisdiction: Quad9, non-profit, no ties to US Big Tech.

To avoid for strict privacy: Google 8.8.8.8 (US jurisdiction, 24-48h log, obvious advertising commercial interest) and DoH resolvers offered by ISPs (Comcast, Verizon - log policy = ISP policy, so no privacy gain).

DoH ↔ VPN conflict: the most frequent leak in 2026

This is the #1 problem identified in DNS leak audits post-2022. When Chrome/Firefox/Edge enable DoH by default at the browser level, DNS queries exit the browser directly to Cloudflare via HTTPS, bypassing system DNS. But the VPN manages DNS at the system level (routes UDP/53 queries through the tunnel). Consequence: your HTTP/HTTPS traffic travels through the VPN, but your DNS queries travel through HTTPS direct outside the VPN - the list of domains you visit remains visible to Cloudflare (potentially logged) and to the ISP network (which sees HTTPS connections to Cloudflare alongside the VPN).

Test your situation: open dnsleaktest.com in Extended mode → if you see Cloudflare responding (not your VPN IP), browser DoH is active and bypassing the VPN. That's technically a residual DNS leak.

Three solutions by preference order:

  1. Disable browser DoH when VPN is active (Chrome settings → secure DNS → off). VPN manages DNS at OS level and tunnels all queries. Standard approach. Drawback: requires reconfiguring at each VPN/non-VPN switch.
  2. Use a VPN with native integrated DoH. NordVPN Threat Protection includes its own DoH resolver since 2024, which tunnels DoH queries inside the WireGuard tunnel - no leaks, consistent navigation. ExpressVPN and Mullvad adopted the same approach.
  3. Configure the browser on the VPN's DoH resolver (advanced). NordVPN exposes its internal resolvers on 103.86.96.X (confirm with support - IP varies by server). Not the recommended solution - too much friction.
Editorial pick
4.6 / 5

NordVPN Threat Protection - Native DoH integrated

Resolves DoH/VPN conflict without manual setup · Deloitte 2024 audit · 30-day money back

Deloitte audit 202430-day guarantee14M+ users
See the offer

DoH on mobile: iOS and Android

iOS 14+

Three approaches depending on the desired configuration level:

  • Per-Wi-Fi: Settings → Wi-Fi → active network → Configure DNS → Manual → add DoH URL. Drawback: per-network configuration, doesn't apply on cellular.
  • System profile (recommended): install a .mobileconfig profile from Safari mobile. Cloudflare provides 1.1.1.1 that preconfigures system-wide DoH. NextDNS generates a personalized profile from the user dashboard, including account ID and filtering rules.
  • Third-party app: 1.1.1.1, AdGuard, NextDNS app. Configure DoH at local VPN level - all iOS apps automatically use DoH.

Android 9+

Android officially uses DoT (DNS over TLS) under the "Private DNS" label in Settings → Network & Internet → Private DNS. Setup:

  1. Select Private DNS provider hostname.
  2. Enter hostname (not full URL):
    • Cloudflare: 1dot1dot1dot1.cloudflare-dns.com
    • NextDNS: [your-id].dns.nextdns.io
    • Quad9: dns.quad9.net
  3. Save. DoT active system-wide.

For strict DoH on Android (instead of DoT), install a dedicated app: AdGuard Android, NextDNS app, 1.1.1.1 by Cloudflare. They create a local VPN that intercepts DNS and sends it via DoH. Compatible with external VPN (NordVPN) via VPN chaining if the app supports it.

ECH: the complementary layer in 2026

A login screen with a password field
A login screen with a password field

DoH encrypts the DNS query. But once resolved, your browser establishes a TLS connection to the site's IP - and sends the SNI (Server Name Indication) in plaintext in the TLS ClientHello to indicate to the server which specific site is requested (useful for servers hosting multiple HTTPS sites). This SNI is visible to your ISP and any network intermediary, even if everything else is encrypted. Consequence: despite DoH, your ISP can reconstruct the visited site list via SNI.

ECH (Encrypted Client Hello, RFC draft 2023) fixes this flaw by encrypting the SNI itself. The ClientHello is split into two parts: an "outer" sent in plaintext (with a generic fake SNI like cloudflare.com) and an "inner" encrypted with the resolver's public key. For an observer: impossible to know which specific site is requested.

Before ECH, your ISP could correlate destination IP with plaintext SNI to reconstruct your browsing history. Combining DoH + ECH + VPN kill switch remains the best 2026 practice precisely to neutralize this residual leak - each layer covers the gaps of the other two.

Deployment state in May 2026:

  • Firefox 118+: ECH active by default since October 2023. No configuration needed.
  • Chrome / Edge / Brave: ECH available behind flag since Chrome 117, enabled by default in Chrome 124 (April 2026). Check chrome://flags/#encrypted-client-hello → Default or Enabled.
  • Safari: ECH in preview since macOS Sequoia, progressive rollout in 2026.

Server side, Cloudflare deploys ECH across its entire CDN since 2023 (covers ~20% of the global web). Fastly and Akamai in progressive deployment. Self-hosted sites: requires Nginx 1.27+ with ECH module or experimental Caddy.

Verify ECH active: cloudflare.com/ssl/encrypted-sni. Result "Encrypted SNI" must be green. If red, check that you're using Firefox 118+ or Chrome 124+ with DoH enabled (ECH depends on DoH to retrieve the server's public key via HTTPS DNS record).

Performance and real impact

DoH adds a slight overhead compared to classic UDP DNS: the time to establish the TLS connection, then the HTTP encapsulation of each query. On a fast resolver with a persistent connection, this overhead shrinks to a few milliseconds per query after the first handshake - negligible in practice, since DNS represents less than 1% of total page load time. The browser DoH cache (Chrome keeps a cache of recent entries by default) further speeds up repeated queries, rivaling classic UDP DNS.

On degraded networks (cellular while mobile, saturated public Wi-Fi hotspot), DoH can even behave better than UDP DNS in some cases - UDP packets are sometimes lost without an aggressive retransmission mechanism on saturated networks, while DoH benefits from native TCP retry that compensates for packet loss. The exact impact depends on the network, the resolver, and the nearest point of presence.

Known pitfalls in 2026

Pitfall #1 - Broken parental control. If your children enable DoH in their browser (Chrome, Firefox), DNS-based parental control (OpenDNS Family, Cleanbrowsing at router, carrier-side) is completely bypassed. 2026 solution: block DoH at router via firewall rule (Asus AiProtection, Pi-hole + dnsmasq forcing local DNS), or install family NextDNS supporting DoH with parental filtering.

Pitfall #2 - Enterprise filtering bypassed. Corporate DLP (Data Loss Prevention) and URL filtering policies rely on DNS interception. DoH enabled on employee workstations bypasses IT policy. Solution: deploy Cloudflare Gateway or Zscaler with DoH-compatible policy (corporate agent intercepts DoH instead of DNS).

Pitfall #3 - DoH blocked in certain countries. Russia, Iran, China intermittently block Cloudflare 1.1.1.1 and other public DoH resolvers. Solution: NextDNS rotating IPs, or DoH via VPN (VPN tunnels DoH, becomes invisible to country filtering).

Pitfall #4 - Conflict with Pi-hole. If you use Pi-hole to block ads at network level, browser DoH bypasses Pi-hole. Solution: configure Pi-hole with cloudflared as DoH upstream (Pi-hole becomes local DoH resolver), block browser DoH via firewall rules, and force browser to use system DNS (Pi-hole).

Pitfall #5 - Apps forcing their DNS. TikTok, certain Chinese OEM apps (Xiaomi, Huawei), banking apps with anti-MITM force their own resolver regardless of system DoH config. No clean solution - intrinsic mobile ecosystem limitation.

Recap: DoH setup in 2026

LevelToolDifficultyCoverage
Browser onlyChrome / Firefox DoH1 minuteBrowser traffic only
Mobile app1.1.1.1, NextDNS app2 minutesAll mobile apps
macOS system.mobileconfig profile3 minutesAll macOS apps
Android systemNative private DNS1 minuteAll Android apps
Local networkPi-hole + cloudflared30 minutesAll household devices
Integrated VPNNordVPN Threat Protection0 minutesAll VPN traffic

2026 recommendation: for personal use, enable browser DoH (Cloudflare or NextDNS) + combine with no-log VPN that handles DoH at tunnel level. NordVPN Threat Protection resolves DoH/VPN conflict without manual configuration. Verify ECH active on Firefox 118+ or Chrome 124+. For households with children, add family NextDNS that filters inappropriate domains while respecting DoH encryption.

Editorial pick
4.6 / 5

NordVPN with native DoH - DNS privacy without setup

Threat Protection included · Deloitte 2024 audit · 30-day money back guarantee

Deloitte audit 202430-day guarantee14M+ users
See the offer

Key takeaways

DoH isn't magical protection, it's a foundational brick of 2026 web privacy - just as HTTPS became after 2018. Encrypting DNS resolution prevents trivial passive surveillance (ISP, hotspot, employer) but masks neither IP nor SNI without ECH. Winning combo: DoH (Cloudflare or NextDNS) + ECH (Firefox 118+ or Chrome 124+) + audited no-log VPN = triple layer making personal-use surveillance practically impossible without direct device access.

Configuring DoH takes 5 minutes per browser, 0 minutes with a VPN that includes it natively. Verify parental control and enterprise filtering still work after activation. For strict privacy, disable browser DoH when a VPN already manages DNS at system level - otherwise redundant double layer that can create leaks.

Going further. Related reading: Tor over VPN.

Deepen DNS and browser privacy

Editorial pick
4.4 / 5

Privacy-first VPN → Proton VPN

Audited no-logs · Swiss jurisdiction · open-source · free tier

SEC Consult audit 2024Swiss jurisdictionOpen-source
See the offer
Everything you need to know.

Frequently asked questions

Is DNS over HTTPS (DoH) enough to protect my privacy?

No. DoH encrypts the DNS query between your browser (or OS) and the chosen DoH resolver (Cloudflare, NextDNS, Quad9). That's a significant improvement: your ISP no longer sees the list of domains you visit in plaintext (before DoH, DNS queries traveled on UDP port 53 unencrypted, readable by any intermediary). But DoH masks neither your public IP address (visible to web servers) nor the TCP connection itself (visible to the ISP via the TLS SNI - unless ECH is enabled, see below). For full privacy, DoH combines with an audited no-log VPN that masks the IP and tunnels all traffic. DoH alone is useful against passive surveillance (ISP, public Wi-Fi hotspot, corporate network operator), insufficient against IP/SNI correlation.

Which DoH resolver should I choose in 2026: Cloudflare, NextDNS, or Quad9?

Three distinct profiles. **Cloudflare 1.1.1.1**: generally among the fastest in Europe (independent public rankings such as DNSPerf consistently place it near the top), no-log policy audited by KPMG 2024, US-based (unfavorable jurisdiction but transparent audit). **NextDNS**: most configurable (ad filtering, tracking, parental, custom blocklists), free up to 300,000 queries/month, France/Ireland-based, optional opt-in logs. **Quad9 9.9.9.9**: security-focused with automatic malware filtering, Swiss non-profit organization, strict no-log (session cookies only). For personal use: NextDNS if custom filtering matters, Cloudflare if pure speed, Quad9 if Swiss organizational trust. For pro use: NextDNS paid account ($1.99/month) unlocks unlimited + analytics.

Does browser DoH conflict with my VPN?

Yes - it's the #1 cause of residual DNS leaks despite active VPN. When Chrome or Firefox enable DoH by default, they send DNS queries directly to the DoH resolver (Cloudflare, NextDNS) bypassing system DNS - therefore bypassing the VPN tunnel. Three solutions: (1) **disable browser DoH** when VPN is active (settings → privacy → secure DNS → off), letting the VPN handle DNS at the system level; (2) **configure the browser on the VPN's DNS** (NordVPN exposes 103.86.96.X, ExpressVPN has its own resolvers) - possible but requires manual lookup; (3) **use a VPN with native DoH integrated** that routes DoH through the tunnel. NordVPN Threat Protection includes its own DoH resolver since 2024. Then test via dnsleaktest.com - no DNS outside the VPN should appear.

Does DoH work on iOS and Android?

Yes, natively on both since 2021. **iOS 14+**: Settings → Wi-Fi → current network → Configure DNS → Manual → add a DoH URL (`https://dns.nextdns.io/[your-id]` or `https://1.1.1.1/dns-query`). For universal application, install a signed configuration profile (NextDNS provides one Apple-signed). **Android 9+**: Settings → Network & Internet → Private DNS → Private DNS provider hostname → enter the hostname (`dns.nextdns.io` or `1dot1dot1dot1.cloudflare-dns.com`). Note: Android uses DoT (DNS over TLS) under the 'Private DNS' label, not strictly DoH - equivalent functionality, different encapsulation. Enabling this option encrypts all phone DNS queries except apps that force their own resolver.

Does DoH improve or degrade performance?

Slight theoretical degradation but imperceptible in normal use. Classic DNS UDP/53 responds in a few milliseconds to the ISP resolver. DoH adds the cost of establishing a TLS connection (initial handshake), then each query travels in HTTP/2 or HTTP/3. On a fast resolver like Cloudflare 1.1.1.1, the TLS connection is persistent and the handshake amortized - the marginal cost per query after warmup is small. Note: browser DoH cache (Chrome, Firefox) speeds up repeated queries so the total can become comparable to or faster than uncached UDP DNS. In practice, DNS represents a negligible fraction of page load time, so the DoH overhead is unnoticeable to the user.

Can my ISP block DoH?

Technically difficult, politically possible. DoH runs on HTTPS port 443 - blocking port 443 would block 95% of the web. But an ISP can specifically block known DoH resolver IPs (1.1.1.1, 9.9.9.9, published NextDNS IPs) if regulation allows it. In Western Europe, no widespread DoH blocking is documented as of May 2026. In Russia and Iran, Cloudflare 1.1.1.1 is intermittently blocked since 2022 - solution: NextDNS rotating IPs or DoH via VPN that hides DoH from the ISP. In enterprise, the corporate ISP can block Cloudflare DoH to force internal DNS (audit, URL filtering) - legitimate and negotiable with IT. The resolver remains operational via private VPN bypassing corporate DNS.

Does ECH (Encrypted Client Hello) replace DoH?

No, ECH complements DoH without replacing it. DoH encrypts the **DNS query** (domain → IP resolution). ECH encrypts the **TLS SNI** (Server Name Indication, which reveals which site is requested at TLS handshake time - visible without DoH or ECH even with HTTPS enabled). Without ECH, your ISP still sees which site you visit via plaintext SNI during the TLS handshake, even with DoH active. ECH partially deployed at Cloudflare since 2023 and enabled by default in Firefox 118+ (October 2023). To verify ECH active: go to [cloudflare.com/ssl/encrypted-sni](https://www.cloudflare.com/ssl/encrypted-sni/), 'Encrypted SNI' result should be green. Winning combo 2026: browser DoH + ECH active + no-log VPN. Triple layer that makes user ↔ domain correlation practically impossible.

How does DoH impact parental control and enterprise filtering?

Major impact to anticipate. DNS-based parental control solutions (OpenDNS Family Shield, Cleanbrowsing, carrier-side controls) work by intercepting UDP/53 DNS queries to block inappropriate domains. If a child enables browser DoH, filtering is **completely bypassed** - queries travel to Cloudflare instead of the family resolver. 2026 parental solutions: (1) block DoH at the router via firewall rule (Asus AiProtection, Pi-hole + dnsmasq), (2) configure NextDNS with family account on all devices (NextDNS supports DoH with filtering), (3) use a parental VPN forcing the filtering DNS. Enterprise side, same principle: force Cloudflare Gateway or Zscaler with DoH-compatible policy. Simply blocking UDP/53 is no longer enough.

DoH or DoT: what's the practical difference?

Encapsulation difference, not encryption. **DoT (DNS over TLS, RFC 7858, 2016)** sends DNS queries on TCP port 853 with direct TLS - easy detection (dedicated port), trivial blocking. **DoH (DNS over HTTPS, RFC 8484, 2018)** encapsulates DNS queries in HTTP/2 or HTTP/3 on port 443 - indistinguishable from normal web traffic, filtering bypass. Browser side, DoH dominates (Chrome, Firefox, Edge support it natively). Android system side, DoT is used under the 'Private DNS' label. Linux side, systemd-resolved supports DoT since 2020, DoH manually via cloudflared or dnsdist. 2026 recommendation: DoH client-side (browser, app) for blocking resistance, DoT server-side (home recursive resolver) for configuration simplicity.

How do I verify DoH is active in my browser?

Three independent tests to confirm. (1) **Cloudflare test**: go to [1.1.1.1/help](https://1.1.1.1/help) - the page lists 'Using DNS over HTTPS (DoH)' Yes/No. If Yes, DoH is active. (2) **Mozilla test**: [test.dnsleak.com](https://test.dnsleak.com/) shows which resolver responds and its protocol. (3) **Wireshark test** (advanced): capture network traffic and observe absence of outgoing UDP/53 queries after a browser search - only HTTPS/443 to the DoH resolver should appear. If plaintext DNS still leaks, it's because (a) another app bypasses browser DoH (extension, plugin, other browser open), (b) system responds before browser (Windows Smart Multi-Homed). Disable bypasses for DoH-only setup.