Traditional DNS queries travel in plain text over UDP port 53. That means your ISP, the cafe Wi-Fi owner, or anyone in the middle of the network can see which sites you visit. DoH (DNS over HTTPS) was created to fix that, and today it is supported by Firefox, Chrome, Edge and iOS.
How DoH works
DoH wraps DNS queries inside an HTTPS session and sends them over port 443. They are indistinguishable from ordinary web traffic, so an ISP cannot separate DNS from the HTTPS stream. The list of sites you visit stays private and the exchange with the DoH server is encrypted.
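Added example, not code from the article: the Python below shows the two pieces that "wrapping DNS in HTTPS" actually consists of, the ordinary DNS message in RFC 1035 wire format and its RFC 8484 encoding for a DoH request (base64url without padding in a GET "dns" parameter, or the raw message as a POST body with the application/dns-message media type). The resolver URL and the answer are constructed placeholders, so the script runs offline; a real client would send the request over TLS and pass the HTTP body to parse_response.

```python
import base64
import struct

# Added example, not code from the article. Builds an RFC 1035 query,
# encodes it per RFC 8484 for DoH, and parses a constructed answer.
# Nothing here touches the network.

DOH_TEMPLATE = "https://doh.example/dns-query?dns="  # placeholder resolver URL
TYPE_A = 1
CLASS_IN = 1


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """One-question DNS query. RFC 8484 suggests ID 0 so identical queries
    produce identical HTTP requests and can be served from HTTP caches."""
    flags = 0x0100  # RD (recursion desired)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, CLASS_IN)


def doh_get_url(query: bytes, template: str = DOH_TEMPLATE) -> str:
    """GET form: base64url-encoded message with the '=' padding removed."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return template + token


def doh_post_request(query: bytes, url: str = "https://doh.example/dns-query"):
    """POST form: the raw message is the body, tagged with the DoH media type."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return url, headers, query


def decode_dns_param(token: str) -> bytes:
    """Inverse of doh_get_url: restore padding, then base64url-decode."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def _read_name(msg: bytes, offset: int):
    """Read a possibly compressed domain name; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            name, _ = _read_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed sample answer standing in for what a DoH server returns."""
    txid = query[:2]
    question = query[12:]                      # qname + qtype + qclass, copied back
    header = txid + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack(">HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + question + answer


def parse_response(query: bytes, resp: bytes):
    """Return (rcode, [(name, 'A', ttl, ip), ...]) after checking the ID matches."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if txid != struct.unpack(">H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _, offset = _read_name(resp, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(resp, offset)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", resp[offset:offset + 10])
        offset += 10
        rdata = resp[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
    return flags & 0xF, answers


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(q))
    print(parse_response(q, constructed_response(q, "192.0.2.1")))
```

The transaction-ID check in parse_response is the same sanity check a plain UDP resolver does; what DoH adds is that the body arrives inside the TLS session, so a response that was not produced by the server named in the URL cannot be slipped in on the wire.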
The most popular public DoH providers are Cloudflare (1.1.1.1), Google Public DNS (8.8.8.8) and Quad9 (9.9.9.9). Each has its own policy: Cloudflare promises to delete logs after 24 hours, Quad9 automatically blocks malicious domains. Users can pick any provider in their browser or OS.
Privacy and security
DNS queries paint a complete picture of your browsing. Even when pages inside HTTPS are encrypted, the domain you visit leaks through plain DNS. DoH closes that leak, so the ISP has no DNS record of your browsing history to sell.
DoH also protects from man-in-the-middle attacks. Since plain DNS is open, an attacker can inject a fake reply and route you to a phishing site (DNS spoofing). With DoH this is practically impossible.
Difference from DoT
A close relative is DoT (DNS over TLS). Both encrypt DNS, but DoT uses a separate port 853 while DoH uses the standard 443. DoT is easier to manage in a corporate network. DoH is indistinguishable from normal web traffic and fits individual privacy better.
The choice depends on who you are. For a corporate admin, DoT is better — easier to govern. For a regular user or journalist, DoH wins because it is harder to block.
Drawbacks and warnings
DoH is not always great. In corporate networks it bypasses DNS-based security filtering — if the company blocks malicious domains at DNS level, DoH renders those filters useless. Many admins disable DoH on their networks.
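Added example, not code from the article: the Python below shows, from the admin's side, the port difference described under "Difference from DoT" and why DoH can slip past DNS-level filtering. It reads constructed flow records (timestamp, client, destination IP, destination port, TLS SNI), flags DoT by its dedicated port 853, and can only single out DoH on port 443 when the destination IP or SNI matches a resolver the admin already knows about; the resolver IPs are the three named in the article, the hostnames are those providers' public DoH endpoints, and the internal resolver address is made up.

```python
from collections import Counter, defaultdict

# Added example, not code from the article. Constructed flow records in the
# form "timestamp client dst_ip dst_port sni" ("-" when no TLS SNI was seen).
SAMPLE_FLOWS = """\
2024-05-01T09:00:01 10.0.0.5 10.0.0.2 53 -
2024-05-01T09:00:02 10.0.0.5 203.0.113.10 443 www.example.com
2024-05-01T09:00:03 10.0.0.6 8.8.8.8 53 -
2024-05-01T09:00:04 10.0.0.7 9.9.9.9 853 dns.quad9.net
2024-05-01T09:00:05 10.0.0.8 1.1.1.1 443 cloudflare-dns.com
2024-05-01T09:00:06 10.0.0.8 8.8.8.8 443 dns.google
2024-05-01T09:00:07 10.0.0.9 198.51.100.20 443 -
"""

RESOLVER_IPS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}   # providers named in the article
DOH_HOSTNAMES = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}  # their DoH endpoints
INTERNAL_RESOLVERS = {"10.0.0.2"}                   # constructed: the company's own DNS server

BYPASS_CATEGORIES = ("dot", "doh-known-resolver", "plain-dns-external")


def classify_flow(dst_ip: str, dst_port: int, sni: str) -> str:
    """Label one flow. DoT is visible from the port alone; DoH is not."""
    if dst_port == 53:
        return "plain-dns-internal" if dst_ip in INTERNAL_RESOLVERS else "plain-dns-external"
    if dst_port == 853:
        return "dot"
    if dst_port == 443:
        # DoH shares 443 with all web traffic. Only the destination IP or the
        # TLS SNI can single it out, and only for resolvers already known.
        if dst_ip in RESOLVER_IPS or sni in DOH_HOSTNAMES:
            return "doh-known-resolver"
        return "https"
    return "other"


def parse_flows(text: str):
    """Turn the constructed log text into (ts, client, dst_ip, dst_port, sni) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst_ip, dst_port, sni = line.split()
        records.append((ts, client, dst_ip, int(dst_port), sni))
    return records


def bypass_report(text: str):
    """Per-client category counts, plus the sorted list of clients whose DNS
    reaches something other than the internal resolver (DoT, known DoH,
    or external plain DNS). Unknown DoH endpoints remain invisible here."""
    per_client = defaultdict(Counter)
    for _, client, dst_ip, dst_port, sni in parse_flows(text):
        per_client[client][classify_flow(dst_ip, dst_port, sni)] += 1
    bypassing = sorted(client for client, counts in per_client.items()
                       if any(cat in counts for cat in BYPASS_CATEGORIES))
    return {client: dict(counts) for client, counts in per_client.items()}, bypassing


if __name__ == "__main__":
    report, clients = bypass_report(SAMPLE_FLOWS)
    for client, counts in sorted(report.items()):
        print(client, counts)
    print("clients bypassing the internal resolver:", clients)
```

Client 10.0.0.9 is the case that matters for the article's warning: its port-443 flow to an unlisted destination with no SNI is counted as ordinary HTTPS, which is exactly what a DoH session to an unknown or self-hosted server looks like. Port-based rules catch DoT and external plain DNS; for DoH the admin has to maintain a resolver list, block or redirect port 53 and 853, and configure clients to use the internal resolver rather than rely on the network to spot the traffic.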
Another point — the DoH server itself sees your queries. If you do not trust Cloudflare or Google, the alternative is to host your own DoH server. It is complex but the only path to full privacy.
Sayt.uz practice
11 percent of our clients run a private DoH server on our VPS. In 2032, 89 percent of 67 installed servers answered on average 28 ms faster than Cloudflare or Quad9 because they sit closer to Uzbek networks. Our DoH server setup service costs 280,000 UZS and includes the certificate, nginx config and monitoring. On the VPS plan (from 95,000 UZS per month) a free setup guide is included. Customer DoH servers handle around 2.3 million queries per day on average.