How to Encrypt Your DNS Without Touching Your Router with DoH: A Complete Guide

Last update: 16/10/2025

  • DoH encrypts DNS queries using HTTPS (port 443), improving privacy and preventing tampering.
  • It can be activated in browsers and systems (incl. Windows Server 2022) without depending on the router.
  • Performance similar to classic DNS; complemented by DNSSEC to validate responses.
  • Popular DoH servers (Cloudflare, Google, Quad9) and the ability to add or set up your own resolver.

How to encrypt your DNS without touching your router using DNS over HTTPS

How to encrypt your DNS without touching your router using DNS over HTTPS? If you are concerned about who can see which websites you connect to, encrypting Domain Name System queries with DNS over HTTPS is one of the easiest ways to increase your privacy without having to fight with your router. With DoH, the translator that converts domains to IP addresses stops traveling in the clear and goes through an HTTPS tunnel.

In this guide you will find, in direct language and without too much jargon, what exactly DoH is, how it differs from other options like DoT, how to enable it in browsers and operating systems (including Windows Server 2022), how to verify that it is actually working, which servers support it, and, if you are feeling brave, even how to set up your own DoH resolver. All of it without touching the router, except for an optional section for those who do want to configure it on a MikroTik.

What is DNS over HTTPS (DoH) and why you might care


When you type a domain (for example, Xataka.com), the computer asks a DNS resolver for its IP. This exchange usually happens in plain text, so anyone on your network, your Internet provider, or intermediate devices can snoop on it or manipulate it. This is the essence of classic DNS: fast, ubiquitous… and transparent to third parties.

This is where DoH comes in: it moves those DNS questions and answers into the same encrypted channel used by the secure web (HTTPS, port 443). The result is that they no longer travel "in the open," reducing the possibility of eavesdropping, query hijacking, and certain man-in-the-middle attacks. Furthermore, in many tests latency does not worsen appreciably and can even improve thanks to transport optimizations.

A key advantage is that DoH can be enabled at the application or system level, so you don't have to rely on your carrier or router to enable anything. That is, you can protect yourself "from the browser out," without touching any network equipment.

It is important to distinguish DoH from DoT (DNS over TLS): DoT encrypts DNS on port 853 directly over TLS, while DoH integrates it into HTTP(S). DoT is simpler in theory, but it is more likely to be blocked by firewalls that cut off uncommon ports; DoH, by using 443, better circumvents these restrictions and resists forced downgrades to unencrypted DNS.

On privacy: using HTTPS does not imply cookies or tracking in DoH; the standards expressly advise against their use in this context. TLS 1.3 also reduces the need to restart sessions, minimizing correlation. And if you are concerned about performance, HTTP/3 over QUIC can provide additional improvements by multiplexing queries so that they do not block one another.

How DNS works, common risks, and where DoH fits in

The operating system normally learns which resolver to use via DHCP; at home you usually use the ISP's, in the office the corporate network's. When this communication is unencrypted (UDP/TCP 53), anyone on your Wi-Fi or along the route can see the queried domains, inject fake responses, or redirect you to search pages when the domain does not exist, as some operators do.

A typical traffic analysis reveals ports, source/destination IPs, and the resolved domain itself. This not only exposes browsing habits, it also makes it easier to correlate subsequent connections, for example to Twitter addresses or similar, and deduce which exact pages you have visited.

With DoT, the DNS message goes inside TLS on port 853; with DoH, the DNS query is encapsulated in a standard HTTPS request, which also enables its use by web applications through browser APIs. Both mechanisms share the same foundation: server authentication with a certificate and an end-to-end encrypted channel.
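To make that encapsulation concrete, here is an added Python example (not code from the original article) that builds the RFC 8484 GET form of a DoH query and parses the answer section of a response. The endpoint URL is Cloudflare's public DoH resolver, assumed here as the target, and the response bytes are constructed for the example rather than captured from a real resolver.

```python
import base64
import struct

DOH_URL = "https://cloudflare-dns.com/dns-query"  # Cloudflare's public DoH endpoint (assumed)
DNS_MESSAGE = "application/dns-message"           # media type required by RFC 8484


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Plain RFC 1035 wire-format query; DoH carries it unchanged. ID is 0 (RFC 8484 recommends it so HTTP caches can reuse the message), RD=1."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(query: bytes, base: str = DOH_URL) -> str:
    """GET form: base64url of the message with padding stripped, in the 'dns' parameter. (The POST form sends the raw bytes as the body with Content-Type DNS_MESSAGE.)"""
    return base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_a_answers(msg: bytes) -> list[str]:
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips

# Constructed sample response (not a real capture): example.com A 203.0.113.10, TTL 300
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0) + encode_name("example.com")
                   + struct.pack(">HH", 1, 1) + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
                   + bytes([203, 0, 113, 10]))
```

Sending the GET URL over HTTPS with an Accept header of application/dns-message, or POSTing the raw bytes, is all that distinguishes DoH from a classic UDP port 53 query carrying the same message.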


The problem with new ports is that some networks commonly block 853, encouraging software to "fall back" to unencrypted DNS. DoH mitigates this by using 443, which is common for the web. DNS over QUIC also exists as another promising option, although it requires open UDP and is not always available.

Even when encrypting the transport, be careful with one nuance: if the resolver lies, encryption does not correct it. For this purpose DNSSEC exists, which allows validating the integrity of responses, although its adoption is not widespread and some intermediaries break it. Even so, DoH prevents third parties along the way from snooping on or tampering with your queries.

Activate it without touching the router: browsers and systems

The most straightforward way to get started is to enable DoH in your browser or operating system. This is how you shield queries from your computer without depending on the router firmware.

Google Chrome

In current versions you can go to chrome://settings/security and, under "Use secure DNS", activate the option and choose the provider (your current provider if it supports DoH, or one from the list, such as Cloudflare or Google DNS).

In previous versions, Chrome offered an experimental switch: type chrome://flags/#dns-over-https, search for “Secure DNS lookups” and change it from Default to Enabled. Restart your browser to apply the changes.

Microsoft Edge (Chromium)

Chromium-based Edge includes a similar option. If you need it, go to edge://flags/#dns-over-https, locate "Secure DNS lookups" and set it to Enabled. In modern versions, activation is also available in the privacy settings.

Mozilla Firefox

Open the menu (top right) > Settings > General > scroll down to "Network Settings", click Settings and check "Enable DNS over HTTPS". You can choose from providers like Cloudflare or NextDNS.

If you prefer fine control, in about:config adjust network.trr.mode: 2 (opportunistic) uses DoH and falls back if it is not available; 3 (strict) mandates DoH and fails if there is no support. With strict mode, define a bootstrap resolver such as network.trr.bootstrapAddress=1.1.1.1.

Opera

Since version 65, Opera includes an option to enable DoH with 1.1.1.1. It comes disabled by default and operates in opportunistic mode: if 1.1.1.1:443 responds, it will use DoH; otherwise, it falls back to the unencrypted resolver.

Windows 10/11: Autodetect (AutoDoH) and Registry

Windows can automatically enable DoH with certain known resolvers. In older versions, you can force the behavior from the Registry: run regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters.

Create a DWORD (32-bit) called EnableAutoDoh with value 2 and restart the computer. This works if you are using DNS servers that support DoH.

Windows Server 2022: DNS client with native DoH

The built-in DNS client in Windows Server 2022 supports DoH. You will only be able to use DoH with servers that are on its "Known DoH" list or that you add yourself. To configure it from the graphical interface:

  1. Open Windows Settings > Network and Internet.
  2. Go to Ethernet and choose your interface.
  3. On the network screen, scroll down to DNS configuration and press Edit.
  4. Select “Manual” to define preferred and alternate servers.
  5. If those addresses are on the known DoH list, "Preferred DNS Encryption" becomes available with three options:
    • Encryption only (DNS over HTTPS): Force DoH; if the server does not support DoH, there will be no resolution.
    • Prefer encryption, allow unencrypted: Attempts DoH and if it fails, falls back to unencrypted classic DNS.
    • Unencrypted only: Uses traditional plaintext DNS.
  6. Save to apply changes.

You can also query and extend the list of known DoH resolvers using PowerShell. To see the current list:

Get-DNSClientDohServerAddress

To register a new known DoH server with its template, use:

Add-DnsClientDohServerAddress -ServerAddress "<resolver-IP>" -DohTemplate "<DoH-template-URL>" -AllowFallbackToUdp $False -AutoUpgrade $True

Note that the Set-DNSClientServerAddress cmdlet does not itself control the use of DoH; encryption depends on whether those addresses are in the table of known DoH servers. You cannot currently configure DoH for the Windows Server 2022 DNS client from Windows Admin Center or with sconfig.cmd.

Group Policy in Windows Server 2022

There is a policy called "Configure DNS over HTTPS (DoH)" under Computer Configuration\Policies\Administrative Templates\Network\DNS Client. When enabled, you can choose:

  • Allow DoH: uses DoH if the server supports it; otherwise, queries unencrypted.
  • Prohibit DoH: never uses DoH.
  • Require DoH: forces DoH; if there is no support, resolution fails.

Important: do not enable "Require DoH" on domain-joined computers. Active Directory relies on DNS, and the Windows Server DNS Server role does not support DoH queries. If you need to secure DNS traffic within an AD environment, consider using IPsec rules between clients and internal resolvers.

If you want to send specific domains to specific resolvers, you can use the NRPT (Name Resolution Policy Table). If the destination server is on the known DoH list, those queries will travel over DoH.

Android, iOS and Linux

On Android 9 and higher, the Private DNS option allows DoT (not DoH) with two modes: "Automatic" (opportunistic, uses the network's resolver) and "Strict" (you must specify a hostname that is validated by certificate; direct IPs are not supported).

On iOS and Android, Cloudflare's 1.1.1.1 app enables DoH or DoT in strict mode, using the VPN API to intercept unencrypted requests and forward them through a secure channel.

On Linux, systemd-resolved has supported DoT since systemd 239. It is disabled by default; it offers an opportunistic mode without certificate validation and a strict mode (since 243) with CA validation but without SNI or name verification, which weakens the trust model against on-path attackers.

On Linux, macOS, or Windows, you can opt for a strict-mode DoH client such as cloudflared proxy-dns (by default it uses 1.1.1.1, although you can define alternative upstreams).

Known DoH Servers (Windows) and how to add more

Windows Server includes a list of resolvers that are known to support DoH. You can check it with PowerShell and add new entries if you need to.

These are the known DoH servers out of the box:

Server owner   DNS server IP addresses
Cloudflare     1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
Google         8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844
Quad9          9.9.9.9, 149.112.112.112, 2620:fe::fe, 2620:fe::fe:9

To see the list, run:

Get-DNSClientDohServerAddress

To add a new DoH resolver with its template, use:

Add-DnsClientDohServerAddress -ServerAddress "<resolver-IP>" -DohTemplate "<DoH-template-URL>" -AllowFallbackToUdp $False -AutoUpgrade $True

If you manage multiple namespaces, the NRPT lets you steer specific domains to a specific resolver that supports DoH.

How to check if DoH is active

In browsers, visit https://1.1.1.1/help; there you will see whether your traffic is using DoH with 1.1.1.1 or not. It is a quick way to check your status.

In Windows 10 (version 2004), you can monitor for classic DNS traffic (port 53) with pktmon from a privileged console:

pktmon filter add -p 53
pktmon start --etw -m real-time

If a constant stream of packets appears on port 53, it is very likely that you are still using unencrypted DNS. Remember: the --etw -m real-time parameters require version 2004; in earlier versions you will see an "unknown parameter" error.

Optional: configure it on the router (MikroTik)

If you prefer to centralize encryption on the router, you can easily enable DoH on MikroTik devices. First, import the root CA that issued the certificate of the server you will connect to. For Cloudflare you can download DigiCertGlobalRootCA.crt.pem.

Upload the file to the router (by dragging it to "Files"), and go to System > Certificates > Import to incorporate it. Then, configure the router's DNS with the Cloudflare DoH URL. Once active, the router will prioritize the encrypted connection over the default unencrypted DNS.


To validate that everything is in order, visit 1.1.1.1/help from a computer behind the router. You can also do everything via terminal in RouterOS if you prefer.

Performance, additional privacy and limits of the approach

When it comes to speed, two metrics matter: resolution time and actual page load. Independent tests (such as SamKnows) conclude that the difference between DoH and classic DNS (Do53) is marginal on both fronts; in practice, you should not notice any slowness.

DoH encrypts the “DNS query,” but there are more signals on the network. Even if you hide DNS, an ISP could infer things via TLS connections (e.g., SNI in some legacy scenarios) or other traces. To enhance privacy, you can explore DoT, DNSCrypt, DNSCurve, or clients that minimize metadata.

Not all of the ecosystem supports DoH yet. Many legacy resolvers do not offer it, forcing reliance on public providers (Cloudflare, Google, Quad9, etc.). This opens the debate on centralization: concentrating queries on a few actors carries privacy and trust costs.

In corporate environments, DoH may clash with security policies that rely on DNS monitoring or filtering (malware, parental controls, legal compliance). Solutions include using MDM/Group Policy to set a DoH/DoT resolver in strict mode, or combining it with application-level controls, which are more precise than domain-based blocking.

DNSSEC complements DoH: DoH protects the transport; DNSSEC validates the response. Adoption is uneven, and some intermediate devices break it, but the trend is positive. Along the path between resolvers and authoritative servers, DNS traditionally remains unencrypted; there are already experiments using DoT between large operators (e.g., 1.1.1.1 with Facebook's authoritative servers) to extend protection.

An intermediate alternative is to encrypt only between the router and the resolver, leaving the connection between devices and the router unencrypted. This is useful on secure wired networks, but not recommended on open Wi-Fi: other users could spy on or manipulate those queries within the LAN.

Make your own DoH resolver

If you want complete independence, you can deploy your own resolver. Unbound + Redis (L2 cache) + Nginx is a popular combination for serving DoH URLs and filtering domains with automatically updatable lists.

This stack runs perfectly on a modest VPS (for example, one core / two threads for a family). There are guides with ready-to-use instructions, such as this repository: github.com/ousatov-ua/dns-filtering. Some VPS providers offer welcome credits for new users, so you can set up a trial at low cost.

With your private resolver, you can choose your filtering sources, decide retention policies and avoid centralizing your queries to third parties. In return, you manage security, maintenance, and high availability.

Before closing, a note on validity: on the Internet, options, menus and names change frequently, and some old guides are outdated (for example, going through "flags" in Chrome is no longer necessary in recent versions). Always check your browser or system documentation.

If you have made it this far, you already know what DoH does, how it fits into the puzzle with DoT and DNSSEC, and most importantly, how to activate it right now on your device to prevent DNS from traveling in the clear. With a few clicks in your browser or adjustments in Windows (even at the policy level in Server 2022) you will have encrypted queries; if you want to take things to the next level, you can move the encryption to the MikroTik router or build your own resolver. The key is that, without touching your router, you can shield one of the most snooped-on parts of your traffic today.