Skip to content
Technology

DNS-over-HTTPS explained: how DoH stops your lookups leaking

Every website you visit starts with a DNS lookup — and by default, those lookups are sent in plain text for anyone to read. DNS-over-HTTPS encrypts them. Here's why that matters.

By Veilock Team · Updated May 19, 2026

Quick answer

DNS-over-HTTPS (DoH) is a standard, defined in IETF RFC 8484, that encrypts your DNS lookups by sending them inside ordinary HTTPS traffic. Normally, DNS queries — the requests that turn 'veilock.com' into an IP address — travel in plain text, so your ISP, network operator or anyone snooping the connection can see every domain you visit. DoH hides those lookups inside encrypted HTTPS, so observers can no longer read or tamper with them. Veilock resolves all DNS over HTTPS through its own Vortex filtering resolvers, so lookups never leak to your ISP.

Before your browser can load a single web page, it has to ask a question: “What’s the IP address for this domain?” That question is a DNS lookup, and by default it’s sent in plain text — readable by your ISP, the network you’re on, and anyone else along the way. DNS-over-HTTPS fixes that. Here’s what it protects you from, and how.

First, what DNS actually does

The Domain Name System (DNS) is the internet’s phone book. Humans remember names like veilock.com; computers route traffic using numeric IP addresses like 203.0.113.7. DNS is the translation layer in between.

Every time you visit a site, tap a link, or an app phones home, your device fires off a DNS query to a resolver — usually the one run by your ISP — asking it to look up the matching IP. The resolver answers, and only then does the actual connection begin. It happens hundreds of times a day, invisibly.

Why plain DNS is a privacy problem

Here’s the catch: traditional DNS is unencrypted. Those lookups travel in the clear, which creates two serious problems.

  1. Everyone can see where you’re going. Even if the websites you visit use HTTPS (so the content is encrypted), the DNS lookup itself reveals the domain. Your ISP can log that you looked up a health clinic, a dating site, a political forum or a competitor’s website — and many ISPs monetize exactly this data. On public Wi-Fi, the network operator sees it too.

  2. Lookups can be tampered with. Because plain DNS isn’t authenticated, an attacker on the network can spoof or hijack responses — sending you to a fake login page instead of the real one. This is a classic tactic on untrusted networks.

Think of plain DNS like mailing every letter on a postcard. Even if the message inside your envelopes is sealed, the postcard’s address panel tells every postal worker exactly who you’re writing to.

What DNS-over-HTTPS changes

DNS-over-HTTPS (DoH), standardized by the IETF in RFC 8484, seals those postcards inside envelopes. Instead of sending your queries as open text, DoH wraps them inside ordinary HTTPS — the same encrypted protocol that secures your online banking — and sends them over port 443.

This delivers two big wins:

  • Privacy. Your ISP and local network can no longer read which domains you’re resolving. To them, your DNS traffic looks identical to any other HTTPS connection.
  • Integrity and stealth. Because the queries are encrypted and authenticated, they’re extremely hard to tamper with. And because they blend in with normal web traffic on port 443, they’re much harder for a network to single out and block than older encrypted-DNS methods.

DoH vs DoT: a quick clarification

You may also see DNS-over-TLS (DoT), defined in RFC 7858. Both encrypt your DNS. The difference is where the traffic goes:

  • DoT uses a dedicated port (853). This makes it easy for a network operator to recognize and block encrypted DNS wholesale.
  • DoH rides on port 443 alongside all your other HTTPS traffic, so it’s much harder to isolate or censor.

For privacy and censorship resistance, DoH usually wins — which is why it’s Veilock’s default.

Why DoH alone isn’t enough

DoH is powerful, but it only protects DNS. It doesn’t encrypt the rest of your traffic, and it doesn’t hide your IP address — the network can still see the IPs you ultimately connect to, and websites still see where you’re coming from. If you want to understand what your IP gives away, see our IP address explainer.

That’s why the strongest privacy comes from combining a VPN with DoH: the VPN encrypts all your traffic and masks your IP, while DoH ensures the DNS lookups inside that tunnel are also protected and never leak out to your ISP.

The DNS leak trap

Here’s a subtle risk even VPN users hit: the DNS leak. If your VPN encrypts your traffic but your device still sends DNS lookups to your ISP’s default resolver outside the tunnel, your browsing history leaks anyway — the VPN’s protection is quietly undermined. Many free and poorly configured VPNs have exactly this flaw.

How Veilock handles DNS

Veilock closes the leak by design. Every DNS lookup is:

  • Resolved over HTTPS (DoH), so queries are always encrypted end to end.
  • Forced through Veilock’s own resolvers inside the VPN tunnel — never your ISP’s — so there’s nothing to leak.
  • Filtered by Vortex, Veilock’s DNS filtering system, which can block known malware, phishing and tracker domains at the lookup stage before your device ever connects to them. That’s the same mechanism behind malware blocking.

And because Veilock runs a strict no-logs policy, those encrypted lookups aren’t stored or sold either. The query is resolved and forgotten.

The bottom line

Plain DNS is one of the quietest privacy leaks on the internet: even with HTTPS everywhere, your unencrypted lookups hand your ISP a running list of every site you visit. DNS-over-HTTPS seals those queries inside encrypted HTTPS, so observers can’t read or hijack them. On its own it’s a big upgrade; combined with a VPN that forces all lookups through its own DoH resolvers — as Veilock does with Vortex — it closes the DNS leak for good. Encrypt the tunnel, encrypt the lookups, and there’s nothing left in plain text for your ISP to harvest.

Plain DNS vs DNS-over-HTTPS

PropertyPlain DNS (default)DNS-over-HTTPS
Lookups encryptedNo — plain textYes — inside HTTPS
ISP can read domainsYesNo
Can be tampered withYes (spoofing/hijacking)Very difficult
Easy to block/filterYesHard (blends with HTTPS)
Port used53 (open)443 (HTTPS)

Related reading

Frequently asked questions

What is a DNS leak?

A DNS leak happens when your device sends DNS lookups outside the encrypted VPN tunnel — usually to your ISP's default resolver. Even though your traffic is encrypted, the leaked lookups reveal every domain you visit, undermining your privacy. A VPN with built-in encrypted DNS, like Veilock's DoH resolution, prevents this.

What is the difference between DoH and DoT?

Both encrypt DNS. DNS-over-HTTPS (DoH) sends queries inside normal HTTPS traffic on port 443, so they blend in with regular web browsing and are hard to block. DNS-over-TLS (DoT) uses a dedicated port (853), which is easier for network operators to identify and filter. DoH is generally better for privacy and censorship resistance.

Does DoH replace a VPN?

No. DoH only encrypts your DNS lookups — it hides which domains you request. It does not encrypt the rest of your traffic or hide your IP address. A VPN encrypts everything and masks your IP. The strongest setup uses both: a VPN tunnel for all traffic, with DoH handling DNS inside it, which is exactly how Veilock works.

Can my ISP still see my DNS with a VPN?

Only if DNS leaks. A properly configured VPN routes DNS lookups through its own encrypted resolvers inside the tunnel, so your ISP sees nothing but encrypted VPN traffic. Veilock forces all DNS through its own DoH resolvers, so your ISP can't harvest your browsing history from your lookups.

Ready to reclaim the open internet?

Get started in minutes. Encrypted, no-logs, and built to beat censorship.