DNS over HTTPS (DoH) and VPNs both address network privacy, but at different layers. Many users who use a VPN don’t know what DoH is. Many who use DoH assume it replaces the need for a VPN. Neither assumption is right.

What DNS actually is

Every time you visit a website, your device sends a DNS query to find out which IP address corresponds to the domain name you typed. If you visit nordvpn.com, your device asks a DNS server: “what is the IP address for nordvpn.com?”

Traditionally, these queries are sent in plain text, unencrypted, to your ISP’s DNS servers. Your ISP can see every domain name you look up, even if the page content itself is encrypted via HTTPS. This is a significant privacy gap that exists even when you’re browsing securely.

What DNS over HTTPS does

DNS over HTTPS (DoH) encrypts DNS queries and sends them over HTTPS to a DoH-capable resolver (Cloudflare’s 1.1.1.1, Google’s 8.8.8.8, or others). Your ISP can no longer see which domain names you’re looking up.

What it changes:

  • Your ISP can no longer read your DNS queries
  • DNS queries are sent to a DoH provider instead of your ISP’s resolver
  • Prevents local network observers from seeing your DNS activity

What it doesn’t change:

  • Your real IP address is still visible to the websites you visit
  • Your ISP can still see which IP addresses you connect to (even if not the domain names)
  • Your traffic content is not encrypted by DoH (HTTPS handles that separately)
  • You’re now trusting the DoH provider (Cloudflare, Google) with your DNS queries instead of your ISP

What a VPN does

A VPN encrypts all your traffic (not just DNS), routes it through a VPN server, and replaces your IP address with the server’s. Your ISP sees only encrypted data going to a VPN server. The websites you visit see the VPN server’s IP.

A well-configured VPN also routes your DNS queries through the VPN’s own DNS servers, providing DNS privacy as a side effect.

Comparing protection

| Threat | DoH only | VPN only | Both |
| --- | --- | --- | --- |
| ISP sees domain names | Protected | Protected | Protected |
| ISP sees IP connections | Not protected | Protected | Protected |
| Real IP visible to websites | Not protected | Protected | Protected |
| Traffic content from ISP | Not protected | Protected | Protected |
| DNS query privacy | Protected (from ISP) | Protected (routes through VPN DNS) | Protected |
| Trust required | DoH provider | VPN provider | Both |

When DoH alone is sufficient

If your only concern is DNS privacy from your ISP, and you trust Cloudflare or Google with your DNS queries more than you trust your ISP, DoH alone addresses that specific threat.

Example: you’re on a corporate or school network that filters websites using DNS interception. DoH bypasses this by sending queries to an external resolver over HTTPS.

When a VPN is necessary

Anytime you need more than DNS privacy: IP masking, encrypted traffic, protection on public networks, geo-restriction bypass. A VPN provides all the protection DoH provides (by routing DNS through the VPN) plus full traffic encryption and IP replacement.

DNS leaks: the intersection

One common problem with VPNs is DNS leaks: your device continues sending DNS queries outside the VPN tunnel to your ISP’s DNS server, even though your traffic goes through the VPN. This exposes which sites you’re visiting despite using a VPN.

Reputable VPN providers prevent this with DNS leak protection settings. But if you’re using DoH alongside a VPN that leaks DNS, DoH can actually help: your DNS queries go to a DoH provider rather than your ISP, preventing the leak from being useful.

Enable both DNS leak protection in your VPN and DoH in your browser as a defense-in-depth approach.
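A way to check for the leak described above, as an added example that is not part of the original article: it classifies outbound flow records by whether DNS left the device inside or outside the tunnel. The interface name `tun0`, the VPN resolver `10.8.0.1`, the record format and the sample flows are all constructed assumptions; matching DoH by destination IP and port is a heuristic.

```python
TUNNEL_IFACE = "tun0"            # assumption: name of the VPN interface
VPN_DNS = {"10.8.0.1"}           # assumption: resolver address pushed by the VPN
DOH_RESOLVERS = {"1.1.1.1", "9.9.9.9", "8.8.8.8"}  # resolvers named in the article

# Constructed flow records: interface, protocol, destination IP, destination port.
SAMPLE_FLOWS = """\
tun0 udp 10.8.0.1 53
eth0 udp 192.0.2.53 53
eth0 tcp 1.1.1.1 443
tun0 tcp 9.9.9.9 443
eth0 udp 203.0.113.10 51820
tun0 tcp 198.51.100.7 443
"""

def classify(iface: str, dst: str, port: int):
    """Return a verdict for DNS-looking flows, or None for everything else."""
    in_tunnel = iface == TUNNEL_IFACE
    if port == 53:
        if not in_tunnel:
            return "LEAK: plaintext DNS outside the tunnel"
        if dst in VPN_DNS:
            return "ok: VPN resolver inside the tunnel"
        return "note: plaintext DNS to a non-VPN resolver inside the tunnel"
    # Heuristic: 443 (DoH) or 853 (DoT) to a known public resolver address.
    if port in (443, 853) and dst in DOH_RESOLVERS:
        if in_tunnel:
            return "note: encrypted DNS to a third party inside the tunnel"
        return "outside tunnel, encrypted: ISP sees resolver IP, not names"
    return None

def audit(flows: str):
    """Parse flow records and return (record, verdict) for each DNS-looking flow."""
    findings = []
    for line in flows.splitlines():
        iface, _proto, dst, port = line.split()
        verdict = classify(iface, dst, int(port))
        if verdict:
            findings.append((line, verdict))
    return findings

def leaks(flows: str):
    """Only the records that expose domain names in plaintext outside the tunnel."""
    return [rec for rec, verdict in audit(flows) if verdict.startswith("LEAK")]

if __name__ == "__main__":
    for record, verdict in audit(SAMPLE_FLOWS):
        print(f"{record:28} {verdict}")
```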

How to enable DNS over HTTPS

Firefox: Settings > Privacy & Security > DNS over HTTPS > Enable.

Chrome: Settings > Privacy and Security > Security > Use secure DNS > On (automatic) or choose a provider.

Windows 11: Settings > Network & Internet > Wi-Fi or Ethernet > DNS server assignment > Edit > Preferred DNS (enter 1.1.1.1 for Cloudflare) > toggle “DNS over HTTPS.”

iOS: Apple supports encrypted DNS profiles. Cloudflare offers a free profile at 1.1.1.1.

Which DoH provider to choose

Cloudflare (1.1.1.1): Fast, no-logs policy, audited by KPMG. Good default.

Quad9 (9.9.9.9): Swiss nonprofit, no-logs, blocks known malicious domains.

Google (8.8.8.8): Fast, but Google logs query data and uses it for advertising. Not recommended for privacy.

If you’re using a VPN, your DNS is already routed through the VPN’s servers. The DoH setting in your browser may not apply once the VPN is active, depending on how the VPN handles DNS routing.


Bottom line

DoH and VPNs are complementary, not competing. DoH encrypts DNS queries. A VPN encrypts everything else and masks your IP. If you use a VPN with proper DNS leak protection, DoH adds marginal additional benefit. If you don't use a VPN, DoH is a meaningful improvement over standard DNS but leaves your IP and traffic content exposed.

Running both, and the configuration that makes sense

The tools don’t compete; they layer, with one configuration question worth getting right. Inside a VPN tunnel, your DNS should go to the VPN provider’s resolvers (the default in good apps), because routing DNS to a third party from inside the tunnel re-introduces a separate party who sees your lookups. Outside the tunnel, browser-level DoH to a trusted resolver is a strict improvement over the ISP’s default, encrypting the one signal that otherwise leaks your browsing map in plaintext.

So the sensible household stack reads: VPN on for the connections that matter, provider DNS inside it, and DoH configured in browsers and the OS for all the moments the tunnel is off. Each layer covers the other’s off-hours, and neither requires choosing a champion.

What each actually protects, one last table in prose

DoH encrypts the question “where is this site” between you and the resolver: your ISP loses the easy browsing log, but it still sees the IPs you then connect to, and the resolver you chose now holds the lookup history instead. A VPN encrypts the entire connection: ISP sees nothing but the tunnel, sites see the server’s IP, and the provider’s logging policy becomes the trust question. DoH is a privacy improvement of one protocol; the VPN is a privacy relocation of the whole connection. Confusing the two is how people end up believing a DNS toggle hid their traffic; pairing them properly is how each does the job it was actually built for.

The closing mental model: DNS encryption fixes one leak in the plumbing, the VPN replaces the plumbing, and a household that configures both has simply stopped donating its browsing map to whoever happens to be standing nearest the pipes.

(Resolver choice for the DoH half matters too: pick one whose logging policy you’d accept from a VPN, because the question “who sees my lookups” deserves the same answer either way.)
