Browser Configuration
Encrypt your DNS queries within Chrome, Firefox, or Edge.
Note: This only affects the browser, not other apps on your device.
Chrome, Edge & Brave
DNS-over-HTTPS
Go to Settings → Privacy and security → Security.
Scroll to Use Secure DNS and select With Custom Provider.
Enter the URL:
https://dnsdoh.art/dns-query
Mozilla Firefox
DNS-over-HTTPS
Go to Settings → General → scroll to Network Settings → click Settings.
Check Enable DNS over HTTPS. Select Custom.
Enter the URL:
https://dnsdoh.art/dns-query
Safari / macOS Note
Safari uses the operating system's DNS settings. Use the to download the configuration profile.
How to Verify
After setup, visit DNS Leak Test. You should see servers from Cloudflare, Quad9, or NWPS.fi (our encrypted upstreams). If you see your ISP's DNS instead, the setup isn't active yet.
Next-Gen Protocols (QUIC & H3)
Ultra-low latency with zero head-of-line blocking.
Requires compatible clients like AdGuard or latest browser builds.
AdGuard App (Android / iOS)
The easiest way to use DNS-over-QUIC on mobile devices.
- 1. Open AdGuard app → DNS Protection.
- 2. Tap DNS Server → Add Custom Server.
- 3. Enter Name: DNSDOH.ART
- 4. Enter Upstream URL (choose one):
  Recommended (QUIC): quic://dnsdoh.art
  Alternative (HTTP/3): h3://dnsdoh.art/dns-query
- 5. Tap Save & Select.
Browser HTTP/3
Chrome and Edge automatically upgrade to HTTP/3 when the server advertises it via the Alt-Svc header (which we do).
--enable-quic --quic-version=h3-29
- Set your Secure DNS provider to: https://dnsdoh.art/dns-query
- Add the flags above to your browser shortcut (optional — most browsers auto-upgrade).
- Verify at http3.is
Router Configuration
Protect your entire home network. All devices connected to your router will use encrypted DNS automatically.
Keenetic
DoH / DoT
- Open router admin panel → Internet → DNS.
- Enable DNS over HTTPS or DNS over TLS.
- DoH URL: https://dnsdoh.art/dns-query
- DoT Hostname: dnsdoh.art
- Click Save. All connected devices are now protected.
Requires KeeneticOS 3.6+ for DoH, 3.4+ for DoT.
ASUS / Merlin
DoT Ready
- Go to WAN → Internet Connection.
- Scroll to DNS Privacy Protocol.
- Select DNS-over-TLS (Strict).
- Address: 194.180.189.33
- Hostname: dnsdoh.art
Synology SRM
DoH Ready
- Network Center → Local Network → General.
- Advanced Options → check Enable DoH.
- Click Custom.
- DoH URL: https://dnsdoh.art/dns-query
FRITZ!Box
DoT Ready
- Internet → Account Information → DNS.
- Check Use DNSv4 over TLS.
- Uncheck Fallback to unencrypted.
- Resolved Name: dnsdoh.art
MikroTik (v7+)
DoH CLI
Paste these commands into your MikroTik terminal:
/ip dns set use-doh-server="https://dnsdoh.art/dns-query" verify-doh-cert=yes
/ip dns static add name=dnsdoh.art address=194.180.189.33
The static entry is needed so the router can resolve dnsdoh.art for the initial DoH connection.
OpenWrt
DoH via HTTPS-DNS-Proxy
opkg update && opkg install https-dns-proxy luci-app-https-dns-proxy
# In LuCI: Services → HTTPS DNS Proxy → Add
# URL: https://dnsdoh.art/dns-query
Standard IPv4 (Older Routers)
For routers that don't support encrypted DNS. This uses plain DNS — your ISP can see your queries, but ad blocking still works.
Works for: TP-Link, Netgear, D-Link, Linksys, and any router with DNS settings under Internet or LAN setup.
Android Configuration
Enable Private DNS to encrypt all DNS traffic on your device — both Wi-Fi and mobile data.
Step 1: Find the Setting
Settings → Network & Internet → Private DNS
Settings → Connections → More connection settings → Private DNS
Settings → Connection & sharing → Private DNS
Step 2: Enter Hostname
Select Private DNS provider hostname.
Enter the following hostname exactly:
dnsdoh.art
Tap Save. A small lock icon may appear in the status bar confirming Private DNS is active.
How to Verify
Open your browser and visit our DoH Tester. You should see DNSDOH.ART listed as your resolver. Android uses DNS-over-TLS (port 853), which encrypts all traffic system-wide.
Troubleshooting
"Couldn't connect" — Some networks (corporate, school, hotel Wi-Fi) block DNS-over-TLS on port 853. Switch to the Wi-Fi's DNS while on that network, or use a VPN.
Setting keeps resetting — Some Samsung devices reset Private DNS after reboot. Go to Settings → Battery → Battery Optimization and exclude the Settings app.
Configuration Profile (Recommended)
One-tap setup for iPhone, iPad, and Mac. Installs a system-wide encrypted DNS profile that works on both Wi-Fi and cellular data — something manual DNS settings in iOS cannot do.
Signed .mobileconfig · DNS over HTTPS · ~1 KB
What the profile configures:
✓ DNS over HTTPS → https://dnsdoh.art/dns-query
✓ Works on all networks (Wi-Fi + Cellular + VPN)
✓ Ad & tracker blocking via server-side filters
✓ No app required — uses Apple's native DNS framework
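A configuration profile can carry payloads other than DNS settings, so it is worth confirming that the file contains only what the list above describes before installing it. The following is an added example, not dnsdoh.art's code: it assumes the signed file has already been unwrapped to plain XML (for instance with `security cms -D -i` on macOS), and the embedded profile is a constructed sample, not the real download.

```python
import plistlib

EXPECTED_URL = "https://dnsdoh.art/dns-query"  # DoH URL stated on this page
DNS_PAYLOAD = "com.apple.dnsSettings.managed"  # Apple's encrypted-DNS payload type

# Constructed sample of an unwrapped profile body (not the real file).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>DNSDOH.ART DNS</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.dnsSettings.managed</string>
    <key>DNSSettings</key><dict>
      <key>DNSProtocol</key><string>HTTPS</string>
      <key>ServerURL</key><string>https://dnsdoh.art/dns-query</string>
    </dict>
  </dict></array>
</dict></plist>"""

def audit_profile(data, expected_url=EXPECTED_URL):
    """Return a list of findings; an empty list means the profile contains
    only DNS payloads that point DoH at the expected URL."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    findings = []
    if not payloads:
        findings.append("profile contains no payloads")
    for payload in payloads:
        ptype = payload.get("PayloadType")
        if ptype != DNS_PAYLOAD:
            # e.g. a root certificate or VPN payload riding along
            findings.append(f"unexpected payload type: {ptype}")
            continue
        dns = payload.get("DNSSettings", {})
        if dns.get("DNSProtocol") != "HTTPS":
            findings.append(f"DNSProtocol is {dns.get('DNSProtocol')}, expected HTTPS")
        if dns.get("ServerURL") != expected_url:
            findings.append(f"ServerURL is {dns.get('ServerURL')}, expected {expected_url}")
    return findings
```

This inspects content only; it does not validate the profile's signature, which the operating system shows in the install dialog.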
iPhone & iPad
Tap Download Profile above in Safari. You'll see a prompt: "This website is trying to download a configuration profile." Tap Allow.
Open Settings → General → VPN & Device Management. Tap DNSDOH.ART DNS → Install. Enter your passcode when prompted.
Go to Settings → General → VPN & Device Management → DNS. You should see DNSDOH.ART as the active DNS provider.
macOS (Sequoia / Sonoma / Ventura)
Click Download Profile above. The file dnsdoh.art.mobileconfig saves to your Downloads folder.
Double-click the file. Open System Settings → Privacy & Security → Profiles. Select DNSDOH.ART DNS → click Install.
Open Terminal and run:
scutil --dns | head -20
You should see dnsdoh.art listed as the resolver.
How to remove the profile
iPhone/iPad: Settings → General → VPN & Device Management → DNSDOH.ART DNS → Remove Profile.
macOS: System Settings → Privacy & Security → Profiles → DNSDOH.ART DNS → remove (−).
Your device will instantly revert to your network's default DNS.
Alternative: DNSecure App
If you prefer an app to quickly toggle encrypted DNS on/off or manage multiple DNS providers, DNSecure is a free, open-source app for iOS and macOS.
Download DNSecure from the App Store.
Open the app → tap + → select DNS over HTTPS.
Enter URL: https://dnsdoh.art/dns-query
Toggle the server on. iOS will ask to allow a VPN configuration — tap Allow. All DNS traffic is now encrypted.
Troubleshooting
"This network is blocking encrypted DNS traffic"
Some corporate/hotel Wi-Fi networks block DoH. This is expected — the network administrator requires you to use their DNS. On cellular data, the profile will continue to work normally. You can also try switching to DNS over TLS (port 853), which some networks don't block.
Profile doesn't appear in Settings after download
Make sure you opened the download link in Safari, not Chrome or Firefox. Third-party browsers cannot install configuration profiles on iOS.
If using macOS, double-click the .mobileconfig file to trigger the install prompt.
Does it work with iCloud Private Relay?
No — Private Relay overrides custom DNS profiles. If you use Private Relay, it handles DNS internally via Apple's servers. You must choose one: Private Relay or DNSDOH.ART. For ad blocking and custom filtering, disable Private Relay and use our profile instead.
Can I use this alongside a VPN?
It depends on the VPN. Most commercial VPNs (NordVPN, ExpressVPN, Mullvad) override DNS settings when active. When the VPN disconnects, the DNSDOH.ART profile takes over again automatically. WireGuard-based VPNs can be configured to use your DNS alongside.
Windows 11
Native DoH
Windows 11 supports DNS-over-HTTPS natively. First, register the DoH server, then enable it in network settings.
Open PowerShell as Administrator and paste this command:
Add-DnsClientDohServerAddress -ServerAddress "194.180.189.33" -DohTemplate "https://dnsdoh.art/dns-query" -AllowFallbackToUdp $False -AutoUpgrade $True
This tells Windows that 194.180.189.33 supports DoH. You only need to run this once.
1. Open Settings → Network & internet → Ethernet (or Wi-Fi → your network → Hardware properties).
2. Find DNS server assignment and click Edit.
3. Change from Automatic (DHCP) to Manual.
4. Turn on IPv4.
5. Preferred DNS: 194.180.189.33
6. Under DNS encryption, select: Encrypted only (DNS over HTTPS)
7. Click Save.
How to Verify
Open PowerShell and run: Resolve-DnsName google.com | Select-Object Name,Type,IPAddress
Or visit DNS Leak Test — you should see servers from Cloudflare, Quad9, or NWPS.fi (our encrypted upstreams). If you see your ISP's DNS instead, the setup isn't active yet.
Windows 10
Option A: Standard DNS (No Encryption)
Ad blocking works, but your ISP can see your queries.
- Control Panel → Network and Sharing Center.
- Change adapter settings → right-click your adapter → Properties.
- Select Internet Protocol Version 4 (TCP/IPv4) → Properties.
- Select Use the following DNS server:
- Preferred DNS: 194.180.189.33
Option B: Encrypted (DoH)
Windows 10 requires a third-party client for DNS-over-HTTPS.
After installing, add https://dnsdoh.art/dns-query as a DoH resolver in YogaDNS settings.
systemd-resolved (Ubuntu / Fedora / Arch)
The default DNS resolver on most modern Linux distributions. Supports DNS-over-TLS natively.
# Edit the resolved config
sudo nano /etc/systemd/resolved.conf
# Add these lines under [Resolve]:
[Resolve]
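# The #dnsdoh.art suffix sets the name the server certificate is checked against
DNS=194.180.189.33#dnsdoh.art
DNSOverTLS=yes
# Restart the service
sudo systemctl restart systemd-resolved
# Verify it's working (the Protocols line carries the +DNSOverTLS flag)
resolvectl status | grep -E "Protocols|DNS Server"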
You should see 194.180.189.33 with +DNSOverTLS in the output.
NetworkManager (Desktop GUI)
For GNOME, KDE, and other desktop environments with a network manager GUI.
Open Settings → Network → click the gear icon next to your connection.
Go to the IPv4 tab. Set DNS to Manual. Enter: 194.180.189.33
Click Apply. Toggle the connection off and on to activate.
Note: NetworkManager does not support DNS-over-TLS natively. For encrypted DNS, use the systemd-resolved method above or install stubby.
Stubby (Advanced — Any Distro)
A dedicated DNS-over-TLS resolver. Works on any Linux distribution, even older ones without systemd-resolved.
sudo apt install stubby # Debian/Ubuntu
sudo dnf install stubby # Fedora
# Edit /etc/stubby/stubby.yml — add under upstream_recursive_servers:
  - address_data: 194.180.189.33
    tls_auth_name: "dnsdoh.art"
sudo systemctl enable --now stubby
# Then set your system DNS to 127.0.0.1 (stubby listens locally)