Secure DNS Connection Settings

Connect to our high-speed, no-logs encrypted DNS network. Use the connection details below for advanced setup, or select your device for a step-by-step configuration guide.

New to encrypted DNS? See how DoH, DoT and DoQ work before you pick one.

Standard
DNS-over-HTTPS
https://dnsdoh.art/dns-query
Turbo
DNS-over-HTTP/3
h3://dnsdoh.art/dns-query
TLS 1.3
DNS-over-TLS
dnsdoh.art
QUIC
DNS-over-QUIC
quic://dnsdoh.art
Legacy
Standard IPv4
194.180.189.33

Browser Configuration

Encrypt your DNS queries within Chrome, Firefox, or Edge.
Note: This only affects the browser, not other apps on your device.

Chrome, Edge & Brave

DNS-over-HTTPS
Step 1

Go to SettingsPrivacy and securitySecurity.

Step 2

Scroll to Use Secure DNS and select With Custom Provider.

Step 3

Enter the URL:
https://dnsdoh.art/dns-query

Mozilla Firefox

DNS-over-HTTPS
Step 1

Go to SettingsGeneral → scroll to Network Settings → click Settings.

Step 2

Check Enable DNS over HTTPS. Select Custom.

Step 3

Enter the URL:
https://dnsdoh.art/dns-query

Safari / macOS Note

Safari uses the operating system's DNS settings. Use the to download the configuration profile.

How to Verify

After setup, visit Dns Leak Test. You should see servers from our encrypted upstreams - typically Cloudflare or Quad9, sometimes Google. If you see your ISP's DNS instead, the setup isn't active yet.

ChromeOS (Chromebook)

Chromebooks support Secure DNS system-wide - it covers every app, not just the browser:

  1. Open Settings → Security and Privacy
  2. Enable Use secure DNS and select With custom provider
  3. Enter https://dnsdoh.art/dns-query

QUIC & HTTP/3

Lower latency, with no head-of-line blocking.
Modern browsers handle HTTP/3 automatically; DNS-over-QUIC needs a DoQ-capable client.

Mobile (Android / iOS)

Android needs no extra software for encrypted DNS - the built-in setting encrypts everything system-wide, and modern clients auto-upgrade to DoH3 (HTTP/3) because our server advertises it. Only DNS-over-QUIC (quic://, port 853) requires a DoQ-capable DNS client (AdGuard is one example):

  1. 1. In the client's DNS settings, choose Add Custom Server.
  2. 2. Enter Name: DNSDOH.ART
  3. 3. Enter Upstream URL (choose one):
  4. Recommended (QUIC): quic://dnsdoh.art
    Alternative (HTTP/3): h3://dnsdoh.art/dns-query
  5. 4. Save and select the new server.

Browser HTTP/3

Chrome and Edge automatically upgrade to HTTP/3 when the server advertises it via the Alt-Svc header (which we do).

Manual Override (optional) --enable-quic --quic-version=h3-29
  1. Set your Secure DNS provider to: https://dnsdoh.art/dns-query
  2. Add the flags above to your browser shortcut (optional - most browsers auto-upgrade).
  3. Verify at http3.is
Most modern browsers automatically upgrade to H3 if the server advertises it. No manual flags needed in most cases.

Router Configuration

Protect your entire home network. All devices connected to your router will use encrypted DNS automatically.

Keenetic

DoH / DoT
  1. Open router admin panel → InternetDNS.
  2. Enable DNS over HTTPS or DNS over TLS.
  3. DoH URL: https://dnsdoh.art/dns-query
  4. DoT Hostname: dnsdoh.art
  5. Click Save. All connected devices are now protected.

Requires KeeneticOS 3.6+ for DoH, 3.4+ for DoT.

ASUS / Merlin

DoT Ready
  1. Go to WANInternet Connection.
  2. Scroll to DNS Privacy Protocol.
  3. Select DNS-over-TLS (Strict).
  4. Address: 194.180.189.33
  5. Hostname: dnsdoh.art

Synology SRM

DoH Ready
  1. Network CenterLocal NetworkGeneral.
  2. Advanced Options → check Enable DoH.
  3. Click Custom.
  4. DoH URL: https://dnsdoh.art/dns-query

FRITZ!Box

DoT Ready
  1. InternetAccount InformationDNS.
  2. Check Use DNSv4 over TLS.
  3. Uncheck Fallback to unencrypted.
  4. Resolved Name: dnsdoh.art

MikroTik (v7+)

DoH CLI

Paste these commands into your MikroTik terminal:

/ip dns set use-doh-server="https://dnsdoh.art/dns-query" verify-doh-cert=yes /ip dns static add name=dnsdoh.art address=194.180.189.33

The static entry is needed so the router can resolve dnsdoh.art for the initial DoH connection.

OpenWrt

DoH via HTTPS-DNS-Proxy
opkg update && opkg install https-dns-proxy luci-app-https-dns-proxy # In LuCI: Services → HTTPS DNS Proxy → Add # URL: https://dnsdoh.art/dns-query

Standard IPv4 (Older Routers)

For routers that don't support encrypted DNS. This uses plain DNS - your ISP can see your queries, but ad blocking still works.

Primary DNS
194.180.189.33
Secondary DNS
Leave empty or 0.0.0.0

Works for: TP-Link, Netgear, D-Link, Linksys, and any router with DNS settings under Internet or LAN setup.

Smart TVs & Game Consoles

PlayStation, Xbox, Nintendo Switch, and most Smart TVs do not support encrypted DNS natively. The best option is to configure DoH/DoT on your router (above) - every device on your network is then covered automatically. Alternatively, set 194.180.189.33 as the Primary DNS in the device's own network settings: unencrypted, but you still get ad-blocking and filtering.

Android Configuration

Enable Private DNS to encrypt all DNS traffic on your device - both Wi-Fi and mobile data.

Step 1: Find the Setting

Stock Android / Pixel

SettingsNetwork & InternetPrivate DNS

Samsung (OneUI)

SettingsConnectionsMore connection settingsPrivate DNS

Xiaomi (MIUI / HyperOS)

SettingsConnection & sharingPrivate DNS

Oppo / Realme / OnePlus

SettingsConnection & sharingPrivate DNS

Step 2: Enter Hostname

Select Private DNS provider hostname.

Enter the following hostname exactly:

dnsdoh.art

Tap Save. A small lock icon may appear in the status bar confirming Private DNS is active.

How to Verify

Open your browser and visit our DNS Leak Test. You should see servers from our encrypted upstreams - typically Cloudflare or Quad9, sometimes Google - not your ISP's DNS. Android uses DNS-over-TLS (port 853), which encrypts all traffic system-wide.

Troubleshooting

"Couldn't connect" - Some networks (corporate, school, hotel Wi-Fi) block DNS-over-TLS on port 853. Switch to the Wi-Fi's DNS while on that network, or use a VPN.

Setting keeps resetting - Some Samsung devices reset Private DNS after reboot. Go to Settings → Battery → Battery Optimization and exclude the Settings app.

Android TV / Google TV

Private DNS also works on Android TV 9+ and Google TV devices (Chromecast, Nvidia Shield, Sony, TCL, Philips): go to Settings → Network & Internet → Private DNS (the exact path varies slightly by manufacturer), choose Private DNS provider hostname, and enter dnsdoh.art.

Configuration Profile (Recommended)

One-tap setup for iPhone, iPad, and Mac. Installs a system-wide encrypted DNS profile that works on both Wi-Fi and cellular data - something manual DNS settings in iOS cannot do.

Download Profile

Signed .mobileconfig · DNS over HTTPS · ~1 KB

What the profile configures:

✓ DNS over HTTPS → https://dnsdoh.art/dns-query

✓ Works on all networks (Wi-Fi + Cellular + VPN)

✓ Ad & tracker blocking via server-side filters

✓ No app required - uses Apple's native DNS framework

iPhone & iPad

Step 1 - Download

Tap Download Profile above in Safari. You'll see a prompt: "This website is trying to download a configuration profile." Tap Allow.

Step 2 - Install

Open SettingsGeneralVPN & Device Management. Tap DNSDOH.ART DNSInstall. Enter your passcode when prompted.

Step 3 - Verify

Go to SettingsGeneralVPN & Device ManagementDNS. You should see DNSDOH.ART as the active DNS provider.

macOS (Sequoia / Sonoma / Ventura)

Step 1 - Download

Click Download Profile above. The file dnsdoh.art.mobileconfig saves to your Downloads folder.

Step 2 - Install

Double-click the file. Open System SettingsPrivacy & SecurityProfiles. Select DNSDOH.ART DNS → click Install.

Step 3 - Verify

Open Terminal and run:
scutil --dns | head -20
You should see dnsdoh.art listed as the resolver.

How to remove the profile

iPhone/iPad: Settings → General → VPN & Device Management → DNSDOH.ART DNS → Remove Profile.

macOS: System Settings → Privacy & Security → Profiles → DNSDOH.ART DNS → remove (−).

Your device will instantly revert to your network's default DNS.

Alternative: DNSecure App

If you prefer an app to quickly toggle encrypted DNS on/off or manage multiple DNS providers, DNSecure is a free, open-source app for iOS and macOS.

1. Install

Download DNSecure from the App Store.

2. Add Server

Open the app → tap + → select DNS over HTTPS.
Enter URL: https://dnsdoh.art/dns-query

3. Activate

Toggle the server on. iOS will ask to allow a VPN configuration - tap Allow. All DNS traffic is now encrypted.

Troubleshooting

Q:

"This network is blocking encrypted DNS traffic"

Some corporate/hotel Wi-Fi networks block DoH. This is expected - the network administrator requires you to use their DNS. On cellular data, the profile will continue to work normally. You can also try switching to DNS over TLS (port 853), which some networks don't block.

Q:

Profile doesn't appear in Settings after download

Make sure you opened the download link in Safari, not Chrome or Firefox. Third-party browsers cannot install configuration profiles on iOS. If using macOS, double-click the .mobileconfig file to trigger the install prompt.

Q:

Does it work with iCloud Private Relay?

No - Private Relay overrides custom DNS profiles. If you use Private Relay, it handles DNS internally via Apple's servers. You must choose one: Private Relay or DNSDOH.ART. For ad blocking and custom filtering, disable Private Relay and use our profile instead.

Q:

Can I use this alongside a VPN?

It depends on the VPN. Most commercial VPNs (NordVPN, ExpressVPN, Mullvad) override DNS settings when active. When the VPN disconnects, the DNSDOH.ART profile takes over again automatically. WireGuard-based VPNs can be configured to use your DNS alongside.

Apple TV (tvOS)

tvOS has no on-screen setting for encrypted DNS. The practical route is to configure DoH on your router (see the Routers tab) so the Apple TV is covered automatically. Advanced users can install the same configuration profile via Apple Configurator from a Mac.

Windows 11

Native DoH

Windows 11 supports DNS-over-HTTPS natively - everything is done in Settings, no command line needed.

Configure DNS in Settings

1. Open SettingsNetwork & internetEthernet (or Wi-Fi → your network → Hardware properties).

2. Find DNS server assignment and click Edit.

3. Change from Automatic (DHCP) to Manual and turn on IPv4.

4. Preferred DNS: 194.180.189.33

5. Preferred DNS encryption: Encrypted only (DNS over HTTPS)

6. DNS over HTTPS template: select Manual Template and enter
https://dnsdoh.art/dns-query

7. Click Save.

No template field? (original Windows 11, 21H2)

On the first Windows 11 release the Settings UI only offered the built-in providers. Register our server once via PowerShell as Administrator, then repeat the steps above:

Add-DnsClientDohServerAddress -ServerAddress "194.180.189.33" -DohTemplate "https://dnsdoh.art/dns-query" -AllowFallbackToUdp $False -AutoUpgrade $True

How to Verify

Open PowerShell and run: Resolve-DnsName google.com | Select-Object Name,Type,IPAddress
Or visit DNS Leak Test - you should see servers from our encrypted upstreams - typically Cloudflare or Quad9, sometimes Google. If you see your ISP's DNS instead, the setup isn't active yet.

Windows 10

No Native DoH

Windows 10 has no built-in encrypted DNS - the Settings app only accepts plain DNS servers. You have two choices: plain DNS (simple, unencrypted) or a small helper app for full DoH encryption.

Option A: Plain DNS (No Encryption)

Ad blocking and filtering work, but your ISP can still see your queries.

  1. Control PanelNetwork and Sharing Center.
  2. Change adapter settings → right-click your adapter → Properties.
  3. Select Internet Protocol Version 4 (TCP/IPv4)Properties.
  4. Select Use the following DNS server addresses.
  5. Preferred DNS: 194.180.189.33 - leave Alternate empty.
  6. Click OK, then run ipconfig /flushdns in a command prompt.

Option B: Encrypted DoH (Free Software)

Two free ways to get the encryption Windows 10 itself lacks:

Browser DoH EASIEST

Chrome, Edge, and Firefox have built-in DoH - covers browsing only. See the .

dnscrypt-proxy SYSTEM-WIDE

Free, open-source local resolver. Install from GitHub and add https://dnsdoh.art/dns-query as a DoH server in dnscrypt-proxy.toml.

systemd-resolved (Ubuntu / Fedora / Arch)

The default DNS resolver on most modern Linux distributions. Supports DNS-over-TLS natively.

# Edit the resolved config sudo nano /etc/systemd/resolved.conf # Add these lines under [Resolve]: [Resolve] DNS=194.180.189.33 DNSOverTLS=yes
# Restart the service sudo systemctl restart systemd-resolved # Verify it's working resolvectl status | grep -A2 "DNS Server"

You should see 194.180.189.33 with +DNSOverTLS in the output.

NetworkManager (Desktop GUI)

For GNOME, KDE, and other desktop environments with a network manager GUI.

Step 1

Open SettingsNetwork → click the gear icon next to your connection.

Step 2

Go to the IPv4 tab. Set DNS to Manual. Enter: 194.180.189.33

Step 3

Click Apply. Toggle the connection off and on to activate.

Note: NetworkManager does not support DNS-over-TLS natively. For encrypted DNS, use the systemd-resolved method above or install stubby.

Stubby (Advanced - Any Distro)

A dedicated DNS-over-TLS resolver. Works on any Linux distribution, even older ones without systemd-resolved.

sudo apt install stubby # Debian/Ubuntu sudo dnf install stubby # Fedora
# Edit /etc/stubby/stubby.yml - add under upstream_recursive_servers: - address_data: 194.180.189.33 tls_auth_name: "dnsdoh.art"
sudo systemctl enable --now stubby # Then set your system DNS to 127.0.0.1 (stubby listens locally)

After setup

Verify it works

Run a DNS leak test - you should see our encrypted upstreams, not your ISP.
Troubleshooting

"Couldn't connect", port 853 blocked, or a broken site - answers in the knowledge base.
How it works

The protocols behind each option, with benchmarks and trade-offs.