DNS queries are the backbone of every internet connection, yet most people send them in plain text for anyone on the network to intercept. DNS-over-HTTPS (DoH) encrypts your DNS traffic inside standard HTTPS connections, making it indistinguishable from regular web traffic. Self-hosting your own DoH resolver gives you full control over DNS resolution, filtering policies, and logging — no third-party provider can see what domains you resolve.
Why Self-Host a DNS-over-HTTPS Resolver
Running your own DoH resolver sits at the intersection of privacy, performance, and control. When you rely on your ISP’s default DNS server, every domain lookup is visible to your provider, subject to manipulation, and potentially throttled. Even switching to a public DoH provider like Cloudflare or Google means trusting them with your full browsing history.
Self-hosting solves these problems in one step. Your resolver handles all DNS lookups locally, encrypts them via HTTPS for upstream queries, and gives you the power to block ads, trackers, and malicious domains at the DNS layer. For homelab operators, small businesses, and privacy-conscious individuals, a self-hosted DoH resolver is one of the highest-impact infrastructure upgrades you can make.
The benefits are concrete:
- End-to-end encryption: DNS queries are wrapped in TLS, preventing ISP snooping, public Wi-Fi interception, and on-path manipulation.
- Custom filtering: Block ads, malware, and adult content before requests ever leave your network.
- Zero third-party logging: Your DNS data never touches a provider’s servers unless you configure it to.
- Improved performance: Local caching reduces lookup latency from 50-200ms down to sub-millisecond for repeated queries.
- Full auditability: Every DNS decision is transparent and logged on your own infrastructure.
Understanding DNS-over-HTTPS
DNS-over-HTTPS works by sending DNS queries over standard HTTPS (port 443) instead of traditional DNS (port 53). The protocol uses HTTP POST or GET requests to transmit DNS wire-format data, encrypted with TLS. This approach has several advantages over DNS-over-TLS (DoT):
- Port 443 blending: DoH traffic looks identical to regular HTTPS traffic, making it harder to block or throttle.
- HTTP/2 multiplexing: Multiple queries can share a single TCP connection, reducing overhead.
- Browser-native support: Firefox, Chrome, and Edge all have built-in DoH configuration.
- Flexible routing: You can route DoH through any HTTP proxy, CDN, or load balancer.
The trade-off is that DoH gives control to the browser or OS-level resolver rather than the system DNS stack, which can complicate network-wide deployment. That’s where a self-hosted DoH resolver shines — it acts as a central point for your entire network, translating encrypted DoH queries from clients into recursive DNS lookups.
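To make the "DNS wire format inside HTTPS" mechanics concrete, here is a small RFC 8484 client, added as an example and not code from the article or from any of the resolvers it covers. It builds a DNS query in wire format, shows both the GET form (base64url-encoded message in the `dns=` parameter) and the POST form (`application/dns-message` body), and parses a wire-format answer including compressed names. The endpoint `https://dns.example.com/dns-query` and the `SAMPLE_RESPONSE` bytes are constructed for illustration; `doh_query` needs network access, everything else runs offline.

```python
"""Minimal RFC 8484 (DNS-over-HTTPS) client.
Added example, not code from the article or any resolver it describes.
Builds a wire-format DNS query, sends it by GET (?dns=base64url) or POST
(application/dns-message), and parses the wire-format answer."""
import base64
import ipaddress
import struct
import urllib.request

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "AAAA": 28}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: str = "A") -> bytes:
    """Single-question query. RFC 8484 recommends transaction ID 0 so that
    identical questions give identical HTTP messages (cache friendly)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)  # QCLASS IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """GET form: base64url without '=' padding in the dns= parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def _read_name(msg: bytes, offset: int) -> tuple:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte pointer into an earlier name
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Return rcode, TC flag and answer RRs as (name, type, ttl, value)."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):            # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4                      # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype in (1, 28):             # A / AAAA
            value = str(ipaddress.ip_address(rdata))
        elif rtype in (2, 5):            # NS / CNAME: rdata is a name, maybe compressed
            value, _ = _read_name(msg, offset)
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append((name, rtype, ttl, value))
    return {"rcode": RCODE.get(flags & 0xF, str(flags & 0xF)),
            "truncated": bool(flags & 0x0200), "answers": answers}


def doh_query(endpoint: str, name: str, qtype: str = "A", method: str = "POST") -> dict:
    """Send the query over HTTPS (needs network access; not exercised offline)."""
    query = build_query(name, qtype)
    if method == "GET":
        req = urllib.request.Request(doh_get_url(endpoint, query))
    else:
        req = urllib.request.Request(endpoint, data=query, method="POST")
        req.add_header("Content-Type", "application/dns-message")
    req.add_header("Accept", "application/dns-message")
    with urllib.request.urlopen(req, timeout=5) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError(f"unexpected content type {ctype!r}")
        return parse_response(resp.read())


# Constructed response (not captured from a real server): example.com A
# 93.184.216.34, TTL 3600, answer name given as a pointer to offset 12.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
)

if __name__ == "__main__":
    print(doh_get_url("https://dns.example.com/dns-query", build_query("example.com")))
    print(parse_response(SAMPLE_RESPONSE))
```

Because the transaction ID is fixed at 0 and the GET URL is deterministic, an HTTP cache between client and resolver can serve repeated lookups. The flip side is that the GET form puts every query name into the web server's access log, which matters when the promise is "zero third-party logging": prefer POST from clients, or treat the DoH access log as DNS query data when setting retention.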
Top Self-Hosted DoH Resolver Options
Cloudflared (Cloudflare’s DoH Proxy)
Cloudflared is Cloudflare’s official daemon that acts as a local DoH proxy. It listens on a local address, accepts standard DNS queries from your network, and forwards them to Cloudflare’s DoH endpoint over HTTPS.
Pros: Extremely easy to set up, actively maintained, built-in DNS caching, automatic failover to multiple upstream DoH providers.
Cons: Tied to Cloudflare’s ecosystem by default, limited built-in filtering (requires additional tools like AdGuard Home).
Docker Compose Setup:
Once running, point your router’s DNS or individual devices to your-server-ip:5053. Cloudflared will handle all DoH forwarding transparently.
AdGuard Home
AdGuard Home is a full-featured network-wide ad and tracker blocker that supports DoH, DoT, and DNSCrypt as both client and server protocols. It’s the most popular self-hosted DNS solution for homelabs. For a detailed comparison with Pi-hole, see our AdGuard Home vs Pi-hole guide.
Pros: Beautiful web dashboard, comprehensive filtering (adlists, custom blocklists), DoH/DoT/DNSCrypt support, DNS caching, per-client configuration, query logging with analytics.
Cons: More resource-intensive than a simple proxy, filtering rules require maintenance.
Docker Compose Setup:
After the initial setup wizard on port 3000, configure your upstream DNS servers in the settings. You can point AdGuard Home to multiple DoH providers:
AdGuard Home will automatically select the fastest upstream and failover on errors. The built-in filtering engine supports over 100 public blocklist sources and custom rules.
Technitium DNS Server
Technitium DNS Server is a lesser-known but powerful option that supports DoH, DoT, and standard DNS with a clean web interface. It’s written in C# and runs on .NET, making it cross-platform.
Pros: Built-in ad blocking, DoH server mode (clients connect directly to it via HTTPS), self-signed or Let’s Encrypt TLS certificate support, recursive DNS resolver, blocklist management, DNS-over-QUIC support.
Cons: Smaller community than AdGuard Home, .NET runtime dependency.
Docker Compose Setup:
Technitium’s standout feature is its ability to act as a full DoH server — clients can connect directly to https://your-server:53443/dns-query without needing a separate proxy. This makes it ideal for remote clients or mobile devices that need encrypted DNS outside your local network.
Dnscrypt-Proxy
Dnscrypt-Proxy is a flexible DNS proxy that supports DoH, DNSCrypt, and DoT. It’s designed to be lightweight and highly configurable, running as a single binary with no external dependencies.
Pros: Minimal resource usage, supports multiple encrypted protocols simultaneously, anonymized DNS relays, local caching, DNSCloak mobile app support, extensive configuration options.
Cons: No built-in web dashboard (configuration via text file), steeper learning curve.
Docker Compose Setup:
The configuration file is where the magic happens. A typical dnscrypt-proxy.toml for DoH:
Nginx + Unbound (DIY DoH Server)
For maximum control, you can build a DoH server from scratch using Nginx as the HTTPS frontend and Unbound as the recursive resolver. This approach gives you complete ownership of every layer. If you want to learn more about configuring Unbound as a standalone resolver, check out our self-hosted DNS resolvers guide.
Pros: Full control over TLS configuration, no third-party DNS dependency, auditable at every layer, supports any DNS backend.
Cons: Requires manual setup and maintenance, deeper networking knowledge needed.
Docker Compose Setup:
The Nginx configuration for DoH forwarding:
This setup uses Unbound as the recursive resolver (it performs root server lookups directly, not forwarding to any provider) and Nginx as the DoH endpoint. Clients connect to https://dns.example.com/dns-query over HTTPS, Nginx decrypts and forwards to Unbound, and Unbound resolves the query from root servers.
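An illustrative Nginx site configuration for the DoH endpoint, added here as an example and not the article's own file. One caveat a practitioner should know: `proxy_pass` speaks HTTP, so Nginx cannot hand the decrypted request straight to Unbound's port 53. The example therefore assumes a DoH-speaking backend on `127.0.0.1:8053` that converts HTTP to DNS and queries Unbound (a small DoH-to-DNS translator; hostname, certificate paths and rate-limit values are assumptions).

```nginx
# Added example, not the article's own configuration.
# Assumes: Let's Encrypt certificate for dns.example.com, and a DoH-speaking
# backend on 127.0.0.1:8053 that translates HTTP to DNS for Unbound
# (nginx's proxy_pass speaks HTTP; it cannot forward to Unbound's port 53).

# Belongs in the http {} context: per-client rate limit so a public
# endpoint cannot be driven as a query amplifier.
limit_req_zone $binary_remote_addr zone=doh:10m rate=50r/s;

server {
    listen 443 ssl http2;
    server_name dns.example.com;

    ssl_certificate     /etc/letsencrypt/live/dns.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dns.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Note: clients using the GET form put the base64url query in the URL,
    # so this access log effectively becomes a DNS query log.
    access_log /var/log/nginx/doh.log combined;

    # Only the RFC 8484 path is served; everything else is a 404 so the
    # host cannot be used as a general-purpose reverse proxy.
    location = /dns-query {
        limit_except GET POST { deny all; }
        limit_req zone=doh burst=100 nodelay;

        proxy_buffering off;          # answers are tiny; stream them
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8053/dns-query;
    }

    location / {
        return 404;
    }
}
```

With this layout Unbound still does full recursion to the root servers; only the HTTP-to-DNS hop in front of it is added, and Nginx remains purely the TLS and rate-limiting layer.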
Comparison Table
| Feature | Cloudflared | AdGuard Home | Technitium | Dnscrypt-Proxy | Nginx + Unbound |
|---|---|---|---|---|---|
| Setup Difficulty | Easy | Easy | Moderate | Moderate | Advanced |
| DoH Client Support | Yes | Yes | Yes | Yes | Yes |
| DoH Server Mode | No | Yes | Yes | No | Yes |
| Built-in Ad Blocking | No | Yes | Yes | Partial | No |
| Web Dashboard | No | Yes | Yes | No | No |
| DNS Caching | Yes | Yes | Yes | Yes | Yes |
| Resource Usage | Low | Moderate | Moderate | Very Low | Low |
| Multi-Protocol | DoH only | DoH/DoT/DNSCrypt | DoH/DoT/DNSCrypt/DoQ | DoH/DNSCrypt/DoT | DoH only |
| Per-Client Config | No | Yes | Yes | No | No |
| Query Logging | Basic | Full | Full | Full | Via Unbound |
| Best For | Quick proxy | Full-featured homelab | Remote DoH server | Lightweight setups | Maximum control |
Choosing the Right Upstream DoH Provider
Even with a self-hosted resolver, you need to decide which upstream DoH endpoints to query (unless using Unbound for full recursion). Here are the most trusted providers:
| Provider | DoH Endpoint | Logging Policy | Best Feature |
|---|---|---|---|
| Cloudflare | https://1.1.1.1/dns-query | No persistent logs | Speed and global CDN |
| Google | https://dns.google/dns-query | 24-48 hour temp logs | Largest infrastructure |
| Quad9 | https://dns.quad9.net/dns-query | No persistent logs | Malware blocking |
| AdGuard | https://dns.adguard-dns.com/dns-query | No persistent logs | Built-in ad filtering |
| NextDNS | https://random-id.dns.nextdns.io/dns-query | Configurable | Customizable blocklists |
| Mullvad | https://dns.mullvad.net/dns-query | No logs | Strong privacy stance |
For maximum privacy, configure your resolver to use multiple upstream providers with round-robin or fastest-response selection. This way, no single provider sees your full DNS query history.
Advanced Configuration Tips
Running DoH with TLS Certificates
If you’re exposing your DoH resolver to the internet (for remote access), you need valid TLS certificates. Use Let’s Encrypt with Certbot:
DNS-over-HTTPS with Load Balancing
For high-availability setups, run multiple resolver instances behind a load balancer:
HAProxy configuration for DoH load balancing:
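An HAProxy configuration for the load-balanced layout, added as an example and not the article's own file. It assumes HAProxy terminates TLS (PEM bundle at an assumed path) and forwards to two plain-HTTP DoH backends at 10.0.0.11 and 10.0.0.12 on port 8053; the health check sends the RFC 8484 example GET query for www.example.com and expects an HTTP 200, so a backend whose resolver is down is pulled from rotation rather than returning SERVFAIL to clients.

```haproxy
# Added example, not the article's own configuration.
# Assumes: TLS terminated here with /etc/haproxy/certs/dns.example.com.pem,
# two DoH backends speaking plain HTTP on 10.0.0.11:8053 and 10.0.0.12:8053.
global
    log stdout format raw local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend doh_in
    bind :443 ssl crt /etc/haproxy/certs/dns.example.com.pem alpn h2,http/1.1
    # Serve only the DoH path and only GET/POST (RFC 8484)
    acl is_doh path /dns-query
    http-request deny unless is_doh
    http-request deny unless METH_GET or METH_POST
    # Per-source rate limit: 300 requests per 10 s, then HTTP 429
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 300 }
    default_backend doh_pool

backend doh_pool
    balance leastconn
    # Health check = a real DoH lookup (RFC 8484 example query, www.example.com A)
    option httpchk GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
    http-check expect status 200
    server doh1 10.0.0.11:8053 check inter 5s fall 2 rise 2
    server doh2 10.0.0.12:8053 check inter 5s fall 2 rise 2
```

Checking with a real query instead of a bare TCP connect matters here: a backend whose HTTP listener is up but whose resolver behind it has stopped will still pass a connect check and silently serve failures.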
Monitoring Your DNS Resolver
Set up basic monitoring to track query volume, cache hit rates, and upstream response times:
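A small health check for the Unbound-based layouts, added as an example and not the article's own script. It parses the key=value output of `unbound-control stats_noreset` (the counter names `total.num.queries`, `total.num.cachehits`, `total.num.cachemiss`, `total.recursion.time.avg` and `time.elapsed` are Unbound's own), derives query rate, cache hit rate and average recursion time, and raises alerts against thresholds. The thresholds and the `SAMPLE_STATS` text are constructed for illustration; only `fetch_live_stats` touches a real resolver.

```python
"""Check an Unbound resolver from `unbound-control stats_noreset` output:
query rate, cache hit rate and average recursion time.
Added example, not the article's own code."""
import subprocess

# Alert thresholds (assumed values; tune for your network)
MIN_CACHE_HIT_RATE = 0.5      # below this the cache is not earning its keep
MAX_RECURSION_AVG_SEC = 0.5   # slow upstream / root lookups
MAX_QUERIES_PER_SEC = 500.0   # unusually high volume for a home network


def parse_stats(text: str) -> dict:
    """Turn the key=value lines unbound-control prints into a dict of floats."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        try:
            stats[key.strip()] = float(value)
        except ValueError:
            continue  # non-numeric lines are ignored
    return stats


def summarize(stats: dict) -> dict:
    """Derive the three numbers worth graphing from the raw counters."""
    hits = stats.get("total.num.cachehits", 0.0)
    misses = stats.get("total.num.cachemiss", 0.0)
    queries = stats.get("total.num.queries", hits + misses)
    elapsed = stats.get("time.elapsed", 0.0)   # seconds since last stats reset
    return {
        "queries": queries,
        "qps": queries / elapsed if elapsed else 0.0,
        "cache_hit_rate": hits / (hits + misses) if hits + misses else 0.0,
        "recursion_avg": stats.get("total.recursion.time.avg", 0.0),
    }


def alerts(summary: dict) -> list:
    """Return human-readable problems; an empty list means healthy."""
    problems = []
    if summary["queries"] and summary["cache_hit_rate"] < MIN_CACHE_HIT_RATE:
        problems.append(f"low cache hit rate: {summary['cache_hit_rate']:.0%}")
    if summary["recursion_avg"] > MAX_RECURSION_AVG_SEC:
        problems.append(f"slow recursion: {summary['recursion_avg']:.3f}s avg")
    if summary["qps"] > MAX_QUERIES_PER_SEC:
        problems.append(f"query flood: {summary['qps']:.0f} q/s")
    return problems


def fetch_live_stats() -> dict:
    """Needs unbound-control set up (remote-control: control-enable: yes)."""
    out = subprocess.run(["unbound-control", "stats_noreset"],
                         capture_output=True, text=True, check=True).stdout
    return parse_stats(out)


# Constructed sample of unbound-control output (not captured from a real host)
SAMPLE_STATS = """\
thread0.num.queries=6000
thread1.num.queries=6345
total.num.queries=12345
total.num.cachehits=9876
total.num.cachemiss=2469
total.recursion.time.avg=0.123456
total.recursion.time.median=0.087
time.now=1700000000.000000
time.up=86400.000000
time.elapsed=600.000000
"""

if __name__ == "__main__":
    summary = summarize(parse_stats(SAMPLE_STATS))
    print(summary)
    print(alerts(summary) or "resolver healthy")
```

Run it from cron or a systemd timer and ship the `alerts` output to whatever already pages you; a sudden drop in cache hit rate together with a query-rate spike is a common first sign of a device on the LAN misbehaving.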
Firewall Rules for DNS
Ensure your DNS traffic flows correctly while blocking unencrypted DNS leaks:
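An nftables policy for the "no unencrypted DNS leaks" goal, added as an example and not the article's own rules. It assumes an IPv4 LAN behind a Linux gateway that also hosts the resolver, with LAN interface `lan0` and resolver address `192.168.1.10` (both assumptions). Plain DNS is served to the LAN only, devices with hard-coded resolvers are redirected to the local one, plain DNS and DoT from the LAN to anywhere else are dropped, and the WAN side is never answered on port 53 so the host cannot become an open resolver.

```nft
#!/usr/sbin/nft -f
# Added example, not the article's own rules. Assumes the resolver runs on
# the LAN gateway, the LAN interface is lan0 and the resolver listens on
# 192.168.1.10 (plain DNS for LAN clients, DoH on 443 for everyone).
# Loads alongside an existing ruleset: nft -f dns_policy.nft

define LAN_IF   = "lan0"
define RESOLVER = 192.168.1.10

table inet dns_policy {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Devices with hard-coded resolvers (IoT, smart TVs) are redirected
        # to ours instead of leaking plain DNS to the internet.
        iifname $LAN_IF ip daddr != $RESOLVER meta l4proto { udp, tcp } th dport 53 dnat ip to $RESOLVER
    }

    chain input {
        type filter hook input priority filter; policy accept;
        # Plain DNS is served to the LAN only
        iifname $LAN_IF ip daddr $RESOLVER meta l4proto { udp, tcp } th dport 53 accept
        # The DoH endpoint is reachable from anywhere (TLS terminates there)
        tcp dport 443 accept
        # Never answer plain DNS from the WAN: avoids being an open resolver
        iifname != $LAN_IF meta l4proto { udp, tcp } th dport 53 drop
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # Plain DNS and DoT may not leave the LAN past the resolver.
        # (DoH to third parties rides on 443 and cannot be told apart here;
        # that is a client-policy matter, see the browser section.)
        iifname $LAN_IF ip daddr != $RESOLVER meta l4proto { udp, tcp } th dport { 53, 853 } drop
    }
}
# No output rules: the resolver itself can still reach upstream DoH
# endpoints on 443 or, with Unbound recursion, the root servers on 53.
```

After loading, `nft list table inet dns_policy` shows rule counters, which is a quick way to see whether anything on the LAN is still trying to bypass the resolver.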
Browser and OS Configuration
Once your DoH resolver is running, configure clients to use it:
Firefox
- Go to about:preferences#privacy
- Scroll to “DNS over HTTPS”
- Select “Custom”
- Enter your resolver URL: https://dns.example.com/dns-query
Chrome/Edge
- Go to chrome://settings/security
- Under “Use secure DNS”, toggle on
- Select “Custom” and enter your DoH endpoint
macOS
macOS natively supports DoH in System Settings > Network > DNS. Add your resolver’s DoH URL in the DNS over HTTPS section.
Windows 11
Settings > Network & Internet > Ethernet/Wi-Fi > DNS server assignment > Edit > set to “Automatic (DNS over HTTPS)” and point to your resolver.
Android
Android 9+ supports Private DNS (which uses DoT, not DoH). For DoH on mobile, use apps like Intra or configure it through a VPN profile that routes DNS to your resolver.
Conclusion
Self-hosting a DNS-over-HTTPS resolver is one of the most impactful privacy upgrades you can make to your network infrastructure. The barrier to entry is low — AdGuard Home or Cloudflared can be running in Docker within minutes — and the benefits compound over time as you fine-tune filtering rules and monitoring.
For most users, AdGuard Home offers the best balance of features and usability. For those who want a pure DoH proxy with zero configuration, Cloudflared is the quickest path. Advanced operators who need full control and zero upstream dependency should consider the Nginx + Unbound combination.
Whatever you choose, the result is the same: your DNS queries are encrypted, your browsing data stays private, and you control every aspect of name resolution on your network.
For a broader perspective on building a privacy-focused stack, see our complete privacy stack guide. If you need DNS filtering and ad blocking in addition to encrypted DNS, our DNS filtering with Pi-hole and AdGuard guide covers that in detail.
FAQ
What is the difference between DNS-over-HTTPS and DNS-over-TLS?
DNS-over-HTTPS (DoH) wraps DNS queries inside standard HTTPS connections on port 443, making them indistinguishable from regular web traffic. DNS-over-TLS (DoT) uses a dedicated port (853) with TLS encryption. DoH is harder for ISPs to block because it blends with HTTPS traffic, while DoT is easier to detect and firewall. Both encrypt your queries end-to-end.
Can I use my self-hosted DoH resolver for my entire home network?
Yes. Configure your router’s DNS settings to point to your DoH resolver’s local IP address (e.g., 192.168.1.10:53). All devices on the network will then route their DNS through your resolver, which encrypts upstream queries via DoH. Alternatively, configure individual devices to use the resolver directly.
Does a self-hosted DoH resolver improve browsing speed?
It can. Local DNS caching means repeated queries are resolved in under 1ms instead of the 50-200ms typical for external DNS lookups. Tools like Cloudflared and AdGuard Home include built-in caching. The first lookup for a new domain will still take the normal time, but subsequent lookups are nearly instant.
Is it legal to run my own DNS-over-HTTPS resolver?
Yes, running your own DNS resolver is legal in virtually all jurisdictions. You are simply resolving domain names for your own use. However, some countries or ISPs may attempt to block or throttle DoH traffic. If you expose your resolver to the public internet, ensure you have appropriate rate limiting in place.
Which DoH provider is the most privacy-focused?
Among the major providers, Quad9 and Mullvad have the strongest privacy policies — both commit to zero persistent logging of DNS queries. Cloudflare also maintains a no-logs policy backed by annual KPMG audits. For maximum privacy, avoid Google DNS (which retains 24-48 hours of temporary logs) and consider running Unbound for full recursive resolution with zero upstream dependency.
How do I block ads and trackers with my DoH resolver?
AdGuard Home and Technitium DNS Server include built-in ad blocking. You can add public blocklists like EasyList, StevenBlack’s hosts file, or OISD. Dnscrypt-Proxy supports cloaking rules, and Cloudflared can be paired with AdGuard Home for filtering. For a deeper dive into DNS-based filtering, check out dedicated content-blocking guides.