
DNS over HTTPS on Your Router: What It Is, How to Enable It, and How It Affects WiFi Speed

DNS over HTTPS (DoH) encrypts every domain lookup your devices make, hiding your browsing habits from your ISP and preventing DNS hijacking. Here’s how it works, whether it slows down your connection, and how to enable it on TP-Link, ASUS, Netgear, and D-Link routers.


Every time a device on your network loads a website, it first asks a DNS server to translate the domain name (for example, wifispeed.com) into an IP address. By default, that request travels in plain text, which means your ISP, its upstream networks, and anyone monitoring traffic on a shared network can see every domain your household visits. DNS over HTTPS (DoH) fixes this by encrypting those lookups inside ordinary HTTPS traffic, so to an observer they look like a regular web page load. Configuring it at the router level means every device on your network benefits automatically, including phones, smart TVs, game consoles, and IoT gadgets that can’t run their own privacy software.

How DNS over HTTPS Works

Standard DNS queries use port 53 and send domain names in plaintext. DNS over HTTPS wraps those queries inside an encrypted HTTPS connection on port 443, the same port used by every secure website. From the outside, a DoH query looks identical to loading a web page, which makes it much harder for ISPs or network observers to intercept or manipulate. Two encrypted DNS standards compete for this job:

  • DoH (DNS over HTTPS): Queries ride inside HTTPS on port 443. Traffic is camouflaged alongside regular web traffic. Best for environments where port filtering is a concern.
  • DoT (DNS over TLS): Queries are encrypted with TLS but travel on a dedicated port 853. Easier to identify and potentially block, but introduces slightly less overhead than DoH. ASUS routers support DoT natively; TP-Link supports both.

Both protocols provide equivalent privacy protection. The choice of which to use depends mainly on what your router supports. For home networks, DoH is more widely available and equally effective.
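
The wrapping described in this section, worked through as an added example (not code from this guide or from any router vendor): it builds the DNS message that a port-53 lookup exposes in cleartext, then the RFC 8484 GET URL that carries the same bytes inside HTTPS. Function names are illustrative, and nothing is sent over the network.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

def build_query(name: str, qtype: int = 1) -> bytes:
    """Return a DNS query in wire format (RFC 1035); qtype 1 is an A record."""
    # Header: ID=0 (RFC 8484 recommends 0 so HTTP caches can share answers),
    # flags=0x0100 (recursion desired), one question, no other records.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label
        for label in name.rstrip(".").encode("ascii").split(b".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(endpoint: str, wire: bytes) -> str:
    """RFC 8484 GET form: ?dns=<base64url of the wire message, no padding>."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"

def parse_question(wire: bytes) -> tuple[str, int]:
    """Read the first question (name, type) back out of a wire-format query."""
    pos, labels = 12, []  # the question starts after the 12-byte header
    while wire[pos] != 0:
        length = wire[pos]
        labels.append(wire[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    (qtype,) = struct.unpack_from("!H", wire, pos + 1)
    return ".".join(labels), qtype

def wire_from_doh_url(url: str) -> bytes:
    """Recover the DNS message the resolver decodes from the GET URL."""
    b64 = parse_qs(urlsplit(url).query)["dns"][0]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))

if __name__ == "__main__":
    wire = build_query("wifispeed.com")
    url = doh_get_url("https://cloudflare-dns.com/dns-query", wire)
    print("port 53 payload (domain readable on the wire):", wire)
    print("DoH request (travels inside TLS on port 443):", url)
    print("resolver decodes:", parse_question(wire_from_doh_url(url)))
```

With plain DNS the `wire` bytes are the UDP payload itself; with DoH the URL and the response exist only inside the TLS session to the resolver.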

Why Enable It at the Router Level?

Browsers like Firefox and Chrome include built-in DoH support, but browser-only DoH only protects traffic from that specific browser. Apps, streaming devices, smart home gadgets, and other browsers on the same network continue using your ISP’s unencrypted DNS resolver. Enabling DoH on your router pushes encryption to every connected device simultaneously. It also lets you choose a faster or more privacy-respecting DNS provider for your entire household in one place, rather than configuring each device individually.

Choosing a DoH Provider

When you enable DoH on your router, you select a third-party resolver to handle your DNS queries instead of your ISP’s default server. The most widely used options:

  • Cloudflare (1.1.1.1): Consistently ranks as the fastest public DNS resolver globally. Cloudflare does not sell browsing data and purges all logs within 24 hours. DoH endpoint: https://cloudflare-dns.com/dns-query.
  • Google (8.8.8.8): Highly reliable with excellent uptime. Google retains logs for up to 48 hours for debugging purposes. DoH endpoint: https://dns.google/dns-query.
  • Quad9 (9.9.9.9): Privacy-focused, operated by a nonprofit. Automatically blocks known malicious domains, providing a layer of malware protection at the DNS level. DoH endpoint: https://dns.quad9.net/dns-query.
  • NextDNS: Highly configurable. Offers per-device logs, ad blocking, parental controls, and threat filtering through a web dashboard. Free tier covers up to 300,000 queries per month; paid plans remove the cap. Ideal for households that want granular visibility into what every device is contacting.

For most households, Cloudflare offers the best balance of speed and privacy. For families with children or households that want ad blocking at the network level, NextDNS is worth the extra setup. See our guide on setting up parental controls on your WiFi router for how DNS-based filtering fits into a broader strategy.

Does DoH Slow Down Your WiFi?

In practice, the performance impact of DoH on browsing speed is negligible. The initial DoH connection requires a TLS handshake, which adds a small amount of latency to the first query. However, HTTP/2 connection reuse means subsequent queries within the same session are nearly as fast as unencrypted DNS. Real-world testing shows the difference between plain DNS and DoH is typically 1–5 ms — imperceptible during normal browsing. What matters more to your browsing speed is the raw performance of whichever DNS provider you choose. Cloudflare’s 1.1.1.1 regularly outperforms ISP-provided resolvers in independent benchmark tests, meaning switching to DoH with Cloudflare can actually improve perceived browsing responsiveness rather than hurt it. Run a speed test before and after enabling DoH to confirm there’s no meaningful difference on your connection.

How to Enable DoH on Your Router

TP-Link (Archer and Deco Series)

Log in to your TP-Link router at tplinkwifi.net or its IP address. Navigate to Advanced > Network > Internet. In the DNS section, look for a “DNS Mode” dropdown. Select DNS over HTTPS (DoH) or DNS over TLS (DoT). Enter your preferred provider’s DoH URL in the server fields — for Cloudflare, use https://cloudflare-dns.com/dns-query. TP-Link recommends leaving “Default Mode” enabled as a fallback, which automatically reverts to unencrypted DNS if the DoH server becomes unreachable.

ASUS (Merlin and Stock Firmware)

ASUS stock firmware supports DNS over TLS (DoT) natively but not DoH directly. Navigate to WAN > Internet Connection and look for the “DNS Privacy Protocol” setting. Select “DNS-over-TLS (DoT)” and enter your resolver’s TLS hostname — for Cloudflare, use cloudflare-dns.com with server IP 1.1.1.1. For true DoH on ASUS, routers running Merlin firmware can install the stubby or dnscrypt-proxy packages via Entware. Alternatively, setting your LAN DHCP to distribute Cloudflare’s IP (1.1.1.1) as the DNS server provides a significant privacy improvement over ISP-provided DNS even without encryption at the router level.

Netgear (Nighthawk and Orbi)

Recent Netgear Nighthawk and Orbi routers include a “DNS over HTTPS” toggle under Advanced > Setup > Internet Setup. Enable the toggle and enter your preferred DoH provider URL. Netgear’s implementation supports Cloudflare and Google out of the box with preset entries, or you can enter a custom DoH URL for providers like Quad9 or NextDNS.

D-Link (Aquila Pro AI and Current Models)

On supported D-Link routers, go to Settings > Internet and enable the “Secure DNS” toggle. A dropdown lets you select Google or Cloudflare as the DoH provider directly from the interface without manually entering a URL.

What DoH Cannot Do

DoH encrypts DNS lookups but does not hide the content of your web traffic — that’s HTTPS’s job, and it already handles it for most sites. DoH also does not prevent your ISP from seeing which IP addresses you connect to (only a VPN hides that). It does not stop traffic monitoring within your own network. If your goal is full traffic encryption, a router-level VPN is the appropriate tool — our guide on setting up a VPN on your home router covers that setup. DoH is best understood as a targeted fix for one specific privacy gap: the plain-text DNS request that reveals your browsing destinations to your ISP and anyone monitoring your connection.

Quick Setup Checklist

  1. Log in to your router’s admin interface
  2. Find the DNS or Internet Connection settings
  3. Select DNS over HTTPS (DoH) or DNS over TLS (DoT) if available
  4. Enter your chosen provider’s endpoint (Cloudflare: https://cloudflare-dns.com/dns-query)
  5. Save and reboot your router
  6. Visit 1.1.1.1/help from any device to confirm DoH is active
  7. Run a speed test to verify no performance regression
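
A check that complements step 6, added here as an example and not taken from any router vendor: it scans a text capture from the router's WAN side for lookups still leaving on port 53, which is what the unencrypted fallback described in the TP-Link section would produce. The capture lines are constructed in `tcpdump -n` style, the non-resolver addresses come from documentation ranges, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -n` text format, as seen on the WAN side.
# 198.51.100.7 stands in for the router's WAN address; none of this is real traffic.
SAMPLE_CAPTURE = """\
09:14:02.101234 IP 198.51.100.7.51514 > 1.1.1.1.443: Flags [P.], length 93
09:14:02.450112 IP 198.51.100.7.40211 > 203.0.113.53.53: 4411+ A? tracker.example. (33)
09:14:03.002871 IP 198.51.100.7.51514 > 1.1.1.1.443: Flags [P.], length 88
09:14:05.730440 IP 198.51.100.7.40212 > 203.0.113.53.53: 4412+ AAAA? cdn.example. (29)
09:14:06.118903 IP 198.51.100.7.38822 > 1.1.1.1.853: Flags [P.], length 120
09:14:09.300017 IP 198.51.100.7.40213 > 8.8.8.8.53: 911+ A? iot-vendor.example. (36)
"""

# src.port > dst.port, optionally followed by a decoded DNS question.
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:\d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+))?"
)

def plaintext_dns_leaks(capture: str) -> dict[str, list[str]]:
    """Map each port-53 resolver to the questions sent to it in cleartext."""
    leaks = defaultdict(list)
    for line in capture.splitlines():
        m = LINE.search(line)
        if m and m["dport"] == "53" and m["qname"]:
            leaks[m["dst"]].append(f'{m["qtype"]} {m["qname"].rstrip(".")}')
    return dict(leaks)

def encrypted_dns_seen(capture: str, resolver: str = "1.1.1.1") -> bool:
    """True if traffic to the chosen resolver used port 443 (DoH) or 853 (DoT)."""
    return any(
        (m := LINE.search(line)) and m["dst"] == resolver and m["dport"] in ("443", "853")
        for line in capture.splitlines()
    )

if __name__ == "__main__":
    print("encrypted DNS to 1.1.1.1 seen:", encrypted_dns_seen(SAMPLE_CAPTURE))
    for resolver, names in plaintext_dns_leaks(SAMPLE_CAPTURE).items():
        print(f"cleartext lookups to {resolver}: {names}")
```

An empty result from `plaintext_dns_leaks` on a capture taken while devices are browsing is the outcome to look for; any entry names both the resolver that received cleartext queries and the domains that were exposed.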

Enabling DoH at the router level is one of the quickest, lowest-friction privacy improvements you can make to your home network. It takes under five minutes on most modern routers and provides immediate protection for every device on your network without requiring any per-device configuration.
