Set Up DNS-over-HTTPS (DoH)
Encrypt your DNS queries over HTTPS
DNS-over-HTTPS wraps your DNS queries inside regular HTTPS traffic. From the outside it looks identical to loading a webpage — it can’t be distinguished or blocked without breaking all HTTPS. This makes it the most resilient encrypted DNS option available.
Firefox
Firefox has built-in DoH support with a custom provider option:
- Open Settings → Privacy & Security
- Scroll to DNS over HTTPS
- Select Max Protection
- Choose Custom from the provider dropdown
- Enter:
https://ledns.eu/dns-query
- Click Save changes
Firefox will now route all DNS through le_dns over HTTPS.
Chrome / Chromium
- Open Settings → Privacy and security → Security
- Scroll to Use secure DNS
- Enable it and select With Custom
- Enter:
https://ledns.eu/dns-query
Chrome applies this to all DNS resolution in the browser, including for extensions and background requests.
Edge
Microsoft Edge follows the same pattern as Chrome:
- Open Settings → Privacy, search, and services
- Scroll to Security
- Turn on Use secure DNS to specify how to lookup the network address for websites
- Select Choose a service provider
- Enter:
https://ledns.eu/dns-query
Windows 11
Windows 11 supports system-wide DoH natively, so every app benefits — not just your browser. See the Windows setup guide for step-by-step instructions.
macOS / iOS
macOS and iOS use DNS configuration profiles (.mobileconfig files) to apply DoH at the system level. You can create one using Apple’s profile format with DNSSettings type HTTPS and the URL https://ledns.eu/dns-query, then install it via System Settings → Privacy & Security → Profiles (macOS) or Settings → General → VPN & Device Management (iOS).
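One way to generate the profile described above, as an added example that is not part of the original guide or of le_dns itself. The payload keys (com.apple.dnsSettings.managed, DNSSettings, DNSProtocol, ServerURL) follow Apple's DNS settings payload; the profile identifier, display names and output filename are assumptions chosen for illustration.

```python
"""Build an unsigned DNS-over-HTTPS configuration profile for macOS/iOS."""
import plistlib
import uuid
from urllib.parse import urlsplit

# Assumption: reverse-DNS identifier made up for this example.
PROFILE_ID = "eu.ledns.example.doh"


def build_doh_profile(server_url: str, identifier: str = PROFILE_ID) -> bytes:
    """Return an XML .mobileconfig that sets system-wide DoH to server_url."""
    parts = urlsplit(server_url)
    # Refuse cleartext or malformed endpoints before they reach a device.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"DoH server URL must be https://: {server_url!r}")

    # Deterministic UUIDs keep rebuilt profiles byte-for-byte reproducible.
    profile_uuid = uuid.uuid5(uuid.NAMESPACE_URL, identifier)
    payload_uuid = uuid.uuid5(profile_uuid, server_url)

    dns_payload = {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadIdentifier": f"{identifier}.dnssettings",
        "PayloadUUID": str(payload_uuid).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "DNS over HTTPS",  # assumed label
        "DNSSettings": {
            "DNSProtocol": "HTTPS",   # the "type HTTPS" named in the guide
            "ServerURL": server_url,
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(profile_uuid).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": f"DoH via {parts.hostname}",  # assumed label
        "PayloadContent": [dns_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # Writes the profile next to the script; open it to start installation.
    with open("ledns-doh.mobileconfig", "wb") as fh:
        fh.write(build_doh_profile("https://ledns.eu/dns-query"))
```

The resulting file is unsigned, so the installer will show it as unverified; review the DNS server URL in the install prompt before approving it.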
Linux (systemd-resolved)
systemd-resolved doesn’t support DoH natively — it supports DoT but not HTTPS-based DNS. For DoH on Linux, the most straightforward approach is a local proxy that forwards queries upstream:
Using dnscrypt-proxy:
# Install dnscrypt-proxy (Debian/Ubuntu)
sudo apt install dnscrypt-proxy
# Edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml
[sources]
# Comment out or remove the default sources block
[static]
[static.ledns]
stamp = 'sdns://AgcAAAAAAAAADTUxLjc1Ljk2LjgyC2xlZG5zLmV1Cgov...'
Or configure it to forward directly:
# /etc/dnscrypt-proxy/dnscrypt-proxy.toml
listen_addresses = ['127.0.0.1:53']
server_names = ['ledns']
[static]
[static.ledns]
stamp = 'sdns://...' # use the ledns stamp
Then set 127.0.0.1 as your system resolver.
Using cloudflared as a forward proxy:
cloudflared proxy-dns --upstream https://ledns.eu/dns-query --port 5053
Then point your system DNS to 127.0.0.1:5053.
If you’re already using systemd-resolved and prefer an easier setup, consider DoT instead — it’s natively supported.
DoH3 (HTTP/3 over QUIC)
le_dns also supports DoH over HTTP/3 for even lower latency. HTTP/3 uses the QUIC transport protocol, which eliminates TCP’s connection overhead and handles packet loss more gracefully.
Endpoint: h3://ledns.eu/dns-query
Browser support for HTTP/3 DoH is limited — most use standard HTTPS (HTTP/2). Clients like dnscrypt-proxy can be configured to prefer H3.
Verify it works
curl -s -H 'accept: application/dns-json' \
'https://ledns.eu/dns-query?name=example.com&type=A'
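You should get a JSON response with an Answer array containing an A record for example.com. If you see that, le_dns is answering your queries over HTTPS. Note that this curl request goes straight to the le_dns endpoint regardless of your browser or system DNS settings, so it confirms the service is reachable from your network rather than that your device is configured to use it.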
For a full leak check, visit dnsleaktest.com and confirm the DNS servers shown are le_dns servers.