factually

Does DuckDuckGo use DNS over HTTPS (DoH) or DNS over TLS (DoT) by default in its apps and extensions?

Checked on February 4, 2026
Disclaimer: Factually can make mistakes. Please verify important information or breaking news. Learn more.
DuckDuckGo
Google Groups
Super User
GitHub
Searched for:
"DuckDuckGo default DNS protocol"
Found 12 sources

Executive summary

DuckDuckGo’s VPN and related privacy products route DNS queries to DuckDuckGo-operated DNS servers by default and apply a DNS blocklist to block harmful sites [1]. The assembled reporting provided does not state whether those DNS queries are transported using DNS over HTTPS (DoH) or DNS over TLS (DoT), and public issue threads show users asking for an in-app “Secure DNS” feature for the DuckDuckGo browser—suggesting the transport-level detail is not documented in the sources at hand [1] [2].

1. What the company says about default DNS behavior

DuckDuckGo’s help pages explicitly describe that its VPN is pre-configured to send DNS queries to DuckDuckGo’s own DNS servers while the VPN is connected, and that a DNS blocklist is applied so blocklisted names won’t resolve [1]. The same documentation explains users can opt to set a third‑party DNS server under VPN Settings > DNS Server if they prefer, which shows the product defaults to the vendor’s DNS but allows user override [1]. These are concrete product-config statements from DuckDuckGo’s support pages, not third‑party conjecture [1].

2. What the available reporting does not show: DoH vs DoT

Nowhere in the provided DuckDuckGo help content or the other collected snippets is there a declaration that DuckDuckGo’s DNS servers are accessed specifically via DNS over HTTPS (DoH) or DNS over TLS (DoT); the materials discuss DNS endpoints, blocklists, and user-configurable DNS but omit the transport protocol [1]. A public GitHub issue requesting a “Secure DNS” feature in the DuckDuckGo Privacy Browser indicates user demand for an explicit secure-DNS setting, which further implies that the browser’s DNS transport behavior is not clearly exposed to users in the sources reviewed [2]. Because the supplied sources do not specify DoH or DoT, it is not possible from this reporting to assert which, if either, is used by default.

3. Signals from community threads and diagnostic pages — hints, not confirmations

Community troubleshooting and DNS lookup pages included in the search results demonstrate typical DNS resolution behaviors, IP-address listings, and occasional resolver interactions with DuckDuckGo domains, but these materials focus on record values and resolver responses rather than the encryption layer of DNS transport [3] [4] [5] [6]. Such diagnostic posts can show where queries resolved and that DuckDuckGo’s domains have standard DNS records, yet they do not document whether a client-to-resolver session was encrypted using DoH or DoT [3] [4] [5] [6].

4. Best interpretation and the limits of these sources

Given DuckDuckGo’s documented default of using its own DNS servers for the VPN and the ability for users to switch to third‑party DNS, the firm controls the resolver endpoint but the reporting here stops short of describing the transport protocol [1]. The absence of explicit DoH/DoT statements in DuckDuckGo’s help pages and the presence of user feature requests on GitHub constitute the strongest evidence available in this set: the product default is a DuckDuckGo resolver with blocklisting, and the documentation provided does not confirm whether that resolver is accessed via DoH or DoT [1] [2]. Any definitive claim beyond that would require authoritative product documentation or engineering statements not included among the supplied sources.

Want to dive deeper?
Does DuckDuckGo document the transport protocol (DoH/DoT) for its DNS service in official engineering or privacy whitepapers?
How do DuckDuckGo’s DNS privacy guarantees compare to Cloudflare and Quad9 with respect to DoH/DoT and logging policies?
What changes in the DuckDuckGo Privacy Browser or VPN release notes have addressed secure DNS features since 2023?