Foli VPN Blog · 2026-05-24

VPN and DNS over HTTPS: Why Your Browser May Bypass VPN DNS and What to Check in 2026


If a website opens "differently" in your browser, Telegram or Discord behaves oddly, and your VPN is still connected, the cause isn't always the VPN itself. In 2026, a separate layer is increasingly getting involved — DNS over HTTPS, or "Secure DNS" inside the browser. Below is a practical breakdown of how to tell useful protection apart from a settings conflict — without breaking your privacy.

In Short: What DNS over HTTPS Is and How It Relates to VPN

DNS is the system that turns a website name into a network address. A regular DNS query may go to a DNS server of your ISP, router, corporate network, or VPN service. DNS over HTTPS, or DoH for short, sends those queries inside an HTTPS connection to a chosen DNS provider. In the interfaces of Chrome, Edge, and some other browsers this is often called Secure DNS or "protected DNS".

A VPN solves a different problem: it creates an encrypted tunnel for the traffic of a device or an app. A good VPN usually also pushes its own DNS settings so that queries don't leak outside the tunnel. The conflict starts when the browser decides, "I'll pick my own DNS over HTTPS," while the VPN client expects DNS to go through its route.

As a result, the user sees strange symptoms: the IP in a checker has changed, but some sites still open the old way; an app doesn't see the same thing as the browser; a corporate domain stops resolving; the router-level filter stops working, but only inside the browser. This isn't magic, and it isn't necessarily "a full traffic leak". More often it's a mismatch of DNS routes.

When DoH Helps and When It Gets in the Way

DNS over HTTPS is useful when you're connected to a random Wi‑Fi network, don't trust the local DNS, or want to reduce the risk of DNS spoofing. Official Google Public DNS materials describe DoH as DNS queries over HTTPS, with IPv4 and IPv6 support. Cloudflare separately publishes instructions for configuring DoH in browsers. Microsoft's Edge documentation describes the DnsOverHttpsMode policy and DoH resolver templates for managed devices.

But DoH has a flip side: it can bypass the DNS pushed by your VPN, home router, parental filter, or work network. So the question isn't "turn it on or off forever," but who should manage DNS in a given scenario.

Scenario | Best Action | Why
Regular personal laptop + VPN | Keep DNS inside the VPN or choose DoH deliberately | DNS and IP shouldn't be fighting each other
Work laptop with corporate domains | Don't change DoH without IT approval | Internal domains are often reachable only via corporate DNS
Home router with filters | Check whether the browser bypasses the router's DNS | Secure DNS can send queries directly to an external DoH provider
Public Wi‑Fi without VPN | DoH can be a useful extra layer | It hides DNS queries from the local network but doesn't replace a VPN
Telegram/Discord/YouTube apps behave differently than the site | Compare browser, system, and VPN DNS | The browser may use its own DoH while apps use the system DNS

Main Symptoms of a VPN and DNS over HTTPS Conflict

1. The Site Opens in the Browser but Not in the App

This is a classic sign of a difference between browser DNS and system DNS. A browser with Secure DNS enabled can resolve domains through its own provider, while an app uses the DNS issued by the VPN or the network. So the web version of a service works, while the desktop or mobile app shows a connection error.

A similar pattern is analyzed in the related article "VPN works in the browser but not in apps". The difference here is that we're looking not just at app routes, but specifically at the DNS layer inside the browser.

2. VPN Is Connected, but the DNS Test Shows a Different Provider

If your IP address has changed but the DNS test shows Google, Cloudflare, Quad9, or another public resolver, don't jump to the conclusion that the VPN "isn't working." The browser may be sending DoH queries to the chosen resolver. This can be fine if you configured your browser that way on purpose. But if your goal is a unified DNS policy through the VPN, that setup needs to be revisited.

More on basic DNS diagnostics is in the article "VPN DNS settings".

3. Work or Local Domains Stop Opening

Corporate networks often use internal domains that don't exist in public DNS. Home networks may also use local names for a NAS, printer, router admin panel, or media server. If the browser sends queries to an external DoH provider, it may simply not know such names.

For a work device, it's safer not to change the Secure DNS policy on your own. If it's a personal laptop, test carefully: disable Secure DNS in one browser, check only the problematic domain, and revert the setting if the cause isn't confirmed.

4. YouTube, Telegram Web, or Discord Web Behave Differently After a DNS Change

Media and calls depend not only on DNS but also on routing, UDP/TCP, MTU, QUIC, and network quality. Still, DNS can be the first link: if the browser picks one address for a service and the app picks another, behavior diverges. For such cases it helps to check the chain in order: DNS → VPN route → protocol → network quality.

If the issue is specifically with calls, the dedicated piece "VPN for video calls" is helpful.

How to Check the Settings in Chrome, Edge, and Firefox

Menu item names may differ slightly between versions and interface languages, so go by meaning: security, privacy, DNS, Secure DNS, DNS over HTTPS.

Chrome

In Chrome the setting is usually in the security section. Look for "Use secure DNS" or Secure DNS. It may offer automatic selection or a specific provider. If a specific external provider is selected, the browser may resolve domains separately from the VPN.

A practical test: temporarily switch Chrome to the system DNS or turn Secure DNS off, then restart the browser and check only the problematic site. If the behavior changes, the cause is most likely the DoH route. If not, revert the setting and look for the problem in the VPN profile, DNS inside the VPN, IPv6, or MTU.

Microsoft Edge

For Edge, two areas matter: regular privacy settings and corporate policies. Microsoft Learn has dedicated DnsOverHttpsMode and DnsOverHttpsTemplates policies. That means on a work device the option may be set by an administrator and locked from changes.

If Edge is managed by your organization, don't try to bypass the restrictions. The right path is to record the symptom: which domain fails to open, whether it works outside the VPN, what another browser shows — and pass that to the administrator.

Firefox

Firefox uses its own DNS over HTTPS protection levels. The official Mozilla support page may be inaccessible due to anti-bot checks, but the principle is the same: Firefox can use DoH independently of the system DNS. If the issue appears only in Firefox, compare its DNS setting with Chrome or Edge.

Android and iPhone

On phones, confusion is more often caused not by the browser but by system features: Private DNS on Android, iCloud Private Relay in Safari, VPN profiles, "always-on VPN" mode, data saver, and background activity limits. If the browser and apps behave differently, check not only the VPN client but also system DNS/privacy settings.

A Low-Risk Diagnostic Checklist

  • Check whether the VPN is on and whether your external IP changes.
  • Compare the same site in two browsers — for example, Chrome and Firefox.
  • Open Secure DNS / DNS over HTTPS settings in the problematic browser.
  • If an external DNS provider is selected, switch temporarily to the system DNS.
  • Restart the browser, not just the tab.
  • Check whether the browser is managed by an organization.
  • For a work laptop, don't change policies without your IT admin.
  • If the issue is only in apps, check split tunneling and DNS inside the VPN.
  • If local devices break, check local network access and the router's DNS.
  • After the test, revert to the safer setting that matches your goal.
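
The browser-versus-system comparison from the symptoms and checklist above can also be done outside the browser. The following is an added example, not Foli VPN's own code: it compares the OS resolver's answer with a DoH resolver's JSON answer for one name and labels the mismatch. The Google Public DNS JSON endpoint is an assumed choice of resolver, and the sample names and addresses are constructed.

```python
import json
import socket
import urllib.parse
import urllib.request

DOH_URL = "https://dns.google/resolve"  # assumption: Google Public DNS JSON API

def system_ips(name):
    """Addresses from the OS resolver, which apps and the VPN-pushed DNS use."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def doh_reply(name, rtype="A"):
    """Query the DoH resolver directly, as a browser with Secure DNS would."""
    qs = urllib.parse.urlencode({"name": name, "type": rtype})
    with urllib.request.urlopen(f"{DOH_URL}?{qs}", timeout=5) as resp:
        return json.load(resp)

def doh_ips(reply):
    """Keep only A (type 1) and AAAA (type 28) records from the JSON reply."""
    return {a["data"] for a in reply.get("Answer", []) if a.get("type") in (1, 28)}

def classify(system, reply):
    """Compare both views of one name and label the mismatch, if any."""
    public = doh_ips(reply)
    if system and reply.get("Status") == 3:  # 3 = NXDOMAIN
        return "internal-only"     # local/corporate name unknown to public DNS
    if public and not system:
        return "system-dns-fails"  # browser with DoH works, apps do not
    if not public and not system:
        return "unresolved"
    if system & public:
        return "consistent"
    return "divergent"  # can be normal CDN steering; compare with the symptom

# Constructed sample data (documentation/private address ranges), runs offline.
SAMPLES = {
    "nas.home.example": ({"10.0.0.5"}, {"Status": 3}),
    "app.example": (set(), {"Status": 0, "Answer": [
        {"name": "app.example.", "type": 1, "data": "203.0.113.7"}]}),
    "site.example": ({"192.0.2.10"}, {"Status": 0, "Answer": [
        {"name": "site.example.", "type": 5, "data": "edge.example."},
        {"name": "edge.example.", "type": 1, "data": "192.0.2.10"}]}),
}

if __name__ == "__main__":
    for name, (system, reply) in SAMPLES.items():
        print(name, "->", classify(system, reply))
    # Live check: classify(system_ips("example.com"), doh_reply("example.com"))
```

A "divergent" result alone does not prove a conflict, since large services return different addresses to different resolvers; it matters when it lines up with one of the symptoms above.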

How to Configure It Safely: Three Working Strategies

Strategy 1. Everything Through the VPN

This fits if a unified logic matters to you: IP, DNS, and routes should all go through the VPN. In this mode it's better to disable separate DoH in the browser or set it to a mode that uses the system DNS. Then make sure the VPN client itself pushes DNS and doesn't allow DNS queries outside the tunnel.

For FoliVPN, start with the main page https://folivpn.org/ and use the current profile for your device. Don't mix several VPN clients and DNS utilities at the same time — it makes it harder to tell who's actually changing the route.

Strategy 2. VPN for Traffic, DoH Only in the Browser
