Why Encrypting DNS Matters

Traditional DNS queries travel across the internet in plain text. Anyone positioned between your device and the resolver (your ISP, a coffee shop Wi-Fi operator, or a malicious actor on the same network) can see every domain you look up. This is a significant privacy and security risk. Two modern protocols address this by encrypting queries in transit: DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT).

Both encrypt DNS traffic, but they take different approaches. Understanding the distinction helps you pick the right one for your situation.

DNS-over-TLS (DoT)

DoT wraps DNS queries inside a TLS (Transport Layer Security) tunnel — the same encryption technology used for HTTPS websites. It operates on a dedicated port: TCP port 853.

How DoT Works

  1. Your device establishes a TLS connection with the DNS resolver on port 853.
  2. DNS queries and responses are sent encrypted within that connection.
  3. The resolver decrypts, processes, and returns results over the same secure channel.

DoT Pros & Cons

  • Pro: Network administrators can easily identify DoT traffic (it has its own port) and apply policy to it, which is useful in enterprise environments; the query contents themselves remain encrypted.
  • Pro: Clear separation from regular web traffic makes it easier to manage.
  • Con: Because it uses a dedicated port, it can be blocked by firewalls or restrictive networks.
  • Con: Narrower browser support than DoH; DoT is usually configured at the OS or router level rather than inside the browser.

DNS-over-HTTPS (DoH)

DoH sends DNS queries disguised as regular HTTPS web traffic, operating on port 443 — the same port used by every secure website. From a network perspective, DoH traffic is largely indistinguishable from normal web browsing, although connections to the well-known addresses of public DoH resolvers can still be recognized.

How DoH Works

  1. Your browser or OS sends a DNS query formatted as an HTTPS request to a DoH endpoint (e.g., https://cloudflare-dns.com/dns-query).
  2. The request travels encrypted over port 443.
  3. The resolver processes the query and returns the response as an HTTPS reply.
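The two "How it works" sequences above carry the very same DNS message; only the framing differs. The following added example (not code from the original article) builds a wire-format query, frames it for DoT (2-byte length prefix inside TLS on port 853) and for DoH (base64url in the `dns=` parameter of the article's cloudflare-dns.com endpoint), and parses an A-record answer from a constructed response; it never opens a network connection.

```python
import base64
import struct

def build_query(name, qtype=1, txid=0):
    """DNS query for `name` (qtype 1 = A, class IN) with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)
def frame_for_dot(msg):
    """DoT reuses DNS-over-TCP framing inside TLS on port 853: a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg
def doh_get_url(msg, endpoint="https://cloudflare-dns.com/dns-query"):
    """DoH GET form: base64url message, '=' padding stripped, in the dns= parameter (ID 0 aids caching)."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()
def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = data[off]
        if n & 0xC0 == 0xC0:                          # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
        elif n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(data[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
def parse_a_answers(resp):
    """IPv4 addresses from the answer section of a DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off, addrs = 12, []
    for _ in range(qd):                               # skip the question section
        off = _read_name(resp, off)[1] + 4
    for _ in range(an):
        _, off = _read_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs

# Constructed sample response (not captured from a real resolver): "example.com A"
# with one A record whose owner name is a pointer (0xC00C) back to the question.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))
```

Sending the DoT frame over a TLS socket to port 853, or issuing an HTTPS GET to the DoH URL with `Accept: application/dns-message`, would return bytes in exactly the form `parse_a_answers` expects.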

DoH Pros & Cons

  • Pro: Very hard to block outright without also blocking all HTTPS traffic; blocking it requires targeting specific resolver endpoints.
  • Pro: Natively supported in major browsers (Firefox, Chrome, Edge) and modern operating systems.
  • Con: Network administrators have less visibility, which can be a challenge in managed environments.
  • Con: DNS traffic mixed with web traffic makes network-level monitoring harder.

Side-by-Side Comparison

Feature            | DoT                  | DoH
-------------------|----------------------|-----------------------------
Port used          | 853                  | 443
Encryption         | TLS                  | TLS (via HTTPS)
Traffic visibility | Identifiable as DNS  | Blends with HTTPS
Ease of blocking   | Easier to block      | Very hard to block
Browser support    | Limited              | Wide (Chrome, Firefox, Edge)
OS-level support   | Android, Linux       | Windows 11, macOS, iOS
Best for           | Routers, enterprise  | Individual users, browsers

Which Should You Choose?

The answer depends on your context:

  • For everyday users: DoH is usually the easiest option. Enable it directly in your browser or OS settings without any additional configuration.
  • For home routers and network-wide setups: DoT is well-supported by router firmware like OpenWrt and is a natural fit for device-level configuration.
  • For maximum privacy on restrictive networks (corporate, school, travel): DoH is harder to block and therefore more reliable.
  • For enterprise/IT admins: DoT keeps encrypted DNS identifiable on the network, preserving more of your monitoring and policy-enforcement capability.

What About DNSCrypt?

A third option, DNSCrypt, is an older protocol that also encrypts DNS but is less widely supported. It remains popular with advanced users and Pi-hole setups but hasn't seen the same mainstream adoption as DoH and DoT. If you're just getting started, stick with DoH or DoT.

Whichever protocol you choose, using any form of encrypted DNS is dramatically better than sending queries in plain text.