
DNS-over-TLS (DoT) vs. DNS-over-HTTPS (DoH)

DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) are two protocols that encrypt DNS queries to protect your online privacy and security. Both serve the same purpose but differ in how they operate and where they are most effective. This page will help you understand the differences and decide which protocol is right for you.

Why Use Encrypted DNS?

DNS queries are typically unencrypted, making them vulnerable to eavesdropping and tampering. Encrypting DNS traffic with DoT or DoH prevents third parties, such as ISPs, from seeing your browsing history or hijacking DNS responses.

Key Differences Between DoT and DoH

Protocol and Port Usage

  • DoT uses TCP port 853 for encrypted DNS traffic, distinct from regular web traffic.
  • DoH uses HTTPS on TCP port 443, so it blends in with ordinary web traffic and is harder to single out or block.

DoH is less likely to be blocked in environments that restrict non-web traffic, while DoT can be easily identified and filtered if desired.
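The wire-level difference described above, as an added example that is not code from the original page: a Python script that builds one DNS query in standard wire format, frames it the way DoT sends it over a TLS stream on port 853 (2-byte length prefix, RFC 7858) and the two ways DoH sends it over HTTPS on port 443 (base64url GET parameter or application/dns-message POST body, RFC 8484), and decodes the response header. The resolver name dns.example.test and the /dns-query path are assumptions; the network helpers need a reachable resolver, while the framing and parsing functions run offline.

```python
"""DoT vs DoH at the wire level (added example, not from the original page).

One DNS query is built in RFC 1035 wire format, then carried two ways:
  * DoT (RFC 7858): TLS on TCP/853, each message prefixed by a 2-byte length.
  * DoH (RFC 8484): HTTPS on TCP/443, the message as a GET parameter or as an
    application/dns-message POST body.
The resolver hostname and the /dns-query path are assumptions.
"""
import base64
import socket
import ssl
import struct
import urllib.request

RESOLVER_HOST = "dns.example.test"            # assumed placeholder resolver
DOH_ENDPOINT = f"https://{RESOLVER_HOST}/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a recursive DNS query; qtype 1 = A, 28 = AAAA.

    txid defaults to 0 because RFC 8484 recommends a zero ID for DoH, so that
    identical queries produce identical (cacheable) HTTP requests.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)        # class IN


def dot_frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a big-endian 16-bit length prefix."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """DoH GET: the query goes in the 'dns' parameter, base64url without padding."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_post_request(msg: bytes, endpoint: str = DOH_ENDPOINT) -> urllib.request.Request:
    """DoH POST: the raw query is the body, typed application/dns-message."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return urllib.request.Request(endpoint, data=msg, headers=headers, method="POST")


def parse_header(response: bytes) -> dict:
    """Decode the 12-byte DNS header; RCODE 0 = NOERROR, 3 = NXDOMAIN."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {"txid": txid, "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    """Read exactly n bytes from the TLS stream (DoT messages may arrive split)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS stream closed mid-message")
        buf += chunk
    return buf


def query_over_dot(msg: bytes, host: str = RESOLVER_HOST, port: int = 853) -> bytes:
    """Send one query over DoT and return the raw response (needs network access)."""
    ctx = ssl.create_default_context()        # verifies the resolver's certificate
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(dot_frame(msg))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


def query_over_doh(msg: bytes, endpoint: str = DOH_ENDPOINT) -> bytes:
    """Send one query over DoH (POST) and return the raw response (needs network access)."""
    with urllib.request.urlopen(doh_post_request(msg, endpoint), timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    q = build_query("example.com")
    print("DoT frame :", dot_frame(q).hex())
    print("DoH GET   :", doh_get_url(q))
    # Constructed NXDOMAIN response header; nothing is sent on the network here.
    print("RCODE     :", parse_header(bytes.fromhex("000081830001000000000000"))["rcode"])
```

The same 29-byte query is what both transports carry; only the wrapper differs, which is why a port-853 filter catches DoT while DoH is just another HTTPS request to the resolver's hostname.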

Speed and Performance

  • DoT can offer faster responses in controlled environments because it runs on a dedicated port and carries DNS traffic only.
  • DoH has slightly more overhead because each query is wrapped in an HTTP request on the same transport as standard HTTPS, which may add latency, especially on high-latency networks.

In practice the speed difference is negligible for most users. For advanced use cases, such as performance-critical infrastructure, DoT may be preferred.

Integration and Usability

  • DoT is typically configured at the system or network level, making it ideal for securing all devices on a network. Supported on many modern operating systems (e.g., Android, Linux, and routers).
  • DoH is often configured at the application level. Supported in most modern browsers (Chrome, Firefox, Edge, Brave, etc.), allowing for easy adoption by individual users.

TIP

Use DoT for full-device protection or network-wide security. Use DoH for individual apps or browsers.

Privacy Considerations

Both DoT and DoH encrypt your DNS queries, but there are some differences in how privacy policies are enforced.

  • DoH traffic is indistinguishable from HTTPS, providing additional privacy in environments with potential surveillance.
  • DoT offers direct DNS encryption without mixing with other web traffic, reducing metadata exposure.
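How these two privacy properties look from the network side, as an added example that is not code from the original page: a small Python classifier run over constructed flow records shows that DoT is identifiable from port 853 alone (the filtering point made under Protocol and Port Usage), whereas a DoH flow can be attributed only when the sensor saw a TLS server name that matches a known resolver; without that it is indistinguishable from ordinary HTTPS. The resolver hostnames and addresses are placeholders, and the known-endpoint list is an assumed inventory, not any real service.

```python
"""How DoT and DoH appear to a network defender (added example, not from the
original page).  Flow records are constructed; resolver names are placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                   # "tcp" or "udp"
    dport: int
    sni: Optional[str] = None    # TLS server name, if the sensor saw the ClientHello


# Assumed inventory of approved DoH endpoints; a real deployment would fill
# this from its resolver policy.
KNOWN_DOH_HOSTS = {"dns.example.test"}


def classify(flow: Flow) -> str:
    """Label a flow by the DNS transport it most likely carries.

    DoT is recognisable from the port alone.  DoH can only be attributed when
    the TLS server name matches a known resolver; otherwise it is just HTTPS.
    """
    if flow.proto in ("udp", "tcp") and flow.dport == 53:
        return "dns-plain"
    if flow.proto == "tcp" and flow.dport == 853:
        return "dot"
    if flow.proto == "tcp" and flow.dport == 443:
        if flow.sni in KNOWN_DOH_HOSTS:
            return "doh"
        return "https"           # indistinguishable from ordinary web traffic
    return "other"


def summarize(flows) -> dict:
    """Count flows per label, an inventory of encrypted-DNS usage on the network."""
    return dict(Counter(classify(f) for f in flows))


def unencrypted_dns_clients(flows) -> set:
    """Hosts still sending plaintext DNS, i.e. candidates for a DoT/DoH rollout."""
    return {f.src for f in flows if classify(f) == "dns-plain"}


# Constructed sample flows using documentation (TEST-NET) addresses.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.53", "udp", 53),
    Flow("192.0.2.11", "198.51.100.53", "tcp", 853, sni="dns.example.test"),
    Flow("192.0.2.12", "198.51.100.53", "tcp", 443, sni="dns.example.test"),
    Flow("192.0.2.12", "203.0.113.80", "tcp", 443, sni="www.example.test"),
    Flow("192.0.2.13", "198.51.100.53", "tcp", 443),   # no SNI observed
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto:<3} {classify(f)}")
    print(summarize(SAMPLE_FLOWS))
    print("still on plaintext DNS:", unencrypted_dns_clients(SAMPLE_FLOWS))
```

The last sample flow is the important one: the same resolver address on port 443 with no server name visible is labelled plain "https", which is exactly the blending-in property the DoH bullet describes, and also why an organisation that wants to see or steer its own DNS traffic tends to standardise on DoT or on a known DoH endpoint it can inventory.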

IMPORTANT

Use a trusted DNS resolver like the UK DNS Privacy Project, which prioritizes privacy and supports both protocols.

When to Use DoT or DoH?

Scenario                               Recommended Protocol
Full-device encryption (system-wide)   DoT
Browser-only encryption                DoH
Bypassing network restrictions         DoH
Performance-critical applications      DoT
Simplified configuration               DoH

Compatibility and Adoption

For most users, DoH is easier to configure, while DoT is better for network-wide DNS encryption.

Which One Should You Choose?

The answer depends on your needs. Privacy-conscious individuals may prefer DoH for its ease of setup in browsers, whereas advanced users and network administrators may opt for DoT for full control and lower-level system integration. However, many modern systems such as AdGuard Home support simultaneous use of DoH and DoT, giving you the best of both worlds.

