Traditional DNS is completely unencrypted. Every hostname your device resolves (each website you visit, each app you open, each service you contact) is visible in plaintext to anyone on the network path: your ISP, your Wi-Fi provider, anyone on the same public hotspot. It has been this way since DNS was standardized in the 1980s.
Encrypted DNS changes that. Two protocols have emerged as the dominant solutions: DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). A third, newer protocol, DNS-over-QUIC (DoQ), is also gaining traction. All three encrypt your DNS queries so that nobody on the path between you and the resolver can read or tamper with them. Be clear about what they do not hide: the resolver you choose still sees every query, and the IP addresses you subsequently connect to remain visible to the network.
But they work differently, and the right choice depends on what you care about most.
DoH wraps DNS queries inside standard HTTPS traffic on port 443, the same port used by every website. From a network perspective, a DoH connection looks like any other HTTPS connection, so an ISP or network administrator watching port 53 sees nothing. What remains visible is the resolver's IP address and, unless Encrypted Client Hello is in use, the TLS server name, which is enough to recognise and block well-known public DoH endpoints by address; the content of the queries stays hidden.
This is both its greatest strength and most debated feature. DoH makes DNS censorship and surveillance extremely difficult because there is no separate DNS traffic to identify and block. It also means that corporate firewalls and parental controls that rely on monitoring DNS traffic on port 53 cannot see DoH queries.
DoH has built-in settings in Chrome, Firefox and Edge; Safari has no setting of its own but uses the system resolver, and iOS 14+ and macOS 11+ support encrypted DNS system-wide through configuration profiles or apps. Windows 11 and Android 13+ also support it natively.
DoT encrypts DNS queries using TLS (the same encryption used by HTTPS) but sends them on a dedicated port: 853. The encryption is equally strong — your DNS queries are just as private as with DoH. The difference is visibility.
Because DoT uses its own port, network administrators can identify encrypted DNS traffic and manage it separately from web traffic: allow it, block it, or block it and steer clients to an approved resolver through device policy. They still cannot read the queries; they only see that a client is speaking DNS over TLS and to which server. This makes DoT the usual choice in enterprise environments where the network team needs visibility into DNS usage.
DoT is supported natively in Android 9+ (as "Private DNS"), Linux (systemd-resolved), iOS 14+/macOS 11+, and some router firmware. Both Android and systemd-resolved offer a strict mode (Android when a resolver hostname is set, systemd-resolved with DNSOverTLS=yes) that refuses to fall back to plaintext; their opportunistic modes silently downgrade to unencrypted DNS when port 853 is blocked, which defeats the purpose of enabling DoT at all.
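The visibility difference described above is easiest to see as detection logic. The following is an added example (not UnveilDNS code) that classifies network flow records by the DNS transport they appear to carry: DoT and DoQ are recognised purely by port 853, while DoH is only recognised when the resolver's address or TLS server name is on a watchlist. The flow records and the resolver watchlist are constructed for the example; a real deployment would maintain its own list.

```python
"""Added example, not UnveilDNS code: classify flows by likely DNS transport."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed watchlist for illustration only; real deployments maintain their own.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
KNOWN_DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

ENCRYPTED_DNS_LABELS = {"dot", "doq", "doh-known-resolver"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    dport: int
    sni: Optional[str] = None  # TLS server name; None if absent or hidden by ECH


def classify(flow: Flow) -> str:
    """Label the DNS transport a flow appears to carry, if any."""
    if flow.dport == 53:
        return "plaintext-dns"
    if flow.dport == 853 and flow.proto == "tcp":
        return "dot"               # dedicated port: visible without any watchlist
    if flow.dport == 853 and flow.proto == "udp":
        return "doq"               # likewise, RFC 9250 uses UDP 853
    if flow.dport == 443:
        if flow.sni in KNOWN_DOH_HOSTS or flow.dst in KNOWN_DOH_IPS:
            return "doh-known-resolver"
        # Could be ordinary browsing or DoH to an unlisted resolver; we cannot tell.
        return "https"
    return "other"


def summarize(flows: Iterable[Flow]) -> Dict[str, int]:
    """Count flows per label, e.g. for a dashboard of DNS transports in use."""
    counts: Dict[str, int] = {}
    for flow in flows:
        label = classify(flow)
        counts[label] = counts.get(label, 0) + 1
    return counts


def unexpected_encrypted_dns(flows: Iterable[Flow], allowed_resolvers: set) -> List[Flow]:
    """Encrypted DNS flows that bypass the resolvers the network team has approved.

    DoH to an unlisted resolver never appears here: it is indistinguishable
    from HTTPS, which is exactly the DoH property the text describes.
    """
    return [
        f for f in flows
        if classify(f) in ENCRYPTED_DNS_LABELS and f.dst not in allowed_resolvers
    ]


# Constructed sample flows (RFC 5737 and private addresses).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.2", "tcp", 853, "dns.corp.example"),   # DoT to the corporate resolver
    Flow("10.0.0.5", "9.9.9.9", "tcp", 853, "dns.quad9.net"),       # DoT to a public resolver
    Flow("10.0.0.7", "1.1.1.1", "udp", 853),                        # DoQ, no SNI recorded
    Flow("10.0.0.7", "8.8.8.8", "tcp", 443, "dns.google"),          # DoH, recognised by SNI/IP
    Flow("10.0.0.9", "203.0.113.10", "tcp", 443),                   # HTTPS; might be DoH, unknowable
    Flow("10.0.0.9", "10.0.0.2", "udp", 53),                        # plaintext DNS
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    for f in unexpected_encrypted_dns(SAMPLE_FLOWS, {"10.0.0.2"}):
        print("unapproved encrypted DNS:", f)
```

Run against the sample flows, the summary shows two DoT flows, one DoQ flow and one DoH flow to a listed resolver, while the HTTPS flow to 203.0.113.10 is counted as ordinary web traffic whether or not it carries DNS. That gap is why networks that need DNS visibility prefer DoT, and why DoH blocking in practice means maintaining a resolver blocklist rather than a port rule.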
DoQ (RFC 9250) is the newest encrypted DNS protocol, built on the QUIC transport (the same protocol powering HTTP/3). It runs on UDP port 853 and offers two significant advantages. First, faster connection setup: QUIC integrates the TLS 1.3 handshake, so a new connection costs a single round trip instead of the separate TCP and TLS handshakes, and a resumed connection can send queries as 0-RTT data. Second, better behaviour on unreliable networks: each query travels on its own QUIC stream, so a lost packet delays only that query rather than every query sharing the connection (no head-of-line blocking).
In practical terms, DoQ can resolve DNS queries faster than DoH or DoT, especially on mobile connections where packet loss is common. It is still in the early adoption phase, but client support is growing.
| Feature | DoH | DoT | DoQ |
|---|---|---|---|
| Port | 443 (TCP) | 853 (TCP) | 853 (UDP) |
| Transport | HTTPS (HTTP/2, HTTP/3) | TLS over TCP | QUIC (UDP) |
| Encryption | TLS 1.2+ ✓ | TLS 1.2+ ✓ | TLS 1.3 ✓ |
| Blends with web traffic | ✓ Yes (resolver IP/SNI still visible) | ✗ No (dedicated port) | ✗ No (dedicated port) |
| Blockable by firewalls | Harder (must block known resolver IPs/SNI) | Easy (block TCP 853) | Easy (block UDP 853) |
| Connection speed | Moderate (TCP + TLS) | Moderate (TCP + TLS) | Fast (1-RTT setup, 0-RTT resumption) |
| Browser support | ✓ Chrome, Firefox, Edge (Safari via OS setting) | ✗ Not in browsers | ✗ Not in browsers |
| Android native | ✓ Android 13+ | ✓ Android 9+ (Private DNS) | ✗ Not yet |
| Router support | Some (OpenWrt, Merlin) | Some (FortiGate, MikroTik) | Rare |
Choose DoH when privacy from network observers is your primary concern. Because DoH traffic blends in with normal HTTPS browsing, it is the best choice when:
Choose DoT when you want encrypted DNS but also need network-level management. DoT is the better fit when:
Choose DoQ when speed matters most. DoQ is ideal when:
A common misconception is that encrypted DNS bypasses filtering. That depends on who is doing the filtering. If the filtering happens at the DNS resolver level (as with UnveilDNS), it works with all three protocols. Your queries are encrypted in transit, but the DNS server you chose still applies your filtering rules — blocking ads, malware, tracking, and unwanted services.
Encrypted DNS and DNS filtering are complementary: encryption protects your privacy from third parties, while filtering protects you from malicious and unwanted content.
UnveilDNS supports DoH, DoT, and DoQ — all with customizable ad blocking, malware protection, and parental controls.
All three encrypted DNS protocols protect your queries from on-path observers equally well. The difference is in how they interact with the network around them. DoH hides in plain sight, making it ideal for privacy-focused individuals. DoT is transparent and manageable, making it ideal for structured environments. DoQ is the fastest, making it ideal for performance-sensitive setups.
The most important step is to use any encrypted DNS protocol. Unencrypted DNS in 2026 is a privacy liability that no one should accept.