The Domain Name System (DNS) is a foundational element of the internet. It translates human-readable domain names into IP addresses so users can access websites and online services. Traditionally, DNS queries are sent in plaintext, leaving them vulnerable to interception, manipulation, and surveillance. To address these concerns, two protocols have been introduced: DNS over TLS (DoT) and DNS over HTTPS (DoH). Both aim to encrypt DNS traffic and improve privacy and security, but they differ significantly in implementation and impact.
Understanding Traditional DNS Vulnerabilities
DNS queries are typically transmitted using the User Datagram Protocol (UDP) over port 53. These queries are unencrypted, meaning that any intermediary between the client and the DNS resolver—such as internet service providers (ISPs), network administrators, or malicious actors—can observe and even manipulate the traffic. This creates several risks, including:
- Monitoring user behavior and web activity
- DNS spoofing or cache poisoning
- Redirection to malicious domains
- Targeted censorship or filtering
DoT and DoH were developed to mitigate these risks by securing the DNS transport layer.
What Is DNS over TLS (DoT)?
DNS over TLS is a security protocol that encrypts DNS queries using Transport Layer Security (TLS). It establishes a secure communication channel between the DNS client (the stub resolver on the device or network) and the recursive resolver, thereby ensuring confidentiality and integrity.
DoT operates over TCP port 853. The process involves a TLS handshake between the client and the resolver, after which encrypted DNS queries are exchanged.
Key Characteristics of DoT
- Uses a dedicated port (853), making it distinguishable from other traffic
- Encrypts DNS queries and responses using standard TLS
- Generally implemented at the system or network level (e.g., on routers, operating systems)
Benefits of DoT
- Ensures that DNS queries cannot be read or modified in transit
- Provides better integration with enterprise network security policies
- Allows network-level control and monitoring of DNS traffic
Limitations of DoT
- May be blocked in environments where port 853 is restricted
- Requires TCP and TLS handshakes, introducing minimal additional latency
- Less effective at bypassing censorship compared to DoH
What Is DNS over HTTPS (DoH)?
DNS over HTTPS performs the same function as DoT, encrypting DNS traffic, but carries DNS queries and responses inside HTTPS requests and responses. This allows DNS requests to be transmitted over TCP port 443, the same port used for standard secure web traffic.
DoH uses the same HTTP/2 or HTTP/3 protocol stack as ordinary web traffic, which lets it integrate directly with web browsers and applications.
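The two sections above describe the DoT exchange (TLS handshake on port 853, then encrypted queries) and the DoH encapsulation (DNS carried inside HTTPS). The following Python is an added example, not code from the article, showing what both protocols actually carry: the same RFC 1035 wire-format message, framed with a two-byte length prefix for DoT (RFC 7858) or encoded into an HTTPS GET or POST for DoH (RFC 8484), plus a parser for the reply. It works only on constructed bytes (the sample response and the address 192.0.2.1 are made up for the example; `doh.example` and the `/dns-query` path are assumptions) and makes no network connection.

```python
import base64
import socket
import ssl
import struct

# Added example, not code from the article. Constructed bytes only; no network.

def build_query(name, qtype=1, txid=0x1234):
    """Minimal RFC 1035 query: 12-byte header (RD=1) plus one IN-class question."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def dot_frame(msg):
    """DoT (RFC 7858) reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def dot_split(stream):
    """Split a TLS byte stream into whole messages; return (messages, unconsumed tail)."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[off:off + 2])
        if off + 2 + n > len(stream):
            break                                # partial frame: wait for more bytes
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs, stream[off:]

def dot_tls_context(ca_bundle=None):
    """Strict profile (RFC 8310): verify the resolver's certificate and its name."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def doh_get_url(resolver_host, query, path="/dns-query"):
    """RFC 8484 GET: base64url (no padding) wire message in the `dns` parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}{path}?dns={b64}"

def doh_decode_get(url):
    """Inverse of doh_get_url: restore padding and decode the wire message."""
    b64 = url.split("dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))

def doh_post_headers(query):
    """RFC 8484 POST: the raw wire message is the body, typed application/dns-message."""
    return {"Content-Type": "application/dns-message",
            "Accept": "application/dns-message", "Content-Length": str(len(query))}

def _read_name(msg, off):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_response(msg):
    """Return (rcode, [(owner, ttl, ipv4)]) for A records in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                          # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                 # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:            # A record
            answers.append((owner, ttl, socket.inet_ntoa(rdata)))
    return flags & 0x000F, answers

# Constructed reply to build_query("example.com"): NOERROR, one A record for the
# documentation address 192.0.2.1, owner name compressed to a pointer (0xC00C).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
)
```

Two points the code makes concrete. First, the encryption layer is the only difference: `dot_frame(q)` goes straight into a TLS socket on 853, while `doh_get_url(host, q)` or a POST with `doh_post_headers(q)` goes into an ordinary HTTPS client on 443, which is why the latter blends in with web traffic. Second, confidentiality without authentication is weak: `dot_tls_context` keeps certificate and hostname verification on, because a client that accepts any certificate can be redirected to an attacker-controlled resolver just as plaintext DNS can. For DoH GET, build the query with `txid=0` so identical questions produce identical, cacheable URLs, as RFC 8484 recommends.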
Key Characteristics of DoH
- Uses port 443, making DNS traffic indistinguishable from regular HTTPS traffic
- Typically operates at the application level (e.g., browsers such as Firefox, Chrome)
- Enables DNS resolution even in restrictive network environments
Benefits of DoH
- Harder to block or filter due to its use of HTTPS
- Provides a high level of privacy for end-users
- Helps bypass restrictive DNS-based content filtering
Limitations of DoH
- Can override local DNS settings, reducing administrative control
- Complicates enterprise DNS filtering, monitoring, and logging
- May introduce additional processing overhead due to the HTTP layer
Comparing DoT and DoH
| Feature | DNS over TLS (DoT) | DNS over HTTPS (DoH) |
|---|---|---|
| Port | 853 | 443 |
| Transport | TLS over TCP | HTTPS over HTTP/2 or HTTP/3 |
| Visibility | Easily identifiable | Obfuscated in HTTPS traffic |
| Use Case | System or network-level | Application-level |
| Control | Supports DNS policy | Can bypass DNS policies |
| Privacy | High | Very high |
Performance Considerations
Both DoT and DoH introduce additional latency due to the overhead of establishing a secure connection. The extent of this latency depends on several factors, including resolver performance, network conditions, and implementation efficiency. DoH may add slightly more overhead because of the HTTP layer, but the difference is typically negligible for most users.
Additionally, modern implementations support session reuse, multiplexing, and optimized TLS configurations, helping reduce performance impact.
Operating System and Browser Support
Support for DoT and DoH varies across platforms:
- Android 9 and newer include native DoT support under “Private DNS” settings.
- Windows 11, macOS, and Linux distributions have begun integrating native support for DoH and DoT.
- Firefox and Chrome include built-in DoH clients with preconfigured resolvers (e.g., Cloudflare, Google) that operate independently of system settings.
This variability can lead to conflicting configurations, especially in enterprise environments where central DNS policy enforcement is important.
Security and Privacy Implications
DoT and DoH significantly improve the security of DNS by preventing eavesdropping and tampering. However, they also introduce new challenges:
- Enterprises may lose visibility into DNS traffic unless DoT/DoH is managed at the gateway level.
- Malware can leverage encrypted DNS to communicate with command-and-control servers undetected.
- Centralized DoH resolvers may become single points of surveillance if privacy policies are not transparent.
Therefore, while these protocols enhance privacy, proper configuration and resolver trust are critical.
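The visibility problem above (and the monitoring option listed under Deployment) comes down to telling sanctioned encrypted DNS apart from encrypted DNS that bypasses it. The Python below is an added example, not something from the article, that runs that check over a handful of constructed flow records: DoT is recognisable by its dedicated port, and DoH only indirectly, by the TLS server name of a known public resolver or, where a TLS-inspecting proxy logs HTTP headers, by the `application/dns-message` content type. The log format, the internal addresses, the sanctioned resolver `dns.corp.example` and the reason codes are all assumptions for this example; the public resolver names are real ones named in the article.

```python
import csv
import io
from collections import defaultdict

# Added example, not from the article. Log layout, addresses and the sanctioned
# resolver names are constructed for illustration.

# Where encrypted DNS is allowed to go: the corporate forwarder's DoT listener
# and its DoH endpoint. Anything else speaking DoT/DoH is an unmanaged resolver.
SANCTIONED_DOT = {("10.0.0.53", 853)}
SANCTIONED_DOH_SNI = {"dns.corp.example"}

# Starting list of public DoH resolver names as they appear in TLS SNI; a real
# deployment keeps this current from vendor or threat-intel feeds.
KNOWN_DOH_SNI = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}

# Constructed flow log: one record per connection, proxy-supplied content type
# present only where TLS inspection is in place.
SAMPLE_LOG = """\
ts,src,dst,dport,proto,sni,content_type
1700000001,10.0.0.15,10.0.0.53,53,udp,,
1700000002,10.0.0.15,10.0.0.53,853,tcp,dns.corp.example,
1700000003,10.0.0.22,198.51.100.7,853,tcp,dns.example-resolver.test,
1700000004,10.0.0.22,198.51.100.8,443,tcp,dns.google,
1700000005,10.0.0.30,203.0.113.5,443,tcp,www.example.com,application/dns-message
1700000006,10.0.0.30,203.0.113.6,443,tcp,www.example.com,text/html
"""

def classify(rec):
    """Return a reason string if the flow is unsanctioned encrypted DNS, else None."""
    dport = int(rec["dport"])
    sni = rec["sni"] or None
    if dport == 853 and rec["proto"] == "tcp":
        if (rec["dst"], dport) in SANCTIONED_DOT:
            return None
        return "dot_unsanctioned_port_853"          # DoT is easy: dedicated port
    if dport == 443:
        if sni in SANCTIONED_DOH_SNI:
            return None
        if sni in KNOWN_DOH_SNI:
            return "doh_known_resolver_sni"          # DoH hides in 443; SNI gives it away
        if rec["content_type"] == "application/dns-message":
            return "doh_dns_message_content_type"    # only visible behind an inspecting proxy
    return None

def find_unsanctioned(log_text):
    """Parse the CSV log and group findings by source host."""
    findings = defaultdict(list)
    for rec in csv.DictReader(io.StringIO(log_text)):
        reason = classify(rec)
        if reason:
            findings[rec["src"]].append((rec["dst"], int(rec["dport"]), reason))
    return dict(findings)

if __name__ == "__main__":
    for host, hits in find_unsanctioned(SAMPLE_LOG).items():
        for dst, port, reason in hits:
            print(f"{host} -> {dst}:{port}  {reason}")
```

On the sample log, 10.0.0.15 produces no findings because both its plaintext and DoT lookups go to the corporate forwarder, while 10.0.0.22 is flagged twice (an unmanaged DoT resolver and a public DoH resolver by SNI) and 10.0.0.30 once (DoH to an unknown host, caught only via the content type). The limits are worth stating: the SNI heuristic depends on a maintained list and disappears where Encrypted Client Hello is in use, and the content-type check needs TLS inspection. The durable control is the one the article's Deployment section points to: terminate DoT/DoH at a resolver you run, and treat any other encrypted DNS as a policy exception to investigate.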
Deployment and Implementation
Organizations looking to adopt encrypted DNS should evaluate their specific needs and infrastructure. Available options include:
- Using public DoT/DoH resolvers such
- Deploying local resolvers (e.g., Unbound, BIND) that support DoT/DoH upstream
- Configuring secure DNS at the network perimeter (e.g., firewalls, routers)
- Monitoring encrypted DNS traffic with specialized tools or SIEM integrations
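The second option in the list, a local resolver with encrypted upstreams, is where most organisations get both privacy and control. The configuration below is an added example written for this article in Unbound's `unbound.conf` syntax; it is not taken from the Unbound project's documentation. It forwards all queries to the public resolvers the article names over DoT with certificate authentication, and itself offers DoT and DoH to the internal network so clients can be pointed at it instead of at public resolvers. The address range, file paths and `dns.corp.example` are assumptions; the upstream addresses and authentication names are those published by Google and Cloudflare.

```conf
server:
    # Listeners for internal clients: plaintext, DoT and DoH on one resolver.
    interface: 0.0.0.0@53
    interface: 0.0.0.0@853
    interface: 0.0.0.0@443
    tls-port: 853
    https-port: 443
    http-endpoint: "/dns-query"
    # Certificate presented to clients (assumed paths; issue for dns.corp.example).
    tls-service-key: "/etc/unbound/tls/dns.corp.example.key"
    tls-service-pem: "/etc/unbound/tls/dns.corp.example.pem"
    # CA bundle used to verify upstream DoT resolvers' certificates (assumed path).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # Only the internal range may query; everyone else is refused.
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # Query logging keeps the visibility that client-side DoH would otherwise remove.
    log-queries: yes

forward-zone:
    name: "."
    # Weak form, for contrast (do not use): plaintext UDP/53 to the upstream.
    #   forward-addr: 8.8.8.8
    # Corrected form: TLS on 853, with "#name" so the certificate is verified
    # against tls-cert-bundle. Without the name the TLS session is unauthenticated.
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

Two practical notes. Unbound's DoH listener requires a build with HTTP/2 support (libnghttp2), so check `unbound -V` before relying on `https-port`. And this design only pays off if the perimeter policy matches it: clients should reach 853 and DoH endpoints on this resolver, while direct DoT/DoH to the Internet from workstations is blocked or alerted on, which is exactly the gap the detection logic in the previous section is meant to surface.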
Conclusion
DoT and DoH represent a major advancement in DNS privacy and security. By encrypting DNS queries, they protect user activity from surveillance and tampering. While both protocols offer strong protections, they differ in terms of visibility, control, and deployment complexity.
Organizations must weigh the trade-offs between privacy, performance, and policy enforcement when choosing to implement DoT, DoH, or a combination of both. Ultimately, adopting encrypted DNS is a necessary step toward a more secure and private internet.