What is the difference between DoH and DoT?

Both encrypt DNS queries between your client and the resolver. DoH (DNS over HTTPS, RFC 8484) tunnels the queries inside an HTTPS connection on port 443 — it looks like normal web traffic. DoT (DNS over TLS, RFC 7858) uses a dedicated port 853 with TLS. From a privacy perspective they're equivalent; from a network-policy perspective DoH is harder to identify and block, while DoT is friendlier to enterprises that want explicit visibility into DNS traffic.

Which encrypted DNS provider should I use?

Cloudflare 1.1.1.1 (fast, public, no-logs policy with annual audits), Quad9 9.9.9.9 (privacy-focused nonprofit, blocks known malicious domains by default), NextDNS (paid tier with extensive customization), or AdGuard DNS (filtering-focused). Picking is a trust decision — all of them see your queries; the question is which organization you'd rather have than your ISP.

Does my browser already use DoH?

Probably. Firefox enabled DoH by default for US users in 2020 and progressively for other regions since. Chrome uses DoH for users whose system DNS provider also offers DoH (mostly opt-in). Safari supports per-network DoH/DoT profiles installed via configuration. Check chrome://flags or about:networking in Firefox to see your current state. The 'using DoH' bit is independent of your OS-level resolver — your browser may be using DoH even when your OS is not.

Will my enterprise allow DoH?

Many block it. Corporate networks frequently inspect DNS for security policy reasons, and DoH undermines that by hiding the queries inside HTTPS. DoT is easier for enterprises to allow because they can block port 853 selectively if they need to. If your organization requires DNS visibility, configure browsers and OSes to use the corporate-approved DoH provider rather than the user's choice — Firefox and Chrome both support locked-down configurations.

DNS-over-HTTPS vs DNS-over-TLS — which to use, and why it matters

Why DNS encryption exists

Classic DNS, defined in RFC 1035 (1987), is plaintext UDP over port 53. Anyone on the network between your client and the resolver — your ISP, the coffee-shop router, the airport Wi-Fi, the state-level firewall — can read every query and every answer. They learn which websites you visit, which apps you use, and which services you depend on, all without seeing a byte of the actual application traffic.

That visibility has been quietly exploited for decades. ISPs sell DNS-query data to marketing aggregators. Some governments use unencrypted DNS to enforce censorship by returning false answers. Coffee-shop attackers can intercept and rewrite responses. Encrypted DNS — DoH or DoT — closes that hole.

DNS over HTTPS (DoH, RFC 8484)

DoH wraps DNS queries inside HTTPS requests. Each query is an HTTP POST (or GET with the query in a base64url parameter) to the resolver's /dns-queryendpoint on port 443. The response is an HTTP body containing the standard DNS wire format. The TLS layer encrypts everything.

What it looks like on the wire: indistinguishable from any other HTTPS connection to that resolver's domain. A network observer sees you talking to mozilla.cloudflare-dns.com or dns.google over TLS 1.3 on port 443 — exactly like millions of other web sessions.

Where it lives: built into Firefox (enabled by default in the US since 2020 and progressively in other regions), Chrome, Edge, and Brave. Available on every modern OS with various levels of system integration.

The 'looks like web traffic' property is the feature. A network that wants to block DoH cannot block port 443 — that breaks all of HTTPS. They have to block specific DoH provider IPs or domains, which is a moving target as new providers come online and old ones change addresses.

DNS over TLS (DoT, RFC 7858)

DoT puts DNS in a TLS stream on a dedicated port: 853. The protocol inside the TLS tunnel is the standard DNS wire format — same as classic UDP/53, just wrapped in TLS.

What it looks like on the wire: TLS to a known DoT provider IP on port 853. Identifiable as DNS traffic specifically, not "any HTTPS connection." Network operators can apply DNS-specific policies (allow, block, log) at the port level.

Where it lives: Android (default since version 9 / Pie), systemd-resolved on Linux, all major commercial routers, BIND, Unbound, dnsmasq. Less commonly used in browsers directly because Android handles it at the OS level.

The "explicit identification" property is also the feature — but from a different angle. Enterprises that want to enforce DNS policy can permit DoT to a corporate resolver and block other DoT IPs at the firewall. With DoH that policy is much harder to enforce because the traffic looks like normal HTTPS.

The choice in one paragraph

For end users: pick DoH if you want resilience against blocking and indistinguishable traffic; pick DoT if your operating system supports it natively and you don't have a specific reason to prefer DoH. Either is dramatically better than plaintext DNS. For network operators: DoT lets you enforce policy at the port level; DoH lets you push the policy decision to the application layer. Both have legitimate deployments.

The trade-offs in detail

Privacy from the local network

DoH and DoT both completely hide the DNS query content from anyone between your client and the resolver. Identical privacy guarantees against this threat.

Privacy from the network operator's policy

DoH is harder to block. DoT is easier to allow selectively. In a coffee shop or a censorious country, DoH bypasses more interference. In a corporate network with legitimate DNS-policy needs, DoT is friendlier.

Privacy from the resolver itself

Neither protocol changes this. The resolver you pick (Cloudflare, Google, Quad9, NextDNS, your own) sees every query you make. You are trusting them with whatever your ISP used to see. Resolver choice matters more than DoH vs DoT — they're equivalent against on-path observers but their privacy posture against the resolver itself depends on the provider's logging and data-sharing policies.

Performance

DoH adds modest overhead — TLS handshake (often amortized via 0-RTT resumption on repeat connections), HTTP headers per request. Modern implementations are within a few milliseconds of plaintext UDP for individual queries. DoT is slightly faster than DoH because it skips the HTTP layer. Both are dominated by the round-trip time to the resolver, which makes geography matter more than protocol choice. Cloudflare's anycast network typically puts the resolver within ~10 ms of you anywhere on Earth.

Censorship resistance

DoH wins. A state-level firewall that wants to block "DoH" has to block specific provider IPs and domains, and new providers can come online faster than blocklists update. DoT to port 853 is trivially blocked by a single firewall rule. Real-world deployments in censored regions favor DoH for this reason.

Enterprise visibility

DoT wins from the operator perspective. A company with a security policy that requires DNS visibility can run their own DoT resolver, mandate it via system configuration, and block port 853 to other destinations at the firewall. DoH undermines this entirely — if a user can reach any HTTPS site, they can probably run DoH to a public resolver.

Operating-system integration

DoT has better OS support today — Android handles it transparently since 2018, systemd-resolved supports it, Windows DNS Client supports it (Windows 11). DoH is better in browsers and is gradually being added to OS-level resolvers (macOS Big Sur added DoH/DoT profiles in 2020; Windows 11 added DoH in 2021).

How to configure each

Browser-level DoH

Firefox: Settings → Privacy & Security → DNS over HTTPS → "Max Protection." Choose Cloudflare, NextDNS, or Custom.
Chrome / Edge / Brave: Settings → Privacy & Security → Security → "Use secure DNS." Pick provider from the dropdown or enter a custom URL.
Safari: macOS-level profile (Network → DNS) rather than in-app.

OS-level DoT or DoH

Android (9+): Settings → Network & Internet → Private DNS → Provider hostname (e.g. 1dot1dot1dot1.cloudflare-dns.com for Cloudflare DoT).
iOS / macOS: Install a Configuration Profile from the provider's website. Cloudflare, Quad9, and NextDNS all publish .mobileconfig files.
Linux (systemd-resolved): Edit /etc/systemd/resolved.conf, set DNS=1.1.1.1, DNSOverTLS=yes, restart the service.
Windows 11: Settings → Network & Internet → Properties on the active adapter → Edit DNS server assignment → enable Encrypted-only.
Router-level: Configure your router's DNS to a DoH/DoT-capable local proxy (Pi-hole + Unbound, AdGuard Home, NextDNS router profile). Every device on the LAN benefits automatically.

Which resolver to pick

Cloudflare 1.1.1.1 / 1.0.0.1 — fastest in most regions thanks to anycast; published no-logs policy with annual KPMG audits; supports DoH, DoT, and DNS-over-QUIC.
Google 8.8.8.8 / 8.8.4.4 — very reliable, very fast, but Google sees the queries (which most privacy-focused users would rather not).
Quad9 9.9.9.9 — Swiss-based nonprofit. Blocks queries to known malware/phishing domains by default. Trade-off is occasional false positives on legitimate sites.
NextDNS — paid (small fee per month), configurable filter lists, per-device routing, query logs for the user only. The choice for power users who want fine control.
AdGuard DNS — free public service that blocks ads and trackers at the DNS level. Significant breakage on sites that load via tracker domains.
Your own. Pi-hole + Unbound recursing to the root servers gives you encrypted-DNS-equivalent privacy (no third party sees your queries) at the cost of running it yourself.

Common pitfalls

Captive portals. Coffee-shop Wi-Fi often redirects HTTP traffic to a sign-in page until you accept terms. With DoH, the captive-portal detection in your browser may fail because the DoH query can't resolve their portal domain. Most modern browsers handle this; some embedded devices don't.
Internal corporate hostnames. Your company's internal finance.corp.example only resolves via the corporate DNS. If your browser uses public DoH, internal lookups fail. The fix is split DNS — use corporate DNS for the internal zone, public DoH for everything else.
"DNS is working but DoH isn't" failures. Hard to diagnose because the fallback to OS resolver is often silent. Verify with the DNS leak test.

DoH vs DoT — DNS encryption, two flavors