Regular DNS queries are sent in plain text. Anyone on the network path between you and the resolver - your ISP, your coffee shop's WiFi, whoever - can see exactly which domains you're looking up. That's not great for privacy.
Two protocols fix this: DNS over HTTPS (DoH) and DNS over TLS (DoT). Both encrypt your queries. But they work differently and the choice between them isn't just technical - it's political.
What DoT does
DNS over TLS wraps regular DNS queries in a TLS tunnel on port 853. It's straightforward: same DNS protocol, just encrypted.
Your device --[TLS encrypted, port 853]--> DNS resolver
Your ISP can see you're connecting to a DNS server on port 853 (so they know you're using DoT), but they can't see what you're looking up.
Pros
- Clean separation - DNS stays on its own dedicated port
- Network admins can see that DNS traffic exists (useful for monitoring and policy)
- Slightly lower overhead than DoH in some implementations
- Easier to implement in DNS-specific software
Cons
- Easy to block - a network admin just blocks port 853 and DoT stops working
- Not supported in most web browsers natively
- Requires OS-level or resolver-level configuration
What DoH does
DNS over HTTPS sends DNS queries inside regular HTTPS traffic on port 443. From the outside, it looks identical to normal web browsing.
Your device --[HTTPS, port 443]--> DNS resolver (looks like any web traffic)
Your ISP can't tell DNS queries apart from you browsing a website. That's the whole point.
Pros
- Hard to block selectively: an admin has to block the resolver's IP addresses or hostnames one by one (or answer the use-application-dns.net canary domain with NXDOMAIN, which only switches off Firefox's default-on DoH), because blocking the protocol itself means blocking port 443
- Supported in Firefox, Chrome, Edge, and most modern browsers
- Works through corporate firewalls that allow HTTPS
- Harder for ISPs to detect and interfere with
Cons
- Mixes DNS with web traffic, which complicates network monitoring
- Corporate/school network admins lose visibility into DNS queries
- Adds HTTP overhead to every DNS lookup
- Browsers may bypass the system DNS resolver entirely, which can break split-horizon DNS setups
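The two sections above describe the same DNS message in two different wrappers. The following is an added example, not code from the original post: it builds a wire-format query, shows the DoT framing (a 2-byte length prefix, then TLS on port 853) and the DoH form (the same bytes base64url-encoded into an HTTPS GET on port 443), and parses a response. The resolver endpoints are public Quad9/Cloudflare ones chosen for illustration; the sample response is constructed, so the encoding and parsing run offline, while the two send functions need network access.

```python
import base64
import socket
import ssl
import struct
import urllib.request

# Added example (not from the original post). Same DNS message, two carriers:
# DoT = DNS-over-TCP framing inside TLS on 853; DoH = same bytes in an HTTPS
# request on 443. Resolver names are public endpoints; swap in your own.

A, AAAA = 1, 28


def build_query(name, qtype=A, txid=0x1234):
    """RFC 1035 query: header (RD=1, one question) + QNAME + QTYPE + QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def dot_frame(msg):
    """RFC 7858: DoT reuses DNS-over-TCP framing, a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg, endpoint="https://dns.quad9.net/dns-query"):
    """RFC 8484 GET form: base64url(message) with '=' padding stripped, in ?dns=."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def _skip_name(buf, off):
    """Advance past a (possibly compressed) name; a 0xC0 pointer is two bytes."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_answers(resp):
    """Return (rcode, [A/AAAA addresses]) from a wire-format response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == A and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == AAAA and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return flags & 0x000F, addrs


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        data += chunk
    return data


def send_dot(msg, host="dns.quad9.net", port=853):
    """One query over DoT; returns the raw response (needs network access)."""
    ctx = ssl.create_default_context()       # validates the resolver's certificate
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(dot_frame(msg))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


def send_doh(msg, endpoint="https://dns.quad9.net/dns-query"):
    """The same query over DoH (GET form); returns the raw response (needs network access)."""
    req = urllib.request.Request(doh_get_url(msg, endpoint),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as r:
        return r.read()


# Constructed sample response (not a real capture): NOERROR, one A record for
# example.com pointing at 192.0.2.1 (TEST-NET-1), owner name compressed to 0xC00C.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("DoT bytes inside TLS:", dot_frame(q).hex())
    print("DoH GET URL:", doh_get_url(q))
    print("Parsed sample response:", parse_answers(SAMPLE_RESPONSE))
    # With network access both paths return the same kind of message:
    # print(parse_answers(send_dot(q)))
    # print(parse_answers(send_doh(q)))
```

The point to notice is that nothing DNS-specific changes between the two: DoT is the TCP framing your resolver already speaks, just inside TLS on a port of its own, and DoH is the identical message riding in an HTTP request, which is why it is indistinguishable from web traffic at the port level.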
The political angle
This is where it gets interesting. DoH and DoT aren't just technical choices - they represent different philosophies about who should control DNS.
I learned this the hard way on a job in Salthill. DoT says: "DNS should be encrypted, but network administrators should still be able to see that DNS is happening and apply policy to it."
DoH says: "DNS should be encrypted AND invisible. Nobody between you and the resolver should be able to interfere, including your network admin."
ISPs generally dislike DoH because it takes away their ability to monitor, filter, or monetise DNS queries. Network admins in enterprises dislike it because it bypasses their security policies. Privacy advocates love it because it makes DNS surveillance much harder.
Neither position is wrong. It depends on your context.
When to use which
Use DoT when:
- You control the full network (your homelab, your business)
- You run Pi-hole, AdGuard Home, or Unbound as a local resolver
- You want encrypted DNS but also want your network admin to be able to monitor DNS traffic patterns
- You're configuring DNS at the OS or router level
Use DoH when:
- You're on someone else's network (hotel WiFi, coffee shop, airport)
- Your ISP is known to hijack or snoop on DNS queries
- You want maximum privacy and minimum interference
- You're fine with browser-level DNS configuration
Use both when:
- You run a local resolver (Pi-hole/Unbound) with DoT upstream, and also enable DoH in browsers as a fallback - bear in mind that while a browser is using DoH, its queries go straight to the DoH provider and skip the local resolver and its filtering
- This is actually what I set up for most clients. Belt and braces.
How to set them up
DoH in Firefox
- Settings > Privacy & Security > scroll to DNS over HTTPS
- Select "Max Protection" (DoH only, no fallback to the system resolver) or "Increased Protection" (DoH first, system resolver if that fails)
- Choose a provider (Cloudflare, NextDNS, or custom)
DoH in Chrome
- Settings > Privacy and security > Security
- "Use secure DNS" > select a provider
DoT on Android
- Settings > Network > Private DNS
- Enter a hostname such as dns.quad9.net or one.one.one.one (Private DNS takes a hostname rather than an IP because it uses it to validate the resolver's TLS certificate)
DoT with systemd-resolved (Linux)
# /etc/systemd/resolved.conf
[Resolve]
# IP#hostname - the hostname is what the resolver's TLS certificate is checked against
DNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net
# "yes" is strict mode: fail rather than fall back to plaintext port 53
DNSOverTLS=yes
Restart with systemctl restart systemd-resolved, then check that resolvectl status lists +DNSOverTLS under Protocols. Per-link DNS settings pushed by NetworkManager or systemd-networkd can override this global file, so check the link entries too.
DoT with Pi-hole + Unbound
This is the setup I use in my own homelab and recommend to clients. Pi-hole handles ad blocking and hands queries to Unbound. Unbound either resolves recursively from the root servers itself (no upstream to trust, but its queries to the root and TLD servers travel in plaintext on port 53) or forwards over DoT to a trusted upstream (a forward-zone with forward-tls-upstream: yes). You get filtering, privacy, and full control.
How to test if it's working
After setting up encrypted DNS, verify it's actually encrypting:
- Cloudflare test: Visit 1.1.1.1/help - it tells you if you're using DoH/DoT, but only when Cloudflare is the resolver your queries actually reach; with another upstream it just reports that you're not using Cloudflare
- DNS leak test: Use a DNS privacy checker to see if your queries are encrypted and whether they're leaking through other paths
- Wireshark: If you want to be thorough, capture traffic and confirm there's no plaintext DNS on port 53 leaving your network (port 53 between your devices and your own Pi-hole on the LAN is expected; the hop from the resolver outward is the one that must be encrypted)
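As an added example (not from the original post), here is the capture check above turned into a script, and it doubles as a demonstration of what a network admin actually sees: DoT stands out by its dedicated port, DoH only by matching the TLS SNI or destination address against a list of known resolvers. The flow records are constructed, not a real capture, and the resolver lists are assumed for illustration; a real deployment would keep a maintained list. Plaintext port 53 to a LAN resolver you run is treated as expected, plaintext 53 to anything else is reported as a leak.

```python
import csv
import io
from collections import Counter

# Added example (not from the original post): classify connection records so
# you can see what an admin sees and where plaintext DNS escapes. DoT shows up
# by port; DoH only if the SNI or destination matches a known resolver (with
# Encrypted Client Hello or an unlisted endpoint it looks like any HTTPS).

# Assumed lists for this example; keep a maintained one in a real deployment.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.quad9.net", "dns.google", "dns.nextdns.io"}
KNOWN_DOH_IPS = {"1.1.1.1", "1.0.0.1", "9.9.9.9", "8.8.8.8", "8.8.4.4"}

FIELDS = ["time", "src", "dst", "proto", "dport", "sni"]

# Constructed flow records (not a real capture): time,src,dst,proto,dport,sni
SAMPLE_FLOWS = """\
10:00:01,192.168.1.20,1.1.1.1,tcp,853,cloudflare-dns.com
10:00:02,192.168.1.20,9.9.9.9,tcp,443,dns.quad9.net
10:00:03,192.168.1.20,203.0.113.7,tcp,443,example.com
10:00:04,192.168.1.30,192.168.1.1,udp,53,
10:00:05,192.168.1.30,8.8.8.8,udp,53,
10:00:06,192.168.1.40,8.8.8.8,tcp,443,
"""


def classify(row, local_resolvers):
    """Label one flow. Plaintext 53 to a LAN resolver you run is expected;
    plaintext 53 to anything else has slipped past your encrypted setup."""
    dst, dport, sni = row["dst"], int(row["dport"]), row["sni"]
    if dport == 53:
        return "plain-local" if dst in local_resolvers else "plain-leak"
    if dport == 853:
        return "dot"                      # admin can see encrypted DNS is happening
    if dport == 443 and (sni in KNOWN_DOH_HOSTS or dst in KNOWN_DOH_IPS):
        return "doh"                      # identifiable only by SNI/IP, not by port
    return "other"


def audit(flow_csv, local_resolvers=frozenset()):
    """Return (Counter of classes, list of (time, src, dst) plaintext leaks)."""
    counts, leaks = Counter(), []
    for row in csv.DictReader(io.StringIO(flow_csv), fieldnames=FIELDS):
        kind = classify(row, local_resolvers)
        counts[kind] += 1
        if kind == "plain-leak":
            leaks.append((row["time"], row["src"], row["dst"]))
    return counts, leaks


if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_FLOWS, local_resolvers={"192.168.1.1"})
    for kind, n in sorted(counts.items()):
        print(f"{kind:12s} {n}")
    for when, src, dst in leaks:
        print(f"LEAK {when} {src} -> {dst}:53 in the clear")
```

To use it on real data, export flows from Wireshark or tshark with the same six columns and pass the text to audit() along with the addresses of the resolvers you run. The line that matches 8.8.8.8 on 443 with no SNI is the interesting one: it is flagged only because the address is on the list, which is exactly why an admin who wants to find DoH has to maintain such a list rather than watch a port.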
Performance considerations
Both DoH and DoT add a small amount of latency to the first query (TLS handshake). After that, the connection stays open and subsequent queries are about the same speed as plain DNS.
In practice, the difference is negligible for normal browsing. If you're running a high-throughput DNS resolver handling thousands of queries per second, DoT has marginally less overhead because it doesn't have the HTTP layer.
From what I've seen, for home users and small businesses? You won't notice the difference. Pick based on your privacy and control needs, not performance.
My recommendation
For most people: turn on DoH in your browser. It takes 30 seconds, it's free, and it stops your ISP from logging your DNS lookups. They can still see the IP addresses you connect to and, unless the site supports Encrypted Client Hello, the server name in the TLS handshake, so it's narrower than invisibility, but it closes the easiest logging path. Cloudflare or Quad9 are both solid choices.
For anyone running their own network: set up DoT at the resolver level (Pi-hole, Unbound, or your router if it supports it). This gives you encrypted upstream queries while keeping full visibility and control over your own network's DNS.
And if you want to check whether your setup is actually private, run it through a DNS privacy check. No point configuring encrypted DNS if something else is leaking your queries out the side door.