Originally published on the Copahost Blog. Cross-posted here for the Dev.to community.
You already know that DNS translates domain names into IP addresses — the internet's phone book, as the classic analogy goes.
But here is something most website owners don't know: every DNS query your visitors make is sent in plain text by default. That means your ISP, network administrators, and anyone monitoring the connection can see exactly which domains are being resolved — even when the page content itself is protected by HTTPS. This is the problem that encrypted DNS was designed to solve.
In practice, there are four protocols that replace unencrypted DNS: DNS over HTTPS (DoH), DNS over TLS (DoT), DNS over QUIC (DoQ), and DNS over HTTPS/3 (DoH3). Each one encrypts your DNS queries using a different transport layer, with different tradeoffs in performance, privacy, and compatibility. If you have ever searched for DoH vs DoT and found conflicting answers, this article explains why — and gives you real benchmark data from over 3,000 resolvers to help you decide which encrypted DNS protocol is right for your website.
Why Unencrypted DNS Is Still a Problem in 2026
When a visitor types your domain name into their browser, their device sends a DNS query before any connection to your server is established. That query travels over the network in plain text on port 53 — visible to:
- The visitor's ISP
- Anyone monitoring the local network (coffee shop Wi-Fi, corporate proxies)
- Government-level surveillance infrastructure
- Attackers conducting DNS hijacking
This happens regardless of whether your site uses HTTPS. The HTTPS encryption protects the content of the page. The DNS query that happens before the connection is made is a completely separate, unprotected step.
DNS hijacking exploits this gap: an attacker intercepts the plain-text DNS query and returns a false IP address, redirecting the visitor to a malicious site that looks identical to yours. For websites in sensitive sectors — banking, healthcare, e-commerce — this is a real attack vector with documented incidents.
The encrypted DNS protocols solve this by wrapping the DNS query in a secure transport layer. The question is which one to use, and for what purpose.
The Five DNS Protocols You Need to Know
Do53 — Classic DNS (Unencrypted)
- Port: 53 (UDP and TCP)
- Encryption: None
- Status: Still dominant, but declining for privacy-sensitive use cases
The original DNS protocol, defined in RFC 1035 in 1983. Fast, simple, universally supported. The problem is that it was designed in an era when the internet was a small academic network — privacy was not a design concern. Every query is sent in plain text.
For server-to-server communication in controlled environments (internal networks, data centers), Do53 is still reasonable. For client-facing DNS — the queries your visitors make from their browsers — it should be replaced by one of the encrypted alternatives.
DoT — DNS over TLS
- Port: 853
- Transport: TCP + TLS 1.3
- RFC: 7858 (2016)
- Encryption: Yes
- Status: Widely deployed, supported by most major resolvers
DoT wraps DNS queries in TLS — the same encryption layer used by HTTPS. It runs on a dedicated port (853), which makes it easy for network administrators to identify, filter, or block encrypted DNS traffic.
The advantage is simplicity: it is essentially the same encryption model that secures web traffic, applied to DNS. The disadvantage is that the dedicated port makes it easy to detect and block — which is why it has seen limited browser adoption but strong adoption in enterprise and mobile operating systems.
Android 9+ and iOS 14+ support DoT natively as "Private DNS." If a visitor is using a modern mobile device, there is a reasonable chance their DNS queries are already using DoT — regardless of what your server does.
Performance consideration: DoT requires a TCP three-way handshake plus a TLS handshake before the first query — adding approximately 2 round-trip times of latency compared to Do53.
DoH — DNS over HTTPS
- Port: 443
- Transport: HTTPS (HTTP/2 or HTTP/3)
- RFC: 8484 (2018)
- Encryption: Yes
- Status: Default in Firefox and Chrome; widely adopted
DoH tunnels DNS queries inside standard HTTPS traffic on port 443 — the same port used for all web traffic. This makes it indistinguishable from regular browsing traffic, which means it cannot be selectively blocked without blocking all HTTPS.
This is both its greatest strength and the source of its most significant controversy. Enterprise network administrators who need to monitor and filter DNS traffic cannot do so when DNS is hidden inside HTTPS. This has led to ongoing tension between browser vendors (who favor DoH) and enterprise security teams (who prefer DoT or local resolvers).
Firefox enabled DoH by default in 2020. Chrome followed with a flexible approach — using DoH if the user's existing DNS resolver supports it.
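To make the plain-text point from the opening sections concrete, and to show what DoH actually changes on the wire, here is an added Python example (not code from the original article). It builds a classic Do53 query in RFC 1035 wire format, pulls the queried name back out the way any on-path observer of port 53 could, and then wraps the identical bytes into the RFC 8484 DoH forms: a GET URL with the base64url-encoded `dns` parameter, and a POST body with the `application/dns-message` content type. The resolver template `https://1.1.1.1/dns-query` is Cloudflare's endpoint as listed later in the article; the query names are constructed sample input.

```python
import base64
import struct


def build_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a DNS query message (RFC 1035 wire format).

    txid defaults to 0 because RFC 8484 section 4.1 says DoH clients SHOULD
    use a DNS ID of 0 so that identical queries are cache-friendly.
    """
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME is a sequence of length-prefixed labels ending in a zero byte;
    # the labels are stored as raw ASCII, which is why Do53 leaks the name.
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def parse_qname(packet: bytes) -> str:
    """Read the queried name out of a DNS message, as a passive observer would."""
    offset = 12  # skip the fixed 12-byte header
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


def doh_get_url(packet: bytes, template: str = "https://1.1.1.1/dns-query") -> str:
    """RFC 8484 GET form: base64url without padding in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{template}?dns={encoded}"


def doh_post_request(packet: bytes):
    """RFC 8484 POST form: the raw wire-format message is the HTTP body."""
    headers = {
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
    }
    return headers, packet


if __name__ == "__main__":
    query = build_query("copahost.com")
    # On port 53 the name is right there in the UDP payload.
    print("plain-text bytes :", query)
    print("observer reads   :", parse_qname(query))
    # Inside HTTPS the same bytes are just another request on port 443.
    print("DoH GET          :", doh_get_url(query))
    hdrs, body = doh_post_request(query)
    print("DoH POST         :", hdrs, len(body), "bytes")
```

The GET form for `www.example.com` reproduces the example URL given in RFC 8484 itself, which is a quick sanity check that the encoding is right. Note that the payload is identical in both cases; the privacy gain of DoH comes entirely from the TLS layer around it, not from any change to the DNS message.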
DoQ — DNS over QUIC
- Port: 853
- Transport: QUIC (UDP)
- RFC: 9250 (2022)
- Encryption: Yes (TLS 1.3 integrated into QUIC)
- Status: Emerging — growing resolver support, limited browser adoption
DoQ is the newest major encrypted DNS protocol. It uses QUIC as its transport — the same protocol that powers HTTP/3 — instead of TCP. The transport and TLS handshakes are combined into a single 1-RTT operation (compared to 2 RTTs for DoT and DoH over TCP).
The performance numbers are significant:
- DoQ outperforms DoT and DoH by approximately 33% in single query response time with Session Resumption enabled
- Page load times with DoQ are 10% faster compared to DoH
- Compared to plain UDP DNS, DoQ performs only 2% slower, even with full encryption overhead
Current adoption: Quad9, NextDNS, and AdGuard DNS all support DoQ. Cloudflare and Google do not yet offer production DoQ resolvers.
DoH3 — DNS over HTTPS/3
- Port: 443
- Transport: HTTP/3 (QUIC)
- Status: Emerging, backed by major browser vendors
DoH3 is DoH running over HTTP/3 instead of HTTP/2. Since HTTP/3 itself runs on QUIC, DoH3 gets the same connection performance benefits as DoQ — 1-RTT handshake, connection migration, no head-of-line blocking — while maintaining the censorship-resistance advantage of running on port 443.
Research across more than 3,000 DoE (DNS over Encryption, the umbrella term for DoT, DoH, DoQ and DoH3) resolvers demonstrates that DoQ and DoH3 perform comparably, with DoQ slightly outperforming on average.
Performance Comparison: What the Research Says
The most comprehensive independent benchmark (PAM 2026, Springer, March 2026) analyzed more than 3,000 resolvers across multiple continents:
| Protocol | Handshake RTTs | Latency vs Do53 | Page Load vs DoH | Connection Migration |
|---|---|---|---|---|
| Do53 (UDP) | 0 | Baseline | — | No |
| DoT | 2 | +15–25% | Slightly slower | No |
| DoH (HTTP/2) | 2 | +15–25% | Baseline | No |
| DoQ | 1 | +2% | 10% faster | Yes |
| DoH3 | 1 | +2–3% | Comparable to DoQ | Yes |
Key takeaway: DoQ and DoH3 have essentially closed the performance gap with unencrypted DNS. A 2% latency penalty for full encryption is negligible in the context of real-world page load times.
What This Means for Web Hosting and Website Performance
DNS resolution happens before any connection to your server — it is part of your Time to First Byte (TTFB) from the visitor's perspective:
DNS protocol → handshake latency → DNS lookup time → TTFB → LCP/FCP → Core Web Vitals score
Practical recommendations for website owners:
- Point your domain at nameservers with global anycast infrastructure — Cloudflare, AWS Route 53, or your hosting provider's DNS
- Configure reasonable TTLs (3600s for stable records; 300s when planning changes)
- Enable DNSSEC on your domain to prevent DNS spoofing at the authoritative level
How to Test Your DNS Encryption
Check which protocol your browser is using
In Chrome: chrome://settings/security → "Use secure DNS"
In Firefox: about:config → network.trr.mode
- 0 = off
- 2 = DoH with fallback
- 3 = DoH only
Test your DNS leak
Visit dnsleaktest.com and run the extended test. If results show your ISP's resolver, your DNS is not fully encrypted.
Benchmark DNS protocols yourself
```bash
# Install dnsdiag
pip install dnsdiag

# Compare protocols for the same query
dnsping -s 1.1.1.1 -c 10 copahost.com                     # Do53
dnsping -s https://1.1.1.1/dns-query -c 10 copahost.com   # DoH
dnsping -s tls://1.1.1.1 -c 10 copahost.com               # DoT
dnsping -s quic://dns.nextdns.io -c 10 copahost.com       # DoQ
```
Configuring Encrypted DNS on Your Server
nginx — DNS over HTTPS via resolver
```nginx
# nginx.conf — use Cloudflare's resolver addresses for nginx's own upstream lookups.
# Note: the resolver directive speaks plain Do53 on port 53; nginx does not
# itself use DoH or DoT here, so this only selects which resolver answers nginx.
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
```
Cloudflare DNS resolver reference
| Protocol | Address |
|---|---|
| Do53 | 1.1.1.1 and 1.0.0.1 |
| DoT | tls://1.1.1.1 (port 853) |
| DoH | https://1.1.1.1/dns-query |
| DoH3/DoQ | Supported via browser auto-upgrade |
Enabling DNSSEC on your domain (cPanel)
cPanel → Zone Editor → select your domain → DNSSEC → Enable.
Note: DNSSEC protects data integrity at the authoritative level. It is separate from encrypted transport — which protects query privacy.
Limits of Encrypted DNS
Encrypted DNS is not a complete privacy solution:
What it protects: the content of DNS queries from passive observers on the network path between client and resolver.
What it does NOT protect:
- Destination IP addresses — visible after DNS resolution regardless
- SNI (Server Name Indication) — domain name leaks in the TLS handshake unless Encrypted Client Hello (ECH / RFC 9849) is also deployed
- Traffic analysis — volume and timing of connections can still reveal browsing patterns
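The SNI leak is easy to underestimate, so here is an added Python example (not code from the original article) that shows exactly what an observer on the path still sees once DNS is encrypted. It constructs a minimal TLS ClientHello carrying a `server_name` extension and then parses the hostname back out of the raw record, which is the same field that network monitoring and filtering tools read. The hostnames and the fixed client random are constructed sample values; the record layout follows the TLS handshake format, and the parser returns `None` when no SNI is present (the case ECH is designed to produce for the outer hello).

```python
import struct

SNI_EXTENSION_TYPE = 0x0000  # server_name, as registered for TLS extensions


def build_client_hello(hostname, cipher_suites=(0x1301, 0x1302)) -> bytes:
    """Construct a minimal TLS ClientHello record (constructed sample, not a real capture).

    hostname=None builds a hello with an empty extensions block, i.e. no SNI.
    """
    random = b"\x11" * 32  # fixed bytes stand in for the 32-byte client random
    session_id = b""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    if hostname is None:
        extensions = b""
    else:
        host = hostname.encode("ascii")
        # ServerName: name_type(1)=host_name(0), length(2), name
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03" + random                      # legacy_version + random
        + bytes([len(session_id)]) + session_id   # legacy_session_id
        + struct.pack("!H", len(suites)) + suites # cipher_suites
        + b"\x01\x00"                             # legacy_compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake  # TLS record


def extract_sni(record: bytes):
    """Return the server_name host from a ClientHello record, or None if absent."""
    if len(record) < 6 or record[0] != 0x16:  # not a Handshake record
        return None
    hs = record[5:]
    if hs[0] != 0x01:  # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                              # skip cipher suites
    pos += 1 + body[pos]                           # skip compression methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            if name_type == 0:  # host_name
                return name.decode("ascii")
            q += 3 + name_len
    return None


if __name__ == "__main__":
    hello = build_client_hello("copahost.com")
    print("hostname in plain text in the handshake:", extract_sni(hello))
    print("hello without SNI:", extract_sni(build_client_hello(None)))
```

The point for a site owner is that encrypted DNS and SNI are two separate leaks of the same name: closing the first with DoT, DoH or DoQ leaves the second open until the server and the client's browser both support Encrypted Client Hello.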
Which Protocol Should You Use?
| Scenario | Recommended protocol |
|---|---|
| Personal privacy on public Wi-Fi | DoQ (Quad9 or NextDNS) or DoH (Cloudflare) |
| Enterprise network with monitoring needs | DoT to controlled resolver |
| Browser default (no configuration) | DoH — already default in Chrome/Firefox |
| Mobile devices (Android/iOS) | DoT via system Private DNS setting |
| Maximum performance + privacy | DoQ via NextDNS or Quad9 |
| Website/server DNS resolver | Anycast Do53 with DNSSEC (Cloudflare or Route 53) |
The short answer for most website owners: you don't need to configure anything for your visitors' DNS queries — modern browsers handle this automatically. What you can control is the authoritative DNS for your domain (use Cloudflare's nameservers for best performance) and DNSSEC (enable it in your registrar or cPanel).
Summary
The four encrypted DNS protocols — DoT, DoH, DoQ and DoH3 — each solve the plain-text DNS problem with different tradeoffs:
- DoH is the current browser standard
- DoQ and DoH3 are the performance-optimized next generation, with research showing they have essentially closed the gap with unencrypted DNS while adding full privacy protection
For website owners, the most actionable steps are DNSSEC activation and using an authoritative DNS provider with global anycast infrastructure. For end users who care about privacy, DoQ via Quad9 or NextDNS is the best option available today.
Sources
- PAM 2026 — The Future of DNS Privacy: A Comparison of DNS over QUIC and DNS over HTTP/3: https://link.springer.com/chapter/10.1007/978-3-032-18268-5_10
- RFC 9250 — DNS over Dedicated QUIC Connections: https://datatracker.ietf.org/doc/html/rfc9250
- RFC 9849 — TLS Encrypted Client Hello: https://datatracker.ietf.org/doc/html/rfc9849
- Catchpoint — DNS over QUIC Working and Implementation Guide: https://www.catchpoint.com/http2-vs-http3/dns-over-quic
- NextDNS Help Center — What is DoT, DoQ and DoH: https://help.nextdns.io/t/x2hmvas
- State of Surveillance — Best Encrypted DNS May 2026: https://stateofsurveillance.org/guides/technical/encrypted-dns-comparison/