PublicDNS.info Live-tested public DNS
Retested every 72 hours.

DNS over HTTPS vs DNS over TLS — Which Should You Use?

DNS over HTTPS and DNS over TLS both encrypt your DNS queries, but they work differently. This guide explains what each protocol does, how they compare, and which one to use.

Why encrypt DNS?

Traditional DNS sends queries in plain text over UDP port 53. Every device between you and the DNS server — your ISP, the Wi-Fi operator, anyone on the same network — can see exactly which domains you look up. Worse, they can modify the responses to redirect you to a different IP address.

This is not a theoretical risk. ISPs routinely log DNS queries for analytics. Public Wi-Fi hotspots can inject ads or redirect lookups. State-level actors use DNS to censor content.

Encrypted DNS fixes both problems. Your queries are wrapped in TLS, so they cannot be read or tampered with in transit. The two main protocols for this are DNS over HTTPS (DoH) and DNS over TLS (DoT).

DNS over HTTPS (DoH)

DoH sends DNS queries inside standard HTTPS connections on port 443 — the same port used by every website. From a network perspective, a DoH query looks identical to any other HTTPS traffic.

This makes DoH very hard to block. A network operator would have to block all HTTPS traffic to stop it, which is not practical.

DoH endpoints use a URL format:

https://dns.example.com/dns-query

Browser support is strong. Firefox, Chrome, and Edge all have built-in DoH settings. Windows 11, iOS, and Android also support DoH at the OS level.

The trade-off: DoH adds the HTTP layer on top of TLS, which introduces slightly more overhead per query compared to DoT. In practice, the difference is negligible.

DNS over TLS (DoT)

DoT sends DNS queries directly over a TLS connection on a dedicated port: 853. There is no HTTP layer — just raw DNS wrapped in TLS.

The dedicated port makes DoT easy to identify on a network. A firewall can block port 853 to disable DoT entirely. This is both an advantage (network admins can manage it) and a disadvantage (censors can block it).

DoT endpoints are specified as a hostname:

dns.example.com

DoT is well supported at the operating system level. Android's "Private DNS" feature uses DoT. On Linux, systemd-resolved and Unbound both support DoT natively. Browser support, however, is nonexistent — no major browser implements DoT directly.
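The transport difference the two sections above describe, shown as an added example that is not code from PublicDNS.info: the same wire-format query is base64url-encoded into a DoH GET URL (RFC 8484, whose own www.example.com example this reproduces) or length-prefixed for a DoT stream (RFC 7858). It runs offline, sends nothing on the network, and uses the page's placeholder dns.example.com.

```python
# Added example (not from PublicDNS.info): build one DNS query and show how
# the same bytes travel over DoH (RFC 8484) versus DoT (RFC 7858).
import base64
import struct


def build_query(name: str, qtype: int = 1, txn_id: int = 0) -> bytes:
    """Wire-format DNS query: 12-byte header plus one question, RD bit set.

    RFC 8484 recommends a zero transaction ID for DoH: HTTP already pairs
    responses with requests, and a constant ID makes identical queries
    cacheable.
    """
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in name.rstrip(".").split(".") if part
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(base_url: str, query: bytes) -> str:
    """DoH GET form: the message, base64url-encoded without padding, in the
    'dns' parameter.  (The POST form sends the raw bytes as the body with
    Content-Type: application/dns-message instead.)"""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def dot_frame(query: bytes) -> bytes:
    """DoT keeps DNS-over-TCP framing: 2-byte big-endian length, then message."""
    return struct.pack("!H", len(query)) + query


def dot_unframe(stream: bytes) -> list:
    """Split a DoT byte stream back into messages; one session carries many."""
    messages, offset = [], 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, offset)
        offset += 2
        messages.append(stream[offset:offset + length])
        offset += length
    return messages


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("https://dns.example.com/dns-query", q))  # HTTPS, 443
    print(dot_frame(q).hex())                                   # TLS, 853
```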

DoH vs DoT comparison

| Feature | DoH | DoT |
| --- | --- | --- |
| Port | 443 (HTTPS) | 853 |
| Protocol | HTTPS / HTTP/2 | TLS |
| Blocking | Hard to block (same as web traffic) | Easy to block (dedicated port) |
| Privacy from network | High (blends with HTTPS) | Moderate (port 853 is identifiable) |
| Browser support | Yes (Firefox, Chrome, Edge) | No (OS-level only) |
| Android Private DNS | No | Yes |
| Performance | Slightly higher overhead (HTTP layer) | Slightly lower overhead |

Which should you use?

Use DoH if you want encrypted DNS that is difficult to block. It is the right choice when you are on a network you do not control — corporate Wi-Fi, hotel networks, countries with DNS censorship. It is also the easiest to set up if you just want to flip a switch in your browser.

Use DoT if you want system-wide encrypted DNS on Android or Linux. Android's Private DNS feature is DoT-only and covers all apps on the device, not just the browser. On Linux, systemd-resolved makes DoT straightforward to configure.

Both protocols encrypt your queries with TLS. Both prevent eavesdropping and tampering. The best choice depends on your threat model and what your operating system supports. If you are unsure, start with DoH in your browser — it takes 30 seconds to enable.

How to enable DoH

Firefox: Open Settings, go to Privacy & Security, scroll to DNS over HTTPS. Select your preferred provider or enter a custom URL.

Chrome: Go to Settings, then Privacy and security, then Security. Under "Use secure DNS," toggle it on and pick a provider.

Edge: Settings, then Privacy, search, and services. Under Security, enable "Use secure DNS" and choose a provider.

Windows 11: Open Settings, go to Network & internet, click your connection, then click DNS. Set DNS encryption to "Encrypted only (DNS over HTTPS)."

iOS / iPadOS: Install a DNS profile from your provider (Cloudflare and NextDNS offer free apps), or configure it under Settings, VPN & Device Management.

How to enable DoT

Android (9+): Open Settings, go to Network & internet, then Private DNS. Select "Private DNS provider hostname" and enter the hostname, e.g. one.one.one.one for Cloudflare or dns.google for Google.

Linux (systemd-resolved): Edit /etc/systemd/resolved.conf and set:

DNS=1.1.1.1
DNSOverTLS=yes

Then restart the service: sudo systemctl restart systemd-resolved
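A hardened version of the resolved.conf setting above, added here as an example rather than the page's own configuration. The "address#name" form is systemd-resolved's syntax for the server name it sends as SNI and validates the certificate against; one.one.one.one and dns.quad9.net are the DoT hostnames from the provider table below, and 9.9.9.9 is Quad9's resolver address, listed as the second resolver the FAQ recommends.

```ini
# /etc/systemd/resolved.conf (added example; not the page's configuration)
[Resolve]
# Works, but gives resolved no server name: nothing is sent as SNI and the
# certificate cannot be matched against a hostname.
#DNS=1.1.1.1
#DNSOverTLS=yes

# Hardened: pin the name to validate the certificate against, and list a
# second resolver so one outage does not break name resolution.
DNS=1.1.1.1#one.one.one.one 9.9.9.9#dns.quad9.net
DNSOverTLS=yes
```

After restarting the service, `resolvectl status` shows the configured servers and the DNS-over-TLS setting, and `resolvectl query example.com` confirms that resolution still works.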

Unbound: Add a forward-zone with forward-tls-upstream: yes and point it to your DoT server on port 853.

Providers that support both DoH and DoT

Most major public DNS providers support both protocols. Here are the endpoints:

| Provider | DoH endpoint | DoT hostname |
| --- | --- | --- |
| Cloudflare | https://cloudflare-dns.com/dns-query | one.one.one.one |
| Google | https://dns.google/dns-query | dns.google |
| Quad9 | https://dns.quad9.net/dns-query | dns.quad9.net |
| NextDNS | https://dns.nextdns.io/{config-id} | {config-id}.dns.nextdns.io |

For a full list of public DNS servers and their features, browse our complete directory.

Recommended DNS servers

We maintain a live-tested directory of public DNS resolvers worldwide, checked for reliability and response time. Whether you choose DoH, DoT, or plain DNS, you need a fast and trustworthy server.

Browse the full directory to find the best servers for your location.

Frequently asked questions

Is DoH or DoT more secure?

Both use TLS encryption and provide the same level of security for your DNS queries. The difference is transport, not encryption strength. DoH wraps DNS in HTTPS; DoT sends DNS directly over TLS.

Can my ISP still see which websites I visit if I use DoH or DoT?

Encrypted DNS hides your DNS queries, but your ISP can still see the IP addresses you connect to and may use SNI (Server Name Indication) in TLS handshakes to identify domains. Encrypted Client Hello (ECH) addresses the SNI issue but is not yet widely deployed.

Does encrypted DNS slow down my connection?

The overhead is minimal. The initial TLS handshake adds a small delay, but subsequent queries reuse the connection and are fast. Most users will not notice any difference.

Can I use DoH and DoT at the same time?

Not on the same device for the same queries. You pick one transport per resolver configuration. However, you could run DoH in your browser and DoT at the OS level — the browser setting typically takes priority for browser traffic.

What happens if my encrypted DNS server goes down?

Most clients fall back to the next configured resolver. If you only have one encrypted resolver and no fallback, DNS resolution will fail until the server recovers or you switch to another one. Always configure at least two resolvers.