
What's the deal with DNS over [BLANK]?

Tags: dns security info

Note: This blog post was meant to cover my experience layering and messing with DNS, but I just did not have the time. So enjoy this piece in the meantime!

What’s up with DNS over [BLANK]? What is DoH, and what is DoT? Is it a weird dictionary autocorrect of “dot”, and people are merely talking about punctuation? Or is there something more to it? Well, to actually understand what any of that (vague hand gesturing) means, you’ll need to learn about DNS.

DNS (short for “Domain Name System”) is a way for computers to associate text (domain names) with IP addresses; you can think of it as a phonebook for the Internet. If you want to call “John Smith”, you browse the phonebook until you’ve found him, dial his phone number, and have a nice conversation about quantum mechanics or whatever.

DNS does the same thing for your computer and websites: when you want to go to google.com or wikipedia.org, your device uses DNS (the phonebook) to find out what that name actually means and where to find it, and then it goes there. If you want more information about DNS in the form of a comic that takes about 10 minutes to read, go to howdns.works.

Anyway, the problem with DNS, besides being a pain for software developers at times, is that it was, for the longest time, unencrypted. Your network traffic actually passes through multiple computers, owned by different people, and unencrypted traffic is ridiculously easy to snoop on and track. So, yeah! Your computer has been publicly shouting into a megaphone about which websites you’ve been visiting!

That’s quite concerning! And because DNS is unencrypted, people can also easily change whatever information your computer receives! Going back to the phonebook analogy, DNS is more like having to drive to a phonebook store, passing through multiple police checkpoints along the way, at which the officers could very easily alter the phonebook itself so that you end up calling someone other than John Smith! And you were discussing quantum mechanics with his rival, who will now publish this revealed information in a scientific paper and take over the world!

OK, the analogy is clearly falling apart, but this technique of switching the address your computer receives is called “DNS hijacking”. It has some “legitimate uses” (depending on whether you think censorship is legitimate), but it also has plenty of morally questionable, and indeed dangerous, uses such as phishing. All of this is why we’ve been moving away from unencrypted DNS and towards DNS protocols where some other underlying protocol is used for transport.

Here are the two most common examples of DNS over [BLANK] you’ll encounter.

  1. DNS over HTTPS (shortened to DoH) uses HTTPS, the same thing responsible for showing this page and pretty much every other page on the Internet. HTTPS is basically an encrypted version of HTTP, so in other words it’s actually double-layered. (DNS → HTTP → TLS)
  2. DNS over TLS (shortened to DoT) uses TLS directly, which is just the encryption layer. There’s not much to say about this one; it works.
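As an added illustration (not code from the original post), here is one DNS query built in its wire format and then framed the way each transport carries it: DoT puts a 2-byte length prefix in front of the message and sends it inside TLS to port 853, while DoH wraps the same bytes in an HTTP request (as a POST body or a base64url `dns=` parameter) inside TLS to port 443. The resolver host `dns.example.net` and the `/dns-query` path are placeholders chosen here, and nothing is sent on the network.

```python
import base64
import struct

DOT_PORT = 853   # DNS over TLS (RFC 7858)
DOH_PORT = 443   # DNS over HTTPS (RFC 8484), the same port as ordinary HTTPS


def build_dns_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Minimal DNS query (RFC 1035 wire format) asking for the A record of `name`."""
    # Header: ID, flags (0x0100 = recursion desired), QDCOUNT=1, AN/NS/AR counts=0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    # QNAME: each label prefixed by its length, terminated by a zero byte
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def frame_for_dot(query: bytes) -> bytes:
    """DoT framing is identical to DNS over TCP: a 2-byte big-endian length
    prefix, and the result is carried inside a TLS session to port 853."""
    return struct.pack("!H", len(query)) + query


def frame_for_doh_post(query: bytes, host: str, path: str = "/dns-query") -> bytes:
    """DoH POST framing: the raw DNS message is the HTTP body, typed as
    application/dns-message; the HTTP request rides inside TLS to port 443."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(query)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + query


def doh_get_url(query: bytes, host: str, path: str = "/dns-query") -> str:
    """DoH GET variant: the message is base64url-encoded without padding
    and carried in the dns= query parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{host}{path}?dns={encoded}"


def query_from_doh_get_url(url: str) -> bytes:
    """Inverse of doh_get_url: restore padding and recover the DNS message."""
    encoded = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
```

Whichever transport is used, the 29-byte query for example.com is byte-for-byte the same; only the wrapping (and therefore the port an observer sees) differs.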

Others have experimented with other protocols and other ways to make DNS more secure, but these two are quite common, efficient and practical and will probably stay with us for decades to come. So, which one should you, dear reader, use? Well, let’s start off with this simple fact: it really does not matter as much as some people think. They both fix the fundamental problem of DNS being unencrypted, so the takeaway of this article is that if you have the option of using DoH or DoT, take the option!

There are minor privacy gains with DoH and minor performance gains with DoT, and when I say minor, I mean the difference does not really matter. Anyone who considerably delays the progress of either protocol in favor of their own beloved or desired protocol is just bikeshedding and wasting time!

Fundamentally, DoT is always going to be faster than DoH, because DoH is layered on top of HTTPS, which is itself HTTP layered on top of TLS. So with DoT it’s simply one layer fewer than DoH. Does that actually make a difference? I don’t know, but I hardly think it does; it’s just a couple more requests back and forth. DoH is not going to be a performance bottleneck.

Also, one more thing to remember: minuscule performance differences are a moot point anyway because of the purpose of DNS. It is just the phonebook, and you stop using DNS once you know who to call.

What about DoH? DoH has the minor privacy benefit of “blending in”.

Alright, it’s time to get just a bit more technical. Your computer uses “ports” for communicating: HTTP uses 80, HTTPS uses 443, DNS uses 23 and so on. DoT, however, uses 853, whereas DoH uses port 443 (same as HTTPS).

If you were looking to block access to encrypted DNS because you wanted to control where all DNS queries are directed (presumably so you can either spy on or censor certain websites), then DoT is ridiculously easy to block, since it runs on a unique port which you can block really easily.

DoH using the same port as HTTPS means that it is harder to block, because blindly blocking port 443 would block all encrypted web traffic. Encrypted web traffic is actually quite useful, though, so people don’t do that!

DoH can still be blocked; I am not sure how or why, but it can be. Maybe something to do with the SNI exposing domain names and thus easily exposing what website someone is using.1 But this is getting far too technical for a simple blog post, and there are dozens of ways to block Internet traffic.

As for me, I’ll take DoH where I can because of this minor privacy benefit; I believe it outweighs the latency of layering two protocols on top of each other. But it sucks that Android only supports DoT; I thought it would’ve supported both. Anyway, as said before, the takeaway is not to argue endlessly about which protocol to use, but simply to inform you and make you aware of it. Turn on encrypted DNS!

  1. Quick note: SNI would expose only the DNS service you’re using and not what you’re communicating (fetching addresses for). Encryption is pretty damn unbreakable, so you should still be using it wherever you can to secure your communications. The devil is in the details: “The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested.” (From the linked wiki article)