In this article

This article explains the differences between DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH), including how DNSFilter security settings interact with these protocols.

Why DNS Encryption matters

Traditional DNS traffic is sent in plain text, which allows attackers to:

• Eavesdrop on queries and see which sites users visit

• Manipulate DNS responses for malicious purposes

Both DoT and DoH solve this problem by encrypting communication between DNS clients and resolvers, protecting the privacy and integrity of DNS queries.

DNS over TLS (DoT)

• Established in 2016

• Encrypts DNS traffic over a dedicated port (853) instead of the standard port 53

• After a secure TLS handshake, DNS queries and responses flow through a persistent encrypted channel

• Connection setup usually takes 5–10 seconds and remains active for subsequent queries

Key takeaway: DoT operates at the Transport Layer and encrypts DNS traffic for the entire operating system once configured.

DNS over HTTPS (DoH)

• Introduced in 2018

• Encrypts DNS queries inside regular HTTPS traffic over port 443

• Looks like standard HTTPS traffic, making it harder for network devices to block

• Responses are encrypted and decoded by the client application

Key takeaway: DoH operates at the Application Layer and is often configured on a per-application basis (e.g., browsers like Firefox, Chrome, Opera).

Differences between DoT and DoH

Using DoT and DoH with DNSFilter

• DoT with DNSFilter

  • Fully supported via Roaming Clients and DNS Relay

  • Provides OS-level coverage, encrypting DNS traffic system-wide

• DoH with DNSFilter

  • Supported via Network Deployments as well as some client applications

  • Because DoH runs over port 443, it can bypass traditional DNS controls if unmanaged

  • Administrators can block or control access to third-party DoH endpoints. DNSFilter maintains a community list of DoH resolvers to help enforce policies