DNS over TLS vs DNS over HTTPS

Article author
Minetta Gould
  • Updated

One of the most common vulnerabilities of the DNS protocol attackers exploit is the plain text format in which communication between DNS clients and servers is performed. This allows attackers to eavesdrop on a network and know details about a DNS query, then manipulate it for malicious purposes. 

This is the problem that DNS encryption aims to solve. With DNS encryption in place, communication between DNS clients and servers is encrypted from end to end thus preventing attackers from making sense of the information being transferred.

In this guide, you will learn about the two most common DNS encryption methods, their strengths, drawbacks, and level of adoption by the top operating systems and platforms.

DNS over TLS (DoT)

DNS-over-TLS (DoT), released in 2016, is the first DNS encryption solution to be established.

DoT channels the original client requests through a secure TLS channel on port 853 instead of the common port 53 used for unencrypted DNS communication. This prevents attackers from seeing or manipulating information about the DNS request. 

Once an authenticated handshake is made and a secure channel is established with the DNS resolver, the DNS client and resolver can start exchanging messages over a secure channel. The secure connection created is mostly persisted for other DNS requests that the client will need to make during that session.

DNS over HTTPS (DoH)

The newer alternative to encrypting DNS traffic is DNS-over-HTTPS (DoH). DoH was introduced in 2018, and even though it uses TLS to encrypt messages between the client and the DNS resolver, it uses a different strategy.

Instead of opening a new port for secure communication, it uses the same port 443 used for HTTPS requests to send a DNS query to a DNS server that supports DoH. The DNS query is sent encrypted just like a regular HTTPS request and the response is also encrypted. The client decodes the response which contains the DNS information required to reach the site.

Some devices avoid DNS encryption by blocking the secure DNS port used by DoT, this is mostly done for ill-intented purposes. Because DoH does not require a special port for encrypted DNS communication, it cannot be bypassed.

Differences between DoT and DoH

  DoT DoH


Opens a new port (853) for creating a secure connection for encrypted communication

Reuses the HTTPS port 443 for encrypted communication

OSI Layer of operation

Encrypted communication takes place at the Transport Layer (layer 4) of the OSI model

Encrypted communication takes place at the Application Layer (layer 7) of the OSI model

Operating System / Application Coverage

It is either supported natively or can be configured for various operating systems (macOS, Windows, and Linux). Once in place, it encrypts DNS communication for any application that uses DNS on the operating system.

Needs to be configured for each application/client that needs to use it (e.g. browsers like Firefox, Google Chrome, Opera, etc)

Packet Size

Because it operates at a lower level, its packet sizes are light

Packet sizes are larger than DoT because it operates at the Application layer (two layers above DoT)


Minimal latency in DNS requests

Higher latency compared to DoT

Was this article helpful?

6 out of 8 found this helpful

Have more questions? Submit a request



Article is closed for comments.