Both DoT and DoH encrypt DNS traffic so it can’t be intercepted or tampered with. They just go about it in slightly different ways:

• DNS-over-TLS (DoT): Runs over port 853 and operates at the transport layer. Once enabled, it encrypts DNS traffic for the whole operating system.
• DNS-over-HTTPS (DoH): Runs over port 443 (the same port used for HTTPS) and operates at the application layer. It’s often enabled in specific apps, like web browsers.

Neither is “better” than the other — they’re just different approaches with their own trade-offs. The good news is that either way, your DNS traffic is encrypted and more secure than traditional plain-text DNS.