DNS Over HTTPS vs DNS Over TLS Which Is More Secure
- by Staff
The traditional Domain Name System was never designed with privacy in mind. When a user queries a website by name, their DNS resolver translates that human-friendly domain into an IP address, but historically this process has occurred in plaintext. This means anyone along the network path—whether an ISP, a malicious actor, or a surveillance system—could intercept or manipulate DNS traffic. To address these vulnerabilities, two prominent protocols have emerged to encrypt DNS queries in transit: DNS over HTTPS (DoH) and DNS over TLS (DoT). While both provide significant security improvements over standard DNS, they differ in how they operate, how they are deployed, and what threats they protect against, leading to ongoing debate about which is more secure.
DNS over HTTPS functions by encapsulating DNS queries and responses within the same encrypted HTTP/2 or HTTP/3 sessions used for regular web traffic. This means DNS queries are indistinguishable from standard HTTPS requests to network observers. As a result, DoH effectively masks DNS traffic within the broader pool of encrypted web activity, making it difficult for middleboxes, firewalls, or deep packet inspection systems to detect and block. This obfuscation is one of DoH’s strongest privacy features, as it thwarts censorship and eavesdropping by blending in with typical web traffic. Additionally, DoH can take advantage of existing content delivery networks and proxy infrastructure, making it easy to integrate into web browsers and operating systems without specialized configuration.
DNS over TLS, on the other hand, encrypts DNS traffic using the TLS protocol, the same cryptographic foundation used by HTTPS, but maintains DNS’s traditional port-based and transport-layer behavior. DoT typically runs over TCP port 853 and is designed to function like standard DNS with an added encryption layer. While this makes DoT easier to integrate with existing DNS resolvers and infrastructure, its dedicated port also makes it more conspicuous. Unlike DoH, which is camouflaged among other HTTPS traffic, DoT can be identified and potentially blocked by network operators who wish to restrict encrypted DNS. This visibility can be seen as either a drawback or a benefit depending on the context—while it may hinder use in restrictive environments, it also makes DoT traffic more manageable for enterprises seeking to monitor and control DNS resolution for compliance or security purposes.
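To make the transport difference concrete, the following is an added example (not code from the original article) that builds one wire-format DNS query and shows it both ways: as the RFC 8484 GET request DoH sends over port 443, and as the length-prefixed frame DoT carries inside its TLS session on port 853. The resolver hostname doh.example is a placeholder; nothing is sent on the network.

```python
import base64
import struct

DOT_PORT = 853  # RFC 7858: DNS over TLS has its own, visible port
DOH_PORT = 443  # RFC 8484: DNS over HTTPS shares the ordinary HTTPS port


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 query (type A, class IN by default), RD flag set.
    RFC 8484 recommends ID 0 for DoH GET so identical queries are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_request(name: str, host: str = "doh.example",
                    path: str = "/dns-query") -> dict:
    """RFC 8484 GET form: the DNS message is base64url-encoded with the
    '=' padding removed and placed in the 'dns' query parameter."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return {"method": "GET",
            "url": f"https://{host}:{DOH_PORT}{path}?dns={b64}",
            "headers": {"Accept": "application/dns-message"}}


def dot_frame(name: str, txid: int = 0x1234) -> bytes:
    """RFC 7858 reuses the TCP framing of RFC 1035: each message inside the
    TLS stream is preceded by a 2-byte big-endian length."""
    msg = build_query(name, txid=txid)
    return struct.pack("!H", len(msg)) + msg


def dot_unframe(stream: bytes) -> list:
    """Split a DoT byte stream back into DNS messages; a truncated stream
    (a common failure mode when a middlebox cuts the connection) raises."""
    msgs, pos = [], 0
    while pos < len(stream):
        if pos + 2 > len(stream):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + n > len(stream):
            raise ValueError("truncated DNS message")
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs


if __name__ == "__main__":
    print(doh_get_request("www.example.com")["url"])
    print(dot_frame("www.example.com").hex())
```

The `dns=` value produced for www.example.com matches the worked example in RFC 8484, which is a useful check when comparing against packet captures.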
From a pure cryptographic standpoint, both DoH and DoT offer similar levels of protection. They use TLS to encrypt DNS queries and responses, preventing third parties from snooping on domain lookups or injecting malicious replies. Both support modern ciphers and forward secrecy, ensuring that even if the resolver's long-term private key is compromised later, previously recorded sessions cannot be decrypted. Authentication is also a core feature, as both protocols rely on certificate validation to ensure the client is communicating with the intended DNS resolver. This is a crucial defense against man-in-the-middle attacks, especially on untrusted networks like public Wi-Fi.
The real differences in security between DoH and DoT arise not from encryption strength but from deployment models and ecosystem maturity. DoH has been rapidly adopted by major web browsers such as Firefox and Chrome, often using centralized public resolvers like Cloudflare or Google. This centralization introduces new security and privacy considerations. For instance, when a browser redirects all DNS queries to a single DoH provider, it places immense trust in that provider not to log or misuse query data. While leading DoH providers have strong privacy policies and third-party audits, the consolidation of DNS resolution into a few major players creates a single point of observation, which some argue undermines decentralization and could be exploited if those providers are compelled by government orders or breached by adversaries.
DoT, by contrast, is more commonly used at the system or network level, such as by routers, mobile devices, or operating systems. It allows organizations to implement encrypted DNS using their own infrastructure or trusted resolvers without relying on browser-level controls. This gives network administrators more flexibility and visibility, which can be essential in enterprise settings where DNS plays a role in security monitoring, content filtering, and access control. Additionally, DoT fits more naturally into existing DNS resolver chains, making it easier to implement in recursive resolvers or forwarders that already support traditional DNS protocols.
Security also depends on how resolvers handle data after decryption. Neither DoH nor DoT prevents the DNS resolver itself from logging or selling user data. If a resolver collects and stores DNS logs, encrypted transport becomes moot from a privacy perspective. Therefore, the policies and practices of the resolver operator are just as critical as the protocol in use. In some scenarios, organizations may even choose to deploy both DoH and DoT in tandem or fallback modes, offering encrypted DNS at both browser and system levels to maximize coverage and resilience.
One area where DoH may have a slight edge in real-world security is its resistance to censorship and traffic shaping. Because it operates over port 443 and uses standard HTTPS protocols, it is less likely to be blocked or throttled by oppressive regimes or networks that attempt to intercept or rewrite DNS traffic. This makes DoH a more robust option for users in environments with heavy internet censorship or surveillance. However, it also poses challenges for enterprises trying to enforce DNS policies, since DoH can bypass local DNS filters or parental controls by routing queries to external resolvers that are not under the organization’s governance.
In conclusion, both DNS over HTTPS and DNS over TLS represent significant advancements in securing DNS traffic against interception, manipulation, and surveillance. They share the same fundamental encryption technology but differ in how they integrate with existing systems, how they interact with network policies, and how they impact user privacy. DNS over HTTPS offers superior resistance to network-based censorship and is better suited for individual users seeking maximum anonymity in hostile environments. DNS over TLS provides a more transparent and manageable solution for organizations that require policy enforcement and integration with existing infrastructure. Determining which is more secure depends heavily on the context, threat model, and operational requirements of the user or organization. Rather than choosing one over the other, a layered approach that incorporates both protocols strategically may offer the best balance of privacy, control, and resilience in an increasingly complex internet landscape.