DoH vs DoT: The Battle for Encrypted DNS

As awareness of digital privacy and data protection surged in the wake of pervasive surveillance revelations and rising cybersecurity threats, one of the internet’s oldest and most critical protocols came under renewed scrutiny: the Domain Name System. Traditional DNS, though functionally effective, transmitted queries and responses in plaintext, making it trivial for any intermediary—be it an ISP, network administrator, or malicious actor—to monitor, log, or manipulate DNS traffic. This lack of confidentiality turned DNS into a weak link in the privacy chain, especially as other web traffic increasingly moved to HTTPS. In response, the internet engineering community developed two prominent protocols to encrypt DNS queries: DNS over HTTPS (DoH) and DNS over TLS (DoT). What followed was not only a technical innovation but a fundamental debate over control, architecture, and user rights—setting the stage for what has often been described as the battle for encrypted DNS.

DNS over TLS, standardized in RFC 7858 in 2016, was the first major push to secure DNS at the transport layer. It leaves the DNS message format untouched: each message is sent with the same two-byte length prefix used for DNS over TCP (RFC 7766), inside a TLS session, much as HTTPS wraps HTTP. DoT therefore encrypts the exchange between the stub client and the recursive resolver. It runs on a dedicated port, 853, so the connection carries nothing but DNS. Its straightforward design appealed to network administrators and privacy advocates alike: it offered encryption without changing the DNS model or routing queries through general web infrastructure, and because the traffic stays on its own port, firewall and monitoring policies can still recognize DNS as DNS. Two caveats matter in practice. The property that makes DoT easy to manage also makes it easy to block, since dropping outbound port 853 is enough to stop it. And TLS on its own only hides queries from a passive observer; whether the client actually authenticates the resolver depends on the usage profile it follows (RFC 8310). A strict profile validates the resolver's certificate against a configured name or key pin and fails closed, while an opportunistic profile accepts any certificate, or falls back to cleartext when TLS is unavailable, and so offers no protection against an active attacker on the path.

In contrast, DNS over HTTPS, standardized later in RFC 8484 in 2018, takes a more radical approach by carrying DNS inside ordinary HTTPS. Queries travel to port 443 and look, on the wire, like any other encrypted web traffic. The DNS message itself is unchanged: a client either sends it as the body of a POST with Content-Type application/dns-message, or base64url-encodes it into the `dns` query parameter of a GET, which lets HTTP caches serve identical queries. Because it rides on HTTP, DoH inherits the web stack: RFC 8484 recommends HTTP/2 as the minimum version, so many queries can be multiplexed over one connection, and standard proxies and CDNs can sit in front of a resolver. This is what makes DoH harder to filter than DoT. An operator cannot block encrypted DNS as a class without blocking HTTPS, and telling a DoH request apart from a web page fetch requires TLS interception. The blending is not total, though: the resolver's hostname still appears in the ClientHello's SNI unless Encrypted Client Hello is in use, and a public resolver's IP addresses are known, so a specific, well-known DoH endpoint can still be blocked by address or server name. What DoH removes is the ability to block or inspect encrypted DNS generically.
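As an added example (not code from the original article or from any resolver project), the following Python builds one DNS query in wire format and shows how the same bytes are carried by each transport: the two-byte length prefix that DoT writes into its TLS session to port 853, and the base64url `dns` parameter or application/dns-message body that DoH sends over HTTPS. It also parses a constructed response, so it runs offline. The hostname dns.example and the address 192.0.2.1 are placeholders, and the POST headers are shown in HTTP/1.1 text form only for readability.

```python
"""Same DNS message, three transports: plain wire format, DoT framing, DoH encoding.

Added example; not part of the original article. Makes no network calls.
"""
import base64
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode an RFC 1035 query with RD set. RFC 8484 recommends txid 0 for DoH
    (identical queries become cacheable); a UDP or DoT client should use a random ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def frame_for_dot(msg: bytes) -> bytes:
    """DoT (RFC 7858) reuses DNS-over-TCP framing (RFC 7766): a two-byte big-endian
    length prefix. The result is what gets written into a TLS session to port 853."""
    return struct.pack("!H", len(msg)) + msg


def unframe_dot(stream: bytes) -> tuple:
    """Split one length-prefixed message off a DoT byte stream; returns (msg, rest)."""
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length], stream[2 + length:]


def doh_get_url(msg: bytes, base: str = "https://dns.example/dns-query") -> str:
    """DoH GET (RFC 8484 section 4.1): base64url without padding in the `dns` parameter."""
    param = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{base}?dns={param}"


def doh_post(msg: bytes, host: str = "dns.example", path: str = "/dns-query") -> bytes:
    """DoH POST: the raw wire-format message is the body. HTTP/1.1 text headers are
    used here for readability; RFC 8484 recommends HTTP/2 as the minimum version."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n\r\n"
    )
    return head.encode("ascii") + msg


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, handling RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> list:
    """Return IPv4 strings from the answer section of a response. The message format
    is identical whether it arrived over UDP, DoT or DoH."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 == 0:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return ips


# Constructed response for example.com: flags 0x8180 (QR, RD, RA), one answer whose
# name is a pointer back to the question (0xC00C), A 192.0.2.1, TTL 300.
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)


if __name__ == "__main__":
    q = build_query("example.com")
    print("DoT frame :", frame_for_dot(q).hex())
    print("DoH GET   :", doh_get_url(q))
    print("DoH POST  :", doh_post(q)[:60], b"...")
    msg, _rest = unframe_dot(frame_for_dot(CONSTRUCTED_RESPONSE))
    print("answers   :", parse_a_records(msg))
```

The point to take from the block is that only the envelope differs: a DoT sensor sees a length-prefixed DNS message on port 853, a DoH sensor sees an HTTP request on port 443, and a resolver behind either hands the same bytes to the same parser.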

The architectural differences between DoH and DoT reflect a broader philosophical divide. DoT was embraced by traditional network operators and privacy-focused infrastructure providers who valued transparency, manageability, and the principle of user choice. By keeping DNS on its own port, DoT lets a user point DNS at a trusted resolver while the operating system and the network retain the ability to see that DNS is happening and to apply policy to it. This made it particularly attractive in enterprise environments, parental control setups, and regulated industries where DNS-based visibility is critical.

DoH, by contrast, was seen by its proponents as a necessary evolution in user protection, particularly on untrusted networks such as public Wi-Fi, mobile data, or in countries with aggressive DNS-based censorship. Major browser vendors spearheaded deployment by building DoH clients into the browser itself rather than waiting for operating systems. The two largest took different paths. Mozilla's Firefox, through its Trusted Recursive Resolver program, sends queries by default in some regions to a partner resolver, ignoring the operating system's configured DNS server unless the network signals otherwise, for example by answering NXDOMAIN for the canary domain use-application-dns.net or through enterprise policy. Google's Chrome by default only upgrades to DoH when the resolver the system is already using is known to offer the same service over HTTPS, so the recipient of the queries does not change. It is the first model that bypasses local DNS policy, including policy set by ISPs or enterprise networks. For privacy advocates this was a victory, since users could prevent intermediaries from seeing or tampering with their queries. For network operators it meant a real loss of control: DNS traffic was now mixed into general web traffic and routed to third-party resolvers outside organizational oversight, and DNS-based security controls such as sinkholing known-malicious domains no longer saw those queries at all.
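As an added example, not from the original article, the following Python shows what an operator can still see once clients move to encrypted DNS. It classifies TLS flows from constructed Zeek-style records using the three signals available without interception: the dedicated port and ALPN that identify DoT, the server name of a known public DoH resolver, and, for a DoH client pointed at a resolver the operator has never heard of, the fact that its later HTTPS connections go to addresses that no plaintext DNS answer on the network ever returned. The record layout, the addresses and the sample records are constructed, and the resolver list is a short starting point that an operator would maintain, not a complete inventory.

```python
"""Spot DoT and DoH use in constructed Zeek-style dns and ssl records.

Added example; not part of the original article. Records and addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Starting point only: an operator maintains this from their own resolver policy.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}


@dataclass(frozen=True)
class DnsRecord:
    """One plaintext DNS answer the sensor saw: client, name, returned addresses."""
    client: str
    qname: str
    answers: tuple


@dataclass(frozen=True)
class TlsFlow:
    """One TLS connection. SNI and ALPN are read from the cleartext ClientHello."""
    client: str
    dst_ip: str
    dst_port: int
    sni: str = ""    # "" when the ClientHello carried no server name
    alpn: str = ""   # "" when the client offered no ALPN


def resolved_ips(dns_records):
    """Map each client to every address a plaintext DNS answer handed it."""
    seen = defaultdict(set)
    for rec in dns_records:
        seen[rec.client].update(rec.answers)
    return seen


def classify(flow, seen):
    """Label one flow; the strongest signal wins, so order matters."""
    if flow.dst_port == 853 or flow.alpn == "dot":
        return "dot"                       # dedicated port; "dot" is the registered ALPN id
    if flow.dst_port != 443:
        return "other"
    if flow.sni.lower().rstrip(".") in KNOWN_DOH_HOSTS:
        return "doh-known-resolver"        # SNI is visible unless Encrypted Client Hello is used
    if flow.dst_ip not in seen.get(flow.client, set()):
        return "https-unresolved"          # name was resolved somewhere the sensor cannot see
    return "https"


def report(dns_records, flows):
    """Return per-flow labels and, per client, the share of HTTPS flows whose
    destination was never resolved in the clear. A client that has switched to an
    unknown DoH resolver drives that share toward 1.0."""
    seen = resolved_ips(dns_records)
    labels = [(flow, classify(flow, seen)) for flow in flows]
    counts = defaultdict(lambda: [0, 0])  # client -> [unresolved, total https]
    for flow, label in labels:
        if label in ("https", "https-unresolved"):
            counts[flow.client][1] += 1
            counts[flow.client][0] += int(label == "https-unresolved")
    ratios = {c: unresolved / total for c, (unresolved, total) in counts.items()}
    return labels, ratios


# Constructed sample: 10.0.0.5 still uses the network resolver; 10.0.0.7 does not.
SAMPLE_DNS = [
    DnsRecord("10.0.0.5", "example.org", ("192.0.2.10",)),
    DnsRecord("10.0.0.5", "dns.example", ("198.51.100.1",)),
    DnsRecord("10.0.0.5", "cloudflare-dns.com", ("198.51.100.2",)),
]
SAMPLE_FLOWS = [
    TlsFlow("10.0.0.5", "198.51.100.1", 853, sni="dns.example", alpn="dot"),
    TlsFlow("10.0.0.5", "198.51.100.2", 443, sni="cloudflare-dns.com", alpn="h2"),
    TlsFlow("10.0.0.5", "192.0.2.10", 443, sni="example.org", alpn="h2"),
    TlsFlow("10.0.0.7", "203.0.113.9", 443, alpn="h2"),                  # no SNI at all
    TlsFlow("10.0.0.7", "203.0.113.10", 443, sni="shop.example", alpn="h2"),
]


if __name__ == "__main__":
    labels, ratios = report(SAMPLE_DNS, SAMPLE_FLOWS)
    for flow, label in labels:
        print(f"{flow.client} -> {flow.dst_ip}:{flow.dst_port} sni={flow.sni or '-'} {label}")
    print("unresolved-HTTPS share per client:", ratios)
```

The first two signals are exact but brittle: a user who picks a resolver not on the list, or a network where Encrypted Client Hello hides the SNI, defeats them. The third signal is the durable one, because a client that resolves names over an encrypted channel necessarily produces HTTPS connections the sensor cannot explain, and the share of such connections per client separates DoH adopters from everyone else even when the resolver is unknown.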

The deployment of DoH by major tech companies fueled concerns about centralization. Critics argued that funneling vast volumes of DNS traffic through a small number of large DoH providers concentrated power in ways that undermined the decentralized spirit of the internet. Others questioned the implications for regulatory compliance, security monitoring, and even national sovereignty. In contrast, DoT allowed for a more federated model where individuals and organizations could run their own encrypted resolvers, maintaining autonomy while still benefiting from encryption.

Despite the controversy, both DoH and DoT have contributed significantly to improving DNS security. They have spurred broader adoption of DNS encryption among public resolvers, prompted improvements in DNS resolver transparency and accountability, and encouraged dialogue between stakeholders about balancing privacy, security, and control. DNS providers like Cloudflare, Quad9, and NextDNS now support both protocols, giving users a choice in how they secure their DNS traffic.

From a performance perspective, both protocols add a TCP and TLS handshake that plain UDP DNS never pays, so a client that opens a new connection per query is slower than before; real deployments keep connections open and use TLS session resumption to amortize that cost. DoH can then offer advantages because it rides on HTTP/2, where many outstanding queries share one connection, and increasingly on HTTP/3, where a lost packet no longer stalls unrelated streams, and because a browser can reuse the HTTP machinery it already has. This has made it attractive in mobile and high-performance environments. DoT also allows many queries and out-of-order responses over a single TLS connection (the pipelining defined for DNS over TCP in RFC 7766), so the gap is smaller than the HTTP/2 label suggests. What DoT offers in return is predictable behavior and ease of debugging: a port-853 flow is DNS and nothing else, which matters in systems administration and technical diagnostics. Ultimately, the choice between DoH and DoT comes down to use case, policy environment, and user preference.

As the internet continues to evolve toward a model of privacy by default, the importance of encrypted DNS will only grow. Whether DoH or DoT becomes dominant—or whether they coexist as complementary tools—depends on the community’s ability to reconcile competing priorities. What is clear is that both protocols represent critical steps forward in protecting the confidentiality of DNS queries, empowering users with greater control over their data, and challenging outdated assumptions about the transparency of internet infrastructure.

In the battle for encrypted DNS, there are no clear villains or victors—only an ongoing negotiation between performance, privacy, and governance. DoH and DoT each bring strengths and compromises to the table, and their coexistence underscores a healthy, if occasionally contentious, diversity of thought in internet protocol development. As adoption continues and real-world implementations mature, the lessons learned from this debate will shape not only how DNS evolves but how the internet itself defines the boundaries between trust, transparency, and user empowerment.
