Comparison of DNS Encryption Protocols: DoT, DoH, DoQ

A comparison of Plain DNS, DoT, DoH, and DoQ, covering their layered relationships, ports, performance differences, and suitable scenarios, with practical selection and configuration advice.

Quick Glossary

  • Plain DNS: Cleartext DNS, typically uses UDP/53, switching to TCP/53 when necessary (e.g., for truncated responses, zone transfers).
  • DoT: DNS over TLS, uses TCP over TLS, default port 853 (RFC 7858/8310).
  • DoH: DNS over HTTPS, based on HTTPS (HTTP/2 or HTTP/3), default port 443 (RFC 8484).
  • DoQ: DNS over QUIC, based on QUIC + TLS 1.3, default port UDP/853 (RFC 9250, IANA assigned to 853/udp).

Layered Relationship (Simplified TCP/IP Model)

  • Application Layer: HTTP, HTTPS, DNS (DoH is encapsulated within the HTTPS application layer)
  • Security Layer: TLS (provides encryption for TCP or QUIC)
  • Transport Layer: TCP, UDP, QUIC
  • Network Layer: IP
  • Link Layer: Ethernet, etc.
  • Physical Layer: Twisted pair/Fiber optic/Wireless, etc.

Key Points

  • Plain DNS operates over UDP/TCP, unencrypted.
  • DoT = TCP + TLS + DNS (dedicated port 853).
  • DoH = TCP/QUIC + TLS + HTTP(S) + DNS (uses port 443, shared with regular HTTPS).
  • DoQ = QUIC + TLS 1.3 + DNS (dedicated port UDP/853).

Layering diagram (Mermaid source):
graph TB
    subgraph Application Layer
        A[HTTP]
        A2[HTTPS]
        C[DNS]
        D[DoH DNS over HTTPS]
    end

    subgraph Security Layer
        E[TLS]
    end

    subgraph Transport Layer
        F[TCP]
        G[UDP]
        H[QUIC]
    end

    subgraph Network Layer
        I[IP]
    end

    subgraph Link Layer
        J[Ethernet]
    end

    subgraph Physical Layer
        K[Twisted Pair/Fiber/Wireless]
    end

    A2 --> F
    A2 --> H
    A --> F
    C --> F
    C --> G
    D --> A2
    E --> F
    E --> H
    F --> I
    G --> I
    H --> I
    I --> J
    J --> K

    style D fill:#e1f5fe
    style E fill:#fff3e0

Basics and Corrections

  • Plain DNS defaults to UDP/53, switching to TCP/53 for truncated responses (TC bit) or when reliable transport is needed.
  • DoT establishes a TLS tunnel over TCP to transmit DNS messages, default port 853; long-lived connections can be reused to reduce handshake overhead.
  • DoH treats DNS as a resource within HTTPS (application/dns-message), typically using HTTP/2 or HTTP/3, port 443, easily mixed with regular HTTPS traffic.
  • DoQ directly uses QUIC (based on UDP) to carry DNS, offering low latency and head-of-line blocking avoidance, but ecosystem adoption is still growing.
  • Broad statements like “QUIC is always X% faster than TCP” are inaccurate; actual performance depends on network conditions (packet loss, jitter, RTT), connection reuse capabilities, implementation details, and server deployment.
  • DoH is not inherently “slower/faster just because DNS is placed in HTTP”; performance depends on connection reuse, network quality, and implementation; in many cases, DoH/3 performance is comparable to or even better than DoT.
  • DoT clients send the resolver's authentication domain name as SNI and verify the server certificate against that name (the RFC 8310 strict profile); DoH relies on standard HTTPS certificate validation and hostname matching.
  • Encrypted DNS only prevents eavesdropping and tampering on the link; it does not equal “complete anonymity.” The resolver may still log queries; choose a trustworthy provider and review their privacy policy.
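The certificate and hostname checks described above, as a DoT client that enforces the RFC 8310 strict profile. This is an added example written for this page, not code from any resolver or operating system: the resolver IP and authentication domain name are placeholders supplied by the caller, and dot_exchange takes already-encoded DNS query messages as input.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # RFC 7858 default port


def make_dot_context(profile="strict"):
    """TLS context for the two RFC 8310 usage profiles.

    strict:        chain and hostname must validate, otherwise fail closed.
    opportunistic: encrypt when possible but do not authenticate the resolver;
                   this defeats passive eavesdropping only, not an on-path attacker.
    """
    ctx = ssl.create_default_context()  # system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # DoT is TLS 1.2/1.3
    ctx.set_alpn_protocols(["dot"])  # IANA-registered ALPN id for DNS over TLS
    if profile == "opportunistic":
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    elif profile != "strict":
        raise ValueError("unknown profile: %r" % profile)
    return ctx


def context_is_strict(ctx):
    """True if the context has the properties a strict-profile DoT client needs."""
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def dot_exchange(resolver_ip, auth_name, queries, timeout=5.0):
    """Send pre-encoded DNS queries over one DoT connection; return responses keyed
    by DNS message ID.

    auth_name is the authentication domain name (ADN) the certificate is checked
    against, and it is also sent as SNI. All queries are pipelined on a single TLS
    session (connection reuse, RFC 7858 section 3.4); responses may arrive out of
    order, hence the ID-keyed result.
    """
    ctx = make_dot_context("strict")
    responses = {}
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            for q in queries:
                tls.sendall(struct.pack("!H", len(q)) + q)  # RFC 7858 length prefix
            buf = b""
            while len(responses) < len(queries):
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("resolver closed the connection early")
                buf += chunk
                while len(buf) >= 2:
                    n = struct.unpack("!H", buf[:2])[0]
                    if len(buf) < 2 + n:
                        break
                    msg, buf = buf[2:2 + n], buf[2 + n:]
                    responses[struct.unpack("!H", msg[:2])[0]] = msg
    return responses
```

The opportunistic branch exists only to show what is given up: with check_hostname and certificate verification off, an on-path device can terminate the TLS session itself, so system-wide deployments (router, gateway, Android Private DNS in hostname mode) should pin a configured ADN and use the strict context.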

Protocol family diagram (Mermaid source):
graph TD
    subgraph DNS Family
        A[Plain DNS UDP/TCP + DNS]

        subgraph Encrypted DNS
            B[DoT TCP + TLS + DNS]
            C[DoH HTTP/2,3 + TLS + DNS]
            D[DoQ QUIC + TLS 1.3 + DNS]
        end

        subgraph Transport Base
            E[TCP]
            F[UDP]
            G[QUIC]
        end
    end

    A --> B
    A --> C
    A --> D

    B --> E
    C --> E
    C --> G
    D --> G
    A --> F

    style A fill:#f3e5f5
    style B fill:#e8f5e8
    style C fill:#e3f2fd
    style D fill:#fff3e0
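The encapsulation differences described in this section in working code: the 2-octet length prefix that DoT and DoQ share with DNS over TCP, the HTTP body or base64url query parameter that DoH uses, and the TC bit that tells a plain-DNS client to leave UDP. This is an added example written for this page, not code from any resolver project; the DoH base URL in the usage is a placeholder.

```python
import base64
import struct

# RFC 1035 header flag bits and question constants used below
RD_FLAG = 0x0100   # recursion desired (set in queries)
TC_FLAG = 0x0200   # truncated (set in responses that did not fit in UDP)
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a hostname as DNS wire-format labels (length-prefixed, zero-terminated)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("invalid label: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name, qtype=QTYPE_A, msg_id=0):
    """Build a single-question DNS query message (12-byte header + question)."""
    header = struct.pack("!HHHHHH", msg_id, RD_FLAG, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def with_msg_id(msg, msg_id):
    """Return a copy of msg with the 16-bit header ID replaced."""
    return struct.pack("!H", msg_id) + msg[2:]


def is_truncated(msg):
    """True if the TC bit is set: the UDP answer was cut, retry over TCP (or an
    encrypted transport, which never truncates for size)."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & TC_FLAG)


def frame_dot(msg):
    """DoT framing (RFC 7858 section 3.3): the same 2-octet big-endian length
    prefix as DNS over TCP (RFC 1035 section 4.2.2), followed by the message."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp_stream(stream):
    """Split a DoT/TCP byte stream into whole DNS messages; returns (messages, leftover)."""
    messages = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:
            break
        messages.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return messages, stream


def frame_doq(msg):
    """DoQ framing (RFC 9250 section 4.2): one message per QUIC stream with the
    same 2-octet length prefix; section 4.2.1 requires the DNS message ID to be 0."""
    return struct.pack("!H", len(msg)) + with_msg_id(msg, 0)


def doh_post(msg):
    """DoH POST (RFC 8484 section 4.1): the raw message is the HTTP body, typed
    application/dns-message. Returns (headers, body)."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return headers, msg


def doh_get_url(base_url, msg):
    """DoH GET (RFC 8484 section 4.1): the message goes base64url-encoded, without
    padding, in the 'dns' query parameter; ID 0 keeps the URL cache-friendly."""
    encoded = base64.urlsafe_b64encode(with_msg_id(msg, 0)).rstrip(b"=").decode("ascii")
    return base_url + "?dns=" + encoded


def decode_doh_get(url):
    """Inverse of doh_get_url: recover the DNS message from a GET URL."""
    param = url.split("?dns=", 1)[1]
    param += "=" * (-len(param) % 4)  # restore the padding stripped on encode
    return base64.urlsafe_b64decode(param)


if __name__ == "__main__":
    q = build_query("example.com", msg_id=0x1234)
    print(frame_dot(q).hex())
    print(doh_get_url("https://doh.example.invalid/dns-query", q))  # placeholder URL
```

Note what stays the same and what changes across transports: the DNS message itself is identical everywhere, only the framing differs, which is why a resolver can front all four protocols with one message parser. The ID-zeroing in the DoQ and DoH GET paths is not cosmetic: DoQ forbids non-zero IDs, and a fixed ID is what lets HTTP caches in front of a DoH server hit on repeated GET queries.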

Comparison Overview

Protocol  | Transport Layer | Encryption  | Encapsulation  | Default Port | Typical Characteristics
----------|-----------------|-------------|----------------|--------------|------------------------
Plain DNS | UDP/TCP         | None        | Native DNS     | 53           | Simple, efficient; plaintext visible, easily tampered with or monitored
DoT       | TCP             | TLS 1.2/1.3 | DNS            | 853          | Dedicated port, easily blocked by port; good system-level support
DoH       | TCP/QUIC        | TLS 1.2/1.3 | HTTP/2-3 + DNS | 443          | Shares port with HTTPS, hard to block by port alone; first-class browser support
DoQ       | QUIC            | TLS 1.3     | DNS            | 853/UDP      | Low latency, avoids head-of-line blocking; ecosystem still developing

Performance and Latency

  • Connection Reuse: DoT/DoH/DoQ can all reuse long-lived connections to reduce handshake costs; DoH/2, DoH/3, and DoQ can also multiplex requests within a single connection.
  • Head-of-Line Blocking: Over TCP, a lost segment stalls every stream queued behind it; HTTP/2 multiplexing removes per-request queuing at the application layer but remains exposed to that TCP-level stall. QUIC (DoH/3, DoQ) avoids head-of-line blocking at the transport layer, which makes it more friendly to high packet loss and mobile networks.
  • First Packet Latency: On initial connection, DoT requires TCP+TLS handshake; DoH/2 is similar; DoH/3/DoQ, based on QUIC, offer faster reconnection and migration. Under sustained load, differences depend more on implementation and network conditions.
  • Reachability: DoH uses port 443, the least likely to be blocked by simple port filtering; DoT uses port 853, which is often blocked indiscriminately; DoQ uses UDP/853, which some networks still block or do not yet permit.

Client and System Support

  • Browsers: Chromium family and Firefox have built-in DoH by default (can automatically upgrade to DoH-capable resolvers or use built-in provider lists).
  • Windows: Windows 11 has native DoH support.
  • Android: Android 9+ provides “Private DNS” (system-level DoT). System-level DoH support depends on version/manufacturer.
  • Apple Platforms: iOS 14+/macOS 11+ support DoT and DoH via configuration profiles or NetworkExtension.

Deployment and Selection Recommendations

  • General/Restricted Networks (e.g., public Wi-Fi, need to bypass simple blocking): Prioritize DoH (port 443), enable HTTP/3 if available.
  • System-Wide Outbound (router, gateway, Android Private DNS): Prioritize DoT (853), optionally configure DoH as a fallback if the network allows.
  • High Packet Loss/Mobile Networks: Prioritize DoH/3 with QUIC or DoQ (depending on resolver and client support).
  • Enterprise/Compliance Scenarios: Choose based on policy (DoH can integrate with existing HTTPS infrastructure; DoT facilitates separation from DNS control plane).

Summary

  • First choice: DoH (port 443, hard to block by port alone); enable HTTP/3 if available.
  • If system-wide unification is needed: Prioritize DoT (853) + persistent connections, fall back to DoH (443) if necessary.
  • If your resolver and clients both support it: Try DoQ (often provides better mobile network experience).

Reference Standards

  • RFC 7858, RFC 8310 (DNS over TLS)
  • RFC 8484 (DNS over HTTPS)
  • RFC 9250 (DNS over QUIC)