Encrypted DNS in 2026: DoH, DoT and DoQ compared with real benchmarks


DNS over HTTPS, DNS over TLS, and DNS over QUIC: Which Encrypted DNS Protocol Should You Use? - Copahost



May 21, 2026

By Gustavo Gallas

Reading Time: 9 minutes

DNS

You already know that DNS translates domain names into IP addresses — the internet’s phone book, as the classic analogy goes. If you want a refresher on how DNS works at its core, our introduction to DNS covers the fundamentals.

But here is something most website owners don’t know: every DNS query your visitors make is sent in plain text by default. That means your ISP, network administrators, and anyone monitoring the connection can see exactly which domains are being resolved — even when the page content itself is protected by HTTPS. This is the problem that encrypted DNS was designed to solve.

In practice, there are four protocols that replace unencrypted DNS: DNS over HTTPS (DoH), DNS over TLS (DoT), DNS over QUIC (DoQ), and DNS over HTTPS/3 (DoH3). Each one encrypts your DNS queries using a different transport layer, with different tradeoffs in performance, privacy, and compatibility. If you have ever searched for DoH vs DoT and found conflicting answers, this article explains why — and gives you real benchmark data from over 3,000 resolvers to help you decide which encrypted DNS protocol is right for your website.

Why Unencrypted DNS Is Still a Problem in 2026

When a visitor types your domain name into their browser, their device sends a DNS query before any connection to your server is established. That query travels over the network in plain text on port 53 — visible to:

- The visitor’s ISP
- Anyone monitoring the local network (coffee shop Wi-Fi, corporate proxies)
- Government-level surveillance infrastructure
- Attackers conducting DNS hijacking

This happens regardless of whether your site uses HTTPS. The HTTPS encryption protects the content of the page. The DNS query that happens before the connection is made is a completely separate, unprotected step.

DNS hijacking exploits this gap: an attacker intercepts the plain-text DNS query and returns a false IP address, redirecting the visitor to a malicious site that looks identical to yours. For websites in sensitive sectors — banking, healthcare, e-commerce — this is a real attack vector with documented incidents.

The encrypted DNS protocols solve this by wrapping the DNS query in a secure transport layer. The question is which one to use, and for what purpose.

The Five DNS Protocols You Need to Know

Do53 — Classic DNS (Unencrypted)

Port: 53 (UDP and TCP)
Encryption: None
Status: Still dominant, but declining for privacy-sensitive use cases

The original DNS protocol, defined in RFC 1035 in 1983. Fast, simple, universally supported. The problem is that it was designed in an era when the internet was a small academic network — privacy was not a design concern. Every query is sent in plain text.

For server-to-server communication in controlled environments (internal networks, data centers), Do53 is still reasonable. For client-facing DNS — the queries your visitors make from their browsers — it should be replaced by one of the encrypted alternatives.

DoT — DNS over TLS

Port: 853
Transport: TCP + TLS 1.3
RFC: 7858 (2016)
Encryption: Yes
Status: Widely deployed, supported by most major resolvers

DoT wraps DNS queries in TLS — the same encryption layer used by HTTPS. It runs on a dedicated port (853), which makes it easy for network administrators to identify, filter, or block encrypted DNS traffic.

The advantage is simplicity: it is essentially the same encryption model that secures web traffic, applied to DNS. The disadvantage is that the dedicated port makes it easy to detect and block — which is why it has seen limited browser adoption but strong adoption in enterprise and mobile operating systems.

Android 9+ and iOS 14+ support DoT natively as "Private DNS." If a visitor is using a modern mobile device, there is a reasonable chance their DNS queries are already using DoT — regardless of what your server does.

Performance consideration: DoT requires a TCP three-way handshake plus a TLS handshake before the first query — adding approximately 2 round-trip times of latency compared to Do53. For high-frequency DNS environments, this matters.

DoH — DNS over HTTPS

Port: 443
Transport: HTTPS (HTTP/2 or HTTP/3)
RFC: 8484 (2018)
Encryption: Yes
Status: Default in Firefox and Chrome; widely adopted

DoH tunnels DNS queries inside standard HTTPS traffic on port 443 — the same port used for all web traffic. This makes it indistinguishable from regular browsing traffic, which means it cannot be selectively blocked without blocking all HTTPS.

This is both its greatest strength and the source of its most significant controversy. Enterprise network administrators who need to monitor and filter...
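To make the "plain text on port 53" problem and the two encrypted transports above concrete, here is an added example (written for this page, not code from the Copahost article or from any resolver vendor). It builds the same DNS query message that Do53, DoT and DoH all carry, parses the query name back out of the cleartext Do53 payload the way a passive observer would, and then shows the framing each encrypted transport puts around the identical message: the two-byte length prefix that DoT (RFC 7858) inherits from DNS over TCP inside a TLS session on port 853, and the base64url GET form that DoH (RFC 8484) sends on port 443. The function names, the example name `example.com`, and the `query_over_dot` helper (which needs a network and a resolver hostname you supply) are this example's own assumptions; the RFC numbers and ports come from the article.

```python
"""Do53 vs DoT vs DoH on the wire: one DNS message, three transports.

Added example for the article above; not the article's or any vendor's code.
"""
import base64
import socket
import ssl
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (RFC 1035 section 4): 12-byte header plus one
    question. qtype 1 = A record, QCLASS 1 = IN. Flags 0x0100 set RD so the
    resolver recurses on our behalf."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def observed_qname(packet: bytes) -> str:
    """What anyone on the path sees in a Do53 packet: the question name can be
    read straight out of the cleartext UDP payload, no key material needed."""
    pos = 12  # skip the fixed header
    labels = []
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def frame_for_dot(message: bytes) -> bytes:
    """DoT (RFC 7858) reuses DNS-over-TCP framing: a two-byte big-endian length
    prefix before each message. The framed bytes travel inside TLS on port 853,
    so an observer sees only the TLS session, not this content."""
    return struct.pack("!H", len(message)) + message


def doh_get_path(message: bytes, path: str = "/dns-query") -> str:
    """DoH (RFC 8484) GET form: the wire-format message is base64url-encoded with
    the '=' padding removed and carried in the 'dns' query parameter over HTTPS
    on port 443. RFC 8484 asks clients to use transaction ID 0 in this form so
    identical queries are HTTP-cacheable."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{path}?dns={encoded}"


def decode_doh_get(path: str) -> bytes:
    """Server side of the GET form: pull the 'dns' parameter and restore the
    padding the client stripped before decoding."""
    encoded = path.split("dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS session early")
        buf += chunk
    return buf


def query_over_dot(resolver_host: str, name: str, timeout: float = 3.0) -> bytes:
    """Send one query over DoT and return the raw DNS answer. Requires network
    access and is not exercised by the offline checks. The resolver is given by
    hostname so the default context validates its certificate against that name
    (a resolver that fails validation raises instead of being trusted)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver_host, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_host) as tls:
            tls.sendall(frame_for_dot(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


if __name__ == "__main__":
    q = build_query("example.com")  # constructed sample query
    print("Do53 payload on port 53 exposes:", observed_qname(q))
    print("DoT frame inside TLS/853      :", frame_for_dot(q).hex())
    print("DoH GET on HTTPS/443          :", doh_get_path(build_query("example.com", txid=0)))
```

The offline part is the point: `observed_qname` works on the Do53 payload because nothing protects it, while the DoT frame and the DoH path are only ever seen by the resolver after TLS decryption. If you do call `query_over_dot`, pass the resolver's hostname rather than an IP so certificate validation stays meaningful; if the address you are given does not match the presented certificate, the call fails closed.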

