# DoH and DoT Overview

DNS over HTTPS (DoH) and DNS over TLS (DoT) are encrypted DNS protocols designed to solve the security problems of traditional DNS. They encrypt DNS queries and responses to prevent man-in-the-middle attacks, eavesdropping, and DNS hijacking.

## Why Encrypted DNS is Needed

### Security Issues with Traditional DNS

```text
┌─────────┐        Plaintext UDP 53        ┌────────────┐
│ Client  │ ◄────────────────────────────► │ DNS Server │
└─────────┘                                └────────────┘
                        ↑
         Man-in-the-middle can eavesdrop and tamper
```
Risks:
- DNS queries are eavesdropped, exposing websites users visit
- DNS responses are tampered, leading to phishing sites
- ISPs can record and analyze users' DNS queries
## DNS over TLS (DoT)

### How It Works

DoT uses the TLS protocol to encrypt DNS queries, adding a TLS encryption layer on top of the standard DNS protocol.

```text
┌─────────┐      TLS Encrypted Tunnel      ┌────────────┐
│ Client  │ ◄────────────────────────────► │ DoT Server │
│         │            Port 853            │            │
└─────────┘                                └────────────┘
```

Protocol Stack:

```text
Application Layer: DNS Query/Response
Transport Layer:   TLS Encryption
Network Layer:     TCP
```
### Technical Characteristics
| Feature | Description |
|---|---|
| Transport Protocol | TCP |
| Port | 853 (Dedicated Port) |
| Encryption Method | TLS 1.2 or TLS 1.3 |
| Certificate Verification | Requires server certificate verification |
### Communication Flow

1. Client establishes a TCP connection with the DoT server (port 853)
2. TLS handshake, negotiating encryption parameters
3. Verify the server certificate
4. Send the DNS query through the encrypted tunnel
5. Receive the encrypted DNS response

### Configuration Example

systemd-resolved Configuration:

```ini
[Resolve]
# Append #<name> to an address (e.g. 8.8.8.8#dns.google) so resolved also
# validates the certificate against the resolver name, not only the CA chain
DNS=8.8.8.8 8.8.4.4
DNSOverTLS=yes
```

Android Configuration (Private DNS):

```text
Private DNS provider hostname: dns.google
```
## DNS over HTTPS (DoH)

### How It Works

DoH encapsulates DNS queries in HTTPS requests, using the standard HTTP/2 protocol for transmission.

```text
┌─────────┐     HTTPS Request/Response     ┌────────────┐
│ Client  │ ◄────────────────────────────► │ DoH Server │
│         │            Port 443            │            │
└─────────┘                                └────────────┘
```

Protocol Stack:

```text
Application Layer: DNS Message (encapsulated in HTTP body)
Transport Layer:   HTTP/2
Security Layer:    TLS 1.2/1.3
Network Layer:     TCP
```
### Technical Characteristics
| Feature | Description |
|---|---|
| Transport Protocol | HTTP/2 over TLS |
| Port | 443 (Same as HTTPS) |
| Request Method | GET or POST |
| Content Type | application/dns-message |
### Communication Flow

1. Client establishes an HTTPS connection with the DoH server (port 443)
2. Encode the DNS query in DNS wire (message) format
3. Send the request via HTTP POST or GET
4. Server returns an HTTP response containing the DNS response
5. Client parses the DNS response from the HTTP body

### Request Example

POST Request:

```http
POST /dns-query HTTP/1.1
Host: cloudflare-dns.com
Content-Type: application/dns-message
Content-Length: 33

<binary DNS query message>
```

Response:

```http
HTTP/1.1 200 OK
Content-Type: application/dns-message
Content-Length: 65

<binary DNS response message>
```
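The DoT flow and the DoH request above, worked out in code. This is an added example written for this page, not code from the original article or from any resolver operator. It builds the wire-format DNS query that both protocols carry (the A query for `www.example.com` is 33 bytes, the same size as the POST example's body), frames it for DoT with the two-byte length prefix of RFC 7858, encodes it as the base64url `dns` parameter of a DoH GET per RFC 8484, builds a TLS context that enforces the certificate verification listed in the DoT table, and parses the answer section of a response. The resolver URL comes from the request example; the sample response bytes and the 192.0.2.1 address are constructed for the example. It generalizes slightly beyond the text by handling DNS name compression and truncated DoT frames, which a parser meets on real responses.

```python
"""Added example, not code from the original article: build a wire-format DNS
query, frame it for DoT (RFC 7858) and encode it for DoH (RFC 8484), and parse
the answer section of a response. All message bytes are constructed locally."""
import base64
import ssl
import struct
import urllib.parse

def build_query(name, qtype=1, txid=0):
    """Wire-format query (RFC 1035): 12-byte header, one question, RD=1.
    RFC 8484 suggests txid 0 for DoH so identical queries hit HTTP caches."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def dot_frame(msg):
    """DoT reuses DNS-over-TCP framing: 2-byte big-endian length, then message."""
    return struct.pack("!H", len(msg)) + msg

def dot_unframe(buf):
    """Inverse of dot_frame; a short read is an error, never a partial parse."""
    if len(buf) < 2:
        raise ValueError("missing length prefix")
    (n,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + n:
        raise ValueError("truncated DNS message")
    return buf[2:2 + n]

def dot_tls_context():
    """TLS settings from the DoT table: TLS 1.2+, CA and hostname verification.
    Use ctx.wrap_socket(sock, server_hostname=<resolver name>) on port 853."""
    ctx = ssl.create_default_context()          # system CAs, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    return ctx

def doh_get_url(base, msg):
    """DoH GET form: base64url message with '=' padding removed, in ?dns=."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return base + "?" + urllib.parse.urlencode({"dns": b64})

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = off + 2                     # resume here after the jump
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:                         # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)

def parse_answers(msg):
    """Return [(name, rtype, rdata)] from the answer section; raise on RCODE."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return answers

# Constructed sample response (not captured from a real resolver): the answer
# name is a pointer (0xC00C) back to the question; A record for 192.0.2.1.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("www.example.com")            # 33 bytes, as in the POST example
    print(doh_get_url("https://cloudflare-dns.com/dns-query", q))
    print(dot_frame(q).hex())
    print(parse_answers(dot_unframe(dot_frame(SAMPLE_RESPONSE))))
```

For a live DoT exchange the same pieces fit together as: open a TCP socket to the resolver on 853, wrap it with `dot_tls_context()` and the resolver's hostname, send `dot_frame(build_query(...))`, read the 2-byte length and then exactly that many bytes, and hand the result to `dot_unframe` and `parse_answers`. For DoH the GET URL above is fetched with an `Accept: application/dns-message` header, or the raw query is sent as the POST body with the headers shown in the request example.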
### Configuration Example

Firefox Configuration:

```text
about:config
network.trr.mode = 2
network.trr.uri = https://cloudflare-dns.com/dns-query
```

Chrome Configuration:

```text
Settings → Privacy and Security → Security → Use secure DNS
Select: Cloudflare (1.1.1.1)
```
## DoH vs DoT Detailed Comparison
| Comparison Item | DoT | DoH |
|---|---|---|
| Protocol Layer | Transport Layer (TLS) | Application Layer (HTTPS) |
| Port | 853 (Dedicated) | 443 (Shared with HTTPS) |
| Traffic Characteristics | Easily identified as DNS traffic | Mixed with normal HTTPS traffic |
| Deployment Difficulty | Simpler | Requires HTTP server support |
| Performance | Slightly better (less protocol overhead) | Slightly worse (HTTP overhead) |
| Firewall Penetration | May be blocked by enterprise firewalls | Difficult to block (same as HTTPS) |
| Logging | Dedicated DNS logs | Mixed in Web access logs |
## Pros and Cons of Each

### DoT Advantages

- ✅ Simple Protocol: directly adds a TLS layer on top of DNS
- ✅ Better Performance: less protocol overhead, lower latency
- ✅ Dedicated Port: clear traffic separation
- ✅ Easy to Monitor: network administrators can distinguish DNS traffic

### DoT Disadvantages

- ❌ Easily Identified: the dedicated port 853 is easily blocked by firewalls
- ❌ Less Privacy: ISPs can tell you are using encrypted DNS
- ❌ Restricted in Enterprises: may be blocked by enterprise security policies

### DoH Advantages

- ✅ High Stealth: traffic is indistinguishable from normal HTTPS
- ✅ Firewall Friendly: port 443 is usually open
- ✅ Easy to Deploy: reuses existing Web infrastructure
- ✅ Privacy Protection: ISPs cannot distinguish DNS queries from Web access

### DoH Disadvantages

- ❌ Complex Protocol: requires an HTTP/2 protocol stack
- ❌ Performance Overhead: HTTP headers add extra overhead
- ❌ Hard to Monitor: enterprise network administrators cannot audit DNS queries
- ❌ Mixed Logs: DNS logs are mixed with Web logs
## Major DoH/DoT Service Providers
| Provider | DoH Address | DoT Address | Features |
|---|---|---|---|
| Cloudflare | https://cloudflare-dns.com/dns-query | 1.1.1.1:853 | Fast, privacy-first |
| Google | https://dns.google/dns-query | 8.8.8.8:853 | Stable and reliable |
| Quad9 | https://dns.quad9.net/dns-query | 9.9.9.9:853 | Malicious domain blocking |
| Alibaba | https://dns.alidns.com/dns-query | 223.5.5.5:853 | Fast domestic access |
| DNSPod | https://doh.pub/dns-query | - | Tencent subsidiary |
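The monitoring difference described in the comparison table (DoT identified by its port, DoH mixed into HTTPS) can be checked against connection records. The following is an added example written for this page, not part of the original article: a small classifier that applies those traffic characteristics to constructed flow records. DoT is recognised from port 853 alone; DoH is recognised only when the TLS SNI or the destination address matches one of the providers listed above, so a query to a resolver that is not in that list is reported as ordinary HTTPS, which is exactly the visibility gap the tables describe. The record fields, the sample flows and the private and documentation addresses in them are assumptions made for the example.

```python
"""Added example (not from the original article): classify constructed
connection records using the characteristics from the comparison table.
DoT is recognised by its dedicated port 853; DoH only when the TLS SNI or
the destination matches a known resolver from the provider table."""
from collections import Counter

# Hostnames and addresses taken from the provider table above; extend this
# with any internal or otherwise approved resolvers.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net",
                   "dns.alidns.com", "doh.pub"}
KNOWN_RESOLVER_IPS = {"1.1.1.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "223.5.5.5"}

def classify(rec):
    """rec: dict with dst_ip, dst_port, proto and an optional sni (the server
    name from the TLS ClientHello). Returns dns, dot, doh, https or other."""
    port, proto = rec["dst_port"], rec["proto"]
    if port == 53 and proto in ("udp", "tcp"):
        return "dns"                  # plaintext DNS
    if port == 853 and proto == "tcp":
        return "dot"                  # dedicated port: identifiable by itself
    if port == 443 and proto == "tcp":
        sni = rec.get("sni", "")
        if sni in KNOWN_DOH_HOSTS or rec["dst_ip"] in KNOWN_RESOLVER_IPS:
            return "doh"              # only known public resolvers are caught
        return "https"                # indistinguishable from ordinary web traffic
    return "other"

def summarize(records):
    """Count records per class; the 'https' bucket may hide unknown DoH."""
    return Counter(classify(r) for r in records)

# Constructed sample records (not real captures). 10.0.0.0/8 and 203.0.113.0/24
# are private/documentation ranges used as placeholders.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst_ip": "10.0.0.1", "dst_port": 53, "proto": "udp"},
    {"src": "10.0.0.5", "dst_ip": "1.1.1.1", "dst_port": 853, "proto": "tcp",
     "sni": "cloudflare-dns.com"},
    {"src": "10.0.0.7", "dst_ip": "8.8.8.8", "dst_port": 443, "proto": "tcp",
     "sni": "dns.google"},
    {"src": "10.0.0.7", "dst_ip": "203.0.113.10", "dst_port": 443, "proto": "tcp",
     "sni": "www.example.com"},
    # A DoH resolver not in the provider list: classified as plain HTTPS.
    {"src": "10.0.0.9", "dst_ip": "203.0.113.20", "dst_port": 443, "proto": "tcp",
     "sni": "resolver.example.net"},
]

if __name__ == "__main__":
    for r in SAMPLE_FLOWS:
        print(f'{r["dst_ip"]}:{r["dst_port"]:<4} {r.get("sni", "-"):<22} -> {classify(r)}')
    print(summarize(SAMPLE_FLOWS))
```

The last sample record is the point of the example: it is a DoH query in every respect, but nothing in the record distinguishes it from the `www.example.com` connection above it, so port- and SNI-based matching only ever catches resolvers you already know about.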
## How to Choose Between DoH and DoT

### Scenarios for Choosing DoT
- Enterprise network environments requiring DNS traffic monitoring
- Pursuing best performance, reducing protocol overhead
- Network administrators need to audit DNS queries
- Firewall policies allow port 853
### Scenarios for Choosing DoH
- Public WiFi and other untrusted networks
- Need to bypass DNS censorship or hijacking
- Pursuing highest privacy protection
- Enterprise firewalls block port 853
### Practical Recommendations

- Individual users (privacy priority): DoH
- Enterprise users (management needs): DoT
- Mobile devices (variable networks): DoH
- Server environments (performance priority): DoT
## Common Interview Questions
Q: What's the difference between DoH and HTTPS?
A: DoH uses HTTPS as the transport layer to transmit DNS messages. Regular HTTPS transmits Web content (HTML, JS, etc.), while DoH transmits DNS queries and response messages (binary format).
Q: Why is DoH harder to block by firewalls than DoT?
A: Because DoH uses standard HTTPS port 443, traffic characteristics are identical to normal Web access. DoT uses dedicated port 853, which is easily identified and blocked.
Q: Can DoH/DoT completely prevent DNS hijacking?
A: They can prevent hijacking and eavesdropping during transmission, but cannot prevent:
- The client configuration being tampered with by malware
- The DoH/DoT server itself being attacked
- The local hosts file being modified
## Summary
| Aspect | DoT | DoH |
|---|---|---|
| Core Protocol | TLS | HTTPS |
| Best Scenario | Enterprise networks, performance priority | Privacy protection, bypass censorship |
| Deployment Difficulty | Low | Medium |
| Privacy Protection | Good | Excellent |
| Performance | Excellent | Good |
| Firewall Penetration | Poor | Excellent |
Trend: Currently DoH is more favored by browser vendors (Firefox, Chrome default support), while DoT is more supported by system-level and network device vendors. Both are effective solutions for encrypted DNS, and the choice depends on specific scenario requirements.