DNS over HTTPS vs DNS over TLS in 2026: Which Is Better?
Disclosure: SpeedTestHQ is reader-supported. We may earn a commission from purchases made through links on this page, at no extra cost to you. We only recommend products we've tested or extensively researched. Last updated May 2026.
DNS over HTTPS (DoH) and DNS over TLS (DoT) both encrypt DNS queries — a major upgrade from unencrypted DNS. DoH runs on port 443 (HTTPS) so it blends with regular web traffic and is harder to block. DoT runs on dedicated port 853, making it easier to identify and filter at the network level. Browsers default to DoH; OS-level and router DNS should use DoT or DoH. Both are good — DoH is more practical for end users.
DoH vs DoT: At-a-Glance
| Feature | DNS over HTTPS (DoH) | DNS over TLS (DoT) | Winner |
|---|---|---|---|
| Port | 443 (standard HTTPS port) | 853 (dedicated DNS port) | DoH (harder to block) |
| Traffic type | HTTPS (blends with web traffic) | TLS-wrapped DNS (identifiable) | DoH |
| Blockability | Hard to block without blocking all HTTPS | Easy to block (port 853 can be firewalled) | DoH |
| Browser support | Native in Chrome, Firefox, Edge, Safari | Not natively supported in browsers | DoH |
| OS support | Windows 11, Android 9+, iOS 14+ | Android 9+, iOS 14+, Linux (systemd-resolved) | Tie |
| Privacy level | High (TLS 1.3 encryption) | High (TLS 1.3 encryption) | Tie |
| Performance overhead | Low (HTTP/2 or HTTP/3 multiplexing) | Low (persistent TLS connection) | Tie |
| Router support | Less common | Common (Asus, pfSense, OPNsense, UniFi) | DoT (for router deployment) |
| ISP visibility | Not visible (blends with HTTPS) | Identifiable as DNS on port 853 | DoH |
| Recommended for | Browsers, personal devices, public Wi-Fi | Routers, enterprise networks, OS-level | Use-case dependent |
Why Both Matter: The Unencrypted DNS Problem
Traditional DNS queries are sent in plaintext over UDP port 53. This means:
- Your ISP can see every domain you resolve (even if the content is HTTPS-encrypted)
- Network administrators, public Wi-Fi operators, and anyone intercepting traffic can log your browsing habits by domain
- DNS spoofing attacks (returning false IP addresses) are possible without DNSSEC
DoH and DoT both solve this by wrapping DNS queries in TLS encryption — the same encryption used for HTTPS web traffic.
Which Should You Use?
| Use Case | Recommended Protocol | Provider |
|---|---|---|
| Browser-level DNS (Chrome, Firefox) | DoH | Cloudflare 1.1.1.1 or Google 8.8.8.8 |
| Android / iOS device-level | DoT ("Private DNS" setting) | one.one.one.one (Cloudflare) |
| Windows 11 OS-level | DoH | Cloudflare or Google in Network Settings |
| Router-level (whole network) | DoT | Cloudflare 1.1.1.1 or Quad9 9.9.9.9 |
| Pi-hole / Unbound setup | DoT | Stubby forwarding to 1.1.1.1#853 |
| Public / corporate networks | DoH | Harder to block by network admin |
Popular Encrypted DNS Resolvers
| Resolver | DoH URL | DoT Hostname | Notable Feature |
|---|---|---|---|
| Cloudflare | https://cloudflare-dns.com/dns-query | one.one.one.one | Fastest, strong privacy policy |
| Google | https://dns.google/dns-query | dns.google | Highly reliable, global anycast |
| Quad9 | https://dns.quad9.net/dns-query | dns.quad9.net | Malware blocking, nonprofit |
| NextDNS | Custom per account | Custom per account | Customizable filtering, logging |
Frequently Asked Questions
What is DNS over HTTPS?
DNS over HTTPS (DoH) is a protocol that sends DNS queries encrypted inside standard HTTPS traffic on port 443. This means your DNS lookups are indistinguishable from regular web traffic — your ISP, network admin, or anyone monitoring the connection cannot see which domains you are resolving. DoH is supported natively in Firefox, Chrome, Edge, and most modern browsers. It was standardized in RFC 8484 (2018).
Is DoH or DoT more private?
Both DoH and DoT provide the same level of encryption — TLS 1.3 in both cases — so neither is more private in terms of what the DNS resolver sees. The practical difference is who can observe that you are making encrypted DNS queries. DoT on port 853 is identifiable as DNS traffic and can be blocked or monitored at the network level. DoH on port 443 blends with all HTTPS traffic and cannot be selectively blocked without also blocking all HTTPS. For user privacy against ISP monitoring, DoH is more robust.
Does DNS over HTTPS slow down the internet?
DoH adds a small overhead compared to unencrypted DNS — the TLS handshake and HTTPS framing add a few milliseconds to the first DNS resolution. In practice, with DNS caching and persistent connections, the performance difference between DoH and unencrypted DNS is negligible for normal web browsing (under 10ms per query). DNS-over-TLS has similar performance. Connection reuse (HTTP/2 or HTTP/3 for DoH) further reduces overhead on repeated queries.
Does my router support encrypted DNS?
Many modern routers support DNS over TLS (DoT) in their firmware — including Asus routers with AsusWRT, pfSense/OPNsense, UniFi, and DD-WRT. DNS over HTTPS at the router level is less common but growing. If your router doesn't support DoT/DoH natively, you can run a local DNS resolver like Pi-hole with Unbound, or Stubby, to forward queries over DoT to Cloudflare (1.1.1.1) or Google (8.8.8.8). Most consumer routers from 2023+ include DoT support.
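For the Pi-hole / Unbound row in the table above and the Stubby forwarding described in this answer, here is an example stubby.yml added here (not Stubby's shipped default file). It assumes Stubby listens on 127.0.0.1 port 5353, a constructed choice, with Pi-hole pointed at 127.0.0.1#5353 as its custom upstream; 1.0.0.1 is Cloudflare's secondary resolver address, and one.one.one.one is the DoT hostname from the resolver table above.

```yaml
# stubby.yml: local DoT stub forwarder so clients that only speak plain
# DNS (Pi-hole, dnsmasq, the OS resolver) still reach 1.1.1.1 over port 853.
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS            # TLS only: never fall back to plaintext 53
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED   # verify the resolver cert
tls_query_padding_blocksize: 128    # pad queries so message sizes leak less
edns_client_subnet_private: 1       # do not forward client subnet upstream
round_robin_upstreams: 1            # spread queries across both addresses
idle_timeout: 10000                 # keep the TLS session open for reuse (ms)
listen_addresses:
  - 127.0.0.1@5353                  # assumed: Pi-hole upstream = 127.0.0.1#5353
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_port: 853
    tls_auth_name: "one.one.one.one"   # name the certificate must match
  - address_data: 1.0.0.1
    tls_port: 853
    tls_auth_name: "one.one.one.one"
```

With tls_authentication set to REQUIRED, a certificate that does not match tls_auth_name makes Stubby refuse the upstream rather than silently downgrade, which is the check that turns DoT from "encrypted" into "encrypted to the resolver you intended".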
Should I use 1.1.1.1 or 8.8.8.8?
Cloudflare's 1.1.1.1 is generally faster than Google's 8.8.8.8 in benchmark tests and has a strong privacy policy (Cloudflare commits to not selling DNS query data). Google's 8.8.8.8 is highly reliable and widely deployed. For privacy-focused users, 1.1.1.1 is the preferred choice. For maximum reliability without privacy concerns, 8.8.8.8 is a solid default. Both support DoH and DoT. You can also use Quad9 (9.9.9.9) for DNS-level malware blocking with privacy protections.