DNS over HTTPS vs DNS over TLS Explained

DNS over HTTPS (DoH) and DNS over TLS (DoT) are two methods for encrypting DNS queries — the lookups your device makes to translate domain names like example.com into IP addresses. Standard DNS is sent in plaintext, meaning your ISP and anyone on the network can see every domain you query. Both DoH and DoT encrypt these queries. They use different ports and integration approaches, which affects how network administrators can monitor and filter them.

Why Unencrypted DNS Is a Privacy Problem

Standard DNS queries travel in plaintext over UDP port 53. Every device on the path between you and the DNS resolver — your ISP's routers, network monitoring equipment, your router itself — can read exactly which domain names you query. This reveals your browsing patterns even when the websites themselves use HTTPS, because HTTPS encrypts the page contents but not the DNS lookup that precedes the connection.

ISPs have commercially exploited this visibility. DNS query interception lets ISPs redirect failed queries to search pages with ads, inject results, and build behavioral profiles. Some countries use DNS interception for censorship, redirecting blocked domains rather than simply refusing to resolve them.

DNS over HTTPS (DoH)

DoH wraps DNS queries inside standard HTTPS traffic on port 443. The DNS query looks like any other HTTPS request — an observer on the network cannot distinguish it from loading a web page. This makes DoH very difficult to block without disrupting normal web traffic entirely, which is why it is preferred in censorship-circumvention contexts.

DoH is supported natively in Firefox (with Cloudflare as default), Chrome, and Edge. When enabled in the browser, DNS queries from that browser are encrypted regardless of the OS or router DNS settings — other applications on the same machine still use regular DNS unless the OS-level DoH is also configured. Android 9+ supports DoH as Private DNS. Windows 11 supports DoH at the OS level.

DNS over TLS (DoT)

DoT wraps DNS queries in a TLS (SSL) connection on a dedicated port: TCP/UDP port 853. The DNS traffic is encrypted but uses a distinct, identifiable port. Network administrators can see that DoT traffic is occurring (and block port 853 if desired) even though they cannot read the query content. This makes DoT more suitable for enterprise environments where IT teams need to enforce DNS policies while still allowing encrypted DNS for privacy.

DoT is commonly configured at the router or OS level rather than per-browser. On Android, it is called Private DNS and can be configured in network settings. On Linux, systemd-resolved supports DoT. On a router running OPNsense or pfSense, Unbound can forward queries using DoT to upstream resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8, or Quad9 9.9.9.9).
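To make the transport difference concrete, here is an added example (not code from the original article) that builds one DNS query for example.com and shows how the same bytes are carried by DoH (base64url in a GET URL, or a raw POST body, per RFC 8484) and by DoT (a 2-byte length prefix inside TLS on port 853, per RFC 7858). The resolver URL is a hypothetical placeholder; nothing is sent over the network.

```python
# Added example: the same DNS query encoded for DoH (RFC 8484) and DoT (RFC 7858).
# Only the on-the-wire byte layout is built here; no resolver is contacted.
import base64
import struct

def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal DNS wire-format query (12-byte header + one question).

    qtype 1 = A record. RFC 8484 recommends transaction id 0 for DoH so that
    identical queries yield identical (and therefore HTTP-cacheable) GET URLs.
    """
    flags = 0x0100                                    # standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                                  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS 1 = IN

def doh_get_url(query: bytes, resolver_url: str) -> str:
    """DoH GET form: base64url-encoded query with padding stripped, in the dns= parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"

def doh_post_request(query: bytes) -> dict:
    """DoH POST form: raw wire-format body with the application/dns-message type.
    On the wire this is ordinary TLS to port 443, indistinguishable from web traffic."""
    return {"method": "POST", "port": 443,
            "headers": {"Content-Type": "application/dns-message",
                        "Accept": "application/dns-message"},
            "body": query}

def dot_message(query: bytes) -> bytes:
    """DoT framing: the DNS message prefixed by its 2-byte big-endian length,
    sent inside a TLS session to port 853 (the dedicated port that makes DoT identifiable)."""
    return struct.pack("!H", len(query)) + query

if __name__ == "__main__":
    q = build_dns_query("example.com")
    # Hypothetical endpoint: substitute the DoH URL published by your chosen provider.
    print(doh_get_url(q, "https://doh.resolver.example/dns-query"))
    print(doh_post_request(q)["headers"])
    print(dot_message(q).hex())
```

For www.example.com the GET encoding produced here matches the worked example in RFC 8484 section 4.1.1, which is a quick way to check the wire format against a reference.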

Which Should You Use?

For most home users configuring DNS privacy at the router level (protecting all home network devices): DoT on the router is practical and gives full household coverage. Configure Unbound on OPNsense to forward to a DoT-capable resolver and all devices benefit automatically.

For browser-level protection without router changes: DoH in Firefox or Chrome is the simplest approach. No router configuration needed — just enable it in browser settings. For maximum coverage of all applications (not just browser traffic), configure DoH or DoT at the OS level (Windows 11 DoH, Android Private DNS) or use a local resolver like AdGuard Home that handles DoH/DoT for the whole network.

DoH vs DoT Comparison

| Factor | DNS over HTTPS (DoH) | DNS over TLS (DoT) |
|---|---|---|
| Port | 443 (same as HTTPS) | 853 (dedicated) |
| Traffic identifiable? | No (blends with HTTPS) | Yes (port 853 is DoT-specific) |
| Blockable by network admin | Very difficult (blocks all HTTPS) | Easy (block port 853) |
| Browser support | Chrome, Firefox, Edge (native) | Limited browser support |
| OS-level support | Windows 11, Android 9+ | Android (Private DNS), Linux (systemd-resolved) |
| Router support | AdGuard Home, some firmware | Unbound (pfSense, OPNsense), AdGuard Home |
| Encryption strength | TLS 1.3 (same as HTTPS) | TLS 1.3 |
| Preferred for | Individual users, censorship bypass | Managed networks, router-level deployment |
| Popular providers | Cloudflare (1.1.1.1), Google (8.8.8.8), Quad9 | Cloudflare (1dot1dot1dot1.cloudflare-dns.com), Quad9 |

Frequently Asked Questions

Does DoH or DoT make browsing faster?

Slightly, in some cases. Resolvers like Cloudflare 1.1.1.1 and Google 8.8.8.8 typically have faster global response times than ISP DNS resolvers. The encrypted connection adds a small overhead for the initial TLS handshake, but subsequent queries reuse the connection. In practice, the difference in page load time is not perceptible.

Does DoH or DoT prevent all DNS monitoring?

It prevents your ISP and network path from seeing your DNS queries. However, the resolver you send queries to (Cloudflare, Google, Quad9) can still see your queries and IP address. Choose a resolver with a published privacy policy and minimal logging. Quad9 (9.9.9.9) is run by a non-profit and has a strong no-logging policy.

How do I enable DoH in Firefox?

In Firefox: Settings → Privacy and Security → scroll to DNS over HTTPS → select your protection level (Default Protection, Increased Protection, or Max Protection) and a provider. Default Protection uses DoH when available and falls back to regular DNS; Increased Protection uses only DoH; Max Protection blocks non-DoH DNS entirely.

Can I use DoH for my whole home network, not just one browser?

Yes. Set up AdGuard Home or Pi-hole on your home server or router. Configure them to use DoH or DoT upstream resolvers. Then set your router's DHCP server to give all devices the AdGuard Home / Pi-hole IP as their DNS server. Every device on your network — phones, TVs, IoT devices — benefits from encrypted DNS without any per-device configuration.
