A Comparison of DNS over HTTPS (DoH) to DNS over TLS (DoT)

The comparison below covers one aspect at a time, giving the DoH behaviour first and the DoT behaviour second.

DoH: DoH carries DNS messages inside HTTPS and therefore inherits the same protections as any HTTPS connection: TLS encryption and certificate-based authentication of the resolver. Queries and responses are sent over TCP port 443 (HTTP/2 over TLS); where HTTP/3 is used, the transport is QUIC over UDP port 443, with TCP as the fallback when UDP is blocked. DNS is never sent unencrypted on port 443, and at the transport level DoH traffic is indistinguishable from ordinary web traffic to the same server.

DoT: DoT runs DNS over a TLS session on TCP port 853. RFC 7858 specifies TCP only; DNS over DTLS on UDP is a separate, experimental specification (RFC 8094). Queries and responses are protected by TLS. Unencrypted DNS continues to use UDP/TCP port 53, so port 853 is a reliable indicator of DoT and, unlike DoH, DoT traffic can be identified and filtered by port alone.

DoH: HTTPS provides encryption and server authentication between the client and the resolver, protecting the confidentiality and integrity of DNS traffic on that hop. The protection does not extend beyond the resolver: the resolver sees every query in the clear, and its own lookups toward authoritative servers are ordinary DNS unless separately protected.

DoT: TLS provides the same client-to-resolver encryption and server authentication, with the same limit: DNS is protected between the client and the resolver, not end to end to the authoritative server.

DoH: The client sends each DNS query, in standard DNS wire format, as an HTTP request to a DoH-capable recursive resolver, either a GET with the query base64url-encoded in the dns parameter or a POST with content type application/dns-message. The resolver decrypts the request, performs the lookup, and returns the wire-format response, encrypted, in the HTTP reply.

DoT: The client opens a TCP connection to port 853 and performs a TLS handshake with the resolver; in the strict profile of RFC 8310 it verifies the resolver's certificate against the configured resolver name. Once the session is established, all subsequent queries and responses are exchanged over it using DNS-over-TCP framing (a two-byte length prefix on each message), and the connection is normally kept open for multiple queries.

DoH: The IETF has defined DNS over HTTPS in RFC 8484.

DoT: The IETF has defined DNS over TLS in RFC 7858 and RFC 8310.

DoH: For further information on DoH, see DNS over HTTPS.

DoT: For further information on DoT, see Using DNS Forwarding Proxy.
