DNS-over-TLS (DoT) vs DNS-over-HTTPS (DoH): What’s the Difference?

Learn which encrypted DNS protocol is best for security, compliance, and network control in 2025.

💡
The main difference between DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) is the transport protocol used. DoT encrypts DNS traffic using TLS over port 853, while DoH uses HTTPS over port 443. DoH blends with regular HTTPS traffic, whereas DoT is easier to block due to its distinct port.

Every time someone in your organization visits a website, their device sends an unencrypted DNS query that reveals to anyone on the network path exactly which sites are being accessed. This creates privacy risks and DNS security weaknesses that attackers can exploit.

DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) solve this problem by encrypting DNS traffic, but choosing the wrong one can create new challenges for network administrators.

By the end of this article, you’ll know exactly what DoT and DoH are, how they work, how they compare, and which one might be right for you.

Quick Summary: DoT vs DoH

| Feature | DNS-over-TLS (DoT) | DNS-over-HTTPS (DoH) |
|---|---|---|
| Protocol used | TLS (port 853) | HTTPS (port 443) |
| Encryption | Yes | Yes |
| Bypasses firewalls | Less likely | More likely |
| Used in | Routers, firewalls | Browsers, apps |
| Harder to block | No | Yes |
| Built for | Networks | Applications |
| Performance | Fast | Fast, but sometimes slower |
| Privacy | High | High (can hide DNS in normal web traffic) |

What Is DNS-over-TLS (DoT)?

DNS-over-TLS encrypts your DNS traffic using TLS, the same security protocol used for HTTPS websites. It runs on port 853 and is often built into routers, DNS servers, or firewalls.

Think of DoT like an armoured truck carrying valuable cargo. Everyone can see it's an armoured truck on the road, but they can't see what's inside or break in to steal it.

How It Works

  • Your computer or phone opens a TCP connection to a DoT-capable DNS server on port 853
  • It performs a TLS handshake, the same way a browser does for HTTPS
  • Your DNS requests travel through this encrypted connection
  • The DNS server sends its responses back over the same encrypted connection

✅ DoT Benefits

  • Strong encryption: Uses TLS 1.2 or newer (TLS 1.3 is preferred for better security and performance)
  • Easy to monitor: Network admins can identify DoT flows by their dedicated port, even though the queries themselves stay encrypted
  • Simple setup: Works with most firewalls and routers
  • Dedicated port: Uses port 853, making it easy to identify

❌ DoT Drawbacks

  • Easy to block: Since it uses a specific port, it's simple to block
  • Less common: Fewer devices and apps support DoT
  • Firewall issues: Some corporate firewalls block port 853

What Is DNS-over-HTTPS (DoH)?

DNS-over-HTTPS does the same thing as DoT, encrypting DNS requests, but it wraps them inside regular HTTPS traffic, disguising DNS traffic as normal web browsing. That means it uses port 443, the same port websites use.

DoH is like hiding a secret note inside a regular letter. From the outside, it looks like normal mail (web traffic), but there's actually a DNS request tucked inside that only the recipient can read.

How It Works

  • Your device sends DNS requests to a DoH server using HTTPS
  • The request looks like regular web traffic on port 443
  • The DNS server processes your request over a secure HTTPS connection
  • You get an encrypted response back through the same connection
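Both "How It Works" sequences above carry the same DNS wire message; only the framing differs. The added example below is not from the original article: it builds a query and shows the DoT length-prefixed framing (RFC 7858) next to the DoH GET and POST encodings (RFC 8484), using the placeholder endpoint https://doh.example/dns-query.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1, txn_id: int = 0x1234) -> bytes:
    """Minimal DNS query in RFC 1035 wire format: header, one question, no records."""
    # Flags 0x0100 = recursion desired; counts: QDCOUNT=1, AN/NS/AR=0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def dot_frame(msg: bytes) -> bytes:
    """DoT keeps DNS-over-TCP framing inside the TLS session on port 853:
    a two-byte big-endian length, then the unchanged wire message."""
    return struct.pack("!H", len(msg)) + msg

def parse_dot_frame(data: bytes) -> bytes:
    """Server side of the same framing; rejects a frame whose message is incomplete."""
    (length,) = struct.unpack("!H", data[:2])
    msg = data[2:2 + length]
    if len(msg) != length:
        raise ValueError("truncated DoT frame")
    return msg

def doh_get_url(msg: bytes, endpoint: str) -> str:
    """DoH GET form on port 443: the wire message, base64url-encoded with the '='
    padding removed, in the 'dns' query parameter. The DNS ID is zeroed so identical
    questions produce identical URLs and can be served from ordinary HTTP caches."""
    cacheable = b"\x00\x00" + msg[2:]
    param = base64.urlsafe_b64encode(cacheable).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={param}"

def doh_post(msg: bytes) -> tuple:
    """DoH POST form: the raw wire message is the HTTP body, with the DNS media type."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return headers, msg

def doh_decode_param(param: str) -> bytes:
    """Server side of the GET form: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

if __name__ == "__main__":
    q = build_query("example.com")
    print(dot_frame(q).hex())
    print(doh_get_url(q, "https://doh.example/dns-query"))  # placeholder endpoint
```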

✅ DoH Benefits

  • Hard to block: Looks like regular web traffic
  • Wide support: Major browsers like Chrome, Firefox, and Safari support DoH
  • Bypasses restrictions: Can work around network blocks
  • Same as web security: Protected by the same TLS that secures online banking and other HTTPS sites

❌ DoH Drawbacks

  • Harder to monitor: Network admins can't easily see DoH traffic
  • Potential bypass: Users might bypass company DNS policies
  • Mixed with web traffic: Makes network troubleshooting harder

⚖️ DNS-over-TLS vs DNS-over-HTTPS: Side-by-Side Comparison

Let’s go deeper into the differences.

If you're managing a network for a business, school, or public Wi-Fi, choosing between DoT and DoH isn’t just about privacy, but also about visibility, control, and compliance.

Here’s how they compare in real-world environments:

1. Network Visibility & Control

DoT is easier to monitor and manage from a network perspective.

You can set it up on routers, firewalls, or DNS servers and enforce it across the entire network. That means you can see, log, and control DNS activity, which is important for enforcing acceptable use policies or compliance rules.

DoH, on the other hand, is harder to detect or manage because it encrypts DNS inside HTTPS traffic. It can bypass enterprise-level filtering tools and make logging much more challenging unless you intercept HTTPS traffic (which raises legal and ethical issues).

🏆
Winner for visibility and control: DoT

2. Security & Compliance

Organizations often need to audit internet activity, apply content filtering, and meet regulatory standards (e.g., CIPA in U.S. schools or GDPR in the EU). DoT integrates well with network-level security tools, including DNS-based filtering and SIEM tools.

DoH can unintentionally allow users to route DNS through external providers, bypassing all filtering and logging, which could be a compliance risk.

🏆
Winner for compliance and enforceability: DoT

3. User Behavior & Bypass Prevention

DoH is built into most modern browsers and apps (Chrome, Firefox, iOS, Android). This means users can enable DoH themselves using third-party DNS resolvers and bypass your network’s DNS policies even if you’ve configured DNS filtering at the router level.

DoT, when enforced at the router or gateway, prevents this kind of circumvention, ensuring that all DNS requests are encrypted but still flow through your chosen DNS provider (like Control D).

🏆
Winner for preventing DNS bypasses: DoT

4. Ease of Deployment

DoT is ideal for centralized deployment. Set it up once on a router, firewall, or DNS proxy, and all users are protected. There’s no need to touch individual devices.

DoH often requires configuration per device or per browser, which isn’t scalable for large networks unless you're managing devices via MDM or endpoint policies.

🏆
Winner for ease of deployment: DoT

5. Blocking & Filtering Effectiveness

With DoT, you can control exactly which DNS server is being used, making content filtering predictable and consistent. DoH makes this harder, especially when browsers use their own DoH resolvers, ignoring your network DNS settings.

Control D, for example, supports blocking third-party DoH resolvers, allowing you to stop unauthorized DNS traffic entirely, giving you the best of both worlds.

🏆
Winner for consistent filtering: DoT (with DoH blocking support)
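As an added illustration of the gateway policy this section and section 1 describe (example code, not Control D's own): constructed flow records are classified by destination port and TLS SNI, assuming a placeholder sanctioned resolver (dns.resolver.example at 203.0.113.7) and an illustrative, operator-maintained list of public DoH hostnames.

```python
# Assumed placeholder hostname and IP of the resolver this network sanctions.
SANCTIONED = {"dns.resolver.example", "203.0.113.7"}
# Public DoH endpoints the gateway refuses so browsers fall back to network DNS.
# Illustrative only; an operator keeps this list current.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

def parse_flow(line: str) -> dict:
    """Parse one constructed key=value flow record (not a real vendor log format).
    'dest' is the TLS SNI hostname when one was observed, otherwise the destination IP."""
    f = dict(part.split("=", 1) for part in line.split())
    return {"src": f["src"], "dest": f.get("sni") or f["dst"], "dport": int(f["dport"])}

def classify(flow: dict) -> tuple:
    """Return (traffic_class, action) using the traits the article describes."""
    dest, port = flow["dest"], flow["dport"]
    if port == 53:
        # Plaintext DNS is readable by anyone on the path; force it via the gateway resolver.
        return "plain-dns", "redirect"
    if port == 853:
        # DoT announces itself by port, so the resolver choice is always enforceable.
        return "dot", "allow" if dest in SANCTIONED else "block"
    if port == 443 and (dest in SANCTIONED or dest in KNOWN_DOH_HOSTS):
        # DoH looks like any HTTPS flow; only the destination identifies it.
        return "doh", "allow" if dest in SANCTIONED else "block"
    # Other port-443 flows are indistinguishable from browsing without TLS interception.
    return "https-or-unknown", "allow"

def policy_report(lines) -> dict:
    """Tally (class, action) pairs over a batch of records."""
    report = {}
    for line in lines:
        key = classify(parse_flow(line))
        report[key] = report.get(key, 0) + 1
    return report

# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "src=10.0.0.5 dst=198.51.100.10 dport=53 proto=udp",
    "src=10.0.0.5 dst=203.0.113.7 dport=853 proto=tcp sni=dns.resolver.example",
    "src=10.0.0.9 dst=203.0.113.7 dport=443 proto=tcp sni=dns.resolver.example",
    "src=10.0.0.9 dst=192.0.2.44 dport=443 proto=tcp sni=dns.google",
    "src=10.0.0.9 dst=192.0.2.80 dport=443 proto=tcp sni=www.example.com",
    "src=10.0.0.12 dst=192.0.2.53 dport=853 proto=tcp",
]

if __name__ == "__main__":
    for key, count in sorted(policy_report(SAMPLE_LOG).items()):
        print(key, count)
```

Note that the last sample line, DoT to an unknown resolver, is still blockable because port 853 gives it away, while a browser's DoH to an endpoint missing from the list would pass as ordinary HTTPS.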

💼 Business Impact: Why This Matters for Your Organization

Cost Implications

  • DoT: Lower bandwidth usage, easier monitoring, reduces IT costs
  • DoH: May increase bandwidth due to HTTPS overhead
  • Hidden costs: DoH can bypass security tools, requiring additional investments

Compliance Considerations

Many industries require DNS logging and monitoring:

  • HIPAA: Healthcare organizations need DNS audit trails
  • SOX: Financial services must monitor all network activity
  • GDPR: EU organizations need to control data flows
  • CIPA: US schools must filter and log internet access

DoT Advantage: Makes compliance easier by maintaining network visibility while adding encryption.

Risk Assessment

| Risk Factor | DoT | DoH |
|---|---|---|
| Data breaches | Low | Low |
| Compliance violations | Low | Medium-High |
| Shadow IT | Low | Medium |
| Network blindness | Low | High |
| User bypass | Low | High |

Summary: Which One Should You Use?

| Your Need | Best Option |
|---|---|
| Enforce DNS filtering policies | ✅ DoT |
| Maintain network-wide visibility | ✅ DoT |
| Prevent users from bypassing controls | ✅ DoT |
| Meet compliance or auditing needs | ✅ DoT |
| Allow private DNS in personal apps only | DoH (with restrictions) |
| Lock down public Wi-Fi or school networks | ✅ DoT with DoH blocked |

🌐 How Control D Supports DoT and DoH

Control D is a privacy-first DNS filtering platform that supports both DoT and DoH.

With Control D, you get:

  • Privacy: Encrypted DNS with no logging
  • Control: Block ads, trackers, social media, or apps
  • Customization: Ability to apply multiple policies to different user/network groups
  • Bypass-proof filters: Stops DoH-in-the-browser with a single toggle

You can set up Control D with:

  • DoT on your router (protects your whole network)
  • DoH in your browser or device (for personal use)

Final Thoughts: DoT vs DoH

Both DNS-over-TLS and DNS-over-HTTPS solve the same core problem: making DNS requests private and secure. Your choice depends on your specific needs:

For organizations that manage networks, like businesses, schools, and public Wi-Fi providers, DNS-over-TLS (DoT) is a better choice. It offers encrypted DNS while still allowing visibility, filtering, and control at the network level.

DNS-over-HTTPS (DoH) is suited for personal privacy, making it better for individuals and families. However, in managed environments, it can bypass policies, hide traffic from administrators, and make compliance harder.

With a solution like Control D, you can enforce DoT across your entire network, block unauthorized DoH traffic, and apply custom filtering to meet your security and compliance needs.


Frequently Asked Questions (FAQs)

1. What is the difference between DoT and DoH?

DoT uses TLS on port 853; DoH uses HTTPS on port 443. Both encrypt DNS, but DoH hides it inside web traffic.

2. Is DNS-over-HTTPS more secure than DNS-over-TLS?

Both are secure. DoH is harder to block, while DoT is easier to manage on networks.

3. Can DoH bypass DNS filters?

Yes. Because it uses port 443 (like normal web traffic), it can bypass basic DNS filtering.

4. Should I use DoH or DoT?

Use DoT for routers and networks. Use DoH in browsers.

5. Does Control D support DoT and DoH?

Yes, Control D supports both, giving you flexible, encrypted DNS options.

6. Can I use both DoT and DoH at the same time?

Yes, on different devices or apps. You can configure one device with DoT and another with DoH.

7. Is DoH slower than DoT?

DoH can be slower due to HTTP overhead, but this difference (a few milliseconds) is typically unnoticeable for most users.

8. Which DNS encryption is better for enterprise networks?

DNS over TLS (DoT) is generally better for enterprise networks because it provides encryption while maintaining network visibility and control. DoH can bypass corporate DNS policies.

9. Can employees bypass DNS filters with DoH?

Yes, most browsers support DoH by default, allowing users to bypass network-level DNS filtering.

10. What's the difference between DoT, DoH, and DoQ?

DoT uses TLS on port 853, DoH uses HTTPS on port 443, and DoQ uses the newer QUIC protocol. DoQ offers the best performance but has limited adoption currently.

11. Should schools use DoT or DoH for student internet access?

Schools should use DoT for network-wide protection and block DoH to maintain filtering compliance with regulations like CIPA. This ensures all student traffic is properly filtered.
