Every time someone in your organization visits a website, your network sends an unencrypted DNS request that reveals exactly which sites are being accessed. This creates privacy risks and DNS security vulnerabilities that attackers can exploit.
DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) solve this problem by encrypting DNS traffic, but choosing the wrong one can create new challenges for network administrators.
By the end of this article, you’ll know exactly what DoT and DoH are, how they work, how they compare, and which one might be right for you.
Quick Summary: DoT vs DoH
| Feature | DNS-over-TLS (DoT) | DNS-over-HTTPS (DoH) |
|---|---|---|
| Protocol Used | TLS (port 853) | HTTPS (port 443) |
| Encryption | Yes | Yes |
| Bypasses Firewalls | Less likely | More likely |
| Used in | Routers, firewalls | Browsers, apps |
| Harder to Block | No | Yes |
| Built for | Networks | Applications |
| Performance | Fast | Fast, but sometimes slower |
| Privacy | High | High (can hide DNS in normal web traffic) |
What Is DNS-over-TLS (DoT)?
DNS-over-TLS encrypts your DNS traffic using TLS, the same security protocol used for HTTPS websites. It runs on port 853 and is often built into routers, DNS servers, or firewalls.
Think of DoT like an armoured truck carrying valuable cargo. Everyone can see it's an armoured truck on the road, but they can't see what's inside or break in to steal it.
How It Works
- Your computer or phone connects to a special DNS server using port 853
- It creates a secure TLS connection (like HTTPS)
- Your DNS requests travel through this encrypted tunnel
- The DNS server sends back encrypted responses
✅ DoT Benefits
- Strong encryption: Uses TLS 1.2 or newer (TLS 1.3 is preferred for better security and performance)
- Easy to monitor: Network admins can see DoT traffic easily
- Simple setup: Works with most firewalls and routers
- Dedicated port: Uses port 853, making it easy to identify
❌ DoT Drawbacks
- Easy to block: Since it uses a specific port, it's simple to block
- Less common: Fewer devices and apps support DoT
- Firewall issues: Some corporate firewalls block port 853
What Is DNS-over-HTTPS (DoH)?
DNS-over-HTTPS does the same thing as DoT, encrypting DNS requests, but it wraps them inside regular HTTPS traffic, disguising DNS traffic as normal web browsing. That means it uses port 443, the same port websites use.
DoH is like hiding a secret note inside a regular letter. From the outside, it looks like normal mail (web traffic), but there's actually a DNS request tucked inside that only the recipient can read.
How It Works
- Your device sends DNS requests to a DoH server using HTTPS
- The request looks like regular web traffic on port 443
- The DNS server processes your request over a secure HTTPS connection
- You get an encrypted response back through the same connection
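The two "How It Works" lists above describe the same DNS message travelling in two different wrappers. The following added example (not code from the original article or from Control D) builds a wire-format DNS query and shows the DoT framing (RFC 7858: a 2-byte length prefix inside the TLS session on port 853) next to the two DoH encodings (RFC 8484: base64url in a GET URL, or the raw message as a POST body with `Content-Type: application/dns-message` on port 443). The resolver hostname `doh.example` is a hypothetical placeholder; nothing is sent over the network.

```python
import base64
import struct

# Minimal DNS wire-format query builder (RFC 1035) used to show how the
# same message is carried by DoT and DoH. Added example, not article code.

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a single-question DNS query (recursion desired, QCLASS IN).
    RFC 8484 recommends message ID 0 for DoH so HTTP caches can match
    identical queries; a DoT client would normally use a random ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_for_dot(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: each message inside the TLS
    session on port 853 is preceded by a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def doh_get_url(msg: bytes, resolver_url: str) -> str:
    """DoH GET: the wire-format message travels in the 'dns' query
    parameter, base64url-encoded with '=' padding removed."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"

def doh_post_request(msg: bytes, host: str, path: str) -> bytes:
    """DoH POST: the message is the HTTP body; on the wire this is an
    ordinary HTTPS request on port 443, indistinguishable by port alone."""
    headers = (f"POST {path} HTTP/1.1\r\n"
               f"Host: {host}\r\n"
               "Accept: application/dns-message\r\n"
               "Content-Type: application/dns-message\r\n"
               f"Content-Length: {len(msg)}\r\n\r\n")
    return headers.encode("ascii") + msg

if __name__ == "__main__":
    q = build_query("example.com")
    print("DoT frame:", frame_for_dot(q).hex())
    print("DoH GET:  ", doh_get_url(q, "https://doh.example/dns-query"))
    print("DoH POST: ", doh_post_request(q, "doh.example", "/dns-query"))
```

The DoT frame is only ever seen on port 853, which is why it is easy to identify; the DoH request is a normal-looking HTTPS request and can only be recognised by the endpoint it is sent to.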
✅ DoH Benefits
- Hard to block: Looks like regular web traffic
- Wide support: Major browsers like Chrome, Firefox, and Safari support DoH
- Bypasses restrictions: Can work around network blocks
- Same as web security: Uses the same security as online banking
❌ DoH Drawbacks
- Harder to monitor: Network admins can't easily see DoH traffic
- Potential bypass: Users might bypass company DNS policies
- Mixed with web traffic: Makes network troubleshooting harder
⚖️ DNS-over-TLS vs DNS-over-HTTPS: Side-by-Side Comparison
Let’s go deeper into the differences.
If you're managing a network for a business, school, or public Wi-Fi, choosing between DoT and DoH isn’t just about privacy, but also about visibility, control, and compliance.
Here’s how they compare in real-world environments:
1. Network Visibility & Control
DoT is easier to monitor and manage from a network perspective.
You can set it up on routers, firewalls, or DNS servers and enforce it across the entire network. That means you can see, log, and control DNS activity, which is important for enforcing acceptable use policies or compliance rules.
DoH, on the other hand, is harder to detect or manage because it encrypts DNS inside HTTPS traffic. It can bypass enterprise-level filtering tools and make logging much more challenging unless you intercept HTTPS traffic (which raises legal and ethical issues).
2. Security & Compliance
Organizations often need to audit internet activity, apply content filtering, and meet regulatory standards (e.g., CIPA in U.S. schools or GDPR in the EU). DoT integrates well with network-level security tools, including DNS-based filtering and SIEM tools.
DoH can unintentionally allow users to route DNS through external providers, bypassing all filtering and logging, which could be a compliance risk.
3. User Behavior & Bypass Prevention
DoH is built into most modern browsers and apps (Chrome, Firefox, iOS, Android). This means users can enable DoH themselves using third-party DNS resolvers and bypass your network’s DNS policies even if you’ve configured DNS filtering at the router level.
DoT, when enforced at the router or gateway, prevents this kind of circumvention, ensuring that all DNS requests are encrypted but still flow through your chosen DNS provider (like Control D).
4. Ease of Deployment
DoT is ideal for centralized deployment. Set it up once on a router, firewall, or DNS proxy, and all users are protected. There’s no need to touch individual devices.
DoH often requires configuration per device or per browser, which isn’t scalable for large networks unless you're managing devices via MDM or endpoint policies.
5. Blocking & Filtering Effectiveness
With DoT, you can control exactly which DNS server is being used, making content filtering predictable and consistent. DoH makes this harder, especially when browsers use their own DoH resolvers, ignoring your network DNS settings.
Control D, for example, supports blocking third-party DoH resolvers, allowing you to stop unauthorized DNS traffic entirely, giving you the best of both worlds.
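Sections 1 and 5 both come down to one question: which DNS flows on your network can you actually see? The added example below (not code from the original article or from Control D) runs a simple classifier over constructed flow-log lines: port 853 flows are identified as DoT outright, while port 443 flows are flagged as DoH only when the TLS SNI names a well-known public DoH resolver. The resolver list, the approved DoT hostname `dns.resolver.example`, and the log lines are all assumptions for the example.

```python
from collections import Counter

# Constructed sample flow log (not from the article):
# src_ip dst_ip dst_port tls_sni ("-" when no SNI was observed)
SAMPLE_FLOWS = """\
10.0.0.12 203.0.113.10 53 -
10.0.0.12 203.0.113.10 853 dns.resolver.example
10.0.0.31 198.51.100.5 443 www.example.com
10.0.0.31 198.51.100.7 443 mozilla.cloudflare-dns.com
10.0.0.44 198.51.100.9 443 dns.google
10.0.0.44 203.0.113.10 853 dns.resolver.example
"""

# Hostnames of well-known public DoH endpoints (assumed list; a real
# deployment would maintain and update this from its own sources).
KNOWN_DOH_SNI = {"dns.google", "cloudflare-dns.com",
                 "mozilla.cloudflare-dns.com", "dns.quad9.net"}

# The organisation's own DoT resolver (hypothetical name).
APPROVED_DOT_SNI = {"dns.resolver.example"}

def classify_flow(line: str) -> str:
    """Label one flow. DoT is recognised by its dedicated port; DoH is only
    recognised when the SNI matches a known resolver, which is the
    visibility gap the article describes."""
    src, dst, port, sni = line.split()
    port = int(port)
    if port == 853:
        return "dot-approved" if sni in APPROVED_DOT_SNI else "dot-unapproved"
    if port == 443 and sni in KNOWN_DOH_SNI:
        return "doh-suspected"
    if port == 53:
        return "plain-dns"
    return "other"  # includes DoH to unknown resolvers or without SNI

def summarize(log: str) -> dict:
    """Count flow labels and list hosts whose DNS bypasses the approved
    resolver, for review or for feeding a SIEM alert."""
    counts = Counter()
    bypass_hosts = set()
    for line in log.splitlines():
        if not line.strip():
            continue
        label = classify_flow(line)
        counts[label] += 1
        if label in ("doh-suspected", "dot-unapproved"):
            bypass_hosts.add(line.split()[0])
    return {"counts": dict(counts), "bypass_hosts": sorted(bypass_hosts)}

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

A DoH flow whose SNI is missing, encrypted, or points at an unlisted resolver lands in the `other` bucket indistinguishable from web browsing, which is exactly why the article recommends enforcing DoT at the gateway rather than trying to spot DoH after the fact.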
💼 Business Impact: Why This Matters for Your Organization
Cost Implications
- DoT: Lower bandwidth usage, easier monitoring, reduces IT costs
- DoH: May increase bandwidth due to HTTPS overhead
- Hidden costs: DoH can bypass security tools, requiring additional investments
Compliance Considerations
Many industries require DNS logging and monitoring:
- HIPAA: Healthcare organizations need DNS audit trails
- SOX: Financial services must monitor all network activity
- GDPR: EU organizations need to control data flows
- CIPA: US schools must filter and log internet access
DoT Advantage: Makes compliance easier by maintaining network visibility while adding encryption.
Risk Assessment
| Risk Factor | DoT | DoH |
|---|---|---|
| Data breaches | Low | Low |
| Compliance violations | Low | Medium-High |
| Shadow IT | Low | Medium |
| Network blindness | Low | High |
| User bypass | Low | High |
Summary: Which One Should You Use?
| Your Need | Best Option |
|---|---|
| Enforce DNS filtering policies | ✅ DoT |
| Maintain network-wide visibility | ✅ DoT |
| Prevent users from bypassing controls | ✅ DoT |
| Meet compliance or auditing needs | ✅ DoT |
| Allow private DNS in personal apps only | DoH (with restrictions) |
| Lock down public Wi-Fi or school networks | ✅ DoT with DoH blocked |
🌐 How Control D Supports DoT and DoH
Control D is a privacy-first DNS filtering platform that supports both DoT and DoH.
With Control D, you get:
- ✅ Privacy: Encrypted DNS with no logging
- ✅ Control: Block ads, trackers, social media, or apps
- ✅ Customization: Ability to apply multiple policies to different user/network groups
- ✅ Bypass-proof filters: Stops DoH-in-the-browser with a single toggle
You can set up Control D with:
- DoT on your router (protects your whole network)
- DoH in your browser or device (for personal use)
Final Thoughts: DoT vs DoH
Both DNS-over-TLS and DNS-over-HTTPS solve the same core problem: making DNS requests private and secure. Your choice depends on your specific needs:
For organizations that manage networks, like businesses, schools, and public Wi-Fi providers, DNS-over-TLS (DoT) is a better choice. It offers encrypted DNS while still allowing visibility, filtering, and control at the network level.
DNS-over-HTTPS (DoH) is suited for personal privacy, making it better for individuals and families. However, in managed environments, it can bypass policies, hide traffic from administrators, and make compliance harder.
With a solution like Control D, you can enforce DoT across your entire network, block unauthorized DoH traffic, and apply custom filtering to meet your security and compliance needs.

Frequently Asked Questions (FAQs)
1. What is the difference between DoT and DoH?
DoT uses TLS on port 853; DoH uses HTTPS on port 443. Both encrypt DNS, but DoH hides it inside web traffic.
2. Is DNS-over-HTTPS more secure than DNS-over-TLS?
Both are secure. DoH is harder to block, while DoT is easier to manage on networks.
3. Can DoH bypass DNS filters?
Yes. Because it uses port 443 (like normal web traffic), it can bypass basic DNS filtering.
4. Should I use DoH or DoT?
Use DoT for routers and networks. Use DoH in browsers.
5. Does Control D support DoT and DoH?
Yes, Control D supports both, giving you flexible, encrypted DNS options.
6. Can I use both DoT and DoH at the same time?
Yes, on different devices or apps. You can configure one device with DoT and another with DoH.
7. Is DoH slower than DoT?
DoH can be slower due to HTTP overhead, but this difference (a few milliseconds) is typically unnoticeable for most users.
8. Which DNS encryption is better for enterprise networks?
DNS over TLS (DoT) is generally better for enterprise networks because it provides encryption while maintaining network visibility and control. DoH can bypass corporate DNS policies.
9. Can employees bypass DNS filters with DoH?
Yes, most browsers support DoH by default, allowing users to bypass network-level DNS filtering.
10. What's the difference between DoT, DoH, and DoQ?
DoT uses TLS on port 853, DoH uses HTTPS on port 443, and DoQ uses the newer QUIC protocol. DoQ offers the best performance but has limited adoption currently.
11. Should schools use DoT or DoH for student internet access?
Schools should use DoT for network-wide protection and block DoH to maintain filtering compliance with regulations like CIPA. This ensures all student traffic is properly filtered.