DNS over TLS vs. DNS over HTTPS: How To Make the Best Choice in 2024?

As the need for DNS encryption evolves, there seems to be a growing debate between DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). With Google (and Firefox) adopting DoH as their DNS encryption method for their browsers, there seems to be a belief that DoH is superior to DoT.

But that’s not the case.

The reality is that DNS-over-HTTPS and DNS-over-TLS are slightly different standards for implementing the same DNS protections. The end goal of DNS encryption is to prevent DNS requests from being read and from being modified.

Both (DoT) and (DoH) prevent:

• Spoofing – Forged DNS requests, these usually come in the form of a man-in-the-middle attack where a malicious actor will temporarily redirect users to a fake login page to collect personal information or login credentials
  
  
• Tracking – When untrustworthy entities can view your DNS requests and collect information on you, this data can be sold to advertisers*

*Privacy policies are not just a box you need to check. They tell you exactly how a company will use your data. The absence of a privacy policy is a warning sign. We take privacy seriously at DNSFilter, you can check out our Privacy Policy and the security best practices we follow to keep our customers safe.

(DoT) vs. (DoH): What’s the difference?

Both DoT and DoH are designed to encrypt DNS requests, preventing common threats like spoofing and tracking. However, the key difference between these protocols lies in the layers at which they operate within the TCP/IP model.

The main difference between DoT and DoH are the layers at which the encryption is enabled. DNS-over-HTTPS is applied at the application layer (two layers removed from the Internet layer) while DNS-over-TLS is applied at the transport layer (one layer removed from the Internet layer).

(DoT) DNS-Over-TLS: Security at the Transport Layer

DNS-over-TLS is implemented at the transport layer, which is closer to the network layer. This positioning allows DoT to encrypt DNS queries across the entire operating system, providing a more comprehensive security solution for all applications running on a device. At DNSFilter, we prefer DoT because it enables encryption at a lower layer, which is crucial for protecting DNS requests that occur outside of the browser environment, such as those made by desktop applications or system processes.

DNS-over-HTTPS: Encryption at the Application Layer

DNS-over-HTTPS, on the other hand, is applied at the application layer. This protocol is particularly well-suited for browsers like Google Chrome and Mozilla Firefox, which already operate at this layer. DoH has gained popularity primarily because it fits seamlessly into the existing infrastructure of these browsers. However, this does not mean that DoH is inherently superior to DoT. In fact, due to its higher placement in the TCP/IP model, DoH requires additional layers of encapsulation, which can result in slightly higher latency and larger packet sizes.

The Advantages and Drawbacks of DoT and DoH

Choosing between DoT and DoH depends largely on the specific needs of your environment. Let’s explore the benefits and limitations of each protocol.

The Efficiency of DNS-over-TLS

One of the main advantages of DoT is its efficiency. Because it operates at the transport layer, DoT can offer lower latency and smaller packet sizes compared to DoH. This makes it an ideal choice for environments where performance is critical. Additionally, DoT’s ability to encrypt DNS queries at the operating system level provides broader protection, securing requests made by all applications on a device, not just those within a browser.

The Popularity of DNS-over-HTTPS

DoH has become the default DNS encryption method for many browsers, largely due to its ease of integration at the application layer. For companies like Google and Mozilla, implementing DoH within their browsers is straightforward, as it aligns with the existing HTTPS infrastructure. However, this popularity has led to a misconception that DoH is superior to DoT. In reality, DoH’s additional layers of encapsulation can introduce higher latency, making it less efficient in certain scenarios.

The Future of DNS Encryption: Evolving Standards and Emerging Protocols

DNS encryption is an evolving field, with new standards and protocols being developed to address emerging security challenges. While DoT and DoH are currently the most robust and widely adopted encryption methods, they are not without their limitations.

DNSSEC: Not a Standalone Solution

DNSSEC (Domain Name System Security Extensions) was one of the earliest attempts to secure DNS queries. However, it deals with a different aspect of security than encryption or privacy, focusing on verifying the authenticity of DNS responses to prevent man-in-the-middle attacks. Encryption and authentication both play an important role in a secure DNS ecosystem but due to its frequent implementation challenges and limited functionality, DNSSEC is less favored today as a standalone security solution.

DNSCrypt: A Lesser-Known Alternative

DNSCrypt is another protocol aimed at securing DNS queries, operating similarly to DNS-over-TLS at the transport layer. While DNSCrypt provides encryption and prevents localized man-in-the-middle attacks, it has not been standardized through an RFC (Request for Comments). This lack of standardization has led to inconsistencies in implementation, making DNSCrypt less popular and reliable compared to DoT and DoH.

DNS-over-QUIC (DoQ): The Next Evolution in DNS Encryption

DNS-over-QUIC (DoQ) is an emerging protocol that seeks to improve upon the limitations of existing DNS encryption methods like DoT and DoH. Officially standardized in 2021, DoQ leverages the QUIC transport protocol, which was initially developed by Google and later adopted by the IETF as a standard for secure, low-latency internet connections.

QUIC, which stands for "Quick UDP Internet Connections," is a transport layer protocol that uses UDP (User Datagram Protocol) to provide fast and reliable connections with built-in encryption. By integrating DNS-over-QUIC, DoQ offers several advantages over DoT and DoH, including:

• Lower Latency: DoQ reduces connection setup times, leading to faster DNS query resolutions.
  
  
• Improved Performance: Unlike TCP, QUIC can maintain performance over unreliable networks, making it ideal for mobile devices and environments with variable connectivity.
  
  
• Enhanced Security: DoQ inherits the security benefits of QUIC, including forward secrecy and protection against replay attacks.

The adoption of DoQ is still in its early stages, but it shows promise as a more efficient and secure alternative to existing DNS encryption protocols. As more organizations begin to explore DoQ, it could become a significant player in the DNS security landscape.

For a deeper dive into DNS-over-QUIC and its benefits, read more here.  

DNS encryption is still evolving

There is no right answer when it comes to DoT or DoH, because these standards support varying use cases. But if DoH continues to be adopted like it has been, we might see DoT go by the wayside.

With that being said, it’s not just a matter of choosing DoT or DoH. There is still work that needs to be done in both DNS encryption and SNI (Server Name Indication) encryption.

SNI is the layer above TLS and an extension of the TLS layer. Once you make a DNS request and TLS makes a secure connection with that IP address, SNI tells the server in clear text (not encrypted) what the name of that domain is. While this does not impact things like man-in-the-middle attacks, it does impact privacy. Currently, SNI is not encrypted, though it is something that is being worked on.

While DoT and DoH are the most secure and standardized methods for encrypting DNS, they do not encrypt the request that goes to the authoritative DNS. That request is received in clear text. This is a point of vulnerability in both DoT and DoH, as well as DNSCrypt. Right now there is no standard for encrypting this information.

As a DNS resolver, we support and welcome a standard for encrypting messages to authoritative DNS, and we’d love to work with providers to help put this in place.

But the point I’m trying to make here is that neither DoT nor DoH are perfect DNS encryption solutions at this moment. More work still needs to be done, like enabling 0-RTT for all DNS-over-TLS and DNS-over-HTTPS implementations.

While everyone is talking about DoH, it’s not because it’s the most secure or most efficient solution. It’s because right now, it’s the solution that’s getting the most press. When VHS overtook Betamax, it wasn’t because VHS was better in every way. Betamax actually provided better video quality, but VHS was cheaper and allowed people to record longer programs. VHS and Betamax both achieve the same end (recording and displaying video), similar to how DoT and DoH both provide encryption through slightly different methods.

One of the biggest impacts of the “DoH vs. DoT” debate is the way MSPs implement network-level DNS filtering. With DoH becoming the de facto standard, it makes performing DoH bypasses on system-level DNS settings nearly impossible. There’s no standard method at this time for alternative workarounds. We’ll go into this subject in more detail in a later blog post, as there is a lot to consider when discussing the impact on MSPs.

For more reading on DNS-over-TLS and how it’s implemented by DNSFilter, visit our support documentation.

If you’re an MSP interested in learning about the impact DoH has on your business, read the blog on what DNS-over-HTTPS means for your business and DNS security as a whole.