A Different Wrapper
DNS over TLS, often shortened to DoT, also encrypts DNS lookups, but it carries them over a dedicated TLS connection rather than disguising them as web traffic. It runs on its own well-known port, reserved for encrypted DNS.
How It Differs From DoH
Both DoT and DoH encrypt queries, yet their visibility differs.
- DoT uses a dedicated port, so a network operator can clearly see that encrypted DNS is in use, even though the contents stay private.
- DoH rides the standard HTTPS port and blends in with all other web traffic.
This makes DoT friendlier to network management: an operator can allow or block encrypted DNS as a policy without breaking unrelated traffic.
What It Protects
Like DoH, DoT gives confidentiality and integrity for lookups.
- On-path observers see only encrypted bytes, not the names you resolve.
- Answers are protected against tampering in transit by the TLS session.
- The resolver still learns your queries, so resolver trust remains important.
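As an added illustration (not code from this page), a minimal DoT client in Python that shows the two things described above: one dedicated TLS session to the resolver, with the resolver's certificate checked against its name, and the 2-byte length prefix DoT borrows from DNS over TCP. The port 853 comes from RFC 7858; the resolver IP and certificate name are supplied by the caller.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # port reserved for DNS over TLS (RFC 7858)

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query (type A by default) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def frame(message: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(message)) + message

def unframe(stream: bytes):
    """Return (message, remainder) for the first complete framed message,
    or None when more bytes must still be read from the TLS session."""
    if len(stream) < 2:
        return None
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        return None
    return stream[2:2 + length], stream[2 + length:]

def dot_lookup(name: str, resolver_ip: str, resolver_name: str, timeout=5.0) -> bytes:
    """Send one query over a dedicated TLS connection and return the raw answer."""
    # create_default_context() validates the resolver's certificate chain and
    # matches it against resolver_name, so an on-path party cannot pose as the
    # resolver. TLS gives confidentiality and integrity for the lookup; the
    # resolver itself still sees the query, which is why resolver trust matters.
    ctx = ssl.create_default_context()
    query = build_query(name)
    buf = b""
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_name) as tls:
            tls.sendall(frame(query))
            while (parsed := unframe(buf)) is None:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("resolver closed the TLS session early")
                buf += chunk
    answer, _rest = parsed
    if answer[:2] != query[:2]:
        raise ValueError("answer transaction id does not match the query")
    return answer
```

The framing helpers run offline; `dot_lookup("example.com", <resolver IP>, <resolver certificate name>)` opens a real connection to a DoT resolver you operate or trust.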
Choosing Between Them
DoT suits managed networks that want encrypted DNS while keeping the ability to observe and govern it. DoH suits users who want lookups hidden even from the local network.
Key idea
DNS over TLS encrypts lookups on a dedicated visible port, giving the same privacy as DoH while remaining observable as encrypted DNS, which makes it easier for operators to manage.