DNS over TLS vs. DNS over HTTPS: How To Make the Best Choice in 2024?
by Greg Delaney on Sep 25, 2024 12:45:00 AM
As the need for DNS encryption evolves, there seems to be a growing debate between DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). With Chrome and Firefox adopting DoH as the encryption method for their browsers' own DNS lookups, there seems to be a belief that DoH is superior to DoT.
But that’s not the case.
The reality is that DNS-over-HTTPS and DNS-over-TLS are two slightly different standards (RFC 8484 and RFC 7858) for the same protection: encrypting DNS traffic between a client and its resolver so that queries and responses can be neither read nor modified in transit.
Both (DoT) and (DoH) prevent:
- Spoofing – Forged DNS responses. These usually take the form of a man-in-the-middle attack in which an on-path attacker answers a query with a false address and redirects the user to a fake login page to collect personal information or credentials
- Tracking – Untrusted parties that can see your DNS requests can build a profile of the sites you visit, and that data can be sold to advertisers*
*Privacy policies are not just a box to check. They tell you exactly how a company will use your data, and the absence of one is a warning sign. We take privacy seriously at DNSFilter; you can check out our Privacy Policy and the security best practices we follow to keep our customers safe.
(DoT) vs. (DoH): What’s the difference?
Both DoT and DoH encrypt DNS traffic with TLS and so defend against the same threats, spoofing and tracking. The difference is how much sits between the DNS message and the TLS session. DNS-over-TLS (RFC 7858) sends DNS messages directly over a TLS connection on its own dedicated port, TCP 853, with only the two-byte length prefix that DNS over TCP already uses. DNS-over-HTTPS (RFC 8484) wraps each DNS message in an HTTP request and response (HTTP/2 is the recommended minimum) carried over TLS on TCP port 443, the same port as ordinary web traffic. In TCP/IP terms, DoT sits just above the transport layer while DoH adds a full application-layer protocol on top of it.
(DoT) DNS-Over-TLS: Security at the Transport Layer
DNS-over-TLS is a thin layer over TLS, and it is the form of DNS encryption that operating system stub resolvers such as Android's Private DNS setting and Linux's systemd-resolved (its DNSOverTLS option) support natively. Configured there, it encrypts the lookups of every application on the device, not only the browser's. At DNSFilter, we prefer DoT because it protects the DNS requests that happen outside the browser, such as those made by desktop applications or system processes, with the least overhead.
DNS-over-HTTPS: Encryption at the Application Layer
DNS-over-HTTPS, on the other hand, runs inside HTTP, at the application layer. That makes it a natural fit for browsers like Google Chrome and Mozilla Firefox, which already carry an HTTP stack and can resolve names through it without touching the operating system's resolver. DoH has gained popularity primarily because it fits so neatly into the infrastructure browsers already have, but this does not make it inherently superior to DoT. Each DoH query carries HTTP framing and headers in addition to the DNS message, which can mean slightly larger packets and, depending on the implementation, slightly higher latency.
The Advantages and Drawbacks of DoT and DoH
Choosing between DoT and DoH depends largely on the specific needs of your environment. Let’s explore the benefits and limitations of each protocol.
The Efficiency of DNS-over-TLS
One of the main advantages of DoT is its efficiency. Because it adds almost nothing to the DNS message beyond the TLS session itself, DoT can offer lower latency and smaller packets than DoH, which makes it a good choice where performance is critical. Configured in the operating system's stub resolver, it also provides broader protection, securing requests from every application on a device rather than only those made by a browser. The same design has a consequence network operators should know about: because DoT uses a dedicated port (TCP 853), it is easy to identify and to allow or block at a firewall, whereas DoH is indistinguishable from other HTTPS traffic on port 443.
The Popularity of DNS-over-HTTPS
DoH has become the default DNS encryption method for many browsers, largely because it is easy to integrate at the application layer: for Google and Mozilla, a DoH query is just another HTTPS request from code that already speaks HTTPS. That popularity has fed a misconception that DoH is superior to DoT. In reality, DoH's extra encapsulation can add latency, making it less efficient in some scenarios.
The Future of DNS Encryption: Evolving Standards and Emerging Protocols
DNS encryption is an evolving field, with new standards and protocols being developed to address emerging security challenges. While DoT and DoH are currently the most robust and widely adopted encryption methods, they are not without their limitations.
DNSSEC: Not a Standalone Solution
DNSSEC (Domain Name System Security Extensions) was one of the earliest efforts to secure DNS, but it addresses a different problem from encryption or privacy. DNSSEC signs DNS records so that a validating resolver can detect forged or tampered responses (cache poisoning and similar on-path attacks); it does not encrypt anything, so a passive observer can still read every query and response. Authentication and encryption both play an important role in a secure DNS ecosystem, but because of its frequent implementation challenges and its limited scope, DNSSEC is less favored today as a standalone security solution.
DNSCrypt: A Lesser-Known Alternative
DNSCrypt is another protocol aimed at securing DNS queries. Like DoT it encrypts the client-to-resolver hop, but it uses its own cryptographic construction rather than TLS, carried over UDP or TCP. While DNSCrypt provides encryption and prevents local man-in-the-middle attacks, it has never been standardized through an RFC (Request for Comments). That lack of standardization has led to inconsistent implementations, and DNSCrypt is less popular and less reliable than DoT and DoH as a result.
DNS-over-QUIC (DoQ): The Next Evolution in DNS Encryption
DNS-over-QUIC (DoQ) is an emerging protocol that seeks to improve on DoT and DoH. It was standardized by the IETF as RFC 9250 in 2022 and runs on QUIC, the transport protocol originally developed by Google and standardized by the IETF (RFC 9000) in 2021 for secure, low-latency connections.
QUIC, originally an acronym for "Quick UDP Internet Connections" (the IETF version is simply named QUIC), is a transport protocol built on UDP (User Datagram Protocol) that provides reliable, multiplexed streams with TLS 1.3 encryption built in. By carrying DNS messages on QUIC streams, DoQ offers several advantages over DoT and DoH, including:
- Lower latency: QUIC combines the transport and TLS handshakes into a single round trip (none at all with session resumption), so a new DoQ connection is ready to carry queries sooner than a TCP-plus-TLS connection.
- Better behaviour on poor networks: QUIC has no TCP-style head-of-line blocking, so one lost packet does not stall every other query on the connection, and it supports connection migration when a device moves between networks. That makes it attractive for mobile devices and environments with variable connectivity.
- Enhanced security: DoQ inherits QUIC's TLS 1.3 guarantees, including forward secrecy and, for data sent after the handshake completes, protection against replay.
The adoption of DoQ is still in its early stages, but it shows promise as a more efficient and secure alternative to existing DNS encryption protocols. As more organizations begin to explore DoQ, it could become a significant player in the DNS security landscape.
For a deeper dive into DNS-over-QUIC and its benefits, read more here.
DNS encryption is still evolving
There is no right answer when it comes to DoT or DoH, because these standards support varying use cases. But if DoH continues to be adopted like it has been, we might see DoT go by the wayside.
With that said, the choice is not only DoT or DoH. Work remains in both DNS encryption and in encrypting the SNI (Server Name Indication) field of TLS.
SNI is not a layer above TLS but an extension inside it. Once DNS has resolved a name to an IP address and the client opens a TLS connection to that address, the very first handshake message (the ClientHello) carries the hostname in clear text so that the server can select the right certificate. Encrypting DNS therefore does not, on its own, hide which site you are visiting from an on-path observer. This does not weaken protection against man-in-the-middle attacks, but it does affect privacy. SNI is still sent unencrypted by default; Encrypted Client Hello (ECH), the IETF effort to close this gap, is being standardized and deployed.
While DoT and DoH are the most secure and widely standardized methods for encrypting DNS, they only protect the first hop, from the client to the recursive resolver. The resolver's own queries to the authoritative DNS servers still travel in clear text. This is a gap in DoT, DoH and DNSCrypt alike. Encryption of the recursive-to-authoritative hop is still experimental in the IETF (RFC 9539 describes an opportunistic approach), and there is no widely deployed standard for it yet.
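The following added Python example (not from the post, and not DNSFilter code) shows the SNI leak described above directly. It has Python's ssl module generate a real ClientHello for a hostname entirely in memory, with no network access, and then parses the server_name extension out of the unencrypted bytes, which is exactly what an on-path observer can do regardless of whether the preceding DNS lookup used DoT or DoH. The hostname example.com is a placeholder.

```python
import ssl
import struct

def client_hello_for(hostname: str) -> bytes:
    """Have OpenSSL produce a genuine ClientHello for `hostname` without a network:
    the handshake runs against memory BIOs and stops the moment it needs the server's reply."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                      # ClientHello has been written; nothing to read yet
    return outgoing.read()

def extract_sni(record: bytes):
    """Walk the unencrypted ClientHello (RFC 8446 4.1.2) and return the server_name
    (RFC 6066 3) hostname, or None if the extension is absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_len + 4 > rec_len:
        raise ValueError("ClientHello spans several records; reassemble first")
    off = 9 + 2 + 32                                          # headers, legacy_version, random
    off += 1 + record[off]                                    # legacy_session_id
    off += 2 + struct.unpack("!H", record[off:off + 2])[0]    # cipher_suites
    off += 1 + record[off]                                    # legacy_compression_methods
    ext_end = off + 2 + struct.unpack("!H", record[off:off + 2])[0]
    off += 2
    while off + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[off:off + 4])
        off += 4
        if ext_type == 0:                                     # server_name
            # ServerNameList: 2-byte list length, then (name_type=0, 2-byte length, host_name)
            name_len = struct.unpack("!H", record[off + 3:off + 5])[0]
            return record[off + 5:off + 5 + name_len].decode("ascii")
        off += ext_len
    return None

if __name__ == "__main__":
    hello = client_hello_for("example.com")
    print(len(hello), "bytes on the wire before any encryption; SNI =", extract_sni(hello))
```

Everything the parser walks past, including the offered cipher suites and ALPN protocols, is equally visible to the observer; ECH is what moves the server_name (and the other sensitive extensions) into an encrypted inner ClientHello.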
As a DNS resolver, we support and welcome a standard for encrypting messages to authoritative DNS, and we’d love to work with providers to help put this in place.
But the point I'm trying to make is that neither DoT nor DoH is a perfect DNS encryption solution today. More work is needed, for instance enabling TLS 1.3 0-RTT resumption in all DNS-over-TLS and DNS-over-HTTPS implementations so that repeat connections cost no extra round trip, with the caveat that 0-RTT data can be replayed and should only carry idempotent queries.
While everyone is talking about DoH, it’s not because it’s the most secure or most efficient solution. It’s because right now, it’s the solution that’s getting the most press. When VHS overtook Betamax, it wasn’t because VHS was better in every way. Betamax actually provided better video quality, but VHS was cheaper and allowed people to record longer programs. VHS and Betamax both achieve the same end (recording and displaying video), similar to how DoT and DoH both provide encryption through slightly different methods.
One of the biggest impacts of the “DoH vs. DoT” debate is on the way MSPs implement network-level DNS filtering. When a browser uses its own DoH resolver, it bypasses the system-level DNS settings that filtering relies on, and because DoH shares port 443 with ordinary web traffic, it cannot simply be blocked at the firewall the way DoT on port 853 can. Some browsers offer opt-out signals (Firefox, for example, disables its automatic DoH when the network's resolver returns NXDOMAIN for the canary domain use-application-dns.net), but there is no standard method for this. We’ll go into this subject in more detail in a later blog post, as there is a lot to consider when discussing the impact on MSPs.
The Role of DNSFilter in DNS Security
At DNSFilter, we are committed to providing the most secure DNS filtering solutions available. We have chosen DoT as our primary DNS encryption method because of its efficiency and its ability to protect DNS queries at the system level. However, we recognize the growing importance of DoH, particularly for users who rely heavily on browser-based applications, and we are actively developing a DoH implementation to meet the needs of our diverse client base.
For more reading on DNS-over-TLS and how it’s implemented by DNSFilter, visit our support documentation.
If you’re an MSP interested in learning about the impact DoH has on your business, read the blog on what DNS-over-HTTPS means for your business and DNS security as a whole.