
DoH vs DoT vs DNSCrypt vs DoQ

Plain DNS travels in the open, so anyone between you and your resolver can read or change it. There are four main ways to close that gap, plus DoH3, a faster form of one of them. They protect the same thing but make different trade-offs in how they travel, how easily they can be blocked, and how widely they are supported.

[Diagram: your device reaching the resolver over five lanes. DoT: TCP + TLS, port 853. DoH: HTTPS, port 443. DoH3: HTTP/3, port 443. DoQ: QUIC, port 853. DNSCrypt: UDP/TCP, usually port 443.]

Five lanes to the same place; the two QUIC-based lanes (DoH3, DoQ) move quickest. The difference is the road each takes and how hard it is to close.

They all carry the same payload, a DNS question and its answer, inside encryption. What separates them is the transport they ride on, the port they use, and the practical consequences of those two choices.

Why DNS gets encrypted at all

Traditional DNS runs over port 53 with no protection. The name you are looking up, and the address that comes back, travel as plain text. Anyone positioned on the path, the local network, the internet provider, anything in between, can read which sites you are reaching and can even alter the answer to send you somewhere else.

Encryption fixes two things at once: it hides the contents of the lookup from everyone on the path, and it authenticates the resolver (TLS checks its certificate, DNSCrypt checks its signed key), so an on-path party can no longer alter the answer in transit. Two limits are worth keeping in mind throughout. Encryption protects the lookup from the network, not from the resolver you chose: the resolver still sees every query, so which resolver you trust matters as much as the protocol you use to reach it. And it does not vouch for the data itself; a resolver can return a wrong or filtered answer over a perfectly encrypted channel.

The four protocols

DNS over TLS (DoT)

RFC 7858 · 2016 · port 853

DoT wraps ordinary DNS in a TLS connection on its own dedicated port. It is the most straightforward of the four: the message format does not change; the usual TCP DNS message, two-byte length prefix and all, is simply carried inside TLS. Because it has a port of its own, it is easy to reason about and easy to operate, which is why it became the standard for system-level encrypted DNS, including Android's Private DNS and systemd-resolved on Linux.

The same dedicated port is its weakness. Traffic on port 853 is unmistakably DNS, so a restrictive network can identify and block it without touching anything else. What happens next depends on the client: in opportunistic mode (Android's Automatic setting, systemd-resolved's DNSOverTLS=opportunistic) it silently falls back to plain port 53, while strict mode (a hostname entered in Private DNS, DNSOverTLS=yes) refuses to resolve at all.

DNS over HTTPS (DoH)

RFC 8484 · 2018 · port 443

DoH sends the lookup as an HTTPS request on port 443, the same port that carries nearly all web traffic. To anything watching by port alone it looks like an ordinary connection to a website, so it is the hardest of the four to single out and block. It is not invisible, though: the resolver's address is public and its name normally appears in the TLS handshake (the SNI), so a network can still blocklist known resolvers; what it cannot do is cut off DoH without such a list. It is also the only one browsers implement directly (DoH3 is the same protocol over HTTP/3), which is why Chrome, Edge, and Firefox can use encrypted DNS without any help from the operating system.

The cost is a little more overhead from the HTTP layer wrapped around each query, and the fact that a browser doing its own DoH can quietly disagree with the rest of the system: the browser's lookups go to its configured resolver while every other application on the device still uses the system resolver, possibly in plain text on port 53. That split is a common source of confusion and of leaks.

DNS over QUIC (DoQ)

RFC 9250 · 2022 · port 853

DoQ carries DNS over QUIC, the modern UDP-based transport that also underpins HTTP/3. It keeps the encryption and authentication of TLS, sets up connections in fewer round trips, and runs each query on its own QUIC stream, so a lost packet delays only the query it belonged to instead of everything queued behind it on a single TCP connection. That makes it noticeably better on lossy or high-latency links, such as mobile networks.

It is newer than DoH and DoT, so support is still growing, and like DoT it uses port 853, which a network can block. The next entry, DoH3, keeps QUIC's speed while moving back to port 443.

DNS over HTTP/3 (DoH3)

DoH (RFC 8484) carried over HTTP/3 (RFC 9114) · port 443

DoH3 is not a separate protocol so much as a combination of the two entries before it: it is DNS over HTTPS, but the HTTPS rides on HTTP/3, which runs on QUIC. So it keeps DoH's defining advantage, port 443 that blends in with all other web traffic and resists blocking, while gaining QUIC's faster connection setup and its resistance to a single lost packet stalling the rest.

In practice it is the strongest all-round choice where it is available: hard to block like DoH, quick to recover like DoQ. Support depends on both the resolver and the client speaking HTTP/3, which is now common in current browsers and clients. One caveat: HTTP/3 runs on UDP port 443, which some corporate firewalls drop to force QUIC back onto TCP; clients normally fall back to ordinary DoH over HTTP/2 on TCP 443, losing the speed but not the encryption. This is the form this service runs natively.
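How the wrapping differs in practice, as an added example that is not part of the original guide and not this service's code: the same wire-format question is built once and then framed the way DoT, DoQ and DoH each carry it, and one parser reads the answer regardless of transport. The resolver name dns.example, the path /dns-query and the embedded response bytes are assumptions constructed for the demo; only query_over_dot touches the network, and only when you call it with a live DoT resolver.

```python
"""Added example, not code from the original guide: one DNS question framed for
each IETF transport. The query is built once in wire format; only the wrapping
changes per transport. query_over_dot() really opens a TLS session on port 853
when called with a live resolver; everything else runs offline."""
import base64
import socket
import ssl
import struct

RESOLVER_HOST = "dns.example"   # assumed resolver name, not a real service
DOH_PATH = "/dns-query"         # the path RFC 8484 uses in its examples

def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Wire-format query: 12-byte header with RD set, QNAME labels, QTYPE, IN.
    Message ID defaults to 0: RFC 8484 recommends it (cacheable GETs) and
    RFC 9250 requires it."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def dot_frame(query: bytes) -> bytes:
    """DoT (RFC 7858): plain TCP DNS framing, a 2-byte big-endian length
    prefix, carried inside TLS on port 853. The DNS bytes are untouched."""
    return struct.pack("!H", len(query)) + query

def doq_frame(query: bytes) -> bytes:
    """DoQ (RFC 9250): one query per bidirectional QUIC stream, the same 2-byte
    length prefix, and the Message ID MUST be 0 on the wire."""
    if query[:2] != b"\x00\x00":
        raise ValueError("DoQ requires DNS Message ID 0")
    return struct.pack("!H", len(query)) + query

def doh_get_url(query: bytes) -> str:
    """DoH (RFC 8484) GET form: base64url without padding in the 'dns' parameter.
    The POST form sends the raw bytes as the body with
    Content-Type: application/dns-message; DoH3 is the same request over HTTP/3."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{RESOLVER_HOST}{DOH_PATH}?dns={encoded}"

def parse_name(msg: bytes, offset: int) -> tuple:
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # compression pointer
            end = end if end is not None else offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_a_answers(msg: bytes) -> list:
    """IPv4 addresses from the answer section of a wire-format response. The
    same parser serves every transport, which is the guide's point."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset, addrs = 12, []
    for _ in range(qd):                             # skip the echoed question
        _, offset = parse_name(msg, offset)
        offset += 4
    for _ in range(an):
        _, offset = parse_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return addrs

def _read_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def query_over_dot(host: str, name: str, port: int = 853) -> list:
    """Send one query over DoT to a live resolver and return its A records.
    The certificate is checked against the system trust store and the host
    name, which is what makes this strict rather than opportunistic DoT."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=5)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(dot_frame(build_query(name)))
        (length,) = struct.unpack("!H", _read_exact(tls, 2))
        return parse_a_answers(_read_exact(tls, length))

# Constructed response for the offline demo (not captured from any resolver):
# QR/RD/RA set, question echoed, one A record named by a pointer to offset 12.
DEMO_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                 + build_query("www.example.com")[12:]
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                 + bytes([192, 0, 2, 1]))
```

Two details the framing makes visible: DoT and DoQ carry the same two-byte length prefix as plain TCP DNS, and DoQ additionally insists on Message ID 0, which is why doq_frame rejects a query with a non-zero ID. The DoH GET URL for www.example.com comes out as the exact dns= string RFC 8484 uses in its own GET example, a quick check that the encoding is right.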

DNSCrypt

community protocol (not an IETF standard) · v2 · usually port 443

DNSCrypt is the oldest of the group and the only one that is not an IETF standard. It predates DoH and DoT and uses its own public-key scheme rather than TLS: the client already holds the provider's long-term public key (shipped in the server's stamp), fetches a certificate carrying the resolver's short-term key, verifies the provider's signature on it, and only then encrypts queries to that short-term key. It is driven by a community client, dnscrypt-proxy, rather than being built into operating systems, so it needs that client installed to work.

Its standout feature is Anonymized DNSCrypt, which routes the query through a relay so the resolver answering it never sees your address, separating who is asking from what is asked. The standardized answer to this, Oblivious DoH (RFC 9230), was specified but barely shipped, so in practice this remains DNSCrypt's own territory.

Side by side

                          DoT          DoH            DoH3              DoQ          DNSCrypt
Transport                 TCP + TLS    HTTPS (TCP)    HTTP/3 (QUIC)     QUIC (UDP)   UDP / TCP
Port                      853          443            443               853          443
Standard                  RFC 7858     RFC 8484       RFC 8484 + 9114   RFC 9250     Community
In the browser            No           Yes            Yes               No           No
Built into OS             Common       Growing        Growing           Limited      Client
Blocking resistance       Medium       High           High              Medium       High
Latency on lossy links    Fair         Fair           Best              Best         Fair
Source anonymity option   No           No             No                No           Relays

Ratings are practical generalisations, not absolutes; a specific resolver or network can shift any of them.

What actually separates them

Privacy from the network is a tie. They all hide the lookup contents from everyone between you and the resolver. If that is your only goal, any of them does the job.

Privacy from the resolver is where they part. By default the resolver you connect to still sees every query, whichever protocol you used. The practical way to break that link is a relay: the client sends each query through a relay so the resolver answering it never learns your address. Anonymized DNSCrypt does exactly this, set up in dnscrypt-proxy: the relay sees your address but only an encrypted query it cannot read, and the resolver reads the query but sees only the relay's address. The split holds only if the relay and the resolver are run by different parties; together they could rejoin the two halves. Oblivious DoH was the standardized attempt at the same idea but never saw real deployment, so for now relays are effectively DNSCrypt's domain.

Resistance to blocking follows the port, with two caveats. DoH, DoH3, and DNSCrypt sit on 443 alongside normal web traffic and are hard to isolate by port alone; DoT and DoQ sit on 853, which a network can block outright when it wants to force DNS back into the open. The caveats: DNSCrypt shares the port but not the TLS framing, so inspection that looks past the port number can still pick it out; and any of the five can be stopped by blocking the resolver's own address, which is why a determined network blocklists known public resolvers rather than ports.

Performance and reach favour different winners. DoQ and DoH3 handle packet loss best and connect fastest; DoT and DoH are well supported and perfectly fast on stable links; DoH and DoH3 are the ones that work inside a browser with no system changes; DNSCrypt needs its own client but brings relay anonymity the others lack natively.

Which should you use

Most people

DoH or DoT, whichever your system or browser already offers. Both are well supported, and the practical difference for everyday use is small.

Restrictive networks

DoH on port 443 blends with web traffic and is the hardest to block. DNSCrypt on 443 is a strong alternative.

Mobile or lossy links

DoQ, or DoH over HTTP/3, where available. QUIC recovers from packet loss without stalling, which shows on cellular connections.

Maximum source anonymity

Anonymized DNSCrypt relays through dnscrypt-proxy, so the resolver answering your queries cannot tie them to you. Oblivious DoH was the standardized attempt but saw little real adoption.

The bottom line

If you only want the short answer, here is how the five sort out on the questions people actually ask. Each verdict assumes the resolver and the client both support the protocol.

Fastest

DoQ & DoH3

Both ride QUIC, so they finish their handshake in fewer round trips and a single lost packet never holds up the ones behind it. The lead is widest on mobile and other lossy links; on a stable wired connection the rest are close behind.

Most stable & compatible

DoT & DoH

The mature pair. DoT is the native standard on Android and Linux; DoH is built into every major browser and into Windows 11. If you want something that simply works on the widest range of devices today, start with these two.

Hardest to block

DoH & DoH3

Both sit on port 443 next to ordinary web traffic, so a network cannot single them out by port without breaking the rest of the web; it has to blocklist the resolver itself. On a restricted or filtered connection this is usually the deciding factor. DNSCrypt on 443 is a close third.

Easiest to turn on

DoH & DoT

DoH is a single toggle in Chrome, Edge, Firefox, and Windows 11. DoT is one hostname field in Android's Private DNS. Neither needs an extra app or a configuration file, unlike DNSCrypt, which needs its own client.

Best for source privacy

DNSCrypt

Anonymized DNSCrypt routes your query through a relay (configured in dnscrypt-proxy), so the resolver that answers never sees who asked. Oblivious DoH aimed to bring the same split to DoH but never really shipped, which leaves DNSCrypt's relays the one option you can actually use today.

Best all-round

DoH3

Where it is supported it gives you everything that matters at once: the port-443 blending that resists blocking, QUIC's speed and loss recovery, and browser support with no extra software. If your resolver and client both speak it, it is the strongest default. It is the form this service runs natively.

What matters more than the protocol

Once the lookup is encrypted, the larger questions are who answers it and whether your setup actually uses the encrypted path. A protocol you trust pointed at a resolver you do not is a poor trade, and an encrypted resolver that your device quietly bypasses protects nothing.

This service answers over DNS over HTTPS, DNS over TLS, and HTTP/3; the protocols page lists what is offered and the setup guide has the per-platform steps. After you configure any of them, confirm it took effect: how the DNS leak test works explains the check, and you can run the leak test to see which resolver actually answered.

Pick one and confirm it works

Configure an encrypted protocol, then verify the lookups really travel it.