Technical Specification

Next-Gen DNS Protocols

Deep dive into the architecture of modern encrypted DNS. Understanding the performance characteristics, security models, and implementation differences.

Protocol Comparison

Benchmarking Speed, Privacy, and Reliability

DoH

RFC 8484
Stealth (Privacy): High
Connection Speed: Medium

Port 443: Blends with web traffic. Hardest to block.

Best for: Bypassing Censorship

DoT

RFC 7858
Stealth (Privacy): Low
Connection Speed: Medium

Port 853: Dedicated port. Easily blocked by firewalls.

Best for: Android / OS Integration

DoQ

RFC 9250
Stealth (Privacy): Medium
Connection Speed: Ultra

QUIC/UDP: 0-RTT handshake. Avoids the lag that packet loss causes on a single TCP stream.

Best for: Low Latency / Mobile

DNS over HTTPS

RFC 8484 • Port 443

DoH encapsulates DNS queries inside standard HTTPS (HTTP/2) traffic. Because it uses port 443, the same port as all web traffic, a censor cannot block it by port alone without also breaking ordinary web access.

Why we use it

It is the gold standard for bypassing firewalls and ISP filtering. Browsers (Chrome, Firefox) prioritize it for its stealth.

Wire Format (HTTP/2): GET / POST

    :method = POST
    :scheme = https
    :path = /dns-query
    accept: application/dns-message
    content-type: application/dns-message
    content-length: 56
    <Binary DNS Packet>

Connection Flow (TLS 1.3)

    TCP Handshake (SYN/ACK)
    TLS Client Hello
    Encrypted Tunnel Established
    [Length] [DNS Query]

DNS over TLS

RFC 7858 • Port 853

DoT is the "purest" encrypted DNS protocol. It strips away the HTTP overhead and wraps standard DNS packets directly in a TLS tunnel over TCP. This makes it slightly more bandwidth-efficient than DoH.

Built for OS

It is the native standard for Android ("Private DNS") and iOS. It maintains a persistent connection to reduce latency.
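The following is an added example, not code from this page or this service. It builds a DNS query in RFC 1035 wire format and shows how the same bytes are carried by the two protocols above: DoH (RFC 8484, POST body or base64url in the GET query string, with message ID 0 so identical queries produce cacheable requests) and DoT (RFC 7858, a 2-byte length prefix in front of each message on the TLS stream). The resolver hostname resolver.example and the /dns-query path are assumed values; the unframing helper also shows the check a DoT client needs when a frame arrives in pieces.

```python
# Added example (not part of the original page). Builds a DNS query and
# encodes it for DoH (RFC 8484) and DoT (RFC 7858). Hostnames are assumptions.
import base64
import struct


def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Return a DNS query (RFC 1035 wire format) for `name`; qtype 1 = A.
    RFC 8484 recommends ID 0 so identical queries yield identical HTTP requests."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_post_request(query: bytes, host: str, path: str = "/dns-query") -> bytes:
    """HTTP/1.1-style rendering of the RFC 8484 POST exchange (HTTP/2 carries
    the same pseudo-headers in binary form). `host` is an assumed resolver name."""
    head = (f"POST {path} HTTP/1.1\r\n"
            f"host: {host}\r\n"
            "accept: application/dns-message\r\n"
            "content-type: application/dns-message\r\n"
            f"content-length: {len(query)}\r\n\r\n")
    return head.encode("ascii") + query


def doh_get_path(query: bytes, path: str = "/dns-query") -> str:
    """RFC 8484 GET: the message goes in ?dns= as base64url WITHOUT '=' padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={encoded}"


def decode_doh_get(path: str) -> bytes:
    """Server side of the GET form: restore padding, then base64url-decode."""
    encoded = path.split("dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


def dot_frame(message: bytes) -> bytes:
    """RFC 7858 framing: 2-byte big-endian length prefix before each message."""
    return struct.pack("!H", len(message)) + message


def dot_unframe(stream: bytes) -> tuple[list[bytes], bytes]:
    """Split a TLS/TCP byte stream into complete DNS messages.
    Returns (messages, leftover); leftover is a partial frame the caller
    must keep until more bytes arrive, never a message to act on."""
    messages, offset = [], 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, offset)
        if offset + 2 + length > len(stream):
            break  # partial frame: wait for the rest
        messages.append(stream[offset + 2:offset + 2 + length])
        offset += 2 + length
    return messages, stream[offset:]


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_post_request(q, "resolver.example"))  # assumed host
    print(doh_get_path(q))
    print(dot_unframe(dot_frame(q) + dot_frame(q)))
```

A DoT client that reads with a plain `recv()` and hands every returned buffer to the DNS parser will mis-parse as soon as two responses are coalesced or one is split; the leftover returned by `dot_unframe` is the state that has to be carried across reads.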

DNS over QUIC

RFC 9250 • UDP

DoQ solves the "Head-of-Line Blocking" problem. By using QUIC (over UDP) instead of TCP, it allows multiple queries to be resolved in parallel without waiting for lost packets to be retransmitted.

0-RTT: Faster connection setup than TCP+TLS.
Roaming: Survives switching from WiFi to 5G.

QUIC Stream (Stream ID: 4)

    // No TCP Handshake
    Query A: google.com -> Sent
    Query B: youtube.com -> Sent
    Query A: [Lost Packet] Ignored
    Query B: Result Processed!
    * Query B not blocked by A's loss

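As an added example (not from this page), the toy model below shows the head-of-line blocking difference just described. Two constructed "responses" are sent as segments: on TCP all segments form one ordered byte stream, so a loss stalls everything sent after it; on QUIC each stream (client-initiated bidirectional streams are numbered 0, 4, 8, ... in RFC 9000, matching the Stream ID 4 in the illustration) reassembles on its own, so B is delivered while A waits for retransmission. The payload bytes and segment sizes are constructed, not real DNS traffic.

```python
# Added example (not part of the original page): per-stream vs in-order
# delivery. Segments and payloads are constructed for illustration.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Segment:
    stream_id: int      # QUIC stream; for TCP every segment shares one byte stream
    offset: int         # byte offset within that stream
    data: bytes
    lost: bool = False


# Constructed stand-ins for two DNS responses: A on stream 0, B on stream 4.
RESPONSE_A = b"A" * 40
RESPONSE_B = b"B" * 30
EXPECTED = {0: len(RESPONSE_A), 4: len(RESPONSE_B)}


def split(stream_id: int, payload: bytes, chunk: int) -> list[Segment]:
    return [Segment(stream_id, off, payload[off:off + chunk])
            for off in range(0, len(payload), chunk)]


SENT = split(0, RESPONSE_A, 20) + split(4, RESPONSE_B, 30)  # send order


def drop(segments: list[Segment], stream_id: int, offset: int) -> list[Segment]:
    """Mark one segment as lost on the wire."""
    return [replace(s, lost=True) if (s.stream_id, s.offset) == (stream_id, offset)
            else s for s in segments]


def contiguous(segs: list[Segment]) -> bytes:
    """Bytes deliverable from offset 0 with no gap (the reassembly rule)."""
    buf = b""
    for seg in sorted(segs, key=lambda s: s.offset):
        if seg.offset > len(buf):
            break                     # gap: later data waits for retransmission
        buf += seg.data[len(buf) - seg.offset:]   # tolerate overlap
    return buf


def reassemble(segments: list[Segment], expected: dict[int, int]) -> dict[int, bytes]:
    """A stream's message is delivered once all of its bytes are present."""
    per_stream: dict[int, list[Segment]] = {}
    for seg in segments:
        if not seg.lost:
            per_stream.setdefault(seg.stream_id, []).append(seg)
    delivered = {}
    for sid, segs in per_stream.items():
        data = contiguous(segs)
        if len(data) == expected[sid]:
            delivered[sid] = data
    return delivered


def deliver_quic(segments: list[Segment], expected: dict[int, int]) -> dict[int, bytes]:
    """QUIC: streams are independent, so each is reassembled on its own."""
    return reassemble(segments, expected)


def deliver_tcp(segments: list[Segment], expected: dict[int, int]) -> dict[int, bytes]:
    """TCP: one ordered byte stream; nothing after the first loss is readable
    until that segment is retransmitted (head-of-line blocking)."""
    in_order = []
    for seg in segments:
        if seg.lost:
            break
        in_order.append(seg)
    return reassemble(in_order, expected)


if __name__ == "__main__":
    lossy = drop(SENT, stream_id=0, offset=0)
    print("QUIC delivered streams:", sorted(deliver_quic(lossy, EXPECTED)))  # [4]
    print("TCP delivered streams:", sorted(deliver_tcp(lossy, EXPECTED)))    # []
```

The same model also shows the limit of the benefit: a loss that hits stream B itself still delays B on QUIC, and on TCP it delays only what was sent after it, so DoQ removes cross-query stalls, not the retransmission delay of the query that was actually hit.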
The Hybrid Solution

HTTP/3 DNS

We fully support h3 on our DoH endpoint. This is technically "DNS over HTTPS" but swaps the underlying TCP transport for QUIC. It gives you the stealth of DoH (Port 443) with the speed of UDP.

    alt-svc: h3=":443"; ma=86400

Protocol: h3 (QUIC + TLS 1.3)
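How a client acts on that alt-svc header is worth seeing in code. The parser below is an added example, not code from this page or its service: it reads an Alt-Svc value (RFC 7838) into protocol, alternative host/port, max-age (ma, default 86400 seconds) and persist flag, handles the "clear" form and quoted values, and decides whether a cached h3 advertisement is still fresh. It only upgrades to an alternative on the same host; an alternative naming a different host must present a certificate valid for the origin before it may be used, and that check is left to the TLS layer.

```python
# Added example (not part of the original page): parse RFC 7838 Alt-Svc and
# decide whether to switch the DoH endpoint to HTTP/3. Sample headers are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AltService:
    protocol: str    # ALPN id, e.g. "h3"
    host: str        # "" means the same host as the origin
    port: int
    max_age: int     # seconds the advertisement may be cached (ma, default 86400)
    persist: bool    # persist=1: keep across network changes


def _split_outside_quotes(text: str, sep: str) -> list[str]:
    """Split on `sep` but not inside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def parse_alt_svc(value: str) -> list[AltService]:
    """Parse an Alt-Svc header value into its alternatives ("clear" yields none)."""
    if value.strip().lower() == "clear":
        return []
    services = []
    for entry in _split_outside_quotes(value, ","):
        parts = [p.strip() for p in _split_outside_quotes(entry, ";")]
        proto, _, authority = parts[0].partition("=")
        authority = authority.strip().strip('"')
        host, _, port = authority.rpartition(":")   # also handles "[::1]:443"
        max_age, persist = 86400, False
        for param in parts[1:]:
            key, _, val = param.partition("=")
            key, val = key.strip().lower(), val.strip().strip('"')
            if key == "ma":
                max_age = int(val)
            elif key == "persist":
                persist = val == "1"
        services.append(AltService(proto.strip(), host, int(port), max_age, persist))
    return services


def pick_h3(header: str, received_at: float, now: float) -> Optional[int]:
    """Return the port of a still-fresh, same-host h3 alternative, else None.
    `received_at` and `now` are epoch seconds; the entry expires after max_age."""
    for svc in parse_alt_svc(header):
        if svc.protocol == "h3" and svc.host == "" and now < received_at + svc.max_age:
            return svc.port
    return None


if __name__ == "__main__":
    # Constructed sample matching the header shown on the page.
    print(parse_alt_svc('h3=":443"; ma=86400'))
    print(pick_h3('h3=":443"; ma=86400', received_at=0.0, now=3600.0))  # 443
```

Expiring the cached entry matters for the privacy story: once ma elapses the client must fall back to the HTTP/2 DoH path and wait for a fresh advertisement rather than keep sending to a port the server may no longer serve.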