DNS is an old protocol lacking all forms of security. Yet, it is one of the most fundamental protocols of the Internet. DoT and DoH are improvements to add transport security to the DNS protocol by reusing the same security layers used by HTTP: TLS. Both DoT and DoH use TLS. DoH adds HTTP/2 between DNS and TLS for the framing. DoT also has a framing layer inherited from DNS over TCP, but it is ridiculously simple compared to HTTP/2.
Both protocols offer similar advantages but they have some key differences:
- DoT uses a custom port (853) which can be easily blocked by firewalls while DoH uses the same port and protocol as used for HTTPS (443), making it harder to block or even detect.
- The HTTP/2 protocol used by DoH is significantly more complex than the basic framing employed by DoT. The advantage of DoH is that most HTTP/2 implementations are battle tested and offer good performance, while most DoT implementations get the DoT “spec” wrong, leading to poorer performance. When properly implemented, DoT offers lower complexity, which may theoretically have a small positive impact on battery usage, but it might be a drop in the bucket compared to TLS. The difference in latency should be non-perceivable though.
- As DoH uses HTTP, when implemented into a browser, there is the concern of having the same tracking capabilities as used on the web (user-agent, cookies etc.).
Some experts like Paul Vixie recommend DoT over DoH. We don’t share this position and generally recommend DoH as it has less chances of being blocked and implementations are often better.
In our official apps we use a custom version of DoH that offloads more work (UDP/IP de/encap) on our server to reduce on-device workload. We think it is the best tradeoff between performance, compatibility and battery usage.