What is DNS over TLS (DoT), DNS over Quic (DoQ) and DNS over HTTPS (DoH & DoH3)?

DNS is an old protocol with no built-in security of any kind, yet it is one of the most fundamental protocols of the Internet. DoT and DoH add transport security to DNS by reusing the same security layer that HTTPS uses: TLS. Both DoT and DoH use TLS. DoH adds HTTP/2 between DNS and TLS for framing. DoT also has a framing layer, inherited from DNS over TCP, but it is ridiculously simple compared to HTTP/2. Both run on top of TCP.

More recently, Quic was added to the mix. Quic is an odd beast that takes TCP, TLS and the stream capability of HTTP/2 and merges them into a natively encrypted protocol implemented on top of UDP. From this new transport protocol we get two new variants: DoQ, which is similar to DoT but uses the stream capability of Quic instead of the DNS over TCP framing, and DoH3, which is DNS over HTTPS/3, HTTP/3 being HTTP over Quic.

All these protocols offer similar advantages, but they have some key differences:

  • DoT and DoQ use custom ports (tcp/853 and udp/8853 respectively) which can easily be blocked by firewalls, while DoH uses the same port and protocol as all HTTPS web traffic (tcp/443), making it harder to block or even detect. DoH3 uses udp/443, so it is easier to block, but it is still indistinguishable from other web traffic using this protocol, and HTTP/3-capable clients can fall back to HTTP/2 when this happens.
  • The HTTP/2 protocol used by DoH is significantly more complex than the basic framing employed by DoT. The advantage of DoH is that most HTTP/2 implementations are battle tested and offer good performance, while most DoT implementations get the DoT “spec” wrong, leading to poorer performance. When properly implemented, DoT offers lower complexity, which may theoretically have a small positive impact on battery usage, but it is likely a drop in the bucket compared to TLS. The difference in latency should be imperceptible though.
    DoQ and DoH3, on the other hand, both use the same framing provided by the Quic protocol, which is greatly inspired by HTTP/2. The difference in complexity between DoQ and DoH3 is thus even thinner than between DoT and DoH.
  • As DoH uses HTTP, when it is implemented in a browser there is the concern of having the same tracking capabilities as on the web (user-agent, cookies etc.). To date, no popular client, browsers included, sends any fingerprintable headers; they run with no cookie jar and don't even send a user-agent.
  • DoQ and DoH3 are more resilient to packet loss. DoT and DoH run on top of a single TCP connection, meaning that when a packet is lost, all DNS queries or responses after that packet have to wait for the lost packet to be retransmitted (this is called head-of-line blocking). Thanks to Quic's stream design, a single Quic session can carry multiple independent streams, and the loss of a packet only affects the stream it belongs to. With both DoQ and DoH3, each DNS query/response is isolated in its own stream, eliminating the head-of-line blocking issue described above. These protocols are thus particularly well suited to mobile or highly congested networks, but won't make any substantial difference on a healthy network. One drawback is that Quic is implemented entirely in userland and thus requires more CPU and battery to run than TCP. This can be an issue for bandwidth-intensive applications, but DNS being pretty light, the difference should be negligible with most implementations.
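To make the framing difference concrete, here is an added example (not NextDNS code) that encodes a DNS query and wraps it the DoT way (the DNS-over-TCP 2-byte length prefix) and the DoH way (RFC 8484 GET URL and POST request); the resolver URL is a placeholder.

```python
import base64
import struct
from typing import Dict, List, Tuple

# Constructed placeholder; a real DoH endpoint (e.g. a NextDNS profile URL) goes here.
DOH_URL = "https://doh.example.invalid/dns-query"


def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Encode a minimal DNS wire-format query (RFC 1035): 12-byte header + one question.
    Message ID 0 is what RFC 8484 recommends for DoH so identical queries are cacheable."""
    flags = 0x0100  # QR=0 (query), RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"  # zero-length root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def frame_dot(message: bytes) -> bytes:
    """DoT (RFC 7858) reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(message)) + message


def unframe_dot(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Split a DoT byte stream into complete messages; return any trailing partial bytes.
    Everything arrives in order on the one TCP connection, which is why a lost segment
    stalls every message behind it (head-of-line blocking)."""
    messages = []
    while len(stream) >= 2:
        (length,) = struct.unpack("!H", stream[:2])
        if len(stream) < 2 + length:  # message not fully received yet
            break
        messages.append(stream[2:2 + length])
        stream = stream[2 + length:]
    return messages, stream


def doh_get_url(message: bytes, base_url: str = DOH_URL) -> str:
    """DoH (RFC 8484) GET: wire message base64url-encoded, unpadded, in the dns= parameter."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def doh_post_request(message: bytes, url: str = DOH_URL) -> Dict[str, object]:
    """DoH POST: the raw wire message is the body, typed application/dns-message."""
    return {
        "method": "POST",
        "url": url,
        "headers": {"content-type": "application/dns-message",
                    "accept": "application/dns-message"},
        "body": message,
    }


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("DoT frame:", frame_dot(q).hex())
    print("DoH GET:  ", doh_get_url(q))
```

The GET encoding of the www.example.com query matches the worked example in RFC 8484, which is a handy check when debugging a client.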

Some experts like Paul Vixie recommend DoT over DoH. We don’t share this position and generally recommend DoH: it has less chance of being blocked, implementations are often better, and clients supporting HTTP/3 can automatically benefit from it, or fall back in case of issues, thanks to the Alt-Svc/HTTPSSVC protocol negotiation.
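As an added example, not code from NextDNS or any client, this parses an Alt-Svc header (RFC 7838) the way a client does to decide whether to try HTTP/3 on the next connection or keep its HTTP/2 one; the header value and hostnames are constructed, and a client that only implements older h3 drafts correctly finds no match.

```python
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import unquote

# Constructed Alt-Svc value of the kind an HTTP/2 DoH response might carry: final HTTP/3
# ("h3"), draft 29, and an HTTP/2 alternative on another host (placeholder names).
SAMPLE_ALT_SVC = 'h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h2="alt.example.invalid:8443"'

# Split on commas that sit outside quoted strings (alt-authority is always quoted).
_TOP_LEVEL_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_alt_svc(header: str) -> List[Dict[str, object]]:
    """Parse an Alt-Svc header (RFC 7838) into alternatives; 'clear' invalidates all."""
    if header.strip().lower() == "clear":
        return []
    alternatives = []
    for entry in _TOP_LEVEL_COMMA.split(header):
        fields = [f.strip() for f in entry.split(";")]
        proto, sep, authority = fields[0].partition("=")
        if not sep:  # malformed or empty entry: skip rather than guess
            continue
        host, _, port = authority.strip('"').rpartition(":")  # assumes no bracketed IPv6
        params = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        alternatives.append({
            "alpn": unquote(proto.strip()),  # protocol-id is a percent-encoded ALPN token
            "host": host or None,            # empty host: same host as the origin
            "port": int(port),
            "max_age": int(params.get("ma", "86400").strip('"')),  # default 24h per RFC 7838
        })
    return alternatives


def choose_alternative(header: str, supported_alpns: Set[str],
                       origin_host: str) -> Optional[Tuple[str, str, int]]:
    """Return (alpn, host, port) for the first advertised alternative the client implements,
    or None, in which case the client simply keeps its existing HTTP/2 connection.
    A client that only speaks old drafts (e.g. h3-27) finds nothing here: that is the
    draft-version mismatch the Mozilla note quoted in the thread below describes."""
    for alt in parse_alt_svc(header):
        if alt["alpn"] in supported_alpns:
            return alt["alpn"], alt["host"] or origin_host, alt["port"]
    return None


if __name__ == "__main__":
    print(choose_alternative(SAMPLE_ALT_SVC, {"h3", "h3-29"}, "doh.example.invalid"))
    print(choose_alternative(SAMPLE_ALT_SVC, {"h3-27"}, "doh.example.invalid"))
```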

NextDNS supports all 4 protocols. See the setup tab for more information on how to use them.

  • Olivier Poitrey are the DOH3 and DOQ available now in the Set Up tab as per above? I can’t seem to find them. How can I use them in iOS/iPadOs/macOS?

    • Lady Arwen DoH3 upgrade is automatic when supported. As of today, current versions of iOS/iPadOS and macOS do not support DoH3 yet, but we are working with Apple to make this work in future builds.

    • Olivier Poitrey Thank you! How about DOQ? I don’t think it will be supported by iOS natively anytime soon. Is DOQ via the NextDNS App?

      thanks a lot! ✌🏻✌🏻 xx

    • Lady Arwen it is unlikely that DoQ will be supported by Apple. The industry is heavily leaning in the direction of DoH with Android being the only vendor to have favored DoT. Next version of Windows 10 will support DoH natively and probably DoH3 soon after. I wouldn’t bet on DoQ being widely implemented / deployed any time soon. It does not provide any substantial benefits over DoH3.

    • Olivier Poitrey any update yet? The best we can get is SOME DoH3 on iOS and Mac but it’s only on browsers and for iOS it’s a temporary thing until it falls back to DoH because of the stupid lock screen.

  • I’m happy with dns over https because I’m worried about it being detected by my isp if I use any other method. dns over https is the most disguised one

  • "DoH3 uses udp/443, so it is easier to block"

    Why doesn’t it use tcp?

    • RouterCFW HTTP/3 uses Quic as transport. Quic is over UDP. More and more services are adding HTTP/3 support, so over time it will be as indistinguishable as tcp/443.

    • Olivier Poitrey No, it can still be recognized. At present, mainland China has blocked many overseas suppliers that provide DOH and DOT, such as opendns, nextdns, Cloudflare DNS, AdGuard DNS, Quad9 DNS and so on.
      At present, the resolved domain names of these encrypted dns can be blocked through SNI. For example, if the third-level domain name contains keywords such as DNS and DOH, it will be blocked as follows:
      "Dns.example.com", "doh.example.com".
      I tested it on my own server and it has been verified.
      Whether it is DOH or DOT, it is currently impossible to achieve full-process encryption. If you add a new protocol, such as DoQ, it will be easier to identify, and the feature is too obvious, so the port number will be blocked directly.
      I also think DoH should be the main development direction. It would be better if SNI encryption can be completed without being recognized. China can also block SNI encryption; it is too powerful.

      https://gfw.report/blog/gfw_esni_blocking/en/

    • Olivier Poitrey According to the IETF doc "Servers MAY serve HTTP/3 on any UDP port". Hoping you guys run this on UDP 443 to be able to really blend in with QUIC. Thanks!

    • Jason Hawkins we run HTTP/3 on port UDP/443 already.

  • as a novice user, I would like to know if dns over quic has any settings or is it already set in the server network? and whether it has been implemented in Private DNS on Android (DNS over TLS)?

    • Leo it’s available on the server but Android does not support it yet.

    • Olivier Poitrey Oh, I see. How to use dns over quic in NextDNS Cli on Windows? Are there no settings to set it?

    • Leo HTTP/3 will be added to our windows client soon.

    • Olivier Poitrey Okay. If I may know, dns over quic now only occurs on what platform and how do I activate it?

    • Leo there is no platform supporting DoQ, and it's not clear if there will be one in the future. If anything, Android would most likely be the one. HTTP/3 on the other hand is already supported by Chrome DoH, Firefox DoH and should be included in a next rev of iOS/macOS. DoH support in Windows might follow.

    • Olivier Poitrey Will HTTP/3 be added to the Linux cli's as well? Looking forward to benchmarking a couple of my pi's running the cli clients. 

    • Jason Hawkins it’s already there in the master. Will be released with the next revision.

    • Olivier Poitrey So DoQ is live now in the CLI v1.32.0? 😄 How do we know if it's using it or not?! Should "Protocol:" when running test.nextdns.io say "DOQ" or something similar?! For me it's still "DOH".

    • Jörgen A it’s DoH3 (DoH over Quic if you prefer). The CLI needs the HTTP layer to transport LAN host info when report-client-info is enabled.

    • Olivier Poitrey Got it... 🙂 So DoH3 will not work for me, since I want to identify my devices. Maybe will disable report-client-info a while, just to test it out 😉

    • Jörgen A DoH3 will work for you, DoQ won't. I know it's confusing but DoQ is to DoT what DoH3 is to DoH. Both DoQ and DoH3 are on top of Quic.

    • Olivier Poitrey Yeah, it is kinda confusing with all protocols/layers 😉 I still only see "DOH" when using the CLI v1.32.0, but should it say "DoH3" under Protocols when using test.nextdns.io?

    • Jörgen A so CLI supports DoH3 and our servers too, but only when specifically using doh3.dns.nextdns.io, so the CLI does not automatically discover it. We are not ready to enable DoH3 by default, because there are still some problems with some DoH3 capable browsers. We might release another version of CLI with an option to force the http3 hostname.

    • Olivier Poitrey that would be cool to test out. I too was looking forward to seeing DoH3 when I updated my Ubuntu cli’s yesterday (even if it doesn’t make a big difference) but still saw they were using TCP. 

    • Olivier Poitrey Solely out of curiosity, what issues are the browsers having with DOH3? Edge seems to be working OK just in my limited testing, wondering if the other Chromium browsers are having issues. Is this something the community can help you guys test?

  • Why is DoQ still not on the setup tab?

    • Sergey Twersky it can be used the same as DoT but with a client supporting DoQ (almost none exist as of today).

    • DynamicNotSlow New free DNS free internet

  • Hello. Will DoH3 be supported in the Android app?

  • DOH3 currently available? Or when will it be?

    • Umur Soydan it is currently available on doh3.dns.nextdns.io

    • NextDNS no client currently supports DoH3 though right?

    • Jason Hawkins chrome and firefox do

    • NextDNS so we should use https://doh3.dns.nextdns.io/customerid? And can we use it with another app on Android such as Nebulo, AdGuard etc.?

    • Umur Soydan yes you just add doh3. in front of the DoH URL. As far as we know, none of the apps you mentioned are supporting HTTP/3 for now.

    • NextDNS Does adguardhome currently support HTTP/3?

    • Carrot eggs it only supports DoQ, which is different. DoH3 is using HTTP/3 (HTTP over QUIC). We support DoQ too, you can use the same hostname as for DoT, but specifying the quic protocol.

    • NextDNS gotcha. I use the cli client and iOS so I’ll have to wait for support on those.

    • Umur Soydan Nebulo supported DoH3

  • hey guys seems like I'm successful to use doh3 using Intra on Android. 

    • Gradito Tunggulcahyo how is the performance compared to normal DoH for you?

      In Edge browser it's mostly delayed with some seconds for new domains for me.

    • DynamicNotSlow I don't see any performance issue, but not really sure about the improvement that I feel so far.

      maybe I should use this for a week or a month to feel the impact of doh3

    • chigarow I think it doesn't support it, just go to test.nextdns.io with your browser and protocol needs to be "DOH3"

      I face the same with the Nebulo app, when you type the DoH3 setting text in the app it works again as DOH (not DOH3)

      but on computer, with Opera, Chrome browser when you type the DOH3 setting, protocol says you are using DOH3

      I think currently just these browsers support DOH3

    • Umur Soydan ah I see

      Soo thanks a lot for the information yaap, just checked and I get DOH not DOH3

      thankyouuu and sorry for the misleading 🙏🙏

    • chigarow no problem, I hope soon apps start to support DOH3 and we can use it

    • Umur Soydan Edge also doesn't support DoH3 yet. That may be the reason for my performance problems.

  • Noticed today that my iPad running iOS 14.5.1 appears to be connecting over DoH3 using the native encrypted DNS. Looks like maybe Apple added this in a recent update. Anyone else seeing this?

    • Chris Leidich Interesting!

      I still see DNS-over-HTTPS (not DNS-over-HTTPS/3), but I'm using the NextDNS App instead of the Apple profile.

    • Rob My iPhone (also running 14.5.1 with native DNS) still shows regular DNS-over-HTTPS. Not sure what is special about the iPad, or else this is being gradually deployed somehow by NextDNS.

    • Chris Leidich What do you mean with "native DNS"?

      • NextDNS iOS App?
      • NextDNS Apple configuration profile?
    • Chris Leidich I can't confirm that with my iPad 2020.

      Your screen also looks like the NextDNS app, as the NextDNS website doesn't provide a "show Tracker Insights" menu.

    • Rob Using the config profile, not the app

    • DynamicNotSlow The screenshot was from my phone, it shows that link on the smaller screen version of my.NextDNS.io.

      test.NextDNS.io shows DOH3 too. Haven’t been able to reason out why my iPad is special compared to other iOS devices I have though. Just an interesting observation for now.

  • NextDNS I used https://doh3.dns.nextdns.io/ in Android Firefox Nightly but https://test.nextdns.io/ shows protocol is doh

    According to Mozilla: "Web servers can indicate support by using the Alt-Svc response header or by advertising HTTP/3 support with a HTTPS DNS record. Both the client and server must support the same QUIC and HTTP/3 draft version to connect with each other. For example, Firefox currently supports drafts 27 to 32 of the specification, so the server must report support of one of these versions (e.g., “h3-32”) in Alt-Svc or HTTPS record for Firefox to try to use QUIC and HTTP/3 with that server. When visiting such a website, viewing the network request information in Dev Tools should show the Alt-Svc header, and also indicate that HTTP/3 was used."

  • Doh3 is working on android Firefox nightly. https://test.nextdns.io/ shows protocol as doh3 and about:networking shows doh3.dns.nextdns.io uses http/3

  • https://doh3.dns.nextdns.io/info

    Has been blocked by SNI in China

    • Carrot eggs are you surprised? They block everything they can lol

  • DoH... moving DNS into the application layer may be great for privacy, but how do you now stop malicious software from contacting their own DNS servers and hiding their nefarious activity?

    Also I could set the DNS in the router, but since DoH is using port 443 what stops an application or a user from using whichever DoH server they want and bypassing the NextDNS protections/blocklists etc?

    • andrew hill malicious software doesn't need any DNS.

      If you want to stop malware at that level, it's already too late.

    • DynamicNotSlow I am talking about a layered approach and this is taking one layer away as well as creating another set of problems like local LAN resolution.

  • OK so what's the point of nextDNS then if it can be so easily bypassed?

    "NextDNS protects you from all kinds of security threats, blocks ads and trackers on websites and in apps and provides a safe and supervised Internet for kids — on all devices and on all networks."

    • andrew hill you should first read about how DNS works.

      NextDNS works as expected / as DNS works.

    • DynamicNotSlow OK, let's say we trust NextDNS or Cloudflare but don't trust some other random DNS provider. Since DoH is using 443, how do you stop any application from using whichever DNS it feels like? Now you have to maintain a list of non-approved DNS resolvers to block at the firewall level, an impossible task.

    • andrew hill you can't. Also, as I said already, applications don't need DNS.

      Applications can also use internal system processes to circumvent your blockage. Badness enumeration just doesn't work.

    • andrew hill typical media nonsense.

      Also, none of what you post is related to NextDNS nor this topic.

    • DynamicNotSlow yup agreed it's typical media nonsense.

      Encrypted DNS definitely increases security, despite its weaknesses, since nothing is perfect in the world. It's like adding a lock to a house: it will increase security even though a thief can still pick the lock. Only a fake expert will say bullshit like a lock causes more problems than it solves. 😂

    • andrew hill it's an entirely different case. NextDNS only provides a secure DNS service, and yet you ask about maintaining a firewall to prevent application/user mischief.

      It's quite illogical to ask a $2 service to protect you from all kinds of threats. 😅😅

  • Can somebody comment on DoH3 availability on iOS via NextDNS? I have both an iPhone and iPad with the latest iOS. I tried both the iOS NextDNS app as well as the NextDNS profile, and I can’t get anything about DoH3. How did Chris do this above?

    • Luke Skywalker still not working in beta 3. We're working with Apple to make it work eventually.

  • Is it possible for server logs to display which dns query was made through http3 connections? That would be neat. 

  • It seems like I can only access web3 links using DoT, with DoH it doesn't work. Is this expected?

  • How to configure DoT, DoQ and DoH on Ventura, which supports these protocols?
