
What is DNS over TLS (DoT), DNS over Quic (DoQ) and DNS over HTTPS (DoH & DoH3)?

DNS is an old protocol that lacks any form of transport security, yet it is one of the most fundamental protocols of the Internet. DoT and DoH add transport security to DNS by reusing the security layer HTTPS relies on: TLS. Both DoT and DoH use TLS. DoH adds HTTP/2 between DNS and TLS for framing; DoT also has a framing layer, inherited from DNS over TCP, but it is ridiculously simple compared to HTTP/2. Both run on top of TCP.

More recently, Quic was added to the mix. Quic is an odd beast that takes TCP, TLS and the stream capability of HTTP/2 and merges them into a natively encrypted protocol implemented on top of UDP. From this new transport protocol we get two new variants: DoQ, which is similar to DoT but uses Quic streams instead of the DNS over TCP framing, and DoH3, which is DNS over HTTP/3, HTTP/3 being HTTP over Quic.

All those protocols offer similar advantages but they have some key differences:

  • DoT and DoQ use custom ports (tcp/853 and udp/8853 respectively) which can easily be blocked by firewalls, while DoH uses the same port and protocol as all HTTPS web traffic (tcp/443), making it harder to block or even detect. DoH3 uses udp/443, so it is easier to block but still indistinguishable from other web traffic using this protocol, and HTTP/3 capable clients can fall back to HTTP/2 when this happens.
  • The HTTP/2 protocol used by DoH is significantly more complex than the basic framing employed by DoT. The advantage of DoH is that most HTTP/2 implementations are battle tested and offer good performance, while most DoT implementations get the DoT "spec" wrong, leading to poorer performance. When properly implemented, DoT offers lower complexity, which may theoretically have a small positive impact on battery usage, but it is probably a drop in the bucket compared to TLS. The difference in latency should not be perceivable though.
    DoQ and DoH3, on the other hand, both use the same framing provided by the Quic protocol, which is greatly inspired by HTTP/2. The difference in complexity between DoQ and DoH3 is thus even thinner than between DoT and DoH.
  • As DoH uses HTTP, when implemented in a browser there is the concern that it could carry the same tracking capabilities used on the web (user-agent, cookies, etc.). To date, no popular client, browsers included, sends fingerprintable headers; they run with no cookie jar and don't even send a user-agent.
  • DoQ and DoH3 are more resilient to packet loss. DoT and DoH run on top of a single TCP connection, meaning that in case of a packet loss, all DNS queries or responses after this packet have to wait for the lost packet to be retransmitted (this is called head of line blocking). Thanks to Quic's stream design, a single Quic session can carry multiple individual streams. Each stream is independent, and the loss of a packet only affects the stream it is associated with. With both DoQ and DoH3, each DNS query/response is isolated in its own stream, eliminating the head of line blocking issue described above. These protocols are thus particularly well suited for mobile or highly congested networks, but won't make any substantial difference on a healthy network. One drawback is that Quic is implemented entirely in userland, and thus requires more CPU and battery to run than TCP. This can be an issue for bandwidth intensive applications, but DNS being pretty light, the difference should be negligible with most implementations.
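As an added illustration (not part of the original NextDNS post), the two framings described above in Python: the 2-byte length prefix DoT inherits from DNS over TCP, and the GET/POST forms DoH uses per RFC 8484. The query is constructed by hand and the resolver hostname is a placeholder; nothing is sent on the network.

```python
import base64
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query (RFC 1035) for an A record of `name`, no EDNS."""
    # Flags 0x0100 = RD (recursion desired); one question, no other sections.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def frame_dot(msg: bytes) -> bytes:
    """DoT framing (RFC 7858): the DNS-over-TCP 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def unframe_dot(stream: bytes):
    """Split a TCP byte stream into complete DNS messages; return (messages, leftover).
    A partially received message stays in `leftover`, and because everything shares
    one ordered stream nothing queued behind it can be delivered (head of line blocking)."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (n,) = struct.unpack_from("!H", stream, pos)
        if pos + 2 + n > len(stream):
            break
        msgs.append(stream[pos + 2 : pos + 2 + n])
        pos += 2 + n
    return msgs, stream[pos:]


def doh_get_path(msg: bytes, path: str = "/dns-query") -> str:
    """DoH GET form (RFC 8484): base64url without padding in the `dns` parameter."""
    token = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{path}?dns={token}"


def doh_get_message(path: str) -> bytes:
    """Inverse of doh_get_path: restore the stripped padding and decode."""
    token = path.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def doh_post_request(msg: bytes, host: str, path: str = "/dns-query") -> bytes:
    """DoH POST form rendered as HTTP/1.1 text for readability; a real DoH client
    carries the same headers and body as HTTP/2 (or HTTP/3) frames."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\n"
            "Accept: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n")
    return head.encode("ascii") + msg
```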

Some experts like Paul Vixie recommend DoT over DoH. We don't share this position and generally recommend DoH: it has less chance of being blocked, implementations are often better, and clients supporting HTTP/3 can automatically benefit from it or fall back in case of issue thanks to the Alt-Svc/HTTPSSVC protocol negotiation.

NextDNS supports all 4 protocols. See the setup tab for more information on how to use them.

80 replies

    • Leo
    • 2 yrs ago

    As a novice user, I would like to know if DNS over QUIC has any settings or is it already set in the server network? And whether it has been implemented in Private DNS on Android (DNS over TLS)?

      • Jason_Hawkins
      • 2 yrs ago

      Olivier Poitrey that would be cool to test out. I too was looking forward to seeing DoH3 when I updated my Ubuntu CLIs yesterday (even if it doesn't make a big difference) but still saw they were using TCP.

      • Chris_Leidich
      • 2 yrs ago

      Olivier Poitrey Solely out of curiosity, what issues are the browsers having with DoH3? Edge seems to be working OK just in my limited testing; wondering if the other Chromium browsers are having issues. Is this something the community can help you guys test?

    • Sergey_Twersky
    • 2 yrs ago

    Why is DoQ still not on the setup tab?

      • Pro subscriber ✓
      • DynamicNotSlow
      • 2 yrs ago

      Sergey Twersky it can be used the same as DoT but with a client supporting DoQ (almost none exist as of today).

      • IsmailAfghan
      • 1 yr ago

      DynamicNotSlow New free DNS, free internet

    • Hugo_Loaiza_Avila
    • 2 yrs ago

    Hello. Will DoH3 be supported in the Android app?

    • Umur_Soydan
    • 2 yrs ago

    Is DoH3 currently available? Or when will it be?

      • NextDNs
      • 2 yrs ago

      Umur Soydan it is currently available on doh3.dns.nextdns.io

      • Jason_Hawkins
      • 2 yrs ago

      NextDNS no client currently supports DoH3 though right?

      • NextDNs
      • 2 yrs ago

      Jason Hawkins Chrome and Firefox do.

      • Umur_Soydan
      • 2 yrs ago

      NextDNS so we should use it as https://doh3.dns.nextdns.io/customerid? And can we use it with another app on Android such as Nebulo, AdGuard etc.?

      • NextDNs
      • 2 yrs ago

      Umur Soydan yes you just add doh3. in front of the DoH URL. As far as we know, none of the apps you mentioned are supporting HTTP/3 for now.

      • Carrot_eggs
      • 2 yrs ago

      NextDNS Does AdGuard Home currently support HTTP/3?

      • NextDNs
      • 2 yrs ago

      Carrot eggs it only supports DoQ, which is different. DoH3 uses HTTP/3 (HTTP over QUIC). We support DoQ too; you can use the same hostname as for DoT, but specifying the quic protocol.

      • Jason_Hawkins
      • 2 yrs ago

      NextDNS gotcha. I use the CLI client and iOS so I'll have to wait for support on those.

      • kingsmanvn
      • 1 yr ago

      Umur Soydan Nebulo supports DoH3

    • Gradito_Tunggulcahyo
    • 2 yrs ago

    Hey guys, seems like I successfully used DoH3 using Intra on Android.

      • Pro subscriber ✓
      • DynamicNotSlow
      • 2 yrs ago

      Gradito Tunggulcahyo how is the performance compared to normal DoH for you?

      In the Edge browser it's mostly delayed by some seconds for new domains for me.

      • Gradito_Tunggulcahyo
      • 2 yrs ago

      DynamicNotSlow I don't see any performance issue, but I'm not really sure about the improvement that I feel so far.

      Maybe I should use this for a week or a month to feel the impact of DoH3.

      • Umur_Soydan
      • 2 yrs ago

      chigarow I think it doesn't support it; just go to test.nextdns.io with your browser and the protocol needs to be "DOH3".

      I face the same with the Nebulo app: when you type the DoH3 setting text in the app it works again as DOH (not DOH3).

      But on a computer, with the Opera or Chrome browser, when you type the DOH3 setting, the protocol says you are using DOH3.

      I think currently just these browsers support DOH3.

      • Gradito_Tunggulcahyo
      • 2 yrs ago

      Umur Soydan ah I see.

      So thanks a lot for the information, just checked and I get DOH not DOH3.

      Thank you and sorry for the misleading 🙏🙏

      • Umur_Soydan
      • 2 yrs ago

      chigarow no problem, I hope soon apps start to support DOH3 and we can use it.

      • Pro subscriber ✓
      • DynamicNotSlow
      • 2 yrs ago

      Umur Soydan Edge also doesn't support DoH3 yet. That may be the reason for my performance problems.

    • Chris_Leidich
    • 2 yrs ago

    Noticed today that my iPad running iOS 14.5.1 appears to be connecting over DoH3 using the native encrypted DNS. Looks like maybe Apple added this in a recent update. Anyone else seeing this?

      • iOS Developer
      • Rob
      • 2 yrs ago

      Chris Leidich Interesting!

      I still see DNS-over-HTTPS (not DNS-over-HTTPS/3), but I'm using the NextDNS App instead of the Apple profile.