DNS-over-HTTPS (DoH) vs DNS-over-TLS (DoT), which do you prefer?

A short repeat on them, please correct me if I am wrong somewhere:

  • DoH makes an HTTPS connection and thus looks like any other HTTPS traffic. It leaks more metadata, but simultaneously it’s more commonly unblocked than
  • DoT, which is plain DNS traffic within a TLS connection using a dedicated port 853, even if some providers allow it on port 443.
  • DNSCrypt is an older technology without an RFC, but uses port 443 (and the “main” implementation dnscrypt-proxy also supports DoH)

See also: https://www.privacytools.io/providers/dns/#icanndns

I don’t want to mix my own opinions into the original submission, as it began so factually, but lately I seem to have been leaning more towards DoT due to the servers allowing 443 and using Unbound directly instead of passing everything to DNSCrypt-proxy, as while Unbound DoT is said to have issues like not reusing or keeping DoT connections open, it still performs DNSSEC validation locally.

On Android I have been using DoT more, because it’s supported natively by Android 9+, and today I have sent feedback to Helsinki Metro and libraries requesting that port 853 be unblocked, as those are the only places I frequent that don’t have it open. On an older phone I have been using the Nebulo app with DoH (it supports both) as it tends to work everywhere even if there is no native support. I am back on DoT after changing my mind due to reading more on DoH and wishing to decrease the HTTPS metadata; I have mobile data, so I don’t have to be stuck with those restrictive networks.

While Nebulo has some benefits like seeing queries and being able to increase logging, I think it’s behind some issues I am having with Conversations failing connections and VoWiFi, but I haven’t been able to confirm it, and my Nokia 1 is just so low-end that it might be behind the issues.

I am also unsure on whether it’s a good idea to add an app (which also wants to take over the VPN slot, which shows a warning in the top right) to do something that the OS already does, especially with such limited devices.

I think both seem good solutions while not being perfect, and I am curious about what everyone else thinks or uses.
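As an added illustration of the difference listed in the first post (this is not code from the thread or from any of the tools named in it): the same DNS query framed for DoT, which is just DNS-over-TCP with its 2-byte length prefix carried inside TLS on port 853, and for DoH, where it rides in an ordinary HTTPS request on port 443 as described in RFC 8484. The resolver name dns.example and the query for example.com are constructed placeholders.

```python
import base64
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 DNS query for `name` (type A by default), RD=1, one question.
    txid=0 is what RFC 8484 recommends for DoH GET so identical queries cache well."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def dot_frame(msg: bytes) -> bytes:
    """DoT (RFC 7858) is plain DNS-over-TCP inside a TLS session on port 853:
    each message carries a 2-byte big-endian length prefix, nothing else."""
    return struct.pack("!H", len(msg)) + msg


def parse_dot_stream(data: bytes) -> list[bytes]:
    """Split a (decrypted) DoT byte stream back into DNS messages; a truncated
    trailing message is left for the next read rather than mis-parsed."""
    msgs, i = [], 0
    while i + 2 <= len(data):
        n = struct.unpack("!H", data[i:i + 2])[0]
        if i + 2 + n > len(data):
            break
        msgs.append(data[i + 2:i + 2 + n])
        i += 2 + n
    return msgs


def doh_get_request(msg: bytes, host: str, path: str = "/dns-query") -> str:
    """DoH (RFC 8484) GET: the same wire message, base64url-encoded with padding
    stripped, in the `dns` query parameter of an ordinary HTTPS request on 443."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return (f"GET {path}?dns={b64} HTTP/1.1\r\nHost: {host}\r\n"
            "Accept: application/dns-message\r\n\r\n")


def doh_decode_param(b64: str) -> bytes:
    """Inverse of the GET encoding: restore padding, then base64url-decode."""
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


if __name__ == "__main__":
    q = build_query("example.com")  # constructed sample query, not a real capture
    print(dot_frame(q).hex())
    print(doh_get_request(q, "dns.example"))  # 'dns.example' is a placeholder resolver
```

On the wire only the outer layer differs: a DoT observer sees TLS to port 853 and nothing else, while the DoH request is indistinguishable from other HTTPS until the resolver host and HTTP metadata are taken into account.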

I don’t know which DNS encryption is best for DNS encryption, DoH, or DoT. So please tell me! What’s the best combination of DNS for iPhone and Linux? I want to use the Adguard Pro app on the iPhone, the dns-crypt tool on Linux, the Adguard provider, and the server to use Pi-hole.

Hi, I moved your thread as I think it belongs directly to this thread, even if no one replied to me.

I think the answer which is the best doesn’t have an answer and everyone is going to have their own opinion as everything has its sides.

My setup:

  • iOS:, because I am not an iOS user and it appears to be the most simple option for my family.
  • Android: DNS-over-TLS, currently with Finnish BlahDNS server, as it’s supported natively and in Finland. Edit: also Nebulo with the same Finnish BlahDNS server on older Androids.
  • Linux:
    • Mainly Unbound with DNS-over-TLS
    • Alternatively systemd-resolved (DNS-over-TLS) on my VPS
      • opportunistic DoT (vulnerable to downgrade): traveling family laptop, work try-out-practice laptop
  • Windows: I should really set up something, but so far I am upvoting initials to natively support encrypted DNS in Feedback Hub…

I am not familiar with Adguard Pro or Pi-hole, but I think Adguard DNS supports all of the three options.


I see, what are you using?

She literally just listed everything she’s using…