DNS Protocols Explained: DoH, DoT, and DNSSEC
Every time you open a site, your device runs a DNS lookup to turn the name into an address (how DNS works covers that step by step). For most of the internet’s history that lookup traveled in plain text, readable by anything on the network path. Newer DNS protocols change this – some encrypt the lookup, one proves the answer is genuine. Here is what each one does and when it matters.
Plain DNS: the default
Traditional DNS (sometimes written Do53, after its port number 53) sends queries and answers in plain text. It is fast and universal – every device supports it – but it has two weak points. Anyone between you and the resolver (your internet provider, a public WiFi operator, or someone sharing the network) can see which names you look up, and in principle alter the answer before it reaches you. Nothing about plain DNS is broken; on its own it simply offers no privacy and no tamper-checking.
DNS over TLS (DoT)
DNS over TLS wraps the same queries in an encrypted channel, the way TLS protects a banking page. It runs on a dedicated port (853), so a network can easily recognise the traffic as DNS – handy for an administrator who wants to manage it, and a limit if a network chooses to block it. The protection depends on the client checking the resolver's certificate: in the usual "strict" configuration the lookup fails rather than falling back to plain text when the certificate does not match, and that check is what stops someone on the path from posing as the resolver. On Android, the built-in "Private DNS" setting is DoT, which is the simplest way for most phone users to switch it on.
What DoT gives you: others on the network path can no longer read or change your lookups. What it does not give you: the resolver you connect to still sees every name you request, so encryption moves the trust to whichever resolver you pick rather than removing it.
DNS over HTTPS (DoH)
DNS over HTTPS also encrypts the lookup, but sends it over the same port as ordinary web traffic (443), so it blends in with everything else your browser does. That makes it harder for a network to single out and block, and it is the method most web browsers now offer in their settings. The trade-off mirrors DoT: because it looks like normal HTTPS, it is harder for an administrator to see and manage – which some home users want and some workplaces specifically do not.
Functionally DoH and DoT protect the same thing: the confidentiality of your lookups in transit. The practical difference is visibility. DoT is openly DNS on its own port; DoH hides inside web traffic. Which is “better” depends on whether you want your DNS easy to manage or hard to distinguish.
DNSSEC: a different goal
DNSSEC is often mentioned alongside DoH and DoT, but it solves a different problem and encrypts nothing. Instead it adds digital signatures to DNS records, so a resolver can verify that an answer was signed with the keys published for that domain (a chain of trust that leads up to the root zone) and was not altered along the way.
A simple way to picture it: DoH and DoT seal the envelope so no one can read the letter; DNSSEC is the signature that proves the letter is genuine. They are complementary – you can have one, both, or neither. One practical detail: the signature is normally checked by the resolver, not by your device, which only sees a flag in the answer saying the check passed. On a plain-text path that flag could be altered like anything else, so validation at the resolver is most useful when the hop from the resolver to you is also encrypted. Encrypted transport hides your lookups; DNSSEC vouches for their authenticity.
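To make the transport difference concrete, and to show the flag a validating resolver sets, here is an added example that is not code from the original page or from the IP Tools / WiFi Tools apps it mentions. It builds the same wire-format query that plain DNS, DoT and DoH all carry, shows the DoT framing (a 2-byte length prefix on port 853) next to the DoH encoding (the raw message as an HTTPS POST body, or base64url in a GET parameter), and parses a response to read the rcode and the AD ("authenticated data") flag. The resolver hostname is taken from the command line and the DoH path /dns-query is an assumption that holds for most public resolvers; the sample response is constructed, not captured from a real resolver.

```python
# Added example, not code from the original page. Assumes the resolver hostname comes from
# the command line and that its DoH endpoint is /dns-query (true for most public resolvers).
import base64
import http.client
import socket
import ssl
import struct
import sys

A_RECORD, OPT_RECORD, CLASS_IN = 1, 41, 1

def build_query(name, qtype=A_RECORD, txid=0x1234, dnssec_ok=True):
    """RFC 1035 message: header (RD set), one question, EDNS0 OPT record with DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, CLASS_IN)
    if dnssec_ok:
        # OPT: root name, type 41, UDP payload size, ext-rcode, version, flags (DO = top bit), rdlen
        msg += b"\x00" + struct.pack("!HHBBHH", OPT_RECORD, 1232, 0, 0, 0x8000, 0)
    return msg

def dot_frame(msg):
    """DoT (like plain DNS over TCP) prefixes the message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def doh_get_param(msg):
    """DoH GET sends the same bytes as ?dns=<base64url, no padding>; POST sends them raw."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")

def _skip_name(msg, pos):
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then the name ends
            return pos + 2
        pos += 1 + length

def parse_response(msg):
    """Header flags plus the answer section; AD (bit 5) is set only by a validating resolver."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    info = {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020), "answers": []}
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        value = socket.inet_ntoa(rdata) if rtype == A_RECORD and rdlen == 4 else rdata.hex()
        info["answers"].append((rtype, value, ttl))
    return info

def sample_response(ad=True):
    """Constructed response, not captured from a real resolver: NOERROR, example.com A 192.0.2.1
    (a documentation address) with TTL 300, the OPT record echoed back, AD set or clear."""
    flags = 0x8180 | (0x0020 if ad else 0)  # QR, RD, RA (+ AD)
    return (struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 1)
            + b"\x07example\x03com\x00" + struct.pack("!HH", A_RECORD, CLASS_IN)
            + b"\xC0\x0C" + struct.pack("!HHIH", A_RECORD, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
            + b"\x00" + struct.pack("!HHBBHH", OPT_RECORD, 1232, 0, 0, 0x8000, 0))

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def query_dot(resolver, msg, timeout=5.0):
    """TLS to port 853; the default context verifies certificate and hostname, i.e. strict mode."""
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver) as tls:
            tls.sendall(dot_frame(msg))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)

def query_doh(resolver, msg, path="/dns-query", timeout=5.0):
    """HTTPS POST to port 443 with the raw message as the body (RFC 8484 media type)."""
    conn = http.client.HTTPSConnection(resolver, timeout=timeout, context=ssl.create_default_context())
    conn.request("POST", path, body=msg, headers={"Content-Type": "application/dns-message",
                                                  "Accept": "application/dns-message"})
    resp = conn.getresponse()
    if resp.status != 200:
        raise RuntimeError(f"DoH resolver answered HTTP {resp.status}")
    return resp.read()

if __name__ == "__main__":  # usage: python3 dns_check.py [resolver hostname]
    q = build_query("example.com")
    print("DoT frame:", dot_frame(q).hex(), "\nDoH GET: ?dns=" + doh_get_param(q))
    print("offline sample:", parse_response(sample_response()))
    for label, fn in ((("DoT", query_dot), ("DoH", query_doh)) if len(sys.argv) > 1 else ()):
        print(label, "live:", parse_response(fn(sys.argv[1], q)))
```

Two things the code makes visible. The message bytes are identical for plain DNS, DoT and DoH; only the port and the framing differ, which is why a network sees DoT as "DNS on 853" and DoH as "just HTTPS". And the AD flag is only as trustworthy as the path it arrives on: ssl.create_default_context() verifies the resolver's certificate and hostname, and dropping that verification would turn a strict DoT client into an opportunistic one that a spoofed resolver on the path could satisfy.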
Other variants you may see
- DNS over QUIC (DoQ): the same protection as DoT, carried over the QUIC transport (UDP port 853, specified in RFC 9250), which needs fewer round trips to set up a connection; support is growing gradually.
- DNSCrypt: an older independent protocol that also encrypts and authenticates lookups; still used by some tools, though DoH and DoT are now more common.
You rarely need to choose these by hand – they are listed here so the names are familiar when you meet them.
Which one should you use, and how
For most home users the choice is simple:
- On Android, open the network settings and set "Private DNS" to your chosen provider's hostname (the setting takes a name, not an IP address) – that enables DoT system-wide.
- In a desktop browser, look for a “Secure DNS” or “DNS over HTTPS” option in the security settings.
- On the router, some models let you set an encrypted resolver for the whole household at once.
Two things to keep in mind. First, encrypted DNS protects the lookup, not your whole connection – it is not a VPN, and the resolver you choose still sees your queries, so pick one you are comfortable trusting. Second, on a managed or workplace network, encrypted DNS may be intentionally disabled; that is a policy choice, not a fault.
Check what your DNS is doing
You can confirm that names resolve, whichever protocol you use:
- Open the DNS Lookup tool in IP Tools (Android) or WiFi Tools (iOS).
- Enter a domain such as example.com.
- Read the returned record – if an address comes back, name resolution is working.
If a site stops loading right after you switch on encrypted DNS, a quick lookup shows whether the new resolver is answering at all. For how the lookup itself works step by step, see how DNS works, and the DNS Lookup help page explains each field.
FAQ
Is DoH or DoT better?
They protect the same thing. DoT is easier for a network to recognise and manage; DoH is harder to distinguish from normal web traffic. Choose based on whether you want DNS visible or blended in.
Does encrypted DNS hide everything I do online?
No. It hides which names you look up from others on the network path, but the resolver still sees them, and it does not hide the addresses you then connect to. The site's name also usually still appears unencrypted in the TLS handshake (the SNI field) unless the site and browser support Encrypted Client Hello. It is not a replacement for a VPN.
Is DNSSEC the same as encryption?
No. DNSSEC proves an answer is genuine and untampered; it does not make it private. Encryption (DoH and DoT) and DNSSEC solve different problems and can be used together.
How do I turn on encrypted DNS on my phone?
On Android, set “Private DNS” in the network settings to a provider that supports it – that is DoT. On iOS, it is enabled through a configuration profile or an app that sets it.