What Is Secure DNS (DoH and DoT)?
Secure DNS refers to protocols and mechanisms that protect DNS queries from eavesdropping, tampering, and spoofing. Standard DNS transmits queries in plaintext over UDP port 53, making it trivial for anyone on the network path to see which domains you are resolving or to inject forged responses. Secure DNS addresses these vulnerabilities through encryption and authentication.
Why Standard DNS Is Insecure
Traditional DNS (RFC 1035) has no built-in encryption or authentication. This creates several risks:
- Eavesdropping. ISPs, Wi-Fi operators, and on-path attackers can see every domain you query.
- DNS spoofing/poisoning. An attacker can inject forged responses, redirecting you to malicious servers. This is the attack that DNSSEC was designed to prevent.
- Censorship and manipulation. Network operators can modify DNS responses to block or redirect domains.
DNS over HTTPS (DoH)
DoH (RFC 8484) sends DNS queries inside encrypted HTTPS connections on port 443. Because it uses the same port and protocol as regular web traffic, DoH queries blend in with normal browsing.
Browser and OS support:
- Firefox enables DoH by default in the U.S. (using Cloudflare).
- Chrome, Edge, and Safari support DoH when the system DNS provider offers it.
- Windows 11, iOS 14+, and macOS 11+ support system-level DoH configuration.
Trade-off: DoH is excellent for individual privacy but makes it harder for network administrators to monitor or filter DNS traffic, since it is indistinguishable from HTTPS.
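To make the DoH wire format concrete, here is an added example (not from the original article) that builds an RFC 1035 query, encodes it in the RFC 8484 GET form, and parses a constructed response. The resolver URL is a placeholder and the response bytes are constructed, not captured from a real server.

```python
import base64
import struct

# Placeholder resolver endpoint (assumption for this example, not a real service)
RESOLVER_URL = "https://doh.example/dns-query"

def build_dns_query(name, qtype=1, qid=0):
    """Build a minimal RFC 1035 query; RFC 8484 recommends ID 0 so identical
    queries yield identical URLs and can be served from HTTP caches."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)     # QCLASS=IN

def doh_get_url(resolver_url, query):
    """RFC 8484 GET form: the DNS message travels in ?dns= as unpadded base64url."""
    dns_param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns_param}"

def _skip_name(msg, pos):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:    # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length

def parse_a_records(response):
    """Return IPv4 addresses from the answer section of a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if (flags & 0x000F) != 0:        # RCODE is not NOERROR: nothing usable
        return []
    pos = 12
    for _ in range(qd):              # skip the echoed question section
        pos = _skip_name(response, pos) + 4
    addrs = []
    for _ in range(an):
        pos = _skip_name(response, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        rdata = response[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs

# Constructed sample response: NOERROR, one A record for example.com -> 192.0.2.1
# (a TEST-NET-1 documentation address), TTL 300, owner name as a compression pointer.
SAMPLE_RESPONSE = (
    bytes.fromhex("0000 8180 0001 0001 0000 0000")
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
    + bytes.fromhex("c00c 0001 0001 0000012c 0004 c0000201")
)

if __name__ == "__main__":
    print(doh_get_url(RESOLVER_URL, build_dns_query("example.com")))
    print(parse_a_records(SAMPLE_RESPONSE))
```

On the wire, only the HTTPS request to port 443 is visible; the `dns=` parameter and the response body sit inside the TLS session, which is why DoH cannot be filtered by port alone.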
DNS over TLS (DoT)
DoT (RFC 7858) wraps DNS queries in TLS on a dedicated port, 853. It provides the same encryption as DoH but on a separate, identifiable port.
Support:
- Android 9+ includes native DoT support under Settings > Network > Private DNS.
- systemd-resolved on Linux supports DoT.
- Many enterprise DNS appliances support DoT for upstream forwarding.
Trade-off: Because port 853 is distinct, network administrators can allow or block DoT traffic with standard firewall rules, making it more enterprise-friendly than DoH.
DNSSEC
DNSSEC (DNS Security Extensions, RFC 4033-4035) is fundamentally different from DoH and DoT. Instead of encrypting queries, DNSSEC authenticates responses using cryptographic signatures.
- Zone operators sign their DNS records with a private key.
- Resolvers verify signatures using the corresponding public key, published as DNSKEY records.
- A chain of trust extends from the root zone down through TLD zones to individual domains.
- DNSSEC prevents spoofing and cache poisoning but does not encrypt queries. Your ISP can still see which domains you resolve.
DNSSEC and DoH/DoT are complementary: DNSSEC ensures the answer is authentic, while DoH/DoT ensures the query is private.
Choosing a Secure DNS Resolver
Several public resolvers support all three secure DNS mechanisms:
| Provider | DoH | DoT | DNSSEC Validation |
|---|---|---|---|
| Cloudflare (1.1.1.1) | Yes | Yes | Yes |
| Google (8.8.8.8) | Yes | Yes | Yes |
| Quad9 (9.9.9.9) | Yes | Yes | Yes |
Relevance to Email Infrastructure
Secure DNS does not directly affect email delivery, but it protects the integrity of the DNS lookups that underpin email authentication. When a receiving mail server queries your domain's SPF, DKIM, or DMARC records, DNSSEC ensures those responses have not been tampered with. Verify that your domain's DNS records are correctly published with our DNS lookup tool.