DNS over TLS and DNS over HTTPS are two standards developed for encrypting plaintext DNS traffic in order to prevent malicious parties, advertisers, ISPs, and others from being able to interpret the data.

DNS over TLS

DNS over TLS, or DoT, is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications. (TLS is also known as “SSL.“) DoT adds TLS encryption on top of the user datagram protocol (UDP), which is used for DNS queries. Additionally, it ensures that DNS requests and responses are not tampered with or forged via on-path attacks.


DNS over HTTPS, or DoH, is an alternative to DoT. With DoH, DNS queries and responses are encrypted, but they are sent via the HTTP or HTTP/2 protocols instead of directly over UDP. Like DoT, DoH ensures that attackers can't forge or alter DNS traffic. DoH traffic looks like other HTTPS traffic – e.g. normal user-driven interactions with websites and web apps – from a network administrator's perspective.

In February 2020, the Mozilla Firefox browser began enabling DoH for U.S. users by default. DNS queries from the Firefox browser are encrypted by DoH and go to either Cloudflare or NextDNS. Several other browsers also support DoH, although it is not turned on by default.

Oblivious DNS over HTTPS

但 DoH/DoT 的推出也引发了两个问题,其一是 DNS 的中心化引入了单点故障,其二是解析器仍然可以将所有查询关联到客户 IP 地址。为了更好的保护用户隐私,Cloudflare、Fastly 和苹果的工程师合作开发了新的协议 ODoH(代表 Oblivious DNS over HTTPS)。

ODoH 加入了一个公钥加密层以及客户端和 DoH 服务器之间的网络代理,确保只有用户才能访问 DNS 信息及其 IP 地址。工程师们用 Rust、Go 等语言实现了互操作 ODoH 实现并将其开源,Cloudflare 的公共 DNS 服务器 已经能支持 ODoH 查询。Firefox 已经表达了支持 ODoH 的意愿。

Different between DoT & DoH

Each standard was developed separately and has its own RFC* documentation, but the most important difference between DoT and DoH is what port they use. DoT only uses port 853, while DoH uses port 443, which is the port that all other HTTPS traffic uses as well.

Because DoT has a dedicated port, anyone with network visibility can see DoT traffic coming and going, even though the requests and responses themselves are encrypted. In contrast, with DoH, DNS queries and responses are camouflaged within other HTTPS traffic, since it all comes and goes from the same port.

https://tools.ietf.org/html/rfc7858 - Specification for DNS over Transport Layer Security (TLS)
https://tools.ietf.org/html/rfc8310 - Usage Profiles for DNS over TLS and DNS over DTLS
https://tools.ietf.org/html/rfc8484 - DNS Queries over HTTPS (DoH)

除 DoT, DoH 外还有 DNSSEC, DNSCrypt 等安全DNS协议


DNSSEC是“Domain Name System Security Extensions”的缩写,代表域名系统安全扩展,允许域名所有者对DNS记录进行数字签名,签名DNS记录的私有签名密钥通常仅由合法域名所有者持有,因此可防止未经授权的第三方修改DNS条目。

DNSSEC诞生于1997年,已经列入互联网标准化文档(参考RFC 4033、RFC 4034、RFC 4035),是最早大规模部署的DNS安全协议,所有的根域名服务器都已经部署了DNSSEC。





https://github.com/DNSCrypt/dnscrypt-protocol - DNSCrypt protocol specification

https://dnsprivacy.org/ - DNS Privacy Project
https://datatracker.ietf.org/wg/dprive/documents/ - DNS PRIVate Exchange (dprive)
https://developers.google.com/speed/public-dns/docs/dns-over-https - DNS-over-HTTPS
https://security.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html - DNS over TLS support in Android P Developer Preview
https://www.cloudflare.com/learning/dns/dns-over-tls/ - DNS over TLS vs. DNS over HTTPS | Secure DNS
https://yq.aliyun.com/articles/693098 - 4种DNS安全协议对比:DNSSEC,DNSCrypt,DNS over TLS,DNS over HTTPS