{"id":4372,"date":"2026-05-21T12:13:00","date_gmt":"2026-05-21T12:13:00","guid":{"rendered":"https:\/\/www.copahost.com\/blog\/?p=4372"},"modified":"2026-05-26T15:17:59","modified_gmt":"2026-05-26T15:17:59","slug":"encrypted-dns","status":"publish","type":"post","link":"https:\/\/www.copahost.com\/blog\/encrypted-dns\/","title":{"rendered":"DNS over HTTPS, DNS over TLS, and DNS over QUIC: Which Encrypted DNS Protocol Should You Use?"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">You already know that DNS translates domain names into IP addresses \u2014 the internet&#8217;s phone book, as the classic analogy goes. If you want a refresher on how DNS works at its core, <a href=\"https:\/\/www.copahost.com\/blog\/what-does-dns-stand-for\/\">our introduction to DNS<\/a> covers the fundamentals.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But here is something most website owners don&#8217;t know: every DNS query your visitors make is sent in plain text by default. That means your ISP, network administrators, and anyone monitoring the connection can see exactly which domains are being resolved \u2014 even when the page content itself is protected by HTTPS. This is the problem that <strong>encrypted DNS<\/strong> was designed to solve.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In practice, there are four protocols that replace unencrypted DNS: <strong>DNS over HTTPS (DoH)<\/strong>, <strong>DNS over TLS (DoT)<\/strong>, <strong>DNS over QUIC (DoQ)<\/strong>, and DNS over HTTPS\/3 (DoH3). Each one encrypts your DNS queries using a different transport layer, with different tradeoffs in performance, privacy, and compatibility. 
If you have ever searched for <strong>DoH vs DoT<\/strong> and found conflicting answers, this article explains why \u2014 and gives you real benchmark data from over 3,000 resolvers to help you decide which encrypted DNS protocol is right for your website.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Why_Unencrypted_DNS_Is_Still_a_Problem_in_2026\"><\/span>Why Unencrypted DNS Is Still a Problem in 2026<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When a visitor types your domain name into their browser, their device sends a DNS query before any connection to your server is established. That query travels over the network in plain text on port 53 \u2014 visible to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The visitor&#8217;s ISP<\/li>\n\n\n\n<li>Anyone monitoring the local network (coffee shop Wi-Fi, corporate proxies)<\/li>\n\n\n\n<li>Government-level surveillance infrastructure<\/li>\n\n\n\n<li>Attackers conducting DNS hijacking<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This happens regardless of whether your site uses HTTPS. The <a href=\"https:\/\/www.copahost.com\/blog\/http-vs-https\/\">HTTPS<\/a> encryption protects the content of the page. 
The DNS query that happens before the connection is made is a completely separate, unprotected step.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DNS hijacking exploits this gap: an attacker intercepts the plain-text DNS query and returns a false IP address, redirecting the visitor to a malicious site that looks identical to yours. For websites in sensitive sectors \u2014 banking, healthcare, e-commerce \u2014 this is a real attack vector with documented incidents.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The encrypted DNS protocols solve this by wrapping the DNS query in a secure transport layer. The question is which one to use, and for what purpose.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_Five_DNS_Protocols_You_Need_to_Know\"><\/span>The Five DNS Protocols You Need to Know<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Do53_%E2%80%94_Classic_DNS_Unencrypted\"><\/span>Do53 \u2014 Classic DNS (Unencrypted)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Port:<\/strong> 53 (UDP and TCP) <strong>Encryption:<\/strong> None <strong>Status:<\/strong> Still dominant, but declining for privacy-sensitive use cases<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The original DNS protocol, defined in RFC 1035 in 1983. Fast, simple, universally supported. The problem is that it was designed in an era when the internet was a small academic network \u2014 privacy was not a design concern. Every query is sent in plain text.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For server-to-server communication in controlled environments (internal networks, data centers), Do53 is still reasonable. 
For client-facing DNS \u2014 the queries your visitors make from their browsers \u2014 it should be replaced by one of the encrypted alternatives.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"DoT_%E2%80%94_DNS_over_TLS\"><\/span>DoT \u2014 DNS over TLS<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Port:<\/strong> 853 <strong>Transport:<\/strong> TCP + TLS 1.3 <strong>RFC:<\/strong> 7858 (2016) <strong>Encryption:<\/strong> Yes <strong>Status:<\/strong> Widely deployed, supported by most major resolvers<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DoT wraps DNS queries in TLS \u2014 the same encryption layer used by HTTPS. It runs on a dedicated port (853), which makes it easy for network administrators to identify, filter, or block encrypted DNS traffic.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The advantage is simplicity: it is essentially the same encryption model that secures web traffic, applied to DNS. The disadvantage is that the dedicated port makes it easy to detect and block \u2014 which is why it has seen limited browser adoption but strong adoption in enterprise and mobile operating systems.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Android 9+<\/strong> and <strong>iOS 14+<\/strong> support DoT natively as &#8220;Private DNS.&#8221; If a visitor is using a modern mobile device, there is a reasonable chance their DNS queries are already using DoT \u2014 regardless of what your server does.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Performance consideration:<\/strong> DoT requires a TCP three-way handshake plus a TLS handshake before the first query \u2014 adding approximately 2 round-trip times of latency compared to Do53. 
For high-frequency DNS environments, this matters.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"DoH_%E2%80%94_DNS_over_HTTPS\"><\/span>DoH \u2014 DNS over HTTPS<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Port:<\/strong> 443 <strong>Transport:<\/strong> HTTPS (HTTP\/2 or <a href=\"https:\/\/www.homehost.com.br\/blog\/internet\/http3\/\">HTTP\/3<\/a>) <strong>RFC:<\/strong> 8484 (2018) <strong>Encryption:<\/strong> Yes <strong>Status:<\/strong> Default in Firefox and Chrome; widely adopted<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DoH tunnels DNS queries inside standard HTTPS traffic on port 443 \u2014 the same port used for all web traffic. This makes it indistinguishable from regular browsing traffic, which means it cannot be selectively blocked without blocking all HTTPS.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is both its greatest strength and the source of its most significant controversy. Enterprise network administrators who need to monitor and filter DNS traffic \u2014 for security policy enforcement \u2014 cannot do so when DNS is hidden inside HTTPS. This has led to ongoing tension between browser vendors (who favor DoH) and enterprise security teams (who prefer DoT or local resolvers).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Firefox<\/strong> enabled DoH by default in 2020, using Cloudflare as the fallback resolver. <strong>Chrome<\/strong> followed with a more flexible approach \u2014 using DoH if the user&#8217;s existing DNS resolver supports it. <strong>Edge<\/strong> and <strong>Safari<\/strong> have both added DoH support since 2022.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>For website owners:<\/strong> DoH is the protocol most likely to be used by your visitors&#8217; browsers right now. 
It does not require any server-side configuration \u2014 your visitors&#8217; DNS queries are resolved by their browser&#8217;s configured DoH resolver before they reach your server.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"DoQ_%E2%80%94_DNS_over_QUIC\"><\/span>DoQ \u2014 DNS over QUIC<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Port:<\/strong> 853 (same as DoT) <strong>Transport:<\/strong> QUIC (UDP) <strong>RFC:<\/strong> 9250 (2022) <strong>Encryption:<\/strong> Yes (TLS 1.3 integrated into QUIC) <strong>Status:<\/strong> Emerging \u2014 growing resolver support, limited browser adoption<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DoQ is the newest major encrypted DNS protocol. It uses QUIC as its transport \u2014 the same protocol that powers HTTP\/3 \u2014 instead of TCP. Like DoT, it runs on port 853 and sends DNS queries directly without HTTP framing overhead.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The performance advantage of DoQ over DoT and DoH comes from QUIC&#8217;s architecture: the transport and TLS handshakes are combined into a single 1-RTT operation (compared to 2 RTTs for DoT and DoH over TCP). Additionally, QUIC&#8217;s connection migration feature means that DNS resolution continues seamlessly when a device switches networks \u2014 from Wi-Fi to cellular, for example \u2014 without re-establishing the connection.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The performance numbers are significant:<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DoQ outperforms DoT and DoH by approximately 33% in single query response time with Session Resumption enabled. Compared to unencrypted DNS over UDP, DoQ is only approximately 2% slower \u2014 making encrypted DNS nearly as fast as unencrypted DNS.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Page load times with DoQ are 10% faster compared to DoH. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For context: DoH over TCP requires 2 round-trips for the handshake before the first query. DoQ requires 1 round-trip. On a connection with 50ms latency, that is 50ms saved on every cold DNS lookup \u2014 multiplied by the number of DNS queries needed to load a modern webpage (typically 20 or more for complex sites).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Current adoption:<\/strong> Quad9, NextDNS, and AdGuard DNS all support DoQ. Cloudflare and Google do not yet offer production DoQ resolvers. DoQ is a newer protocol using QUIC with lower latency than DoT, but supported by fewer providers than DoH.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"DoH3_%E2%80%94_DNS_over_HTTPS3\"><\/span>DoH3 \u2014 DNS over HTTPS\/3<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Port:<\/strong> 443 <strong>Transport:<\/strong> HTTP\/3 (QUIC) <strong>Status:<\/strong> Emerging, backed by major browser vendors<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DoH3 is DoH running over HTTP\/3 instead of HTTP\/2. Since HTTP\/3 itself runs on QUIC, DoH3 gets the same connection performance benefits as DoQ \u2014 1-RTT handshake, connection migration, no head-of-line blocking \u2014 while maintaining the censorship-resistance advantage of running on port 443.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Research across more than 3,000 DoE resolvers demonstrates that DoQ and DoH3 perform comparably, with DoQ slightly outperforming on average. Despite broader feature adoption by DoQ, major browsers currently favor DoH3.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The distinction between DoQ and DoH3 is subtle from a performance perspective. 
The practical difference for most users is deployment: DoH3 is more likely to be supported by browser vendors because it builds on the existing DoH infrastructure with HTTP\/3 as the transport layer upgrade.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Performance_Comparison_What_the_Research_Says\"><\/span>Performance Comparison: What the Research Says<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The most comprehensive independent benchmark of encrypted DNS protocols was published in the PAM 2026 proceedings (Springer, March 2026), analyzing more than 3,000 resolvers across multiple continents. Here is what the data shows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Protocol<\/th><th>Handshake RTTs<\/th><th>Single Query Latency vs Do53<\/th><th>Page Load vs DoH<\/th><th>Connection Migration<\/th><\/tr><\/thead><tbody><tr><td>Do53 (UDP)<\/td><td>0<\/td><td>Baseline<\/td><td>\u2014<\/td><td>No<\/td><\/tr><tr><td>DoT<\/td><td>2<\/td><td>+15\u201325%<\/td><td>Slightly slower<\/td><td>No<\/td><\/tr><tr><td>DoH (HTTP\/2)<\/td><td>2<\/td><td>+15\u201325%<\/td><td>Baseline<\/td><td>No<\/td><\/tr><tr><td>DoQ<\/td><td>1<\/td><td>+2%<\/td><td>10% faster<\/td><td>Yes<\/td><\/tr><tr><td>DoH3<\/td><td>1<\/td><td>+2\u20133%<\/td><td>Comparable to DoQ<\/td><td>Yes<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The key takeaway: <strong>DoQ and DoH3 have essentially closed the performance gap with unencrypted DNS<\/strong>. 
A 2% latency penalty for full encryption is negligible in the context of the total page load time for any real-world website.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The 10% page load improvement of DoQ over standard DoH comes from two sources: the faster handshake eliminates one RTT, and QUIC&#8217;s multiplexing handles the 20+ DNS queries that a complex page generates more efficiently than TCP.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_This_Means_for_Web_Hosting_and_Website_Performance\"><\/span>What This Means for Web Hosting and Website Performance<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">DNS resolution happens before any connection to your server. It is part of your Time to First Byte (TTFB) from the visitor&#8217;s perspective. Faster DNS resolution \u2192 lower TTFB \u2192 better Core Web Vitals \u2192 better Google rankings.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The chain is: DNS protocol choice \u2192 handshake latency \u2192 DNS lookup time \u2192 TTFB \u2192 LCP\/FCP \u2192 Core Web Vitals score.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For most websites on shared hosting, the DNS configuration is controlled at three levels:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>1. The resolver the visitor uses.<\/strong> This is largely outside your control \u2014 it depends on the visitor&#8217;s browser settings, operating system, and ISP. Chrome and Firefox default to DoH using their configured resolvers. Android uses DoT via its Private DNS setting.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>2. The authoritative DNS server for your domain.<\/strong> This is what your registrar (or Copahost) controls. Authoritative DNS does not need to use encrypted protocols \u2014 it speaks to resolvers, not browsers. What matters here is the TTL (Time to Live) configuration and response time.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>3. 
The nameservers you point your domain at.<\/strong> Using Cloudflare&#8217;s nameservers (1.1.1.1, 1.0.0.1) means your visitors who use Cloudflare&#8217;s resolver get DoH \u2014 and Cloudflare&#8217;s anycast network provides very fast authoritative lookups from virtually anywhere in the world.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Practical recommendation for website owners:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Point your domain at nameservers with global anycast infrastructure \u2014 Cloudflare, AWS Route 53, or your hosting provider&#8217;s DNS if they offer anycast<\/li>\n\n\n\n<li>Configure reasonable TTLs (3600 seconds for stable records; 300 seconds when planning changes)<\/li>\n\n\n\n<li>Enable DNSSEC on your domain to prevent DNS spoofing at the authoritative level \u2014 this is independent of encrypted transport and protects the integrity of the answer<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Infographic\"><\/span>Infographic<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"698\" height=\"894\" src=\"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/imagem-2.png\" alt=\"Infographic - Encrypted DNS\" class=\"wp-image-4374\" srcset=\"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/imagem-2.png 698w, https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/imagem-2-234x300.png 234w\" sizes=\"(max-width: 698px) 100vw, 698px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_to_Test_Your_DNS_Encryption\"><\/span>How to Test Your DNS Encryption<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Check_which_protocol_your_browser_is_using\"><\/span>Check which protocol your browser is using<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In Chrome: go to <code>chrome:\/\/net-internals\/#dns<\/code> to see DNS resolution details. For DoH status: <code>chrome:\/\/settings\/security<\/code> \u2192 &#8220;Use secure DNS.&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In Firefox: <code>about:config<\/code> \u2192 search <code>network.trr.mode<\/code>. Values: 0 = off, 2 = DoH with fallback, 3 = DoH only.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Test_your_current_DNS_leak\"><\/span>Test your current DNS leak<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Visit <strong>dnsleaktest.com<\/strong> and run the extended test. If results show only your configured DoH\/DoT resolver, you are not leaking. If results show your ISP&#8217;s resolver, your DNS is not fully encrypted.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Benchmark_DNS_protocols_yourself\"><\/span>Benchmark DNS protocols yourself<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Install dnsdiag for protocol comparison\npip install dnsdiag\n\n# Compare Do53 vs DoH vs DoT for the same query\ndnsping -s 1.1.1.1 -c 10 copahost.com          # Do53\ndnsping -s https:\/\/1.1.1.1\/dns-query -c 10 copahost.com   # DoH\ndnsping -s tls:\/\/1.1.1.1 -c 10 copahost.com    # DoT\ndnsping -s quic:\/\/dns.nextdns.io -c 10 copahost.com  # DoQ\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Configuring_Encrypted_DNS_on_Your_Server\"><\/span>Configuring Encrypted DNS on Your Server<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"nginx_%E2%80%94_enabling_DNS_over_HTTPS_via_resolver\"><\/span>nginx \u2014 enabling DNS over HTTPS via resolver<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre 
class=\"wp-block-code\"><code># In nginx.conf \u2014 use Cloudflare's resolver for upstream lookups.\n# Note: nginx's resolver directive sends plain DNS (Do53) to these addresses; it does not speak DoH or DoT.\nresolver 1.1.1.1 1.0.0.1 valid=300s;\nresolver_timeout 5s;\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Using_Cloudflares_DNS_resolver_anycast_supports_DoHDoT\"><\/span>Using Cloudflare&#8217;s DNS resolver (anycast, supports DoH\/DoT)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Protocol<\/th><th>Address<\/th><\/tr><\/thead><tbody><tr><td>Do53<\/td><td>1.1.1.1 and 1.0.0.1<\/td><\/tr><tr><td>DoT<\/td><td>tls:\/\/1.1.1.1 (port 853)<\/td><\/tr><tr><td>DoH<\/td><td>https:\/\/1.1.1.1\/dns-query<\/td><\/tr><tr><td>DoH3\/DoQ<\/td><td>Supported via browser auto-upgrade<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Enabling_DNSSEC_on_your_domain_cPanel\"><\/span>Enabling DNSSEC on your domain (cPanel)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In cPanel \u2192 Zone Editor \u2192 select your domain \u2192 DNSSEC \u2192 Enable. This signs your DNS records cryptographically, preventing spoofing at the authoritative level. Note: DNSSEC is separate from encrypted transport \u2014 it protects data integrity, not query privacy.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Limits_of_Encrypted_DNS\"><\/span>Limits of Encrypted DNS<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Encrypted DNS is not a complete privacy solution. 
Being precise about what it protects and what it does not is important:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>What encrypted DNS protects:<\/strong> the content of DNS queries \u2014 which domain names are being resolved \u2014 from passive observers on the network path between the client and the resolver.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>What it does not protect:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Destination IP addresses:<\/strong> once DNS resolves a domain, the connection goes to the IP. The IP is visible even without seeing the DNS query.<\/li>\n\n\n\n<li><strong>SNI (Server Name Indication):<\/strong> unless Encrypted Client Hello (ECH) is also deployed, the domain name leaks in the TLS handshake. ECH, standardized in RFC 9849, is the complement to encrypted DNS that closes this gap.<\/li>\n\n\n\n<li><strong>Traffic analysis:<\/strong> volume and timing of connections can still reveal browsing patterns even with all transport encryption in place.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Which_Protocol_Should_You_Use\"><\/span>Which Protocol Should You Use?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Scenario<\/th><th>Recommended protocol<\/th><\/tr><\/thead><tbody><tr><td>Personal privacy on public Wi-Fi<\/td><td>DoQ (Quad9 or NextDNS) or DoH (Cloudflare)<\/td><\/tr><tr><td>Enterprise network with monitoring needs<\/td><td>DoT to controlled resolver<\/td><\/tr><tr><td>Browser default (no configuration)<\/td><td>DoH \u2014 already default in Chrome\/Firefox<\/td><\/tr><tr><td>Mobile devices (Android\/iOS)<\/td><td>DoT via system Private DNS setting<\/td><\/tr><tr><td>Maximum performance + 
privacy<\/td><td>DoQ via NextDNS or Quad9<\/td><\/tr><tr><td>Website\/server DNS resolver<\/td><td>Anycast Do53 with DNSSEC (Cloudflare or Route 53)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The short answer for most website owners: <strong>you do not need to configure anything for your visitors&#8217; DNS queries<\/strong> \u2014 modern browsers handle this automatically. What you can control is the authoritative DNS for your domain (use Cloudflare&#8217;s nameservers for best performance) and DNSSEC (enable it in your registrar or cPanel).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The four encrypted DNS protocols \u2014 DoT, DoH, DoQ and DoH3 \u2014 each solve the plain-text DNS problem with different tradeoffs. DoH is the current standard in browsers. DoQ and DoH3 are the performance-optimized next generation, with research showing they have essentially closed the gap with unencrypted DNS while adding full privacy protection.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For website owners, the most actionable steps are DNSSEC activation on your domain and using an authoritative DNS provider with global anycast infrastructure. 
For end users who care about privacy, DoQ via Quad9 or NextDNS is the best option available today.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Sources\"><\/span>Sources<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>PAM 2026 \u2014 The Future of DNS Privacy: A Comparison of DNS over QUIC and DNS over HTTP\/3: <a href=\"https:\/\/link.springer.com\/chapter\/10.1007\/978-3-032-18268-5_10\">https:\/\/link.springer.com\/chapter\/10.1007\/978-3-032-18268-5_10<\/a><\/li>\n\n\n\n<li>Catchpoint \u2014 DNS over QUIC (DoQ) Working and Implementation Guide: <a href=\"https:\/\/www.catchpoint.com\/http2-vs-http3\/dns-over-quic\">https:\/\/www.catchpoint.com\/http2-vs-http3\/dns-over-quic<\/a><\/li>\n\n\n\n<li>packet.guru \u2014 DNS Encryption in 2026: Practical Guide to DoH, DoT, DoQ and Private DNS: <a href=\"https:\/\/packet.guru\/blog\/DNS-Encryption-in-2026\">https:\/\/packet.guru\/blog\/DNS-Encryption-in-2026<\/a><\/li>\n\n\n\n<li>NextDNS Help Center \u2014 What is DoT, DoQ and DoH: <a href=\"https:\/\/help.nextdns.io\/t\/x2hmvas\">https:\/\/help.nextdns.io\/t\/x2hmvas<\/a><\/li>\n\n\n\n<li>State of Surveillance \u2014 Best Encrypted DNS May 2026: <a href=\"https:\/\/stateofsurveillance.org\/guides\/technical\/encrypted-dns-comparison\/\">https:\/\/stateofsurveillance.org\/guides\/technical\/encrypted-dns-comparison\/<\/a><\/li>\n\n\n\n<li>linkconfig \u2014 DNS over QUIC and DNS over HTTPS\/3: <a href=\"https:\/\/linkconfig.com\/blog\/dns-over-quic-doh3-encrypted-dns\/\">https:\/\/linkconfig.com\/blog\/dns-over-quic-doh3-encrypted-dns\/<\/a><\/li>\n\n\n\n<li>RFC 9250 \u2014 DNS over Dedicated QUIC Connections: <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc9250\">https:\/\/datatracker.ietf.org\/doc\/html\/rfc9250<\/a><\/li>\n\n\n\n<li>RFC 9849 \u2014 TLS Encrypted Client Hello: <a 
href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc9849\">https:\/\/datatracker.ietf.org\/doc\/html\/rfc9849<\/a><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Copahost provides web hosting and domain registration with DNSSEC support on all registered domains. For a foundational understanding of how DNS works, see our guide: <a href=\"https:\/\/www.copahost.com\/blog\/what-does-dns-stand-for\/\">What does DNS stand for?<\/a><\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>You already know that DNS translates domain names into IP addresses \u2014 the internet&#8217;s phone book, as the classic analogy goes. If you want a refresher on how DNS works at its core, our introduction to DNS covers the fundamentals. But here is something most website owners don&#8217;t know: every DNS query your visitors make [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4375,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[186],"tags":[],"class_list":["post-4372","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-dns"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>DNS over HTTPS, DNS over TLS, and DNS over QUIC: Which Encrypted DNS Protocol Should You Use? - Copahost<\/title>\n<meta name=\"description\" content=\"DNS queries travel in plain text by default \u2014 even when your site uses HTTPS. 
Here&#039;s how DoH, DoT, DoQ and DoH3 work, how they compare in performance (real benchmarks from 3,000+ resolvers), and which one is right for your website.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.copahost.com\/blog\/encrypted-dns\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"DNS over HTTPS, DNS over TLS, and DNS over QUIC: Which Encrypted DNS Protocol Should You Use? - Copahost\" \/>\n<meta property=\"og:description\" content=\"DNS queries travel in plain text by default \u2014 even when your site uses HTTPS. Here&#039;s how DoH, DoT, DoQ and DoH3 work, how they compare in performance (real benchmarks from 3,000+ resolvers), and which one is right for your website.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.copahost.com\/blog\/encrypted-dns\/\" \/>\n<meta property=\"og:site_name\" content=\"Copahost\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-21T12:13:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-26T15:17:59+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/Encrypted-DNS-DNS-over-HTTPS-TLS-and-QUIC.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1536\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Gustavo Gallas\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Gustavo Gallas\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.copahost.com\/blog\/encrypted-dns\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/encrypted-dns\/\"},\"author\":{\"name\":\"Gustavo Gallas\",\"@id\":\"https:\/\/www.copahost.com\/blog\/#\/schema\/person\/386b3f1f79299d43f4ceb33d26428246\"},\"headline\":\"DNS over HTTPS, DNS over TLS, and DNS over QUIC: Which Encrypted DNS Protocol Should You Use?\",\"datePublished\":\"2026-05-21T12:13:00+00:00\",\"dateModified\":\"2026-05-26T15:17:59+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/encrypted-dns\/\"},\"wordCount\":2361,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/encrypted-dns\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/Encrypted-DNS-DNS-over-HTTPS-TLS-and-QUIC.png\",\"articleSection\":[\"DNS\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.copahost.com\/blog\/encrypted-dns\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.copahost.com\/blog\/encrypted-dns\/\",\"url\":\"https:\/\/www.copahost.com\/blog\/encrypted-dns\/\",\"name\":\"DNS over HTTPS, DNS over TLS, and DNS over QUIC: Which Encrypted DNS Protocol Should You Use? 
- Copahost\",\"isPartOf\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/encrypted-dns\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/encrypted-dns\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/Encrypted-DNS-DNS-over-HTTPS-TLS-and-QUIC.png\",\"datePublished\":\"2026-05-21T12:13:00+00:00\",\"dateModified\":\"2026-05-26T15:17:59+00:00\",\"description\":\"DNS queries travel in plain text by default \u2014 even when your site uses HTTPS. Here's how DoH, DoT, DoQ and DoH3 work, how they compare in performance (real benchmarks from 3,000+ resolvers), and which one is right for your website.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/encrypted-dns\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.copahost.com\/blog\/encrypted-dns\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.copahost.com\/blog\/encrypted-dns\/#primaryimage\",\"url\":\"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/Encrypted-DNS-DNS-over-HTTPS-TLS-and-QUIC.png\",\"contentUrl\":\"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2026\/05\/Encrypted-DNS-DNS-over-HTTPS-TLS-and-QUIC.png\",\"width\":1536,\"height\":1024,\"caption\":\"Encrypted DNS - DNS over https, tls and quic\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.copahost.com\/blog\/encrypted-dns\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.copahost.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"DNS over HTTPS, DNS over TLS, and DNS over QUIC: Which Encrypted DNS Protocol Should You 
Use?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.copahost.com\/blog\/#website\",\"url\":\"https:\/\/www.copahost.com\/blog\/\",\"name\":\"Copahost\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.copahost.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.copahost.com\/blog\/#organization\",\"name\":\"Copahost\",\"url\":\"https:\/\/www.copahost.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.copahost.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2016\/03\/copahostlogo.png\",\"contentUrl\":\"https:\/\/www.copahost.com\/blog\/wp-content\/uploads\/2016\/03\/copahostlogo.png\",\"width\":223,\"height\":40,\"caption\":\"Copahost\"},\"image\":{\"@id\":\"https:\/\/www.copahost.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.copahost.com\/blog\/#\/schema\/person\/386b3f1f79299d43f4ceb33d26428246\",\"name\":\"Gustavo Gallas\",\"description\":\"Graduated in Computing at PUC-Rio, Brazil. Specialized in IT, networking, systems administration and human and organizational development\u200b. Also have brewing skills.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/gustavo-gallas-107926196\/\"],\"url\":\"https:\/\/www.copahost.com\/blog\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/posts\/4372","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/comments?post=4372"}],"version-history":[{"count":1,"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/posts\/4372\/revisions"}],"predecessor-version":[{"id":4376,"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/posts\/4372\/revisions\/4376"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/media\/4375"}],"wp:attachment":[{"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/media?parent=4372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/categories?post=4372"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.copahost.com\/blog\/wp-json\/wp\/v2\/tags?post=4372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}