DoT vs DoH vs DoQ
DoT
DNS over TLS (DoT) is a DNS encryption protocol based on TLS. Counting the TCP handshake, the TLS handshake and the query itself, a DoT lookup over TLS 1.2 requires at least four round-trips and over TLS 1.3 at least three, whereas a plain DNS request needs only one round-trip.
Timeline
↓
Client                                                                 Server
  │                                                                      │
  │  Client sends SYN segment                                            │
  │ ────────────────────────────────────────────────────────────────────▶│
  │  SYN = 1, Seq = x                                                    │
  │                                                                      │
  │ ←────────────────────────────────────────────────────────────────────│
  │  Server responds with SYN-ACK segment                                │
  │  SYN = 1, ACK = 1, Seq = y, Ack = x + 1                              │
  │                                                                      │
  │  Client sends ACK segment                                            │
  │ ────────────────────────────────────────────────────────────────────▶│
  │  ACK = 1, Seq = x + 1, Ack = y + 1                                   │
  │                                                                      │
  │  TCP connection established                                          │
  │  Client sends ClientHello                                            │
  │ ────────────────────────────────────────────────────────────────────▶│
  │                                                                      │
  │ ←────────────────────────────────────────────────────────────────────│
  │  Server responds with ServerHello                                    │
  │  Server sends certificate chain                                      │
  │                                                                      │
  │  Client sends key exchange message                                   │
  │ ────────────────────────────────────────────────────────────────────▶│
  │                                                                      │
  │  Server sends key exchange message                                   │
  │ ←────────────────────────────────────────────────────────────────────│
  │                                                                      │
  │  Client sends Finished                                               │
  │ ────────────────────────────────────────────────────────────────────▶│
  │                                                                      │
  │  Server sends Finished                                               │
  │ ←────────────────────────────────────────────────────────────────────│
  │                                                                      │
  │  TLS handshake completed                                             │
  │  Client sends DNS query                                              │
  │ ────────────────────────────────────────────────────────────────────▶│
  │                                                                      │
  │ ←────────────────────────────────────────────────────────────────────│
  │  Server responds with DNS response                                   │
  │                                                                      │
A TLS 1.2 handshake requires at least two round-trip times (RTT): the client sends ClientHello, the server replies with ServerHello and its certificates, the client then sends ClientKeyExchange and ChangeCipherSpec, and finally the server sends Finished. TLS 1.3 reduces the handshake to a single round trip (1-RTT): the client includes its key share information in the ClientHello, the server includes its own key share in the ServerHello, and key negotiation and the handshake are completed within the first round trip.
DoH
DNS over HTTPS (DoH) is a DNS encryption protocol based on HTTPS. HTTPS runs over TCP and requires at least three round-trips to establish a connection, whereas a plain DNS request needs only one round-trip. DoH is therefore the slowest of the three encrypted DNS protocols.
Compared to DoT, DoH carries additional HTTP headers and so has higher protocol overhead, which makes it slightly slower than DoT. In other respects it behaves like DoT.
DoQ
DNS over QUIC (DoQ) is a DNS encryption protocol based on QUIC. QUIC runs over UDP and requires two round-trips to establish a connection, whereas a plain DNS request needs only one round-trip. DoQ is therefore the fastest of the three encrypted DNS protocols.
Timeline
↓
Client                                                                 Server
  │                                                                      │
  │  Client sends Initial Packet                                         │
  │  Contains: QUIC version, Connection ID, encrypted handshake message  │
  │  (ClientHello), possibly application-layer data                      │
  │ ────────────────────────────────────────────────────────────────────▶│
  │                                                                      │
  │ ←────────────────────────────────────────────────────────────────────│
  │  Server responds with Initial Packet                                 │
  │  Contains: encrypted handshake message (ServerHello, Certificate,    │
  │  ServerKeyExchange etc.)                                             │
  │  May contain confirmation or rejection of client's 0-RTT data        │
  │                                                                      │
  │  Client sends encrypted handshake message (EndOfEarlyData, Finished) │
  │ ────────────────────────────────────────────────────────────────────▶│
  │                                                                      │
  │  Server sends encrypted handshake message (Finished)                 │
  │ ←────────────────────────────────────────────────────────────────────│
  │                                                                      │
  │  Handshake completed                                                 │
  │  Connection established                                              │
  │  Data transmission begins                                            │
  │ ────────────────────────────────────────────────────────────────────▶│
  │ ←────────────────────────────────────────────────────────────────────│
  │  Data transmission                                                   │
  │  Data transmission                                                   │
  │  Data transmission                                                   │
  │                                                                      │
QUIC uses TLS 1.3 or higher to secure connections. The encrypted handshake resembles a traditional TLS handshake but is carried in QUIC's packet format, which lets data transmission start alongside the handshake. If a client has previously established a QUIC connection with the server, it can send application-layer data immediately in a new connection attempt without waiting for the server's response. This mechanism, called 0-RTT, can significantly reduce interaction latency; however, servers may reject 0-RTT data because it can be replayed.
QUIC's design goals include faster connection establishment and better congestion control than TCP while remaining compatible with existing network infrastructure. Through these mechanisms QUIC achieves a fast handshake on the first connection and uses 0-RTT to cut latency on subsequent ones.
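A server-side gate for the 0-RTT data described above, added here as an example and not code from the original page: it follows the RFC 9250 rule that only replayable DNS transactions (standard queries, not UPDATE or NOTIFY) may be processed from 0-RTT, and honours each session ticket identifier once within a time window, one of the anti-replay strategies RFC 8446 §8 describes. The `ticket_id` argument and the constructed DNS headers are assumptions for illustration.

```python
"""Added example (not from the original page): a DoQ-style server-side policy
for 0-RTT early data. Only replayable DNS transactions are accepted in 0-RTT,
and each session ticket identifier is honoured once within a time window."""
import struct
import time

OPCODE_QUERY, OPCODE_NOTIFY, OPCODE_UPDATE = 0, 4, 5


def dns_opcode(msg: bytes) -> int:
    """Return the OPCODE field (bits 1-4 of the flags word) of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack_from("!H", msg, 2)  # flags word is bytes 2-3
    return (flags >> 11) & 0xF


def is_replayable(msg: bytes) -> bool:
    """A standard QUERY can be replayed harmlessly; UPDATE and NOTIFY cannot."""
    return dns_opcode(msg) == OPCODE_QUERY


class EarlyDataGate:
    """Decide whether a DNS message carried as 0-RTT data may be processed."""

    def __init__(self, window_s: float = 10.0):
        self.window_s = window_s
        self._seen = {}  # ticket id -> time first seen (assumed single-use tickets)

    def _ticket_is_fresh(self, ticket_id: bytes, now: float) -> bool:
        # Evict expired entries so the cache stays bounded, then enforce single use.
        for tid, seen_at in list(self._seen.items()):
            if now - seen_at > self.window_s:
                del self._seen[tid]
        if ticket_id in self._seen:
            return False
        self._seen[ticket_id] = now
        return True

    def accept(self, ticket_id: bytes, msg: bytes, now=None) -> str:
        """Return 'accept', or a 'reject:...' reason; rejected data is retried 1-RTT."""
        now = time.monotonic() if now is None else now
        if not is_replayable(msg):
            return "reject:non-replayable"  # client must resend after the handshake
        if not self._ticket_is_fresh(ticket_id, now):
            return "reject:replay"
        return "accept"


def build_header(opcode: int, msg_id: int = 0x1234) -> bytes:
    """Constructed 12-byte DNS header (RD set, one question) with the given OPCODE."""
    flags = (opcode << 11) | 0x0100
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
```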
Conclusion
In stable network environments, DoQ theoretically offers the highest speed thanks to its UDP and TLS 1.3 foundation. In real networks, however, UDP's connectionless nature means ISPs may drop packets at random during heavy traffic, causing connection instability. DoT is slightly slower than DoQ but its TCP-based connections are more stable. DoH is slower because of its HTTP layer, but it offers richer backend functionality. Choose the encrypted DNS protocol that suits your network environment and requirements.