Overview
DNS over HTTPS (DoH) and DNS over TLS (DoT) both encrypt your DNS queries so that third parties cannot read them in transit. They use different ports and integrate differently with operating systems and applications.
HostuxDNS supports both, along with DNS over QUIC (DoQ) for applications that support it.
Comparison
| Property | DoH | DoT |
|---|---|---|
| Port | 443 | 853 |
| Transport | HTTPS | TLS |
| Indistinguishable from web traffic | Yes | No (dedicated port) |
| Built into browsers | Yes (Firefox, Chrome, Edge) | No |
| Built into Android | No (requires app) | Yes (Private DNS, Android 9+) |
| Built into Windows | Yes (Windows 11 Settings) | No |
| Built into Linux systemd-resolved | Partial | Yes |
| HostuxDNS endpoint | https://dns.hostux.net/dns-query | dns.hostux.net port 853 |
When to use DoH
Choose DoH if you configure DNS inside a browser or another application:
- Browsers: Firefox, Chrome, Edge all support DoH natively in settings.
- Windows 11: Settings > Network & Internet > DNS server assignment supports DoH directly.
- Any network where port 853 is blocked: DoH runs on port 443 and is harder to filter.
HostuxDNS DoH endpoint: https://dns.hostux.net/dns-query
With ad and tracker blocking: https://dns.hostux.net/ads
When to use DoT
Choose DoT if you want encrypted DNS to apply across the whole system:
- Android: Private DNS (Settings > Network) uses DoT. Enter `dns.hostux.net`.
- Linux with systemd-resolved: configure `DNS=` and `DNSOverTLS=yes` in `/etc/systemd/resolved.conf`.
- Unbound: forward queries to `dns.hostux.net` on port `853` with TLS verification.
HostuxDNS DoT server name: dns.hostux.net, port 853
DNS over QUIC (DoQ)
DoQ is a newer protocol built on QUIC (the same transport as HTTP/3). It reduces connection latency compared to DoT and is supported by AdGuard Home and dnscrypt-proxy.
HostuxDNS DoQ endpoint: quic://dns.hostux.net, port 853/udp
Set it up
See the setup guide for step-by-step configuration on all supported platforms.
Frequently asked questions
What changes in practice between DoH and DoT?
DoH is configured inside an app or browser. DoT is configured at system level, so every app uses the same resolver.
When is DoH the safer choice on a filtered network?
Use DoH when a network blocks dedicated DNS ports or interferes with DNS traffic. Because it rides on HTTPS, it is harder to single out.
When is DoT the simpler option?
Choose DoT when your operating system already supports encrypted DNS with a hostname. It is the cleanest system-wide setup on Android and some Linux resolvers.
Should you use DoQ instead?
Use DoQ if your client already supports it and you want to cut connection latency. Otherwise, DoH and DoT remain the more widely supported defaults.
Which one should you pick in Firefox or on Android?
In Firefox, DoH is available directly in the browser settings. On Android, DoT applies across the whole device through Private DNS.