DNS encryption protocols aren’t equal (and your ISP hopes you don’t know why)

Although we use easy-to-remember web addresses, the internet actually operates on a system of IP addresses and remote servers. Behind the scenes, it hinges on the Domain Name System (DNS), which converts those domain names into IP addresses—a format that your device understands.

So, every time you type a domain into your browser, the DNS turns it into machine-readable data. A DNS server is queried, and the DNS traffic is sent. But you know who else can see your DNS information? That's right: basically anyone, including your internet service provider, the government, and any other agencies that want to pry into your data.

Now, the good news is that you can encrypt those DNS requests to stop those prying eyes from seeing the websites and services you're using. The bad news is that it's not as simple as just flicking a switch and having all of your DNS requests protected. Even though some methods shield you from your ISP, others still expose metadata and usage patterns that make it easy to figure out who and where you are. This is why understanding the difference between DNS encryption methods is so important; if you assume encryption automatically equals privacy, your data is going to end up in the wrong hands.

ISPs and DNS protocols

Your ISP cares about what DNS protocol you use

DNS traffic is the easiest way for an ISP to determine which sites you visit. Once you type a domain name into a browser, even if you're protected by HTTPS, the DNS request that follows can show the site you're trying to access. It may not display specific pages on the site you're accessing, but it generally reveals the domain you're visiting. ISPs may utilize this level of visibility for network management purposes. It can also be a source of revenue; the Federal Trade Commission has reported that ISPs inject ads and monetize DNS query data.

It becomes harder for ISPs to continue this business model if your DNS queries are encrypted. You can use protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT) to make it harder for your ISP and anyone not on the network to see what domain names you look up. This drastically eliminates a historical revenue source for ISPs, becoming a privacy win for you, even though it shifts trust to a third-party DoH/DoT resolver (e.g., Cloudflare, Google).

However, it's essential to note that ISPs also play a crucial role in network management, which may involve enforcing parental controls, blocking malware, and complying with local regulations. Once DNS is encrypted, these tasks are much harder for an ISP to perform because it disables the network-wide control the ISP had over DNS-based functions.

The key protocols

DoH vs. DoT vs. ODoH

DNS encryption wasn't always a unified standard. This meant that every DNS encryption protocol could adopt slightly different ways to tackle the problem. DNS over HTTPS (DoH) and DNS over TLS (DoT) are mainstream and commonly deployed encryption protocols. Both protocols aim to encrypt DNS queries so that they're not readable as plaintext, but their design and adoption paths result in each providing a different user experience.

DoH blends perfectly with all your traffic because it runs over HTTPS. It's easy for mainstream browsers like Chrome and Firefox to enable it directly, and networks can't easily block this traffic without disrupting everything. DoT is quite different. It's typically implemented at the system or router level and runs over a dedicated port (853) using TCP with TLS encryption. It's more of a network-level service, but firewalls or ISPs can block it more easily if necessary.

There is, however, a newer encryption protocol: Oblivious DoH (ODoH). Where DoH and DoT solve the problem of encrypting DNS queries so they can't be read in plaintext, ODoH aims to build trust in the resolver itself. If you use DoH or DoT, your preferred resolver sees your IP address, which can identify your location/ISP/home network. However, ODoH includes an additional proxy so that no single party can see both your IP address and your domain queries. This is still an IETF Experimental Standard and adds some latency due to the proxy and double encryption. This overhead may be minimal compared to other DNS encryption methods, but ODoH still lacks mainstream adoption.

DNSCrypt is another lesser-known option that offers strong authentication and encryption, predating DoH and DoT. It's not standardized by the IETF but is actively maintained via proxy implementations that may support newer protocols like ODoH.

All these protocols offer some form of protection, but choosing one over the other ultimately means choosing between ease of deployment, where you shift your trust, and censorship resistance.

The middleman problem

Encryption may still leave you open

Encrypted DNS doesn't make you completely invisible online. The different protocols may make it difficult for any parties outside the network to read your queries, but your resolver can still see visited domain names and your IP address. So, you trade ISP visibility for visibility on a large public resolver.

The patterns in your traffic may also leak metadata. Even when the data content is encrypted, elements like timing, frequency, and packet size can still be analyzed to infer browsing habits. This traffic, in some cases, may be used to hint at domains you visit without decrypting the requests themselves.

Additionally, the limited number of providers raises an issue of centralization, particularly since the majority of encrypted DNS traffic is routed through these limited options. Even though these companies build robust safeguards, a single subpoena, data breach, or regulatory policy may expose user activity.

Making the best-informed decision

You can build a local DNS, but for privacy, an encrypted DNS is a better solution. Whichever option you choose, however, comes with trade-offs: ODoH is still experimental and may introduce some latency, but it reduces trust concentration, while DoH and DoT shift trust from your ISP to a third-party resolver.

You may choose whichever option you please, but the point is that they're not all equal. And in all this, privacy is often at the mercy of centralized infrastructure, corporate policies, and regulatory frameworks. How much we can do to change this may be limited, but that knowledge equips you with an understanding of how much control lies in your hands, and this will ultimately help you make the best-informed decision about what or who you choose to trust.