
DoH vs DoT vs Classic DNS: What Your Router Should Use in 2026

Classic DNS is a postcard. DoT is a sealed envelope. DoH is a sealed envelope hidden inside regular mail. Here's which one to use, and where.

Hakan Kaynak
Founder, Guardino Technologies
19 April 2026 · 9 min read

TL;DR — Classic DNS is a postcard anyone can read. DoT (DNS over TLS) is a sealed envelope. DoH (DNS over HTTPS) is a sealed envelope hidden in a stack of regular mail. For phones, use DoH. For routers, use DoT. Use classic DNS only when your hardware forces you to — and even then, point it at a trusted resolver, not your ISP.

Three envelopes: the analogy that makes this easy

Imagine DNS as the postal service for Internet addresses. Every time your phone needs to know where netflix.com is, it mails a letter. Here's the difference between the three protocols:

  • Classic DNS (port 53) — you write the question on a postcard. Every postal worker along the route can read it, edit it, or replace it with a forgery.
  • DoT, DNS over TLS (port 853) — you put the postcard in a sealed envelope. Postal workers can see that you're mailing something privacy-related (it's clearly stamped "DNS mail"), but they can't read the contents.
  • DoH, DNS over HTTPS (port 443) — you put the sealed envelope inside a stack of normal web mail. Postal workers can't tell your DNS letter apart from any other web request. They can't read it, and they can't easily block it.

All three get the job done. The question is: how much do you want the Internet's middlemen to see and interfere with?

Classic DNS — the 1987 original

Classic DNS is the original unencrypted DNS protocol, operating on UDP port 53, where queries and answers travel as plain text across the network.

It was designed in 1987, before anyone imagined mass surveillance or ISPs selling browsing data. It works, it's fast, and almost every device on Earth speaks it. But because it's unencrypted:

  • Your ISP can read every domain you visit. Most do.
  • Your ISP can modify answers. This is how many countries implement site blocks — they hijack the DNS response.
  • Public WiFi operators can do the same. The airport WiFi can redirect bankofamerica.com to a phishing page if they want.
  • Any malware on your network can poison your cache. Cleartext DNS is a known attack surface.

For a home network behind a trusted router, classic DNS to a good resolver (1.1.1.1, 8.8.8.8, or dns.guardino.ai) is still miles better than ISP DNS. But the moment you leave that network — airport, hotel, cafe, cellular data — you should be on encrypted DNS.

DoT — DNS over TLS (RFC 7858)

DNS over TLS is classic DNS wrapped in the same TLS encryption that secures HTTPS websites, on dedicated port 853. It was standardized in 2016 (RFC 7858).

The good:

  • Fully encrypted between your device and the resolver.
  • Clean protocol — port 853 is used for nothing else, so routers and firewalls can identify, manage, and log it as a distinct category.
  • Low overhead — essentially the same speed as classic DNS once the TLS session is open.

The not-so-good:

  • Port 853 is easy to block. Networks that want to force you onto their own DNS can simply close port 853 outbound. This happens on some corporate and public WiFi.
  • The fact that you're doing DNS is visible (the port gives it away), even if the queries themselves are encrypted.

DoT shines on home routers. Modern consumer routers from ASUS, Ubiquiti, MikroTik, OpenWrt, and pfSense all support it. You configure it once, and every device on your network benefits — including smart TVs, game consoles, and IoT devices that can't configure DNS themselves.

DoH — DNS over HTTPS (RFC 8484)

DNS over HTTPS is DNS tunneled through an ordinary HTTPS connection on port 443, making encrypted DNS traffic indistinguishable from regular web browsing. It was standardized in 2018 (RFC 8484).

The good:

  • Fully encrypted, just like DoT.
  • Hard to block. Blocking port 443 would break the entire web, so networks that want to suppress DoH have to do it through deep packet inspection — which is expensive and imperfect.
  • Works through hostile networks — airports, schools, captive portals, heavily censored networks.
  • Supported natively by phones, modern browsers, and desktop OSes.

The not-so-good:

  • Harder to manage at the network layer. Your router can't easily see DoH traffic as "DNS" — it looks like web traffic. This makes enterprise DNS policy enforcement harder.
  • Some providers route DoH through a CDN (for anycast performance). The CDN operator technically sits in the path — which is why the trust profile of your DoH provider matters.
  • Bypasses router-level filters by design. If you set up family DNS filtering on your router but your kid configures DoH on their phone, it goes around your router. (This is why per-device DoH with your chosen filter is the answer, not fighting DoH.)

DoH shines on phones and laptops — anywhere the device roams off your home network.
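The three sections above describe one question travelling over three transports. The following script, added for this article and not code from Guardino or any resolver operator, builds the same RFC 1035 A-record query and sends it as a cleartext UDP datagram to port 53, as a TLS session on port 853 with the two-byte length prefix that DoT inherits from DNS over TCP (RFC 7858), and as an HTTPS POST of `application/dns-message` to `/dns-query` (RFC 8484). The resolver address 1.1.1.1 is the one the article names; the matching DoT/DoH hostname `cloudflare-dns.com` is assumed from that resolver's public documentation, and the response in `sample_response()` is constructed so the parser can be exercised offline.

```python
"""Same DNS question, three transports: UDP/53, DoT (TLS on 853), DoH (HTTPS on 443).

Added example for this article; it is not Guardino's code. Wire format per RFC 1035,
DoT framing per RFC 7858 (2-byte length prefix, as for DNS over TCP), DoH per RFC 8484.
"""
import http.client
import socket
import ssl
import struct


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build an A-record query: id, flags (RD=1), QDCOUNT=1, then the question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes):
    """Return (rcode, [IPv4 strings]) from a DNS response message."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        off = _skip_name(msg, off) + 4  # + QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, ips


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def query_classic(resolver: str, name: str) -> bytes:
    """Postcard: query and answer cross the network in cleartext on UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name), (resolver, 53))
        return s.recv(4096)


def query_dot(resolver: str, name: str, server_name: str) -> bytes:
    """Sealed envelope: TLS on port 853, certificate validated against server_name."""
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver, 853), timeout=3) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            q = build_query(name)
            tls.sendall(struct.pack("!H", len(q)) + q)  # TCP framing: 2-byte length
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


def query_doh(host: str, name: str, path: str = "/dns-query") -> bytes:
    """Envelope inside web mail: an HTTPS POST that looks like any other request."""
    conn = http.client.HTTPSConnection(host, 443, timeout=3)
    conn.request("POST", path, body=build_query(name),
                 headers={"Content-Type": "application/dns-message",
                          "Accept": "application/dns-message"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    ctype = (resp.getheader("Content-Type") or "").split(";")[0]
    if resp.status != 200 or ctype != "application/dns-message":
        raise RuntimeError(f"unexpected DoH response: {resp.status} {ctype}")
    return body


def sample_response() -> bytes:
    """Constructed answer 'example.com -> 192.0.2.1' (TEST-NET address) for offline use."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    # Live check against the public resolver the article names; needs network access.
    print("udp/53 ", parse_a_records(query_classic("1.1.1.1", "example.com")))
    print("dot/853", parse_a_records(query_dot("1.1.1.1", "example.com", "cloudflare-dns.com")))
    print("doh/443", parse_a_records(query_doh("cloudflare-dns.com", "example.com")))
```

Run it with a packet capture open and the analogy becomes literal: the first exchange shows the name in plain text, the second shows a TLS session whose port alone announces "DNS", and the third is indistinguishable from a browser fetching a page from the same host.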

Head-to-head comparison

| Protocol    | Port    | Encryption  | Router support             | App-level support                                 | Performance                | Best use case                     |
|-------------|---------|-------------|----------------------------|---------------------------------------------------|----------------------------|-----------------------------------|
| Classic DNS | UDP 53  | None        | Universal                  | Universal                                         | Fastest (no TLS handshake) | Legacy devices only               |
| DoT         | TCP 853 | TLS 1.2/1.3 | Good (modern routers)      | Android 9+, Linux, macOS                          | ~5 ms overhead             | Home routers                      |
| DoH         | TCP 443 | TLS 1.2/1.3 | Limited (flagship routers) | iOS 14+, Android 9+, Firefox, Chrome, Windows 11  | ~5 ms overhead             | Phones, laptops, hostile networks |
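The comparison turns on one property a router operator cares about: DoT announces itself by port, DoH does not. The audit below is an added example, not Guardino's code, that applies that distinction to flow records from a home network. Port 53 and port 853 are classified from the port alone; port 443 is only recognised as DoH when the TLS server name or destination address matches a list of resolvers the household has chosen. The flow lines, the router address, the resolver list and the key=value line format are all constructed for the example (the DoH hostname `cloudflare-dns.com` for 1.1.1.1 is assumed from that resolver's documentation).

```python
"""Audit a home network's DNS transports from flow records.

Added example for this article (not Guardino's code). Port 53 and 853 identify
themselves; DoH on 443 is only visible with extra knowledge (SNI or resolver IP).
"""
import re
from collections import defaultdict

ROUTER_IP = "192.168.1.1"                       # constructed: the home router
KNOWN_DOH_HOSTS = {"dns.guardino.ai", "cloudflare-dns.com"}   # chosen resolvers
KNOWN_RESOLVER_IPS = {"1.1.1.1", "8.8.8.8"}

# Constructed flow records in a netflow-like key=value format (not a real export).
SAMPLE_FLOWS = """\
2026-04-19T08:00:01Z proto=udp src=192.168.1.55 dst=192.168.1.1 dport=53
2026-04-19T08:00:02Z proto=tcp src=192.168.1.1 dst=1.1.1.1 dport=853
2026-04-19T08:00:03Z proto=tcp src=192.168.1.31 dst=198.51.100.7 dport=443 sni=dns.guardino.ai
2026-04-19T08:00:04Z proto=tcp src=192.168.1.31 dst=198.51.100.8 dport=443 sni=www.example.com
2026-04-19T08:00:05Z proto=udp src=192.168.1.42 dst=203.0.113.53 dport=53
2026-04-19T08:00:06Z proto=tcp src=192.168.1.42 dst=8.8.8.8 dport=443
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line: str) -> dict:
    fields = dict(FIELD_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    fields["dport"] = int(fields["dport"])
    return fields


def classify(flow: dict) -> str:
    """classic-dns-lan | classic-dns-external | dot | doh | web | other."""
    if flow["dport"] == 53:
        # Cleartext to the router stays inside the trusted LAN; cleartext to
        # anything else leaves the house as a postcard.
        return "classic-dns-lan" if flow["dst"] == ROUTER_IP else "classic-dns-external"
    if flow["proto"] == "tcp" and flow["dport"] == 853:
        return "dot"                            # the port alone identifies DoT
    if flow["proto"] == "tcp" and flow["dport"] == 443:
        if flow.get("sni") in KNOWN_DOH_HOSTS or flow["dst"] in KNOWN_RESOLVER_IPS:
            return "doh"                        # only recognisable via SNI or IP
        return "web"
    return "other"


def audit(flow_text: str) -> dict:
    """Per source device, the sorted list of DNS transports it was seen using."""
    report = defaultdict(set)
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        kind = classify(flow)
        if kind not in ("web", "other"):
            report[flow["src"]].add(kind)
    return {src: sorted(kinds) for src, kinds in report.items()}


def cleartext_devices(flow_text: str) -> list:
    """Devices sending postcards off the LAN: candidates for a DoH profile."""
    return sorted(src for src, kinds in audit(flow_text).items()
                  if "classic-dns-external" in kinds)


if __name__ == "__main__":
    for src, kinds in audit(SAMPLE_FLOWS).items():
        print(src, kinds)
    print("fix first:", cleartext_devices(SAMPLE_FLOWS))
```

On the sample data the router shows up as the DoT client, the old device on the LAN is left alone, and the laptop that was hand-configured with an external cleartext resolver is the one to fix. Note that a DoH resolver absent from the list is reported as ordinary web traffic, which is exactly the limitation the article describes for enforcing DNS policy at the router.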

Why it matters for families

Here's the practical playbook for a family household in 2026.

On your home router — use DoT. Configure your router to use a filtering DoT resolver (like dns.guardino.ai on port 853). Every device on your WiFi — smart TVs, consoles, IoT, guests — is now protected and encrypted. Setup is a one-time thing.

On every phone and laptop — use DoH with a per-user endpoint. Install a DoH profile that points to your filtering provider. This follows the device off your WiFi onto cellular data — which is the most important coverage for a teen's phone. Guardino provides this as a per-user DoH URL with a QR-code installer.

On old hardware that supports neither — use classic DNS to a trusted resolver. A Chromecast from 2015 may not speak DoH or DoT. That's fine: point it at dns.guardino.ai over classic DNS, or at a trusted public resolver. Cleartext inside your home network is an acceptable compromise.

Never leave phones on ISP default DNS. This is the single biggest upgrade most families can make in sixty seconds.
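The "install a DoH profile" step of the playbook is, on Apple devices, a signed or unsigned configuration profile carrying a DNS settings payload. The generator below is an added example, not Guardino's QR-code installer, that produces such a profile for either DoH (`DNSProtocol` HTTPS with a `ServerURL`) or DoT (`DNSProtocol` TLS with a `ServerName`), using Apple's `com.apple.dnsSettings.managed` payload keys, and reads it back so you can confirm what a phone will be pinned to before handing it out. The per-user URL shape is the one the article gives; the token is a placeholder, and the payload identifiers are hypothetical.

```python
"""Generate and verify an Apple .mobileconfig that pins a device to DoH or DoT.

Added example for this article; not Guardino's installer. Payload keys are Apple's
documented com.apple.dnsSettings.managed keys. Identifiers are hypothetical.
"""
import plistlib
import uuid

# Per-user URL shape from the article with the token replaced by a placeholder.
PLACEHOLDER_URL = "https://dns.guardino.ai/dns-query/TOKEN-PLACEHOLDER"


def dns_payload(protocol: str, server: str, addresses=None) -> dict:
    """One DNS settings payload: 'HTTPS' takes a URL, 'TLS' takes a hostname."""
    if protocol == "HTTPS":
        settings = {"DNSProtocol": "HTTPS", "ServerURL": server}
    elif protocol == "TLS":
        settings = {"DNSProtocol": "TLS", "ServerName": server}
    else:
        raise ValueError("protocol must be HTTPS or TLS")
    if addresses:                      # optional resolver IPs, so no bootstrap lookup
        settings["ServerAddresses"] = list(addresses)
    return {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.dns.settings",      # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Encrypted DNS ({protocol})",
        "DNSSettings": settings,
    }


def build_profile(protocol: str, server: str, addresses=None,
                  display_name: str = "Encrypted DNS") -> bytes:
    """Wrap the payload in a top-level profile and serialise it as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.dns.profile",       # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [dns_payload(protocol, server, addresses)],
    }
    return plistlib.dumps(profile)


def describe(profile_bytes: bytes) -> dict:
    """Read back what a profile configures: the check before sending it to a phone."""
    profile = plistlib.loads(profile_bytes)
    dns = [p for p in profile["PayloadContent"]
           if p["PayloadType"] == "com.apple.dnsSettings.managed"]
    if len(dns) != 1:
        raise ValueError("expected exactly one DNS payload")
    settings = dns[0]["DNSSettings"]
    return {"protocol": settings["DNSProtocol"],
            "server": settings.get("ServerURL") or settings.get("ServerName"),
            "addresses": settings.get("ServerAddresses", [])}


if __name__ == "__main__":
    with open("doh.mobileconfig", "wb") as fh:
        fh.write(build_profile("HTTPS", PLACEHOLDER_URL))
    print(describe(build_profile("TLS", "dns.guardino.ai")))
```

The resulting file installs on iOS 14 / macOS 11 or later; an unsigned profile installs but is labelled as such in Settings, so for a family rollout it is worth signing it. Because the setting is device-level, it stays in force on cellular data, which is the whole point of the per-device step.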

Common misconceptions

Myth 1: "DoH is a security risk because it bypasses my router's filter." Only if your router was the only thing filtering. If the DoH endpoint is your family filter, DoH is the feature — not the bug. It extends protection onto cellular data.

Myth 2: "DoT is obsolete now that DoH exists." No. DoT is cleaner for routers precisely because it's distinguishable. For infrastructure-level DNS, distinguishability is a feature, not a weakness.

Myth 3: "Encrypted DNS is slow." The extra latency is about 5 milliseconds — imperceptible. A good anycast network (Guardino runs 32 regions) makes encrypted DNS faster than most ISP DNS.

Myth 4: "ISPs can't see anything if I use DoH." They see less, but they still see the IP addresses you connect to. For small sites with their own IP, that's nearly as revealing as the domain. For CDN-hosted sites (most of the top 10,000), the IP is shared and reveals little.

Myth 5: "Configuring DoH is too technical." Not in 2026. Apple, Google, and Microsoft all ship DoH profile installers. Scan a QR code and you're done.

How Guardino does it

Guardino AI supports both DoH and DoT natively on every one of our 32 anycast regions. Each customer gets a per-user DoH endpoint — dns.guardino.ai/dns-query/{token} — and a matching DoT hostname. Setup is a QR code: on iOS and macOS it installs a configuration profile in seconds; on Android it populates the Private DNS field; on routers it autofills the DoT configuration. Latency is under 15 ms anywhere in the world. Every query is resolved in memory under a zero-log architecture — no query records, ever. Free tier: 300,000 queries per month. Pro: $6.99/month, 7-day trial.

Frequently asked questions

Is DoH better than DoT? Neither is strictly better. Use DoH on phones (blends with web traffic) and DoT on routers (cleaner protocol).

Does my ISP still see my browsing if I use DoH? They see far less. DoH hides the domain lookup. They can still see destination IPs, but for CDN-hosted sites those reveal little.

Which protocol does Guardino support? Both, on all 32 regions. Phones use DoH; routers typically use DoT.

Will my router work with encrypted DNS? Most routers from 2022 onward support DoT. Flagship routers support DoH. Very old routers support neither.

Is classic DNS still okay in 2026? Only behind a trusted network, and only pointed at a trusted resolver.


Ready to encrypt your DNS?

One QR code. Every device. 32 regions. Zero logs. Start free with Guardino — 300,000 queries per month, no card required.
