
Comparison of Encrypted DNS Protocols DoH, DoT, DoQ, and DoH3 in 2026 Including Attack Vectors
DNS, Cybersecurity, Encryption, Network Protocols
The post states that DNS-over-HTTPS (DoH) prevents ISP-level snooping and basic DNS hijacking but does not protect against a compromised resolver. DNS-over-TLS (DoT) is noted for being easier to detect and block, which impacts threat actors attempting DNS-based exfiltration. DNS-over-QUIC (DoQ) is highlighted for making traffic correlation harder due to QUIC’s connection ID migration. The discussion includes benchmark data and practical server configurations, focusing on the threat models each protocol addresses.