🌐 Networking Intermediate

What is DNS over HTTPS (DoH) and DNS over TLS (DoT)?

Why Interviewers Ask This

This question targets practical, hands-on experience with Networking. Interviewers want to see if you've worked with these concepts in real projects, not just read about them. Strong answers include concrete examples.

Answer

Traditional DNS queries are sent in plaintext over UDP/TCP port 53, so they are visible to ISPs, network administrators, and attackers, which enables DNS surveillance, censorship, and DNS spoofing.

DNS over TLS (DoT, RFC 7858) encrypts DNS queries inside TLS on a dedicated port, 853. Because that connection is separate from HTTPS traffic, it is easy to identify, and network administrators can monitor or block it.

DNS over HTTPS (DoH, RFC 8484) carries DNS queries inside HTTPS on port 443, so on the wire DNS traffic is indistinguishable from regular web traffic and is harder to block or monitor. Firefox and Chrome support DoH natively. Public providers include Cloudflare (1.1.1.1), Google (8.8.8.8), and NextDNS.

Trade-offs: DoH improves user privacy from ISPs but moves trust to the DoH provider and reduces network administrators' visibility and control. Enterprise networks often block DoH to keep their DNS-based security controls effective.

DNSSEC provides authentication of DNS data; DoH/DoT provide confidentiality of the transport. The two are complementary.

Pro Tip

If you're unsure about a detail, say so honestly and explain your reasoning. Interviewers respect candidates who can think through uncertainty rather than bluffing.