    DNSSEC vs DNS over HTTPS (DoH)

    Understand the difference between DNSSEC and DNS over HTTPS. DNSSEC proves DNS records are authentic; DoH encrypts queries for privacy. Learn why you need both.

    Answer snapshot

    DNSSEC and DoH solve different problems. DNSSEC adds cryptographic signatures so resolvers can verify DNS answers haven't been tampered with — it's about authenticity. DoH (DNS over HTTPS) encrypts the channel between client and recursive resolver — it's about privacy. They're complementary, not alternatives. Modern stacks deploy both: DNSSEC at the zone level, DoH/DoT at the resolver-client level.

    DNSSEC and DNS over HTTPS (DoH) are both DNS security technologies, but they solve fundamentally different problems. DNSSEC proves that DNS answers have not been tampered with. DoH hides DNS queries from network observers. They are complementary, not competing.

    TL;DR

    • DNSSEC adds cryptographic signatures to DNS records. Resolvers can verify that an answer is authentic and unmodified — but the query and response are still visible on the wire.
    • DoH wraps DNS queries inside an encrypted HTTPS connection between the client and the resolver. Eavesdroppers cannot see which domains you look up — but DoH says nothing about whether the answer is genuine.
    • Using both together gives you authenticated answers delivered over an encrypted channel.

    They Solve Different Problems

    Aspect              | DNSSEC                                                       | DNS over HTTPS
    --------------------|--------------------------------------------------------------|--------------------------------------------
    Protects against    | Record tampering, cache poisoning                            | Eavesdropping, query logging by ISPs
    Scope               | End-to-end: from authoritative server to validating resolver | Hop-by-hop: from client to resolver only
    Mechanism           | Cryptographic signatures (RRSIG, DNSKEY, DS)                 | TLS encryption over HTTPS
    Who deploys it      | Zone owner (signs) + resolver (validates)                    | Client (sends DoH) + resolver (accepts DoH)
    Visible to network  | Yes — queries and answers are plaintext                      | No — encrypted inside HTTPS
    Proves authenticity | Yes                                                          | No
    Hides queries       | No                                                           | Yes (from local network only)
    [Figure: DNSSEC vs DoH — What Each Protects. Left panel "DNSSEC — Authenticity": chain of trust Root (.) DNSKEY signs .eu TLD DS + DNSKEY, which signs dnscale.eu DS + DNSKEY + RRSIG; proves records have not been tampered with, but queries are still visible on the network and anyone watching can see what you look up. Right panel "DoH — Privacy": Client (browser) to Resolver (DoH) over HTTPS/TLS (encrypted), then Resolver to Authoritative nameserver in plaintext; hides queries from network observers but does not verify record authenticity, so a compromised resolver can still lie. Bottom: DNSSEC + DoH = Authenticated AND Private; records are cryptographically verified (DNSSEC) and queries are encrypted in transit (DoH). Deploy both for defence in depth; they protect against different threats.]

    How DNSSEC Works

    DNSSEC adds a chain of trust from the DNS root zone down to your domain. Each level cryptographically signs the next:

    1. The root zone publishes its own DNSKEY and signs the DS records for each TLD.
    2. The TLD (e.g. .eu) publishes its DNSKEY and signs DS records for domains under it.
    3. Your zone (e.g. dnscale.eu) publishes its DNSKEY and signs every record set with RRSIG signatures.

    A validating resolver walks this chain from the root to your domain. If any signature fails, the response is rejected. This prevents:

    • Cache poisoning — an attacker cannot inject forged records because they cannot produce valid signatures.
    • Man-in-the-middle modification — even if an attacker intercepts the response, altering it breaks the cryptographic signature.

    What DNSSEC does not do

    DNSSEC does not encrypt anything. Queries and responses travel in plaintext. An observer on the network can see every domain you look up and every answer you receive. DNSSEC only guarantees that the answer is the one the zone owner published.


    How DNS over HTTPS Works

    DoH wraps standard DNS queries inside an HTTPS connection (port 443) between the client — typically a browser or OS stub resolver — and a DoH-capable recursive resolver.

    1. The client opens a TLS-encrypted HTTPS connection to the resolver (e.g. https://dns.example.com/dns-query).
    2. DNS queries are sent as HTTP requests (GET or POST) with the application/dns-message content type.
    3. The resolver decrypts the query, resolves it normally (contacting authoritative servers over standard DNS), and returns the answer over the same encrypted channel.

    Because the connection uses TLS, anyone between the client and the resolver — ISPs, Wi-Fi operators, corporate proxies — sees only encrypted HTTPS traffic to the resolver's IP address. They cannot see which domains are being queried.

    What DoH does not do

    DoH only encrypts the first hop — from the client to the resolver. The resolver still contacts authoritative nameservers over standard, unencrypted DNS. DoH also does not verify that answers are genuine. If the resolver itself is compromised, or if it receives a poisoned answer from an upstream server, DoH will dutifully deliver that forged answer over a perfectly encrypted channel.
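    As an added example (not code from this page or from DNScale), the Python below builds the DNS wire message that travels inside the DoH request described above, encodes it for the RFC 8484 GET form with the DO bit set so a validating resolver returns signatures, and decodes the response header to see whether the resolver set the AD bit (it claims to have validated DNSSEC) or answered SERVFAIL. The resolver URL https://dns.example.com/dns-query is the page's placeholder and the response headers are constructed samples.

```python
import base64
import struct


def build_query(name: str, qtype: int = 1, want_dnssec: bool = True) -> bytes:
    """DNS query in wire format: ID 0 (RFC 8484 suggests 0 so HTTP caches can reuse it), RD set,
    plus an OPT record with the DO bit so a validating resolver returns RRSIGs and sets AD."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1 if want_dnssec else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    opt = b""
    if want_dnssec:
        # OPT RR: root name, TYPE 41, UDP payload size 4096, ext-rcode 0, version 0, DO=0x8000, RDLEN 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def doh_get_url(resolver_url: str, message: bytes) -> str:
    """RFC 8484 GET form: the message goes in ?dns= as base64url without '=' padding;
    the request also carries 'Accept: application/dns-message'."""
    encoded = base64.urlsafe_b64encode(message).decode("ascii").rstrip("=")
    return f"{resolver_url}?dns={encoded}"


def response_flags(message: bytes) -> dict:
    """Header bits a client should look at before trusting an answer that arrived over DoH."""
    _, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "qr": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "ad": bool(flags & 0x0020),  # resolver asserts it DNSSEC-validated this answer
        "cd": bool(flags & 0x0010),  # checking-disabled was requested
        "rcode": flags & 0x000F,     # 2 = SERVFAIL, what a validating resolver returns for bogus data
        "answers": an,
    }


# Constructed sample headers (no body): a validated NOERROR answer and a SERVFAIL from failed validation.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 1)  # QR RD RA AD, 1 answer, 1 OPT
SAMPLE_BOGUS = struct.pack("!HHHHHH", 0, 0x8182, 1, 0, 0, 0)      # QR RD RA, RCODE 2, no AD

if __name__ == "__main__":
    query = build_query("dnscale.eu")  # zone name from the page; resolver URL is hypothetical
    print(doh_get_url("https://dns.example.com/dns-query", query))
    print(response_flags(SAMPLE_VALIDATED))
    print(response_flags(SAMPLE_BOGUS))
```

    A stub that trusts the AD bit must also trust the resolver and the DoH channel that delivered it, which is exactly why the two layers are deployed together.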


    Why You Need Both

    Threat                                  | DNSSEC alone                      | DoH alone  | Both
    ----------------------------------------|-----------------------------------|------------|----------
    Cache poisoning / forged answers        | Protected                         | Vulnerable | Protected
    ISP logging your queries                | Visible                           | Hidden     | Hidden
    On-path attacker modifying answers      | Protected                         | Vulnerable | Protected
    Wi-Fi eavesdropping on queries          | Visible                           | Hidden     | Hidden
    Compromised resolver returning bad data | Protected (if resolver validates) | Vulnerable | Protected

    Running DNSSEC-signed zones and using a DoH-capable validating resolver gives you defence in depth: authenticity from DNSSEC, privacy from DoH.


    DNSSEC with DNScale

    DNScale supports DNSSEC out of the box. You can enable signing and manage keys from the dashboard or via the API:

    1. Open your zone in the DNScale dashboard and click the Shield icon.
    2. Click Generate Key Pair to create a signing key (CSK with ECDSAP256SHA256).
    3. Copy the DS records and add them at your domain registrar.
    4. Once the DS records propagate, your zone is DNSSEC-protected.
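    The chain of trust described above and step 3 here hinge on the DS record at the parent matching the DNSKEY in your zone. The Python below (an added example, not DNScale's code or API) computes a DS record from a DNSKEY following RFC 4034 and checks whether a DS you are about to hand to a registrar really points at that key; the zone name example.eu and the 64-byte key are constructed placeholders, not real values.

```python
import base64
import hashlib
import struct

def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a checksum over the DNSKEY RDATA used to pick the right key."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes, digest_type: int = 2) -> str:
    """DS presentation text '<keytag> <alg> <digesttype> <hex digest>'; digest type 2 = SHA-256, 4 = SHA-384."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(owner_name_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"

def parse_dnskey(text: str):
    """Parse 'flags protocol algorithm base64key' (the key may be split across whitespace)."""
    flags, proto, alg, *key_parts = text.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(key_parts))

def ds_matches(owner: str, dnskey_text: str, ds_text: str) -> bool:
    """True if the DS at the parent (registrar) really points at this child DNSKEY."""
    flags, proto, alg, pubkey = parse_dnskey(dnskey_text)
    tag, ds_alg, dtype, digest = ds_text.split()
    if int(dtype) not in (2, 4):
        return False  # unknown or deprecated digest type: do not accept
    expected = make_ds(owner, flags, proto, alg, pubkey, int(dtype))
    return expected.split() == [tag, ds_alg, dtype, digest.upper()]

# Constructed sample (not a real key): a CSK (flags 257 = ZONE|SEP) using algorithm 13
# (ECDSAP256SHA256), whose public key is 64 bytes; here a placeholder byte pattern.
SAMPLE_OWNER = "example.eu"  # hypothetical zone name
SAMPLE_KEY = bytes(range(64))
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(SAMPLE_KEY).decode("ascii")
SAMPLE_DS = make_ds(SAMPLE_OWNER, 257, 3, 13, SAMPLE_KEY)
```

    Run ds_matches(SAMPLE_OWNER, SAMPLE_DNSKEY, SAMPLE_DS) against your own zone's DNSKEY and the DS shown at the registrar; a mismatch in key tag, algorithm or digest means validating resolvers will treat the zone as bogus.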

    For detailed key management, including rollovers, see the DNSSEC Key Management guide.


    Key Takeaways

    • DNSSEC and DoH are not interchangeable — they protect against different threats.
    • DNSSEC proves records are authentic via a cryptographic chain of trust. It does not encrypt.
    • DoH encrypts queries between the client and resolver. It does not verify authenticity.
    • For comprehensive DNS security, deploy DNSSEC on your zones and use a DoH-capable validating resolver.

    Frequently asked questions

    Can DoH replace DNSSEC?
    No. DoH encrypts the conversation between you and your resolver — it doesn't authenticate the records the resolver got from authoritative servers. A malicious or compromised resolver can still serve fake answers; DNSSEC is what verifies the records themselves. The two layers solve different problems and are designed to coexist.
    What's the difference between DoH and DoT?
    Both encrypt DNS queries from client to resolver. DoH (DNS over HTTPS) wraps DNS in HTTPS — port 443, indistinguishable from normal web traffic. DoT (DNS over TLS) uses a dedicated port (853) and is easier for network operators to identify and manage. DoH is harder to filter; DoT is more transparent operationally. Both are equally good cryptographically.
    Does DoH hide DNS queries from my ISP?
    It hides them from anyone between you and the DoH resolver — including your ISP if you're using a non-ISP DoH resolver (1.1.1.1, 8.8.8.8, etc.). The resolver itself sees the queries; you've shifted who knows what you're querying, not eliminated visibility entirely. If privacy from the resolver matters too, look at oblivious DoH (ODoH) which adds a relay layer.
    Should I use DoH or stick with the system resolver?
    Most modern operating systems and browsers default to encrypted DNS now. Chrome, Firefox, Safari, iOS, and Windows 11 all support DoH/DoT and many enable it by default for popular resolvers. Override only if you have specific reasons (corporate DNS filtering, Pi-hole, custom split-DNS).
    Does DNScale support DoH on its authoritative servers?
    DoH is primarily a recursive-resolver concept — clients querying resolvers like 1.1.1.1. DNScale runs authoritative servers (the source of truth for zones), which traditionally serve plain DNS. The relevant protection layers for authoritative DNS are different: DNSSEC for record integrity, and TSIG (authentication) or DNS-over-TLS (encryption) for zone transfers. We support DNSSEC by default; secure zone-transfer options are available.
