Tor vs DNS over HTTPS: Understanding the Privacy Difference

DNS over HTTPS (DoH) is widely promoted as a privacy improvement for internet browsing - it encrypts DNS lookups so your ISP cannot see which domain names you are resolving. Firefox and Chrome have both implemented DoH as a privacy feature. However, DoH is often misunderstood as providing the same privacy as Tor, which it does not. Understanding what DoH actually protects versus what Tor protects helps users choose the appropriate tool for their privacy needs. This guide compares the specific privacy properties of DNS over HTTPS and Tor, explaining what each prevents, what each does not prevent, and when combining both provides better protection than either alone.

What DNS over HTTPS Protects

DNS over HTTPS encrypts DNS queries - the requests your browser makes to look up IP addresses for domain names - and sends them over HTTPS to a DNS resolver you choose rather than your ISP's default DNS server. This prevents:

(1) Your ISP from seeing which domain names you look up (DNS query logging).
(2) DNS-based censorship that works by returning blocked results from ISP DNS servers.
(3) Local network attacks (coffee shop attackers, router compromise) that modify DNS responses.

DoH significantly improves privacy against passive ISP-level DNS snooping, which is relevant for most users on most networks. Configuring DoH in Firefox or using a DoH-enabled DNS service (Cloudflare 1.1.1.1, Google 8.8.8.8, NextDNS) is a meaningful, easy privacy improvement.
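The DoH request described above, as an added example that is not part of the original page: it builds the DNS wire-format question, wraps it in the RFC 8484 GET form, and then decodes it the way the receiving resolver would. The resolver URL `https://doh.example/dns-query` and all function names are placeholders chosen for illustration.

```python
import base64
import struct

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query (RFC 1035) for `name`; qtype 1 = A record."""
    labels = name.rstrip(".").encode("ascii").split(b".")
    if any(not 0 < len(label) <= 63 for label in labels):
        raise ValueError("each DNS label must be 1-63 bytes")
    # ID 0 (RFC 8484 recommends it for HTTP caching), RD flag set, one question.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS 1 = IN

def doh_get_url(resolver: str, name: str) -> str:
    """RFC 8484 GET form: base64url of the DNS message with padding stripped."""
    msg = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=").decode()
    return f"{resolver}?dns={msg}"

def queried_name(url: str) -> str:
    """Decode the `dns` parameter back to the queried name, as the resolver does."""
    b64 = url.split("?dns=", 1)[1]
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    labels, pos = [], 12                       # question starts after 12-byte header
    while msg[pos]:                            # zero-length label ends the name
        labels.append(msg[pos + 1 : pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    return ".".join(labels)

if __name__ == "__main__":
    # Placeholder resolver URL (assumption, not a real service).
    url = doh_get_url("https://doh.example/dns-query", "www.example.com")
    print(url)
    print(queried_name(url))
```

HTTPS hides this request from the network path, not from the resolver, which decodes the same question a classic DNS server would receive.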

What DNS over HTTPS Does NOT Protect

DoH's protection is limited to DNS queries. It does not cover:

(1) IP-based blocking - if a site is blocked by IP rather than DNS, DoH does not help.
(2) SNI (Server Name Indication) in TLS handshakes - most HTTPS connections advertise the target domain in the unencrypted TLS ClientHello, visible to network observers even with DoH. ESNI (Encrypted SNI, now called ECH - Encrypted Client Hello) addresses this, but deployment is incomplete.
(3) Your actual connection IP - the destination IP of your HTTP/HTTPS connections is visible to your ISP regardless of DoH.
(4) Content analysis by deep packet inspection.
(5) Browser fingerprinting and tracking cookies.

DoH solves exactly one privacy problem (DNS visibility) and does not address the many other ways your browsing is observable.

What Tor Protects (and Does Not Protect)

Tor routes all traffic through three encrypted hops, protecting:

(1) Your IP address from destination servers and ISPs.
(2) DNS queries (Tor resolves DNS at the exit relay, not locally).
(3) Traffic content through encryption on the circuit (though the exit relay sees unencrypted traffic to non-HTTPS destinations).
(4) SNI information (the exit relay connects to the destination, so your ISP sees only connections to Tor guard relays).
(5) Access to blocked content (your ISP sees only Tor traffic, not destinations).

Tor does not protect against application-level fingerprinting (browser fingerprinting), active malware on your device, or traffic correlation attacks by adversaries who monitor both entry and exit simultaneously.

DNS over HTTPS Plus Tor: Redundant or Complementary?

When using Tor, DoH provides no additional benefit for DNS because Tor already routes DNS through the exit relay, bypassing your ISP's DNS entirely. DoH and Tor solve some overlapping problems, but through different mechanisms. DoH is faster and simpler for users who only need DNS-level privacy without full anonymity. Using DoH without Tor still exposes your IP address, destination connections, and SNI. Tor without DoH provides stronger overall privacy than DoH without Tor, because Tor's three-hop routing protects more than just DNS. As a practical recommendation: use Tor Browser for privacy-sensitive browsing (Tor handles DNS correctly by design), and use DoH as an additional configuration on systems where Tor is not active, particularly to prevent ISP-level DNS logging of routine browsing. Never assume DoH provides Tor-equivalent privacy - it does not.

Censorship Circumvention: When DoH Works and When It Does Not

For censorship circumvention specifically, the right tool depends on how the censorship is implemented:

DNS-only blocking (returns an incorrect IP for blocked domains, used by some ISPs and countries): DoH bypasses this completely. A DoH-enabled browser resolves DNS through a non-censored resolver and connects directly to the correct IP.
IP-based blocking (blocks the actual server IP, used by more sophisticated censors): DoH does not help. The correct IP is known, but the connection is blocked at the network level.
DPI-based blocking (identifies and drops specific traffic types, including Tor itself): DoH does not address this - your connection still traverses the ISP's network.

Tor with bridges addresses all three blocking types: it bypasses DNS blocking, IP blocking, and DPI blocking for the traffic routed through Tor.
