From 3c59f28accb31bfdbb455f10dd00aeb1a7abea89 Mon Sep 17 00:00:00 2001 From: Rohan Kumar Date: Sat, 18 Nov 2023 19:30:46 -0800 Subject: [PATCH] New note: choosing an encrypted dns proto --- content/notes/choosing-an-encrypted-dns-proto.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 content/notes/choosing-an-encrypted-dns-proto.md diff --git a/content/notes/choosing-an-encrypted-dns-proto.md b/content/notes/choosing-an-encrypted-dns-proto.md new file mode 100644 index 0000000..2b70913 --- /dev/null +++ b/content/notes/choosing-an-encrypted-dns-proto.md @@ -0,0 +1,15 @@ +--- +title: "Choosing an encrypted DNS protocol" +date: 2023-11-18T19:30:46-07:00 +--- +The three most popular DNS protocols with transit encryption are DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ). This should help you choose what to use: + +1. Do you actually need to override OS DNS support? If not, or if you're unsure, go to 6. +2. Are you ready to implement DNS protocols correctly, or add a dependency that does so? If you're not, go to 5. +3. Does the network filter DNS traffic? If it does, go to 5. +4. Do you already have QUIC support? If not, **use DoT.** If you do, **use DoQ.** +5. Do you have an HTTPS stack? If you do, **use DoH**. +6. Give up and **delegate to the OS**. + +Let your HTTPS stack handle HTTP/1.1 vs. HTTP/2 vs. HTTP/3 support; don't treat DNS-over-HTTP/3 as a separate protocol. I don't know enough about DNSCrypt to make an informed recommendation about it, but DoQ and DoH meet my needs well enough. +
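Review bot: step 5 of the decision list is the only question without an explicit negative branch; a reader who reaches 5 without an HTTPS stack lands on 6 only by reading on, while every other step says where to go. Suggest `5. Do you have an HTTPS stack? If you do, **use DoH**. If not, go to 6.` so the list is a closed flowchart. Separately, the front matter `date: 2023-11-18T19:30:46-07:00` disagrees with the commit header, which stamps the same wall-clock time `19:30:46 -0800`; the two differ by an hour, and since the commit header is the generated one, the front matter offset is probably the one to correct.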