The Surprising Cost of Private DNS: When Encryption Slows Your Queries

Real-world tests show plain DNS can return queries in 8-38 ms while encrypted DoH often lands at 12-167 ms depending on conditions and caching. Yet connection reuse and global anycast networks close much of the gap. Privacy gains against ISP snooping frequently outweigh the latency hit for everyday browsing.
Written by Maya Perez

One tester sat in a cafe, fired up a simple script, and watched plain DNS queries return in about 21 milliseconds. The encrypted version? It matched that pace almost exactly on the same connection. But run the same experiment from a different network, and the story flips. An ISP resolver clocks in at 38 milliseconds median. Switch to Cloudflare’s DoH endpoint from the same line and the number jumps to 167 milliseconds. Quad9 and NextDNS land between 167 and 280 milliseconds. The gap stunned observers. And it raises a question network engineers still wrestle with in 2026.

Gavin Phillips detailed his own tests for MakeUseOf. He measured five popular domains on cafe Wi-Fi using a PowerShell script that cleared the cache before each run. Five runs averaged out. The default resolver hit roughly 20.8 ms. Quad9 over plain UDP lagged at 46.3 ms. Yet Quad9 DoH came back at 21.5 ms. Connection reuse explained the result. Once the TLS session stayed open, the encryption tax largely vanished.

Contrast that with fresh lookups. A discussion on WindowsForum.com broke down a broader MakeUseOf benchmark that tested 150 lookups per resolver. The ISP resolver delivered a 38 ms median. Cloudflare’s unencrypted 1.1.1.1 service sat at 60 ms. Encrypted options suffered. The overhead came from repeated handshakes, certificate checks, and the extra round trips inherent in TLS. That analysis noted the test deliberately measured cold starts. Real browsing benefits from caching and persistent connections. Still, the raw difference stood out.

Namesilo examined the protocols themselves earlier this year. Its March 2026 report put plain DNS at 8 to 12 ms in typical conditions. DoH averaged 12 to 18 ms. DoT landed between 20 and 25 ms. The gap between DoH and DoT surprised some readers. DoH travels on port 443, blended in with ordinary HTTPS traffic. That blending can improve effective performance on networks that throttle or inspect port 853. Namesilo’s comparison gave DoH the edge for personal devices and travel. DoT still wins for router-level deployment where administrators want explicit control.

Global benchmarks tell a more optimistic tale for privacy-focused resolvers. DNSPerf data updated through mid-2026 shows Cloudflare 1.1.1.1 consistently near the top with average query times around 11.5 ms. The provider’s anycast network places servers close to users on every continent. Quad9 and Google Public DNS follow. Yet those headline figures usually reflect a mix of cached and uncached queries plus optimized transports. When testers force cold, encrypted lookups without connection reuse, the penalty appears.

But speed forms only one piece. Plain DNS sends every request in clear text over UDP port 53. Any observer on the path sees the full list of sites visited. ISPs, coffee-shop operators, and state-level actors can log or redirect those queries. Encrypted DNS stops that cold. Both DoH and DoT wrap the query inside TLS, so the destination and content are hidden from on-path observers; with DoH, even the fact that a DNS lookup occurred can stay hidden inside normal web traffic. The resolver operator itself still sees every query, of course.

Security teams point to additional gains. Encrypted resolvers often add threat intelligence. Quad9 blocks known malicious domains at the resolver level. Cloudflare offers optional filtering through 1.1.1.2 and 1.1.1.3. NextDNS lets users build custom block lists. These features matter more than raw milliseconds for many organizations. A few extra milliseconds per lookup rarely register during page loads where dozens of domains resolve in parallel and browsers cache aggressively.

Corporate networks complicate the picture. Many firewalls block or monitor port 853. DoT becomes visible and easy to shut down. DoH hides inside HTTPS on port 443. That stealth gives users privacy on locked-down networks but creates headaches for administrators who lose visibility into DNS-based threats. Some enterprises now deploy their own DoH proxies or trusted resolvers to regain control without sacrificing encryption.

Browser makers pushed DoH hard. Firefox enabled it by default for some users years ago. Chrome followed. The move sparked debate. Critics worried that centralizing DNS through big tech providers could shift power away from local networks. Supporters countered that users gain protection from snooping ISPs. The debate continues. Yet adoption grows. Millions of queries now flow encrypted by default.

Recent tests reinforce the nuance. A YouTube benchmark from vpnMentor in January 2026 compared multiple public resolvers head to head. Cloudflare again led on speed for many locations. But the video highlighted that local ISP resolvers still win on pure latency in regions where the ISP maintains tight peering. Switching to any public resolver, encrypted or not, can add single-digit milliseconds or more depending on geography. The vpnMentor analysis advised users to measure their own connections rather than trust global rankings.

DNSPerf’s ongoing dashboard lets anyone run similar checks. Its raw performance charts rank resolvers by query speed drawn from millions of probes. Cloudflare holds the lead in most regions. ClouDNS and others trail closely. These numbers reflect production traffic with heavy caching. They do not isolate the encryption overhead. That distinction matters for protocol designers and application developers who care about worst-case cold-start behavior.

So what should engineers and power users do? Test. Tools like dig, kdig, or browser-based DoH testers reveal the truth for a specific location and resolver set. Clear the cache, measure 100 or 200 cold lookups, then repeat with persistent connections. The difference often shrinks dramatically after the first query. Many find the privacy win worth single-digit or low double-digit millisecond penalties that vanish in real workloads.
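The measurement the article recommends, written out as an added example (not code from the article or from any of the testers it quotes): it speaks DNS wire format directly, first in clear text over UDP port 53 and then as RFC 8484 DNS-over-HTTPS, once with a fresh TLS connection per query and once over a single reused connection. Talking to the resolver directly bypasses the OS stub cache, which is the "clear the cache" step; the upstream resolver's own cache cannot be cleared from the client, so the three series are comparable only because they query the same names. The endpoints (Cloudflare on 1.1.1.1 and https://cloudflare-dns.com/dns-query), the round count and the example.com/.net/.org name set are assumptions chosen for illustration; any resolver with a DoH endpoint can be substituted.

```python
"""Cold vs. reused-connection latency for plain UDP DNS and DNS-over-HTTPS.
Added example, not the article's own script. Speaking DNS wire format directly
bypasses the OS stub cache, so every sample is a real round trip to the resolver."""
import http.client
import socket
import statistics
import struct
import time

# Assumed endpoints: Cloudflare's public resolver on UDP/53 and its DoH service.
UDP_SERVER = ("1.1.1.1", 53)
DOH_HOST = "cloudflare-dns.com"
DOH_PATH = "/dns-query"
NAMES = ["example.com", "example.net", "example.org"]  # constructed sample set


def build_query(name, qtype=1, txid=0):
    """Encode a single-question DNS message (A record by default, RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return transaction id, RCODE and any A-record addresses in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "rcode": flags & 0x0F, "answers": answers}


def udp_lookup(query, timeout=2.0):
    """One clear-text query over UDP/53; returns (milliseconds, raw response)."""
    start = time.perf_counter()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, UDP_SERVER)
        data, _ = sock.recvfrom(4096)
    return (time.perf_counter() - start) * 1000, data


def doh_lookup(conn, query):
    """One RFC 8484 POST on an already-open HTTPS connection; returns (ms, response)."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    start = time.perf_counter()
    conn.request("POST", DOH_PATH, body=query, headers=headers)
    data = conn.getresponse().read()
    return (time.perf_counter() - start) * 1000, data


def doh_cold_lookup(query):
    """Fresh TLS connection per query, so the handshake lands inside the timing."""
    conn = http.client.HTTPSConnection(DOH_HOST, timeout=5)
    try:
        return doh_lookup(conn, query)
    finally:
        conn.close()


def summarize(samples):
    """Median, minimum and maximum of a list of latencies in milliseconds."""
    return {"median": statistics.median(samples), "min": min(samples), "max": max(samples)}


def run_series(send, rounds):
    """Query every name `rounds` times through `send(query)`; return latencies in ms."""
    latencies = []
    for i in range(rounds):
        for j, name in enumerate(NAMES):
            txid = (i * len(NAMES) + j) & 0xFFFF
            ms, raw = send(build_query(name, txid=txid))
            if parse_response(raw)["txid"] != txid:  # timed a real answer, not junk
                raise ValueError("transaction id mismatch for %s" % name)
            latencies.append(ms)
    return latencies


if __name__ == "__main__":
    rounds = 20
    print("udp/53    ", summarize(run_series(udp_lookup, rounds)))
    print("doh cold  ", summarize(run_series(doh_cold_lookup, rounds)))
    warm = http.client.HTTPSConnection(DOH_HOST, timeout=5)  # kept open: reuse
    try:
        print("doh reuse ", summarize(run_series(lambda q: doh_lookup(warm, q), rounds)))
    finally:
        warm.close()
```

Run it from the network you care about; the "doh cold" line is the handshake-inclusive figure the cold-start benchmarks report, while "doh reuse" is what a browser holding its DoH connection open actually pays. Comparing the median rather than the mean keeps one slow handshake from dominating a short series.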

Phillips reached that conclusion after his cafe tests. He switched to encrypted DNS anyway. The privacy boost arrived without noticeable overhead on his regular networks. Others report the same. A handful of power users configure both: DoH in the browser for personal traffic, DoT at the router for the whole house, and fallback options when speed matters most.

The gap surprised many when first measured. Yet the data now paints a clearer picture. Encryption carries a measurable but often manageable cost. Connection reuse, smart resolver selection, and modern protocols shrink that cost further. For most users the trade-off tilts toward privacy. The numbers still matter. They simply no longer tell the whole story.
