standard calls to DNS go over http, meaning any request is visible to anyone watching the wire.
DoT and DoH attempt to fix this.
think of a standard DNS request as a postcard - anyone handling it along the way can read the contents.
- DoT protects the transport on a dedicated port 853
- DoH protects the transport on the common port 443
while both solutions protect the DNS request by wrapping encryption around the "postcard", the difference now comes down to security vs privacy.
DoT is secure but not private. because the traffic uses a dedicated port, administrators can see which hosts are making DNS requests and control those sources - good security!
DoH is private because all the requests travel over a common channel, intermingled with every other https request on port 443, so they cannot be singled out by port alone - good privacy!
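as an added example (not part of the original note), this Python snippet classifies a few constructed flow records by destination port and shows the postcard difference from the administrator's side: a plain port-53 query has its name readable straight off the wire, DoT on 853 is opaque but still obviously DNS, and DoH on 443 is opaque and indistinguishable from ordinary https by port alone. the Flow record, the sample bytes and the function names are assumptions for the example.

```python
import struct
from dataclasses import dataclass

@dataclass
class Flow:
    """One observed connection: destination port plus its first payload bytes (constructed samples)."""
    dst_port: int
    payload: bytes

def parse_qname(packet: bytes) -> str:
    """Read the first question name from a plain DNS message (RFC 1035 wire format)."""
    if len(packet) < 12:
        raise ValueError("too short for a DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]  # header: id, flags, qd, an, ns, ar
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not appear in a question name
            raise ValueError("unexpected compression pointer")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)

def classify(flow: Flow) -> dict:
    """What someone watching the wire can tell from this flow."""
    if flow.dst_port == 53:   # the postcard: no encryption, query name readable
        return {"kind": "plain dns", "identifiable": True, "qname": parse_qname(flow.payload)}
    if flow.dst_port == 853:  # DoT: sealed envelope, but the dedicated port says "DNS"
        return {"kind": "dot", "identifiable": True, "qname": None}
    if flow.dst_port == 443:  # DoH: sealed envelope mixed in with all other https
        return {"kind": "https or doh", "identifiable": False, "qname": None}
    return {"kind": "other", "identifiable": False, "qname": None}

def identifiable_dns_flows(flows: list) -> int:
    """Count flows an administrator can recognise as DNS by port alone (DoH is not counted)."""
    return sum(1 for f in flows if classify(f)["identifiable"])

# Constructed samples: a wire-format query for example.com on port 53, and the first
# bytes of a TLS ClientHello record (opaque to the observer) on ports 853 and 443.
PLAIN_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
               + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")
TLS_HELLO = b"\x16\x03\x01\x00\xc0\x01\x00\x00\xbc\x03\x03"
SAMPLE_FLOWS = [Flow(53, PLAIN_QUERY), Flow(853, TLS_HELLO), Flow(443, TLS_HELLO)]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.dst_port, classify(f))
    print("dns flows recognisable by port:", identifiable_dns_flows(SAMPLE_FLOWS))
```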