DNSOverTLS

DNS-over-TLS (DoT) is a DNS transport protocol that uses Transport Layer Security to encrypt DNS queries and responses between a client and a recursive resolver. Defined in RFC 7858, it operates over TCP on port 853 and provides confidentiality and integrity for DNS messages by wrapping them in TLS.

In operation, a client establishes a TLS session with a DoT-capable resolver, negotiates a cipher suite, and then exchanges standard DNS messages inside the TLS channel. The message format is exactly that of DNS over TCP: each DNS message is preceded by a two-byte length field, so a DoT resolver is in effect a DNS-over-TCP server behind TLS. The resolver replies with DNS responses, and connections may be kept open and reused for subsequent queries; a client may also pipeline several queries on one connection and must then match responses to queries by message ID, since the resolver may answer out of order. DoT allows the use of DNSSEC for authenticating responses, though DNSSEC and DoT address different security aspects: DNSSEC signs the DNS data itself and protects against forged records whatever the transport, while DoT protects the channel between client and resolver and says nothing about whether the data the resolver returns is genuine.

Security and privacy: DoT encrypts DNS payloads, protecting them from eavesdropping and in-path tampering and so defeating many network-level observers. However, the resolver itself still sees every query, and metadata such as the client's IP address is exposed to the resolver, so choosing the resolver is the real trust decision. The TLS handshake can reveal the intended server through the Server Name Indication (SNI) extension when the client sends one, and the dedicated port 853 by itself marks the traffic as DoT; DoT also does not hide query patterns, timing or volumes from network observers in general. How much a client gains also depends on its usage profile (RFC 8310): in strict mode the client authenticates the resolver, by certificate and name or by an SPKI pin, and sends nothing if that fails; in opportunistic mode it encrypts when it can but may fall back to cleartext, which protects against passive observers only, not against an active attacker who blocks port 853 or presents an unverified certificate.

Deployment and use: DoT is supported by several public resolvers, including major providers, and is available in many operating systems and network devices. Clients configure a trusted DoT resolver, normally as both an IP address and the hostname expected in its certificate, and port 853. DoT is often used in conjunction with DNSSEC: DoT keeps the exchange private and tamper-evident on the wire, and DNSSEC lets the resolver (or a validating client) check that the DNS data itself is authentic.

Comparison with DNS over HTTPS: DoT transmits DNS messages directly within TLS over a dedicated port, whereas DNS over HTTPS (DoH, RFC 8484) encapsulates DNS within HTTPS over TLS (commonly on port 443). DoT's dedicated port makes the traffic simple for a network operator to identify and, where policy requires, to filter or block, and it carries less per-query overhead than HTTP framing; DoH benefits from standard HTTP infrastructure, blends in with ordinary web traffic on port 443, and makes it easier to share caching and tooling.
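The exchange described under operation and deployment above, as an added example that is not code from the original page: a minimal DoT client in Python that builds a DNS query on the wire, applies the two-byte length framing, opens a hostname-verified (strict profile) TLS session on port 853, pipelines several queries on it and matches the replies by message ID. The resolver IP 1.1.1.1 and certificate name cloudflare-dns.com are assumptions; the message builder and parser run offline, the network lookup is only called from the main block.

```python
"""Minimal DNS-over-TLS client (RFC 7858): DNS wire format, the two-byte length
framing DoT inherits from DNS over TCP, and a hostname-verified (strict) TLS
session on port 853 with several queries pipelined on one connection.
Added example; the resolver IP and name below are assumptions, not from the page."""
import socket
import ssl
import struct

DOT_PORT = 853

def encode_name(name: str) -> bytes:
    """QNAME wire form: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1, msg_id: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """Standard query (RD=1) plus an EDNS0 OPT RR whose DO bit asks for RRSIGs.
    DoT carries DNSSEC data but does not validate it; that is the client's job."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE=41, UDP size, ext-RCODE, version, flags (DO), RDLEN
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def frame(msg: bytes) -> bytes:
    """DoT (like DNS over TCP) prefixes every message with its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg

def read_framed(recv) -> bytes:
    """Read one length-prefixed message; recv(n) returns up to n bytes or b''."""
    def read_exact(n: int) -> bytes:
        buf = b""
        while len(buf) < n:
            chunk = recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed mid-message")
            buf += chunk
        return buf
    (length,) = struct.unpack("!H", read_exact(2))
    return read_exact(length)

def decode_name(msg: bytes, pos: int):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[pos]
        if ln & 0xC0 == 0xC0:                        # compression pointer
            if not jumped:
                end = pos + 2                        # the pointer ends the field
            pos = ((ln & 0x3F) << 8) | msg[pos + 1]
            jumped = True
            continue
        pos += 1
        if ln == 0:
            break
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    return ".".join(labels), (end if jumped else pos)

def parse_response(msg: bytes):
    """Return (id, rcode, [(name, type, rdata), ...]) for the answer section."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    pos = 12
    for _ in range(qd):                              # skip the echoed question
        _, pos = decode_name(msg, pos)
        pos += 4
    answers = []
    for _ in range(an):
        name, pos = decode_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1:                               # A record: dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rdata))
    return msg_id, flags & 0x000F, answers

def dot_lookup(names, resolver_ip="1.1.1.1", resolver_name="cloudflare-dns.com"):
    """Strict-profile DoT: the default context verifies the chain and the name in
    resolver_name, and that name also leaves in cleartext as SNI. Queries are
    pipelined on one session and matched to replies by message ID, since the
    resolver may answer out of order. Network call: not part of the offline test."""
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_name) as tls:
            pending = {}
            for i, name in enumerate(names):
                pending[0x1000 + i] = name
                tls.sendall(frame(build_query(name, msg_id=0x1000 + i)))
            results = {}
            while pending:
                msg_id, rcode, answers = parse_response(read_framed(tls.recv))
                if msg_id in pending:                # ignore IDs we never sent
                    results[pending.pop(msg_id)] = (rcode, answers)
            return results

if __name__ == "__main__":
    for name, (rcode, answers) in dot_lookup(["example.com", "ietf.org"]).items():
        print(name, "rcode", rcode, answers)
```

The default SSL context is what makes this the strict profile: an unverifiable chain or a certificate that does not name the resolver aborts the connection before any query is sent, instead of falling back to cleartext. To check a resolver by hand, `openssl s_client -connect 1.1.1.1:853 -servername cloudflare-dns.com` should finish its handshake with "Verify return code: 0 (ok)" when the certificate matches the name.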