{ "@context": "https://schema.org", "@type": "DefinedTerm", "@id": "https://hostdir.net/glossary/dot", "name": "DoT", "alternateName": [ "DNS over TLS" ], "description": "DNS over TLS (DoT) encrypts DNS queries and responses using Transport Layer Security on a dedicated port 853, preventing eavesdropping and tampering.", "url": "https://hostdir.net/glossary/dot", "inDefinedTermSet": "https://hostdir.net/glossary", "termCode": "dot", "mainEntityOfPage": "https://hostdir.net/glossary/dot", "license": "https://creativecommons.org/licenses/by/4.0/", "_hostdir": { "kind": "glossary-term", "slug": "dot", "canonical": "https://hostdir.net/glossary/dot", "term": "DoT", "category": "DNS", "category_slug": "dns", "summary": "DNS over TLS (DoT) encrypts DNS queries and responses using Transport Layer Security on a dedicated port 853, preventing eavesdropping and tampering.", "definition": "DNS over TLS (DoT) is a network security protocol that wraps standard DNS queries and responses in a Transport Layer Security (TLS) tunnel. By running DNS inside a dedicated TLS session on port 853, DoT ensures that the entire DNS transaction is encrypted and authenticated, protecting against passive eavesdropping and active manipulation by intermediaries such as ISPs or attackers on the local network.\n\nDoT differs from DNS over HTTPS (DoH) primarily in its transport layer. DoT operates on a well-known port (853) and uses TLS directly on top of TCP, whereas DoH tunnels DNS inside HTTP/2 or HTTP/3 traffic on port 443, making it harder to differentiate from regular web traffic. DoT requires a separate connection establishment and is often deployed alongside a recursive resolver that listens on both port 53 (unencrypted) and port 853. The client and resolver negotiate TLS, verify the server certificate (typically via a pre-configured trust anchor or a pinned certificate), and then exchange DNS messages over a persistent encrypted channel.\n\nIn the protocol stack, DoT sits between the DNS application layer and the TCP/TLS transport layer. It is formally defined in RFC 7858 (published May 2016) and RFC 8310 (usage profiles). Stub resolvers on end-user devices, such as mobile phones and PCs, commonly support DoT to query a trusted recursive resolver like Cloudflare (1.1.1.1), Quad9 (9.9.9.9), or Google Public DNS (8.8.8.8). Operators and enterprise networks may deploy DoT forwarders to secure internal DNS traffic to external resolvers, reducing the risk of DNS spoofing and privacy leaks.", "examples": "A user configures their Android phone to use 'Private DNS mode' with the hostname dns.google. The phone establishes a TLS connection to 8.8.8.8 on port 853, verifies the server certificate, and sends all subsequent DNS queries inside the encrypted tunnel. An attacker on the same Wi-Fi network sees only TCP packets to 8.8.8.8:853; the DNS query for example.com is invisible.", "key_facts": [ "Encrypts DNS queries and responses using TLS on TCP port 853.", "RFC 7858 defines DoT as a Standards Track protocol; RFC 8310 describes strict and opportunistic usage profiles.", "Prevents DNS hijacking and cache poisoning by authenticating the resolver.", "Operates on a separate port from unencrypted DNS (53), making it easy to filter or block.", "Supported by major public resolvers (Cloudflare, Quad9, Google) and operating systems (Android 9+, iOS 14+)." ], "related_terms": [ "DNS over HTTPS", "DNSCrypt", "DNSSEC", "TLS", "Recursive Resolver", "Stub Resolver" ], "references": [ { "title": "RFC 7858: Specification for DNS over TLS (DoT)", "url": "https://datatracker.ietf.org/doc/html/rfc7858" }, { "title": "RFC 8310: Usage Profiles for DNS over TLS and DNS over DTLS", "url": "https://datatracker.ietf.org/doc/html/rfc8310" }, { "title": "DNS Privacy Project", "url": "https://dnsprivacy.org/" } ], "word_count": 266, "license": "CC BY 4.0", "license_url": "https://creativecommons.org/licenses/by/4.0/", "attribution": "HostDir Glossary — https://hostdir.net/glossary/dot" } }