What is DoT?
Also known as: DNS over TLS
DNS over TLS (DoT) encrypts DNS queries and responses using Transport Layer Security on a dedicated port 853, preventing eavesdropping and tampering.
DNS over TLS (DoT) is a network security protocol that wraps standard DNS queries and responses in a Transport Layer Security (TLS) tunnel. By running DNS inside a dedicated TLS session on port 853, DoT ensures that the entire DNS transaction is encrypted and authenticated, protecting against passive eavesdropping and active manipulation by intermediaries such as ISPs or attackers on the local network.
DoT differs from DNS over HTTPS (DoH) primarily in its transport layer. DoT operates on a well-known port (853) and uses TLS directly on top of TCP, whereas DoH tunnels DNS inside HTTP/2 or HTTP/3 traffic on port 443, making it harder to differentiate from regular web traffic. DoT requires a separate connection establishment and is often deployed alongside a recursive resolver that listens on both port 53 (unencrypted) and port 853. The client and resolver negotiate TLS, verify the server certificate (typically via a pre-configured trust anchor or a pinned certificate), and then exchange DNS messages over a persistent encrypted channel.
In the protocol stack, DoT sits between the DNS application layer and the TCP/TLS transport layer. It is formally defined in RFC 7858 (published May 2016) and RFC 8310 (usage profiles). Stub resolvers on end-user devices, such as mobile phones and PCs, commonly support DoT to query a trusted recursive resolver like Cloudflare (1.1.1.1), Quad9 (9.9.9.9), or Google Public DNS (8.8.8.8). Operators and enterprise networks may deploy DoT forwarders to secure internal DNS traffic to external resolvers, reducing the risk of DNS spoofing and privacy leaks.
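The exchange described above, as an added example that is not part of the original page: a minimal DoT client written in Python's standard library. It uses the same framing DoT inherits from DNS over TCP (a two-byte big-endian length prefix on every message), TLS on port 853 with the resolver's certificate checked against the system trust store and the configured server name (the RFC 8310 strict profile), and an opportunistic variant that keeps encryption but drops authentication. All function names are this example's own; the sample response bytes are constructed here (not captured from a real resolver) so that the parsing path runs offline, while `dot_query` itself needs network access.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # dedicated port assigned by RFC 7858


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 query (recursion desired) for qname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: 2-byte length prefix, then the message."""
    return struct.pack("!H", len(msg)) + msg


def read_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed TLS session mid-message")
        buf += chunk
    return buf


def recv_framed(sock) -> bytes:
    (length,) = struct.unpack("!H", read_exact(sock, 2))
    return read_exact(sock, length)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expected_txid: int) -> list:
    """Extract IPv4 answers; reject a response whose txid does not match our query."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def make_context(strict: bool = True) -> ssl.SSLContext:
    """Strict profile: verify chain + server name. Opportunistic: encrypt only."""
    ctx = ssl.create_default_context()
    if not strict:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE  # no authentication: downgrade/MITM not detected
    return ctx


def dot_query(server_ip: str, server_name: str, qname: str,
              strict: bool = True, timeout: float = 5.0) -> list:
    """Send one A query over a fresh DoT session and return the answers (needs network)."""
    raw = socket.create_connection((server_ip, DOT_PORT), timeout=timeout)
    with make_context(strict).wrap_socket(raw, server_hostname=server_name) as tls:
        txid = 0x1234
        tls.sendall(frame(build_query(qname, txid=txid)))
        return parse_a_records(recv_framed(tls), txid)


def constructed_response(qname: str = "example.com", txid: int = 0x1234,
                         addr: str = "192.0.2.1", ttl: int = 300) -> bytes:
    """Constructed sample reply (TEST-NET address, not real resolver output) for offline parsing."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    question = build_query(qname, txid=txid)[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answer


if __name__ == "__main__":
    print(parse_a_records(constructed_response(), 0x1234))
    # print(dot_query("1.1.1.1", "cloudflare-dns.com", "example.com"))  # live query
```

The design point is the `strict` flag: with the opportunistic profile the channel is still encrypted, but an on-path attacker presenting any certificate is accepted, so the privacy and integrity claims in the text only hold when the server name is verified (or a pinned certificate is checked).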
Key facts
- Encrypts DNS queries and responses using TLS on TCP port 853.
- RFC 7858 defines DoT as a Standards Track protocol; RFC 8310 describes strict and opportunistic usage profiles.
- Prevents DNS hijacking and cache poisoning by authenticating the resolver.
- Operates on a separate port from unencrypted DNS (53), making it easy to filter or block.
- Supported by major public resolvers (Cloudflare, Quad9, Google) and operating systems (Android 9+, iOS 14+).
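As an added illustration of the strict versus opportunistic profiles (RFC 8310) at the operating-system level, not taken from the page: two `resolved.conf` fragments for systemd-resolved. The `#name` suffix on a `DNS=` entry is the server name the resolver's certificate is checked against; `DNSOverTLS=opportunistic` encrypts when the server offers port 853 but silently falls back to plain port 53 and does not authenticate, so only the second fragment delivers the tamper-resistance described above. The resolver addresses are the public ones named on the page; the choice of Cloudflare's hostname as the certificate name is this example's assumption.

```ini
# Weak: opportunistic DoT. Encrypted when possible, but an on-path attacker can
# block port 853 to force cleartext, and the server certificate is not validated.
[Resolve]
DNS=1.1.1.1 9.9.9.9
DNSOverTLS=opportunistic

# Stronger: strict DoT. Resolution fails closed if TLS cannot be established
# or the certificate does not match the configured server name.
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net
DNSOverTLS=yes
```

Only one `[Resolve]` section belongs in a real file; the two are shown side by side to contrast the settings. After editing, reload with `systemctl restart systemd-resolved` and confirm the active mode with `resolvectl status`.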
More in DNS
A Record
A DNS resource record that maps a hostname to a 32-bit IPv4 address. It is the most fundamental record type for translating domain names to numeric addresses on the Internet.
AAAA Record
A DNS resource record that maps a hostname to a 128-bit IPv6 address, analogous to the A record for IPv4.
Authoritative DNS
An authoritative DNS server holds the definitive resource records for a specific domain and responds to queries with the final answer for that zone, not a cached copy.
CAA Record
A CAA (Certification Authority Authorization) DNS record lets domain owners specify which certificate authorities are permitted to issue SSL/TLS certificates for their domain.
CNAME Record
A DNS record that maps an alias hostname to the true or canonical hostname, allowing multiple names to resolve to the same IP address without duplicating A or AAAA records.
DNS
The Domain Name System (DNS) is a hierarchical, distributed naming system that translates human-readable domain names (like example.com) into IP addresses and other resource records used by internet protocols.
DNS Anycast
DNS Anycast uses one IP address served from multiple geographically distributed nameservers; queries are routed to the nearest or healthiest node, improving resilience and reducing latency.
DNS Caching
DNS caching stores resolved domain name query results for the specified TTL duration to avoid repeated queries to upstream authoritative servers.
DNS Hijacking
DNS hijacking is an attack or misconfiguration that returns forged DNS responses, causing users to connect to attacker-controlled hosts instead of the intended server.
DNSSEC
DNSSEC (DNS Security Extensions) adds cryptographic digital signatures to DNS records, enabling resolvers to verify that responses have not been tampered with or spoofed.