DNS over TLS (DoT)
What is DNS over TLS (DoT)?
DNS over TLS (DoT): A protocol that encrypts DNS queries inside a dedicated TLS session, protecting them from eavesdropping and tampering on the wire.
DNS over TLS, specified in RFC 7858, runs ordinary DNS messages over a TLS-protected TCP connection to a recursive resolver, typically on port 853. Because TLS provides confidentiality and integrity, observers on the local network or upstream paths cannot inspect or alter the queries. Unlike DoH, DoT uses its own well-known port, which makes it easy to identify and to allow or block at the network level, a property that enterprise and home-router operators often prefer. DoT defends against passive surveillance and on-path spoofing of lookups; combined with DNSSEC validation, it provides both confidentiality and origin authenticity.
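The following is an added illustration, not code from the original page: a minimal DoT client in Python that builds an RFC 1035 query, applies the 2-byte length framing that DNS over TCP (and therefore DoT) requires, sends it through a certificate-verified TLS session on port 853, and parses the A records out of the reply. The resolver address, hostname and query name passed to `query_dot` are the caller's choice; the function names are this example's own.

```python
import socket
import ssl
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    # RFC 1035 header (id, flags with RD set, QDCOUNT=1) followed by one question
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame_tcp(msg: bytes) -> bytes:
    # DoT reuses DNS-over-TCP framing: a 2-byte big-endian length precedes each message
    return struct.pack("!H", len(msg)) + msg

def _skip_name(data: bytes, off: int) -> int:
    # Advance past a domain name; 0xC0 marks a 2-byte compression pointer (RFC 1035 4.1.4)
    while (data[off] & 0xC0) != 0xC0:
        if data[off] == 0:
            return off + 1
        off += data[off] + 1
    return off + 2

def parse_a_answers(resp: bytes, txid: int) -> list:
    # Reject replies whose id does not match or whose QR bit is clear, then walk the RRs
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("response does not match the query")
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        off = _skip_name(resp, off) + 4      # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs

def query_dot(resolver_ip: str, resolver_hostname: str, name: str,
              port: int = 853, txid: int = 0x4242) -> list:
    # The default context verifies the chain against the system CA store; server_hostname
    # supplies SNI and enables hostname checking, so an impersonating resolver is rejected
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # RFC 7858 requires TLS 1.2 or later
    with socket.create_connection((resolver_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_hostname) as tls:
            tls.sendall(frame_tcp(build_query(name, txid=txid)))
            rd = tls.makefile("rb")
            (length,) = struct.unpack("!H", rd.read(2))
            return parse_a_answers(rd.read(length), txid)
```

Because the session is authenticated by the resolver's certificate, a device configured this way will refuse to hand its queries to any other host answering on port 853; the network-level visibility the paragraph mentions comes from that fixed port, not from any readable content inside the stream.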
● Examples
- An Android phone is configured with a Private DNS hostname so all queries leave the device over TLS.
- A home router forwards every client query to a DoT resolver on port 853.
● Frequently asked questions
What is DNS over TLS (DoT)?
A protocol that encrypts DNS queries inside a dedicated TLS session, protecting them from eavesdropping and tampering on the wire. It belongs to the Network Security category of cybersecurity.
What does DNS over TLS (DoT) mean?
A protocol that encrypts DNS queries inside a dedicated TLS session, protecting them from eavesdropping and tampering on the wire.
How is DNS over TLS (DoT) used defensively?
DoT is itself a defensive control: deploying it combines technical measures (pointing clients or a forwarding resolver at a DoT resolver on port 853 and validating its certificate) with operational practices, as detailed in the full definition above.
What are other names for DNS over TLS (DoT)?
The common short form is DoT; the protocol is specified in RFC 7858.