What Is DNS over TLS (DoT)?

DoT encrypts DNS queries inside a TLS connection on a dedicated port. Here is how it works, how it compares to DoH, and where it is most commonly used.


DNS was designed without encryption, so the lookups your device makes are normally visible to your ISP and anyone on the network. DNS over TLS (DoT) is one of the two main ways to fix that. It wraps your DNS queries in the same TLS encryption that secures HTTPS — but instead of blending into web traffic, it runs on its own dedicated port, which makes it clean to manage and popular at the operating-system level.

What Is DNS over TLS (DoT)?

DNS over TLS (DoT) is a protocol, defined in RFC 7858, that sends DNS queries and responses over an encrypted TLS connection. It uses a dedicated port — 853 — reserved specifically for encrypted DNS. Your device opens a TLS session to a DoT-capable resolver, verifies the server's certificate, and then exchanges standard DNS messages inside that secure channel.

The result is the same two guarantees that all encrypted DNS provides: privacy (no one on the network can read your lookups) and integrity (no one can alter the answers in transit).

The Problem DoT Solves

Traditional DNS ("Do53") sends every query in plain text on port 53. That exposes which domains you visit to your ISP and any network operator, and it lets an on-path attacker spoof answers to redirect you. HTTPS already encrypts website content, but the DNS lookup that happens before the connection stayed exposed. DoT closes that gap — the same problem solved by DNS over HTTPS (DoH), just over a different transport.

Port 853 Is Reserved for Encrypted DNSDoT has its own IANA-assigned port (853), separate from both plaintext DNS (53) and HTTPS (443). This dedicated port is the key characteristic that distinguishes DoT from DoH.

How DNS over TLS Works

Step 1 — Establish a TLS session

Your device (or resolver) opens a TCP connection to the DoT server on port 853 and performs a TLS handshake, validating the server's certificate to confirm it is talking to the intended resolver.

Step 2 — Send the DNS query inside TLS

Once the encrypted channel is up, a normal DNS query (for example, an A record for showdns.net) is sent inside it — the same wire format as classic DNS, just encrypted.

Step 3 — Receive the encrypted answer

The resolver performs the recursive lookup and returns the answer over the same TLS connection, which is kept open and reused for subsequent queries to avoid repeating the handshake.

bash
# Query Cloudflare over DoT using kdig (Knot DNS utilities) kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com showdns.net A

DoT vs DoH: What's the Difference?

DoT and DoH provide the same encryption using TLS. The difference is where the encrypted traffic sits and who tends to control it:

DoTDoH
Port853 (dedicated)443 (shared with HTTPS)
Visibility on networkIdentifiable — easy to spot on port 853Hidden — looks like normal HTTPS
Easy to block/filter?Yes, by blocking port 853Hard, without blocking all HTTPS
Typical homeOperating systems, routersWeb browsers
Admin visibilityNetwork admins can see and manage itOpaque to network admins

In short: DoT is easier to manage and monitor (favoured by network operators and mobile OSes), while DoH is harder to block (favoured by browsers seeking maximum resistance to interference).

Neither Is Strictly BetterThe right choice depends on your goal. Want encrypted DNS that a network can still see and manage centrally? DoT. Want DNS that is very hard for a network to detect or block? DoH. The cryptographic protection is equivalent.

Where DoT Is Commonly Used

  • Android ("Private DNS") — Android has built-in DoT support system-wide since Android 9. You just enter a provider hostname and every app benefits.
  • Routers & DNS forwarders — tools like AdGuard Home, Pi-hole (with a resolver), and some router firmwares can send DoT upstream for the whole network.
  • Linuxsystemd-resolved supports DoT, and standalone clients like Stubby or Unbound can run it.

Benefits of DoT

  • Privacy — your ISP and local network can no longer read your DNS lookups.
  • Integrity — TLS prevents on-path tampering with DNS answers.
  • System-wide coverage — configured at the OS or router level, it protects every app, not just the browser.
  • Manageability — because it uses a known port, administrators can deploy and audit it deliberately.

Limitations of DoT

  • You trust the resolver — your queries are hidden from the network but visible to the DoT provider. Choose one with a clear no-logging policy.
  • Easier to block — a restrictive network can simply block port 853, forcing a fallback to plaintext DNS.
  • Does not hide destination IPs — after resolution, the network still sees the addresses you connect to.
Watch for Silent FallbackIf a network blocks port 853, some clients quietly fall back to unencrypted DNS. Where available, enable a "strict" mode that refuses to resolve rather than downgrading to plaintext.

Which Providers Support DoT?

Most major public resolvers offer DoT. Unlike DoH (which uses a URL), DoT is configured with a hostname on port 853:

text
Cloudflare 1dot1dot1dot1.cloudflare-dns.com (1.1.1.1 : 853) Google dns.google (8.8.8.8 : 853) Quad9 dns.quad9.net (9.9.9.9 : 853) AdGuard dns.adguard-dns.com (94.140.14.14 : 853)

Compare options in our list of the best DNS providers, or browse the full public resolver directory.

How to Enable DoT

The most common way is Android's built-in Private DNS: Settings → Network & internet → Private DNS → Private DNS provider hostname, then enter a hostname such as dns.google or 1dot1dot1dot1.cloudflare-dns.com. On Linux you can enable it in systemd-resolved, and many routers expose an "encrypted DNS" setting. If you primarily want encrypted DNS in your browser instead, DoH is usually the simpler route — see How to Enable DoH in Chrome.

Does DoT Replace DNSSEC?

No — they are complementary. DoT encrypts the connection between you and your resolver (transport privacy). DNSSEC signs DNS records so their authenticity can be verified at the source (data integrity). DoT hides your queries; DNSSEC proves the answers are genuine. Learn more in What Is DNSSEC?

Frequently Asked Questions

Is DoT better than DoH?

Neither is universally better — they use the same encryption. DoT runs on a dedicated port (853), which makes it easy to manage but also easy to block. DoH shares port 443 with web traffic, making it hard to block but opaque to network administrators. The best choice depends on whether you value manageability or censorship resistance.

Does DoT make me anonymous?

No. DoT hides your DNS queries from the network, but the resolver still sees them, and your device still connects to destination IP addresses the network can observe. DoT improves privacy but is not full anonymity.

Is Android Private DNS the same as DoT?

Yes. Android's "Private DNS" feature is an implementation of DNS over TLS. When you enter a provider hostname, Android sends all DNS queries over DoT on port 853.

Can DoT be blocked?

Yes. Because DoT uses the dedicated port 853, a network can block that port to prevent it, which may cause a fallback to plaintext DNS unless a strict mode is enabled. This is the main practical difference from DoH, which is far harder to block.

Related Articles