DNS was designed without encryption, so the lookups your device makes are normally visible to your ISP and anyone on the network. DNS over TLS (DoT) is one of the two main ways to fix that. It wraps your DNS queries in the same TLS encryption that secures HTTPS — but instead of blending into web traffic, it runs on its own dedicated port, which makes it clean to manage and popular at the operating-system level.
What Is DNS over TLS (DoT)?
DNS over TLS (DoT) is a protocol, defined in RFC 7858, that sends DNS queries and responses over an encrypted TLS connection. It uses a dedicated port — 853 — reserved specifically for encrypted DNS. Your device opens a TLS session to a DoT-capable resolver, verifies the server's certificate, and then exchanges standard DNS messages inside that secure channel.
The result is the same two guarantees that all encrypted DNS provides: privacy (no one on the network can read your lookups) and integrity (no one can alter the answers in transit).
The Problem DoT Solves
Traditional DNS ("Do53") sends every query in plain text on port 53. That exposes which domains you visit to your ISP and any network operator, and it lets an on-path attacker spoof answers to redirect you. HTTPS already encrypts website content, but the DNS lookup that happens before the connection stayed exposed. DoT closes that gap — the same problem solved by DNS over HTTPS (DoH), just over a different transport.
How DNS over TLS Works
Step 1 — Establish a TLS session
Your device (or resolver) opens a TCP connection to the DoT server on port 853 and performs a TLS handshake, validating the server's certificate to confirm it is talking to the intended resolver.
Step 2 — Send the DNS query inside TLS
Once the encrypted channel is up, a normal DNS query (for example, an A record for showdns.net) is sent inside it — the same wire format as classic DNS, just encrypted.
Step 3 — Receive the encrypted answer
The resolver performs the recursive lookup and returns the answer over the same TLS connection, which is kept open and reused for subsequent queries to avoid repeating the handshake.
# Query Cloudflare over DoT using kdig (Knot DNS utilities)
kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com showdns.net ADoT vs DoH: What's the Difference?
DoT and DoH provide the same encryption using TLS. The difference is where the encrypted traffic sits and who tends to control it:
| DoT | DoH | |
|---|---|---|
| Port | 853 (dedicated) | 443 (shared with HTTPS) |
| Visibility on network | Identifiable — easy to spot on port 853 | Hidden — looks like normal HTTPS |
| Easy to block/filter? | Yes, by blocking port 853 | Hard, without blocking all HTTPS |
| Typical home | Operating systems, routers | Web browsers |
| Admin visibility | Network admins can see and manage it | Opaque to network admins |
In short: DoT is easier to manage and monitor (favoured by network operators and mobile OSes), while DoH is harder to block (favoured by browsers seeking maximum resistance to interference).
Where DoT Is Commonly Used
- Android ("Private DNS") — Android has built-in DoT support system-wide since Android 9. You just enter a provider hostname and every app benefits.
- Routers & DNS forwarders — tools like AdGuard Home, Pi-hole (with a resolver), and some router firmwares can send DoT upstream for the whole network.
- Linux —
systemd-resolvedsupports DoT, and standalone clients like Stubby or Unbound can run it.
Benefits of DoT
- Privacy — your ISP and local network can no longer read your DNS lookups.
- Integrity — TLS prevents on-path tampering with DNS answers.
- System-wide coverage — configured at the OS or router level, it protects every app, not just the browser.
- Manageability — because it uses a known port, administrators can deploy and audit it deliberately.
Limitations of DoT
- You trust the resolver — your queries are hidden from the network but visible to the DoT provider. Choose one with a clear no-logging policy.
- Easier to block — a restrictive network can simply block port 853, forcing a fallback to plaintext DNS.
- Does not hide destination IPs — after resolution, the network still sees the addresses you connect to.
Which Providers Support DoT?
Most major public resolvers offer DoT. Unlike DoH (which uses a URL), DoT is configured with a hostname on port 853:
Cloudflare 1dot1dot1dot1.cloudflare-dns.com (1.1.1.1 : 853)
Google dns.google (8.8.8.8 : 853)
Quad9 dns.quad9.net (9.9.9.9 : 853)
AdGuard dns.adguard-dns.com (94.140.14.14 : 853)Compare options in our list of the best DNS providers, or browse the full public resolver directory.
How to Enable DoT
The most common way is Android's built-in Private DNS: Settings → Network & internet → Private DNS → Private DNS provider hostname, then enter a hostname such as dns.google or 1dot1dot1dot1.cloudflare-dns.com. On Linux you can enable it in systemd-resolved, and many routers expose an "encrypted DNS" setting. If you primarily want encrypted DNS in your browser instead, DoH is usually the simpler route — see How to Enable DoH in Chrome.
Does DoT Replace DNSSEC?
No — they are complementary. DoT encrypts the connection between you and your resolver (transport privacy). DNSSEC signs DNS records so their authenticity can be verified at the source (data integrity). DoT hides your queries; DNSSEC proves the answers are genuine. Learn more in What Is DNSSEC?
Frequently Asked Questions
Is DoT better than DoH?
Neither is universally better — they use the same encryption. DoT runs on a dedicated port (853), which makes it easy to manage but also easy to block. DoH shares port 443 with web traffic, making it hard to block but opaque to network administrators. The best choice depends on whether you value manageability or censorship resistance.
Does DoT make me anonymous?
No. DoT hides your DNS queries from the network, but the resolver still sees them, and your device still connects to destination IP addresses the network can observe. DoT improves privacy but is not full anonymity.
Is Android Private DNS the same as DoT?
Yes. Android's "Private DNS" feature is an implementation of DNS over TLS. When you enter a provider hostname, Android sends all DNS queries over DoT on port 853.
Can DoT be blocked?
Yes. Because DoT uses the dedicated port 853, a network can block that port to prevent it, which may cause a fallback to plaintext DNS unless a strict mode is enabled. This is the main practical difference from DoH, which is far harder to block.