Understanding DNS over TLS
DNS over TLS (DoT) is a security protocol that encrypts DNS queries and responses by wrapping them in a TLS connection on a dedicated port (853). Standardized in RFC 7858 (2016), DoT was the first IETF-standardized approach to encrypting the hop between a client and its recursive resolver, predating DNS over HTTPS (DoH, RFC 8484, 2018) by two years.
Traditional DNS operates over port 53 (UDP, with TCP for large messages) with no encryption and no integrity protection. Every query (which domains you visit, which services you connect to) is transmitted in plaintext. Anyone on the network path can read, log, or modify these queries and forge the responses. DoT addresses this by establishing a TLS session before any DNS data is exchanged.
How DoT Works
The DoT protocol operates in a straightforward manner:
- The client initiates a TCP connection to the DNS resolver on port 853.
- A TLS handshake is performed, authenticating the resolver and establishing an encrypted channel. The client verifies the resolver's identity using its TLS certificate; RFC 8310 calls this the strict profile, as opposed to the opportunistic profile, in which the client encrypts when it can but does not fail on an invalid certificate and may fall back to plaintext.
- Once the TLS session is established, ordinary DNS messages are sent through the encrypted channel in the standard wire format, each prefixed with a two-byte length field exactly as in DNS over TCP (RFC 1035 section 4.2.2, RFC 7766).
- The resolver performs recursive lookups against authoritative nameservers, and the response is returned through the same encrypted channel.
Because DoT runs over TCP, connections can persist: a single TLS session carries many queries, and clients may pipeline them and accept responses out of order (RFC 7766), so the handshake cost is paid once rather than on every lookup.
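The exchange described above, as an added example that is not part of the original article: a minimal strict-profile DoT client in Python that builds a DNS query in wire format, frames it with the two-byte length prefix, sends it over a TLS session on port 853 whose certificate is validated against a configured resolver name, and parses the reply (including name compression). The sample response bytes are constructed for the example rather than captured from a real resolver; the resolver address and name in the usage comment (1.1.1.1, cloudflare-dns.com) are one public DoT service chosen for illustration.

```python
import os
import socket
import ssl
import struct

QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name):
    """Dotted hostname -> length-prefixed labels, terminated by a zero byte (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid, qtype=QTYPE_A):
    """Standard query: 12-byte header (RD bit set, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def frame(msg):
    """DNS over TCP, and therefore DoT, prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def read_name(buf, off):
    """Decode the name at buf[off], following compression pointers; returns (name, next offset)."""
    labels, end, jumped = [], off, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(buf[off:off + length].decode("ascii"))
        off += length

def parse_response(msg, expected_txid):
    """Check header fields and collect A-record addresses from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                                 # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0x000F, "addresses": addrs}

def recv_exact(sock, n):
    """Read exactly n bytes; TLS delivers a byte stream, not DNS messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def query_dot(name, server_ip, auth_name, port=853, timeout=5.0):
    """Strict-profile DoT lookup: TLS on 853, chain and hostname validated, no plaintext fallback."""
    ctx = ssl.create_default_context()                  # CERT_REQUIRED plus hostname check
    txid = int.from_bytes(os.urandom(2), "big")         # unpredictable ID, checked against the reply
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(name, txid)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length), txid)

# Constructed sample reply (not captured from a real resolver): example.com A 93.184.216.34,
# TTL 300, answer owner name compressed as a pointer (0xC00C) to the question at offset 12.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"
    "07 6578616d706c65 03 636f6d 00 0001 0001"
    "c00c 0001 0001 0000012c 0004 5db8d822"
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, SAMPLE_TXID))
    # Live lookup (needs network), e.g. against Cloudflare's public DoT resolver:
    # print(query_dot("example.com", "1.1.1.1", "cloudflare-dns.com"))
```

Two details matter for security here: `ssl.create_default_context()` refuses the session if the certificate chain or hostname does not check out, which is what makes this the strict rather than opportunistic profile, and the transaction ID is random and compared on receipt, so a reply that did not come through this TLS session cannot be matched to the query.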
Privacy Benefits
DoT provides the same fundamental privacy benefit as DoH: it prevents network observers from seeing the content of your DNS queries. This protects against several real-world threats:
- ISP tracking: Without encrypted DNS, your Internet provider can log every domain you look up, even when the web traffic itself is HTTPS. Note what DoT does not hide: the provider still sees the IP addresses you connect to and, unless the site uses Encrypted Client Hello, the hostname in the TLS Server Name Indication.
- On-path forgery: An attacker on a public Wi-Fi network can intercept plaintext DNS queries and answer them with forged responses, redirecting you to phishing or malware sites. With DoT, a reply that did not arrive through the authenticated TLS session is never accepted.
- Tampering on the last hop, not cache poisoning: DoT authenticates the resolver and protects the channel between you and it; it does not authenticate the records themselves. Poisoning of a resolver's cache happens on the resolver's own lookups toward authoritative servers, which DoT does not cover, and a compromised or malicious resolver can still return whatever it likes. DNSSEC validation is the control for those cases; DoT and DNSSEC are complementary, not substitutes.
DoT vs. DoH Comparison
Both protocols encrypt DNS traffic using TLS, but they differ in important ways:
- Port: DoT uses a dedicated port (853), while DoH uses port 443 (shared with all HTTPS traffic). This makes DoT traffic identifiable at the network level.
- Visibility: Network administrators can detect, monitor, and control DoT traffic simply by matching on port 853. DoH is indistinguishable from regular HTTPS browsing unless you know the resolver's IP address or hostname.
- Blocking: Organizations that need to enforce DNS policies can block port 853 to prevent unauthorized DoT usage. Blocking DoH requires maintaining a list of resolver IP addresses or domains (or relying on browser opt-out mechanisms such as Firefox's canary domain, use-application-dns.net), which is harder and never complete.
- Implementation: DoT is typically implemented at the operating system or network level. DoH is often implemented within individual applications like web browsers.
For enterprise environments where DNS visibility and policy enforcement are priorities, DoT is often the preferred choice because administrators can manage it through standard firewall rules.
OS-Level Support
DoT has native support across most modern operating systems. Android 9 and later include a "Private DNS" setting: in its default "Automatic" mode the OS tries DoT opportunistically against whatever resolver the network hands out, and entering a resolver hostname switches it to strict mode. Linux systems can use systemd-resolved (the DNSOverTLS= option in resolved.conf) or Stubby as local DoT forwarders. iOS and macOS support DoT through configuration profiles. Windows 11 supports encrypted DNS at the system level, including DoT.
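As an added example (not from the article), here is a systemd-resolved configuration that pins a Linux host to one DoT resolver in strict mode. The resolver address and name are placeholders chosen for the example; the syntax (address, then `#` and the name the certificate must match) is systemd-resolved's own and needs a recent systemd:

```ini
# /etc/systemd/resolved.conf
[Resolve]
# Address of the resolver, then '#' and the name its TLS certificate must match.
# 10.0.0.53 and dns.corp.example are placeholders for this example.
DNS=10.0.0.53#dns.corp.example
# Empty the compiled-in fallback list so a failure cannot quietly route queries elsewhere.
FallbackDNS=
# 'yes' is strict: resolution fails rather than downgrading to plaintext.
# 'opportunistic' would use TLS when offered but silently fall back to port 53.
DNSOverTLS=yes
```

After `systemctl restart systemd-resolved`, `resolvectl status` should show the resolver with DNS over TLS set to yes; the test that matters is that blocking port 853 to that resolver makes lookups fail instead of succeeding in plaintext.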
Enterprise Deployment
Deploying DoT in an enterprise environment typically involves configuring internal DNS resolvers to accept DoT connections and directing all endpoints to use those resolvers. Key considerations include:
- Issue TLS certificates for your internal resolvers from a CA your endpoints trust, and configure clients in strict mode against the resolver's name, so an opportunistic client cannot be silently downgraded to plaintext.
- Block outbound port 853 at the perimeter firewall, and port 53 to anything other than your own resolvers, to prevent devices from bypassing your internal resolvers. This does not catch DoH, which needs destination-based controls.
- Monitor DoT query logs for security analytics, just as you would with traditional DNS logging.
- Make the resolvers themselves highly available and monitored, certificate expiry included: in strict mode, a resolver that is down or presenting an expired certificate means no name resolution at all for every client that depends on it.
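The visibility difference from the DoT vs. DoH comparison above, and the perimeter policy of these deployment steps, both come down to the same detection logic: DoT bypass is visible by port, DoH bypass only by destination. As an added example that is not part of the original article, the following Python script runs that logic over a few constructed connection records. The record format, the internal resolver addresses and the choice of public resolvers to watch are all assumptions made for the example.

```python
import re
from collections import Counter

# Policy assumptions for this example: the sanctioned internal DoT resolvers.
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Public resolvers known to serve DoH on 443. DoH cannot be spotted by port,
# only by destination, so this list has to be maintained by hand.
PUBLIC_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed, simplified flow-record format (not a real vendor log format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse_line(line):
    """Parse one record; returns a dict or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def classify(rec):
    """Label one connection, or return None when it complies with policy."""
    dst, port = rec["dst"], rec["dport"]
    if dst in INTERNAL_RESOLVERS:
        return None                          # traffic to sanctioned resolvers is expected
    if port == 853:
        return "dot-bypass"                  # identifiable by port alone; block at the perimeter
    if port == 53:
        return "plaintext-dns-bypass"        # plaintext DNS to an outside resolver
    if port == 443 and dst in PUBLIC_DOH_RESOLVERS:
        return "probable-doh"                # looks like HTTPS; only the destination gives it away
    return None

def analyze(lines):
    """Return (timestamp, src, dst, label) for every record that violates policy."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            findings.append((rec["ts"], rec["src"], rec["dst"], label))
    return findings

def summarize(findings):
    """Count findings per label, for a dashboard or alert threshold."""
    return Counter(label for *_, label in findings)

# Constructed sample records (not real logs): one compliant DoT session, one ordinary
# HTTPS connection, then a DoT bypass, a probable DoH bypass and a plaintext bypass.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.1.15 dst=10.0.0.53 dport=853 proto=tcp
2024-05-01T10:00:02Z src=10.0.1.15 dst=93.184.216.34 dport=443 proto=tcp
2024-05-01T10:00:03Z src=10.0.1.22 dst=1.1.1.1 dport=853 proto=tcp
2024-05-01T10:00:04Z src=10.0.1.22 dst=8.8.8.8 dport=443 proto=tcp
2024-05-01T10:00:05Z src=10.0.1.30 dst=9.9.9.9 dport=53 proto=udp
"""

if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG.splitlines())
    for ts, src, dst, label in hits:
        print(f"{ts} {src} -> {dst}: {label}")
    print(summarize(hits))
```

The asymmetry is the point: the "dot-bypass" rule needs nothing but a port number and works against any resolver on the Internet, while the "probable-doh" rule is only as good as the resolver list, which is why the comparison section calls DoH harder to control.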
Encrypted DNS is no longer optional for security-conscious organizations. Whether you choose DoT, DoH, or both depends on your network architecture and policy requirements, but the goal is the same: eliminating plaintext DNS from your infrastructure.