DoT (DNS over TLS)

DNS

A protocol that encrypts DNS queries by wrapping them in TLS on a dedicated port (853). It provides DNS privacy at the OS level, complementing DoH, which operates at the application level.

Updated Mar 17, 2026

Full Explanation

DNS over TLS takes the standard DNS wire format and wraps it in a TLS connection on port 853. Unlike DoH, which tunnels DNS inside HTTP, DoT is the simpler protocol: it is literally DNS-over-TCP with TLS on top. This makes it cleaner from a protocol perspective, but also easier to identify and block, since it uses a dedicated port.

DoT was standardized in RFC 7858 (2016), two years before DoH. It was designed as the straightforward encrypted DNS solution. The client opens a TLS connection to port 853 on the resolver, sends standard DNS queries over that connection, and receives standard DNS responses. Connection reuse is supported, so multiple queries share one TLS session.

The key difference from DoH is where they operate. DoT works at the OS/resolver level. You configure your system resolver (systemd-resolved, Unbound, knot-resolver) to use a DoT upstream. All DNS queries from every application on the system get encrypted. DoH works at the application level, typically in browsers, and only encrypts that specific application's queries.

For network administrators, DoT is generally preferred over DoH. Since DoT uses port 853, you can manage it with standard firewall rules: block outbound port 853 to stop clients from reaching external DoT resolvers, and run your own internal DoT resolver. DoH on port 443 is indistinguishable from normal web traffic, making it nearly impossible to block without also blocking ordinary HTTPS access.

Android adopted DoT as "Private DNS" in Android 9. It's the only mobile OS with system-level encrypted DNS built in. You can configure it to use any DoT resolver (like dns.google or one.one.one.one). iOS added DoH/DoT support in iOS 14, but it requires a configuration profile rather than a simple settings toggle.

Performance is similar to DoH. The initial connection has a TLS handshake overhead (1-2 RTTs), but subsequent queries on the same connection are fast. Both DoT and DoH support connection reuse and TLS session resumption to minimize this overhead. In practice, the difference between DoT and DoH latency is negligible.

CDN DNS resolvers typically support both DoT and DoH. Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9) all accept queries on both port 853 (DoT) and their HTTPS endpoints (DoH). For CDN routing purposes, both protocols work equally well since the resolver sees the client's source IP or EDNS Client Subnet data either way.
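As an added illustration of the protocol described above (not code from the original page), a minimal Python DoT client: it builds a standard DNS query, adds the DNS-over-TCP length prefix that RFC 7858 reuses, and sends it over a certificate-verified TLS session to port 853. The resolver address 1.1.1.1 and hostname cloudflare-dns.com are those from this page's examples; the sample response bytes are constructed so the parser can be exercised offline.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return hdr + qname + b"\x00" + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN

def frame_tcp(msg):
    return struct.pack("!H", len(msg)) + msg   # RFC 7858 reuses DNS-over-TCP's 2-byte length prefix

def _skip_name(data, off):
    while data[off]:                       # labels until the zero terminator
        if data[off] & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_a_records(resp, txid=0x1234):
    """IPv4 addresses from the answer section, after checking id and RCODE."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or flags & 0xF:
        raise ValueError("unexpected id or RCODE %d" % (flags & 0xF))
    off, addrs = 12, []
    for _ in range(qd):                    # skip the echoed question section
        off = _skip_name(resp, off) + 4
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs

def sample_response():
    """Constructed reply to build_query('example.com'): one A record, TTL 300."""
    ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_query("example.com")[12:] + ans

def query_dot(resolver_ip, sni, name):
    ctx = ssl.create_default_context()     # system CA bundle; verifies chain and SNI hostname
    with socket.create_connection((resolver_ip, 853), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=sni) as tls:
        tls.sendall(frame_tcp(build_query(name)))
        rf = tls.makefile("rb")            # buffered reader: read(n) returns exactly n bytes
        (n,) = struct.unpack("!H", rf.read(2))
        return parse_a_records(rf.read(n))
```

Calling query_dot with the resolver and hostname from the examples section performs a live lookup, while sample_response lets parse_a_records run with no network at all.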

Examples

# Test DoT with kdig (from knot-dns)
kdig @1.1.1.1 +tls example.com A
# Returns standard DNS response over TLS

# Configure systemd-resolved for DoT
# /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes

sudo systemctl restart systemd-resolved
resolvectl status
# Shows: DNS over TLS: yes

# Configure Unbound for DoT upstream
# /etc/unbound/unbound.conf
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

# Android: Settings > Network > Private DNS
# Set to: one.one.one.one

# Test DoT connectivity (stdin from /dev/null so s_client exits instead of waiting for input)
openssl s_client -connect 1.1.1.1:853 \
  -servername cloudflare-dns.com </dev/null 2>/dev/null | \
  head -5
# Shows TLS certificate details; drop "| head -5" to also see the "Verify return code" line

