DNS over TLS (DoT): Keeping Your Domain Lookups Private

Every time you type a website address into your browser, your device sends a DNS query — essentially asking a server, "What's the IP address for this domain?" Traditionally, these queries travel across the internet in plain text, meaning your internet provider, network administrators, or anyone monitoring your connection can see exactly which websites you're trying to visit. DNS over TLS, commonly abbreviated as DoT, was designed to fix that problem.

What It Is

DNS over TLS is a networking protocol that wraps your DNS queries inside a TLS (Transport Layer Security) encrypted connection, the same technology that protects your banking website or email login. Instead of sending those "where is this website?" requests out in the open, DoT encrypts them before they leave your device, so only the resolver you are talking to can read them. It was formally standardized in 2016 under RFC 7858 and has since been adopted by major public DNS resolvers including Cloudflare (1.1.1.1), Google (8.8.8.8), and others.

How It Works

Normally, DNS traffic runs over port 53 using UDP or TCP without any encryption. DoT changes this by establishing a TLS connection over TCP port 853 and carrying the DNS messages inside it, with the same two-byte length framing that ordinary DNS over TCP uses. Here's the basic flow:

  1. Your device (or a local forwarding resolver) opens a TCP connection to port 853 and performs a TLS handshake with the DNS server. In the "strict" profile (RFC 8310) the client verifies the server's certificate against a configured hostname and refuses to continue if it doesn't match; in the "opportunistic" profile it accepts whatever certificate is offered, which encrypts the traffic but lets an on-path attacker impersonate the resolver.
  2. Once the encrypted session is established, your DNS query travels through it. An outside observer can still see that you connected to that resolver's IP address on port 853 and roughly how much data was exchanged, but not which name you asked for.
  3. The DNS server processes the request and sends the response back through the same encrypted channel.
  4. Your device uses the returned IP address to connect to the website.
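The exchange above, as an added example that is not part of the original article: a minimal DoT client in Python that builds the query with the TCP-style length prefix, opens a TLS session on port 853 with strict certificate checking, and parses the A records out of the reply. The resolver address and certificate name used for the live lookup (1.1.1.1 and cloudflare-dns.com) are assumed example values, and SAMPLE_REPLY is a constructed reply, not a capture, used to exercise the parser offline.

```python
"""Minimal DNS-over-TLS (DoT) client.

Added example, not from the original article.  Shows the pieces the flow
above describes: TCP-style length framing, a TLS session on port 853 with
strict certificate checking (RFC 8310 strict profile), and response parsing.
"""
import secrets
import socket
import ssl
import struct

DOT_PORT = 853  # RFC 7858: DoT runs over TCP port 853, not UDP/TCP 53


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Return a DNS query for name (default qtype 1 = A), prefixed with the
    two-byte length that DNS over TCP, and therefore DoT, requires."""
    flags = 0x0100  # standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    message = header + question
    return struct.pack("!H", len(message)) + message


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a domain name, which may end in a compression pointer."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(message: bytes, expected_txid: int) -> list[str]:
    """Return the IPv4 addresses in the answer section of a reply (without
    its length prefix).  Rejects replies with the wrong transaction ID or a
    non-zero RCODE."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", message, 0)
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(message, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(message, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", message, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(message[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    """Read exactly n bytes; TLS/TCP streams may deliver them in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def resolve_over_dot(name: str, server_ip: str, server_hostname: str,
                     strict: bool = True, timeout: float = 5.0) -> list[str]:
    """Resolve name over DoT.  strict=True verifies the certificate chain
    and that it matches server_hostname, so an on-path attacker cannot
    impersonate the resolver.  strict=False is the opportunistic profile:
    encrypted but unauthenticated, shown here only for contrast."""
    ctx = ssl.create_default_context()  # system CA store, hostname checking on
    if not strict:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    txid = secrets.randbits(16)
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(build_query(name, txid))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length), txid)


# Constructed reply (not captured from a real server) for offline testing:
# txid 0x1234, flags 0x8180 (response, RD, RA, RCODE 0), one question, one
# A record whose name is a compression pointer back to the question.
SAMPLE_TXID = 0x1234
SAMPLE_REPLY = (struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                + bytes([93, 184, 216, 34]))

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_REPLY, SAMPLE_TXID))  # ['93.184.216.34']
    # Live lookup; 1.1.1.1 / cloudflare-dns.com are assumed example values.
    print(resolve_over_dot("example.com", "1.1.1.1", "cloudflare-dns.com"))
```

Run without arguments, the script first parses the constructed reply and then performs a live lookup. If the server's certificate does not chain to a trusted CA or does not match the hostname you supplied, the strict lookup fails with an ssl.SSLCertVerificationError instead of returning an answer, which is exactly the fail-closed behaviour you want from a DoT client; pass strict=False only to observe how the opportunistic profile silently accepts such a server.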

Because DoT operates on a dedicated port (853), network administrators and firewalls can easily identify and, if they choose, block DoT traffic. This is one key distinction from its close cousin, DNS over HTTPS (DoH), which blends DNS traffic with regular web traffic on port 443 and is harder to block.

Why It Matters for VPN Users

You might be wondering — if I'm already using a VPN, do I need to worry about DoT? It's a fair question. A VPN encrypts all of your traffic, including DNS queries, when routed correctly. However, there are some important nuances:

  • DNS leaks: If your VPN client isn't configured properly, DNS requests can bypass the VPN tunnel and go directly to your ISP's resolver in plain text, exposing your browsing activity even when you think you're protected. DoT limits the damage only if your operating system is configured to use a DoT resolver you trust: a query that escapes the tunnel is then still encrypted to that resolver rather than readable by the ISP, although the ISP can see that you are using it. Pointing DoT at the ISP's own resolver, by contrast, hides nothing from the ISP.
  • VPN-free environments: Not everyone uses a VPN at all times. On open Wi-Fi networks, at work, or on mobile data, DoT protects your DNS queries independently of a VPN.
  • ISP surveillance and throttling: Without encrypted DNS, your ISP can log every domain you visit and potentially sell that metadata or use it to throttle specific services. DoT prevents the ISP from reading those queries in transit; the resolver operator you choose can still see them, so pick one whose logging policy you accept.

Practical Examples and Use Cases

Home network security: Configuring your router or local DNS resolver to use DoT (pointing to a privacy-focused resolver like Cloudflare or Quad9) means every device on your network benefits from encrypted DNS lookups — without installing anything extra on each device.
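One way to do this on a Linux host or router that runs systemd-resolved, as an added example that is not part of the original article: the weak setting is shown commented out beside the one you want. The resolver addresses are Cloudflare's and Quad9's public ones, and the text after '#' is the hostname the server's certificate must match.

```ini
# /etc/systemd/resolved.conf  (added example)
[Resolve]
# Resolvers to use, each with the certificate name to validate against.
DNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net
# Empty the compiled-in fallback list so nothing reverts to plaintext servers.
FallbackDNS=

# Weak: encrypts if the server happens to offer TLS, does not validate the
# certificate, and falls back to plaintext port 53 when 853 is blocked.
#DNSOverTLS=opportunistic

# Strict: fail closed if TLS cannot be established or the certificate
# does not match the name given after '#'.
DNSOverTLS=yes
```

After systemctl restart systemd-resolved, resolvectl status should report +DNSOverTLS for the scope, and ss -tn should show the host's resolver connections going to port 853 rather than 53. If every lookup starts failing instead, the network is blocking 853; that is the strict profile doing its job rather than quietly downgrading to plaintext.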

Mobile privacy: Android 9 and later includes a built-in "Private DNS" feature that supports DoT natively. Enter the resolver's hostname (the name your chosen provider publishes for its DoT service) rather than leaving the setting on "Automatic": the hostname mode is strict and validates the certificate, while Automatic only tries DoT opportunistically with the network-assigned resolver and falls back to plaintext if that fails.

Corporate networks: IT teams use DoT between endpoints and the internal resolver so that an attacker on the same network cannot read or rewrite DNS queries in transit, which removes a common path to DNS spoofing and man-in-the-middle attacks. Note that DoT protects only the hop between the client and the resolver; whether the answers the resolver itself obtained are genuine is a separate question, addressed by DNSSEC validation.

Journalists and activists: In regions with heavy internet monitoring, encrypting DNS queries adds a meaningful layer of privacy, making it harder for surveillance systems to build a picture of online behavior based on DNS traffic alone.

DoT isn't a complete privacy solution on its own. Your actual web traffic still needs HTTPS or a VPN, and even then the destination IP address and, in most TLS connections today, the server name sent in the unencrypted ClientHello (SNI) let an observer infer which site you visited. What DoT does is close a frequently overlooked gap in everyday internet security.