
What is DNS over TLS (DoT)?


DNS over TLS (Transport Layer Security), or DoT, is a form of full-stream encryption between a DNS client and a DNS server. It addresses the “last-mile” security problem: traffic between the client and the server is very rarely encrypted, which leaves it exposed to eavesdropping and tampering by anyone on the path. 

The full specification is more involved, but the basic operation of DoT is simple. The client and server negotiate a TLS session and carry their DNS traffic through it on port 853, the port reserved for DoT, unless both sides have agreed to use a different port. 

Both sides encrypt every message that crosses this channel, rather than mixing encrypted and unencrypted traffic on the same connection, a practice that can pose severe security risks. 

The DNS client opens the connection, both sides complete the TLS handshake, during which the client authenticates the DNS server, and from that point on every query and response travels over the encrypted connection. 
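A minimal DoT client that carries out the exchange just described, written for this page as an added example (it is not code from the original article): it connects on port 853, verifies the resolver's certificate before sending anything, and frames each DNS message with the two-byte length prefix that DoT borrows from DNS over TCP. The resolver address and name passed to dot_lookup are placeholders the caller supplies; the answer parser only handles A records.

```python
import socket
import ssl
import struct
DOT_PORT = 853  # port assigned to DNS over TLS

def build_query(name, qtype=1, txid=0x1234):  # one DNS question (A record by default) in wire format, RD flag set
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg):
    return struct.pack("!H", len(msg)) + msg  # DoT reuses DNS-over-TCP framing: 2-byte big-endian length prefix

def parse_a_records(resp, txid):
    # Return IPv4 answers; minimal parser that understands name-compression pointers
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or flags & 0x000F:
        raise ValueError("rejecting response: id mismatch or RCODE %d" % (flags & 0x000F))
    def skip_name(p):  # walk labels until the root label or a compression pointer
        while resp[p] and resp[p] & 0xC0 != 0xC0:
            p += 1 + resp[p]
        return p + 2 if resp[p] & 0xC0 == 0xC0 else p + 1
    pos, addrs = 12, []
    for _ in range(qd):
        pos = skip_name(pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return addrs

def recv_exact(sock, n):  # TLS record boundaries need not line up with DNS messages
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def dot_lookup(name, server_ip, server_name, port=DOT_PORT, timeout=5.0):
    # Open TLS to the resolver, verify its certificate against server_name, then exchange one query
    ctx = ssl.create_default_context()  # validates chain and hostname; rejects legacy TLS versions
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(build_query(name, txid=0x1234)))
            length = int.from_bytes(recv_exact(tls, 2), "big")
            return parse_a_records(recv_exact(tls, length), 0x1234)
```

Call it as dot_lookup("example.com", RESOLVER_IP, RESOLVER_NAME) with a real resolver's address and hostname; a name that does not match the certificate, or an untrusted certificate, makes wrap_socket raise before any query leaves the machine.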

DoT is an encrypted alternative to DNS over HTTPS (DoH). It carries DNS messages directly over TLS, with no HTTP layer in between. This gives up the flexibility that HTTP provides, but it also improves performance because fewer steps are involved. 

Because it forces every connection to the DNS server to be encrypted, this system has unexpected benefits for privacy as well as DNS security: it conceals DNS lookups, and with them much of a user's web activity, from the internet service provider (ISP). While this concealment may be abused, it also keeps connection information away from malicious actors who breach the ISP’s network.