DNS over TLS: DNS Encryption Explained
DNS queries have suffered from security problems in the past. When you browse the Internet, your computer sends queries over the UDP protocol without encryption, so they are open to interception. Google Public DNS uses DNS over TLS (DoT) to establish secure sessions. In this article, we’ll cover what DNS over TLS is, how it works to keep DNS data private for enhanced online security, and much more.
What is DNS over TLS (DoT)?
DNS over TLS, or DoT, is a security protocol that encrypts communication between a DNS client and a DNS server. It protects DNS queries and responses from eavesdroppers using Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL). The IETF specifies DNS resolution over TLS in RFC 7858.
When you visit a website, the padlock icon in your browser shows you that the connection is secure. This happens because your browser and the website agree on a way to encrypt the information before sending it.
But before this secure connection happens, your browser must find the website’s address using DNS. The domain name system is the Internet's phone book. It turns website names you type into numerical IP addresses computers can read.
The problem is that DNS communication is mostly done in clear text, so a traditional DNS lookup is not secure: anyone monitoring the network traffic, including attackers, can read the information sent.
The Internet Engineering Task Force proposed DNS over TLS to address these privacy issues. DoT adds a layer of security to the entire DNS resolution process. Using TLS encryption prevents untrustworthy entities from seeing which websites a user is visiting.
DoT helps hide your web browsing history from third parties and prevents on-path DNS spoofing attacks between your device and the resolver. Even Android has added native support for DNS-over-TLS to prevent prying eyes from following your digital movements.

It's worth pointing out that DoT works in the transport layer of the OSI model. Because the encryption sits below the application layer, it protects the DNS traffic of every application running on the device.
How does DNS over TLS work?
DNS over TLS is a way to keep your Internet browsing more private. It shields the information between your device and the server when looking up website addresses.
Your device initiates a TLS connection with the DNS server on port 853. This tells your network that the traffic is DNS-over-TLS and not something else.
When your device needs to look up a website, it sends a request to a DoT server using this dedicated port. To verify everything is secure, your device and the server first perform a TLS handshake. During the handshake, your device checks the server's certificate and the two sides agree on the cipher and keys that will protect the session.
Once that handshake happens, your device sends the DNS query in an encrypted form. The server then sends the response back to your device in the same form.
To make the process quicker, your device can send multiple DNS requests over the same secure connection. The intention is to avoid the need to start a new connection every time, which speeds things up.
This back-and-forth happens in the background whenever you type a web address, ensuring nobody can spy on or change your DNS lookups.
Even though the data is private, the connection can still be recognized as DNS traffic because it's happening on port 853. So, while it's harder for others to see exactly what you're doing, your Internet service provider can still tell you're doing DNS lookups.
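The exchange described above, as an added example that is not part of the original article: it builds a DNS query in wire format, applies the two-byte length framing that RFC 7858 borrows from DNS over TCP, and sends it to a resolver on port 853 over a certificate-verified TLS session. The resolver address 1.1.1.1 is the one the article names; the TLS hostname cloudflare-dns.com in the usage block is an assumption.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # port reserved for DNS over TLS (RFC 7858)

def build_query(name, txn_id=0x1234):
    """Standard recursive A query for `name` in DNS wire format."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame(message):
    """DoT reuses the DNS-over-TCP framing: a two-byte big-endian length prefix."""
    return struct.pack("!H", len(message)) + message

def unframe(stream):
    """Split a byte stream into messages; several queries can share one TLS session."""
    messages, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        messages.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages

def recv_exact(sock, n):
    """Read exactly n bytes; TLS records do not align with DNS message boundaries."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def query_over_tls(name, server_ip, server_hostname):
    """Send one query to a DoT resolver and return the raw DNS response."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)

if __name__ == "__main__":  # needs network; hostname assumed for Cloudflare's 1.1.1.1
    reply = query_over_tls("example.com", "1.1.1.1", "cloudflare-dns.com")
    print(f"{len(reply)}-byte DNS response, transaction id {reply[:2].hex()}")
```

Because the session is verified against the resolver's certificate, a machine on the path that impersonates the resolver fails the handshake instead of receiving the query.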
Benefits of using DNS over TLS
DNS over TLS adds a layer of security around your DNS lookups. While regular DNS servers send your web queries in plaintext, DoT hides them in an encrypted tunnel. Your DNS query is routed privately to keep your browsing habits private.
Some of the benefits you get by implementing DoT include:
- Better privacy and security. The main benefit of DoT is DNS traffic encryption. This means no one can listen in or change the information in transit. With DoT, your Internet activity is harder to tamper with.
- Protection against attacks. Traditional DNS is vulnerable to attacks like DNS spoofing and man-in-the-middle (MitM) attacks. In these types of attacks, a bad actor could trick your device into visiting a fake website. DoT encrypts the connection so that attackers cannot interfere with the data sent between your device and the DNS server.
- Stops DNS tracking. Your ISP can sometimes track what websites you visit through your DNS requests. DoT blocks this to make your DNS queries secret. When you browse with DoT, your DNS traffic travels in a protected tunnel, blocking anyone from snooping on your web destinations.
- Better security for IoT devices. As more smart devices, such as thermostats, cameras, and refrigerators, connect to the Internet, they also need protection. DoT keeps these devices safe from threats like DNS hijacking and other DNS-related security risks by encrypting their DNS traffic.
Comparison with other security protocols
Other security protocols serve the same goal of securing DNS traffic. However, they have key differences in how they implement privacy and security. Let’s compare DoT with other encryption methods.
DoT vs. traditional DNS encryption methods
Old-school DNS sends your web queries out in the open; anyone can read them. DoT wraps those queries in encryption. While traditional DNS exposes your browsing, DoT keeps it private and lets your device verify the resolver it is talking to.
Websites load slightly slower with DoT because of the extra security steps. But this small speed trade-off brings significant safety gains, as your DNS queries stay hidden from the outside world.
DNSSEC and DNSCrypt are two older DNS security mechanisms to compare against DNS over TLS. DNSSEC is an older system that tries to secure DNS. However, it deals with a security aspect different from encryption: it focuses on authenticating DNS responses so that tampered answers, such as those injected in MitM attacks, can be detected.
The mechanism guarantees the information you get back from a DNS server is authentic. Validation plays a vital role in a secure DNS ecosystem, but due to its frequent implementation challenges, DNSSEC is less favored today as a standalone security solution.
DNSCrypt is another way to protect your DNS queries. It works similarly to DNS-over-TLS at the transport layer. By default, DNSCrypt uses port 443.
Although DNSCrypt prevents localized cyberattacks, it has not yet become an official standard. As a result, it doesn’t always work the same way everywhere.
This lack of standardization has led to inconsistencies in implementation. Since DoT is officially recognized, it is a more trusted option for securing DNS queries.
DoT vs. DNS over HTTPS (DoH)
Both DNS over TLS and DNS over HTTPS keep your DNS lookups private, but they work differently. DoT runs in its own lane, port 853, while DoH blends in with regular HTTPS traffic on port 443.
Network admins often pick DoT because it's easier to spot on their networks. DoH offers better privacy because it hides among regular web traffic, which also makes it trickier to manage.
Your choice depends on what matters most: network control with DoT or stronger privacy with DoH.
Another point is that DoT operates at the transport layer. DoH, on the other hand, is implemented at the application layer in the OSI stack.
DoT vs. DNS-over-QUIC (DoQ)
DNS-over-QUIC (DoQ) is a newer method tipped to fix some of the issues with DNS encryption methods like DoT and DoH.
DoQ was officially made a standard in 2021. It uses QUIC technology to improve speed and security.
QUIC (Quick UDP Internet Connections) is a protocol developed by Google and later adopted by the IETF. Unlike DoT, which uses TCP, QUIC uses UDP, a faster, less connection-heavy protocol.
DoT is considered secure, while DoQ aims to be just as secure and more efficient than DoT.
Limitations of DNS over TLS
Getting DNS over TLS up and running has its limitations. For one, it can impact performance; the extra TLS layer needs extra computer processing power. This can cause a slight delay in loading websites because encrypting and decrypting the data takes time.
Furthermore, not every device, router, or operating system supports DoT. Anyone who wants to use DNS over TLS must double-check that their network equipment can handle it.
Like DNS over HTTPS, DoT also depends on third-party servers to handle DNS queries. A small number of providers end up with access to a lot of browsing data. Users must trust these providers not to misuse or store their data.
DNS over TLS can also make it harder for network administrators to monitor DNS traffic. Organizations that use DNS filtering to block harmful websites face challenges because DoT hides the DNS queries.
To overcome challenges with DoT, update old firewalls or fix DNS server settings that don't operate smoothly with DoT.
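A defender-side illustration of the monitoring point above and of the port 853 versus port 443 comparison in the DoH section (added example, not from the article): given constructed flow records, it separates DoT flows on port 853, which an administrator can still recognise and inventory, from plaintext DNS on port 53 and from port 443 traffic, where DoH cannot be told apart from ordinary HTTPS. The flow-record format and the internal resolver list are assumptions.

```python
import re
from collections import Counter

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

# Constructed sample flow records; 1.1.1.1 and 8.8.8.8 are the public resolvers
# the article names, 10.0.0.2 plays the internal resolver, 203.0.113.10 a web server.
SAMPLE_FLOWS = """\
2024-05-01T09:00:01Z src=10.0.0.5 dst=1.1.1.1 proto=tcp dport=853 bytes=640
2024-05-01T09:00:02Z src=10.0.0.7 dst=8.8.8.8 proto=udp dport=53 bytes=84
2024-05-01T09:00:03Z src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=443 bytes=5120
2024-05-01T09:00:04Z src=10.0.0.9 dst=10.0.0.2 proto=udp dport=53 bytes=90
2024-05-01T09:00:05Z src=10.0.0.9 dst=8.8.8.8 proto=tcp dport=853 bytes=700
""".splitlines()

def classify(proto, dport):
    """Label a flow by what its destination port reveals about DNS usage."""
    if dport == 853 and proto == "tcp":
        return "dot"            # recognisable: DoT has its own dedicated port
    if dport == 53:
        return "plaintext-dns"  # query contents are readable in transit
    if dport == 443 and proto == "tcp":
        return "https-or-doh"   # DoH hides among ordinary HTTPS; not separable here
    return "other"

def summarise(lines, internal_resolvers):
    """Count flows per class and list clients sending DNS to outside resolvers.

    Clients that bypass the internal resolver (DoT or plaintext) also bypass any
    DNS filtering the organisation applies there, which is the visibility gap
    the article describes.
    """
    counts = Counter()
    external_dns = set()
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # skip malformed records rather than fail the whole batch
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        kind = classify(proto, dport)
        counts[kind] += 1
        if kind in ("dot", "plaintext-dns") and dst not in internal_resolvers:
            external_dns.add((src, dst, kind))
    return counts, sorted(external_dns)

if __name__ == "__main__":
    counts, external = summarise(SAMPLE_FLOWS, {"10.0.0.2"})
    print(dict(counts))
    for src, dst, kind in external:
        print(f"{src} -> {dst} ({kind}) bypasses the internal resolver")
```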
How to enable DNS over TLS
Enabling DNS over TLS on your system is straightforward. You'll need extra software on Windows; look for apps that support DoT protocols.
Mac users can turn it on right in their network settings menu. Linux fans often have it built-in; just update your resolv.conf file or use systemd-resolved.
For best results, pick trusted DoT servers like Cloudflare (1.1.1.1) or Google (8.8.8.8). Your firewall settings should allow outbound traffic on port 853, or your DoT lookups will not work.
Impact of DoT on network performance
Adding DNS over TLS to your network brings some speed considerations. The TLS handshake takes extra milliseconds each time you look up a website. But with today's fast Internet connections, most users won't notice this tiny delay.
To improve speed, pick DNS servers close to your location. Additionally, use modern TLS versions that handle encryption faster. You can also enable TLS session resumption to skip repeat handshakes.
Who benefits from DNS over TLS?
Many entities benefit greatly from DNS over TLS.
- Businesses use DNS over TLS to add a strong safety net to company networks.
- Network administrators set up DoT to simplify security oversight; they can track DNS traffic in one secure channel.
- IT teams use DoT to block DNS-based attacks and protect systems from hackers.
- Network managers prefer DoT to meet data protection rules while making DNS traffic monitoring straightforward.
- Internet users get peace of mind knowing that their browsing stays private.
- Security researchers spot DNS problems faster with DoT's clear traffic patterns.
Whether you're a network administrator or an average Internet user, using DNS over TLS can enhance your security and privacy.
Frequently asked questions
What is the DNS over TLS port?
It operates on port 853, the port reserved for DNS over TLS.
Are there case studies of successful DoT implementations?
Yes, there are. Major browsers and operating systems are steadily adding DNS over TLS support to their products. Firefox made waves when it rolled out DNS over TLS in 2020.
Their stats showed a 60% drop in exposed DNS queries after adding DoT, keeping millions of users' browsing habits private. The change caused only a 5ms slowdown in page loads, barely noticeable to users.
Android phones come with DoT settings that are ready to use. Germany's T-Mobile saw similar wins after moving their mobile network to DoT. Customer complaints about fake websites dropped by 70%, while network security improved without affecting speeds.