DNS over TLS (DoT)
DNS queries tunneled over TLS on port 853. Same goal as DoH (encrypt DNS) but uses a dedicated port instead of hiding inside HTTPS traffic.
DNS over TLS (DoT, RFC 7858) is encrypted DNS, sent over TLS on its own dedicated port: 853. Same idea as DoH, different transport.
DoH vs DoT
| | DoH | DoT |
|---|---|---|
| Port | 443 (same as HTTPS) | 853 (dedicated) |
| Looks like | Normal web traffic | Encrypted DNS |
| Easy to block? | Hard (would need to block all HTTPS) | Easy (block 853) |
| Browser support | Widespread | Limited |
| OS support | Growing | Strong (Android, systemd-resolved) |
Both encrypt DNS. The difference matters mostly for adversarial network environments.
In a corporate or country-level filter, blocking DoT is trivial (drop port 853). Blocking DoH requires also blocking the specific DoH endpoints (Cloudflare's URL etc.), which is harder because the endpoints change.
Where DoT is used
- Android. "Private DNS" feature in network settings uses DoT.
- systemd-resolved. Linux distros with `DNSOverTLS=yes` configured.
- Enterprise DNS resolvers. Some companies prefer DoT because it's distinguishable from web traffic, easier to monitor.
Public DoT servers
| Resolver | Hostname |
|---|---|
| Cloudflare | one.one.one.one (port 853) |
| Google | dns.google (port 853) |
| Quad9 | dns.quad9.net (port 853) |
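To make the transport concrete, here is an added example (not code from the original page) of a minimal DoT client in Python: it builds a DNS query in wire format, prefixes it with the two-byte length that RFC 7858 inherits from DNS over TCP, sends it over a certificate-verified TLS session to port 853 and parses the A records out of the reply. The resolver name dns.quad9.net is taken from the table above; everything else (function names, the 192.0.2.1 answer used in checks) is constructed for illustration.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):  # RD=1, one question; qtype 1 = A record
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)
def frame(msg):  # DoT reuses DNS-over-TCP framing: 2-byte big-endian length prefix (RFC 7858 s3.3)
    return struct.pack("!H", len(msg)) + msg
def skip_name(buf, off):  # offset just past a (possibly compressed) name starting at buf[off]
    while buf[off] != 0 and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)
def parse_a_records(resp, txid=0x1234):
    """Return the IPv4 answers in a response; a wrong transaction ID is rejected."""
    rid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    off, ips = 12, []
    for _ in range(qd):                    # question section: name + QTYPE + QCLASS
        off = skip_name(resp, off) + 4
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off + 10:off + 14]))
        off += 10 + rdlen
    return ips
def recv_exact(sock, n):  # TLS records need not align with DNS message boundaries
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS session")
        buf += chunk
    return buf
def resolve_over_tls(name, server, port=853):
    """Send one A query to a DoT resolver on port 853 and return its IPv4 answers."""
    ctx = ssl.create_default_context()     # verifies chain and hostname; no opportunistic fallback
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_a_records(recv_exact(tls, length))

if __name__ == "__main__":  # needs network access; dns.quad9.net is one of the resolvers listed above
    print(resolve_over_tls("example.com", "dns.quad9.net"))
```

Because the whole exchange is a TLS session to port 853, a network filter can drop it by port alone, which is exactly the "easy to block" property in the comparison table.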
SaaS impact
Same as DoH: transparent. Your customers will reach you the same way; the only difference is the encrypted hop between their client and the recursive resolver.