DNS over TLS (DoT)
DNS over TLS (DoT) is a protocol that improves the privacy and security of DNS queries by encrypting them with the Transport Layer Security (TLS) protocol. Unlike traditional DNS, which sends queries in plaintext over port 53, DoT encrypts them so that an observer on the path cannot read or tamper with them in transit.
DoT operates over a dedicated port (853) and requires both the client and the resolver to support the protocol. It is widely regarded as a reliable and secure way to protect DNS traffic.
How does DNS over TLS work?
DoT secures DNS communication by wrapping it in a TLS layer. Here’s how it functions:
- You enter a domain name (e.g., example.com) into your browser or application.
- Your device sends the DNS query to a DoT-compatible resolver over an encrypted TLS connection on port 853.
- A secure TLS session is established between your device and the resolver, ensuring that all subsequent communication is encrypted.
- The resolver processes the DNS query, determines the corresponding IP address, and sends the encrypted response back to your device.
- Your device uses the resolved IP address to establish a connection to the website or service.
This encryption ensures that DNS queries remain private and protected from eavesdropping or modification.
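The exchange described above, as an added example that is not code from the UK DNS Privacy Project: it builds a DNS A query, frames it with the two-byte length prefix that DoT inherits from DNS over TCP, sends it over a certificate-verified TLS session on port 853, and parses the answer. The resolver IP and certificate hostname are parameters you supply; build_query, frame and parse_a_records work offline on constructed bytes.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # dedicated DoT port

def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS wire-format query: RD flag set, one question (default type A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a two-byte big-endian length prefix before each message."""
    return struct.pack("!H", len(msg)) + msg

def parse_a_records(resp: bytes) -> list:
    """Return the IPv4 addresses in a DNS response, skipping the question section."""
    _txid, _flags, qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    pos = 12
    for _ in range(qdcount):
        while resp[pos] != 0:          # walk the labels of QNAME
            pos += resp[pos] + 1
        pos += 5                       # terminating zero + QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        if resp[pos] & 0xC0 == 0xC0:   # NAME given as a compression pointer
            pos += 2
        else:
            while resp[pos] != 0:
                pos += resp[pos] + 1
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_over_tls(name: str, resolver_ip: str, server_name: str) -> list:
    """Send one A query over TLS on port 853; server_name is the hostname the resolver's certificate must match."""
    # Default context verifies the certificate chain and hostname; there is no plaintext fallback.
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(build_query(name)))
            with tls.makefile("rb") as f:  # buffered read: TLS records need not align with DNS messages
                (length,) = struct.unpack("!H", f.read(2))
                return parse_a_records(f.read(length))
```

Only resolve_over_tls needs network access; a resolver that fails certificate verification raises ssl.SSLCertVerificationError rather than silently falling back.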
Benefits of DNS over TLS
DoT offers several key advantages:
- By encrypting DNS queries, DoT prevents third parties, such as ISPs or attackers, from monitoring or intercepting DNS traffic.
- When the client verifies the resolver's certificate, TLS ensures that it is talking to the intended DNS resolver, reducing the risk of DNS spoofing or man-in-the-middle attacks.
- Operating over port 853, DoT traffic is easily identifiable, allowing network administrators to manage it more effectively compared to protocols like DoH.
- DoT hides the content of DNS queries from other parties on the network, giving users greater privacy and protection.
Challenges and Considerations
While DoT provides robust privacy and security, it is not without its challenges:
- Not all devices and networks support DoT, requiring users to configure compatible resolvers or applications.
- Establishing and maintaining a TLS session can introduce slight latency compared to traditional DNS.
- Since DoT uses a dedicated port, it may be blocked on networks that restrict or monitor specific ports.
- Many users rely on large third-party DoT providers, potentially leading to centralisation concerns.
How to Use DoT
To use DoT, you need a compatible device and resolver:
- Enable DoT on Your Device: Many modern operating systems, such as Windows and Android, natively support DoT. You can configure it in your network settings.
- Third-Party Tools: Some applications and routers offer built-in DoT support, making it easier to adopt.
DoT and UK DNS Privacy Project
As part of the UK DNS Privacy Project, we provide DoT-enabled resolvers that prioritise security, privacy, and compliance. Our DoT servers are based in the UK, ensuring low latency and adherence to GDPR standards. By using our DoT service, you can trust that your DNS queries are encrypted, private, and protected against tampering.
For more insights into secure DNS protocols, explore related pages on DNS over HTTPS (DoH) and the broader workings of the UK DNS Privacy Project.