1. Home
  2. Education Articles
  3. What is DNS-over-TLS (DOT)?

What is DNS-over-TLS (DOT)?

DNS-over-TLS (DoT) is a security protocol that encrypts Domain Name System (DNS) queries using Transport Layer Security (TLS). By wrapping DNS traffic in a layer of encryption, DoT prevents third parties—like ISPs, attackers, or network snoops—from seeing or tampering with your DNS activity.

🛡️ Why Use DNS-over-TLS?

Traditional DNS queries are sent in plaintext, making it easy for anyone on the network path to observe or modify them. This can lead to:

  • Privacy risks (your ISP seeing every site you visit),
  • Security risks (attackers spoofing DNS responses),
  • Censorship (DNS requests being blocked or redirected).

DoT mitigates these risks by:

  • Encrypting the full DNS query and response,
  • Authenticating the DNS resolver, ensuring the response hasn’t been tampered with,
  • Maintaining compatibility with existing DNS infrastructure (unlike DoH which uses port 443).

🔍 How Does DoT Work?

  1. A DNS client (your device) establishes a TLS-encrypted TCP connection to a DoT-enabled DNS resolver (typically on port 853).
  2. All DNS queries and responses are exchanged over this encrypted channel.
  3. The resolver processes your request and responds securely.

🆚 DNS-over-TLS vs DNS-over-HTTPS

FeatureDoTDoH
ProtocolTLSHTTPS (TLS over HTTP/2)
Default Port853443
Visibility to FirewallsEasier to identify/blockHarder to detect (uses port 443)
Use CaseSystem-level DNS encryptionApplication/browser-level DNS encryption

DoT is often favored by network administrators due to its transparency and easier filtering, while DoH is preferred for bypassing censorship and working in browser apps.

🌐 CleanBrowsing and DoT

CleanBrowsing supports DNS-over-TLS across all its free and paid plans. Each user is assigned unique DoT endpoints that can be used to:

  • Secure home networks,
  • Lock down school or enterprise environments,
  • Ensure kids’ safety with encrypted filtering.

You can find your personalized DoT configuration by logging into your CleanBrowsing dashboard.

Updated on May 12, 2025
Was this article helpful?

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support