What is DNS over TLS (DoT)?

What is DNS over TLS?

DNS over TLS (DoT) is a protocol that encrypts DNS queries by establishing a TLS (Transport Layer Security) connection between your device and a DNS resolver. Standardized in RFC 7858 (May 2016), DoT uses a dedicated port (853) to transport encrypted DNS traffic.

Without encryption, traditional DNS queries are sent in plaintext over port 53. Anyone on the network path — your ISP, a Wi-Fi operator, or a malicious actor — can see which domains you resolve. DoT encrypts this communication using the same TLS protocol that secures HTTPS websites.

Unlike DNS over HTTPS (DoH), which wraps DNS inside HTTPS traffic, DoT uses its own dedicated port. This makes DoT easier for network administrators to identify and manage, which is why it's the preferred choice for enterprise and device-wide deployments.

How DNS over TLS Works

When your device needs to resolve a domain name, DoT encrypts the query before sending it:

1. Your device opens a TCP connection to the DNS resolver on port 853.
2. A TLS handshake authenticates the resolver and establishes an encrypted session.
3. Your DNS query (e.g., example.com) is sent through the encrypted TLS tunnel.
4. The resolver processes the query and returns the answer through the same encrypted channel.
5. Your device uses the resolved IP address to connect to the website.

The TLS connection can be reused for multiple queries, reducing the overhead of repeated handshakes. This makes DoT efficient for sustained use across many DNS lookups.

Benefits of DNS over TLS

• Device-wide encryption: Unlike DoH which typically works per-browser, DoT is configured at the OS level. On Android 9+ it's built in as "Private DNS", applying to all apps and services on the device.
• Privacy from ISPs: Your ISP can no longer see which domains you resolve. DNS queries are encrypted before leaving your device.
• Protection against DNS attacks: DoT prevents man-in-the-middle attacks, DNS poisoning, and query manipulation by encrypting the full communication.
• Network visibility: Because DoT uses a dedicated port (853), network administrators can monitor that encrypted DNS is being used without seeing the content of queries. This makes DoT easier to manage in enterprise environments.
• MDM-friendly: DoT is widely supported by mobile device management platforms like Mosyle, making it ideal for managed device fleets.

DoT vs DoH: What's the Difference?

Both DoT and DoH encrypt DNS queries, but they serve different use cases:

	DNS over TLS (DoT)	DNS over HTTPS (DoH)
Port	853 (dedicated port)	443 (same as HTTPS)
Protocol	TLS over TCP	HTTPS / HTTP/2
Scope	Device-wide (OS-level)	Per-browser or per-app
Visibility	Identifiable on the network (port 853)	Blends with regular web traffic
Best for	Mobile devices, routers, enterprise/MDM	Individual browsers, privacy-focused users
Native support	Android 9+ (Private DNS), many routers	Chrome, Firefox, Edge, Safari, Brave

Which should you use? For mobile devices and managed fleets, DoT is generally the better choice because it works at the OS level. For browser-specific protection, DoH is simpler to configure. Many organizations use both. See our Encrypted DNS overview for a complete comparison.

Limitations of DoT

• Blockable by port: Because DoT uses a dedicated port (853), network administrators or firewalls can block it specifically. This makes DoT less effective at circumventing censorship compared to DoH.
• Not end-to-end encrypted: DoT encrypts the hop between your device and the DNS resolver. The resolver itself decrypts the query to process it — you must trust your resolver.
• Does not hide destination IPs: Like DoH, DoT encrypts the DNS query but not the subsequent connection. The IP address you connect to remains visible in packet headers.
• Limited browser support: Browsers generally support DoH, not DoT. DoT relies on OS-level or router-level configuration.

DoT and DNS Filtering

DoT works well with DNS-based content filtering when configured to use a filtering-aware resolver. When you point DoT at CleanBrowsing, your DNS queries are encrypted in transit but still filtered at the resolver.

This is especially effective for mobile devices. On Android 9+, the built-in Private DNS setting supports DoT natively — once configured, all DNS traffic from every app is encrypted and filtered through CleanBrowsing.

For managed device fleets, DoT can be pushed via MDM platforms:

• Mosyle (DoT) for Apple devices
• Mosyle (DoH/DoT combined) with Chrome enforcement
• Android Private DNS for individual Android devices

CleanBrowsing DoT Endpoints

CleanBrowsing supports DoT across all filters with a global anycast network.

Free Filters

• Family Filter: family-filter-dns.cleanbrowsing.org
  Blocks adult content, proxies, VPNs, and mixed-content sites. Enforces SafeSearch.
• Adult Filter: adult-filter-dns.cleanbrowsing.org
  Blocks adult and explicit content. Allows proxies and mixed-content sites.
• Security Filter: security-filter-dns.cleanbrowsing.org
  Blocks phishing, malware, and malicious domains only.

Paid Customers

Paid customers get a private DoT hostname unique to their filtering configuration:

Custom DoT hostname: custom[code].dot.cleanbrowsing.org

Replace [code] with the unique key from your CleanBrowsing dashboard.

For a full walkthrough of all encrypted DNS protocols we support (DoH, DoT, and DNSCrypt), see our Encrypted DNS setup guide.

How to Enable DNS over TLS

DoT is supported natively on Android 9+ and many routers. Here are our setup guides:

• Android Private DNS (DoT) — built-in on Android 9+
• Mosyle MDM (DoT) — managed Apple devices
• Asus Merlin routers (DoT) — router-level configuration

You can verify your DoT configuration is working by visiting our DNS Leak Test — the results should show CleanBrowsing as your DNS provider.

For advanced verification, use kdig to test the TLS connection directly:

kdig @family-filter-dns.cleanbrowsing.org +tls-ca +tls-host=family-filter-dns.cleanbrowsing.org example.com