What is TLS?

The Encryption Protocol Behind HTTPS and DNS-over-TLS

TLS (Transport Layer Security) is the encryption protocol that secures data in transit across the internet. It powers HTTPS for web browsing and DNS-over-TLS (DoT) for encrypted DNS queries.


Step 1: What is TLS?

TLS (Transport Layer Security) is a cryptographic protocol that provides privacy and data integrity between two communicating applications. It's the successor to SSL (Secure Sockets Layer) and is used to encrypt virtually all internet communications.

When you see the padlock icon in your browser, that's TLS at work — encrypting the connection so that no one between you and the server can read or modify the data.

The current version is TLS 1.3, which simplified the handshake process and removed older, less secure cipher suites. TLS 1.2 is still widely supported, while TLS 1.0 and 1.1 have been deprecated.

Step 2: The TLS Handshake

Before encrypted communication begins, the client and server perform a TLS handshake:

  • Client Hello: The client sends supported TLS versions, cipher suites, and the SNI (server name)
  • Server Hello: The server responds with its chosen cipher suite and TLS certificate
  • Certificate verification: The client verifies the server's certificate against trusted Certificate Authorities
  • Key exchange: Both parties derive the same shared session keys using asymmetric cryptography, without ever sending those keys over the wire
  • Encrypted session: All subsequent data is encrypted with the shared keys

TLS 1.3 reduces this to a single round trip, improving performance.

Step 3: TLS in DNS

TLS is used in two key DNS protocols:

  • DNS-over-TLS (DoT): Wraps standard DNS queries in a TLS connection on port 853. Android 9+ supports this natively as "Private DNS." CleanBrowsing fully supports DoT for encrypted DNS filtering
  • DNS-over-HTTPS (DoH): Sends DNS queries inside HTTPS connections (which use TLS). Supported by browsers like Chrome and Firefox

Both protocols use TLS to prevent eavesdropping on DNS queries and protect against DNS hijacking and man-in-the-middle attacks during query transport.
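The handshake from Step 2 and the DoT transport from Step 3, shown together as an added example that is not part of this page and not CleanBrowsing's own code: a minimal Python DoT client opens a TLS session to a resolver on port 853, sends the resolver hostname as SNI and lets Python's default context validate the certificate chain and name (the "authenticating the resolver" point above), then frames a DNS query with the 2-byte length prefix RFC 7858 requires and parses the A records out of the reply. The resolver hostname is a parameter you supply; no specific resolver is assumed.

```python
import socket
import ssl
import struct

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    # Header: id, flags (RD=1), QDCOUNT=1, then QNAME as length-prefixed labels
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame_dot(msg: bytes) -> bytes:
    # DoT carries each DNS message behind a 2-byte big-endian length, like DNS over TCP
    return struct.pack("!H", len(msg)) + msg

def _skip_name(resp: bytes, pos: int) -> int:
    # A name is a compression pointer (top two bits set) or a zero-terminated label list
    if resp[pos] & 0xC0 == 0xC0:
        return pos + 2
    while resp[pos] != 0:
        pos += resp[pos] + 1
    return pos + 1

def parse_a_records(resp: bytes) -> list:
    # Return the IPv4 addresses in the answer section; raise on a non-zero RCODE
    _txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0xF:
        raise ValueError("resolver returned RCODE %d" % (flags & 0xF))
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4  # also skip QTYPE/QCLASS of the echoed question
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        if rtype == 1 and rdlen == 4:  # A record: four raw octets of an IPv4 address
            addrs.append(".".join(str(b) for b in resp[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return addrs

def dot_query(name: str, resolver_host: str, port: int = 853) -> list:
    # Default context: system CA store, chain validation, hostname check; SNI = resolver_host
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse deprecated TLS 1.0/1.1
    with socket.create_connection((resolver_host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_host) as tls:
            tls.sendall(frame_dot(build_dns_query(name)))
            stream = tls.makefile("rb")  # read exactly n bytes from the TLS stream
            (length,) = struct.unpack("!H", stream.read(2))
            return parse_a_records(stream.read(length))
```

Calling `dot_query("example.com", "<your DoT resolver hostname>")` performs the live lookup; a resolver whose certificate does not match that hostname fails the handshake with an `ssl.SSLCertVerificationError` rather than answering.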

For website owners, TLS also secures the connection between visitors and the website itself. NOC.org provides TLS certificate management, CDN, and WAF services that protect websites on the server side.

Step 4: TLS and DNS Filtering

TLS encrypts data in transit but doesn't prevent DNS filtering. DNS filtering operates at the DNS resolution layer — before any TLS connection is established. When you use CleanBrowsing with DoT or DoH, TLS actually strengthens filtering by:

  • Protecting the DNS query: Third parties can't see or modify your DNS queries in transit
  • Authenticating the resolver: TLS certificates verify you're connected to CleanBrowsing, not a rogue resolver
  • Preventing bypass: Encrypted DNS connections are harder to intercept or redirect than plaintext DNS
