Traditional DNS sends every query in plain text. Your ISP sees every domain you look up. Your coffee shop's WiFi sees it. Anyone in the network path can read it.

DNS over TLS (DoT) encrypts those queries. But here's what most explanations skip: someone still has to resolve them. You're not eliminating trust—you're choosing who to trust.

How It Works

Instead of plain text on UDP port 53, DoT establishes an encrypted TLS connection to a resolver on TCP port 853. Your device and the resolver perform a TLS handshake—the resolver presents its certificate, your device verifies it against the resolver's hostname, and the two negotiate encryption keys. Then your DNS queries flow through the tunnel.

A network observer sees traffic going to port 853 on a known resolver. They can see that you're making DNS queries. They cannot see what you're querying.

The connection stays open for multiple queries. You don't pay the TLS handshake cost for every lookup—just the first one. Once established, DoT is nearly as fast as traditional DNS.
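The exchange described above, as an added example that is not part of the original page: a minimal DoT client built only on Python's standard library. It opens TLS to Cloudflare's 1.1.1.1 on TCP port 853 (the resolver named later on this page), verifies the resolver's certificate against the hostname one.one.one.one, frames each DNS message with the two-byte length prefix that DoT inherits from DNS over TCP, and reuses one session for several lookups so the handshake is paid once.

```python
import socket
import ssl
import struct

def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Encode a DNS query (A record by default) with the recursion-desired flag set."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # id, flags=RD, QDCOUNT=1
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        n = msg[pos]
        if n == 0 or n & 0xC0 == 0xC0:   # root label (1 byte) or pointer (2 bytes) ends it
            return pos + (2 if n else 1)
        pos += n + 1

def parse_a_answers(msg: bytes, txid: int) -> list[str]:
    """Return IPv4 addresses from the answer section; reject id mismatch or error RCODEs."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or flags & 0x000F:
        raise ValueError(f"bad response: id={rid:#x} rcode={flags & 0x000F}")
    pos = 12
    for _ in range(qd):                  # question: name, QTYPE, QCLASS
        pos = _skip_name(msg, pos) + 4
    addrs = []
    for _ in range(an):                  # answer: name, TYPE, CLASS, TTL, RDLENGTH, RDATA
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def dot_query(names: list[str], host: str = "1.1.1.1", sni: str = "one.one.one.one") -> dict:
    """Resolve several names over ONE TLS session to TCP/853, using DNS-over-TCP framing."""
    ctx = ssl.create_default_context()   # verifies the chain and that the cert matches `sni`
    with socket.create_connection((host, 853), timeout=5) as raw, \
         ctx.wrap_socket(raw, server_hostname=sni) as tls:
        stream, results = tls.makefile("rb"), {}
        for txid, name in enumerate(names, start=1):      # handshake cost paid once
            q = build_query(name, txid)
            tls.sendall(struct.pack("!H", len(q)) + q)      # 2-byte length prefix, then message
            (length,) = struct.unpack("!H", stream.read(2))
            results[name] = parse_a_answers(stream.read(length), txid)
        return results

if __name__ == "__main__":
    print(dot_query(["example.com", "cloudflare.com"]))
```

A packet capture of this run shows only a TLS session to port 853; the query names and answers are inside the tunnel, which is exactly what a network observer is left with.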

The Port 853 Trade-off

DoT uses port 853. Only port 853. This is either its greatest strength or its fatal flaw.

For network administrators, the dedicated port is a gift. You can see DoT traffic clearly, route it, apply policies to it, monitor that it's happening—all without seeing what's inside. Visibility and control for the network; privacy from external observers for users.

For users trying to evade surveillance or censorship, the dedicated port is a target. Blocking port 853 blocks all DoT. Restrictive networks can kill encrypted DNS with one firewall rule.

This is where DNS over HTTPS (DoH) diverges. DoH sends DNS queries over port 443—the same port as all HTTPS web traffic. You can't block it without blocking the web itself.

DoT: Transparent to your network, blockable. DoH: Invisible to your network, uncontrollable.

Choose based on who you're trying to hide from.

The Trust Concentration Problem

With traditional DNS, your queries scatter—your ISP sees them, intermediate networks might cache them, multiple parties have access.

With DoT, you're concentrating them. Cloudflare at 1.1.1.1. Google at 8.8.8.8. Quad9 at 9.9.9.9. Your ISP can no longer see your lookups—but your chosen resolver sees all of them. Every site you visit. Every service you connect to. One company gets all of it.

This is the privacy trade-off that matters. You're not making your DNS queries private. You're choosing who they're private from and who they're visible to. Read your resolver's privacy policy. Understand their logging practices. You're handing them your complete browsing history.

Configuring DoT

Android (9+): Settings → Network → Private DNS. Enter a hostname like one.one.one.one or dns.google. Every app now uses encrypted DNS.

iOS/macOS: Requires installing a configuration profile—Apple doesn't expose this in the UI. Cloudflare and other providers offer downloadable profiles.

Linux: Configure systemd-resolved with DNSOverTLS=yes, or run Stubby as a local proxy.

Enterprise: Your internal resolvers use traditional DNS for clients; they use DoT to reach the Internet. Centralize the encrypted connection rather than configuring every device.

When to Use What

Use DoT when:

  • You want DNS privacy from your ISP and network observers
  • You're on an enterprise network that needs traffic visibility without content inspection
  • The network doesn't block port 853

Use DoH when:

  • Port 853 is blocked
  • You need DNS encryption that can't be detected or filtered
  • Even the existence of encrypted DNS traffic could be problematic

Use neither when:

  • You run your own resolver and trust your network path
  • You're already using a VPN that handles DNS
  • Latency is critical and you can't afford handshake overhead

Three Answers to the Same Question

Who sees what?

Traditional DNS: Everyone sees everything.

DoT: Your network sees the traffic exists. Your resolver sees the content. Everyone else sees nothing.

DoH: Nobody sees the traffic exists. Your resolver sees the content. Everyone else sees nothing.

Choose accordingly.
