What is DNS over TLS?
DNS over TLS (DoT) is a protocol that provides encryption between a DNS (domain name system) client and a DNS server. It’s a way to send DNS queries through an encrypted TLS (transport layer security) connection instead of sending them in plain text. When your device asks, “What is the IP address for this domain?”, DoT wraps that request in TLS so outsiders can’t easily read or modify it on the way to the resolver.
TLS is the encryption standard used to secure many kinds of internet traffic. In DoT, TLS sits on top of a TCP (transmission control protocol) connection and protects the DNS exchange specifically.
Compared with regular DNS, the difference is simple: traditional DNS traffic is often sent unencrypted over port 53, while DNS over TLS encrypts the connection to the resolver.
The standard DNS over TLS port is 853. Because DoT uses a dedicated port, its TCP connections are easy to identify on a network. That’s a good thing for admins who want visibility, but it also makes DoT easier to block than protocols that blend into normal HTTPS traffic.
How does DNS over TLS work?
At a high level, DNS over TLS works like this:
1. A stub resolver, which is the DNS client on your device, connects to a DNS resolver using a TLS connection, usually on TCP port 853.
2. The DNS client and resolver perform a TLS handshake to agree on encryption settings for the TLS session.
3. The resolver presents its TLS certificate, and the DNS client checks that the certificate is issued for the expected resolver name (the hostname you configured) and chains to a certificate authority the client trusts.
4. Once the TLS handshake succeeds, an encrypted TLS connection is established. It carries encrypted DNS traffic, so queries and responses travel securely instead of being sent in plain text.
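The four steps above, carried out by a small DNS-over-TLS client. This is an added example, not code from the original article: it builds a DNS query in wire format, applies the 16-bit length prefix that DNS uses over TCP and TLS, opens a TLS session that insists on chain and hostname verification, and parses the A records out of the reply. The resolver address 1.1.1.1 and hostname one.one.one.one are the public Cloudflare values mentioned later in the article; the query name example.com and the response bytes used for the offline check are constructed inputs.

```python
"""Minimal DNS-over-TLS client for illustration (added example, not the
article's own code). Assumes the public Cloudflare resolver named in the
article; the query name is a constructed input."""
import secrets
import socket
import ssl
import struct

DOT_PORT = 853  # IANA-assigned port for DNS over TLS


def build_query(qname: str, qtype: int = 1) -> bytes:
    """Build a standard DNS query message (qtype 1 = A record, class IN)."""
    txid = secrets.token_bytes(2)               # random ID, used to match the reply
    header = txid + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """DNS over TCP/TLS prefixes every message with its big-endian 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def unframe(stream: bytes) -> bytes:
    """Strip the 2-byte length prefix and check that the body is complete."""
    if len(stream) < 2:
        raise ValueError("short frame")
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated DNS message")
    return body


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a domain name, whether written out or a compression pointer."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:                   # 2-byte pointer ends the name
            return off + 2
        off += 1 + ln


def parse_a_records(msg: bytes, expected_id: bytes = b"") -> list:
    """Return dotted IPv4 strings from the answer section of a DNS response."""
    txid, flags, qdcount, ancount = struct.unpack("!2sHHH", msg[:8])
    if expected_id and txid != expected_id:
        raise ValueError("transaction ID mismatch")
    if flags & 0x000F:                          # RCODE other than NOERROR
        raise ValueError(f"DNS error rcode={flags & 0xF}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips


def make_dot_context() -> ssl.SSLContext:
    """TLS settings a DoT client should insist on: verified chain and hostname."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def query_dot(server_ip: str, server_name: str, qname: str) -> list:
    """Resolve qname over TLS; server_name drives SNI and certificate checks."""
    q = build_query(qname)
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with make_dot_context().wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(q))
            (length,) = struct.unpack("!H", tls.recv(2))
            body = b""
            while len(body) < length:
                chunk = tls.recv(length - len(body))
                if not chunk:
                    raise ConnectionError("resolver closed the connection")
                body += chunk
    return parse_a_records(body, expected_id=q[:2])


if __name__ == "__main__":
    # Live lookup over TCP/853. A certificate that does not match the
    # configured hostname fails the lookup; there is no fallback to port 53.
    try:
        print(query_dot("1.1.1.1", "one.one.one.one", "example.com"))
    except (OSError, ssl.SSLError, ValueError) as exc:
        print("DoT lookup failed:", exc)
```

The point of `make_dot_context()` is step 3: the client only trusts a resolver whose certificate chains to a trusted CA and carries the configured hostname. If that check fails, the lookup fails; a client that quietly retried over plain port 53 would undo the privacy benefit.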
Why DNS privacy matters
Traditional DNS wasn’t built with strong DNS security or privacy in mind. In many cases, queries are sent in plain text, which means your ISP, the network operator, or anyone else on the path may be able to see which domains you look up.
That exposure creates a privacy gap even when the website itself uses HTTPS. It can also lead to real security problems, because attackers may try to intercept or manipulate DNS data to redirect users to malicious destinations. Without better DNS protection, one of the internet’s most basic systems remains exposed.
DNS over TLS vs. DNS over HTTPS
DNS over HTTPS (DoH) is another protocol for encrypting DNS queries. Like DoT, it keeps DNS lookups from being sent in plain text. The main differences come down to visibility, control, and compatibility.
| | DNS over TLS | DNS over HTTPS |
|---|---|---|
| Standard port | 853 | 443 |
| Traffic visibility | Easier to identify and block | Blends into normal HTTPS traffic |
| Browser support | Limited | Widely supported |
| Admin control | Often easier to manage in controlled networks | Can bypass network DNS controls if browser-managed |
| Best fit | System-wide or network-level DNS encryption | Browser-centric privacy and censorship resistance |
The biggest difference is the port. DNS over TLS uses port 853, while DNS over HTTPS uses port 443, the same TCP port as regular HTTPS traffic. That makes DoH harder to distinguish from normal web traffic. It also explains why some people prefer DoH on restrictive networks and why some organizations prefer DoT, which is easier to manage explicitly.
If you want clear, system-wide encrypted DNS and easier network administration, DoT makes a lot of sense. If you want DNS traffic to blend into normal web traffic and you rely heavily on browser-level protection, DoH may be the better fit.
DNS over TLS vs. DNSSEC
The DNSSEC (domain name system security extensions) vs. DNS over TLS comparison trips people up because the names sound related, but they solve different problems.
DNSSEC helps confirm that the DNS response is authentic and hasn’t been forged. It does this with digital signatures. What it doesn’t do is encrypt the DNS traffic. Someone on the network may still be able to see your lookups.
DoT does the opposite job. It encrypts the DNS connection between your device and the resolver, but it doesn’t by itself prove that every DNS answer is authentic in the DNSSEC sense.
That’s why the best setup is both together: DNSSEC for authenticity and DoT for privacy in transit.
When to use DNS over TLS
Use DNS over TLS whenever you want your queries to be less visible on the network.
That’s especially useful on public Wi-Fi, hotel networks, airport Wi-Fi, school or office guest networks, and even at home if you don’t want your ISP seeing plain DNS lookups. It also makes sense on routers and firewalls when you want encrypted DNS for every device on the network, not just one browser.
What are the benefits of DNS over TLS?
DNS over TLS protects your DNS queries better than regular DNS. The main benefits are:
- Privacy. Your ISP or local network operator has a harder time reading your queries when they’re encrypted.
- Protection against basic DNS tampering. Because the connection is encrypted and authenticated, DoT helps reduce the risk of eavesdropping and some on-path manipulation. That can help defend against DNS spoofing attempts and some man-in-the-middle attacks targeting DNS traffic.
- System-wide protection. On platforms that support DoT at the operating system or router level, encrypted DNS is not limited to one browser. Apps that use the system resolver can send their DNS requests through the same protected path.
- Clearer control for admins. DoT stays visible as its own protocol instead of blending into normal HTTPS traffic. In managed environments, that makes it easier to apply policies, log DNS activity, and control which encrypted resolvers are allowed.
Are there any limitations of DNS over TLS?
DNS over TLS does have some limitations, and they’re worth knowing before you switch it on:
- It doesn’t hide your IP address. DoT only protects your DNS lookups, and your IP address remains visible.
- Setup is often technical. Some devices make DoT easy to enable, but support is still uneven. Android has built-in support, while desktop setup can be more complex depending on the system, resolver, or network.
- It can interfere with captive portals. On hotel, airport, or café Wi-Fi, the network often expects to intercept DNS during the login process. Encrypted DNS can get in the way until you complete the sign-in step.
How to use DNS over TLS
Many large recursive resolvers support DoT, so the hard part is usually the setup. In general, configuration involves entering the DNS server address or hostname, enabling TLS or Private DNS, and making sure other DNS settings don’t override it.
Before you start, you usually need:
- A DNS provider that supports DoT.
- The correct hostname or DNS server address.
- The resolver’s authentication hostname, so your client can validate the resolver’s TLS certificate.
Popular public DNS resolvers that support DoT include Google Public DNS and Cloudflare. The Google Public DNS resolver supports DNS over TLS with the hostname “dns.google.” Cloudflare supports it on 1.1.1.1, and if your DoT client expects a hostname for verification, you can use “one.one.one.one.”
Configure DNS over TLS on an operating system
The exact setup depends on the device, but the basic idea is the same: choose a DoT-capable resolver, enter the right details, and make sure encrypted DNS is enabled.
Android
Android has one of the simplest built-in DoT setups:
1. Go to network settings.
2. Open “Private DNS.”
3. Choose the private DNS provider hostname option.
4. Enter a supported hostname such as the one from your DNS provider.
Android will then try to send system DNS traffic over DoT.
Windows / Windows 11
Windows 11 supports encrypted DNS, including DoT, but the setup varies depending on your version of Windows and whether the device is managed by an organization.
In general, you need to:
1. Open your network settings.
2. Choose a DNS resolver that supports DoT.
3. Enable encrypted DNS for that connection.
4. Apply the changes and reconnect if needed.
On managed work devices, these settings may already be configured or restricted by IT.
Linux
On many Linux systems, DNS over TLS is set up through systemd-resolved:
1. Open the resolver configuration file (often “resolved.conf”).
2. Enter the DNS server you want to use.
3. Enable the “DNSOverTLS” setting.
4. Restart the resolver service so the changes take effect.
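What those four steps produce, and how to check the result, as an added example that is not part of the original article or of the systemd project. It assumes the documented `resolved.conf` keys `DNS=` and `DNSOverTLS=`, where `DNS=` accepts an `address#hostname` pair so the certificate can be checked against a name, and `DNSOverTLS=yes` refuses to fall back to plaintext while `opportunistic` does not. The drop-in path and the resolver addresses (the public Cloudflare and Google resolvers named in the article) are assumptions; `write_dropin()` needs root and is not called by default.

```python
"""Render and audit a systemd-resolved drop-in for strict DNS over TLS.
Added example, not the article's or systemd's own code. Assumes the
resolved.conf keys DNS= and DNSOverTLS=; path and resolvers are assumptions."""
from pathlib import Path

DROPIN_PATH = Path("/etc/systemd/resolved.conf.d/dot.conf")  # assumed location


def render_dot_dropin(servers: dict, strict: bool = True) -> str:
    """servers maps resolver IP -> hostname used for certificate validation.

    strict=True emits DNSOverTLS=yes (no plaintext fallback); strict=False
    emits the weaker 'opportunistic' mode, which keeps resolving in the clear
    if port 853 is blocked or the certificate check fails.
    """
    entries = " ".join(f"{ip}#{name}" for ip, name in servers.items())
    mode = "yes" if strict else "opportunistic"
    return f"[Resolve]\nDNS={entries}\nDNSOverTLS={mode}\n"


def parse_resolve_section(text: str) -> dict:
    """Small parser for the [Resolve] section; repeated keys are collected."""
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Resolve" and "=" in line:
            key, _, val = line.partition("=")
            values.setdefault(key.strip(), []).append(val.strip())
    return values


def audit_resolved_conf(text: str) -> list:
    """Return findings; an empty list means strict, authenticated DoT."""
    findings = []
    v = parse_resolve_section(text)
    mode = (v.get("DNSOverTLS") or ["no"])[-1].lower()   # last value wins
    if mode != "yes":
        findings.append(f"DNSOverTLS={mode}: plaintext fallback possible")
    servers = " ".join(v.get("DNS", [])).split()
    if not servers:
        findings.append("no DNS= servers configured")
    for s in servers:
        if "#" not in s:
            findings.append(f"{s}: no hostname, certificate name cannot be checked")
    return findings


def write_dropin(text: str, path: Path = DROPIN_PATH) -> None:
    """Write the drop-in (root required); restart systemd-resolved afterwards."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


if __name__ == "__main__":
    weak = "[Resolve]\nDNS=1.1.1.1\nDNSOverTLS=opportunistic\n"   # constructed
    good = render_dot_dropin({"1.1.1.1": "one.one.one.one", "8.8.8.8": "dns.google"})
    print("weak config findings:", audit_resolved_conf(weak))
    print("strict config findings:", audit_resolved_conf(good))
    print(good)
```

After writing the drop-in and restarting the service, `resolvectl status` should list the servers with their hostnames and show DNS over TLS as enabled; if the audit reports `opportunistic`, the machine will still resolve names, but silently in plaintext whenever TLS to the resolver is unavailable.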
macOS
macOS supports DNS over TLS through Apple’s DNS settings frameworks and device management tools, but there’s no simple built-in consumer toggle. In general, the process looks like this:
1. Choose a DNS provider that supports DNS over TLS.
2. Get the resolver details, including the server hostname used for certificate validation.
3. Add those DNS settings through a configuration profile, device management tool, or supported app.
4. Apply the configuration and make sure it’s enabled for the networks where you want to use it.
Configure DNS over TLS on a router or firewall
Setting up DoT on a router or firewall is often the most practical option for a home or office because it covers every device on that network.
You’ll need to:
1. Open the DNS settings in your router or firewall.
2. Choose a resolver that supports DoT.
3. Enter the resolver’s IP and authentication hostname if required.
4. Enable DNS over TLS and save.
5. Reboot or reload the DNS service.
Exact menu names depend on the hardware and firmware.
Use DoT with NordVPN
If you’re connected to NordVPN, you usually don’t need to set up DoT on the same device. NordVPN’s native apps automatically use NordVPN DNS servers while the VPN is active, helping prevent DNS leaks and keeping DNS requests inside the VPN tunnel.
That means a separate DoT setup adds little value while the VPN is already handling DNS securely. It may also create extra complexity or conflicts, especially if you try to force a custom DNS setup on top of the VPN connection.
Test DNS over TLS
You can use a few methods to check whether DNS over TLS is working:
- Use a DNS leak test or resolver check to confirm which DNS service is answering your queries.
- Use packet capture tools on desktop systems or network gear to see whether DNS traffic is going to port 853 instead of port 53.
- Check your operating system’s network or resolver logs to see whether encrypted DNS is active.
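The packet-capture check above, and the admin-control point from the benefits section (DoT is visible on its own port, so it can be policed), as an added example that is not part of the original article. It runs over a handful of constructed connection records in a simple whitespace format (timestamp, source, destination, destination port, protocol), classifies each as plaintext DNS on port 53 or DoT on TCP port 853, and reports clients that still send plaintext DNS as well as DoT sessions to resolvers outside an assumed allow-list. The allow-list and the log lines are constructed for the example.

```python
"""Check a connection log for plaintext DNS versus DNS over TLS.
Added example, not the article's own code. Log format, sample records and
the resolver allow-list are all constructed for illustration."""
from collections import defaultdict

# Constructed sample: one client that has moved to DoT, one still on
# plaintext DNS, and one using an encrypted resolver the site does not permit.
SAMPLE_LOG = """\
2024-01-01T10:00:01 192.168.1.10 1.1.1.1 853 tcp
2024-01-01T10:00:02 192.168.1.10 1.1.1.1 853 tcp
2024-01-01T10:00:05 192.168.1.11 192.168.1.1 53 udp
2024-01-01T10:00:06 192.168.1.11 192.168.1.1 53 udp
2024-01-01T10:00:09 192.168.1.12 203.0.113.7 853 tcp
2024-01-01T10:00:10 192.168.1.12 1.1.1.1 853 tcp
2024-01-01T10:00:11 192.168.1.12 198.51.100.5 443 tcp
"""

ALLOWED_DOT_RESOLVERS = {"1.1.1.1", "8.8.8.8"}   # assumed site policy


def parse_log(text: str):
    """Yield one dict per non-empty line of the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        yield {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def classify(rec: dict) -> str:
    """DoT is TCP/853; plaintext DNS is port 53; everything else is ignored."""
    if rec["dport"] == 853 and rec["proto"] == "tcp":
        return "dot"
    if rec["dport"] == 53:
        return "plain_dns"
    return "other"


def summarize(text: str, allowed=ALLOWED_DOT_RESOLVERS) -> dict:
    """Per client: flow counts per class and any DoT resolvers outside policy."""
    per_client = defaultdict(lambda: {"dot": 0, "plain_dns": 0, "unapproved_dot": set()})
    for rec in parse_log(text):
        kind = classify(rec)
        if kind == "other":
            continue
        entry = per_client[rec["src"]]
        entry[kind] += 1
        if kind == "dot" and rec["dst"] not in allowed:
            entry["unapproved_dot"].add(rec["dst"])
    return dict(per_client)


def findings(summary: dict) -> list:
    """Human-readable findings: clients with no DoT at all, and off-policy resolvers."""
    out = []
    for src, e in sorted(summary.items()):
        if e["plain_dns"] and not e["dot"]:
            out.append(f"{src}: {e['plain_dns']} plaintext DNS flows, no DoT seen")
        for dst in sorted(e["unapproved_dot"]):
            out.append(f"{src}: DoT to unapproved resolver {dst}")
    return out


if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_LOG)):
        print(line)
```

On a real network the same records come from a capture filter such as `tcp port 853 or port 53` or from an export of the firewall's connection log; the classification logic is unchanged. Note that this only shows where DNS traffic goes: a client talking to port 853 has encrypted its lookups, but whether the resolver's certificate was verified is something only the client (or its resolver logs) can tell you.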