What is DNS over TLS (DoT)? Enhancing Your Online Privacy
Every time you click a link or type a web address, your Internet Service Provider (ISP) logs that destination within milliseconds, even if the website uses HTTPS, simply because standard DNS queries travel in plaintext.
When you browse the web, your device relies on the Domain Name System (DNS) to translate human-friendly names like whoip.tw into machine-readable IP addresses. If you want to brush up on how this translation works behind the scenes, you can read our guide on how DNS works.
The original DNS protocol, designed in 1983, was never built with security in mind. By default, your DNS requests are sent in unencrypted plaintext. This means anyone sitting on the same Wi-Fi network, your ISP, or even a malicious actor middleman can easily peek at every single website you try to visit.
To patch this decades-old privacy hole, network engineers introduced two primary encryption methods: DNS over TLS (DoT) and DNS over HTTPS (DoH). Let’s take a closer look at DNS over TLS (DoT), how it quietly shields your digital footprint at the system level, and how it stacks up against its browser-friendly sibling, DoH.
What is DNS over TLS (DoT)?
At its core, DNS over TLS (DoT) is a security protocol that takes standard, naked DNS queries and wraps them inside a secure Transport Layer Security (TLS) tunnel. This is the exact same encryption technology that turns insecure HTTP web traffic into secure HTTPS.
Officially standardized by the Internet Engineering Task Force (IETF) in May 2016 under RFC 7858, DoT operates with singular focus:
- Dedicated Port: DoT uses a specific network port, TCP port 853.
- Single-Purpose Channel: Unlike general web traffic, port 853 is reserved exclusively for encrypted DNS queries.
- Connection Setup: Before your device asks for an IP address, it performs a TLS handshake with a DoT-supporting resolver (like Cloudflare’s 1.1.1.1, launched on April 1, 2018). Once identity is verified and cryptographic keys are exchanged, all queries flow through this secure pipe.
This dedicated design provides a massive security upgrade. Because the connection is encrypted end-to-end, eavesdroppers cannot see which domains you are querying. It also prevents on-path attackers from tampering with your DNS responses—a common tactic used in phishing attacks to redirect users to fraudulent websites.
However, dedicating a unique highway for DNS traffic comes with specific trade-offs, especially when network administrators decide they want to control what passes through their gates.
DoT vs. DoH: The Great Encryption Split
When researching secure DNS, you will inevitably run into DNS over HTTPS (DoH). While both protocols use TLS to achieve strong encryption, their underlying philosophies and implementation methods are vastly different.
The IETF published the specifications for DoH in October 2018 under RFC 8484. Instead of establishing a dedicated pathway like DoT, DoH packages DNS queries inside standard HTTPS packets and sends them over port 443—the universal port used for almost all secure web traffic.
This subtle architectural difference creates distinct real-world behaviors:
1. Visibility and Stealth
DoH is a master of disguise. Because it utilizes port 443, DoH queries blend seamlessly into the ocean of regular web traffic. To an ISP or network monitor, a DoH request is indistinguishable from secure online banking, scrolling through social media, or streaming a movie.
DoT, on the other hand, stands out. Because it operates on port 853, any network observer can instantly tell that you are using encrypted DNS. While they still cannot see which websites you are looking up, they know you are actively hiding your DNS traffic.
2. Blockability
This visibility directly affects how easily these protocols can be blocked. Because DoT uses a unique port, a network administrator at a school, workplace, or within a highly restrictive country can block all DoT traffic simply by shutting down port 853 on their firewall. This forces your device to either fall back to unencrypted DNS or lose internet connectivity entirely.
Blocking DoH is incredibly difficult. Because port 443 is vital for modern internet usability, blocking it would essentially break the web, making it impossible to access secure sites.
3. System-Level vs. App-Level Control
DoT is typically configured at the operating system level (supported natively on Android 9+ and iOS). Once enabled, every single app on your device automatically uses DoT for its queries.
DoH is favored heavily by web browsers like Google Chrome and Mozilla Firefox. These browsers often enable DoH natively within their own settings, bypassing the operating system’s DNS configurations. While convenient for users, this can frustrate network administrators who lose the ability to manage local DNS policies for security filtering.
Understanding these operational differences helps explain why choosing one over the other depends entirely on your current threat model.
Performance and Overhead
A common concern when switching to any encrypted protocol is latency. Does wrapping your queries in cryptographic layers slow down your web browsing experience?
In practice, the performance difference between encrypted DNS and traditional, unencrypted DNS is negligible. This is thanks to a technology called TLS Session Resumption. Once your device establishes an initial handshake with an encrypted resolver, subsequent queries reuse the existing secure session, skipping the heavy mathematical calculations required for a new handshake.
When comparing the two secure protocols, DoT actually holds a slight edge in efficiency.
Because DoH wraps DNS queries inside the extra formatting layers of HTTP/2 or HTTP/3 (including large headers and specific application data structures), it carries more data overhead. DoT strips away this web application wrapper, transmitting raw DNS data directly inside the TLS tunnel. For resource-constrained devices or networks where every byte counts, DoT is the cleaner, more lightweight solution.
Regardless of which protocol you choose, you must ensure that your encrypted queries are actually reaching their destination without slipping back into plaintext. To make sure your system is configured correctly, check out our guide on how to identify and fix DNS leaks.
Which One Should You Choose?
When deciding between DoT and DoH for your daily setup, the choice usually comes down to your environment and device.
- For Mobile Devices (Android/iOS): Go with DoT. Mobile operating systems have built-in, native support for DoT (often labeled “Private DNS”). It applies system-wide, ensuring that all background apps—not just your web browser—are protected under a single setting while consuming minimal battery power.
- For Restrictive Networks: If you are using public Wi-Fi at a hotel, working on a corporate network with strict policies, or traveling in regions with heavy censorship, DoH is your best bet. Its ability to masquerade as standard web traffic on port 443 keeps your queries flowing where DoT might be blocked.
- For Home Network Routers: If you want to secure every smart TV, gaming console, and IoT device in your home without configuring them individually, look for a router that supports DoT. Keeping all queries within a clean, lightweight system-level protocol is the most efficient approach for a home gateway.
Securing your DNS queries is a massive step forward in taking back your digital privacy, but it is only one piece of the puzzle. While encrypted DNS prevents your ISP from seeing the domains you lookup, your destination IP address still travels in the clear during connection establishment.