DNS over TLS

From Wikipedia, the free encyclopedia

DNS over TLS (DoT) is a security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks.

As of 2019, Cloudflare, Quad9, Google, Quadrant Information Security and CleanBrowsing provide public DNS resolver services via DNS over TLS.[1][2][3][4][5] In April 2018, Google announced that Android Pie would include support for DNS over TLS.[6] DNSDist, from PowerDNS, also announced support for DNS over TLS in its latest version, 1.3.0.[7] BIND users can also provide DNS over TLS by proxying it through stunnel.[8] Unbound has supported DNS over TLS since 22 January 2018.[9][10] Technitium DNS Server has supported DNS over TLS since v3.0 and can also use the protocol with forwarders, allowing users to consume public DNS over TLS resolver services.[11]


While many servers support DoT, most client systems do not use it by default.

Linux users can enable DNS over TLS by setting DNSOverTLS=opportunistic in /etc/systemd/resolved.conf. Alternatively, one may install getdns-utils[12] to use DoT directly with the getdns_query tool, or system-wide with the stubby daemon, unbound or Knot Resolver. Another option is to configure a server as the resolver, such as the above-mentioned BIND with stunnel.
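An added example (not from the original article or from the systemd project): a small Python audit of a resolved.conf that reports the DNSOverTLS mode and flags the opportunistic setting, which systemd-resolved documents as open to downgrade to unencrypted DNS. The sample configs, the addresses, the name dns.example.net and the function name audit_resolved_conf are constructed for illustration; the function reads a single file and ignores drop-in directories.

```python
import configparser

# Constructed sample configs (documentation addresses, not real resolvers).
OPPORTUNISTIC = """[Resolve]
DNS=192.0.2.53
DNSOverTLS=opportunistic
"""
STRICT = """[Resolve]
DNS=192.0.2.53#dns.example.net 2001:db8::53#dns.example.net
DNSOverTLS=yes
"""

TRUE_VALUES = {"yes", "true", "on", "1"}
FALSE_VALUES = {"no", "false", "off", "0"}

def audit_resolved_conf(text):
    """Return (mode, findings) for the [Resolve] section of one resolved.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: DNS, DNSOverTLS
    cp.read_string(text)
    resolve = cp["Resolve"] if cp.has_section("Resolve") else {}
    raw = resolve.get("DNSOverTLS", "").strip().lower()
    findings = []
    if raw in TRUE_VALUES:
        mode = "strict"
    elif raw == "opportunistic":
        mode = "opportunistic"
        findings.append("opportunistic mode falls back to plaintext DNS when "
                        "TLS to the resolver fails, so an on-path attacker "
                        "can force a downgrade")
    else:
        mode = "off" if raw in FALSE_VALUES else "unset"
        findings.append("DNS over TLS is not enabled in this file")
    servers = resolve.get("DNS", "").split()
    if not servers:
        findings.append("no DNS= servers set in this file")
    if mode == "strict":
        for server in servers:
            # address#server_name supplies the name used for validation and SNI
            if "#" not in server:
                findings.append(f"{server}: no #server_name, certificate is "
                                "checked against the IP address only")
    return mode, findings
```

Calling `audit_resolved_conf(open("/etc/systemd/resolved.conf").read())` on a host returns the mode and a list of findings to review.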

Windows users can install Chocolatey. Many solutions for Linux also have Windows counterparts, such as an exe for the above-mentioned stubby and tools.

External links

  • RFC 7858 – Specification for DNS over Transport Layer Security (TLS)
  • RFC 8310 – Usage Profiles for DNS over TLS and DNS over DTLS
  • DNS Privacy Project: dnsprivacy.org


  1. "How to keep your ISP's nose out of your browser history with encrypted DNS". Ars Technica. Retrieved 2018-04-08.
  2. "DNS over TLS - Cloudflare Resolver". developers.cloudflare.com. Retrieved 2018-04-08.
  3. "Google Public DNS now supports DNS-over-TLS". Google Online Security Blog. Retrieved 2019-01-10.
  4. "Quad9, a Public DNS Resolver - with Security". RIPE Labs. Retrieved 2018-04-08.
  5. "Troubleshooting DNS over TLS".
  6. "DNS over TLS support in Android P Developer Preview". Google Security Blog. April 17, 2018.
  7. "DNS-over-TLS". dnsdist.org. Retrieved 25 April 2018.
  8. "Bind - DNS over TLS".
  9. "Unbound version 1.7.3 Changelog".
  10. Aleksandersen, Daniel. "Actually secure DNS over TLS in Unbound". Ctrl blog. Retrieved 2018-08-07.
  11. "Configuring DNS Server For Privacy & Security". blog.technitium.com. Retrieved 2018-07-19.
  12. Package: getdns-utils, retrieved 2019-04-04