Code on a screen

What is DNS over TLS?

DNS over TLS (DoT) is a protocol for the encrypted transmission of DNS (Domain Name System) queries. Name resolution on the Internet is typically transmitted unencrypted via UDP. With DoT, however, the assignment of domains and the associated IP addresses is encrypted using the Transport Layer Security (TLS) protocol. This protects the transmission from interception, manipulation and man-in-the-middle attacks.

Myra Services on this topic: Leading Edge Performance and certified Security powered by Myra Secure DNS
Setup DNS over TLS


DNS over TLS: Definition

DoT is the standard (RFC 7858) proposed by the Internet Engineering Task Force (IETF) for fortifying DNS connections. In contrast to conventional DNS requests, DoT establishes a secure TCP (Transmission Control Protocol) connection between the client and the DNS server, which is authenticated and encrypted using TLS. This ensures that no interception attacks are possible via man-in-the-middle and also that no manipulated DNS entries can be infiltrated, which further prevents DDoS attacks (distributed denial of service). Technically, name resolution using DoT takes place via TCP port 853. Currently, many client devices such as routers, smartphones, and tablets already support the DoT protocol as standard. For desktop PCs, there are software solutions that enable this support. To ensure secure name resolution via DoT is successful, the DNS resolver must also support the standard. End users now have a wide selection of free DNS providers to choose from.


Is DNS over TLS useful?

DoT primarily offers advantages in terms of security and data protection. When DNS technology for assigning domain names and IP addresses was developed in the early days of the Internet, security concerns did not yet play a major role. For this reason, the transmission of queries takes place by default in plain text, and no verification of the DNS entries is carried out either.

For these reasons, cybercriminals can abuse the DNS as a powerful tool for attacks. Manipulating the delegation structure of domain names, for example, can redirect data traffic to other IP addresses. In this way, Internet users can be diverted to malicious platforms – without them noticing anything suspicious – for the purpose of stealing their account data, spreading malware, or spreading fake news. These types of attack on the DNS are known as DNS cache poisoning, DNS spoofing or DNS hijacking. The censorship of and blocking measures against individual websites are also possible via the DNS. Autocratic states, for example, often resort to DNS blocks to censor unpopular social media platforms or the web presence of the political opposition. This involves checking DNS queries against a blacklist of “undesirable Internet sites” and responding with a specific IP address if there are hits. In this way, network operators also block illegal platforms on the net.


What does DNS over TLS protect against?

The threat potential of DNS-based attacks was demonstrated in 2019, for example, when the Internet Corporation for Assigned Names and Numbers (ICANN) issued an urgent warning about a global DNS hijacking campaign. The attack affected dozens of domains belonging to government, telecommunications and Internet infrastructure organizations in Europe, North America, North Africa and the Middle East. Actors with a state background are believed to have been behind the attacks, primarily pursuing political goals.

Code on a screen


What are the disadvantages of DNS over TLS?

Since DoT runs specifically over TCP port 853, the protocol is relatively easy to block via port filters or firewalls. In such a case, a fallback to conventional, “unsecure” DNS or one of the other encryption methods is required in order to establish a connection to a specific website. Furthermore, the encryption creates an overhead that results in measurable performance losses.


What are the alternatives to DNS over TLS?

DoT is not the only way to protect DNS queries. Over the years, a whole range of standards and extensions have evolved to authenticate and/or encrypt DNS. Here is a selection of the most common solutions at a glance:


DNS over HTTPS (DoH) is currently one of the most common solutions for DNS encryption, alongside DoT. With DoH, DNS queries and responses are sent using the secure website protocol HTTPS via port 443. This makes the transmissions indistinguishable from conventional website traffic, which prevents targeted blocking of the technology, for example by the network operator. Compared to conventional DNS name resolution, DoH is less performant. DoH was standardized by the IETF in 2018 as RFC 8484.


DNS over QUIC (DoQ) is a novel protocol currently being standardized by the IETF. DoQ aims to combine the advantages of encrypted name resolution with short latency times. For high-performance data transfer, DoQ uses the new QUIC protocol, which is also used in HTTP/3 and relies on TLS 1.3 for security.


DNSCrypt is also a protocol that is used for encryption, authentication, and optionally anonymization of communication between the DNS client and the DNS resolver. The data traffic to the DNS resolver is safeguarded via asymmetric encryption using Curve25519. By default, DNSCrypt uses port 443. To anonymize DNS queries, DNSCrypt can be extended with Anonymized DNS technology, which is also compatible with the other encrypted protocols, but which DNSCrypt claims is the easiest and most efficient to implement.


DNSSEC is a security extension that provides source authentication during name resolution. The technology can be used to validate the integrity of web servers and the connections established with them. This ensures that a specific domain is in fact assigned to the correct web server. Sabotage attempts can thus be detected and countered. DNSSEC can also be used to secure the integrity of digital communication via e-mail or VoIP. Unlike DoT, DoH, or DNSCrypt, DNSSEC does not encrypt the name resolution; the focus here is solely on integrity checking to rule out any damaging manipulation.


DNS over TLS: What you need to know

DoT is a protocol for encrypted name resolution that is designed to offer cybersecurity and data protection advantages compared with unprotected DNS. The technology establishes a TLS-protected connection between the client and the resolver using port 853 by default. This protects transmitted DNS queries and responses from espionage and sabotage by man-in-the-middle attacks. Critics of DoT, however, complain that the technology can be countered relatively easily, for example by blocking the designated port in the respective network. Furthermore, encryption via TLS causes measurable performance losses. In addition to DoT, a variety of other solutions for DNS safeguarding exist, such as DNSSEC, DoH, DoQ and DNSCrypt. All have their own advantages and disadvantages. None of the technologies has yet gained widespread acceptance.