
What Is DoT? Security Definition

Also known as: DNS over TLS, DNS-over-TLS

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.


Quick Definition

DNS over TLS (DoT) is a security protocol that encrypts Domain Name System (DNS) queries and responses using the Transport Layer Security (TLS) protocol. Normally, DNS queries are sent in plaintext over UDP or TCP, making them visible to anyone monitoring the network. DoT wraps these queries in a TLS tunnel, typically on port 853, to prevent eavesdropping, tampering, and spoofing. It ensures that the DNS resolution process remains confidential and authentic between the client (such as a user's device or a recursive resolver) and the upstream DNS server. DoT was standardized in RFC 7858 and is widely used to enhance privacy in both enterprise and home networks, especially against passive surveillance and man-in-the-middle attacks. By encrypting the entire DNS exchange, DoT protects user privacy and improves the overall security posture of network communications.

Must Know for Exams

On the CompTIA Network+ exam (N10-008), DoT appears in Domain 4.0 (Network Security) and Domain 5.0 (Network Troubleshooting). Key exam focus areas include:

(1) Identifying DoT as a method to encrypt DNS traffic, contrasting it with unencrypted DNS (port 53) and DoH (port 443).
(2) Knowing that DoT uses TCP port 853 by default—a common exam question asks which port is used by DNS over TLS.
(3) Understanding that DoT operates at the Transport Layer (Layer 4) for the TCP connection, but the encryption is at the Presentation Layer (Layer 6) via TLS.
(4) Recognizing that DoT provides encryption but does not hide the fact that DNS traffic is occurring—an attacker can still see that port 853 is in use.
(5) Troubleshooting scenarios where DoT fails due to a firewall blocking port 853, incorrect TLS certificate validation, or mismatched cipher suites.

On Security+ (SY0-601), DoT appears in Domain 3.0 (Implementation) and Domain 4.0 (Operations and Incident Response). Exam focus includes:

(1) DoT as a control to protect DNS from man-in-the-middle attacks.
(2) Comparing DoT to DNSSEC—DoT encrypts, DNSSEC signs.
(3) Understanding that DoT does not prevent DNS-based data exfiltration if the resolver is malicious.
(4) Knowing that DoT can be used with public DNS providers to enhance privacy on untrusted networks.
(5) Recognizing that DoT is not a replacement for DNSSEC; both can be used together for comprehensive DNS security.

Simple Meaning

Imagine you are mailing a postcard to a friend asking for directions to their house. Anyone handling that postcard—postal workers, neighbors, even strangers—can read your request and the reply. DNS over TLS is like putting that postcard inside a sealed, opaque envelope.

Only your friend can open the envelope and read the directions. Even if someone intercepts the envelope, they cannot see what is inside or tamper with the message. This way, your request for a website address (like 'example.com') and the IP address returned remain private and unchanged. Just as you trust the postal service to deliver the sealed envelope, DoT trusts the encrypted TLS connection to protect your DNS queries from prying eyes.

Full Technical Definition

DNS over TLS (DoT) is a network security protocol defined in RFC 7858 that encrypts DNS queries and responses using TLS, typically over TCP port 853. It operates at the Application Layer (Layer 7) of the OSI model, but relies on the Transport Layer (Layer 4) for TCP and the Presentation/Session Layers for TLS encryption. The protocol establishes a TLS session between a DNS client (stub resolver) and a DNS server (recursive resolver) before any DNS messages are exchanged.

The TLS handshake authenticates the server (optionally the client) and negotiates encryption keys. Once established, all DNS messages are encapsulated within TLS records, ensuring confidentiality, integrity, and authenticity. DoT uses a dedicated port (853) to distinguish encrypted DNS traffic from unencrypted DNS (port 53).

The packet structure consists of a standard DNS message (header, question, answer, authority, additional) wrapped in a TLS record. Compared to DNS over HTTPS (DoH), DoT runs TLS directly over TCP rather than inside an HTTP session, and because it uses a dedicated port it is easier for network administrators to filter or block.

DoT is often used in enterprise environments where network policy requires visibility into DNS traffic, but still demands encryption against external threats. It is also supported by major operating systems (Android, iOS, Windows) and public DNS providers (Cloudflare, Quad9, Google).

Real-Life Example

At a mid-sized company, the IT team deploys a Pi-hole DNS sinkhole on the local network to block ads and trackers. They configure all employee workstations to use the Pi-hole as their DNS resolver. However, they notice that some employees use VPNs or public Wi-Fi, which bypass the local resolver and send DNS queries in plaintext over the internet.

To enforce consistent DNS security, the IT team enables DoT on the Pi-hole and configures it to forward encrypted queries to Cloudflare's 1.1.1.1 DoT service. They also push a Group Policy Object (GPO) to all Windows domain-joined machines, setting the DNS resolver to use DoT with the Pi-hole's IP address.

Now, when an employee types 'example.com' in their browser, the query is encrypted from the workstation to the Pi-hole, and then from the Pi-hole to Cloudflare. Even if an attacker intercepts the traffic, they cannot see which websites are being requested.

The company also logs DNS queries for security auditing, but the logs only show encrypted traffic metadata, not the actual queries—protecting employee privacy while maintaining network oversight.

Why This Term Matters

IT professionals must understand DoT because DNS is a fundamental network service that is often exploited for surveillance, data exfiltration, and attacks like DNS spoofing or cache poisoning. Without encryption, DNS queries reveal every website a user visits, making it a prime target for eavesdropping. DoT provides a straightforward way to encrypt DNS traffic without changing the underlying DNS protocol, making it easy to deploy on existing infrastructure.

Troubleshooting DoT issues requires knowledge of TLS handshakes, certificate validation, and firewall rules for port 853. For career value, DoT is a key topic in CompTIA Network+ and Security+ exams, and real-world experience with DoT configuration is increasingly expected in network administration roles. Understanding DoT also helps professionals evaluate privacy trade-offs between DoT and DoH, and implement DNS security policies that balance encryption with network monitoring needs.

How It Appears in Exam Questions

Question Pattern 1: 'Which port does DNS over TLS use?' Wrong answers include 53 (DNS), 443 (HTTPS/DoH), 389 (LDAP). Correct answer: 853.

Pattern 2: 'Which of the following encrypts DNS queries but does not provide authentication?' Wrong answers: DNSSEC (provides authentication, not encryption), IPsec (encrypts but not DNS-specific), TLS (correct but too broad). Correct: DNS over TLS.

Pattern 3: 'A network administrator wants to encrypt DNS traffic between clients and the corporate DNS server. Which protocol should they use?' Wrong answers: DNS over HTTPS (uses port 443, may be filtered), plain DNS (no encryption), DNSSEC (signs but does not encrypt). Correct: DNS over TLS.

Pattern 4: Scenario: 'Users report that DNS resolution fails after a firewall update. The firewall blocks all ports except 53, 80, and 443. What is the most likely cause?' Wrong answers: DNS server down, incorrect DHCP settings, DNSSEC validation failure. Correct: DoT uses port 853, which is blocked. The correct answer is to allow port 853 or switch to DoH (port 443).


Example Scenario

Step 1: A user types 'www.example.com' into their browser.
Step 2: The operating system's stub resolver checks its local cache; no entry found.
Step 3: The stub resolver initiates a TCP connection to the configured DNS resolver (e.g., 1.1.1.1) on port 853.
Step 4: A TLS handshake occurs: the resolver presents its certificate, the client verifies it (e.g., against a trusted root CA), and they exchange encryption keys.
Step 5: The client sends the DNS query for 'www.example.com' inside the encrypted TLS tunnel.
Step 6: The resolver decrypts the query, looks up the IP address (93.184.216.34), and sends the response back through the same encrypted tunnel.
Step 7: The client receives the response, caches it, and the browser connects to the IP address via HTTPS.

Throughout this process, any eavesdropper on the network sees only encrypted traffic on port 853—they cannot see the domain name or the IP address returned.

Common Mistakes

Students think DoT uses port 53, the same as unencrypted DNS.

DoT uses a dedicated port 853 to distinguish encrypted DNS traffic from unencrypted DNS (port 53). Using port 53 would break compatibility with existing DNS infrastructure and prevent network administrators from filtering encrypted vs. unencrypted traffic.

Remember: DoT = port 853; plain DNS = port 53; DoH = port 443.

Students believe DoT provides authentication of DNS data, similar to DNSSEC.

DoT encrypts the DNS query and response, but does not cryptographically sign the DNS records. DNSSEC provides origin authentication and integrity through digital signatures. DoT and DNSSEC are complementary; you can use both for full security.

DoT = encryption (privacy); DNSSEC = signatures (authenticity). They are not the same.

Students think DoT is the same as DNS over HTTPS (DoH).

DoT uses TLS directly over TCP port 853, while DoH uses HTTPS (HTTP/2 or HTTP/1.1 over TLS) on port 443. DoT is easier to block or filter by network administrators because it uses a dedicated port; DoH blends with web traffic and is harder to block.

DoT = port 853, dedicated; DoH = port 443, blends with web traffic. They are different protocols.

Exam Trap — Don't Get Fooled

The trap: A question asks 'Which protocol encrypts DNS queries and uses port 853?' and the answer choices include 'DNS over HTTPS (DoH)'. Students see 'encrypts DNS' and 'port 853' and think DoH uses 853, but DoH uses 443. They select DoH and get it wrong.

Why learners choose it: Learners often confuse DoT and DoH because both encrypt DNS. They may misremember the port numbers or think that 'over TLS' and 'over HTTPS' are interchangeable. The similarity in names and purpose makes it easy to pick the wrong one, especially under time pressure.

How to avoid it: Memorize this rule: 'DoT = 853, DoH = 443.' When you see a question about port numbers, immediately associate DoT with 853 and DoH with 443. If the question mentions 'dedicated port', it's DoT. If it mentions 'uses HTTPS', it's DoH. Practice this distinction until it's automatic.

Commonly Confused With

DoT vs. DNS over HTTPS (DoH)

DoT uses TLS directly on port 853, while DoH encapsulates DNS queries in HTTPS (HTTP/2 or HTTP/1.1 over TLS) on port 443. DoT is easier to filter by network administrators because it uses a dedicated port; DoH is harder to block because it blends with regular web traffic.

Use DoT when you want to encrypt DNS but still allow your network administrator to easily block or monitor DNS traffic; use DoH when you want to hide DNS traffic from network filters (e.g., on a public Wi-Fi that blocks port 853).

DoT vs. DNSSEC

DNSSEC adds digital signatures to DNS records to provide authentication and integrity, but does not encrypt the query or response. DoT encrypts the entire DNS exchange but does not validate the authenticity of the DNS data. They are complementary: DoT provides privacy, DNSSEC provides trust.

Use DNSSEC to ensure that the IP address for 'example.com' hasn't been tampered with; use DoT to ensure that no one can see that you are looking up 'example.com'.

Step-by-Step Breakdown


Step 1 — Client initiates TCP connection to DNS resolver on port 853

The client (stub resolver) opens a TCP connection to the configured DNS server's IP address on port 853. This is the dedicated port for DoT, distinguishing it from unencrypted DNS on port 53.


Step 2 — TLS handshake begins

The client and server perform a TLS handshake. The server presents its digital certificate (e.g., from a public CA like Let's Encrypt). The client verifies the certificate's validity, checks the hostname, and ensures the certificate is not expired or revoked.


Step 3 — Encryption keys are exchanged

After successful certificate validation, the client and server negotiate a symmetric session key using the TLS key exchange algorithm (e.g., ECDHE). This key will be used to encrypt all subsequent DNS messages.


Step 4 — DNS query is sent encrypted

The client constructs a standard DNS query (e.g., for 'www.example.com') and encrypts it using the session key. The encrypted query is sent over the TCP connection as a TLS record. The server decrypts it using the same key.


Step 5 — DNS response is returned encrypted

The server processes the query, looks up the IP address, and sends the response back encrypted within a TLS record. The client decrypts the response and uses the IP address to establish a connection to the target website.
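The five steps above (and the Example Scenario earlier on this page) describe what crosses the wire; the following added Python example, written for this page and not taken from any resolver or library, shows the DoT-specific parts concretely: building a standard DNS query, the 2-octet length prefix that DoT inherits from DNS over TCP, and a parser that checks the transaction id and RCODE before trusting the answer. The response bytes are constructed here to match the page's scenario (www.example.com, 93.184.216.34) rather than captured from a real resolver, so the parsing runs offline; only the `dot_query` function opens a real TLS connection, and its strict certificate and hostname verification is the part that matters for the man-in-the-middle concerns raised in Step 2.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # dedicated DoT port (RFC 7858)


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard DNS query (header + question section) for `name`.
    Flags 0x0100 = standard query with Recursion Desired; QTYPE 1 = A, QCLASS 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_for_tcp(message: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-octet big-endian length precedes each message."""
    return struct.pack("!H", len(message)) + message


def _read_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def read_framed(sock) -> bytes:
    """Read one length-prefixed DNS message from a (TLS-wrapped) stream socket."""
    (length,) = struct.unpack("!H", _read_exact(sock, 2))
    return _read_exact(sock, length)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 octets, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(message: bytes, expected_txid: int) -> list:
    """Return the IPv4 addresses in the answer section after checking the
    transaction id and the response code (RCODE is the low 4 bits of the flags)."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(message, off) + 4  # skip QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        off = _skip_name(message, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", message[off:off + 10])
        off += 10
        rdata = message[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return addresses


def sample_response(txid: int = 0x1234) -> bytes:
    """Constructed response for www.example.com (not captured from a real resolver):
    flags 0x8180 = response, RD, RA, NOERROR; one question, one A record with a
    compression pointer (0xC00C) back to the question name."""
    question = build_query("www.example.com", txid=txid)[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def dot_query(resolver_ip: str, resolver_name: str, qname: str) -> list:
    """Live DoT lookup (needs network; not exercised offline). The default context
    verifies the certificate chain against the system trust store and checks that the
    certificate matches `resolver_name`; skipping either check is what lets a rogue
    certificate impersonate the resolver."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = 0x4242
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_name) as tls:
            tls.sendall(frame_for_tcp(build_query(qname, txid=txid)))
            return parse_a_records(read_framed(tls), txid)


if __name__ == "__main__":
    # Offline demonstration; a live lookup would be e.g.
    # dot_query("1.1.1.1", "cloudflare-dns.com", "www.example.com")
    print(parse_a_records(sample_response(), 0x1234))
```

Note that the only thing that changes between plain DNS over TCP and DoT is the `wrap_socket` call and the port: the DNS message itself is untouched, which is why the page can say DoT encrypts without changing the underlying protocol. The `server_hostname` argument is what ties the certificate to the resolver you meant to reach; a client that connects by IP alone and disables hostname checking still gets encryption but loses the authentication the handshake is supposed to provide.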

Practical Mini-Lesson

Core Concept: DNS over TLS (DoT) is a protocol that encrypts DNS queries and responses using TLS, preventing eavesdropping and tampering.

How It Works: A client (stub resolver) establishes a TCP connection to a DNS server on port 853. They perform a TLS handshake, authenticating the server (usually via a certificate) and negotiating a symmetric encryption key. All subsequent DNS messages are encrypted within TLS records. The server decrypts the query, processes it normally, and encrypts the response. The client decrypts and uses the response.

Comparison to Similar Technologies: DoT vs. DoH (DNS over HTTPS): DoH uses HTTPS (port 443) and is often harder to block because it blends with web traffic. DoT uses a dedicated port (853) and is easier to filter by network administrators. DoT vs. DNSSEC: DNSSEC adds digital signatures to DNS records for authenticity and integrity, but does not encrypt the query or response. DoT provides encryption but does not validate the authenticity of the DNS data itself. They are complementary—you can use both.

Configuration Notes: On Windows, you can enable DoT via 'Settings > Network & Internet > Ethernet > DNS server assignment > Edit > Preferred DNS encryption: Encrypted only (DNS over HTTPS)'—note that Windows calls it 'DNS over HTTPS' but actually supports both DoT and DoH depending on the server. On Android, go to 'Settings > Network & Internet > Private DNS' and select 'Private DNS provider hostname' (e.g., 'cloudflare-dns.com'). On Linux, use 'systemd-resolved' with 'DNSOverTLS=yes' in '/etc/systemd/resolved.conf'.

Key Takeaway: DoT is a simple, effective way to encrypt DNS traffic, but it requires firewall rules to allow port 853 and proper certificate validation to prevent man-in-the-middle attacks. Always verify that your resolver supports DoT before configuring it.

Memory Tip

Remember 'DoT' as 'DNS over TLS' — the 'T' stands for TLS, which uses TCP port 853. Think 'TLS = 853' (T is the 20th letter, but 8+5+3=16, T is 20—close enough to remember the port). Or use the mnemonic: 'DNS over TLS keeps your queries private, like a sealed envelope.'

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008 (legacy); N10-009 (current version)
SY0-601 (legacy); SY0-701 (current version)


Frequently Asked Questions

Does DoT work with any DNS resolver?

No, the DNS resolver must explicitly support DoT. Public resolvers like Cloudflare (1.1.1.1), Quad9 (9.9.9.9), and Google (8.8.8.8) support DoT. You can check by configuring your device to use DoT with their hostnames (e.g., 'cloudflare-dns.com'). If the resolver does not support DoT, the connection will fail.

What is the difference between DoT and DoH in terms of network visibility?

DoT uses a dedicated port (853), making it easy for network administrators to identify and filter encrypted DNS traffic. DoH uses port 443 (HTTPS) and blends with regular web traffic, making it harder to block without also blocking HTTPS. DoT is preferred in enterprise environments where DNS traffic needs to be monitored or controlled.

Can DoT prevent DNS spoofing?

DoT encrypts the DNS query and response, preventing an attacker from seeing or modifying the traffic in transit. However, it does not authenticate the DNS data itself. An attacker could still spoof a DNS response if they can intercept the TLS handshake (e.g., with a rogue certificate). For full protection, combine DoT with DNSSEC.

Is DoT supported on all operating systems?

DoT is supported on Android (since Pie), iOS (since 14), Windows (since 10 build 19628, but labeled as 'DNS over HTTPS' in settings), and most Linux distributions via systemd-resolved or stubby. However, configuration methods vary. Always verify that your OS and DNS resolver support DoT before enabling it.

Why would an organization block DoT?

Organizations may block DoT to enforce DNS security policies, such as using a corporate DNS server for content filtering or logging. DoT bypasses these controls because the encrypted traffic goes directly to an external resolver. Blocking port 853 forces devices to use the corporate DNS server, but users could still use DoH on port 443.
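The answer above describes the policy problem from the administrator's side: DoT to an outside resolver bypasses the corporate resolver, and blocking port 853 only covers the part that is visible by port. The following added Python example (written for this page, not part of it; the resolver address and the flow-log lines are constructed, and the log format is an assumed "timestamp src dst proto dport action" layout) turns that into a detection: it flags any plain-DNS or DoT flow whose destination is not the corporate resolver, rates allowed flows above denied ones, and, by design, says nothing about port 443, because port-based inspection cannot tell DoH from ordinary HTTPS.

```python
# Assumed corporate resolver address (the role the Pi-hole plays in this page's example).
CORP_RESOLVERS = {"10.0.0.53"}

# Constructed flow-log lines: timestamp src dst proto dport action
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.1.15 10.0.0.53 udp 53 allow
2024-05-01T09:00:02Z 10.0.1.15 1.1.1.1 tcp 853 allow
2024-05-01T09:00:03Z 10.0.1.22 9.9.9.9 tcp 853 deny
2024-05-01T09:00:04Z 10.0.1.22 8.8.8.8 udp 53 allow
2024-05-01T09:00:05Z 10.0.1.40 10.0.0.53 tcp 853 allow
2024-05-01T09:00:06Z 10.0.1.40 142.250.80.46 tcp 443 allow
"""


def classify_dns(proto: str, dport: int):
    """Port-based classification. Plain DNS is port 53 (UDP or TCP); DoT is TCP 853.
    DoH on 443 is indistinguishable from other HTTPS here, which is exactly why the
    page says it is harder to block; returning None for it is intentional."""
    if dport == 853 and proto == "tcp":
        return "dot"
    if dport == 53:
        return "plain-dns"
    return None


def find_resolver_bypass(log_text: str, corp_resolvers=CORP_RESOLVERS) -> list:
    """Flag DNS flows (plain or DoT) to any destination other than the corporate resolver.
    An allowed bypass means the policy is not enforced (high); a denied one shows a client
    that is configured to bypass it and is worth a look (medium)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, action = line.split()
        kind = classify_dns(proto.lower(), int(dport))
        if kind is None or dst in corp_resolvers:
            continue
        findings.append({
            "time": ts, "src": src, "dst": dst, "kind": kind, "action": action,
            "severity": "high" if action == "allow" else "medium",
        })
    return findings


def summarize(findings: list) -> dict:
    """Count findings per traffic kind, e.g. {'dot': 2, 'plain-dns': 1}."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = find_resolver_bypass(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']}] {f['time']} {f['src']} -> {f['dst']} {f['kind']} ({f['action']})")
    print(summarize(results))
```

On the sample data the two external DoT flows and the plaintext query to 8.8.8.8 are reported; the internal DoT flow to 10.0.0.53 is the intended path and is not. The 443 flow is silently skipped, which is the practical point of the page's DoT-versus-DoH comparison: once DNS rides on 443, a firewall needs something other than a port rule (the corporate resolver's own logs, or endpoint configuration) to see it.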

Summary

1. DNS over TLS (DoT) is a protocol that encrypts DNS queries and responses using TLS, typically on TCP port 853, to protect against eavesdropping and tampering.
2. Its key technical property is that it establishes an encrypted tunnel between a DNS client and server, but does not authenticate the DNS data itself (that's DNSSEC's job).
3. The most important exam fact: DoT uses port 853, not 53 (plain DNS) or 443 (DoH). Remember that DoT is easier for network administrators to filter than DoH because it uses a dedicated port.

On the exam, if you see a question about encrypting DNS traffic and the answer choices include port numbers, look for 853.