DNS over TLS (DoT)
Definition
A protocol that encrypts DNS queries by wrapping them in TLS on a dedicated port (853). Unlike DNS over HTTPS, DoT uses a separate port, which makes it easier for network administrators to identify and manage DNS traffic.
DoT vs. DoH: A Key Distinction
DNS over TLS (DoT, RFC 7858) encrypts DNS queries using the TLS protocol on a dedicated TCP port, 853, rather than tunneling them inside HTTPS. This makes DoT easy for network administrators to identify and manage: firewalls can selectively allow or block port 853 without impacting regular web traffic on port 443, unlike DNS over HTTPS (DoH), which is indistinguishable from ordinary HTTPS traffic on port 443.
How DoT Establishes Security
The client opens a TLS connection to the resolver on port 853, validates the resolver's certificate (typically against a pinned public key or standard CA chain), and then sends standard DNS wire-format queries over the encrypted channel. The TLS handshake adds a small latency overhead on the first connection, but subsequent queries within the same session reuse the established TLS session, keeping round-trip times low.
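The exchange described above, as an added example that is not part of the original page: a minimal Python DoT client that builds the DNS wire-format query, frames it with the 2-byte length prefix RFC 7858 borrows from DNS over TCP, and parses a constructed A-record response. The TLS step (port 853, certificate and hostname verification via `ssl.create_default_context`) lives in `query_dot()`, which needs network access; `resolver_ip`, `server_name` and the `0x1234` transaction id are assumptions, and the framing and parsing functions run offline.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # dedicated DoT port (RFC 7858); DoH would share 443 with web traffic

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """RFC 1035 wire-format A query; 0x1234 is a constructed transaction id."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def _skip_name(resp: bytes, pos: int) -> int:  # past a name, compressed or not
    if resp[pos] & 0xC0 == 0xC0:
        return pos + 2                     # 2-byte compression pointer
    while resp[pos] != 0:
        pos += resp[pos] + 1
    return pos + 1                         # root label terminator

def parse_a_records(resp: bytes, txid: int = 0x1234) -> list:
    """Return IPv4 strings from the answer section after checking the TXID."""
    rid, _flags, qd, an = struct.unpack("!HHHH", resp[:8])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4    # skip echoed question: name + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:      # A record
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def query_dot(resolver_ip: str, server_name: str, qname: str) -> list:
    """Open TLS to port 853, verify the resolver's certificate, send one query."""
    ctx = ssl.create_default_context()     # CERT_REQUIRED plus hostname check
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(build_query(qname)))
            reader = tls.makefile("rb")
            (length,) = struct.unpack("!H", reader.read(2))
            return parse_a_records(reader.read(length))
```

A resolver that presents a certificate not matching `server_name` fails inside `wrap_socket`, before any query leaves the host.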
Deployment in Enterprise and Mobile
Android devices (version 9 and later) support DoT natively via the "Private DNS" setting, making it the most widely deployed encrypted DNS protocol on mobile. Enterprise environments often deploy DoT to internal resolvers to satisfy compliance requirements for encrypted DNS traffic. Unlike DNSSEC, which verifies record integrity but not confidentiality, DoT prevents passive eavesdropping on which domains users query.