Specification for DNS over Transport Layer Security (TLS)
Z. Hu, L. Zhu, J. Heidemann, A. Mankin, D. Wessels, P. Hoffman · 2016-05
Abstract
RFC 7858 specifies DNS over TLS (DoT), a protocol that encrypts DNS queries and responses using TLS over TCP port 853. DoT provides confidentiality and integrity for DNS traffic, preventing passive eavesdropping and active manipulation of DNS messages by on-path observers.
Why This RFC Matters
Until RFC 7858, DNS traffic was transmitted in plaintext, making every DNS query visible to any network observer — ISPs, governments, and attackers alike. Leaked DNS queries reveal browsing habits even when HTTPS protects the content. RFC 7858 was the first standardized solution, encrypting DNS over a dedicated TLS connection on port 853. While DoT provides strong privacy guarantees, its use of a distinct port makes it easily blockable by firewalls, which led to the subsequent development of DoH (RFC 8484) on port 443. Together, DoT and DoH represent the shift from treating DNS privacy as optional to recognizing it as a fundamental requirement.
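As an added example that is not part of this page or of the RFC text, a minimal Python DoT client in the form the abstract describes: it builds an RFC 1035 query, applies the two-octet length prefix that DoT inherits from DNS over TCP, opens a certificate-verified TLS session to port 853, and extracts the A records from the reply. The resolver address, transaction id and the 192.0.2.1 sample address are assumptions, not values from the page.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # dedicated DNS-over-TLS port assigned by RFC 7858

def build_query(name, txid=0x1234, qtype=1):
    # RFC 1035 header: id, flags with RD=1, QDCOUNT=1; then QNAME, QTYPE, QCLASS=IN (txid is an assumed sample value)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)
def frame_dot(msg):
    # DoT reuses the RFC 1035 TCP framing: a two-octet big-endian length prefix
    return struct.pack("!H", len(msg)) + msg
def read_framed(stream):
    # stream is a binary file object (sock.makefile("rb")); read(n) absorbs short TCP reads
    (length,) = struct.unpack("!H", stream.read(2))  # struct.error on a short header
    msg = stream.read(length)
    if len(msg) != length:
        raise ConnectionError("peer closed the connection mid-message")
    return msg
def skip_name(msg, pos):
    # Advance past a domain name; a compression pointer (top two bits set) ends it
    while msg[pos] != 0 and msg[pos] & 0xC0 != 0xC0:
        pos += msg[pos] + 1
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)
def parse_a_records(resp, txid):
    # Accept only a response (QR bit set) carrying our transaction id
    rid, flags, qd, an = struct.unpack("!HHHH", resp[:8])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    pos, addrs = 12, []
    for _ in range(qd):
        pos = skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        pos = skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record: one IPv4 address
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs
def query_dot(server, name, hostname=None, txid=0x1234):
    # Authenticated TLS to port 853: the default context verifies the resolver's certificate and name
    with socket.create_connection((server, DOT_PORT), timeout=5) as raw, \
         ssl.create_default_context().wrap_socket(raw, server_hostname=hostname or server) as tls:
        tls.sendall(frame_dot(build_query(name, txid)))
        return parse_a_records(read_framed(tls.makefile("rb")), txid)
```

Calling query_dot("<resolver-ip-or-name>", "example.com") performs a live lookup; the framing and parsing functions can be exercised offline against a constructed reply.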