(May 11, 2023)
2. DNS-over-TLS
DNS-over-TLS encrypts your DNS queries using Transport Layer Security (TLS). The TLS session protects the query in transit between your client and the resolver, so an on-path attacker can neither read nor alter it, which is what defeats man-in-the-middle (MITM) attacks.
When you use DNS-over-TLS (DoT), your DNS query is sent to a DNS-over-TLS resolver instead of an unencrypted resolver. The DNS-over-TLS resolver decrypts your DNS query and sends it to the authoritative DNS server on your behalf.
The default port for DoT is TCP port 853. When you connect using DoT, the client and the resolver first perform a TLS handshake to establish the encrypted session. The client then sends its DNS query through the encrypted TLS channel to the resolver.
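The exchange described above, as an added example (not code from the original article): a minimal Python DoT client that builds a DNS query, adds the 16-bit length prefix that DNS uses over TCP and therefore over TLS, and opens a certificate-verified TLS session on port 853 before sending it. The resolver address and hostname passed to `dot_query` are placeholders; the transaction ID is fixed only to keep the example reproducible.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # default DNS-over-TLS port (RFC 7858)

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query for qname (QTYPE 1 = A, QCLASS 1 = IN) with RD set.
    The fixed txid keeps the example reproducible; a real client picks a random one."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)

def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP, and hence over TLS, prefixes each message with a 16-bit length."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header: ID, QR bit and RCODE from the flags, section counts."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def make_tls_context() -> ssl.SSLContext:
    """Client context that authenticates the resolver (system CA store, hostname check,
    TLS 1.2 or newer). Without verification the channel is encrypted but not authenticated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes; TLS records may deliver a DNS message in several pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS connection early")
        buf += chunk
    return buf

def dot_query(resolver_ip: str, resolver_name: str, qname: str, qtype: int = 1) -> bytes:
    """TCP connect to port 853, TLS handshake, then one framed query and one framed
    response. Needs network access; resolver_ip and resolver_name are placeholders."""
    query = build_query(qname, qtype)
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=5.0) as raw:
        with make_tls_context().wrap_socket(raw, server_hostname=resolver_name) as tls:
            tls.sendall(frame_tcp(query))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            response = recv_exact(tls, length)
    if parse_header(response)["id"] != parse_header(query)["id"]:
        raise ValueError("response ID does not match the query")
    return response
```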