What Is DNS over TLS?
DNS over TLS is a way to send DNS traffic through an encrypted TLS connection instead of traditional plaintext DNS.
DNS over TLS (DoT) is a protocol that encrypts DNS queries and responses between a device and a DNS resolver using Transport Layer Security. The main goal of DNS over TLS is to improve privacy and reduce the chance that someone on the network path can read or modify DNS traffic in transit.
If you’re comparing encrypted DNS options, it also helps to understand what is dns and what is dns over https.
How DNS over TLS Works
To understand DoT, start with the problem it solves: standard DNS is often sent unencrypted. That means observers on the network may be able to inspect DNS lookups or, in some cases, tamper with them.
DNS over TLS wraps DNS traffic inside a TLS session.
1. The Client Selects a Resolver
A device, operating system, app, or network administrator configures the client to use a DNS resolver that supports DoT.
This may be:
- a public DNS provider
- an ISP resolver that supports DoT
- an enterprise protective resolver
- a security or privacy-focused DNS service
2. A TLS Connection Is Established
Before DNS queries are sent, the client opens a TLS-encrypted session to the resolver.
This encrypted channel helps provide:
- confidentiality in transit
- integrity protection
- validation that the client is talking to the intended resolver, depending on configuration
3. DNS Queries Travel Inside the Encrypted Channel
Once the TLS session is active, DNS queries and responses move through that protected connection.
An observer on the network can often still tell that the device is connecting to a resolver, but usually cannot see the exact domain names being requested.
4. The Resolver Performs the Lookup
The resolver then answers from cache or performs the broader DNS lookup on the client’s behalf.
At this point, the resolver itself still sees the requested domain names. DoT protects the transport path, not the resolver from its own visibility.
5. The Encrypted Response Returns to the Client
The answer is sent back through the same TLS-protected session, helping prevent simple interception or modification while the response is in transit.
What DNS over TLS Protects
DoT is mainly a transport privacy improvement. It can help defend against:
- passive monitoring of DNS traffic on local networks
- plaintext DNS inspection by untrusted Wi-Fi operators
- some in-transit tampering between the client and resolver
- easy visibility into browsing-related destination lookups
This can be especially useful on public Wi-Fi, guest networks, hotel networks, or other environments where you do not fully trust the local network.
For users who regularly connect from untrusted networks, encrypted DNS is often part of a broader privacy stack that may also include a VPN such as Check NordVPN pricing → or Try Proton VPN →, depending on whether the goal is only DNS privacy or broader traffic protection.
What DNS over TLS Does Not Protect
DNS over TLS is useful, but it has important limits.
The Resolver Still Sees the Query
DoT encrypts the connection to the resolver. It does not hide the query from the resolver itself.
That means you are shifting trust from the local network path to the resolver operator.
It Does Not Solve All DNS Security Problems
DoT protects DNS in transit, but it does not by itself verify the authenticity of DNS data the way DNSSEC is meant to help with.
In simple terms:
- DoT = transport encryption
- DNSSEC = response authenticity and integrity validation
They solve different problems.
It Does Not Hide All Metadata
Even if the DNS query is encrypted, other network signals may still reveal useful information about where a device is connecting.
Depending on the application and protocol, destination IPs, SNI behavior, traffic timing, and other metadata may still expose patterns.
It Can Change Security Visibility
Organizations that rely on plaintext DNS inspection may lose some traditional monitoring when clients use encrypted DNS directly.
That is not automatically bad, but it means defenders may need alternate visibility through:
- endpoint telemetry
- secure DNS resolvers
- proxy logging
- protective DNS services
- network architecture changes
DNS over TLS vs. Regular DNS
The core difference is straightforward.
Traditional DNS
Traditional DNS queries are often readable in transit. That makes them easy to inspect, filter, or intercept on many networks.
DNS over TLS
DNS over TLS encrypts those same queries between the client and resolver. That makes passive observation much harder on the path between them.
So DoT is best understood as a privacy and transport security upgrade over plaintext DNS.
DNS over TLS vs. DNS over HTTPS
DoT is often compared with DNS over HTTPS, or DoH.
DNS over TLS
- uses TLS for encrypted DNS transport
- typically uses a dedicated DNS service channel
- is often easier to recognize as DNS traffic in managed environments
DNS over HTTPS
- sends DNS through HTTPS
- blends with regular web traffic more easily
- may be preferred by some browsers and applications
Both encrypt DNS in transit. The choice usually comes down to policy, platform support, visibility, and management needs.
When You’ll Encounter DNS over TLS
DNS over TLS usually comes up in a few practical settings.
On Privacy-Focused Devices and Networks
Many modern devices, mobile platforms, and home routers support encrypted DNS settings.
In those cases, DoT is often enabled to reduce exposure of DNS lookups on shared or untrusted networks.
In Enterprise Endpoint and Network Design
Security and IT teams discuss DoT when deciding:
- which resolvers employees should use
- whether off-network devices should use encrypted DNS
- how to maintain policy enforcement
- how to preserve monitoring without plaintext DNS
This is common in remote work, zero trust, and SSE or SASE design conversations.
During Troubleshooting
Analysts may notice DoT when:
- packet captures no longer show plaintext DNS requests
- domain-based detections stop working as expected
- endpoints appear to bypass local DNS infrastructure
- filtering behavior changes after OS or browser updates
In Security Architecture Reviews
DoT often appears in conversations about:
- DNS privacy
- encrypted traffic visibility
- resolver trust
- remote user protection
- internet access control design
Bottom Line
DNS over TLS encrypts DNS traffic between a device and its resolver, making domain lookups harder to read or tamper with while they travel across the network. It is a meaningful privacy improvement, but it does not eliminate the resolver’s visibility into queries or replace the need for deliberate DNS security and monitoring design.