eastbaycyber

What Is DNS over TLS?

Glossary 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

DNS over TLS is a way to send DNS traffic through an encrypted TLS connection instead of traditional plaintext DNS.

DNS over TLS (DoT) is a protocol that encrypts DNS queries and responses between a device and a DNS resolver using Transport Layer Security. The main goal of DNS over TLS is to improve privacy and reduce the chance that someone on the network path can read or modify DNS traffic in transit.

If you’re comparing encrypted DNS options, it also helps to understand what is dns and what is dns over https.

How DNS over TLS Works

To understand DoT, start with the problem it solves: standard DNS is often sent unencrypted. That means observers on the network may be able to inspect DNS lookups or, in some cases, tamper with them.

DNS over TLS wraps DNS traffic inside a TLS session.

1. The Client Selects a Resolver

A device, operating system, app, or network administrator configures the client to use a DNS resolver that supports DoT.

This may be:

  • a public DNS provider
  • an ISP resolver that supports DoT
  • an enterprise protective resolver
  • a security or privacy-focused DNS service

2. A TLS Connection Is Established

Before DNS queries are sent, the client opens a TLS-encrypted session to the resolver.

This encrypted channel helps provide:

  • confidentiality in transit
  • integrity protection
  • validation that the client is talking to the intended resolver, depending on configuration

3. DNS Queries Travel Inside the Encrypted Channel

Once the TLS session is active, DNS queries and responses move through that protected connection.

An observer on the network can often still tell that the device is connecting to a resolver, but usually cannot see the exact domain names being requested.

4. The Resolver Performs the Lookup

The resolver then answers from cache or performs the broader DNS lookup on the client’s behalf.

At this point, the resolver itself still sees the requested domain names. DoT protects the transport path, not the resolver from its own visibility.

5. The Encrypted Response Returns to the Client

The answer is sent back through the same TLS-protected session, helping prevent simple interception or modification while the response is in transit.

What DNS over TLS Protects

DoT is mainly a transport privacy improvement. It can help defend against:

  • passive monitoring of DNS traffic on local networks
  • plaintext DNS inspection by untrusted Wi-Fi operators
  • some in-transit tampering between the client and resolver
  • easy visibility into browsing-related destination lookups

This can be especially useful on public Wi-Fi, guest networks, hotel networks, or other environments where you do not fully trust the local network.

For users who regularly connect from untrusted networks, encrypted DNS is often part of a broader privacy stack that may also include a VPN such as Check NordVPN pricing → or Try Proton VPN →, depending on whether the goal is only DNS privacy or broader traffic protection.

What DNS over TLS Does Not Protect

DNS over TLS is useful, but it has important limits.

The Resolver Still Sees the Query

DoT encrypts the connection to the resolver. It does not hide the query from the resolver itself.

That means you are shifting trust from the local network path to the resolver operator.

It Does Not Solve All DNS Security Problems

DoT protects DNS in transit, but it does not by itself verify the authenticity of DNS data the way DNSSEC is meant to help with.

In simple terms:

  • DoT = transport encryption
  • DNSSEC = response authenticity and integrity validation

They solve different problems.

It Does Not Hide All Metadata

Even if the DNS query is encrypted, other network signals may still reveal useful information about where a device is connecting.

Depending on the application and protocol, destination IPs, SNI behavior, traffic timing, and other metadata may still expose patterns.

It Can Change Security Visibility

Organizations that rely on plaintext DNS inspection may lose some traditional monitoring when clients use encrypted DNS directly.

That is not automatically bad, but it means defenders may need alternate visibility through:

  • endpoint telemetry
  • secure DNS resolvers
  • proxy logging
  • protective DNS services
  • network architecture changes

DNS over TLS vs. Regular DNS

The core difference is straightforward.

Traditional DNS

Traditional DNS queries are often readable in transit. That makes them easy to inspect, filter, or intercept on many networks.

DNS over TLS

DNS over TLS encrypts those same queries between the client and resolver. That makes passive observation much harder on the path between them.

So DoT is best understood as a privacy and transport security upgrade over plaintext DNS.

DNS over TLS vs. DNS over HTTPS

DoT is often compared with DNS over HTTPS, or DoH.

DNS over TLS

  • uses TLS for encrypted DNS transport
  • typically uses a dedicated DNS service channel
  • is often easier to recognize as DNS traffic in managed environments

DNS over HTTPS

  • sends DNS through HTTPS
  • blends with regular web traffic more easily
  • may be preferred by some browsers and applications

Both encrypt DNS in transit. The choice usually comes down to policy, platform support, visibility, and management needs.

When You’ll Encounter DNS over TLS

DNS over TLS usually comes up in a few practical settings.

On Privacy-Focused Devices and Networks

Many modern devices, mobile platforms, and home routers support encrypted DNS settings.

In those cases, DoT is often enabled to reduce exposure of DNS lookups on shared or untrusted networks.

In Enterprise Endpoint and Network Design

Security and IT teams discuss DoT when deciding:

  • which resolvers employees should use
  • whether off-network devices should use encrypted DNS
  • how to maintain policy enforcement
  • how to preserve monitoring without plaintext DNS

This is common in remote work, zero trust, and SSE or SASE design conversations.

During Troubleshooting

Analysts may notice DoT when:

  • packet captures no longer show plaintext DNS requests
  • domain-based detections stop working as expected
  • endpoints appear to bypass local DNS infrastructure
  • filtering behavior changes after OS or browser updates

In Security Architecture Reviews

DoT often appears in conversations about:

  • DNS privacy
  • encrypted traffic visibility
  • resolver trust
  • remote user protection
  • internet access control design

Bottom Line

DNS over TLS encrypts DNS traffic between a device and its resolver, making domain lookups harder to read or tamper with while they travel across the network. It is a meaningful privacy improvement, but it does not eliminate the resolver’s visibility into queries or replace the need for deliberate DNS security and monitoring design.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.