DNS-over-TLS


DNS over TLS (DoT) is a protocol, specified in RFC 7858, for carrying DNS queries and responses inside a Transport Layer Security (TLS) connection, by default on TCP port 853. The TLS session encrypts the traffic between a client (the stub resolver on a device) and a recursive resolver and lets the client authenticate the resolver by its certificate, so queries and answers on that hop cannot be read or altered by anyone on the path.

Traditionally, DNS queries are sent in cleartext over UDP or TCP port 53. Anyone on the path, such as an internet service provider (ISP), the operator of a shared Wi-Fi network, a government agency or an attacker with a man-in-the-middle position, can read them, and because plain DNS carries no integrity protection, can also forge the responses. This exposes users' browsing behaviour and makes DNS spoofing and redirection attacks straightforward.

With DoT, the stub resolver opens a TLS connection to the recursive resolver and sends its queries inside it. An on-path observer sees only that a DoT session exists, not the names being looked up, and cannot change the answers without breaking the TLS session. Two caveats matter in practice. First, DoT protects only the hop between the client and the resolver: the resolver itself still sees every query in the clear, and its own upstream queries to authoritative servers are normally unencrypted, so the choice of resolver operator is a trust decision. Second, RFC 8310 distinguishes an opportunistic profile, in which the client accepts any certificate (or even a fallback to cleartext), from a strict profile, in which the client verifies the certificate against a configured authentication domain name; only strict mode defends against an active attacker. DoT also does not replace DNSSEC, which protects the integrity of the DNS data itself rather than the transport.

DoT is offered by public resolvers including Cloudflare (1.1.1.1), Google Public DNS (8.8.8.8) and Quad9 (9.9.9.9), and on the client side by software such as systemd-resolved, Android's Private DNS setting, Unbound and Stubby, which can be configured to send all of a device's DNS traffic over TLS.

DoT vs DoH

DNS over TLS (DoT, RFC 7858) and DNS over HTTPS (DoH, RFC 8484) are both protocols for encrypting DNS queries and responses and authenticating the resolver. Both carry the same DNS wire-format messages inside TLS, so they provide equivalent confidentiality and integrity on the client-to-resolver hop; they differ in how the messages are framed, which port they use and where they are typically enabled.

Here are the main differences between DoT and DoH:

  1. Transport and port: DoT sends DNS messages directly over TLS on the dedicated port 853, each message prefixed with a 2-byte length exactly as in DNS over TCP. DoH wraps the same wire-format message in an HTTP request, either a POST whose body has Content-Type application/dns-message or a GET with the message base64url-encoded in a dns= query parameter, and sends it over HTTPS on port 443, usually sharing an HTTP/2 connection with other requests to the same server.
  2. Visibility and blocking: Because DoT uses its own port, a network operator can recognise the traffic and block or filter it even though the contents are encrypted. DoH is indistinguishable from ordinary HTTPS to the same host, which makes it harder to block but also harder for an enterprise to monitor or to enforce DNS policy on. Encryption is not a differentiator: both protocols rely on TLS and their security depends on the client verifying the resolver's certificate.
  3. Deployment: DoT is supported by public resolvers such as Cloudflare, Google Public DNS and Quad9 and is typically enabled system-wide in the operating system's stub resolver (for example systemd-resolved or Android Private DNS), so every application on the device benefits. DoH is enabled inside applications, most visibly the Firefox and Chrome browsers, which can bypass the operating system's resolver settings entirely; the same public resolvers expose DoH endpoints as well.
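The following is an added example, not code from the original page or from any resolver vendor: a minimal DNS-over-TLS stub client in Python that shows the plain DNS wire message, the 2-byte length framing DoT adds on top of TLS, strict-mode certificate verification against an authentication domain name, and how the identical message would be carried by DoH in a GET request. It assumes Cloudflare's public resolver (1.1.1.1, authentication name cloudflare-dns.com) for the live query, which is only run from the main block; the parser is exercised on a constructed sample response using a TEST-NET address, so the module runs offline.

```python
"""Added example: minimal DoT (RFC 7858) stub client with DoH (RFC 8484) framing."""
import base64
import socket
import ssl
import struct

DOT_PORT = 853              # dedicated port assigned by RFC 7858
QTYPE_A, QCLASS_IN = 1, 1


def build_query(name: str, txid: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    """Encode a standard recursive query: RFC 1035 header plus one question."""
    # id, flags (RD=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def frame_dot(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, base_url: str = "https://cloudflare-dns.com/dns-query") -> str:
    """The same message over DoH with GET: base64url without padding in ?dns=
    (RFC 8484 section 4.1). With POST the raw message is the request body with
    Content-Type application/dns-message and no length prefix at all."""
    return base_url + "?dns=" + base64.urlsafe_b64encode(msg).decode().rstrip("=")


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes, expected_txid: int) -> list:
    """Extract A records from a response; reject a mismatched transaction id."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4    # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def query_dot(name: str, server: str = "1.1.1.1",
              hostname: str = "cloudflare-dns.com", txid: int = 0x1234) -> list:
    """Strict-profile DoT: verify the chain and that the certificate matches
    `hostname`, the authentication domain name. An opportunistic client that
    skips this check is still open to an on-path man-in-the-middle."""
    ctx = ssl.create_default_context()     # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    msg = build_query(name, txid)
    with socket.create_connection((server, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(frame_dot(msg))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length), txid)


# Constructed sample response (not captured from a real resolver): txid 0x1234,
# flags 0x8180 (QR, RD, RA), one question, one A answer whose owner name is a
# compression pointer to offset 12, TTL 300, address 192.0.2.1 (TEST-NET-1).
_Q = build_query("example.com", 0x1234)
SAMPLE_RESPONSE = (
    _Q[:2] + b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + _Q[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE, 0x1234))   # offline parse: ['192.0.2.1']
    print(doh_get_url(_Q))                             # DoH GET form of the same query
    # print(query_dot("example.com"))                 # live DoT query to 1.1.1.1:853
```

The DoT path and the DoH path carry byte-for-byte the same DNS message; only the framing around it differs (length prefix on port 853 versus an HTTP request on port 443), which is why the two protocols are equivalent on the wire and differ mainly in observability and deployment. The `server_hostname` argument is what makes this a strict-profile client: dropping it, or using an unverified context, silently degrades to the opportunistic behaviour described above.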

Overall, DoT and DoH provide the same protection on the wire, and neither hides queries from the resolver operator. The practical choice depends on who controls the resolver configuration (the operating system or an individual application), whether the encrypted DNS traffic needs to remain identifiable so that an enterprise can enforce policy on it, and which resolvers and client software are available in the environment.