diagram.mmd — sequence
DNS over TLS Flow sequence diagram

DNS over TLS (DoT, RFC 7858) is a protocol that encrypts DNS queries and responses by establishing a TLS session on a dedicated port (853), preventing eavesdropping and modification of DNS traffic while maintaining the standard DNS wire format.

Like DNS over HTTPS, DoT solves the fundamental privacy problem with traditional DNS: plaintext queries on port 53 reveal every hostname you look up to anyone observing the network. DoT and DoH achieve similar privacy guarantees but differ in implementation.

Port 853: DoT operates on TCP port 853, which is dedicated exclusively to encrypted DNS. This makes DoT easy to identify and either allow or block at the network level — an advantage for enterprise administrators who want to enforce specific DoT resolver usage, and a disadvantage in environments where encrypted DNS is actively blocked.

Protocol Flow: The client opens a TCP connection to the DoT resolver on port 853, then performs a standard TLS handshake to authenticate the resolver (via X.509 certificate) and establish an encrypted channel. DNS queries are then sent in the standard DNS wire format (RFC 1035), with a 2-byte length prefix added (since DNS over TCP requires length framing, unlike UDP).

Connection Reuse: DoT explicitly encourages connection reuse. After authentication, multiple DNS queries can be sent over the same TLS connection, amortizing the connection setup cost. This is analogous to how HTTP keep-alive works.

Strict vs. Opportunistic Mode: In strict mode, the client validates the DoT server's certificate against a pinned or system-trusted CA — if validation fails, DNS resolution fails entirely. In opportunistic mode, encryption is used if available but falls back to plaintext on failure, providing weaker privacy guarantees.

Comparison with DoH: DoH sends DNS queries disguised as HTTPS traffic on port 443, making it harder to block without affecting regular web browsing. DoT uses a distinct port, making it more transparent and manageable in enterprise environments.
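The flow described above (RFC 1035 wire format, 2-byte TCP length framing, a strict-mode TLS policy, and several queries over one TLS connection) as an added example in Python; this is illustrative code written for this page, not part of the diagram or any resolver's implementation. The function names, the pipelining of queries before reading responses, and the resolver hostname passed by the caller are assumptions.

```python
import socket
import ssl
import struct

def build_dns_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: 12-byte header (RD=1, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def frame_tcp(message: bytes) -> bytes:
    """RFC 7858 reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(message)) + message

def unframe_tcp(buf: bytes):
    """Pop one complete framed message off a buffer; (None, buf) if incomplete."""
    if len(buf) >= 2:
        (length,) = struct.unpack("!H", buf[:2])
        if len(buf) >= 2 + length:
            return buf[2:2 + length], buf[2 + length:]
    return None, buf

def strict_context(cafile=None) -> ssl.SSLContext:
    """Strict mode: trusted cert matching the resolver name, or the lookup fails."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True          # never silently fall back to plaintext
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def dot_lookup(resolver: str, qnames, ctx: ssl.SSLContext, port: int = 853):
    """Send several queries over ONE TLS connection (connection reuse); raw responses keyed by ID."""
    responses = {}
    with socket.create_connection((resolver, port), timeout=5) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=resolver) as tls:
            for txid, name in enumerate(qnames, start=1):   # assumed: pipeline all queries
                tls.sendall(frame_tcp(build_dns_query(name, txid=txid)))
            buf = b""
            while len(responses) < len(qnames):
                msg, buf = unframe_tcp(buf)
                if msg is None:                               # need more bytes for a full frame
                    chunk = tls.recv(4096)
                    if not chunk:
                        raise ConnectionError("resolver closed the connection early")
                    buf += chunk
                    continue
                responses[struct.unpack("!H", msg[:2])[0]] = msg  # match reply by transaction ID
    return responses
```

Only the framing and policy helpers are exercised offline; `dot_lookup` needs a reachable DoT resolver (e.g. `dot_lookup("dns.example.net", ["example.com"], strict_context())`, hostname assumed).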


Frequently asked questions

DNS over TLS (DoT, RFC 7858) encrypts DNS queries by establishing a TLS session on port 853 before sending standard DNS wire-format messages. Like DoH, it prevents eavesdropping on DNS traffic, but it uses a dedicated port that makes it easy to identify and manage at the network level.
The client opens a TCP connection to the DoT resolver on port 853, then completes a standard TLS handshake to authenticate the resolver via X.509 certificate and establish an encrypted channel. DNS queries are then sent in standard wire format with a 2-byte length prefix. Multiple queries can reuse the same TLS connection, amortising the handshake cost.
Prefer DoT in enterprise or managed network environments where you need explicit control over which DNS resolvers are used and want to monitor or filter encrypted DNS traffic at the firewall level. Its dedicated port 853 makes it straightforward to allow DoT to specific resolvers while blocking others — a policy impossible to enforce with DoH on port 443.
In strict mode, the client validates the DoT server's certificate and refuses to fall back to plaintext if validation fails, providing strong privacy guarantees. In opportunistic mode, the client uses TLS when available but silently falls back to plaintext on failure, providing weaker but still better-than-nothing privacy. Strict mode is recommended for security-conscious deployments.
```mermaid
sequenceDiagram
    participant Client as DNS Client\n(stub resolver)
    participant DoTResolver as DoT Resolver\n(port 853)
    Note over Client: Traditional plaintext DNS\nreplaced by DoT
    Note over Client,DoTResolver: TCP connection to port 853
    Client->>DoTResolver: TCP SYN to port 853
    DoTResolver-->>Client: TCP SYN-ACK
    Client->>DoTResolver: TCP ACK
    Note over Client,DoTResolver: TLS Handshake
    Client->>DoTResolver: ClientHello (TLS 1.3)
    DoTResolver-->>Client: ServerHello + Certificate
    Note over Client: Validate resolver certificate\n(strict mode — reject on failure)
    Client->>DoTResolver: Finished [encrypted]
    DoTResolver-->>Client: Finished
    Note over Client,DoTResolver: Encrypted DNS exchange
    Client->>DoTResolver: DNS query (2-byte length prefix)\nQTYPE=A, QNAME=example.com [encrypted]
    DoTResolver-->>Client: DNS response\nA 93.184.216.34 TTL 3600 [encrypted]
    Note over Client,DoTResolver: Connection reuse for next query
    Client->>DoTResolver: DNS query: api.example.com [encrypted]
    DoTResolver-->>Client: DNS response: 203.0.113.42 [encrypted]
```