Protect your DNS requests with DNS over TLS

Posted date 04/07/2019
Ignacio Porro Sáez (INCIBE)

As a reminder, DNS (Domain Name System) is a protocol used by computers, services, IoT devices and any other resource connected to a network. Although it has several uses, the main one is to resolve the IP address of a web page. DNS was not designed with security in mind, so queries are sent in plaintext over UDP or TCP, without any kind of encryption.

For this reason, an attacker could see which sites a device looks up and mount a phishing attack against a web page by means of DNS cache poisoning, which consists of exploiting vulnerabilities in DNS servers to feed them wrong information about the IP addresses of certain domains. All users of that service will then be visiting fake pages, since the cache has been manipulated by the attackers.

[Figure "Performance Comparison": example of DNS modification set by the user or ISP]

To address this problem, DNS over TLS (DoT) is being deployed. DoT is a security protocol that encrypts and wraps DNS queries and responses in the TLS (Transport Layer Security) protocol in order to increase users' privacy and security, avoiding unwanted eavesdropping on or manipulation of DNS data through man-in-the-middle (MitM) attacks.

DoT should not be confused with DoH (DNS over HTTPS), which resolves domain names over HTTPS and also aims to increase privacy and prevent MitM attacks, but which sometimes has the drawback of excessively slow load times, a problem that gets worse when many addresses must be resolved to load a web page.

What is DNS over TLS (DoT)?

The DNS over TLS (DoT) standard is specified in RFC 7858. Its implementation is simple: once a port has been agreed on (a well-known port in the 0-1023 range), client and server negotiate and establish a secure TLS session. The connection requires the client to authenticate the server using PKIX (Public Key Infrastructure X.509) certificates, based on domain names as set out in RFC 8310.

By default, a DNS server that supports DoT listens on port 853. Another port can be used (except port 53, to avoid problems with downgrade attacks), although both servers and clients would then have to be configured for it. It should also be borne in mind that some firewalls block port 853, which can cause complications and make the protocol fail. Note too that this protocol only uses TCP.

How does it work?

This protocol has two operating modes, strict mode and opportunistic mode, which differ in the level of privacy they provide:

  • Strict mode creates a secure TLS connection in which the client authenticates the server using PKIX certificates based on domain names. If the authentication fails, an error is returned.
  • In opportunistic privacy mode, the client tries to authenticate the server; if this is not possible, it automatically falls back to communicating over UDP port 53 or TCP port 53 without encryption.

Strict mode is much safer because, if the protocol fails, the request is not re-sent insecurely; the name is simply not resolved. Opportunistic mode, on the other hand, guarantees greater availability of the service.
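The two modes, as an added example that is not part of the article or of any client it mentions: a minimal Python stub resolver that authenticates the server by its domain name over TLS on port 853 using the length framing of RFC 7858, and on failure either fails closed (strict) or downgrades to cleartext port 53 (opportunistic). The resolver address and authentication name are assumptions supplied by the caller; only the reply header is validated here, record parsing is left out.

```python
import socket
import ssl
import struct

DOT_PORT, DNS_PORT = 853, 53   # DoT default port (RFC 7858) and the cleartext DNS port

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query (RFC 1035): one question, RD=1, no EDNS."""
    labels = [l.encode() for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def check_reply(resp, txid):
    """Validate the reply header: same txid, QR bit set, RCODE 0. Returns the answer count."""
    rid, flags, _qd, an = struct.unpack("!HHHH", resp[:8])
    if rid != txid or not flags & 0x8000:
        raise ValueError("reply does not belong to our query")
    if flags & 0xF:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    return an

def dot_exchange(query, server_ip, auth_name):
    """Send one query over TLS on port 853. create_default_context() requires a
    certificate that chains to the system trust store and matches auth_name,
    which is the domain-name based authentication of RFC 8310."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
        tls.sendall(struct.pack("!H", len(query)) + query)   # 2-byte length prefix (RFC 7858)
        stream = tls.makefile("rb")                          # read(n) blocks for exactly n bytes
        (length,) = struct.unpack("!H", stream.read(2))
        return stream.read(length)

def resolve(name, server_ip, auth_name, strict=True):
    """Strict mode: any TLS or authentication failure leaves the name unresolved.
    Opportunistic mode: fall back to cleartext UDP/53, trading privacy for availability.
    Returns the validated raw DNS reply."""
    query = build_query(name)
    try:
        resp = dot_exchange(query, server_ip, auth_name)
    except (ssl.SSLError, OSError):
        if strict:
            raise                      # fail closed: never downgrade to port 53
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
            udp.settimeout(5)
            udp.sendto(query, (server_ip, DNS_PORT))
            resp = udp.recv(4096)
    check_reply(resp, 0x1234)
    return resp
```

Against one of the public resolvers named in this article, the caller passes the resolver's IP address together with the authentication name it publishes for DoT, and `strict=False` reproduces the opportunistic downgrade.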

Currently, the RFCs do not define important matters such as the deployment and revocation of certificates, the integration of trusted CAs (Certification Authorities), the use of CRLs (Certificate Revocation Lists) to look up revoked certificates, etc. These aspects are left in the hands of the DNS service providers, who are responsible for implementing them.


What advantages and disadvantages does it offer?

The advantages of using DoT are:

  • Since the TCP communications are encrypted with TLS, security and privacy are improved.
  • In strict operating mode, it prevents tampering through interception and modification of DNS queries or responses.
  • Anyone intercepting traffic between the user and the DNS server that resolves the queries will be unable to obtain information.
  • The implementation is simple: anyone with average knowledge could install it on their network for platforms that do not incorporate it natively.
  • On platforms that incorporate it natively, any user can use it.

As for the disadvantages, there seem to be few, but we must bear them in mind.

  • In strict mode, if we look up a page and it returns no results, we get an error message.
  • Latency may be somewhat greater with DoT.
  • The implementation, validation and revocation requirements for DNS server certificates are not defined.

Which public DNS services implement DoT and which platforms support it?

Not all public servers support DNS over TLS. Among those that do are Cloudflare, Quad9, Google and CleanBrowsing, which have been implementing this security measure since 2019.

The following table shows a comparison of the security mechanisms implemented by some of the most extensively used public DNS servers.

Public DNS      Privacy policy   DNSSEC   DoT   DoH   DNSCrypt
CleanBrowsing   ?                ?        ?     ?     ?
Cloudflare      ?                ?        ?     ?     ?
Google          ?                ?        ?     ?     ?
Quad9           ?                ?        ?     ?     ?
UncensoredDNS   ?                ?        ?     ?     ?
SafeDNS         ?                ?        ?     ?     ?
OpenDNS         ?                ?        ?     ?     ?

On Windows, macOS and iOS, DoT is not implemented natively by any client. On Windows, third-party client programs such as Stubby can be used to enable DoT. It is expected that in the future all platforms will incorporate this security measure natively.

Certain Linux distributions already incorporate DoT, for example Ubuntu 18.10, but they have it deactivated by default and only support opportunistic mode. For those that do not implement it, the Stubby program can be used.

As for Android devices, DoT can only be configured natively from version 9.0 Pie; for earlier versions, Cloudflare offers an application that allows it to be used.

It must be borne in mind that, at the time of publication of this article, the DNS over TLS protocol is still being perfected, and the number of compatible platforms is gradually increasing. As noted above, very few clients currently implement it natively, but this minor problem can be solved with third-party programs.

Something as simple as a DNS query, which at first sight may seem unimportant since it only reveals which pages are visited, can be the starting point for an attack with a higher chance of success.