DNS over TLS

Abbreviation: DoT
Status: Proposed Standard
Latest version: RFC 7858 (May 2016), RFC 8310 (March 2018)
Organization: IETF

DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. The well-known port number for DoT is 853.

While DNS over TLS is applicable to any DNS transaction, it was first standardized for use between stub or forwarding resolvers and recursive resolvers, in RFC 7858 in May 2016. Subsequent IETF efforts specify the use of DoT between recursive and authoritative servers ("Authoritative DNS over TLS" or "ADoT")[1] and a related use between authoritative servers for zone transfers (Zone Transfer-over-TLS or "xfr-over-TLS").[2]
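A minimal DoT client, added here as an illustration and not taken from the RFCs or from any named resolver implementation: it frames a DNS query with the two-octet length prefix that DoT inherits from DNS over TCP, sends it over a certificate-verified TLS session to port 853 (the strict usage profile of RFC 8310, which fails closed rather than falling back to plaintext), and parses the A records from the answer. The resolver address and name, the five-second timeout and the helper names are assumptions.

```python
import secrets
import socket
import ssl
import struct

DOT_PORT = 853  # well-known port for DNS over TLS (RFC 7858)

def build_query(name, qtype=1, txid=None):
    """Minimal DNS query: 12-octet header (RD set, one question) + QNAME/QTYPE/QCLASS."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg):  # DoT reuses DNS-over-TCP framing: a two-octet big-endian length prefix
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg, off):
    """Offset just past a domain name; a 0xC0 compression pointer ends the name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk plain labels
        off += 1 + msg[off]
    return off + 2 if msg[off] & 0xC0 == 0xC0 else off + 1

def parse_a_records(msg):
    """IPv4 addresses from the answer section of a DNS response message."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen  # skip AAAA, CNAME and any other record types
    return addrs

def query_dot(resolver_ip, resolver_name, name):
    """Strict-profile lookup (RFC 8310): refuse unless the cert chains to a trusted CA and matches resolver_name."""
    ctx = ssl.create_default_context()  # certificate chain + hostname verification on
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=resolver_name) as tls:
        tls.sendall(frame(build_query(name)))
        stream = tls.makefile("rb")  # read(n) loops until n octets arrive or EOF
        (length,) = struct.unpack("!H", stream.read(2))
        return parse_a_records(stream.read(length))
```

The parser is tolerant of mixed answer sections (a constructed response with an AAAA record beside the A record still yields only the IPv4 address), which is the common shape of a real resolver reply.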

  1. ^ Henderson, Karl; April, Tim; Livingood, Jason (2020-02-14). "Authoritative DNS-over-TLS Operational Considerations". IETF Datatracker. Internet Engineering Task Force. Retrieved 17 July 2021.
  2. ^ Mankin, Allison (2019-07-08). "DNS Zone Transfer-over-TLS". IETF Datatracker. Internet Engineering Task Force. Retrieved 17 July 2021.