DNS over TLS

DNS over TLS
Abbreviation	DoT
Status	Proposed Standard
Latest version	RFC 7858, RFC 8310; May 2016 and March 2018
Organization	IETF
Authors	Zi Hu; Liang Zhu; John Heidemann; Allison Mankin; Duane Wessels; Paul Hoffman;

DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. The well-known port number for DoT is 853.

While DNS over TLS is applicable to any DNS transaction, it was first standardized for use between stub or forwarding resolvers and recursive resolvers, in RFC 7858 in May of 2016. Subsequent IETF efforts specify the use of DoT between recursive and authoritative servers ("Authoritative DNS over TLS" or "ADoT")^[1] and a related implementation between authoritative servers (Zone Transfer-over-TLS or "xfr-over-TLS").^[2]

^ Henderson, Karl; April, Tim; Livingood, Jason (2020-02-14). "Authoritative DNS-over-TLS Operational Considerations". Ietf Datatracker. Internet Engineering Task Force. Retrieved 17 July 2021.
^ Mankin, Allison (2019-07-08). "DNS Zone Transfer-over-TLS". Ietf Datatracker. Internet Engineering Task Force. Retrieved 17 July 2021.

[1] Henderson, Karl; April, Tim; Livingood, Jason (2020-02-14). "Authoritative DNS-over-TLS Operational Considerations". Ietf Datatracker. Internet Engineering Task Force. Retrieved 17 July 2021.

[2] Mankin, Allison (2019-07-08). "DNS Zone Transfer-over-TLS". Ietf Datatracker. Internet Engineering Task Force. Retrieved 17 July 2021.

[1]

[2]

Internet security protocols
Key management
Kerberos RPKI PKIX Web of trust X.509 XKMS
Application layer
DKIM DMARC HTTPS PGP Sender ID SPF S/MIME SSH TLS/SSL
Domain Name System
DANE DNSSEC DNS over HTTPS DNS over TLS CAA
Internet Layer
IKE IPsec L2TP OpenVPN PPTP WireGuard
v t e