DNS-over-TLS (DoT) encrypts the connection between your device and a DNS resolver using TLS (Transport Layer Security), the same protocol that secures HTTPS websites. Standard DNS queries travel unencrypted over port 53 (UDP, falling back to TCP), meaning your internet service provider, router, or anyone monitoring your network can see every domain you look up, and anyone on the path can forge a reply because plain DNS has no integrity protection either.
DoT works by establishing a TLS connection to a DNS resolver (port 853, as standardized in RFC 7858) and then sending ordinary DNS messages through that tunnel, each prefixed with a two-byte length as in DNS over TCP. This hides your lookups from network-level observation, but two things stay visible: your ISP can still see that you are talking to a DoT resolver (the resolver's IP and port 853), and the resolver operator still sees every query. The protection also depends on how the client validates the resolver's certificate: a "strict" profile that checks the certificate against the resolver's name defends against active interception, while an "opportunistic" profile that accepts any certificate only defeats passive observers.
Why it matters. DNS is fundamental to how the internet works, but it was designed before privacy became a concern. Without encryption, your DNS queries reveal which sites you visit, even if the actual web traffic is encrypted with HTTPS. DoT closes that gap, though it closes only the DNS part of it: the destination IP address and, unless Encrypted Client Hello is in use, the server name in the TLS handshake still reveal much of the same information to an observer.
Common gotchas. DoT can add latency because the TLS handshake costs extra round trips, although clients that keep the connection open and reuse it for many queries pay that cost once rather than per lookup. Some networks and firewalls block port 853, breaking DoT entirely; the real danger is a client configured in opportunistic mode that then silently falls back to plaintext port 53, which is why strict mode (fail rather than fall back) is the safer setting. Not all devices support it natively: Android 9+ exposes it as "Private DNS", iOS 14+ and macOS 11+ accept it through a configuration profile or an app that supplies encrypted DNS settings, and support in Windows 11 depends on the build. DoT differs from DNS-over-HTTPS (DoH), which carries DNS inside HTTPS on port 443, so it is harder for a firewall to block or even distinguish from ordinary web traffic.
What to do with this knowledge. If your device supports DoT, enable it in network settings or router configuration to improve privacy, and prefer a strict setting that names the resolver so the certificate is actually verified. Check whether your ISP or network allows port 853 traffic, as some corporate and public networks block it; the simplest check is to open a TLS connection to a known resolver on port 853 and send one query. Consider using a privacy-focused DNS resolver such as Quad9 (9.9.9.9, dns.quad9.net) or Cloudflare (1.1.1.1, cloudflare-dns.com), both of which support DoT.
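The exchange described above, and the port 853 check recommended here, as an added example that is not part of the original article: a minimal DoT client in Python using only the standard library. It builds a DNS wire-format query, frames it with the two-byte length prefix, sends it over a verified TLS connection, and parses the answer. The resolver address 1.1.1.1 and the name cloudflare-dns.com are assumed defaults; any DoT resolver and its certificate name can be substituted. The sample response bytes in the comments are constructed for illustration, not captured from a real resolver.

```python
import socket
import ssl
import struct

A_RECORD = 1
IN_CLASS = 1


def build_query(name: str, qtype: int = A_RECORD, txid: int = 0x1234) -> bytes:
    """Build a DNS wire-format query (RFC 1035): header, QNAME labels, QTYPE, QCLASS.
    Flags 0x0100 sets the Recursion Desired bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, IN_CLASS)


def frame(msg: bytes) -> bytes:
    """DNS over TCP and DoT prefix every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def parse_name(msg: bytes, offset: int, max_hops: int = 16) -> tuple[str, int]:
    """Decode a (possibly compressed) name. Returns (name, offset just past the name
    in the original position). max_hops bounds pointer chasing so a malicious
    response with a pointer loop cannot hang the parser."""
    labels = []
    end = None
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, low 14 bits = target
            if end is None:
                end = offset + 2
            hops += 1
            if hops > max_hops:
                raise ValueError("too many compression pointers")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if end is None:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Parse header, skip the question section, and collect A records from answers."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = parse_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = parse_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == A_RECORD and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def dot_query(name: str, resolver: str = "1.1.1.1",
              server_hostname: str = "cloudflare-dns.com",
              port: int = 853, timeout: float = 5.0) -> dict:
    """Strict DoT: the default context verifies the chain and checks the certificate
    against server_hostname, so an interposed resolver fails the handshake instead
    of silently answering. A refused or timed-out connect means port 853 is blocked."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = 0x1234
    with socket.create_connection((resolver, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(frame(build_query(name, txid=txid)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            resp = parse_response(recv_exact(tls, length))
    if resp["txid"] != txid:  # reject answers that do not match our question
        raise ValueError("transaction ID mismatch")
    return resp


if __name__ == "__main__":
    # Constructed sample: a response to build_query("example.com") whose answer name
    # is a compression pointer (0xC00C) back to the question, TTL 300, A 93.184.216.34.
    sample = (bytes.fromhex("123481800001000100000000")
              + b"\x07example\x03com\x00\x00\x01\x00\x01"
              + bytes.fromhex("c00c00010001 0000012c 0004 5db8d822".replace(" ", "")))
    print(parse_response(sample))
    print(dot_query("example.com"))  # needs outbound port 853
```

Running the script against a network that blocks port 853 raises a connection error from `socket.create_connection`; running it against a resolver whose certificate does not match `server_hostname` raises `ssl.SSLCertVerificationError`, which is exactly the difference between the strict and opportunistic profiles described above.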
