Skip to content
Cloudflare for Teams
Visit Cloudflare for Teams on GitHub
Set theme to dark (⇧+D)

DNS over TLS

By default, DNS is sent over a plaintext connection. DNS over TLS (DoT) is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications.

Cloudflare supports DoT on standard port 853 and is compliant with RFC7858.


Obtain your DoT hostname

Each Gateway location has a unique DoT hostname. Locations and corresponding DoT hostnames have policies associated with them.

  1. Visit your Teams dashboard.

  2. Navigate to the Locations page to visualize your location.

    Go to teams dash

  3. If you have more than one location set up, you will see a list of all your locations.

    Go to locations page

  4. Expand the location card for the location whose DoT hostname you'd like to retrieve.

    Expand location card

  5. Get the DoT hostname for the location.

    In the example below, the DoT hostname is:

    Get unique subdomain

  6. Take note of the DoT hostname.

Configure your DoT client

Depending on your operating system, you can choose from a variety of standalone DoT clients.

To configure your DoT client, use the following IP address and hostname:

Hostname: DoT hostname for a chosen location (above this is
IP address:

Alternatively, stub resolvers (e.g., Unbound) support DoT natively.

# Unbound TLS Config
tls-cert-bundle: "/etc/ssl/cert.pem"
# Forwarding Config
name: "."
forward-tls-upstream: yes

Supported TLS versions

Cloudflare's DNS over TLS supports TLS 1.3 and TLS 1.2.