Configure DNS over TLS
By default, DNS is sent over a plaintext connection. DNS over TLS (DoT) is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications.
1. Obtain your DoT hostname
Each Gateway DNS location has a unique DoT hostname. DNS locations and corresponding DoT hostnames have policies associated with them.
- In , go to Gateway > DNS Locations.
- If you have more than one location set up, you will see a list of all your locations.
- Expand the location card for the location whose DoT hostname you’d like to retrieve.
- Get the DoT hostname for the location.
In the example below, the DoT hostname is:
Next, configure your DoT client with the DoT hostname.
2. Configure your DoT client
Depending on your operating system, you can choose from a variety of standalone DoT clients.
To configure your DoT client, enter the following IP address and the DoT hostname for your location (for example,
Hostname: <DoT hostname>IP address: 184.108.40.206
Alternatively, stub resolvers (e.g., Unbound) support DoT natively. An example configuration is shown below.
# Unbound TLS Configtls-cert-bundle: "/etc/ssl/cert.pem"# Forwarding Configforward-zone:name: "."forward-tls-upstream: yesforward-addr: 220.127.116.11@853#9y65g5srsm.cloudflare-gateway.comforward-addr: <IPv6 address>#<DoT hostname>
Supported TLS versions
Cloudflare’s DNS over TLS supports TLS 1.3 and TLS 1.2.