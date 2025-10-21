DNS over TLS (DoT)
By default, DNS is sent over a plaintext connection. DNS over TLS (DoT) is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications.
Cloudflare supports DoT on standard port 853 over TLS 1.2 and TLS 1.3 in compliance with RFC 7858.
Each Gateway DNS location has a unique DoT hostname. DNS locations and corresponding DoT hostnames have policies associated with them.
- In Zero Trust, go to Gateway > DNS locations.
- Add a new location or select an existing location from the list.
- Under DoT endpoint, copy the value in DoT addresses.
The DoT hostname contains your unique location name. For example, if the DoT hostname is 9y65g5srsm.cloudflare-gateway.com, the location name is 9y65g5srsm.
To configure a DoT client such as dig, specify the IP address and the DoT hostname for your location in your query. For example:
Alternatively, you can use the generic DoT endpoint (dns.cloudflare-gateway.com) and include an OPT record with code 65011. You can select a specific location for the value of the OPT record. For example:
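The following Python is an added example, not code from Cloudflare's documentation, showing what a DoT client does with the two pieces described above: it builds a wire-format DNS query whose EDNS0 OPT record carries option code 65011 with a Gateway location name as its value, and it shows the RFC 7858 transport (TCP to port 853, TLS 1.2 or later with certificate verification against the DoT hostname, two-byte length framing). The option code and the example location name come from this page; encoding the location name as plain ASCII option data, the `GATEWAY_DOT_IP` placeholder and all function names are assumptions made for the example.

```python
import socket
import ssl
import struct
from typing import Dict, Optional

# From the page: Cloudflare Gateway's location-selection EDNS option code and the DoT port.
GATEWAY_LOCATION_OPTION_CODE = 65011
DOT_PORT = 853
# Placeholder: fill in one of your Gateway DoT IP addresses before running main().
GATEWAY_DOT_IP = "<your Gateway DoT IP address>"
GENERIC_DOT_HOSTNAME = "dns.cloudflare-gateway.com"


def build_query(qname: str, location: Optional[str] = None, txid: int = 0x1234) -> bytes:
    """Build a DNS A/IN query (RD set) with one EDNS0 OPT record in the additional section.

    When `location` is given, the OPT record carries option code 65011 whose data is the
    location name. ASCII encoding of the location name is an assumption in this example.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (OPT)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = b""
    if location is not None:
        data = location.encode("ascii")
        rdata = struct.pack("!HH", GATEWAY_LOCATION_OPTION_CODE, len(data)) + data
    # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size, TTL=extended RCODE/version/flags.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(rdata)) + rdata
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_opt_options(msg: bytes) -> Dict[int, bytes]:
    """Return {option_code: option_data} from the OPT record of a DNS message ({} if none)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns):
        off = _skip_name(msg, off)
        (rdlen,) = struct.unpack("!H", msg[off + 8:off + 10])
        off += 10 + rdlen
    options: Dict[int, bytes] = {}
    for _ in range(ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != 41:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            options[code] = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
    return options


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DoT server closed the connection early")
        buf += chunk
    return buf


def dot_query(server_ip: str, tls_hostname: str, wire: bytes, timeout: float = 5.0) -> bytes:
    """Send one DNS message per RFC 7858: TCP/853, TLS >= 1.2, SNI and certificate
    verification against the DoT hostname, messages prefixed with a 2-byte length."""
    ctx = ssl.create_default_context()  # verifies the server certificate against system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=tls_hostname) as tls:
            tls.sendall(struct.pack("!H", len(wire)) + wire)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


def main() -> None:
    # Generic endpoint plus the 65011 option selecting the page's example location.
    query = build_query("example.com", location="9y65g5srsm")
    print("OPT options in query:", parse_opt_options(query))
    response = dot_query(GATEWAY_DOT_IP, GENERIC_DOT_HOSTNAME, query)
    rcode = response[3] & 0x0F
    print(f"response RCODE={rcode}, {len(response)} bytes")


if __name__ == "__main__":
    main()
```

`build_query` and `parse_opt_options` run offline; `main()` needs the placeholder replaced with a real Gateway DoT IP address and network access. Because `create_default_context` verifies the certificate against the hostname passed as `server_hostname`, the same client code works for a location-specific hostname simply by passing that hostname instead of the generic one and omitting `location`.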
Some stub resolvers support DoT natively. For example, you can configure Unbound to send a DoT query:
