DNS over TLS
By default, DNS is sent over a plaintext connection. DNS over TLS (DoT) is one way to send DNS queries over an encrypted connection. Cloudflare supports DNS over TLS on standard port 853 and is compliant with RFC 7858 ↗. With DoT, the encryption happens at the transport layer, where it adds TLS encryption on top of a TCP connection.
Cloudflare supports DNS over TLS (DoT) on 1.1.1.1
, 1.0.0.1
, and the corresponding IPv6 addresses (2606:4700:4700::1111
and 2606:4700:4700::1001
) on port 853
. If your DoT client does not support IP addresses, Cloudflare's DoT endpoint can also be reached by hostname on one.one.one.one
. A stub resolver (the DNS client on a device that talks to the DNS resolver) connects to the resolver over a TLS connection:
- Before the connection, the DNS stub resolver has stored a base64 encoded SHA256 hash of the TLS certificate from 1.1.1.1 (called SPKI).
- DNS stub resolver establishes a TCP connection with
1.1.1.1:853
. - DNS stub resolver initiates a TLS handshake.
- In the TLS handshake, 1.1.1.1 presents its TLS certificate.
- Once the TLS connection is established, the DNS stub resolver can send DNS over an encrypted connection, preventing eavesdropping and tampering.
- All DNS queries sent over the TLS connection must comply with specifications of sending DNS over TCP ↗.
Cloudflare's DNS over TLS supports TLS 1.3 and TLS 1.2.