DNS over TLS (DoT)
By default, DNS is sent in plaintext over UDP or TCP port 53, so anyone on the path can read or modify queries and responses. DNS over TLS (DoT) is a standard for encrypting DNS traffic to keep it confidential and tamper-resistant. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications.
Cloudflare supports DoT on the standard port 853 over TLS 1.2 and TLS 1.3, in compliance with RFC 7858.
Each Gateway DNS location has a unique DoT hostname. DNS locations and corresponding DoT hostnames have policies associated with them.
- In Zero Trust ↗, go to Gateway > DNS locations.
- Add a new location or select an existing location from the list.
- Under DoT endpoint, copy the value in DoT addresses.
The DoT hostname contains your unique location name. For example, if the DoT hostname is 9y65g5srsm.cloudflare-gateway.com, the location name is 9y65g5srsm.
To configure a DoT client such as dig, specify the IP address and the DoT hostname for your location in your query. The hostname is what the client checks the server certificate against, so it must be given even when you connect by IP. For example:

    Hostname: 9y65g5srsm.cloudflare-gateway.com
    IP address: 162.159.36.5
Alternatively, you can use the generic DoT endpoint (dns.cloudflare-gateway.com) and include an EDNS(0) option with code 65011 in the query's OPT record. The value of the option is the location name, which selects the DNS location (and therefore the policies) that apply to the query. For example:

    Hostname: dns.cloudflare-gateway.com
    IP address: 162.159.36.5
    OPT record:
      - Code: 65011
      - Value: 9y65g5srsm
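The two client configurations above (location-specific hostname, and generic endpoint plus EDNS option 65011) as an added shell example; this is not code from the Cloudflare page. It assumes dig from BIND 9.18 or later, which supports +tls, +tls-hostname and +ednsopt, and openssl for the certificate check. +ednsopt takes the option value as hex, so the location name is hex-encoded first. The location name, hostnames and IP are the page's example values; set DIG=echo to print the dig command lines instead of sending queries.

```shell
#!/bin/sh
# Added example: query a Cloudflare Gateway DNS location over DoT with dig.
# Assumes dig from BIND >= 9.18 (+tls, +tls-hostname, +ednsopt) and openssl.
set -u

DIG="${DIG:-dig}"   # set DIG=echo to show the command instead of running it

LOCATION="9y65g5srsm"                              # example location name from the page
DOT_HOST="${LOCATION}.cloudflare-gateway.com"       # location-specific DoT hostname
GENERIC_HOST="dns.cloudflare-gateway.com"           # generic DoT endpoint
DOT_IP="162.159.36.5"                               # Gateway DoT IP from the page

# dig's +ednsopt wants the option value as a hex string: encode the ASCII
# location name byte by byte (od prints two lowercase hex digits per byte).
loc_hex() {
  printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Query via the location-specific hostname. +tls switches dig to DNS over TLS
# on port 853; +tls-hostname pins the name the server certificate must match,
# which is required because we connect by IP address.
dot_query_direct() {
  "$DIG" +tls +tls-hostname="$DOT_HOST" @"$DOT_IP" "$1" A
}

# Query via the generic endpoint and select the location with EDNS option
# code 65011, whose value is the hex-encoded location name.
dot_query_generic() {
  "$DIG" +tls +tls-hostname="$GENERIC_HOST" \
    +ednsopt=65011:"$(loc_hex "$LOCATION")" @"$DOT_IP" "$1" A
}

# Sanity check before trusting the resolver: open a TLS session to the DoT
# port and require that the presented certificate chain verifies and that it
# is valid for the given hostname. Returns 0 only when both hold.
dot_check_cert() {
  openssl s_client -connect "${DOT_IP}:853" -servername "$1" \
    -verify_hostname "$1" -verify_return_error </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Usage when run directly: verify the certificate, then resolve example.com
# both ways. (Requires network access and a real dig.)
if [ "${1:-}" = "run" ]; then
  dot_check_cert "$DOT_HOST" || { echo "certificate check failed for $DOT_HOST" >&2; exit 1; }
  dot_query_direct example.com
  dot_query_generic example.com
fi
```

The certificate check matters more for DoT than for a local resolver: the client reaches the endpoint by IP, so without a hostname pin any TLS server at that IP would be accepted. Both dig invocations therefore pass +tls-hostname, and the Unbound example below does the same with the #hostname suffix.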
Some resolvers support DoT natively. For example, you can configure Unbound to forward all queries to your location over DoT. The hostname after # is the name Unbound validates the server certificate against, and port 853 has to be given explicitly with @853 because forward-addr defaults to port 53 even when forward-tls-upstream is enabled:

    # Unbound TLS Config
    server:
      # CA bundle used to validate the forwarder's certificate (path varies by distribution)
      tls-cert-bundle: "/etc/ssl/cert.pem"

    # Forwarding Config
    forward-zone:
      name: "."
      forward-tls-upstream: yes
      forward-addr: 162.159.36.5@853#9y65g5srsm.cloudflare-gateway.com
      forward-addr: 2001:db8:abcd::1234@853#9y65g5srsm.cloudflare-gateway.com
- 2025 Cloudflare, Inc.