DNS over TLS


DNS over TLS is a security protocol for encrypting and wrapping Domain Name System queries and answers via the Transport Layer Security protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks.
Cloudflare, Quad9, Google, Quadrant Information Security, CleanBrowsing, LibreOps, DNSlify, Telsy and AdGuard provide public DNS resolver services via DNS over TLS.
In April 2018, Google announced that Android Pie would include support for DNS over TLS, allowing users to set a DNS server phone-wide on both WiFi and mobile connections, an option that was historically only possible on rooted devices. DNSDist, from PowerDNS, also announced support for DNS over TLS in its latest version, 1.3.0. BIND users can also provide DNS over TLS by proxying it through stunnel. Unbound has supported DNS over TLS since 22 January 2018. Unwind has supported DoT since 29 January 2019. With Android Pie's support for DNS over TLS, some ad blockers now support the encrypted protocol as a relatively easy way for users to reach their services, instead of the various workarounds typically used, such as VPNs and proxy servers.

Implementations

Many public recursive servers support DoT, but client systems are often required to opt in.
Android clients running Android 9 or newer support DNS over TLS.
Linux and Windows users can use DNS over TLS as a client through the NLnet Labs Stubby daemon or Knot Resolver. Alternatively, they may install getdns-utils to use DoT directly with the getdns_query tool. The Unbound DNS resolver by NLnet Labs also supports DNS over TLS.
systemd-resolved is a Linux-only implementation that can be configured to use DNS over TLS, by editing /etc/systemd/resolved.conf and enabling the setting DNSOverTLS. Most major Linux distributions have systemd installed by default.
personalDNSfilter is an open source DNS filter with support for DoT and DoH for Java enabled devices including Android.
Nebulo is an Open Source DNS changer application for Android which supports DNS over TLS and DNS over HTTPS.

Criticisms and implementation considerations

DoT can impede analysis and monitoring of DNS traffic for cybersecurity purposes. DoT has been used to bypass parental controls which operate at a DNS level; Circle, a parental control router which relies on DNS queries to check domains against a blocklist, blocks DoT by default due to this.
Encryption by itself does not guarantee privacy; it only conceals the query data from parties who are not an endpoint of the encrypted connection.
DoT clients do not directly query any authoritative name servers. Instead, the client relies on the DoT server, which uses traditional queries to reach the authoritative servers. Thus DoT is not an end-to-end encrypted protocol, only a hop-to-hop encrypted one, and only on the hops where DNS over TLS is actually used.
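The following is an added example, not code from the article or from any of the implementations it names. It shows what the protocol described above actually consists of: an ordinary DNS message in the usual wire format, prefixed with a two-octet length exactly as in DNS over TCP, carried inside a TLS session to port 853 of the resolver (RFC 7858). The client runs in strict mode, so the resolver's certificate must chain to a trusted CA and match the resolver's name, otherwise no query is sent. The response used by the offline part is constructed, not captured, and uses the documentation address 192.0.2.1; the Quad9 endpoint in the `__main__` block is an assumed example resolver for a live lookup and is not taken from the article. Because the DNS message inside the tunnel is unchanged, the resolver sees every query in the clear, which is the hop-to-hop limitation the text describes.

```python
"""Minimal DNS-over-TLS client (RFC 7858): plain DNS wire format with a
2-octet length prefix, carried inside an authenticated TLS session on TCP 853."""
from __future__ import annotations

import secrets
import socket
import ssl
import struct

DOT_PORT = 853  # registered port for DNS over TLS


def build_query(name: str, qtype: int = 1) -> tuple[int, bytes]:
    """Encode a recursive-desired DNS query (A record by default).
    Returns (transaction id, wire-format message)."""
    txid = secrets.randbelow(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return txid, header + question


def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-octet big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) domain name; returns (name, next offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg: bytes, expected_txid: int) -> list[str]:
    """Return IPv4 addresses from the answer section of a DNS response.
    Rejects a transaction-id mismatch and any non-zero RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def sample_response(txid: int) -> bytes:
    """Constructed (not captured) response to an A query for example.com:
    one answer, 192.0.2.1 (TEST-NET-1), using name compression."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def resolve_over_tls(name: str, resolver_ip: str, resolver_name: str) -> list[str]:
    """Strict-mode DoT lookup: the certificate presented on resolver_ip:853
    must chain to a trusted CA and match resolver_name (RFC 8310 authentication
    domain name); if verification fails the handshake aborts and nothing is sent."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid, query = build_query(name)
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_name) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_a_records(recv_exact(tls, length), txid)


if __name__ == "__main__":
    # Assumed example endpoint (Quad9); any DoT resolver and its certificate name will do.
    print(resolve_over_tls("example.com", "9.9.9.9", "dns.quad9.net"))
```

The only difference from a DNS-over-TCP client is the TLS layer and the certificate check, which is what prevents an on-path attacker from reading or rewriting the query; everything the resolver receives is still the standard DNS message, so it can log or filter it like any plaintext resolver, and that is also why DNS-based filtering products notice when clients switch to port 853.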