DNS over TLS (DoT) encrypts DNS queries between your machine and the resolver, so ISPs and anyone else on the network path can neither read nor tamper with them. Unlike traditional unencrypted DNS, DoT protects the DNS step of your browsing at the network level; it does not hide the IP addresses you then connect to. This guide covers implementing DoT on Linux and Windows systems.
Understanding DNS Over TLS
Traditional DNS Problem:
- You visit example.com
- DNS query: “What’s example.com’s IP?”
- Query sent unencrypted to your ISP’s DNS server
- ISP sees which sites you visit
- Governments can mandate surveillance
DNS over TLS Solution:
- Same DNS query encrypted with TLS
- ISP sees an encrypted connection to the resolver, not the names being looked up
- Only metadata remains visible (resolver address, timestamp, size)
- Prevents most DNS-level tracking and tampering
DNS over TLS differs from DNS over HTTPS (DoH):
- DoH: Wraps DNS in HTTPS on port 443, so it blends in with web traffic and is hard to block selectively; because browsers can use it on their own, it also lets applications bypass the operating system's resolver, which is the privacy and policy concern administrators raise
- DoT: Plain TLS on its own port, 853, so it is easy for a network to identify and block, but equally easy to allow, monitor and troubleshoot; it is what system resolvers such as systemd-resolved and Unbound implement
Both encrypt DNS with the same TLS. This guide covers DoT specifically.
Linux Setup
Using systemd-resolved (Easiest)
Modern distributions run systemd-resolved as the local stub resolver (it listens on 127.0.0.53 and forwards upstream), and it supports DoT natively.
Check Current Configuration:
resolvectl status
This shows the servers currently in use, globally and per interface.
Enable DNS over TLS:
Edit /etc/systemd/resolved.conf (or put the same keys in a drop-in file under /etc/systemd/resolved.conf.d/):
sudo nano /etc/systemd/resolved.conf
Uncomment and set these lines in the [Resolve] section:
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google
FallbackDNS=9.9.9.9#dns.quad9.net
Domains=~.
DNSSEC=yes
DNSOverTLS=yes
Configuration Explanation:
- DNS=: Primary DNS servers (Cloudflare 1.1.1.1, Google 8.8.8.8). The #hostname suffix matters: resolved sends it as the TLS server name (SNI) and checks the server's certificate against it. Without it the certificate can only be matched against the IP address.
- FallbackDNS=: Servers used only when no DNS server is configured at all (Quad9 9.9.9.9). It is not a backup for a failing primary; for that, list a second server in DNS=.
- Domains=~.: Prefer the global servers above for every lookup instead of the per-interface servers handed out by DHCP, which usually do not speak DoT and would fail in strict mode.
- DNSSEC=yes: Validate signatures and refuse answers that fail validation. If you run into domains with broken signing, allow-downgrade is the lenient alternative.
- DNSOverTLS=yes: Strict mode; every upstream connection must be TLS. The other value, opportunistic, tries TLS and silently falls back to plaintext, which gives no protection against an active attacker on the path.
Leave DNSSECNegativeTrustAnchors= at its default. Setting it to an empty value removes the built-in exceptions for private zones such as 10.in-addr.arpa, which then fail validation.
Apply Changes:
sudo systemctl restart systemd-resolved
Make sure /etc/resolv.conf points at the stub (on Debian and Ubuntu it is a symlink to /run/systemd/resolve/stub-resolv.conf); otherwise applications bypass resolved and its DoT setting entirely.
Verify DoT Enabled:
resolvectl status
The Protocols line of the Global section should include +DNSOverTLS (older releases print "DNS over TLS setting: yes"). Then resolve a name and confirm the traffic leaves on port 853:
resolvectl query example.com
sudo ss -tnp '( dport = :853 )'
Using Unbound (Advanced)
Unbound is a recursive DNS resolver offering maximum control:
Install Unbound:
sudo apt update
sudo apt install unbound unbound-anchor
Configure Unbound for DoT:
Debian and Ubuntu include /etc/unbound/unbound.conf.d/*.conf from the main file, so the cleanest place for this is a new file /etc/unbound/unbound.conf.d/dot.conf (adding it to /etc/unbound/unbound.conf also works):
sudo nano /etc/unbound/unbound.conf.d/dot.conf
Add this configuration:
server:
    interface: 127.0.0.1
    interface: ::1
    port: 53
    verbosity: 1
    access-control: 127.0.0.1 allow
    access-control: ::1 allow
    # DNSSEC validation. The key file is maintained by unbound-anchor.
    # Debian and Ubuntu already ship this line in root-auto-trust-anchor-file.conf; omit it there.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # CA bundle used to verify the upstream resolvers' certificates.
    # Without it forward-tls-upstream encrypts but does not authenticate the upstream.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
# Forward queries to public resolvers over TLS
forward-zone:
    name: "."
    # ip@port#name: the name is sent as SNI and the certificate is checked against it
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
    forward-tls-upstream: yes
Two lines from the usual copy-pasted version are deliberately absent: protocol: do53 is not an Unbound option, and trust-anchor-file pointing at the same root.key as auto-trust-anchor-file loads the key twice; auto-trust-anchor-file is the one that follows root key rollovers. forward-ssl-upstream is the older spelling of forward-tls-upstream and is still accepted.
Check the syntax before starting:
sudo unbound-checkconf
Start Unbound:
sudo systemctl restart unbound
sudo systemctl enable unbound
Point System to Unbound:
If systemd-resolved is running it manages /etc/resolv.conf and will overwrite a hand edit, so set DNS=127.0.0.1 and DNSOverTLS=no in /etc/systemd/resolved.conf (Unbound now does the TLS hop) and restart it. Without resolved, write resolv.conf directly:
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
Verify Resolution:
dig @127.0.0.1 example.com
(dig is in the dnsutils package.) The query should resolve through Unbound, and ss should show an established connection from unbound to port 853:
sudo ss -tnp '( dport = :853 )'
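As an added example that is not part of this guide or of Unbound, here is a small checker that encodes the rules above (TLS upstream enabled, a CA source configured, port 853 and an authentication name on every forward-addr) and runs them over two constructed configs: one shaped like the common mistake, which unbound-checkconf accepts because it is syntactically valid, and the corrected one. The file names and addresses are the ones used in this section.

```python
"""Lint an Unbound forward-zone for DoT mistakes that leave queries encrypted
but unauthenticated, or not encrypted at all. Added example; the two configs
below are constructed for illustration and are not shipped by Unbound."""
import re

# Constructed "weak" config: no CA bundle, no auth names, one upstream on port 53.
WEAK_CONF = """\
server:
    interface: 127.0.0.1
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853   # Cloudflare with TLS
    forward-addr: 8.8.8.8       # forgot @853: TLS attempted on the plain DNS port
    forward-ssl-upstream: yes
"""

# Constructed corrected config: CA bundle plus ip@853#authname on every upstream.
FIXED_CONF = """\
server:
    interface: 127.0.0.1
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
    forward-tls-upstream: yes
"""


def parse_forward_addr(value):
    """Split Unbound's 'ip[@port][#authname]' syntax; port defaults to 53."""
    auth = None
    if "#" in value:
        value, auth = value.split("#", 1)
    port = 53
    if "@" in value:
        value, port_str = value.split("@", 1)
        port = int(port_str)
    return value, port, auth


def lint_unbound(conf):
    """Return a list of findings; an empty list means the forward-zone is strict DoT."""
    tls_upstream = cert_source = False
    addrs = []
    for raw in conf.splitlines():
        # Drop ' # comment'. A '#' glued to the previous token is an auth name, not a comment.
        line = re.sub(r"\s#.*$", "", raw).strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key in ("forward-tls-upstream", "forward-ssl-upstream"):   # new and old spelling
            tls_upstream = value == "yes"
        elif key == "tls-cert-bundle" and value.strip('"'):
            cert_source = True
        elif key == "tls-system-cert" and value == "yes":              # system CA store alternative
            cert_source = True
        elif key == "forward-addr":
            addrs.append(parse_forward_addr(value))
    findings = []
    if not tls_upstream:
        findings.append("forward-tls-upstream is not 'yes': queries are forwarded in cleartext")
        return findings
    if not cert_source:
        findings.append("no tls-cert-bundle or tls-system-cert: upstream certificates are never validated")
    for ip, port, auth in addrs:
        if port != 853:
            findings.append("%s: port %d is not the DoT port 853" % (ip, port))
        if auth is None:
            findings.append("%s: no #authname, so the certificate is not checked against a name" % ip)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_unbound(conf) or ["ok"])
```

The weak config produces four findings (missing CA source, two upstreams without an authentication name, one on the wrong port); the fixed config produces none. The same three checks apply to a systemd-resolved configuration, where the equivalents are DNSOverTLS=yes and the #name suffix on each DNS= entry.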
Using dnscrypt-proxy
dnscrypt-proxy is lightweight and straightforward, but note what it speaks: DNSCrypt, DNS over HTTPS and Anonymized DNSCrypt, not DoT. It belongs here only as an encrypted alternative when you cannot use a DoT upstream; if you need DoT specifically, use systemd-resolved or Unbound above.
Install:
sudo apt install dnscrypt-proxy
Configure:
The configuration file is TOML, /etc/dnscrypt-proxy/dnscrypt-proxy.toml:
sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml
Find and modify:
listen_addresses = ['127.0.0.1:53']
server_names = ['cloudflare', 'quad9-doh', 'google-dns']
require_dnssec = true
require_nolog = true
require_nofilter = true
server_names must match entries in the public resolver list the proxy downloads; run dnscrypt-proxy -list to print the names currently available. The require_* options are filters on that list, so check they do not exclude the servers you named (require_nofilter, for instance, rules out Quad9's blocklist-filtering endpoints). On Debian and Ubuntu the package ships a socket unit whose address takes precedence over listen_addresses (127.0.2.1:53 by default); see systemctl cat dnscrypt-proxy.socket.
Start Service:
sudo systemctl start dnscrypt-proxy
sudo systemctl enable dnscrypt-proxy
Update resolv.conf:
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
Use 127.0.2.1 instead if the socket unit listens there. On a system running systemd-resolved, which owns /etc/resolv.conf, set DNS=127.0.0.1 (or 127.0.2.1) in /etc/systemd/resolved.conf rather than editing the file.
Windows Setup
Using Windows 11 Built-In Encrypted DNS
Windows 11 can encrypt DNS natively, but what the Settings app offers is DNS over HTTPS, not DoT: the protocol dropdown reads "Encrypted only (DNS over HTTPS)", and the DNS client only encrypts to servers that have a DoH template in its list (Cloudflare, Google and Quad9 are pre-registered). For DoT on Windows, run a local forwarder such as the Windows build of Unbound, configured as in the Linux section, and point the adapter at 127.0.0.1.
Enable via Settings:
- Open Settings → Network & Internet
- Click Advanced network settings
- Scroll to DNS server assignment
- Click Edit and switch from Automatic (DHCP) to Manual, then turn on IPv4
- Enter the provider's addresses and set the DNS over HTTPS dropdown to Encrypted only (DNS over HTTPS):
- Cloudflare (1.1.1.1, 1.0.0.1)
- Google (8.8.8.8, 8.8.4.4)
- Quad9 (9.9.9.9, 149.112.112.112)
Verify Configuration:
Open PowerShell as administrator:
Get-DnsClientDohServerAddress
Get-DnsClientServerAddress -AddressFamily IPv4
The first command lists the servers the client will upgrade to DoH, with their templates and whether fallback to plaintext UDP is allowed (AllowFallbackToUdp should be False for an encrypted-only setup); the second shows which of those servers your adapter actually uses.
Using Cloudflare WARP (Easiest)
Cloudflare's WARP client encrypts DNS, but it does so inside its own tunnel rather than through a DoT setting you can toggle:
Download and Install:
- Visit 1.1.1.1 (one.one.one.one) in a browser and download the WARP client for Windows
- Run the installer
- Grant administrative permissions
- Launch WARP
Configure:
- Click the WARP icon in the system tray and open Preferences
- Choose the mode: the DNS-only mode (1.1.1.1 only) encrypts just DNS to Cloudflare; WARP mode also routes all other traffic through Cloudflare's network
- Optionally enable 1.1.1.1 for Families (malware only, or malware and adult content)
Once connected, WARP handles all DNS queries. Confirm at 1.1.1.1/help, which reports whether your resolver is Cloudflare's and how the connection is encrypted.
Using Quad9 DNS
Quad9 refuses to resolve domains on its malware and phishing blocklists:
Manual Configuration:
- Open Control Panel → Network and Internet → Network Connections
- Right-click your network → Properties
- Select Internet Protocol Version 4 (TCP/IPv4) → Properties
- Choose "Use the following DNS server addresses"
- Set Preferred DNS: 9.9.9.9
- Set Alternate DNS: 149.112.112.112
- Click OK
The Control Panel dialog only sets the addresses; encryption is chosen in the Settings app (Encrypted only, DNS over HTTPS, for which Quad9 is pre-registered). Quad9's DoT endpoint, for a local forwarder such as Unbound, is dns.quad9.net on port 853, i.e. forward-addr: 9.9.9.9@853#dns.quad9.net.
Using NextDNS (Advanced)
NextDNS provides a per-account configuration with DoT, DoH and a query dashboard:
Create Account:
- Visit nextdns.io
- Create a free account
- Configure blocking preferences:
- Security: Blocks malware domains
- Privacy: Blocks trackers
- Parental control: Age-appropriate filtering
Windows Configuration:
- Download the NextDNS Windows app from the website
- Install and launch it
- Sign in with your NextDNS account
- DNS queries are encrypted automatically
- The dashboard shows queries in real time (only if logging is enabled for the configuration)
The Setup page of your configuration also shows its DoT endpoint, <id>.dns.nextdns.io on port 853, together with its IP addresses; that is what you give systemd-resolved or Unbound if you prefer a system resolver over the app.
Verifying DoT Is Working
Test 1: TLS Handshake on Port 853
A plain port test only proves the server is reachable; it says nothing about your own resolver. Check reachability, then a real TLS handshake with the provider's name:
# Linux/Mac
openssl s_client -connect 1.1.1.1:853 -servername cloudflare-dns.com </dev/null
# Windows PowerShell
Test-NetConnection -ComputerName 1.1.1.1 -Port 853
openssl should print the certificate chain and "Verify return code: 0 (ok)"; Test-NetConnection should report TcpTestSucceeded : True.
Test 2: Wireshark Packet Inspection
- Download Wireshark (wireshark.org)
- Start a capture on the network interface (not loopback)
- Make a DNS query:
nslookup example.com
- Filter with "dns": nothing should match, because plaintext DNS now exists only on loopback, between applications and the local stub
- Filter with "tcp.port == 853": the query appears as TLS Application Data to your upstream resolver
Any "dns" packet leaving the interface is a leak, usually an application with its own resolver or a DHCP-supplied server still in use.
Test 3: Online DoT Verification
- Visit 1.1.1.1/help (only meaningful if Cloudflare is your resolver)
- The page displays whether you reach 1.1.1.1 and over which protocol
- Should show "Using DNS over TLS: Yes"
Test 4: Check Resolution Speed
time nslookup example.com
Run it twice. The first lookup pays for the TLS handshake with the upstream (one or two round trips, so tens of milliseconds); later lookups reuse the open connection or the cache, and the extra cost per query is a few milliseconds at most. dig prints its own "Query time" if you prefer.
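The exchange described in "Understanding DNS Over TLS", and a stricter check than Tests 1 to 4, as an added example that is not part of the original guide: a minimal DoT client that sends a query the way a resolver does, with SNI, certificate verification against the system trust store and the two-byte length prefix DoT borrows from DNS over TCP, then parses the reply. The parser is exercised on a constructed reply so the script can be checked offline; the live lookup at the bottom uses Cloudflare's 1.1.1.1 with the name cloudflare-dns.com, the same pair the configuration sections use. Passing the wrong name, or a resolver whose certificate does not match, raises ssl.SSLCertVerificationError, which is exactly the failure strict mode is supposed to produce.

```python
"""Minimal DNS-over-TLS (RFC 7858) client. Added example, not code from the
original guide. Assumes a DoT resolver at server_ip:853 presenting a
certificate for server_name; the sample reply below is constructed."""
import secrets
import socket
import ssl
import struct

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(qname, qtype=QTYPE_A, txid=None):
    """Encode a recursive DNS query (RD=1) for qname. Returns (txid, wire bytes)."""
    if txid is None:
        txid = secrets.randbits(16)       # random ID: cheap defence against spoofed answers
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags RD, QDCOUNT=1
    name = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        name += bytes([len(raw)]) + raw
    return txid, header + name + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = off + 2                          # a pointer is the last thing in-line
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg, expected_txid):
    """Parse a DNS reply; return rcode, the AD (DNSSEC validated) flag and the answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                                # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, "A", ttl, socket.inet_ntoa(rdata)))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            answers.append((name, "AAAA", ttl, socket.inet_ntop(socket.AF_INET6, rdata)))
        else:
            answers.append((name, "TYPE%d" % rtype, ttl, rdata.hex()))
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020), "answers": answers}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def dot_query(server_ip, server_name, qname, qtype=QTYPE_A, timeout=5.0):
    """Resolve qname over DoT. server_name is sent as SNI and the certificate must
    validate against it: the equivalent of systemd-resolved's 'ip#name'."""
    ctx = ssl.create_default_context()                # CA verification + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid, query = build_query(qname, qtype)
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length), txid)


# Constructed reply to build_query("example.com", txid=0x1234): flags 0x8180 (QR, RD, RA),
# one A record with TTL 3600, owner name given as a compression pointer to offset 12.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, 0x1234))                     # offline parser check
    print(dot_query("1.1.1.1", "cloudflare-dns.com", "example.com"))   # live DoT lookup
```

Compared with Test 1, this proves three things at once: the resolver speaks DNS on 853, its certificate chains to a trusted CA and matches the name you configured, and the reply is a well-formed answer to your query. Sending several queries over one connection is how resolvers amortise the handshake cost measured in Test 4.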
Choosing a DNS Provider
Cloudflare (1.1.1.1):
- Fast, global network
- Published no-logging commitment
- Simple configuration
- DoT name: cloudflare-dns.com (1.1.1.1 and 1.0.0.1)
- Cloudflare can see queries: you move trust from your ISP to the resolver operator
Google DNS (8.8.8.8):
- Fast, reliable
- Google's privacy policy allows temporary logging of client addresses
- Good fallback option
- DoT name: dns.google (8.8.8.8 and 8.8.4.4)
Quad9 (9.9.9.9):
- Blocks known malware and phishing domains
- Recommended for security
- A blocked domain simply fails to resolve; if something legitimate breaks, compare against 9.9.9.10, Quad9's unfiltered service
- Privacy-friendly
- DoT name: dns.quad9.net (9.9.9.9 and 149.112.112.112)
NextDNS:
- Maximum customization
- Real-time dashboard (query logging is optional per configuration)
- Family filtering options
- Small performance cost
- DoT name: <id>.dns.nextdns.io
Troubleshooting
Websites Won't Resolve:
In strict mode (DNSOverTLS=yes, or forward-tls-upstream with an authentication name) every lookup fails if the upstream does not speak DoT, its certificate does not match the configured name, or port 853 is blocked on the network you are on. Read the resolver's own log before changing anything:
# Linux
journalctl -u systemd-resolved -e # or -u unbound
resolvectl status
# Windows
ipconfig /flushdns
Get-DnsClientDohServerAddress
Slow Resolution:
Add a second upstream rather than relying on FallbackDNS=, which systemd-resolved consults only when no other server is configured:
# Linux, edit /etc/systemd/resolved.conf
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
# Windows, add a secondary DNS server in Settings
DoT Not Connecting:
Check firewall rules. DoT is an outbound connection to port 853, so an inbound allow rule does nothing; a rule is needed only if your outgoing policy is deny:
sudo ufw allow out 853/tcp # Linux UFW, only when the default outgoing policy is deny
Windows Firewall allows outbound 853 by default. Captive portals and some corporate networks block 853 outright, which is the most common reason strict DoT fails away from home.
Testing Failed Connections:
Verify that the resolver actually holds a connection to port 853 (a listening-socket filter such as ss -l would only show servers, not clients):
# Linux
sudo ss -tnp '( dport = :853 )'
# Windows PowerShell
netstat -an | findstr 853
Advanced: Local DNS Over TLS Proxy
Forward all DNS through a local forwarder that speaks DoT upstream:
Linux script:
#!/bin/bash
# Route all DNS to the local Unbound instance configured for DoT (see the Unbound section)
set -e
echo "nameserver 127.0.0.1" > /etc/resolv.conf
systemctl restart unbound
# If systemd-resolved owns /etc/resolv.conf, set DNS=127.0.0.1 in resolved.conf instead
Windows batch:
REM Set Quad9 as the static DNS servers; this alone configures plaintext DNS
netsh int ip set dnsservers name="Ethernet" static 9.9.9.9 primary validate=no
netsh int ip add dnsservers name="Ethernet" 149.112.112.112 index=2 validate=no
REM Windows encrypts to these servers only once a DoH template is registered for them
netsh dns add encryption server=9.9.9.9 dohtemplate=https://dns.quad9.net/dns-query autoupgrade=yes udpfallback=no
The Windows commands give you DoH, which is what the built-in client supports; for DoT on Windows, run the Unbound configuration above as a local forwarder and set the adapter's DNS server to 127.0.0.1.
Performance Impact
DoT adds little overhead once a connection is up:
- Connection setup: one TLS handshake (one or two round trips) per upstream connection; resolvers keep the connection open and reuse it, so most queries pay nothing extra
- Query latency on a warm connection: a few milliseconds at most
- CPU usage: Negligible
- Bandwidth: slightly more than plaintext DNS (TLS record framing and the handshake), irrelevant in practice
Performance is not a reason to avoid DoT.
Privacy Considerations
DoT Limitations:
- Your ISP still sees that you talk to a DNS resolver on port 853, and which one
- Timing and size of queries leak some information
- The resolver operator sees every query in the clear; you have moved trust from your ISP to that operator, whose logging policy now matters
- DoT hides the name you asked for, not where you then connect: the destination IP address and, unless Encrypted Client Hello is in use, the TLS server name of the sites you visit remain visible on the network
DoT Strengths:
- Prevents on-path DNS hijacking and response tampering, provided the certificate is verified
- Defeats censorship that works by filtering or forging DNS answers
- Removes the DNS query stream from what a passive network observer can collect
Combine DoT with a VPN if you also want to hide destination addresses from the local network; the VPN provider then occupies the same trusted position the resolver does.
Conclusion
DNS over TLS encrypts your DNS queries so that your ISP and anyone else on the path can no longer read or tamper with them. Implementation is straightforward on Linux (systemd-resolved or Unbound) and on Windows (the built-in encrypted DNS setting, which uses DoH, or a local forwarder for true DoT).
By following this guide you have added an encryption layer that protects your DNS queries from passive surveillance and DNS-based blocking. Remember what it does not cover: destination addresses and TLS server names stay visible, and your resolver operator now sees what your ISP used to.