DNS over TLS#Public resolvers

{{Short description|Protocol to run DNS queries using TLS}}

{{Infobox technology standard
| status = Proposed Standard
| version = {{IETF RFC|7858}}, {{IETF RFC|8310}}
| version_date = May 2016 and March 2018
| organization = IETF
| authors = {{Plainlist|
}}
| abbreviation = DoT
}}

{{Security protocol}}

DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. The well-known port number for DoT is 853.

While DNS over TLS is applicable to any DNS transaction, it was first standardized for use between stub or forwarding resolvers and recursive resolvers, in {{IETF RFC|7858}} in May 2016. Subsequent IETF efforts specify the use of DoT between recursive and authoritative servers ("Authoritative DNS over TLS" or "ADoT"){{cite news |last1=Henderson |first1=Karl |last2=April |first2=Tim |last3=Livingood |first3=Jason |title=Authoritative DNS-over-TLS Operational Considerations |newspaper=Ietf Datatracker |url=https://datatracker.ietf.org/doc/draft-hal-adot-operational-considerations/ |publisher=Internet Engineering Task Force |access-date=17 July 2021 |date= 2020-02-14}} and a related use between authoritative servers (Zone Transfer-over-TLS or "xfr-over-TLS").{{cite news |last1=Mankin |first1=Allison |title=DNS Zone Transfer-over-TLS |newspaper=Ietf Datatracker |url=https://datatracker.ietf.org/doc/html/draft-hzpa-dprive-xfr-over-tls |publisher=Internet Engineering Task Force |access-date=17 July 2021 |date=2019-07-08}}
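The stub-to-recursive exchange described above, as an added example that is not code from the article or from any project it mentions: the query is framed exactly as for DNS over TCP (2-octet length prefix), sent over TLS to port 853, and the resolver's certificate is verified against the name the caller supplies, which is the strict profile of RFC 8310 and what lets the client authenticate the resolver. The server address and TLS name passed to dot_resolve are the caller's choice, and the response bytes at the end are constructed for offline parsing, not captured from any resolver.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):  # minimal query: RD=1, one question, class IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg):
    # DoT reuses the DNS-over-TCP framing: a 2-octet big-endian length prefix
    return struct.pack("!H", len(msg)) + msg

def skip_name(msg, off):  # offset just past a (possibly compressed) name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer terminates the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_a_records(msg):
    """IPv4 addresses in the answer section; [] when RCODE is not NOERROR."""
    _txid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def dot_resolve(name, server_ip, server_name):
    """Strict-privacy lookup (RFC 8310): TLS to port 853, chain and hostname checked."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((server_ip, 853), timeout=5) as raw:  # well-known DoT port
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:  # name also sent as SNI
            tls.sendall(frame(build_query(name)))
            rfile = tls.makefile("rb")
            return parse_a_records(rfile.read(struct.unpack("!H", rfile.read(2))[0]))

# Constructed sample answer (not captured from any resolver): example.com A 192.0.2.1, TTL 3600
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")
```

Because create_default_context() refuses an unverifiable certificate, a resolver whose name does not match, or a middlebox terminating TLS on port 853, fails the handshake instead of silently downgrading.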

Server software

BIND supports DoT connections as of version 9.17.{{Cite web|title=4. BIND 9 Configuration Reference — BIND 9 documentation|url=https://bind9.readthedocs.io/en/latest/reference.html?highlight=DoT#interfaces|access-date=2021-11-14|website=bind9.readthedocs.io|language=en}} Earlier versions offered DoT capability by proxying through stunnel.{{cite web|title=Bind - DNS over TLS|url=https://kb.isc.org/article/AA-01386/0/DNS-over-TLS.html|access-date=2018-05-15|archive-date=2017-10-20|archive-url=https://web.archive.org/web/20171020030829/https://kb.isc.org/article/AA-01386/0/DNS-over-TLS.html|url-status=dead}} Unbound has supported DNS over TLS since 22 January 2023.{{Cite web|url=https://nlnetlabs.nl/svn/unbound/tags/release-1.7.3/doc/Changelog|title=Unbound version 1.7.3 Changelog|access-date=2018-08-07|archive-date=2018-08-07|archive-url=https://web.archive.org/web/20180807064027/https://nlnetlabs.nl/svn/unbound/tags/release-1.7.3/doc/Changelog|url-status=dead}}{{Cite news|url=https://www.ctrl.blog/entry/unbound-tls-forwarding|title=Actually secure DNS over TLS in Unbound|last=Aleksandersen|first=Daniel|work=Ctrl blog|access-date=2018-08-07|language=en}} Unwind has supported DoT since 29 January 2023.{{Cite web|url=https://marc.info/?l=openbsd-cvs&m=154859286717496&w=2|title=openbsd-cvs mailing list archives}}{{Cite web|url=https://marc.info/?l=openbsd-cvs&m=155408952506689&w=2|title=openbsd-cvs mailing list archives}} With Android Pie's support for DNS over TLS, some ad blockers now offer the encrypted protocol as a relatively easy way to reach their services, instead of the work-arounds previously required, such as VPNs and proxy servers.{{Cite web|url=https://blockerdns.com/|title=blockerDNS - Block Ads and Online Trackers So You Can Browse the Web Privately on Your Android Phone Without Installing an App!|website=blockerdns.com|access-date=2019-08-14}}{{Cite web|url=https://adguard.com/en/blog/adguard-dns-announcement.html|title=The official release of AdGuard DNS — a new unique approach to privacy-oriented DNS|website=AdGuard Blog|language=en|access-date=2019-08-14}}{{Cite web|url=https://blahdns.com/|title=Blahdns -- Dns service support DoH, DoT, DNSCrypt|website=blahdns.com|access-date=2019-08-14}}{{Cite web |title=NextDNS |url=https://nextdns.io/ |access-date=2023-12-16 |website=NextDNS |language=en}}

Client software

Android clients running Android Pie or newer support DNS over TLS and will use it by default if the network infrastructure, for example the ISP, supports it.{{Cite web|url=https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html|title=DNS over TLS support in Android P Developer Preview|website=Android Developers Blog|language=en|access-date=2019-12-07}}{{Cite web|date=August 23, 2018|first=Jack|last=Wallen|title=How to enable DNS over TLS in Android Pie|url=https://www.techrepublic.com/article/how-to-enable-dns-over-tls-in-android-pie/|access-date=2021-03-17|website=TechRepublic|language=en}}

In April 2018, Google announced that Android Pie would include support for DNS over TLS,{{cite web|date=April 17, 2018|title=DNS over TLS support in Android P Developer Preview|url=https://security.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html|work=Google Security Blog}} allowing users to set a DNS server phone-wide on both Wi-Fi and mobile connections, an option that was historically only possible on rooted devices. DNSDist, from PowerDNS, also announced support for DNS over TLS in version 1.3.0.{{cite web|title=DNS-over-TLS|url=https://dnsdist.org/guides/dns-over-tls.html|access-date=25 April 2018|website=dnsdist.org}}

Linux and Windows users can use DNS over TLS as a client through the NLnet Labs stubby daemon or Knot Resolver.{{Cite web|url=https://www.knot-resolver.cz/|title=Knot Resolver}} Alternatively they may install getdns-utils{{Citation |url=https://packages.ubuntu.com/search?keywords=getdns-utils|title=Package: getdns-utils|access-date=2019-04-04|language=en}} to use DoT directly with the getdns_query tool. The unbound DNS resolver by NLnet Labs also supports DNS over TLS.{{Cite web|title=Unbound - About|url=https://nlnetlabs.nl/projects/unbound/about/|website=NLnet Labs|language=en|access-date=2020-05-26}}

Apple's iOS 14 introduced OS-level support for DNS over TLS (and DNS over HTTPS). iOS does not allow manual configuration of DoT servers, and requires the use of a third-party application to make configuration changes.{{Cite web|last=Cimpanu|first=Catalin|title=Apple adds support for encrypted DNS (DoH and DoT)|url=https://www.zdnet.com/article/apple-adds-support-for-encrypted-dns-doh-and-dot/|access-date=2020-10-03|website=ZDNet|language=en}}

systemd-resolved is a Linux-only implementation that can be configured to use DNS over TLS, by editing /etc/systemd/resolved.conf and enabling the setting DNSOverTLS.{{cite web |title=resolved.conf manual page |url=https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS= |access-date=16 December 2019}}{{cite web |title=Fedora Magazine: Use DNS over TLS |date=10 July 2020 |url=https://fedoramagazine.org/use-dns-over-tls/ |access-date=4 September 2020}} Most major Linux distributions have systemd installed by default.{{cite web |title=Systemd adoption |url=https://en.wikipedia.org/wiki/Systemd#Adoption |access-date=16 December 2019}}{{Circular reference|date=November 2020}}

Public resolvers

DNS over TLS was first implemented in a public recursive resolver by Quad9 in 2017.{{cite web |last1=Band |first1=Alex |title=Privacy: Using DNS-over-TLS with the Quad9 DNS Service |url=https://medium.com/nlnetlabs/privacy-using-dns-over-tls-with-the-new-quad9-dns-service-1ff2d2b687c5 |publisher=Medium |access-date=17 July 2021 |date=2017-11-20 |quote=Recently the Quad9 DNS service was launched. Quad9 differentiates from similar services by focusing on security and privacy. One interesting feature is the fact that you can communicate with the service using DNS-over-TLS. This encrypts the communication between your client and the DNS server, safeguarding your privacy.}}{{cite web |last1=Bortzmeyer |first1=Stéphane |title=Quad9 is a public DNS resolver, with promises of better privacy, and a DNS-over-TLS access |url=https://labs.ripe.net/author/stephane_bortzmeyer/quad9-a-public-dns-resolver-with-security/ |publisher=RIPE Labs |access-date=17 July 2021 |date=2017-11-21 |quote=Last week, the new DNS resolver Quad9 has been announced. It is a public DNS resolver with the additional benefit that it is accessible in a secure way over TLS (RFC 7858). There are plenty of public DNS resolvers, but the link to them is not secure. This allows hijackings, as seen in Turkey, as well as third-party monitoring. The new Quad9 service on the other hand is operated by the not-for-profit Packet Clearing House (PCH), which manages large parts of the DNS infrastructure, and it allows access to the DNS over TLS. This makes it very difficult for third parties to listen in. And it makes it possible to authenticate the resolver.}} Other recursive resolver operators such as Google and Cloudflare followed suit in subsequent years, and it is now a broadly supported feature generally available in most large recursive resolvers.{{Cite web|title=Public DNS resolver Anycast DNS for All|url=https://www.dnslify.com/services/resolver/|website=www.dnslify.com|access-date=2020-05-26|archive-date=2020-07-24|archive-url=https://web.archive.org/web/20200724052150/https://www.dnslify.com/services/resolver/|url-status=dead}}{{Cite web|title=Telsy TRT|url=https://blog.telsy.com/strengthen-android-privacy-and-security-via-telsy-free-secure-dns-over-tls/|language=en-US|access-date=2020-05-26|archive-date=2021-01-31|archive-url=https://web.archive.org/web/20210131092723/https://blog.telsy.com/strengthen-android-privacy-and-security-via-telsy-free-secure-dns-over-tls/|url-status=dead}}{{Cite news|url=https://arstechnica.com/information-technology/2018/04/how-to-keep-your-isps-nose-out-of-your-browser-history-with-encrypted-dns/|title=How to keep your ISP's nose out of your browser history with encrypted DNS|work=Ars Technica|access-date=2018-04-08|language=en-us}}{{Cite web|url=https://developers.cloudflare.com/1.1.1.1/dns-over-tls/|title=DNS over TLS - Cloudflare Resolver|website=developers.cloudflare.com|language=en|access-date=2018-04-08}}{{Cite web|url=https://security.googleblog.com/2019/01/google-public-dns-now-supports-dns-over.html|title=Google Public DNS now supports DNS-over-TLS|website=Google Online Security Blog|language=en|access-date=2019-01-10}}{{Cite web|url=https://labs.ripe.net/Members/stephane_bortzmeyer/quad9-a-public-dns-resolver-with-security|title=Quad9, a Public DNS Resolver - with Security|website=RIPE Labs|date=21 November 2017 |access-date=2018-04-08}}{{cite web|title=Troubleshooting DNS over TLS|date=13 May 2018|url=https://medium.com/@nykolas.z/troubleshooting-dns-over-tls-e7ca570b6337}}{{User-generated source|date=January 2019}}{{Cite web|url=https://libredns.gr/|title=LibreDNS|website=LibreDNS|language=en|access-date=2019-10-20}}

Criticisms and implementation considerations

DoT can impede analysis and monitoring of DNS traffic for cybersecurity purposes. DoT has been used to bypass parental controls that operate at the (unencrypted) standard DNS level; however, there are DNS providers that offer filtering and parental controls along with support for both DoT and DoH.{{cite news |last1=Gallagher |first1=Sean |title=New Quad9 DNS service blocks malicious domains for everyone |url=https://arstechnica.com/information-technology/2017/11/new-quad9-dns-service-blocks-malicious-domains-for-everyone/ |access-date=14 November 2021 |publisher=Ars Technica |date=16 November 2017 |quote=The system blocks domains associated with botnets, phishing attacks, and other malicious Internet hosts.}} In that scenario, DNS queries are checked against block lists once they are received by the provider rather than before they leave the user's router.

As with any communication, encryption of DNS requests by itself does not protect privacy. It protects against third-party observers, but does not guarantee what the endpoints do with the (then decrypted) data.

DoT clients do not necessarily query any authoritative name servers directly. The client may rely on the DoT server using traditional (port 53 or 853) queries to finally reach authoritative servers. Thus DoT is not an end-to-end encrypted protocol; it is only hop-to-hop encrypted, and only on those hops where DNS over TLS is actually used.

Alternatives

DNS over HTTPS (DoH) is a similar protocol standard for encrypting DNS queries, differing from DoT only in the methods used for encryption and delivery. On the basis of privacy and security, which of the two protocols is superior is a matter of debate, while others argue that the merits of either depend on the specific use case.{{Cite web |last=Claburn |first=Thomas |title=Google rolls out pro-privacy DNS-over-HTTPS support in Chrome 83... with a handy kill switch for corporate IT |date=2020-05-20 |url=https://www.theregister.com/2020/05/20/google_chrome_83/ |access-date=2021-02-03 |website=The Register |language=en}}

DNSCrypt is another network protocol that authenticates and encrypts DNS traffic, although it was never proposed to the Internet Engineering Task Force (IETF) with a Request for Comments (RFC).

See also

References

{{reflist}}