DNS over TLS (DoT)
By default, DNS is sent over a plaintext connection. DNS over TLS (DoT) is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications.
Cloudflare supports DoT on standard port 853
and is compliant with RFC7858 ↗.
Each Gateway DNS location has a unique DoT hostname. DNS locations and corresponding DoT hostnames have policies associated with them.
- In Zero Trust ↗, go to Gateway > DNS Locations.
- If you have more than one location set up, you will see a list of all your locations.
- Expand the location card for the location whose DoT hostname you’d like to retrieve.
- Get the DoT hostname for the location.
In the example below, the DoT hostname is: 9y65g5srsm.cloudflare-gateway.com
.
Next, configure your DoT client with the DoT hostname.
Depending on your operating system, you can choose from a variety of standalone DoT clients.
To configure your DoT client, enter the following IP address and the DoT hostname for your location (for example, 9y65g5srsm.cloudflare-gateway.com
):
Alternatively, stub resolvers (e.g., Unbound) support DoT natively. An example configuration is shown below.
Each DNS location has a unique DoT hostname and IPv6 address. Remember to substitute your location’s values into the <IPv6 address>
and <DoT hostname>
fields.
Cloudflare’s DNS over TLS supports TLS 1.3 and TLS 1.2.