DNS over TLS – All the things you need to know

DNS over TLS is a protocol where DNS queries will be encrypted to the same level as HTTPS. This means the provider can’t actually log or see the websites you visit. Is it really better? We will find it out – hang on!

[Figure: DNS over TLS – how to send DNS over anything encrypted. Picture source: Men and Mice]

Here is an example of what it looks like (a resolver queried over a TLS connection from the command line; the resolver host and the queried name are left out of the original, so they appear here as placeholders):

# Example DNS data returned via TLS
# <resolver-host>:<port> is a placeholder; -crlf turns the LF at the end of each
# typed line into the CRLF that HTTP/1.1 requires (shown as ^M in the original).
# -verify 9 only sets the chain depth; add -verify_return_error to abort on a bad cert.
openssl s_client -tls1_2 -ign_eof -crlf \
   -connect <resolver-host>:<port> -verify 9 <<eof
GET /resolve?\&type=dnskey HTTP/1.1
Connection: keep-alive

GET /resolve?\&type=dnskey HTTP/1.1
Connection: close

eof
# Check the IP

Theoretically any attacker can still see the domain name through the Host header, and nothing stops them from intercepting or modifying the request or response. That alone is already a bummer!

When the transport is SSL/TLS, the domain name is carried in the SNI field (the SNI leak); SNI itself isn’t encrypted. You’ll inevitably have to disable it every time you use public Wi-Fi, e.g. to get the captive portal to show up. Using TLS adds latency because of the TCP handshake it requires (unless DTLS is used), and it exposes all the domain names you visit to Google, so in that respect it’s actually worse than regular DNS. A workaround is TCP Fast Open, which removes the TCP handshake latency.

What about DNSSEC?

DNSSEC gives you something the other options don’t: authenticated data, including authenticated non-existence. That’s in my opinion a big deal. The point is that DNSSEC can be used to secure more hops than DNS-over-TLS, but DNS-over-TLS can secure the last hop without any opt-in by the domain owner.

DNSSEC is secure enough because the root is protected. DNSSEC is not trying to solve the problem of privacy, only authentication.
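Authenticated non-existence is the part of DNSSEC that DNS-over-TLS cannot give you, so here is an added example (not from the original post) of the logic behind it: an NSEC record says "nothing exists between this owner name and the next name", using the canonical ordering of RFC 4034 §6.1. The zone `example.com` and its NSEC chain are constructed for the example, and it assumes the chain has already been signature-validated (RRSIG checking is not shown); wildcards and delegation points are out of scope.

```python
def canonical_key(name: str):
    """RFC 4034 §6.1 ordering key: labels compared from the root down, case-insensitively.
    A name sorts before every name it is a parent of (shorter tuple < longer tuple)."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if the NSEC record owner -> next_name proves that qname does not exist.
    The last NSEC of a chain points back to the zone apex, so it covers the wrap-around."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around: everything after owner and before the apex

def prove_nonexistence(nsec_chain, qname: str):
    """Scan a validated NSEC chain. Return the (owner, next) pair that covers qname,
    or None when the name exists (an NSEC owned by it is present) or no record covers it."""
    for owner, next_name, type_bitmap in nsec_chain:
        if canonical_key(owner) == canonical_key(qname):
            return None  # name exists; type_bitmap says which record types it has
        if nsec_covers(owner, next_name, qname):
            return (owner, next_name)
    return None

# Constructed zone: apex -> a -> c -> apex. Each entry: (owner, next, types present at owner).
SAMPLE_NSEC_CHAIN = [
    ("example.com.",   "a.example.com.", {"SOA", "NS", "NSEC", "RRSIG"}),
    ("a.example.com.", "c.example.com.", {"A", "NSEC", "RRSIG"}),
    ("c.example.com.", "example.com.",   {"A", "NSEC", "RRSIG"}),
]

if __name__ == "__main__":
    for q in ("b.example.com.", "Z.EXAMPLE.COM.", "a.example.com."):
        print(q, "->", prove_nonexistence(SAMPLE_NSEC_CHAIN, q))
```

An unsigned NXDOMAIN over DoT tells you only that the resolver said so; a covering NSEC (with a valid RRSIG) lets the client verify that the zone owner asserted the name does not exist, which is what the post means by authenticated non-existence.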


DNSCrypt is a homebrew protocol very similar to DNS over TLS; likewise, its client has to explicitly trust the public signing key of the chosen provider.


DNS over TLS will not lead to full privacy with the flip of a simple toggle. If a different DNS service provider you decide to connect to does opt to enable DNS over TLS, they’ll get your DNS traffic instead of your ISP. DNS requests will be encrypted, but the DNS over TLS server still gets to see your entire DNS traffic, though that alone might be a step above using your ISP’s servers without DNS over TLS. At least this way, your ISP won’t be able to attach your queries to the IP you’ve been assigned, and thus to your name.

DNS-over-TLS and DNSCrypt are more about authentication than privacy. They are useful against the guy sitting behind you at Starbucks doing DNS injection.

  • It won’t replace a VPN – unless you are using a VPN or Tor, the IP of the site you’re connecting to is present in every TCP / UDP / ICMP packet you send out!
  • If DNS is over TLS, it can’t be transparently proxied. That said, we are then talking about censorship circumvention and its possibilities.
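The transport the whole post is about is simple on the wire: RFC 7858 sends ordinary DNS messages inside a TLS session on port 853, each prefixed by a two-byte length. The following added example (not from the original post or any DoT implementation) builds a query, frames it, splits a TLS payload stream back into messages (handling a partial trailing message), parses A records out of a constructed response, and shows a verified `resolve_over_tls` client; `dns.example.net` in the usage is a placeholder for a real DoT resolver's certificate name, and `192.0.2.1` is a constructed TEST-NET address.

```python
import random
import socket
import ssl
import struct

def build_query(qname: str, qtype: int = 1, txid: int = None) -> bytes:
    """Wire-format DNS query (RFC 1035): 12-byte header with RD set, then one question."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # qclass IN

def frame_for_tls(msg: bytes) -> bytes:
    """RFC 7858 §3.3: every DNS message over TLS is prefixed with a 2-octet big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def unframe(stream: bytes):
    """Split a TLS payload stream into complete DNS messages.
    Returns (messages, leftover) so a partial message can be completed by the next read."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        n = struct.unpack("!H", stream[pos:pos + 2])[0]
        if pos + 2 + n > len(stream):
            break  # incomplete message; keep it in leftover
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs, stream[pos:]

def _skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:  # compression pointer: 2 bytes and the name ends
            return pos + 2
        if n == 0:
            return pos + 1
        pos += 1 + n

def parse_response(msg: bytes):
    """Return (txid, rcode, list of IPv4 strings from A records in the answer section)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4  # qtype + qclass
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return txid, flags & 0x000F, addrs

# Constructed response to a query for example.com A: txid 0x1234, flags QR|RD|RA, one answer.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

def resolve_over_tls(resolver_host: str, qname: str, port: int = 853, timeout: float = 5.0):
    """One DoT round trip with certificate chain and hostname verification (needs network).
    resolver_host is a placeholder: the resolver's name as it appears in its certificate."""
    ctx = ssl.create_default_context()  # verifies the chain and matches server_hostname
    txid = random.randrange(0, 0x10000)
    with socket.create_connection((resolver_host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_host) as tls:
            tls.sendall(frame_for_tls(build_query(qname, txid=txid)))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("resolver closed the connection before answering")
                buf += chunk
                msgs, buf = unframe(buf)
                if msgs:
                    resp = parse_response(msgs[0])
                    if resp[0] != txid:
                        raise ValueError("transaction id mismatch")
                    return resp

if __name__ == "__main__":
    msgs, _ = unframe(frame_for_tls(SAMPLE_RESPONSE))
    print("offline parse:", parse_response(msgs[0]))
    # print(resolve_over_tls("dns.example.net", "example.com."))  # placeholder resolver; needs network
```

Two details matter for the trust argument in the post: `create_default_context` plus `server_hostname` is what stops an on-path party from presenting its own certificate, and checking the transaction id ties the answer to the query. Neither changes the fact that the resolver itself sees every name you ask for.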


12 replies on “DNS over TLS – All the things you need to know”

Do you mind if I quote a few of your posts as long as I
provide credit and sources back to your site? My website is
in the very same niche as yours and my visitors would
really benefit from some of the information you present here.
Please let me know if this is ok with you. Many thanks!


I feel that is one of the so much important information for me.
And I am satisfied reading your article. But want to remark
on some general issues, The web site taste is great,
the articles is really nice : D. Excellent process, cheers


First of all I want to say excellent blog! I had a quick question in which I’d like to ask if you do
not mind. I was interested to know how you center yourself and clear your thoughts prior
to writing. I have had trouble clearing my thoughts
in getting my ideas out. I do take pleasure in writing but it just seems like the first 10 to 15 minutes are wasted simply just
trying to figure out how to begin. Any recommendations or tips?



Hey, I think your website might be having browser compatibility issues.

When I look at your website in Firefox, it looks fine but when opening in Internet Explorer,
it has some overlapping. I just wanted to give you
a quick heads up! Other than that, awesome blog!


Hi! Would you mind if I shared your blog with my Facebook group?
There are a lot of people who I think would really enjoy
your content. Please let me know. Many thanks


We’re a group of volunteers and opening a new scheme in our
community. Your site provided us with valuable info to work on. You have
done a formidable job and our whole community will
be thankful to you.


I loved as much as you’ll receive carried out right here.
The sketch is attractive, your authored subject matter stylish.
nonetheless, you command get got an impatience over that you wish be delivering the following.
unwell unquestionably come further formerly again as
exactly the same nearly a lot often inside case you shield this hike.


How about trusting your VPN on its DNS servers? We already somehow trust them to have zero log policy and their clients automatically make us use their DNS servers.


There is no such thing as ‘no logging’ – logging is a part of each backend and removing it requires re-writing almost everything to avoid it. I doubt that anyone is going to do it. Besides this, we already know from some VPN providers that they log.

You shouldn’t use an alternative DNS while you’re behind a VPN; it would slow down the DNS requests and there is no security benefit, except that the alternative might end up leaking data.
