Skip to content

DNS over TLS (DoT)

By default, DNS is sent over a plaintext connection. DNS over TLS (DoT) is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications.

Cloudflare supports DoT on standard port 853 and is compliant with RFC7858.

1. Obtain your DoT hostname

Each Gateway DNS location has a unique DoT hostname. DNS locations and corresponding DoT hostnames have policies associated with them.

  1. In Zero Trust, go to Gateway > DNS Locations.
  2. If you have more than one location set up, you will see a list of all your locations.
  3. Expand the location card for the location whose DoT hostname you’d like to retrieve.
  4. Get the DoT hostname for the location.

In the example below, the DoT hostname is: 9y65g5srsm.cloudflare-gateway.com.

Getting the DoT hostname for a DNS location from the dashboard

Next, configure your DoT client with the DoT hostname.

2. Configure your DoT client

Depending on your operating system, you can choose from a variety of standalone DoT clients.

To configure your DoT client, enter the following IP address and the DoT hostname for your location (for example, 9y65g5srsm.cloudflare-gateway.com):

Hostname: <DoT hostname>
IP address: 162.159.36.5

Alternatively, stub resolvers (e.g., Unbound) support DoT natively. An example configuration is shown below.

# Unbound TLS Config
tls-cert-bundle: "/etc/ssl/cert.pem"
# Forwarding Config
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 172.64.36.1@853#9y65g5srsm.cloudflare-gateway.com
forward-addr: <IPv6 address>#<DoT hostname>

Supported TLS versions

Cloudflare’s DNS over TLS supports TLS 1.3 and TLS 1.2.