DNS-over-TLS Resolution Failure — Secure DNS Queries Not Working on Linux
About DNS-over-TLS Resolution Failure
Fix DNS-over-TLS (DoT) resolution failures on Linux where secure DNS queries fail while standard DNS works, caused by systemd-resolved or stubby misconfiguration.
This article is part of our Linux Error Codes collection on Error Codes Wiki.
Quick Answer
What is the difference between DoT and DoH?
DNS-over-TLS (DoT) uses a dedicated port 853 and is easier for network admins to identify and manage. DNS-over-HTTPS (DoH) uses port 443 (same as HTTPS) and is harder to block. DoH is better for bypassing restrictive firewalls.
Key Details
- DNS-over-TLS (DoT) encrypts DNS queries by sending them over a TLS connection on port 853
- systemd-resolved supports DoT natively since systemd 239
- Alternative DoT clients include stubby, knot-resolver, and unbound
- DoT prevents DNS query snooping by ISPs and network operators
- Port 853 must be allowed in firewalls for DoT to work (some corporate firewalls block it)
Common Causes
- DNS-over-TLS server certificate not trusted by the system's CA bundle
- Port 853 blocked by firewall or corporate network policy
- systemd-resolved not configured for DNSOverTLS in resolved.conf
- DoT server unreachable or experiencing downtime
Steps
1. Configure systemd-resolved: edit /etc/systemd/resolved.conf and set DNSOverTLS=yes and DNS=1.1.1.1#cloudflare-dns.com
2. Restart systemd-resolved: 'systemctl restart systemd-resolved'
3. Test DoT connectivity: 'kdig -d @1.1.1.1 +tls example.com' (requires the knot-dnsutils package)
4. Check whether port 853 is reachable: 'openssl s_client -connect 1.1.1.1:853'
5. If port 853 is blocked, use DNS-over-HTTPS (DoH) instead (port 443 is rarely blocked)
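The steps above are easier to repeat if they are scripted. The following POSIX sh script is an added example, not code from the original article: it checks a resolved.conf for the two settings strict DoT needs (step 1) and then probes port 853 with openssl so that a blocked port, an untrusted certificate and a wrong server name each produce a different result (step 4 and the first two common causes). The function names, the five-second timeout, the return codes and the sample configs in the test are my own choices; the upstream 1.1.1.1#cloudflare-dns.com is the article's example server.

```shell
#!/bin/sh
# Added diagnostic for the DoT troubleshooting steps; not from the original article.
# Assumes a systemd-resolved host with openssl and the coreutils "timeout" command.

# check_resolved_conf FILE
# Checks the two settings strict DoT needs in a resolved.conf:
#   DNSOverTLS=yes   ("opportunistic" silently falls back to plaintext DNS)
#   DNS=<ip>#<name>  (the #name is what resolved validates the certificate against)
# Prints each problem found; returns 0 when the file is usable, 1 otherwise.
check_resolved_conf() {
    conf="$1"
    rc=0
    # Take the last uncommented assignment of each key (enough for a typical config).
    mode=$(sed -n 's/^[[:space:]]*DNSOverTLS[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    dns=$(sed -n 's/^[[:space:]]*DNS[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    case "$mode" in
        yes) ;;
        opportunistic)
            echo "DNSOverTLS=opportunistic: queries succeed in plaintext when 853 is blocked, so nothing is protected"
            rc=1 ;;
        *)
            echo "DNSOverTLS is '${mode:-unset}' (needs DNSOverTLS=yes)"
            rc=1 ;;
    esac
    if [ -z "$dns" ]; then
        echo "DNS= is not set in $conf"
        rc=1
    fi
    for s in $dns; do
        case "$s" in
            *#*) ;;
            *) echo "server $s has no #hostname suffix, so its certificate cannot be checked against a name"
               rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "$conf: strict DoT configuration looks right"
    return "$rc"
}

# probe_dot_port IP NAME
# Opens a TLS session to IP:853 with chain and hostname verification, so the
# outcome separates three of the causes listed above:
#   0 = reachable and certificate trusted
#   1 = port unreachable (firewall, policy, or server down)
#   2 = reachable but certificate not trusted or name mismatch
probe_dot_port() {
    ip="$1"
    name="$2"
    out=$(printf '' | timeout 5 openssl s_client -connect "$ip:853" -servername "$name" \
              -verify_hostname "$name" -verify_return_error 2>&1)
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo "$ip:853 reachable and the certificate for $name is trusted"
        return 0
    elif printf '%s\n' "$out" | grep -q 'verify error'; then
        echo "$ip:853 reachable but certificate rejected: $(printf '%s\n' "$out" | grep 'verify error' | head -n 1)"
        return 2
    fi
    echo "$ip:853 unreachable (firewall, policy, or server down); DoH on 443 is the fallback"
    return 1
}

# Run both checks: sh dot-check.sh --run [resolved.conf] [server-ip] [server-name]
if [ "${1:-}" = "--run" ]; then
    check_resolved_conf "${2:-/etc/systemd/resolved.conf}"
    probe_dot_port "${3:-1.1.1.1}" "${4:-cloudflare-dns.com}"
fi
```

A return of 2 from the probe points at the CA bundle or at a wrong #name in DNS=, not at the network; a return of 1 is the case where step 5 applies. Once both checks pass, step 3's kdig query and 'resolvectl status' (which lists +DNSOverTLS among the protocols in use) confirm that resolved is actually sending queries over TLS.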