Which DoT server should I use?

Popular options: Cloudflare (1.1.1.1), Google (8.8.8.8), Quad9 (9.9.9.9). Cloudflare and Quad9 do not log queries. Choose based on privacy policy, performance, and filtering preferences (Quad9 blocks malware domains).

Does DoT slow down DNS resolution?

The initial TLS handshake adds latency (~50ms). Subsequent queries reuse the connection and have minimal overhead. With connection keepalive, the performance impact is negligible for normal browsing.

DNS-over-TLS Resolution Failure — Secure DNS Queries Not Working on Linux

Warningnetwork

Overview

Fix DNS-over-TLS (DoT) resolution failures on Linux where secure DNS queries fail while standard DNS works, caused by systemd-resolved or stubby misconfiguration.

Key Details

DNS-over-TLS (DoT) encrypts DNS queries by sending them over a TLS connection on port 853
systemd-resolved supports DoT natively since systemd 239+
Alternative DoT clients include stubby, knot-resolver, and unbound
DoT prevents DNS query snooping by ISPs and network operators
Port 853 must be allowed in firewalls for DoT to work (some corporate firewalls block it)

Common Causes

DNS-over-TLS server certificate not trusted by the system's CA bundle
Port 853 blocked by firewall or corporate network policy
systemd-resolved not configured for DNSOverTLS in resolved.conf
DoT server unreachable or experiencing downtime

Steps

1Configure systemd-resolved: edit /etc/systemd/resolved.conf set DNSOverTLS=yes and DNS=1.1.1.1#cloudflare-dns.com
2Restart systemd-resolved: systemctl restart systemd-resolved
3Test DoT connectivity: 'kdig -d @1.1.1.1 +tls example.com' (requires knot-dnsutils package)
4Check if port 853 is reachable: 'openssl s_client -connect 1.1.1.1:853'
5If port 853 is blocked: use DNS-over-HTTPS (DoH) as an alternative (port 443 is rarely blocked)

Related Items

linux-wireguard-vpn-handshake-timeout

More in Network

windows-651-pppoe-connection-failedWindows Error 651 — PPPoE Connection Failed

Warning

windows-691-authentication-failedWindows Error 691 — Authentication Failed

Warning

windows-720-ppp-connection-failedWindows Error 720 — PPP Connection Failed

Error

windows-800-vpn-tunnel-failedWindows Error 800 — VPN Tunnel Failed

Warning

windows-network-error-619Windows VPN Error 619 — Connection Could Not Be Established

Warning

windows-network-error-868Windows VPN Error 868 — Remote Server Not Resolved

Warning

Frequently Asked Questions

DNS-over-TLS (DoT) uses a dedicated port 853 and is easier for network admins to identify and manage. DNS-over-HTTPS (DoH) uses port 443 (same as HTTPS) and is harder to block. DoH is better for bypassing restrictive firewalls.

DNS-over-TLS Resolution Failure — Secure DNS Queries Not Working on Linux

Overview

Key Details

Common Causes

Steps

Tags

Related Items

More in Network

Frequently Asked Questions