---
title: DNS over TLS (DoT)
description: DNS over TLS (DoT) in Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/cloudflare-one/llms.txt  
> Use this file to discover all available pages before exploring further. 

[Skip to content](#%5Ftop) 

# DNS over TLS (DoT)

By default, DNS is sent over a plaintext connection. DNS over TLS (DoT) is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications.

Cloudflare supports DoT on standard port `853` over TLS 1.2 and TLS 1.3 in compliance with [RFC7858 ↗](https://tools.ietf.org/html/rfc7858).

## Configure DoT queries

### 1\. Obtain your DoT hostname

Each Gateway DNS location has a unique DoT hostname. DNS locations and corresponding DoT hostnames have policies associated with them.

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Networks** \> **Resolvers & Proxies**.
2. Under **DNS locations**, [add a new location](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) or select an existing location from the list.
3. Under **DoT endpoint**, copy the value in **DoT addresses**.

The DoT hostname contains your unique location name. For example, if the DoT hostname is `9y65g5srsm.cloudflare-gateway.com`, the location name is `9y65g5srsm`.

### 2\. Configure your DoT client

To configure a DoT client such as `dig`, specify the IP address and the DoT hostname for your location in your query. For example:

```
Hostname: 9y65g5srsm.cloudflare-gateway.comIP address: 162.159.36.5
```

Alternatively, you can use the generic DoT endpoint (`dns.cloudflare-gateway.com`) and include an `OPT` record with code `65011`. You can select a specific location for the value of the `OPT` record. For example:

```
Hostname: dns.cloudflare-gateway.comIP address: 162.159.36.5OPT Record:  - Code: 65011  - Value: 9y65g5srsm
```

Some stub resolvers support DoT natively. For example, you can configure Unbound to send a DoT query:

```
# Unbound TLS Configtls-cert-bundle: "/etc/ssl/cert.pem"# Forwarding Configforward-zone: name: "." forward-tls-upstream: yes forward-addr: 162.159.36.5@853#9y65g5srsm.cloudflare-gateway.com forward-addr: 2001:db8:abcd::1234#9y65g5srsm.cloudflare-gateway.com
```

```json
{"@context":"https://schema.org","@type":"TechArticle","@id":"https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-tls/#page","headline":"DNS over TLS (DoT) · Cloudflare One docs","description":"DNS over TLS (DoT) in Zero Trust networking.","url":"https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-tls/","inLanguage":"en","image":"https://developers.cloudflare.com/zt-preview.png","dateModified":"2026-04-17","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"},"keywords":["DNS","TLS"]}
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/networks/","name":"Networks"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/networks/resolvers-and-proxies/","name":"Resolvers and proxies"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/networks/resolvers-and-proxies/dns/","name":"DNS"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-tls/","name":"DNS over TLS (DoT)"}}]}
```