DNS over TLS / DNS over HTTPS in DDI Central
What is DNS over TLS (DoT)?
DNS over TLS (DoT) is a protocol that encrypts DNS queries and responses using Transport Layer Security (TLS)—the same cryptographic protocol used in HTTPS connections. Traditional DNS queries are sent in plaintext, which means anyone on the network path (e.g., ISPs, attackers, or surveillance systems) can intercept and view which websites a user is trying to access. DoT solves this by encrypting the DNS traffic between a client (like a user’s device) and the DNS server (resolver).
Key properties:
- Runs on port 853 (a port dedicated for DoT traffic).
- Protects confidentiality and integrity of DNS communications.
- Prevents on-path attackers between the client and the resolver from reading or tampering with DNS queries and responses.
- Carries standard DNS messages directly inside the TLS session, with no HTTP layer in between (unlike DoH).
Suitable for:
- Network environments where control and monitoring of DNS traffic are needed (e.g., enterprises, ISPs).
- Administrators who prefer to keep DNS separate from web traffic, so that it does not interfere with content filtering or deep packet inspection (DPI).
What is DNS over HTTPS (DoH)?
DNS over HTTPS (DoH) also encrypts DNS queries, but it transmits them using HTTPS (port 443), making DNS requests indistinguishable from regular web traffic. This provides strong privacy and evasion capabilities—especially in environments where traditional DNS traffic might be blocked or monitored.
Key properties:
- Runs over HTTPS on port 443.
- Uses HTTP/2 or HTTP/3 to deliver DNS queries and receive responses.
- DNS traffic is hidden among web traffic, making it harder to censor or block.
- Originally popularized by browsers (like Firefox and Chrome) to improve user privacy.
Suitable for:
- Privacy-centric user environments (e.g., personal devices, public Wi-Fi).
- Scenarios where censorship circumvention or ISP-level DNS snooping is a concern.
- Less suitable for enterprise environments where administrators need visibility into DNS traffic.
Why does a network infrastructure need DoT or DoH?
Traditional DNS traffic is unencrypted, making it:
- Vulnerable to eavesdropping, where attackers or ISPs can see which websites users visit.
- Susceptible to DNS spoofing, allowing attackers to redirect traffic to malicious sites.
- Prone to censorship or surveillance, especially in sensitive or geo-restricted environments.
Enabling DoT/DoH:
- Boosts user privacy and trust, by hiding DNS queries from third parties.
- Improves security, ensuring DNS responses come from the authenticated resolver rather than from an on-path forger.
- Aligns with compliance mandates, like GDPR or CCPA, which emphasize user data protection.
- Future-proofs infrastructure, as modern operating systems, browsers, and apps increasingly default to encrypted DNS.
Accessing DoT/DoH Configuration
- Log in to the DDI Central web console.
- In the left sidebar, click Config under the DNS section.
- Navigate to the DoT/DoH tab on the top navigation bar.
Configuring DNS over TLS (DoT) / DNS over HTTPS (DoH)

Step 1: Enable DoT and/or DoH
- Enable DoH, DoT, or both by checking the respective boxes:
  - TLS enables DNS over TLS (typically on port 853).
  - HTTPS enables DNS over HTTPS (typically on port 443).
Step 2: Set Port Numbers
- DoT Port: Enter the port for TLS (default: 853).
- DoH Port: Enter the port for HTTPS (default: 443).
Step 3: Review Protocol
- The Protocol field auto-populates with {TLSv1.2;}.
Step 4: Specify the Endpoint
- Endpoints: Enter the DoH path endpoint. The default value is dns-query, which is appended to your HTTPS server address, e.g., https://dns.example.com/dns-query.
Step 5: Upload Certificate and Key
- Upload your TLS certificate (.crt or .pem) using the Certificate File field.
- Upload the corresponding Private Key file using the Key File field.
- Select from available options.
Step 6: Save Configuration
- Click the Save button at the bottom.
- Once saved, the top right corner status will change from “NOT CONFIGURED” to “CONFIGURED”.
Note
- Certificates must be valid and correctly signed by a trusted CA. Self-signed certs should be used only in internal, controlled environments.
- Ensure ports 853 and 443 are open on your firewall or network device.
- Endpoints must match clients' expectations (e.g., /dns-query for DoH).
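The client below is an added example, not part of the DDI Central documentation or product: after saving the configuration, it exercises both transports described earlier from a client machine, and it makes concrete how the two differ. DoT (RFC 7858) sends the standard DNS wire message with a 2-byte length prefix over TLS on port 853; DoH (RFC 8484) sends the same message as the body of an HTTPS POST to the configured endpoint path (https://server/dns-query). The server name dns.example.com, the queried name and the address 192.0.2.10 in the test data are constructed placeholders; substitute the values configured in DDI Central.

```python
"""Added example (not from the DDI Central docs): a minimal DoT/DoH client for
checking a freshly configured resolver. Both transports carry the same RFC 1035
wire-format DNS message; DoT adds a 2-byte length prefix inside TLS (RFC 7858),
DoH posts it to the endpoint path as application/dns-message (RFC 8484).
Server names and addresses below are constructed placeholders.
"""
import secrets
import socket
import ssl
import struct
import urllib.request
from typing import Optional

DEFAULT_DOT_PORT = 853
DEFAULT_DOH_PORT = 443


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a standard DNS query (header + one question) for name/qtype (1 = A)."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    # Flags 0x0100 = recursion desired; QDCOUNT 1, no other sections.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(query: bytes, response: bytes) -> dict:
    """Validate a response against the query we sent and collect A-record addresses."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID does not match the query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + type + class
        off = _skip_name(response, off) + 4
    addresses = []
    for _ in range(an):
        off = _skip_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(response[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "addresses": addresses}


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS connection closed mid-message")
        buf += chunk
    return buf


def query_dot(server: str, query: bytes, port: int = DEFAULT_DOT_PORT,
              hostname: Optional[str] = None, timeout: float = 5.0) -> bytes:
    """Send one DNS message over TLS (RFC 7858) and return the raw response.

    create_default_context() requires a certificate chaining to a trusted CA and
    matching the hostname, so a self-signed or misnamed certificate fails here.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # matches the {TLSv1.2;} Protocol field
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname or server) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


def doh_url(server: str, endpoint: str = "dns-query", port: int = DEFAULT_DOH_PORT) -> str:
    """Combine server, port and the configured endpoint path into the DoH URL."""
    netloc = server if port == 443 else f"{server}:{port}"
    return f"https://{netloc}/{endpoint.strip('/')}"


def query_doh(url: str, query: bytes, timeout: float = 5.0) -> bytes:
    """POST one DNS message to a DoH endpoint (RFC 8484) and return the response body."""
    req = urllib.request.Request(url, data=query, method="POST", headers={
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if resp.headers.get_content_type() != "application/dns-message":
            raise ValueError(f"unexpected Content-Type: {resp.headers.get_content_type()}")
        return resp.read()


if __name__ == "__main__":
    server, name = "dns.example.com", "www.example.com"  # placeholders
    q = build_query(name)
    try:
        print("DoT:", parse_response(q, query_dot(server, q)))
        print("DoH:", parse_response(q, query_doh(doh_url(server), q)))
    except ssl.SSLCertVerificationError as exc:
        print("certificate rejected (check CA chain and hostname):", exc)
    except OSError as exc:  # refused or timed out: port closed or nothing listening
        print("connection failed (check ports 853/443 on the firewall):", exc)
```

Run it against the configured server: a certificate that is self-signed, expired or issued for a different name is rejected by the default TLS context before any DNS data is exchanged, a closed port 853 or 443 surfaces as a connection error, and a wrong endpoint path comes back from the DoH server as an HTTP error rather than an application/dns-message body, which maps directly onto the three items in the Note above.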
Once you’ve configured DoT or DoH for your DNS servers in a cluster using DDI Central, you can enforce its use on client machines by integrating with your endpoint control solution. By combining server-side DoT/DoH configuration with client-side policy enforcement, you guarantee that all endpoints use only encrypted DNS, maintaining privacy and preventing DNS-based attacks.