DoT (DNS over TLS)

DNS is one of the last widely used protocols that is still not encrypted, and the only right way to fix this is by implementing DoT. At the bottom of this page there are some reference links that explain why this is the case.


When running bind9 you can use stunnel to enable DNS over TLS; below is an example of how to accomplish this. In this example both stunnel and bind are running on the same server, but the same setup can also be used in a distributed environment.

This example assumes that there is already a DNS server running and does not cover that part. For the stunnel part, install stunnel from your OS repository or build it from source.

user@host:~$ sudo apt-get install stunnel

Configure stunnel for DoT operation:

user@host:~$ vi /etc/stunnel/stunnel4.conf
debug = warning
foreground = no
pid = /var/run/stunnel4/stunnel4.pid
output = /var/log/stunnel4/stunnel4.log
; stunnel reads a leading "-" as "disable this option", so "-NO_SSLv3" would
; re-enable SSLv3; the intent here is to turn SSLv3 off
options = NO_SSLv3
setuid = stunnel4
setgid = stunnel4
include = /etc/stunnel/conf.d

user@host:~$ vi /etc/stunnel/conf.d/dnstls.conf
; accept/connect are service-level options and must sit under a [service] header
[dnstls]
accept = 853
; address:port of the DNS server's TCP listener (assumed 127.0.0.1:53 when bind
; runs on the same host, as in this example)
connect =
CAfile = ca.pem
cert = host.crt
key = host.pem

You can test the config by running stunnel in the foreground: set foreground = yes and run stunnel4 /etc/stunnel/stunnel4.conf. If everything looks OK, set foreground back to no and enable the service. On a systemd system this is done with sudo systemctl enable stunnel4, and the service is started with sudo systemctl start stunnel4.


To test whether this is working, one can use the following tools:
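As an added example (not part of the original page, and not code from bind or stunnel), the following Python 3 script acts as a minimal DoT client against the port 853 endpoint that stunnel exposes: it builds a DNS query, frames it with the two-byte length prefix that DNS over TCP and TLS use (RFC 7858 / RFC 1035), sends it over a verified TLS session and parses the answer. The resolver address, the CA file and the name in the server certificate are assumed and passed as command-line arguments; the sample reply at the bottom is constructed, not captured, so that the parsing can be checked without a network.

```python
"""DNS-over-TLS client check (RFC 7858), standard library only.
Added example; not code from the original page."""
import socket
import ssl
import struct

QUERY_TXID = 0x1234  # fixed transaction ID so the reply can be matched


def build_query(name, txid=QUERY_TXID, qtype=1):
    """Standard query (RD=1) for `name`, class IN; qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(message):
    """DNS over TCP/TLS prefixes every message with its 16-bit length."""
    return struct.pack("!H", len(message)) + message


def recv_exact(sock, n):
    """Read exactly n bytes; TLS records do not line up with DNS messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full DNS message arrived")
        buf += chunk
    return buf


def skip_name(msg, offset):
    """Return the offset just past a domain name, compressed or not."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(msg, expected_txid):
    """Return rcode and A/AAAA answers; refuse replies whose TXID does not match."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: stale or injected reply")
    offset = 12
    for _ in range(qd):                 # skip the echoed question section
        offset = skip_name(msg, offset) + 4
    answers = []
    for _ in range(an):
        offset = skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"rcode": flags & 0x0F, "ancount": an, "answers": answers}


def dot_query(server, name, cafile, server_name=None, port=853, timeout=5.0):
    """Send one query to a DoT endpoint, verifying its certificate against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or server) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length), QUERY_TXID)


# Constructed sample reply (not captured from a real server): NOERROR, the question
# echoed back, one A record 192.0.2.1 with TTL 300 whose name points back to offset 12.
SAMPLE_QUERY = build_query("example.com")
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", QUERY_TXID, 0x8180, 1, 1, 0, 0)
    + SAMPLE_QUERY[12:]
    + b"\xc0\x0c"
    + struct.pack("!HHIH", 1, 1, 300, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    import sys
    # usage: dot_check.py <resolver-ip> <name> <ca.pem> [name-in-certificate]
    server, name, cafile = sys.argv[1:4]
    sni = sys.argv[4] if len(sys.argv) > 4 else None
    print(dot_query(server, name, cafile, sni))
```

Run it against the stunnel host with the CA that signed host.crt; a handshake failure points at the certificate chain or the minimum TLS version, while a clean TLS session followed by a timeout or a closed connection usually means the connect = target behind stunnel is not answering on TCP. The TXID check matters because the reply is matched to the query by nothing else.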

Other solutions:

Other DNS solutions you can use to enable DoT are:

PowerDNS: DNS over TLS


Some reference material on encrypting DNS can be found at the following links: Centralised DoH is bad for privacy and DNS over HTTPS (and all its friends & relations).