
Set Up DNS-over-TLS (DoT)

Dedicated encrypted DNS channel

DNS-over-TLS runs DNS through a dedicated TLS-encrypted channel on port 853. Unlike DoH, it uses its own port rather than hiding inside HTTPS — which means it’s easier for network tools to identify (and optionally block), but also simpler to configure at the system level without a proxy.

le_dns DoT endpoint: ledns.eu port 853


Android 9+ (Private DNS)

Android’s “Private DNS” feature is actually DoT under the hood. It’s the easiest setup of any platform:

  1. Open Settings → Network & internet
  2. Tap Private DNS
  3. Select Private DNS provider hostname
  4. Enter: ledns.eu
  5. Tap Save

That’s it. Android will automatically encrypt all DNS queries to le_dns over TLS. The setting applies system-wide, covering every app on your device.


Linux (systemd-resolved)

systemd-resolved supports DoT natively since version 237:

  1. Edit /etc/systemd/resolved.conf:

     [Resolve]
     DNS=51.75.96.82#ledns.eu 51.89.95.33#ledns.eu
     DNSOverTLS=yes

  2. Restart the resolver:

     sudo systemctl restart systemd-resolved

  3. Verify:

     resolvectl status

Look for DNS over TLS: yes in the output. The #ledns.eu suffix after each IP tells systemd-resolved which hostname to verify in the TLS certificate. Keep DNSOverTLS=yes (strict mode) rather than DNSOverTLS=opportunistic: opportunistic mode silently falls back to plaintext DNS whenever the TLS session cannot be established, which defeats the point of the setup.


macOS / Linux (Stubby)

Stubby is a lightweight standalone DoT client maintained by the DNS Privacy Project:

# macOS (Homebrew)
brew install stubby

# Debian/Ubuntu
sudo apt install stubby

Edit /etc/stubby/stubby.yml (or /usr/local/etc/stubby/stubby.yml on macOS):

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.0.1
  - 0::1
upstream_recursive_servers:
  - address_data: 51.75.96.82
    tls_auth_name: "ledns.eu"
  - address_data: 51.89.95.33
    tls_auth_name: "ledns.eu"

Then point your system DNS at 127.0.0.1 and start Stubby (on Linux, as a systemd service):

sudo systemctl enable --now stubby

Verify it works

If you have BIND 9.18+ or a dig build with TLS support:

dig +tls @ledns.eu example.com

A successful response confirms le_dns is responding over TLS. You can also run:

openssl s_client -connect ledns.eu:853 -servername ledns.eu -verify_hostname ledns.eu </dev/null 2>/dev/null | grep -E 'subject=|Verify return code'

This checks that the certificate presented on port 853 chains to a CA your system trusts and is issued for ledns.eu: the subject line should name ledns.eu, and you want Verify return code: 0 (ok). Any other return code (an expired chain, an untrusted issuer, a hostname mismatch) means a DoT client in strict mode will refuse to use the server.
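As an added example (not code from the le_dns page, Stubby or systemd-resolved), the following Python script does by hand what those clients do for you: it opens a TLS session to the resolver IP on port 853, verifies the certificate against the auth name the way Stubby's tls_auth_name does, and exchanges one length-prefixed DNS message. The resolver IP and hostname are the page's own (51.75.96.82, ledns.eu); the helper names and the fixed transaction ID are assumptions.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    # Minimal DNS query in RFC 1035 wire format: RD=1, one question, class IN.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg):
    # DoT reuses TCP framing: a 2-byte big-endian length precedes each message.
    return struct.pack("!H", len(msg)) + msg

def skip_name(buf, pos):
    # Advance past a (possibly compressed) domain name; return the new offset.
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return pos + 2
        pos += length + 1
        if length == 0:
            return pos

def parse_a_records(resp):
    # Collect IPv4 addresses from the answer section of a DNS response.
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        pos = skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return ips

def dot_query(server_ip, auth_name, name):
    # One query over TLS on port 853; auth_name acts like Stubby's tls_auth_name.
    ctx = ssl.create_default_context()  # CA verification and hostname check are on
    with socket.create_connection((server_ip, 853), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
        tls.sendall(frame(build_query(name)))
        reply = tls.makefile("rb")  # buffered reads return exact-length frames
        length = struct.unpack("!H", reply.read(2))[0]
        return reply.read(length)  # feed this to parse_a_records()
```

To exercise it against the page's resolver, run parse_a_records(dot_query("51.75.96.82", "ledns.eu", "example.com")); a certificate that does not name ledns.eu raises ssl.SSLCertVerificationError instead of returning an answer.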


Note on firewalls

DoT uses its own dedicated port, 853, which restrictive networks (corporate firewalls, hotel Wi-Fi, some ISPs) may block. If DoT doesn’t work in a particular environment, DoH is the better fallback: it uses port 443 and is indistinguishable from regular HTTPS traffic.