DNS over TLS (DoT)
What is Port 853?
Port 853 is used for DNS over TLS (DoT), a protocol defined in RFC 7858 that encrypts DNS queries between clients and recursive resolvers. Traditional DNS on port 53 transmits queries in plaintext, allowing ISPs, network operators, and attackers on the path to see which domains a user is visiting. DoT wraps standard DNS queries in TLS, providing confidentiality similar to what HTTPS gives web traffic. Major DNS providers including Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9) support DoT. Android 9+ includes built-in DoT support via the Private DNS feature. Because DoT uses a dedicated port (853), network administrators can identify and manage encrypted DNS traffic easily, which is a key difference from DNS over HTTPS (DoH), which runs on port 443 alongside ordinary HTTPS traffic.
Common Uses
- Encrypted DNS resolution for privacy
- Android Private DNS configuration
- Preventing DNS query eavesdropping by ISPs
- Secure DNS for enterprise environments
Technical Details
Copy-paste commands to check port 853 (DNS over TLS, DoT) from your terminal
Test connectivity
nc -zv example.com 853
curl -v --max-time 5 http://example.com:853/
telnet example.com 853
nmap -p 853 -sV example.com
(echo > /dev/tcp/example.com/853) 2>/dev/null && echo "open" || echo "closed"
Note that nc, curl, telnet and the /dev/tcp test only confirm that something accepts a TCP connection on 853; DoT carries TLS-wrapped DNS, not HTTP, so curl will not get a meaningful reply, and only nmap -sV attempts to identify the service behind the port.
Open port in firewall (inbound, for a DoT resolver you host; a client only needs outbound 853/tcp)
sudo ufw allow 853/tcp
sudo iptables -A INPUT -p tcp --dport 853 -j ACCEPT
sudo firewall-cmd --permanent --add-port=853/tcp && sudo firewall-cmd --reload
Security Considerations
DoT provides encryption but the dedicated port makes it possible for network operators to block encrypted DNS. Some argue this is a feature (enterprise control) while others see it as a limitation (censorship). Ensure the DoT resolver you use is trustworthy — encryption protects the path but the resolver still sees your queries. Consider using both DoT and DoH for redundancy.
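As an added worked example (not code from this page), the following minimal Python DoT client shows the two things the text describes: RFC 7858 reuses the 2-byte length-prefixed framing of DNS over TCP inside a TLS session on port 853, and the client must authenticate the resolver (here via ssl.create_default_context(), which rejects a certificate that does not match tls_hostname). The fixed transaction id and the resolver IP/hostname passed to query_dot are assumptions; pick a resolver whose certificate is valid for the hostname you give.

```python
import socket
import ssl
import struct

TXID = 0x1234  # fixed id for the worked example; use random.getrandbits(16) per query in practice

def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS query with the 2-byte length prefix DoT inherits from DNS-over-TCP (QTYPE 1 = A, IN, RD=1)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    msg = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg: bytes, pos: int) -> int:
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += msg[pos] + 1
    return pos + 1

def parse_a_records(framed: bytes) -> list[str]:
    """Validate the length prefix, id, QR bit and RCODE, then collect IPv4 answers."""
    (length,) = struct.unpack("!H", framed[:2])
    msg = framed[2:2 + length]
    if len(msg) != length:
        raise ValueError("truncated DoT frame")
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != TXID or not flags & 0x8000 or flags & 0x000F:
        raise ValueError(f"bad reply: id={rid:#x} flags={flags:#06x} (expected our id, QR=1, RCODE=0)")
    pos, ips = 12, []
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return ips

def query_dot(resolver_ip: str, tls_hostname: str, name: str) -> list[str]:
    """Resolve over TLS on 853; the default context verifies the chain and that the cert matches tls_hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver_ip, 853), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
        tls.sendall(build_query(name))
        stream = tls.makefile("rb")  # read(n) blocks for exactly n bytes unless the resolver closes
        head = stream.read(2)
        body = stream.read(struct.unpack("!H", head)[0]) if len(head) == 2 else b""
        return parse_a_records(head + body)
```

A resolver that presents a certificate for a different name, or a middlebox that tries to intercept port 853, fails the handshake in wrap_socket before any query is sent.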