The complete guide to DNS encryption

What is DNS Encryption?

DNS was originally conceived as a simple, clear-text protocol where a client would ask a server “What IP address should I use for” The Server would then respond with

A lot has happened since the birth of DNS. In the modern era, we have two key protocols that offer DNS encryption:


Also usually notes as DoT. This is standardized to use TCP port 853 and experiences some adoption in the open source community, in general.


Also usually written as DoH, the protocol uses HTTPS and usually runs over TCP port 443 (although it can technically be over any port). Some motivation behind this protocol was to offer end-users:

  • DNS security and encryption in transit
  • Interception-proof, man-in-the-middle proof
  • DNS availability to anyone, anywhere

For the most part, this has been achieved, but when applying the best adam:ONE® has to offer, the recommended CISA approach is achievable, namely this logical flow:

Endpoint (encrypted DNS query) → Organization’s Secure DNS service → Recursive/Public resolver query (encrypted DNS query).

For example:

DeviceA → DoT query → → recursive DoT query →
DeviceB → DoH query → → recursive DoH query →

What NOT to do:

Specifically what any security-conscious environment must consider is to disallow this scenario:

Endpoint → DoH/DoT → Public Resolvers (Google, CloudFlare, etc)

The blocking of external DNS services (enforcing internal DNS services) of any kind will be the the default when your adam:ONE® policy enforces:

  • DTTS® which prevents endpoints from using public IP addresses for anything, including DoT, DoH
  • Zero Trust connectivity (whitelist) policy which explicitly blocks known DoH URLs
  • Even if a DoH server is found on a whitelisted domain, any IPs obtained are not reachable due to DTTS® enforcement

How to use DNS encryption with best practices

  • use adam:ONE® muscle version 4.11 and later
  • ensure your firewall rules are the latest standard as per
  • have a managed/commercial plan on your adam:ONE® subscription
  • Select your hostname and enable DNS Encryption and Secure MyTools

At that point, the muscle offers legacy DNS, DoT and DoH on all of its interfaces.

Testing DNS Encryption

RFC 9462 is a standard for Discover of Designated Resolvers. The assumption is that your DHCP server is offering the adam:ONE® gateway instance as its legacy DNS resolver, which is then asked by the endpoint to upgrade its DNS encryption.

If you’re running the latest version of dig you can test by making a SVCB type query to the gateway for host like this:

[2.7.1-RELEASE][]/root: dig SVCB @

; <<>> DiG 9.18.14 <<>> SVCB @
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7888
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0


;; ANSWER SECTION:	60	IN	SVCB	1 alpn="h2" port=443 ipv4hint= key7="/dns-query{?dns}"	60	IN	SVCB	1 alpn="dot" port=853 ipv4hint=

;; Query time: 0 msec
;; WHEN: Tue Nov 21 18:17:12 EST 2023
;; MSG SIZE  rcvd: 159

Then to test the query, again using the latest dig, try with dig +tls @ like this:

[2.7.1-RELEASE][]/root: dig +tls @

; <<>> DiG 9.18.14 <<>> +tls @
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59694
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;			IN	A


;; Query time: 0 msec
;; WHEN: Tue Nov 21 18:20:08 EST 2023
;; MSG SIZE  rcvd: 45

And finally, to test with a DoH query like this:

[2.7.1-RELEASE][]/root: curl -H 'accept: application/dns-json' ''


Upstreaming DNS Encryption

Each upstream Resolver set can be be defined using DoH or DoT. Here’s an example of setting Cloudflare upstream resolver on the dashboard → My Rules → DNS Resolvers:


This DNS encryption stack offers legacy compatibility while offering best-in-class encryption for modern endpoints.