
DNS over TLS vs. DNS over HTTPS - searchableguy
https://www.cloudflare.com/learning/dns/dns-over-tls/
======
m3047
The article is factually wrong about DNS over TLS. The article states: "DoT
adds TLS encryption on top of the user datagram protocol (UDP)...".

In fact, it uses TCP, which is also an acceptable protocol for DNS queries. It
encapsulates the traffic in a TLS session, just like SSL or HTTPS encapsulate
TCP connections. When UDP packets are sent in a TCP tunnel, they are properly
termed "tunneled".

This is demonstrable to the average web programmer in the fact that e.g. nginx
can be used to front TCP connections to a DNS server and provide DoT.

When DNS requests/responses are sent over TCP they are prepended by a length
field. Here is a working Python asyncio TCP-only forwarder which supports
plain TCP as well as DoT:
[https://github.com/m3047/tcp_only_forwarder](https://github.com/m3047/tcp_only_forwarder)
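An added example of the two-octet length-prefix framing described above (RFC 1035 section 4.2.2); this is not code from the linked forwarder or from the post. The query name and transaction id are constructed sample values. DoT carries exactly these framed bytes inside the TLS session, so the same stream parser applies once the TCP socket is wrapped in TLS.

```python
"""DNS-over-TCP framing (RFC 1035 section 4.2.2), reused unchanged by DoT.

Builds a minimal DNS query, prepends the 2-byte big-endian length field, and
parses a TCP byte stream that may hold several messages or a message split
across reads. Names and ids below are constructed sample values.
"""
import struct
from typing import List, Tuple


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query: one QUESTION, QTYPE default A (1), QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(message: bytes) -> bytes:
    """Prepend the two-octet length that TCP (and therefore DoT) transport requires."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message exceeds the 16-bit TCP length field")
    return struct.pack("!H", len(message)) + message


def unframe(buffer: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP byte stream into complete DNS messages.

    Returns (complete_messages, leftover). A stream is not a datagram: one
    recv() may return half a message or two messages at once, so the leftover
    partial frame must be kept and re-parsed when more bytes arrive.
    """
    messages: List[bytes] = []
    while len(buffer) >= 2:
        (length,) = struct.unpack("!H", buffer[:2])
        if len(buffer) < 2 + length:
            break  # incomplete frame: wait for more data
        messages.append(buffer[2:2 + length])
        buffer = buffer[2 + length:]
    return messages, buffer


if __name__ == "__main__":
    q1 = build_query("example.com.")             # constructed sample name
    q2 = build_query("example.net.", qtype=28)   # AAAA query, constructed
    stream = frame(q1) + frame(q2)
    # Simulate a read boundary landing in the middle of the second frame.
    first_read, second_read = stream[:len(frame(q1)) + 5], stream[len(frame(q1)) + 5:]
    msgs, rest = unframe(first_read)
    print(len(msgs), len(rest))                  # 1 complete message, 5 leftover bytes
    msgs2, rest2 = unframe(rest + second_read)
    print(msgs2 == [q2], rest2 == b"")           # True True
```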

~~~
xg15
Thanks! I was already wondering if they actually respecified TLS for UDP for
this...

