DNS over TLS (DoT): Secure, Encrypted DNS with UUID Tracking

Written by Owen Parry

Updated at September 30th, 2025


DNS over TLS (DoT) is a modern, encrypted DNS protocol that enhances privacy and security by wrapping DNS queries in TLS encryption. At CyberFOX, our DoT implementation goes beyond the standard: it supports UUID-based device tracking and integrates seamlessly with our DNS filtering infrastructure by converting DoT traffic to DoH at the resolver level.

This article explains how DoT works, its benefits and limitations, and when to consider using DNS over HTTPS (DoH) or the CyberFOX Agent instead.

 

What Is DNS over TLS (DoT)?


DoT encrypts DNS queries using the TLS protocol over port 853, shielding them from interception or tampering. Unlike traditional DNS (which uses plaintext over port 53), DoT ensures that DNS traffic is private and secure from the moment it leaves the device.

 

Key Benefits of CyberFOX DoT


End-to-End Encryption

DoT protects DNS queries in transit between the device and the resolver from being read or modified by third parties, including ISPs, attackers, or misconfigured networks.

UUID-Based Device Tracking

CyberFOX’s DoT implementation supports UUID tracking, enabling:

  • Per-device DNS policy enforcement
  • Consistent visibility across networks
  • Granular logging and audit trails

This capability is typically associated with agent-based DoH solutions, but CyberFOX also brings it to DoT, without requiring an endpoint agent.

Improved Stability in Managed Networks

DoT can resolve issues such as:

  • DNS resolution failures after agent installation
  • Filtering policies not applying correctly
  • Conflicts with ISP-level DNS filtering (e.g., eero Secure blocking port 53)

 

Considerations and Limitations


Port-Based Blocking

DoT uses a dedicated port (853), which makes it easier to detect and block on restrictive networks. This can cause issues on public Wi-Fi, captive portals, or networks with aggressive firewall rules.
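To tell a blocked port 853 apart from a TLS failure such as an intercepting captive portal, the check below sends one DoT query and classifies the outcome. It is an added example, not CyberFOX code: it uses the standard DoT framing from RFC 7858 (a 2-byte length prefix before each DNS message), and `server_ip` and `tls_name` are caller-supplied values, since this article does not list the resolver's address.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # dedicated DoT port named in the article

def build_query(name, qtype=1, txid=0x1234):
    """Encode a single-question DNS query (RD flag set) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def frame(msg):
    """DoT sends each DNS message behind a 2-byte big-endian length (RFC 7858)."""
    return struct.pack("!H", len(msg)) + msg

def unframe(buf):
    """Return (message, rest); message is None while the frame is incomplete."""
    n = struct.unpack("!H", buf[:2])[0] if len(buf) >= 2 else None
    if n is None or len(buf) < 2 + n:
        return None, buf
    return buf[2:2 + n], buf[2 + n:]

def summarize(msg):
    """Pull the fields a connectivity check needs out of the DNS header."""
    if len(msg) < 12:
        return None  # truncated: shorter than the 12-byte DNS header
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return {"response": bool(flags & 0x8000), "rcode": flags & 0xF, "answers": ancount}

def probe_dot(server_ip, tls_name, name="example.com", timeout=3.0):
    """Classify DoT reachability as ok, closed, tls_error or unreachable."""
    ctx = ssl.create_default_context()  # verifies the certificate against tls_name
    try:
        with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(frame(build_query(name)))
            buf = b""
            while (msg := unframe(buf)[0]) is None:
                chunk = tls.recv(4096)
                if not chunk:
                    return "closed", None
                buf += chunk
            return "ok", summarize(msg)
    except ssl.SSLError:   # handshake or certificate failure, e.g. TLS interception
        return "tls_error", None
    except OSError:        # refused, filtered or timed out: port 853 likely blocked
        return "unreachable", None
```

An `unreachable` result on a network where ordinary HTTPS works points to port-based blocking, which is the case where DoH or the agent is the better fit.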

Device Compatibility

  • Google Pixel and some Android builds default to DoT.
  • Samsung and other Android vendors increasingly support DoH.
  • macOS and iOS support DoT via configuration profiles, but DoH is more widely integrated into browsers and apps.

 

When to Use DoH Instead


DNS over HTTPS (DoH) is ideal for:

  • Devices that frequently connect to public or restricted networks
  • Environments where port 853 is blocked
  • Scenarios requiring maximum privacy and firewall evasion

DoH uses port 443 (HTTPS), making it indistinguishable from regular web traffic and far more resistant to blocking or redirection.

 

When to Use the CyberFOX Agent


The CyberFOX Agent is a lightweight endpoint service that:

  • Sets DNS to 127.0.0.1
  • Encrypts queries using DoH
  • Assigns a UUID to each device
  • Manages fallback behavior and policy enforcement

The agent is ideal for:

  • Roaming users
  • Devices requiring persistent policy enforcement
  • Environments where DNS must remain encrypted regardless of network conditions

 

Summary: DoT vs. DoH vs. Agent

 

| Feature | DNS over TLS (DoT) | DNS over HTTPS (DoH) | CyberFOX Agent |
|---|---|---|---|
| Encryption | TLS over port 853 | HTTPS over port 443 | HTTPS over 443 |
| UUID Tracking | ✅ Supported | ✅ Supported | ✅ Supported |
| Firewall Evasion | ❌ Easily blocked | ✅ Hard to block | ✅ Hard to block |
| Performance | Slightly slower | Faster | Fastest (local resolver) |
| Best Use Case | Trusted networks | Public Wi-Fi, mobile, roaming | Roaming, full control, split-tunnel |
| Requires Agent | ❌ No | ❌ No | ✅ Yes |

 

Final Thoughts


CyberFOX’s implementation of DNS over TLS (DoT) offers encrypted DNS traffic, UUID-based tracking, and seamless integration into our DoH-based filtering engine—all without requiring an agent. It’s a strong choice for secure, stable DNS in trusted environments.

However, for mobile users, those relying on public networks, or those seeking maximum privacy, DNS over HTTPS (DoH) or the CyberFOX Agent may offer better resilience and control.
