Check whether your DNS servers support DNS over TLS (DoT). DoT encrypts DNS queries using TLS on port 853, protecting against eavesdropping and tampering.
DNS over TLS (DoT) is a security protocol that encrypts DNS queries using Transport Layer Security (TLS) on port 853. Standard DNS queries are sent in plain text, making them visible to anyone monitoring network traffic, including ISPs, attackers on public Wi-Fi, and governments. DoT wraps DNS queries inside a TLS session, preventing eavesdropping, tampering, and DNS-based censorship. When a client supports DoT, it establishes a TLS connection to the DNS server and sends queries over the encrypted channel; the server responds with encrypted answers. This protects both the query content (which domains you're visiting) and the responses (IP addresses and record data). DoT is specified in RFC 7858 and is supported by major DNS providers including Cloudflare, Google Public DNS, Quad9, and CleanBrowsing.
Without DoT, your DNS queries travel in plain text across the internet. Anyone with network access can see which domains you visit. DoT prevents this by encrypting all DNS traffic, protecting your browsing privacy and preventing DNS-based attacks like cache poisoning and man-in-the-middle tampering.
Common pitfalls: assuming your DNS provider supports DoT without checking, not configuring DoT on client devices, using default ISP DNS servers that don't support DoT, and not verifying that DoT is actually active after configuration changes.
Type the domain to test for DoT support.
We find the authoritative name servers for the domain.
We attempt a TLS handshake on the DoT port (853) for each server.
If the TLS handshake succeeds, we verify DoT support and report results.
Automatically discovers all authoritative name servers for the target domain. Tests each name server individually since DoT support may vary between servers in the same zone.
Attempts a full TLS handshake on port 853 for each discovered name server. Verifies that the server presents a valid TLS certificate and accepts DNS queries over the encrypted channel.
Validates the TLS certificate presented by each DoT-capable server. Checks certificate validity, expiration, chain of trust, and whether the certificate is signed by a trusted CA.
Reports the TLS cipher suites and protocol versions supported by each DoT server. Flags servers using weak or deprecated cipher suites that could compromise encryption strength.
Distinguishes between DNS over TLS (DoT, port 853) and DNS over HTTPS (DoH, port 443). Some servers support one but not the other. We report which protocol each server supports.
If DoT is supported, we provide configuration examples for common DNS clients including systemd-resolved, dnscrypt-proxy, Unbound, and Windows DNS settings.
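As an added illustration, not CyberFurl's own code: a minimal Python probe that performs the handshake-plus-query check described above against a single name server. It assumes the caller supplies the server's hostname or IP (NS discovery for the zone is left out), and relies on ssl.create_default_context() for the certificate chain, expiry and hostname checks; the transaction id 0x1234 is an arbitrary constructed value.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # RFC 7858


def build_query(name, qtype=1, txid=0x1234):
    """DNS query in RFC 1035 wire format, prefixed with the two-byte length
    that RFC 7858 borrows from DNS-over-TCP framing (qtype 1 = A record)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; one question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    message = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(message)) + message


def parse_header(message):
    """Return (txid, rcode, answer_count) from a DNS response header; rcode 0 = NOERROR."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return txid, flags & 0x000F, an


def recv_exact(sock, n):
    """Read exactly n bytes; TLS records do not align with DNS message boundaries."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the TLS session early")
        buf += chunk
    return buf


def probe_dot(server, name="example.com", timeout=5.0):
    """Handshake on 853, verify the certificate, send one query, report what the server offered."""
    ctx = ssl.create_default_context()  # chain, expiry and hostname/IP check against the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse deprecated protocol versions outright
    with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(build_query(name))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            txid, rcode, answers = parse_header(recv_exact(tls, length))
            if txid != 0x1234:
                raise ValueError("transaction id mismatch")
            return {"server": server, "tls_version": tls.version(),
                    "cipher": tls.cipher()[0], "rcode": rcode, "answers": answers}


if __name__ == "__main__":
    import sys
    print(probe_dot(sys.argv[1]))
```

A handshake failure raises ssl.SSLError (bad certificate) or a socket error (port closed), which is the "no DoT support" outcome; a successful result with rcode 0 confirms the server both speaks TLS on 853 and answers DNS over it.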
Automate DoT support checks, monitor TLS certificate expiration, track DNS security configuration drift, and get alerted when DNS encryption is disabled.