DoT
DoT is the standard DNS protocol, just encapsulated within TLS. DoT by default is implemented on port tcp/853, which means it won't conflict with DNS (udp/53 and tcp/53) or DoH (tcp/443): all three services can be run on the same host if the DNS server application supports all three.
DoT name resolution is supported on most modern operating systems (as a client). It's not always running by default, but it's available to enable if not.
Verifying a DoT server remotely is as simple as using Nmap to verify that tcp/853 is listening, as illustrated in the following code snippet:
$ nmap -p 853 8.8.8.8
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-21 13:33 PST
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.023s latency).
PORT    STATE SERVICE
853/tcp open  domain-s

Doing a version scan gives us more good information, but the fingerprint (at the time of this book being published) is not in Nmap:

$ nmap -p 853 -sV...
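An open tcp/853 only tells you that something is listening; a stronger check is to actually speak DoT to it. The following Python script is an added example (not from the book or from any DNS project): it builds a standard DNS query, frames it with the two-byte length prefix that DoT borrows from DNS over TCP (RFC 7858), sends it inside a TLS session whose server certificate is validated against the system trust store, and parses the A records out of the reply. The live `dot_query` call assumes network reachability of the resolver you name and a Python 3.7+ `ssl` module (needed for certificate matching against an IP-address SAN when you pass a bare IP such as 8.8.8.8).

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    # Minimal RFC 1035 query: header (RD set, one question), QNAME labels, QTYPE, QCLASS=IN
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def frame_for_tls(msg):
    # RFC 7858 reuses DNS-over-TCP framing: a 2-byte big-endian length precedes each message
    return struct.pack(">H", len(msg)) + msg

def _skip_name(buf, off):
    # Advance past a (possibly compressed) name; a pointer (top two bits set) ends the name
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 else 1)

def parse_answer_ips(resp, txid):
    # Check that the reply matches our query, then collect IPv4 addresses from A records
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return ips

def dot_query(server, name, port=853, timeout=5.0):
    # One A query over TLS; create_default_context() validates the chain and the SAN, so a
    # self-signed or mismatched certificate fails here even though the port is open (assumption: 3.7+)
    txid = 0x4B1D
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_for_tls(build_query(name, txid=txid)))
            reader = tls.makefile("rb")          # read exact byte counts off the TLS stream
            (length,) = struct.unpack(">H", reader.read(2))
            return parse_answer_ips(reader.read(length), txid)
```

Running `dot_query("8.8.8.8", "dns.google")` from a machine with Internet access should return Google's resolver addresses; pointing it at a host that merely has tcp/853 open but no valid certificate raises an `ssl.SSLError` instead.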