The full form of C-DOT is DNS over TLS.
DNS over TLS (DoT) is a security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks.
As of 2020, Cloudflare, Quad9, Google, Quadrant Information Security, CleanBrowsing, LibreOps, DNSlify, Telsy, AdGuard and Digitalcourage are providing public DNS resolver services via DNS over TLS. In April 2018, Google announced that Android Pie will include support for DNS over TLS, allowing users to set a DNS server phone-wide on both Wi-Fi and mobile connections, an option that was historically only possible on rooted devices. DNSDist, from PowerDNS, also announced support for DNS over TLS in its latest version 1.3.0. BIND users can also provide DNS over TLS by proxying it through stunnel. Unbound has supported DNS over TLS since 22 January 2018. Unwind has supported DoT since 29 January 2019. With Android Pie’s support for DNS over TLS, some ad blockers now support using the encrypted protocol as a relatively easy way to access their services versus any of the various work-around methods typically used, such as VPNs and proxy servers.
Traditional DNS queries and responses are sent over UDP or TCP without encryption. This is vulnerable to eavesdropping and spoofing (including DNS-based Internet filtering). Responses from recursive resolvers to clients are the most vulnerable to undesired or malicious changes, while communications between recursive resolvers and authoritative name servers often incorporate additional protection.
To address these problems, Google Public DNS offers DNS resolution over TLS-encrypted TCP connections as specified by RFC 7858. DNS-over-TLS improves privacy and security between clients and resolvers. This complements DNSSEC and protects DNSSEC-validated results from modification or spoofing on the way to the client.
A client system can use DNS-over-TLS with one of two profiles: strict or opportunistic privacy. With the strict privacy profile, the user configures a DNS server name (the authentication domain name in RFC 8310) for DNS-over-TLS service and the client must be able to create a secure TLS connection on port 853 to the DNS server. Failure to establish a secure connection is a hard error and will result in no DNS service for the client.
With the opportunistic privacy profile, the DNS server IP address may be configured directly by the user or obtained from the local network (using DHCP or some other means). The client resolver attempts to establish a secure connection on port 853 to the specified DNS server. If a secure connection is established, this provides privacy for the user’s queries from passive observers on the path. Since the client does not verify the authenticity of the server it is not protected from an active attacker. If the client cannot establish a secure connection on port 853, it falls back to communicating with the DNS server on the standard DNS port 53 over UDP or TCP without any security or privacy. The use of Opportunistic Privacy is intended to support incremental deployment of increased privacy with a view to widespread adoption of the strict privacy profile.
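The two profiles above, as an added example in Python (not code from the original page or from any resolver vendor): a minimal DoT client that frames the query as RFC 7858 requires, verifies the authentication domain name only under the strict profile, and falls back to cleartext port 53 only under the opportunistic profile. The server IP and authentication domain name are whatever the caller supplies; the `_dot`/`_plain` parameters exist so the fallback rules can be exercised without a network.

```python
import socket
import ssl
import struct

DOT_PORT, PLAIN_PORT = 853, 53            # RFC 7858 DoT port, classic DNS port

def build_query(name, qtype=1, txid=0x1234):
    """Encode one DNS question (RFC 1035) and prepend the 2-byte length prefix
    that TCP and DNS-over-TLS framing require (UDP carries no prefix)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)         # QTYPE, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def tls_context(profile, auth_domain):
    """Strict: verify the chain and the authentication domain name (RFC 8310).
    Opportunistic: encrypt when possible, but do not authenticate the server."""
    ctx = ssl.create_default_context()    # verifies chain and hostname by default
    if profile == "opportunistic":
        ctx.check_hostname = False        # unauthenticated: active attackers not stopped
        ctx.verify_mode = ssl.CERT_NONE
    elif profile != "strict" or not auth_domain:
        raise ValueError("strict profile needs an authentication domain name")
    return ctx

def dot_exchange(server_ip, query, ctx, server_hostname, timeout=3.0):
    """One length-prefixed query/response over TLS on port 853."""
    with socket.create_connection((server_ip, DOT_PORT), timeout) as raw, \
         ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
        tls.sendall(query)
        return tls.recv(int.from_bytes(tls.recv(2), "big"))  # small answers arrive whole

def plain_exchange(server_ip, msg, timeout=3.0):   # cleartext UDP/53: no privacy
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(msg, (server_ip, PLAIN_PORT))
        return udp.recv(4096)

def resolve(name, server_ip, profile="strict", auth_domain=None,
            _dot=dot_exchange, _plain=plain_exchange):   # injectable for offline tests
    """Returns (transport, raw response). Strict fails hard; opportunistic falls back."""
    ctx, query = tls_context(profile, auth_domain), build_query(name)
    try:
        return "tls/853", _dot(server_ip, query, ctx, auth_domain)
    except OSError as exc:                # socket errors and ssl.SSLError alike
        if profile == "strict":
            raise RuntimeError(f"strict DoT to {auth_domain} failed: {exc}") from exc
    return "udp/53", _plain(server_ip, query[2:])    # drop TCP length prefix for UDP
```

A real run is `resolve("example.com", "<resolver IP>", "strict", "<its authentication domain name>")`; the opportunistic call omits the domain name and silently degrades to port 53 when 853 is blocked, which is exactly the downgrade a monitoring team should log.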