DNS over TLS · Cloudflare 1.1.1.1 docs
developers.cloudflare.com › 1 › dns-over-tlsBefore the connection, the DNS stub resolver has stored a base64 encoded SHA256 hash of the TLS certificate from cloudflare-dns.com (called SPKI). DNS stub resolver establishes a TCP connection with cloudflare-dns.com:853. DNS stub resolver initiates a TLS handshake. In the TLS handshake, cloudflare-dns.com presents its TLS certificate.