diff --git a/numa.toml b/numa.toml
index 4fa0a3d..b7f98de 100644
--- a/numa.toml
+++ b/numa.toml
@@ -83,6 +83,14 @@ tld = "numa"
 # enabled = false             # opt-in: verify chain of trust from root KSK
 # strict = false              # true = SERVFAIL on bogus signatures
 
+# DNS-over-TLS listener (RFC 7858) — encrypted DNS on port 853
+# [dot]
+# enabled = false             # opt-in: accept DoT queries
+# port = 853                  # standard DoT port
+# bind_addr = "0.0.0.0"       # IPv4 or IPv6; unspecified binds all interfaces
+# cert_path = "/etc/numa/dot.crt"  # PEM cert; omit to use self-signed (proxy CA if available)
+# key_path = "/etc/numa/dot.key"   # PEM private key; must be set together with cert_path
+
 # LAN service discovery via mDNS (disabled by default — no network traffic unless enabled)
 # [lan]
 # enabled = true              # discover other Numa instances via mDNS (_numa._tcp.local)