diff --git a/numa.toml b/numa.toml
index 5ca95f8..92b5411 100644
--- a/numa.toml
+++ b/numa.toml
@@ -93,7 +93,7 @@ tld = "numa"
 # DNS-over-TLS listener (RFC 7858) — encrypted DNS on port 853
 # [dot]
-# enabled = false # opt-in: accept DoT queries
+# enabled = true # on by default; set false to disable
 # port = 853 # standard DoT port
 # bind_addr = "0.0.0.0" # IPv4 or IPv6; unspecified binds all interfaces
 # cert_path = "/etc/numa/dot.crt" # PEM cert; omit to use self-signed (proxy CA if available)
diff --git a/src/config.rs b/src/config.rs
index 708ed4f..6480883 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -411,7 +411,7 @@ pub struct DnssecConfig {
 #[derive(Deserialize, Clone)]
 pub struct DotConfig {
- #[serde(default)]
+ #[serde(default = "default_dot_enabled")]
 pub enabled: bool,
 #[serde(default = "default_dot_port")]
 pub port: u16,
@@ -428,7 +428,7 @@ pub struct DotConfig {
 impl Default for DotConfig {
 fn default() -> Self {
 DotConfig {
- enabled: false,
+ enabled: default_dot_enabled(),
 port: default_dot_port(),
 bind_addr: default_dot_bind_addr(),
 cert_path: None,
@@ -437,6 +437,9 @@ impl Default for DotConfig {
 }
 }
+fn default_dot_enabled() -> bool {
+ true
+}
 fn default_dot_port() -> u16 {
 853
 }
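Review bot: With `#[serde(default = "default_dot_enabled")]` on `DotConfig::enabled`, a config whose `[dot]` table sets only `port` or `cert_path` now starts a DoT listener after upgrade without the operator asking for it, and through the matching change in `impl Default for DotConfig` the same presumably holds for a config with no `[dot]` table at all. The sample in numa.toml shows `bind_addr = "0.0.0.0"` and a self-signed certificate fallback, so if `default_dot_bind_addr()` (its body is not in this diff) returns the unspecified address, the resolver becomes reachable on port 853 from every interface. Consider keeping the implicit default on loopback and requiring an explicit `bind_addr` for wider exposure, or at minimum logging the bound address at startup and calling the change out in the release notes. Port 853 is also a privileged port on most Unix systems, so it is worth confirming outside this diff that a failed bind on the now-default listener does not abort startup for unprivileged runs.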
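Review bot: `default_dot_enabled()` now decides whether an unconfigured install opens a network listener, yet it carries no comment saying so. I would add `/// DoT is on unless the config sets enabled = false; applies to a missing [dot] table and to a missing enabled key.` above it so the exposure decision is visible where it is made. The new function is also followed directly by `fn default_dot_port()` with no blank line between them; a blank line after its closing `}` would keep the default helpers visually separate.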