Networking - DNS - DNS over TLS

DNS is insecure by default because queries and responses travel in plaintext. Anyone on the path (your ISP, the operator of a public Wi-Fi network, a man-in-the-middle) can read which names you look up and can alter the answers. This is distinct from DNS cache poisoning, where an attacker gets a forged answer accepted into a recursive resolver's cache so that every later client is misdirected; plaintext transport makes both attacks easier, but encrypting the transport only addresses the first.

Classic DNS runs over UDP, a connection-less protocol, so there is no handshake binding a response to the query that caused it. All a resolver checks is that the 16-bit transaction ID, the destination port and the question section of an incoming packet match an outstanding query, and an on-path attacker can read those values while an off-path attacker can try to guess them. A forged response that arrives before the genuine one wins, so there is no guarantee that what a DNS query resolves to is the real IP.

DNS over TLS (DoT, RFC 7858) means that DNS queries are sent over a TCP connection encrypted with TLS, normally to port 853, using the same technology that encrypts HTTPS traffic. Third parties on the path can no longer read or alter your queries, and if the client verifies the server's certificate against the resolver's published name it also cannot be silently redirected to an impostor resolver. Two caveats: the recursive resolver you choose still sees every query you make, and DoT protects only the transport; it does not prove that the answer itself is genuine, which is what DNSSEC is for.
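The exchange described above, as an added example that is not code from the original page: a minimal DoT client in Python that builds a DNS query, frames it with the two-byte length prefix that TLS-transported DNS inherits from DNS-over-TCP, sends it over a certificate-verified TLS connection to port 853 and parses the reply. The resolver address 1.1.1.1 appears on the page; its TLS authentication name cloudflare-dns.com is an assumption taken from the operator's documentation. The sample response bytes and the 192.0.2.1 address (a documentation-only range) are constructed here so the parser can be exercised offline.

```python
"""Minimal DNS-over-TLS (RFC 7858) client. Added example, not code from the page.
Assumption: upstream 1.1.1.1 (on the page) authenticates as "cloudflare-dns.com"
(from the operator's documentation). SAMPLE_RESPONSE is a constructed reply used
to exercise the parser without network access."""
import secrets
import socket
import ssl
import struct

DOT_PORT = 853            # RFC 7858 well-known port; plaintext DNS uses 53
QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Wire-format query: 12-byte header with RD set, plus one question in class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection mid-message")
        buf += chunk
    return buf


def read_framed(sock) -> bytes:
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def _read_name(msg: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                    # caller resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Check the reply belongs to our query and extract the answer records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: not a reply to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):                          # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == QTYPE_AAAA and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"rcode": flags & 0x000F, "truncated": bool(flags & 0x0200), "answers": answers}


def query_dot(name: str, server_ip: str, auth_name: str,
              qtype: int = QTYPE_A, timeout: float = 5.0) -> dict:
    """Send one query over TLS to server_ip:853, verifying the cert against auth_name."""
    ctx = ssl.create_default_context()           # CA verification and hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = secrets.randbits(16)                  # unpredictable ID, as a resolver uses
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        # server_hostname is what makes this strict DoT: an impostor without a
        # certificate for auth_name fails the handshake instead of seeing the query.
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(name, qtype, txid)))
            reply = read_framed(tls)
    return parse_response(reply, txid)


# Constructed reply to build_query("example.com", QTYPE_A, 0x1234): flags 0x8180,
# one question, one answer whose name is a compression pointer to offset 12,
# type A, TTL 300, rdata 192.0.2.1 (documentation address).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, 0x1234))                     # offline
    print(query_dot("example.com", "1.1.1.1", "cloudflare-dns.com"))   # live
```

The `server_hostname` argument and the default SSL context are the whole difference between strict and opportunistic DoT: drop either, and a machine in the path that terminates TLS with any certificate can read and rewrite your queries exactly as with plaintext UDP. Note also that a matching transaction ID and a verified TLS peer prove only that the reply came from the resolver you chose, not that the resolver's data is correct.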


Stubby

Stubby is an open-source DNS stub resolver, built on the getdns library, that speaks DNS over TLS by default. In its default strict configuration it sends queries only over TLS, only to upstream servers whose certificates it can authenticate, and it refuses to fall back to plaintext UDP or TCP if that fails.

NOTE: A stub resolver is a small DNS client on the end-user's computer that receives DNS requests from applications such as Firefox and forwards them to a recursive resolver (for example 1.1.1.1 or 8.8.8.8) that performs the actual lookup.

There are other local resolvers that instead support DNS over HTTPS (DoH, which carries DNS inside HTTPS on port 443), such as cloudflared, but for DNS over TLS Stubby is very easy to set up.
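A strict stubby.yml, added here as an illustration and not taken from the page or from the configuration file the Stubby project ships. The upstream 1.1.1.1 is from the page; the TLS authentication name cloudflare-dns.com and the second address 1.0.0.1 are assumptions taken from the operator's documentation. The commented-out lines show the opportunistic settings that would let Stubby fall back to plaintext.

```yaml
# stubby.yml: strict DNS over TLS only. Added example, not the project's shipped file.
resolution_type: GETDNS_RESOLUTION_STUB

# Only TLS. Adding GETDNS_TRANSPORT_UDP or GETDNS_TRANSPORT_TCP here lets a
# failed TLS connection silently degrade to plaintext on port 53.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
#  - GETDNS_TRANSPORT_UDP     # weak: plaintext fallback

# Require a certificate that matches tls_auth_name below. With
# GETDNS_AUTHENTICATION_NONE any certificate (including a MITM's) is accepted.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
# tls_authentication: GETDNS_AUTHENTICATION_NONE   # weak: opportunistic

# Pad queries so their length leaks less about which name was asked.
tls_query_padding_blocksize: 128
# Do not send EDNS Client Subnet to upstreams.
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 10000

# Where local applications send plaintext queries; only loopback is exposed.
listen_addresses:
  - 127.0.0.1
  - 0::1

# Upstreams are identified by IP and authenticated by name; 1.1.1.1 is from the
# page, the auth name and 1.0.0.1 are assumptions from the operator's docs.
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
```

After starting Stubby, point the system resolver (for example /etc/resolv.conf on Linux) at 127.0.0.1 and check with a packet capture on the outbound interface that the only DNS-related traffic leaving the host is TCP to port 853; any UDP to port 53 means an application or the system resolver is bypassing Stubby.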