Networking - DNS - DNS over TLS
Problem Statement
DNS is insecure by default because queries and responses travel unencrypted, so an on-path attacker can read or tamper with them (man-in-the-middle). Injecting forged responses in this way is the basis of DNS cache poisoning.
Because DNS runs over UDP, a connection-less protocol, a DNS response can easily be forged to return a spoofed IP address, so there is no guarantee that the address a DNS query resolves to is the real one.
Solution
DNS over TLS means that DNS queries are sent over a secure connection encrypted with TLS, the same technology that encrypts HTTP traffic, so no third parties can see your DNS queries.
One approach is to use Stubby for DNS over TLS.
Stubby is an open-source DNS stub resolver developed by the getdns team and built on the getdns library. It supports DNS over TLS and, by default, sends DNS queries only over an encrypted connection.
NOTE: A stub resolver is a small DNS client on the end-user’s computer that receives DNS requests from applications such as Firefox and forwards requests to a recursive resolver like 1.1.1.1 or 8.8.8.8.
There are other stub resolvers that also support DNS over HTTPS, such as cloudflared, but Stubby is very easy to use.
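As an added illustration (not code from this page or from the Stubby project), the following Python script performs one DNS-over-TLS query the way a stub resolver does on the wire: a TLS session to port 853, the server certificate verified against the upstream's authentication name, and the DNS message framed with a 2-byte length prefix. The upstream 1.1.1.1 / cloudflare-dns.com and the fixed transaction ID are assumptions.

```python
import socket
import ssl
import struct

def build_query(name, txn_id=0x1234):
    """Build an A query in DNS wire format (RFC 1035) with RD set.
    txn_id is fixed here only for reproducibility (assumption)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
def frame(msg):
    """Prefix with a 16-bit length: DoT reuses the DNS-over-TCP framing."""
    return struct.pack("!H", len(msg)) + msg
def skip_name(resp, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = resp[pos]
        if length & 0xC0 == 0xC0:   # compression pointer ends the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += length + 1
def parse_a_records(resp, txn_id=0x1234):
    """Return IPv4 addresses from the answer section; reject a wrong ID."""
    rid, _flags, qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    if rid != txn_id:
        raise ValueError("transaction id mismatch")
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(resp, pos) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(resp, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs
def resolve_dot(name, server="1.1.1.1", auth_name="cloudflare-dns.com"):
    """Send the query inside TLS on port 853 (RFC 7858). The certificate is
    verified against auth_name, as Stubby's tls_auth_name does. Needs network."""
    ctx = ssl.create_default_context()          # CA chain + hostname checks
    with socket.create_connection((server, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(name)))
            reader = tls.makefile("rb")
            (length,) = struct.unpack("!H", reader.read(2))
            return parse_a_records(reader.read(length))
```

Run `resolve_dot("example.com")` on a connected host to see the encrypted lookup end to end; the parsing functions can be exercised offline on a captured response.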