

Networking - DNS - Stubby

DNS traffic is usually unencrypted. Your ISP can see all your DNS requests, regardless of which upstream server you use, unless you encrypt them in some manner (Stubby does this). However, even if you encrypt your DNS, if the encrypted lookup is immediately followed by a clear text connection to the IP address it returned, your ISP can still tell where you are browsing. So, on its own, there is no obvious privacy gain.

Encrypted DNS does protect against third parties tampering with the DNS response and providing false information (a man-in-the-middle attack).

Stubby acts as a local DNS Privacy stub resolver (using DNS-over-TLS). It encrypts the DNS queries sent from a client machine to a DNS Privacy resolver, increasing end user privacy.

Stubby uses only DNS-over-TLS to provide privacy; it does not implement DNSCrypt.
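As an added example (not taken from the Stubby project or this page), a minimal Stubby configuration in strict mode. The file path is the usual one but is an assumption; the upstream address and TLS authentication name are those of the public Quad9 resolver. The point being illustrated is that encryption alone does not stop a man-in-the-middle: the upstream's certificate must also be verified against a name you expect.

```yaml
# /etc/stubby/stubby.yml (typical location, assumed)

# Stub resolver mode: Stubby forwards every query to the upstreams below.
resolution_type: GETDNS_RESOLUTION_STUB

# Only DNS-over-TLS (RFC 7858, TCP port 853). No fallback to plain UDP/TCP,
# so a query never silently leaves the host unencrypted.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS

# Strict mode: the TLS certificate MUST validate and MUST match tls_auth_name.
# The weak alternative, GETDNS_AUTHENTICATION_NONE, is "opportunistic": the
# channel is encrypted but any certificate is accepted, so an on-path attacker
# who terminates the TLS session can still hand back forged answers.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

# Pad queries to a fixed block size so message length leaks less about
# which name was looked up.
tls_query_padding_blocksize: 128

# Do not send the client subnet (EDNS Client Subnet) to the upstream.
edns_client_subnet_private: 1

# Keep the TLS connection open between queries (milliseconds).
idle_timeout: 10000

# Only answer on loopback; point the system resolver (e.g. /etc/resolv.conf)
# at 127.0.0.1 afterwards.
listen_addresses:
  - 127.0.0.1
  - 0::1

upstream_recursive_servers:
  # Quad9, public DNS-over-TLS resolver. tls_auth_name is the hostname the
  # presented certificate must be issued for; without it strict mode cannot
  # authenticate the server and Stubby will refuse to use it.
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
```

A quick check after starting Stubby is `dig @127.0.0.1 example.com` followed by a packet capture on port 53 to the Internet, which should stay empty; only port 853 traffic to the upstream should appear.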

NOTE: DNSCrypt is a method of authenticating communications between a DNS client and a DNS resolver.

It prevents DNS spoofing.

It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with (the messages are still sent over UDP).

As a side effect it provides increased privacy because the DNS message content is encrypted.

It is an open specification but it has not been standardized by the IETF.



networking/dns/stubby.1608285008.txt.gz · Last modified: 2020/12/18 09:50 by peter
