====== Networking - DNS - DNS over TLS ======

DNS is insecure because by default DNS queries are not encrypted, which can be exploited (man-in-the-middle).  This is DNS Cache Poisoning.

As DNS is based on UDP, which is a connection-less protocol, any DNS response can easily be manipulated to provide a spoofed IP.  So there is no guarantee that what the DNS query resolves to the real IP.

**DNS over TLS** means that DNS queries are sent over a secure connection encrypted with TLS, the same technology that encrypts HTTP traffic, so no third parties can see your DNS queries.

----

===== Stubby =====

Stubby is an open-source DNS stub resolver which supports DNS over TLS by default and therefore it will only send DNS requests encrypted.

<WRAP info>
**NOTE:**  A **stub resolver** is a small DNS client on the end-user’s computer that receives DNS requests from applications such as Firefox and forwards requests to a recursive resolver like 1.1.1.1 or 8.8.8.8.

There are other stub resolvers that also support DNS over HTTPS, such as cloudflared, but Stubby is very easy to use.

</WRAP>