====== Networking - DNS - DNS over TLS ======

DNS is insecure because by default DNS queries are not encrypted, which can be exploited by anyone positioned between the client and the resolver (man-in-the-middle), for example to carry out DNS cache poisoning. As DNS is based on UDP, a connection-less protocol, any DNS response can easily be forged to provide a spoofed IP. So there is no guarantee that what a DNS query resolves to is the real IP.

**DNS over TLS** means that DNS queries are sent over a secure connection encrypted with TLS, the same technology that secures HTTPS traffic, so no third parties can see or tamper with your DNS queries.

----

===== Stubby =====

Stubby is an open-source DNS stub resolver which supports DNS over TLS by default and therefore only sends DNS requests encrypted.

**NOTE:** A **stub resolver** is a small DNS client on the end-user's computer that receives DNS requests from applications such as Firefox and forwards them to a recursive resolver like 1.1.1.1 or 8.8.8.8.

There are other stub resolvers that also support DNS over HTTPS, such as cloudflared, but Stubby is very easy to use.