Installing and configuring an encrypted dns server is straightforward, there is no reason to use an unencrypted dns service.
DNS is not secure or private
DNS traffic is insecure and runs over UDP port 53 (TCP for zone transfers ) unecrypted by default.
This make your encrypted DNS traffic a privacy risk and a security risk:
- anyone that is able to sniff your network traffic can collect a lot information from your leaking DNS traffic.
- with a DNS spoofing attack an attacker can trick you let go to malicious website or try to intercept your email traffic.
Encrypting your network traffic is always a good idea for privacy and security reasons - we encrypt, because we can! - . More information about dns privacy can be found at https://dnsprivacy.org/
On this site you’ll find also the DNS Privacy Daemon - Stubby that let’s you send your DNS request over TLS to an alternative DNS provider. You should use a DNS provider that you trust and has a no logging policy. quad9, cloudflare and google dns are well-known alternative dns providers.
At https://dnsprivacy.o...cy Test Servers you can find a few other options.
You’ll find my journey to setup Stubby on a few operation systems I use (or I’m force to use) below …
He explains how to set it up on Archlinux, Debian and the manual way on other distros.