**Installing and configuring an encrypted DNS resolver is straightforward; there is no reason to keep using an unencrypted DNS service.**
DNS is not secure or private
DNS traffic runs over UDP port 53 (TCP port 53 for zone transfers and for responses too large for UDP) and is unencrypted and unauthenticated by default.
This makes plain DNS both a privacy risk and a security risk:
- anyone who can sniff your network traffic (on the local network, at your ISP, or anywhere on the path to the resolver) can collect a lot of information from your DNS queries: every hostname you look up, and when.
- with a DNS spoofing attack (a forged response, or a poisoned resolver cache) an attacker can redirect you to a malicious website, or redirect your email by answering with forged MX records.
Encrypt your dns traffic
Encrypting your network traffic is always a good idea for privacy and security reasons: **we encrypt, because we can!**
More information about DNS privacy can be found at https://dnsprivacy.org/
On that site you'll also find Stubby, the DNS Privacy Daemon: a local stub resolver that takes the plain DNS queries from your applications and forwards them over TLS (DNS-over-TLS, TCP port 853) to an alternative DNS provider, checking the provider's certificate against a configured authentication name so that a spoofed upstream is rejected. The provider still sees all of your queries, so use a DNS provider that you trust and that has a no-logging policy. Quad9, Cloudflare and Google DNS are well-known alternative DNS providers that support DNS-over-TLS. At https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers you can find a few other options.
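To make concrete what Stubby does on the wire, here is an added example (my own code, not Stubby's and not from the original post) of a minimal DNS-over-TLS client: it builds a wire-format A query, sends it with the two-byte TCP length prefix over a TLS connection to port 853, and, crucially, verifies the upstream's certificate against the provider's authentication name rather than trusting whatever answers at the IP. The upstream addresses and authentication names are the providers' published ones (Quad9 9.9.9.9 / dns.quad9.net, Cloudflare 1.1.1.1 / cloudflare-dns.com, Google 8.8.8.8 / dns.google); everything else, including the sample response bytes used for offline parsing, is constructed for this example.

```python
import socket
import ssl
import struct

# Public DoT upstreams named in the text: (address, TLS authentication name).
# The auth name is what the server certificate must match, not the IP.
UPSTREAMS = {
    "quad9": ("9.9.9.9", "dns.quad9.net"),
    "cloudflare": ("1.1.1.1", "cloudflare-dns.com"),
    "google": ("8.8.8.8", "dns.google"),
}
DOT_PORT = 853  # RFC 7858: DNS over TLS
QUERY_ID = 0x1234  # fixed transaction id for this example


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = QUERY_ID) -> bytes:
    """Standard query for an A record: header (RD=1, one question) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_records(msg: bytes, expected_id: int = QUERY_ID) -> list:
    """Return the IPv4 addresses in the answer section; reject errors and wrong ids."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the connection")
        buf += chunk
    return buf


def resolve_over_tls(name: str, upstream: str = "quad9", timeout: float = 5.0) -> list:
    """One authenticated DNS-over-TLS query (needs network access)."""
    ip, auth_name = UPSTREAMS[upstream]
    ctx = ssl.create_default_context()  # system CAs, chain + hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name)
    with socket.create_connection((ip, DOT_PORT), timeout=timeout) as raw:
        # server_hostname sets SNI and is the name the certificate must match;
        # a spoofed or intercepting upstream fails the handshake here.
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # TCP length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length))


if __name__ == "__main__":
    print(resolve_over_tls("dnsprivacy.org"))
```

The same two checks are what Stubby's `tls_auth_name` and `tls_authentication: GETDNS_AUTHENTICATION_REQUIRED` settings give you: encryption alone only hides the query from a passive sniffer, while verifying the certificate against the configured name is what stops an active attacker from answering in the provider's place.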
You’ll find my journey to set up Stubby on a few operating systems I use (or am forced to use) below …