...

  1. MUST: Enable DNSSEC validation.
  2. MUST: Enable QNAME minimization to minimize leakage of domain names.
  3. MAY: Enable DoT (DNS-over-TLS). DoT is the easiest way to protect against eavesdropping and manipulation of DNS queries and man-in-the-middle attacks by encrypting DNS queries between stub and recursive resolvers.

    Footnote
    It is worth noting that, while DoH (DNS-over-HTTPS) improves end-user privacy, in the same way that DoT does, it is somewhat more complicated and its benefits to network operators are still being debated.

Note: Enabling DoT does reduce the visibility that local administrators have into the queries being forwarded by the local recursive resolver to an upstream DoT service. However, it will still be possible to analyze queries between clients and the local DNS resolver before they are forwarded to a DoT upstream service, or by logging queries.
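As an added illustration (not part of the original document), the three recommendations and the logging point from the note above expressed as an Unbound resolver configuration; the client address range, the certificate bundle path and the upstream DoT resolver (RFC 5737 documentation address and example name) are placeholders, not real endpoints.

```conf
# Added example, not from the original document. Placeholders: the access-control
# range, the tls-cert-bundle path and the upstream DoT resolver in forward-zone.
server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 allow    # placeholder: the local client range

    # 1. MUST: DNSSEC validation. The root trust anchor is tracked via RFC 5011
    #    rollover; unbound-anchor(8) creates the initial root.key file.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes         # answers with stripped RRSIGs are bogus, not insecure
    val-permissive-mode: no             # bogus answers are returned as SERVFAIL

    # 2. MUST: QNAME minimisation (RFC 9156). Applies on the iterative path;
    #    when everything is forwarded (forward-zone below) the upstream resolver
    #    performs the minimisation towards authoritative servers.
    qname-minimisation: yes
    qname-minimisation-strict: no       # relaxed mode: fall back for broken authoritatives

    # 3. MAY: DoT to the upstream. The CA bundle is required so the upstream
    #    certificate, and therefore the name after '#' below, is verified.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Note: the upstream leg is encrypted, so local visibility comes from
    # logging the client-facing queries and replies here.
    log-queries: yes
    log-replies: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes           # all upstream queries over TLS (port 853)
    # Placeholder upstream; Unbound authenticates the certificate against the
    # name given after '#'.
    forward-addr: 192.0.2.53@853#dot-resolver.example
```

Without tls-cert-bundle (or tls-system-cert) the upstream certificate is not checked, so the authentication name after '#' is ineffective; verify the file with unbound-checkconf before reloading.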

...