As the backbone of the internet, the Domain Name System (DNS) protocol has undergone a series of improvements and enhancements over the years. The lack of stringent protections in the original DNS specification, together with security weaknesses discovered over time, such as the decade-old Kaminsky bug, gave birth to the Domain Name System Security Extensions (DNSSEC) in 2010.
DNSSEC was created to add cryptographic protection through digital signatures, so that DNS clients around the world could verify that a DNS response came from the authoritative DNS server for the zone and that the response was not altered in transit.
Some of you may then wonder: if DNSSEC already provides that security, what is the need for DNS over HTTPS and DNS over TLS?
DNSSEC only ensures the authenticity and integrity of DNS responses; it does not provide privacy, since the queries and answers still travel in cleartext. Protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt the DNS traffic between the client and its resolver, therefore guaranteeing data confidentiality on that path. In other words, your DNS traffic now benefits from the same end-to-end encryption as your web traffic to and from HTTPS sites.
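To make the distinction concrete, here is an added example (not code from the original article) showing what DoH actually changes: the DNS message itself is the same wire-format packet that would otherwise go out on UDP port 53 in cleartext, and it is only wrapped in an HTTPS request (RFC 8484) so that the query name is hidden from anyone between the client and the resolver. The resolver URL is a placeholder assumption, and the sample response bytes are constructed inline rather than captured from a real resolver.

```python
"""Added example: carrying an ordinary DNS message over HTTPS (RFC 8484).

Not code from the original article. The resolver URL is a placeholder
assumption; the sample response below is constructed, not captured.
"""
import base64
import struct
import urllib.request

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a wire-format query: ID 0 (as RFC 8484 recommends for DoH, so
    identical queries have identical bytes and are HTTP-cacheable), RD set."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url-encoded DNS message, '=' padding stripped."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def decode_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(data: bytes) -> list[tuple[str, int, str]]:
    """Return (name, ttl, ipv4) for each A record in the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x000F:  # RCODE other than NOERROR
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlength == 4:
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return records


def resolve_over_doh(resolver_url: str, name: str) -> list[tuple[str, int, str]]:
    """Send the query inside HTTPS. Needs network access; not exercised offline."""
    req = urllib.request.Request(
        doh_get_url(resolver_url, build_query(name)),
        headers={"Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())


# Constructed sample response: example.com A 192.0.2.1 (TEST-NET-1), TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c"  # pointer back to the question name at offset 12
    + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    # Placeholder resolver URL (assumption); replace with a real DoH endpoint.
    print(doh_get_url("https://doh.example.invalid/dns-query", build_query("example.com")))
    print(parse_a_records(SAMPLE_RESPONSE))
```

The bytes produced by `build_query` are exactly what a classic resolver would receive in the clear over UDP/53, query name included; DoH only changes the transport, so the confidentiality comes from the TLS session to the resolver, not from anything inside the DNS message. That also means the resolver itself still sees every name you look up, and any DNSSEC signatures travel inside the message unchanged, since the two mechanisms address different problems.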