EdgeRouter: Configuring DNS over TLS

Why do I need DNS over TLS/SSL?

I am already using the privacy-first 1.1.1.1 as my DNS resolver. My DNS queries are still unencrypted. Tcpdump on the EdgeRouter shows which queries my home devices are making continuously.

ubnt@ubnt:~$ sudo tcpdump -i eth0 host 1.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:30:20.440277 IP 143.142.86.116.starhub.net.sg.46173 > one.one.one.one.domain: 47433+ AAAA? www.google.com. (32)
08:30:20.440327 IP 143.142.86.116.starhub.net.sg.34814 > one.one.one.one.domain: 2184+ A? www.google.com. (32)
08:30:20.442713 IP one.one.one.one.domain > 143.142.86.116.starhub.net.sg.34814: 2184 6/0/0 A 172.217.194.104, A 172.217.194.106, A 172.217.194.99, A 172.217.194.103, A 172.217.194.147, A 172.217.194.105 (142)
08:30:20.442980 IP one.one.one.one.domain > 143.142.86.116.starhub.net.sg.46173: 47433 1/0/0 AAAA 2404:6800:4003:c03::6a (74)
08:30:20.811393 IP 143.142.86.116.starhub.net.sg.12868 > one.one.one.one.domain: 8631+ A? fonts.gstatic.com. (35)
08:30:20.811436 IP 143.142.86.116.starhub.net.sg.13733 > one.one.one.one.domain: 43728+ AAAA? fonts.gstatic.com. (35)
08:30:20.813900 IP one.one.one.one.domain > 143.142.86.116.starhub.net.sg.13733: 43728 2/0/0 CNAME gstaticadssl.l.google.com., AAAA 2404:6800:4003:c04::5e (116)
08:30:20.814139 IP one.one.one.one.domain > 143.142.86.116.starhub.net.sg.12868: 8631 2/0/0 CNAME gstaticadssl.l.google.com., A 172.217.194.94 (104)
^C
8 packets captured
119 packets received by filter
96 packets dropped by kernel
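
As an added example (not part of the original page), the Python below rebuilds the 32-byte query from the capture above and decodes it again, showing that the queried name can be read straight from the bytes by anyone on the path between the router and 1.1.1.1. The function names are hypothetical, and the sample packet is constructed from the values tcpdump printed (ID 2184, type A, www.google.com).

```python
import struct

QTYPES = {1: "A", 28: "AAAA"}  # record types seen in the capture


def build_query(txid, name, qtype, rd=True):
    """Encode a one-question DNS query as sent over UDP port 53."""
    flags = 0x0100 if rd else 0  # RD bit, which tcpdump prints as '+'
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def read_query(wire):
    """Recover the question from raw bytes; no key or secret is needed."""
    if len(wire) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", wire[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(wire):
            raise ValueError("truncated name")
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(wire):
            raise ValueError("bad or truncated label")
        labels.append(wire[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(wire):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", wire[pos:pos + 4])
    return {"id": txid, "rd": bool(flags & 0x0100),
            "name": ".".join(labels) + ".",
            "type": QTYPES.get(qtype, str(qtype))}


if __name__ == "__main__":
    # Constructed sample: the same question as the first A query in the capture.
    wire = build_query(2184, "www.google.com", 1)
    print(len(wire), wire.hex())
    print(read_query(wire))
```

The encoded lengths match the sizes tcpdump reports in parentheses: 32 bytes for www.google.com and 35 bytes for fonts.gstatic.com.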

There are two methods that can be used to provide DNS services to clients: