...
- MUST: Enable DNSSEC validation.
- MUST: Enable QNAME minimization to minimize leakage of domain names.
- MAY: Enable DoT (DNS-over-TLS). DoT is the easiest way to protect against eavesdropping on and manipulation of DNS queries, including man-in-the-middle attacks, by encrypting DNS queries between stub and recursive resolvers.
Note: Enabling DoT does reduce the visibility that local administrators have into the queries being forwarded by the local recursive resolver to an upstream DoT service. However, it will still be possible to analyze queries between clients and the local DNS resolver before they are forwarded to a DoT upstream service, or by logging queries.
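The following Unbound `unbound.conf` fragment is an added example (not part of this guide) showing the three items above together: DNSSEC validation (MUST), QNAME minimization (MUST), DoT forwarding (MAY) plus local query logging to retain the visibility the note describes. The trust-anchor and CA-bundle paths are typical Linux defaults and the upstream address `203.0.113.53` / `dot.example.net` is a placeholder; substitute your own.

```conf
server:
    # MUST: DNSSEC validation. Load the validator module and keep the root
    # trust anchor auto-updated (RFC 5011). Assumed path; adjust for your OS.
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Do not fall back to returning bogus data; SERVFAIL on validation failure.
    val-permissive-mode: no
    # Treat answers with DNSSEC records stripped as bogus instead of insecure.
    harden-dnssec-stripped: yes

    # MUST: QNAME minimization, so upstream servers only see the labels they
    # need (RFC 9156). Strict mode is left off: it breaks some misconfigured
    # zones in exchange for no fallback to full-name queries.
    qname-minimisation: yes
    qname-minimisation-strict: no

    # MAY: DoT. The CA bundle is required so the upstream certificate is
    # actually verified; without it, forward-tls-upstream encrypts but does
    # not authenticate the upstream resolver. Assumed Debian/Ubuntu path.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Keep visibility of client queries locally, since the DoT upstream
    # (and any network monitoring between here and it) no longer sees them.
    log-queries: yes
    use-syslog: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Placeholder upstream: IP@port#hostname. The hostname after '#' is what
    # the certificate is checked against, so it must match the upstream's cert.
    forward-addr: 203.0.113.53@853#dot.example.net
```

Run `unbound-checkconf` after editing; a DNSSEC-validating resolver sets the AD flag on `dig +dnssec` answers for signed zones and returns SERVFAIL for zones whose signatures fail validation.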
...