The Domain Name System (DNS) is key to making the internet work: virtually everything you do online begins with a DNS lookup. DNS lookups are automatically performed for users via recursive resolvers. Recursive resolver service has historically been offered by a user’s Internet Service Provider (ISP) or other connectivity provider, such as an employer, a student's school, etc.
More recently, third parties have begun offering free alternative recursive resolver services, for example Google's 8.8.8.8 or Cloudflare's 1.1.1.1. These services, and others like them, have been touted as an alternative to default recursive resolver services that may have been "slow," "unreliable," "filtered," or "intrusively monitored."
More recently still, third party recursive resolver operators have begun offering encryption of the DNS traffic between the stub resolver (running on the user's system or device) and the third party recursive resolver. Several competing protocols have emerged for that purpose, including DNSCrypt, DNS over TLS (DoT, RFC 7858), and DNS over HTTPS (DoH, RFC 8484).
This paper provides the basic information needed to evaluate the benefits and potential issues of encrypting DNS traffic. It is written both for end-users who want to implement encrypted DNS on their personal devices or home broadband networks and for ISPs and enterprise administrators who are considering it as an additional layer of security on their corporate networks. This paper also includes specific recommendations on how M3AAWG members and the online anti-abuse ecosystem can apply this technology.
A separate supplemental document, "M3AAWG Companion Document: Recipes for Encrypting DNS Stub Resolver-to-Recursive Resolver Traffic" outlines the specific steps to install and configure a third party encrypted DNS service on popular end-user hardware and mobile devices. It is available at www.m3aawg.org/dns-crypto-recipes and in the Best Practices section of the M3AAWG website.