{"id":524,"date":"2026-01-20T07:33:23","date_gmt":"2026-01-20T07:33:23","guid":{"rendered":"https:\/\/hackingwithj.com\/?p=524"},"modified":"2026-01-19T07:48:42","modified_gmt":"2026-01-19T07:48:42","slug":"dns-over-tls","status":"publish","type":"post","link":"https:\/\/hackingwithj.com\/?p=524","title":{"rendered":"DNS over TLS"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">DNS over TLS in my homelab<\/h1>\n\n\n\n<p>Because I like to tinker with my homelab <em>and<\/em> I\u2019m working toward becoming an ethical hacker (purple team energy \ud83d\ude09), securing my home network feels like a natural next step.<\/p>\n\n\n\n<p>In this post, I\u2019ll walk through <strong>why and how I implemented DNS over TLS (DoT)<\/strong> at home, and why I deliberately chose it over DNS over HTTPS.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is DNS over TLS (DoT)?<\/h2>\n\n\n\n<p>Normally, DNS requests are sent over the network <strong>in plaintext<\/strong>.<br>That means anyone on the same network \u2014 or anywhere in between \u2014 can:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>See which domains you\u2019re resolving<\/li>\n\n\n\n<li>Manipulate DNS responses<\/li>\n\n\n\n<li>Redirect traffic without you noticing<\/li>\n<\/ul>\n\n\n\n<p>DNS over TLS encrypts these DNS queries, similar to how HTTPS encrypts web traffic.<br>DoT runs on <strong>port 853<\/strong> and ensures DNS requests can\u2019t be read or altered in transit.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How about DNS over HTTPS (DoH)?<\/h3>\n\n\n\n<p>DNS over HTTPS works in a similar way but uses <strong>port 443<\/strong> (regular HTTPS traffic).<\/p>\n\n\n\n<p>The main difference:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>DoH blends in with normal HTTPS traffic<\/strong>, making it harder to detect or filter<\/li>\n\n\n\n<li><strong>DoT is explicit DNS traffic<\/strong>, just encrypted<\/li>\n<\/ul>\n\n\n\n<p>For my use case, I deliberately chose <strong>DoT<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>I run an IPS at home<\/li>\n\n\n\n<li>I still want visibility into DNS traffic<\/li>\n\n\n\n<li>I want encryption <em>without<\/em> hiding DNS inside HTTPS<\/li>\n<\/ul>\n\n\n\n<p>Both have their place \u2014 choose based on what you value more: stealth or control.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Hijacking DNS traffic (why this matters)<\/h2>\n\n\n\n<p>Before implementing DoT, I wanted to <strong>prove to myself<\/strong> that my network was vulnerable.<\/p>\n\n\n\n<p>Using <strong>bettercap<\/strong>, I simulated a DNS hijacking attack. Because I don\u2019t run an enterprise-grade managed switch, my network is vulnerable to <strong>ARP spoofing<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-08cd12b83d10a54be3c3f766bdf79024\"><code>sudo bettercap -iface eth0\nnet.probe on\nset arp.spoof targets &lt;ip target>\narp.spoof on\nset dns.spoof.domains www.hackingwithj.com\nset dns.spoof.address &lt;ip attacker>\ndns.spoof on<\/code><\/pre>\n\n\n\n<p>The target was my phone. Results:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Before:<\/strong> DNS resolved to the legitimate host<\/li>\n\n\n\n<li><strong>After:<\/strong> DNS was spoofed and redirected to my attacker IP<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"473\" height=\"1024\" data-id=\"525\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/1000055553-473x1024.jpg\" alt=\"\" class=\"wp-image-525\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/1000055553-473x1024.jpg 473w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/1000055553-138x300.jpg 138w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/1000055553-768x1664.jpg 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/1000055553-709x1536.jpg 709w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/1000055553-945x2048.jpg 945w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/1000055553.jpg 1080w\" sizes=\"auto, (max-width: 473px) 100vw, 473px\" \/><figcaption class=\"wp-element-caption\">Before<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"473\" height=\"1024\" data-id=\"526\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/1000055555-473x1024.jpg\" alt=\"\" class=\"wp-image-526\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/1000055555-473x1024.jpg 473w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/1000055555-138x300.jpg 138w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/1000055555-768x1664.jpg 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/1000055555-709x1536.jpg 709w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/1000055555-945x2048.jpg 945w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/1000055555.jpg 1080w\" sizes=\"auto, (max-width: 473px) 100vw, 473px\" \/><figcaption class=\"wp-element-caption\">After<\/figcaption><\/figure>\n<\/figure>\n\n\n\n<p>(The timeout you see is expected \u2014 I didn\u2019t enable IPv4 forwarding for passthrough.) This confirmed the risk: <strong>unencrypted DNS is easy to abuse on local networks<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Setting up DNS over TLS<\/h2>\n\n\n\n<p>I\u2019m running <strong>OPNsense<\/strong> as my dedicated firewall \u2014 an excellent open-source firewall for homelabs. Most home routers can do something similar, as long as you have a local DNS resolver.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Choosing a DNS provider<\/h3>\n\n\n\n<p>There are plenty of DNS providers that support DoT.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">First attempt: Mullvad DNS<\/h3>\n\n\n\n<p>I initially chose Mullvad because I trust them as a VPN provider. They offer multiple DNS profiles, including malware blocking:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"770\" height=\"335\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-13.png\" alt=\"\" class=\"wp-image-529\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-13.png 770w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-13-300x131.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-13-768x334.png 768w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/figure>\n\n\n\n<p>I chose the option with malware protection \u2014 great on paper. However, after about a month, my girlfriend\u2019s iPhone had <strong>terrible network performance<\/strong>. After some troubleshooting, I decided to switch.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Final choice: Cloudflare 1.1.1.2<\/h3>\n\n\n\n<p>Cloudflare\u2019s <strong>1.1.1.2<\/strong> offers:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DNS over TLS<\/li>\n\n\n\n<li>Malware protection<\/li>\n\n\n\n<li>Much better performance in my environment<\/li>\n<\/ul>\n\n\n\n<p>Reference:<br><a>https:\/\/developers.cloudflare.com\/1.1.1.1\/setup\/#dns-over-tls-dot<\/a><\/p>\n\n\n\n<p>These \u201csecurity-focused\u201d DNS servers don\u2019t just block random sites \u2014 they mainly block <strong>known malicious domains<\/strong>, which adds a nice baseline of protection for less technical users on the network. Other servers:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"824\" height=\"785\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-14.png\" alt=\"\" class=\"wp-image-530\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-14.png 824w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-14-300x286.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-14-768x732.png 768w\" sizes=\"auto, (max-width: 824px) 100vw, 824px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring OPNsense (Unbound DNS)<\/h3>\n\n\n\n<p>OPNsense uses <strong>Unbound DNS<\/strong> as its resolver, which supports DoT natively.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Enable DNS over TLS<\/h3>\n\n\n\n<p>In <strong>Unbound DNS<\/strong>, add a new DNS server:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Server IP<\/li>\n\n\n\n<li>Port <code>853<\/code><\/li>\n\n\n\n<li>Verify CN<\/li>\n\n\n\n<li>Description<\/li>\n<\/ul>\n\n\n\n<p>The domain field can be left empty for public resolvers. At this point, <em>most<\/em> clients will already start using DoT \u2014 but not all.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"345\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-15-1024x345.png\" alt=\"\" class=\"wp-image-531\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-15-1024x345.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-15-300x101.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-15-768x258.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-15-1536x517.png 1536w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-15.png 1572w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Forcing all devices to use secure DNS<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Remove DHCP-provided DNS servers<\/h3>\n\n\n\n<p>Go to: Services > ISC DHCPv4<\/p>\n\n\n\n<p>Select your VLAN or interface and <strong>clear the DNS server fields<\/strong>. This ensures clients don\u2019t bypass your firewall DNS:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"425\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-16-1024x425.png\" alt=\"\" class=\"wp-image-532\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-16-1024x425.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-16-300x124.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-16-768x319.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-16-1536x637.png 1536w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-16.png 1897w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Block and redirect DNS traffic<\/h3>\n\n\n\n<p>To enforce DNS usage, I created <strong>floating firewall rules<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>One rule to <strong>block outgoing DNS<\/strong><\/li>\n\n\n\n<li>One rule to <strong>pass DNS traffic to the firewall<\/strong><\/li>\n<\/ul>\n\n\n\n<p>This ensures all DNS traffic is intercepted:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"148\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-17-1024x148.png\" alt=\"\" class=\"wp-image-533\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-17-1024x148.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-17-300x43.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-17-768x111.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-17-1536x222.png 1536w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-17.png 1569w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: NAT port forwarding<\/h3>\n\n\n\n<p>Finally, create a NAT rule: Firewall > NAT > Port Forward<\/p>\n\n\n\n<p>This rule redirects all DNS traffic to the firewall\u2019s local DNS resolver.<\/p>\n\n\n\n<p>Important:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Under <strong>Filter rule association<\/strong>, select the floating rule created earlier<\/li>\n<\/ul>\n\n\n\n<p>Now <strong>every device on the network is forced to use DNS over TLS<\/strong>, whether it likes it or not:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"178\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-18-1024x178.png\" alt=\"\" class=\"wp-image-534\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-18-1024x178.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-18-300x52.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-18-768x134.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-18-1536x268.png 1536w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-18.png 1567w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Testing the setup<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Browser test<\/h3>\n\n\n\n<p>Visit:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-18862c9adb4485b24c3ecd5e117d0423\"><code>https:&#47;&#47;1.1.1.1\/help<\/code><\/pre>\n\n\n\n<p>This confirms:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The correct resolver is being used<\/li>\n\n\n\n<li>DNS over TLS is active<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"398\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-19-1024x398.png\" alt=\"\" class=\"wp-image-535\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-19-1024x398.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-19-300x117.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-19-768x299.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-19-1536x597.png 1536w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-19.png 1909w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Malware blocking test<\/h3>\n\n\n\n<p>Visit:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-884e5d94ca1ec577fc01848ec9ceb099\"><code>malware.testcategory.com<\/code><\/pre>\n\n\n\n<p>If it\u2019s blocked \u2014 it works:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"851\" height=\"638\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-20-edited.png\" alt=\"\" class=\"wp-image-537\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-20-edited.png 851w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-20-edited-300x225.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-20-edited-768x576.png 768w\" sizes=\"auto, (max-width: 851px) 100vw, 851px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Attacker perspective<\/h3>\n\n\n\n<p>Finally, I repeated the earlier bettercap attack from my Kali machine. This time:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DNS spoofing failed<\/li>\n\n\n\n<li>Encrypted DNS traffic could not be manipulated<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"355\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-21-1024x355.png\" alt=\"\" class=\"wp-image-538\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-21-1024x355.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-21-300x104.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-21-768x266.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-21.png 1323w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"172\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-22-1024x172.png\" alt=\"\" class=\"wp-image-540\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-22-1024x172.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-22-300x50.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-22-768x129.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-22-1536x258.png 1536w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/01\/image-22.png 1860w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Every query gets forced through the firewall.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Final thoughts<\/h2>\n\n\n\n<p>This setup gave me:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Encrypted DNS<\/li>\n\n\n\n<li>Centralized control<\/li>\n\n\n\n<li>Better visibility than DoH<\/li>\n\n\n\n<li>Extra protection for non-technical users<\/li>\n<\/ul>\n\n\n\n<p>It\u2019s not enterprise-grade perfection \u2014 but for a homelab, it\u2019s a <strong>huge security improvement<\/strong>. And honestly? Breaking your own network first is still the best way to learn how to defend it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Learning notes<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">DNS security fundamentals<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DNS is plaintext by default and easy to abuse on local networks.<\/li>\n\n\n\n<li>ARP spoofing + DNS spoofing is still very effective without encrypted DNS.<\/li>\n\n\n\n<li>Encrypting DNS protects <strong>integrity and confidentiality<\/strong>, not just privacy.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">DNS over TLS vs DNS over HTTPS<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DoT uses port 853 and keeps DNS traffic identifiable but encrypted.<\/li>\n\n\n\n<li>DoH hides DNS inside HTTPS (port 443), which reduces visibility.<\/li>\n\n\n\n<li>Choose based on goals: <strong>control and monitoring (DoT)<\/strong> vs <strong>stealth and privacy (DoH)<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network enforcement matters<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Simply configuring secure DNS is not enough \u2014 clients will bypass it if allowed.<\/li>\n\n\n\n<li>Blocking outbound DNS and redirecting traffic ensures consistency.<\/li>\n\n\n\n<li>DHCP settings, firewall rules, and NAT must work together.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Offensive testing improves defense<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Actively attacking your own network validates assumptions.<\/li>\n\n\n\n<li>Tools like bettercap make weaknesses immediately visible.<\/li>\n\n\n\n<li>If you can break it easily, so can someone else.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Homelab mindset<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security controls should match your environment, not marketing claims.<\/li>\n\n\n\n<li>Iterating and adjusting (like switching DNS providers) is normal.<\/li>\n\n\n\n<li>Understanding <em>why<\/em> something breaks is more valuable than blindly following guides.<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>DNS over TLS in my homelab Because I like to tinker with my homelab and I\u2019m working toward becoming an ethical hacker (purple team energy \ud83d\ude09), securing my home network feels like a natural next step. In this post, I\u2019ll walk through why and how I implemented DNS over TLS (DoT) at home, and why [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[20,9,7,12],"tags":[41,42,44,43,45,46],"class_list":["post-524","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-network-hacking","category-realworld","category-wi-fi-security","tag-bettercap","tag-dns","tag-dns-over-tls","tag-homelab","tag-network-security","tag-opnsense"],"_links":{"self":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/524","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=524"}],"version-history":[{"count":4,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/524\/revisions"}],"predecessor-version":[{"id":541,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/524\/revisions\/541"}],"wp:attachment":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=524"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=524"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}