A standard DNS response is just UDP — easy to spoof. DNSSEC adds RRSIG (signature) and DNSKEY records so a resolver can verify the answer chain all the way up to the signed root zone.
IPFerret's DNS lookup tool surfaces a "DNSSEC ✓" badge when the upstream resolver (Cloudflare 1.1.1.1) validated the chain successfully.
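One way a client can derive such a badge, assuming it relies on the AD (Authenticated Data) bit that a validating resolver sets in the response header. This is an added example, not IPFerret's code; the function names, badge strings and sample headers are hypothetical and constructed for illustration.

```python
import secrets
import struct

# Added illustration: names, badge strings and sample data are hypothetical.
# Header flag masks (RFC 1035, RFC 4035) and the EDNS0 "DNSSEC OK" flag (RFC 3225).
QR, RD, AD = 0x8000, 0x0100, 0x0020
RCODE_MASK, SERVFAIL = 0x000F, 2
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
DO_BIT = 0x8000


def build_query(name, qtype=TYPE_A, txid=None):
    """Build a wire-format query that requests RRSIGs (DO=1) and signals AD support."""
    if txid is None:
        txid = secrets.randbits(16)  # unpredictable ID, since UDP replies can be spoofed
    header = struct.pack("!6H", txid, RD | AD, 1, 0, 0, 1)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!2H", qtype, CLASS_IN)
    # OPT pseudo-record: root name, type 41, class = UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_BIT, 0)
    return header + question + opt


def dnssec_status(response):
    """Map the header of a wire-format response to a badge state."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!2H", response[:4])
    if not flags & QR:
        raise ValueError("not a response")
    if (flags & RCODE_MASK) == SERVFAIL:
        # Validating resolvers answer SERVFAIL for bogus data (and other failures).
        return "failed"
    return "validated" if flags & AD else "not validated"


# Constructed sample headers (not captured traffic): QR|RD|RA, then +AD, then SERVFAIL.
UNSIGNED = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1)
SIGNED = struct.pack("!6H", 0x1234, 0x81A0, 1, 1, 0, 1)
BOGUS = struct.pack("!6H", 0x1234, 0x8182, 1, 0, 0, 1)

if __name__ == "__main__":
    for label, msg in (("signed", SIGNED), ("unsigned", UNSIGNED), ("bogus", BOGUS)):
        print(label, "->", dnssec_status(msg))
```

The AD bit is only the resolver's claim, so it is meaningful only over a channel to the resolver that cannot be tampered with, such as DoH or DoT.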
See also
- DNS: The distributed directory that maps human-readable names like example.com to IP addresses (and other records).
- DoH: DNS queries encrypted inside HTTPS so neither your ISP nor the local network can read or modify them.
- DoT: DNS encrypted with TLS on dedicated port 853 — same goal as DoH but uses its own protocol port.
