<p>If set to</p><ul><li><code>"true"</code>: all DNS lookups will be encrypted. This requires that the DNS server supports DNS-over-TLS and has a valid certificate. If the hostname was specified via the <code>address#hostname</code> format in <span class="mnos-option"><a href="/nixpkgs/option/services.resolved.domains"><a href="/nixpkgs/option/services.resolved.domains" rel="nofollow">services.resolved.domains</a></a></span> then the specified hostname is used to validate its certificate.</li><li><code>"opportunistic"</code>: all DNS lookups will attempt to be encrypted, but will fallback to unecrypted requests if the server does not support DNS-over-TLS. Note that this mode does allow for a malicious party to conduct a downgrade attack by immitating the DNS server and pretending to not support encryption.</li><li><code>"false"</code>: all DNS lookups are done unencrypted.</li></ul>

services.resolved.dnsovertls

If set to"true": all DNS lookups will be encrypted