DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that the answer they received has not been tampered with in transit. It protects against cache poisoning attacks where an attacker injects forged DNS responses.
However, DNSSEC does not encrypt DNS traffic — it only signs it. For confidentiality, combine DNSSEC with DNS-over-HTTPS or DNS-over-TLS. DNSSEC is most critical for high-value domains: banking, healthcare, and government sites.
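An added example (not from the original page) showing the "signed, not encrypted" point at the wire level: it builds a query with the EDNS0 DO bit set, in which the queried name still travels in cleartext, and reads the AD flag and RRSIG records from a response. The name `bank.example`, the helper names, and the sample response with its dummy signature are constructed for illustration.

```python
import struct

RRSIG, OPT = 46, 41                  # RR type codes (RFC 4034, RFC 6891)
AD_FLAG, DO_FLAG = 0x0020, 0x8000    # header "authenticated data", EDNS0 "DNSSEC OK"

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Query with RD set plus an EDNS0 OPT record carrying the DO bit.
    OPT layout: root name, type 41, class = UDP size, TTL field = flags, rdlen 0."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!2H", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, DO_FLAG, 0)
    return header + question + opt

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:    # compression pointer: two bytes, name ends here
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def dnssec_status(msg):
    """Report the AD flag and whether the answer section carries RRSIGs."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4          # skip QTYPE and QCLASS
    has_rrsig = False
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        has_rrsig |= rtype == RRSIG
        pos += 10 + rdlen
    return {"ad": bool(flags & AD_FLAG), "rrsig": has_rrsig}

def sample_response(validated):
    """Constructed response for bank.example: an A record and an RRSIG with a dummy signature."""
    flags = 0x8180 | (AD_FLAG if validated else 0)
    header = struct.pack("!6H", 0x1234, flags, 1, 2, 0, 0)
    question = encode_name("bank.example") + struct.pack("!2H", 1, 1)
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    sig = struct.pack("!HBBIIIH", 1, 13, 2, 300, 0, 0, 0) + encode_name("bank.example") + b"\x00" * 64
    rrsig = b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 300, len(sig)) + sig
    return header + question + a_rr + rrsig
```

The AD flag only reports that the upstream resolver says it validated the answer, so a client that relies on it needs an authenticated channel to that resolver, which DNS-over-TLS or DNS-over-HTTPS provides.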