There are many articles out there, regarding DNSSEC.
A quote from one of these articles
Ideally, the DNSSEC validation will occur as close as possible to the end user (either a person or a device) so that the attack surface where an attacker could inject bogus DNS packets is minimized.
If you are using raspbian (version february 2017) and want to implement DNSSEC, read this topic to get a working solution.