To protect your DNS privacy settings, you need to switch from your ISP’s default DNS resolver to an encrypted alternative using DNS over HTTPS (DoH) or DNS over TLS (DoT), then configure your operating system and browser to enforce those encrypted queries. The most immediate step most people can take is enabling DoH in their browser settings — Firefox, Chrome, and Edge all support it natively — and pointing their system DNS to a privacy-respecting resolver like Cloudflare’s 1.1.1.1 or Quad9’s 9.9.9.9. For example, if you are using your ISP’s default DNS right now, the lookup for every website you visit is sent in plaintext and can be logged, which means your internet provider can see, store, and potentially sell your entire browsing history without you ever knowing.
Beyond changing your resolver, genuine DNS privacy requires a layered approach. You need to verify that your device is not leaking DNS queries through fallback connections, that your VPN (if you use one) is not bypassing your chosen DNS settings, and that your router is not overriding your device-level configuration. This article walks through the specific risks of unprotected DNS, how to configure encrypted DNS on every major platform, what the tradeoffs are between different resolvers, and where even the best DNS privacy tools fall short.
Table of Contents
- Why Are Default DNS Settings a Privacy Risk?
- How DNS over HTTPS and DNS over TLS Actually Work
- Configuring Encrypted DNS on Windows, macOS, and Linux
- Choosing Between DNS Privacy Providers
- Common DNS Leaks and How to Detect Them
- Using DNS Privacy on Mobile Devices
- The Future of DNS Privacy
- Conclusion
- Frequently Asked Questions
Why Are Default DNS Settings a Privacy Risk?
Every time you type a URL into your browser, your device sends a DNS query to translate that domain name into an IP address. By default, those queries travel in plaintext over port 53, meaning anyone positioned between you and the DNS server — your ISP, a network administrator, or an attacker on public Wi-Fi — can see exactly which domains you are requesting. This is not a theoretical concern. In 2017, the U.S. Congress voted to allow ISPs to sell customer browsing data without consent, and DNS logs are one of the easiest datasets for them to monetize. Comcast, AT&T, and Verizon have all been documented collecting DNS query data for advertising profiles. What makes this particularly insidious is that DNS queries happen before any encrypted HTTPS connection is established.
You might think that visiting a site over HTTPS means your traffic is private, but the DNS lookup that gets you to that site happens first, in the clear. Your ISP may not be able to see what you do on a website, but they know you visited it. They know how often, at what time, and from which device. For users who assume a padlock icon means full privacy, this is a significant blind spot. There is also the issue of DNS hijacking. Some ISPs intercept failed DNS queries and redirect them to ad-filled search pages. Others inject tracking identifiers into DNS responses. Without encrypted DNS, you have no way to verify that the answers you receive are authentic or that your queries have not been tampered with in transit.

How DNS over HTTPS and DNS over TLS Actually Work
DNS over HTTPS (DoH) wraps your DNS queries inside standard HTTPS traffic on port 443, making them indistinguishable from regular web browsing. DNS over TLS (DoT) encrypts queries using TLS but sends them over a dedicated port, 853. Both protocols prevent eavesdropping on your DNS traffic, but they differ in one important way: DoH is harder to block because it blends in with all other HTTPS traffic, while DoT runs on its own port and can be easily filtered by a firewall or network administrator. However, encryption alone does not solve every privacy problem. When you use DoH or DoT, you are shifting trust from your ISP to whichever DNS resolver you choose. If you pick Google’s 8.8.8.8, you have moved your query logs from Comcast to Google — which may or may not be an improvement depending on your threat model.
Cloudflare claims to purge query logs within 24 hours and has undergone independent audits to verify this. Google retains anonymized DNS data for longer periods. The resolver you choose matters as much as the encryption you use. One limitation that catches people off guard: DoH and DoT encrypt the query between your device and the resolver, but they do not encrypt the query between the resolver and the authoritative DNS server. If you query a small, obscure domain, the resolver still contacts that domain’s nameserver in plaintext. Protocols like Oblivious DNS over HTTPS (ODoH) address this by separating the identity of the querier from the query itself, but ODoH support is still limited to a handful of resolvers as of early 2026.
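As an added illustration (not code from the article), here is how a DoH client frames a query and reads the answer: the DNS message is the same RFC 1035 wire format that would otherwise travel over port 53, and DoH only changes the transport that carries it. The endpoint URL is Cloudflare's public DoH resolver; the response bytes are constructed for the example, not captured.

```python
import base64
import struct
# Added example, not from the article: build a DNS query the way a DoH client
# does, frame it for an RFC 8484 GET, and parse the wire-format answer.
DOH_URL = "https://cloudflare-dns.com/dns-query"   # Cloudflare's DoH endpoint
TYPE_A, CLASS_IN = 1, 1
def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Encode a single-question DNS query in RFC 1035 wire format."""
    # ID 0 so identical queries are HTTP-cacheable (RFC 8484 4.1); RD=1.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)

def doh_get_url(query: bytes, url: str = DOH_URL) -> str:
    """GET form: base64url, padding stripped, in the dns= parameter."""
    return url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:          # two-byte compression pointer
            return pos + 2
        pos += n + 1

def parse_a_answers(msg: bytes) -> list[str]:
    """Return the IPv4 addresses in a response's answer section."""
    _, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    if flags & 0x000F:                # RCODE != 0 means the lookup failed
        raise ValueError(f"DNS error, RCODE={flags & 0xF}")
    pos, addrs = 12, []
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4            # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs
# Constructed sample response (not a real capture): one A record for
# example.com, its owner name compressed as a pointer (0xC00C) to the question.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR, RD, RA
                   + build_query("example.com")[12:] + b"\xc0\x0c"
                   + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([203, 0, 113, 10]))
```

The POST form of RFC 8484 sends the same bytes as the request body with Content-Type application/dns-message; either way, an observer on the wire sees only an HTTPS connection to the resolver.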
Configuring Encrypted DNS on Windows, macOS, and Linux
On Windows 11, you can enable DoH natively through Settings > Network & internet > Wi-Fi (or Ethernet) > DNS server assignment. Set your preferred DNS to 1.1.1.1 or 9.9.9.9 and select “Encrypted only (DNS over HTTPS)” from the dropdown. Windows 10 added DoH support in later builds, but it requires editing the registry to enable the feature, which is not practical for most users. A specific gotcha on Windows: if you are connected to both Wi-Fi and Ethernet, you must configure DNS separately for each adapter, or queries may leak through the unconfigured connection. On macOS Ventura and later, Apple supports encrypted DNS through configuration profiles. You can install a .mobileconfig file from providers like Cloudflare or NextDNS, which applies DoH or DoT system-wide.
Alternatively, tools like dnscrypt-proxy give you fine-grained control over which resolver handles your queries and allow you to rotate between multiple resolvers for additional privacy. The downside of configuration profiles is that they are all-or-nothing: if the encrypted resolver goes down, your DNS stops working rather than falling back to plaintext, which can be frustrating but is actually the more secure behavior. Linux users have the most flexibility. systemd-resolved supports DoT natively — edit /etc/systemd/resolved.conf, set DNS= to your resolver’s IP and DNSOverTLS=yes, then restart the service. For DoH, stubby or dnscrypt-proxy are the standard tools. For example, a working dnscrypt-proxy configuration might use Cloudflare and Quad9 as primary and secondary resolvers with server_names set to cloudflare and quad9-dnscrypt-ip4-nofilter-pri. The catch on Linux is that NetworkManager, systemd-resolved, and resolvconf can all fight over /etc/resolv.conf, so you need to verify which component actually controls your DNS after configuration.

Choosing Between DNS Privacy Providers
The three most commonly recommended privacy-focused DNS resolvers are Cloudflare (1.1.1.1), Quad9 (9.9.9.9), and Mullvad DNS (100.64.0.2 via their VPN, or accessible through DoH at dns.mullvad.net). Each makes different tradeoffs. Cloudflare emphasizes speed and has consistently ranked as one of the fastest public resolvers, with median query times under 12 milliseconds globally. They undergo annual privacy audits by a third-party firm and publish the results. However, Cloudflare is a U.S. company subject to U.S. legal processes, which matters if your threat model includes government surveillance. Quad9 is a nonprofit based in Switzerland, which places it under Swiss privacy law — generally considered stronger than U.S. equivalents. Quad9 also blocks known malicious domains by default, adding a layer of security on top of privacy. The tradeoff is that this filtering means Quad9 is making decisions about which domains you can access, and false positives occasionally block legitimate sites. You can use their unfiltered resolver at 9.9.9.10 if you prefer no blocking. Mullvad DNS is operated by the team behind Mullvad VPN and is designed for users who want no logging whatsoever. They do not offer malware blocking, and their resolver is slower than Cloudflare in most regions, but their privacy stance is among the most aggressive in the industry. Avoid using your ISP’s DNS or any resolver that does not publish a clear privacy policy. Free DNS services from companies like Comodo or Norton often inject advertising or collect query data for commercial purposes. If you are evaluating a resolver, look for three things: a published data retention policy, independent auditing, and support for both DoH and DoT.
Common DNS Leaks and How to Detect Them
Even after configuring encrypted DNS, leaks can quietly expose your queries. The most common cause is VPN misconfiguration. Many VPN clients claim to handle DNS internally, but under certain conditions — particularly during reconnection or when switching networks — they fall back to the system’s default DNS, sending queries through your ISP in plaintext. NordVPN and ExpressVPN have both had documented DNS leak incidents in past versions. You should routinely test for leaks using sites like dnsleaktest.com or Cloudflare’s browsing experience security check at one.one.one.one/help, which tells you whether your queries are actually reaching Cloudflare over an encrypted connection. Another subtle leak vector is WebRTC. Browsers that support WebRTC can make DNS requests outside the normal resolution path, bypassing your configured DNS settings entirely.
Firefox allows you to disable WebRTC through about:config by setting media.peerconnection.enabled to false, though this breaks video calling in the browser. Chrome-based browsers require extensions like WebRTC Leak Prevent. If you are on a corporate or school network, be aware that captive portals and proxy auto-configuration (PAC) files can also override your DNS settings without warning. A limitation worth noting: DNS leak tests only check the resolver your browser is using at that moment. Background processes, system updates, and other applications on your device may use a different DNS path. On Windows, for instance, the Smart Multi-Homed Name Resolution feature sends DNS queries to all available network interfaces simultaneously, which means your encrypted DNS query might also be sent in plaintext over a secondary adapter. Disabling this feature through Group Policy is recommended if you are serious about DNS privacy.
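An added example, not from the article, of the whole-host check the paragraph above calls for: rather than a browser-based leak test, classify every DNS-related packet in a tcpdump summary so that background processes and apps with hardcoded resolvers are caught as well. The capture lines and the 203.0.113.x, 198.51.100.x and 2001:db8:: addresses are constructed; treating port 443 to a known resolver address as DoH is an assumption made for the example.

```python
import re
from collections import Counter
# Added example, not from the article: audit a tcpdump summary of the whole host
# for DNS that bypasses the encrypted path, so leaks from background processes
# show up.  Lines follow `tcpdump -nn -i <iface> 'port 53 or port 853 or port 443'`.
PLAINTEXT_DNS_PORT, DOT_PORT, DOH_PORT = 53, 853, 443
# Resolvers named in the article; 443 to any other address is ordinary HTTPS.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "9.9.9.9", "9.9.9.10"}
LINE_RE = re.compile(
    r"^\S+ IP6? (?P<src>[\w.:]+)\.(?P<sport>\d+) > (?P<dst>[\w.:]+)\.(?P<dport>\d+):"
    r"(?: .*? (?P<qtype>A|AAAA|HTTPS)\? (?P<qname>\S+)\.)?")
def classify(line: str):
    """Return (category, destination, queried name) for one capture line."""
    m = LINE_RE.match(line)
    if not m:
        return None                      # not a packet summary we understand
    dst, dport = m["dst"], int(m["dport"])
    if dport == PLAINTEXT_DNS_PORT:
        cat = "plaintext"                # port 53: readable by anyone on the path
    elif dport == DOT_PORT:
        cat = "dot"
    elif dport == DOH_PORT and dst in TRUSTED_RESOLVERS:
        cat = "doh"                      # HTTPS to a known resolver endpoint
    else:
        cat = "other"
    return cat, dst, m["qname"]

def audit(lines):
    """Summarise a capture: plaintext leaks as (dst, name) plus per-category counts."""
    leaks, counts = [], Counter()
    for line in lines:
        c = classify(line)
        if c is None:
            continue
        cat, dst, qname = c
        counts[cat] += 1
        if cat == "plaintext":
            leaks.append((dst, qname))
    return {"leaks": leaks, "counts": dict(counts)}
# Constructed sample capture (not real traffic): DoT and DoH to 1.1.1.1, an
# unrelated HTTPS connection, and two apps resolving via hardcoded port-53 servers.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.10.51234 > 1.1.1.1.853: Flags [P.], seq 1:70, ack 1, win 502, length 69
12:00:01.000002 IP 192.168.1.10.51235 > 1.1.1.1.443: Flags [P.], seq 1:180, ack 1, win 502, length 179
12:00:01.000003 IP 192.168.1.10.51236 > 203.0.113.53.53: 4242+ A? analytics.example. (35)
12:00:01.000004 IP 192.168.1.10.51237 > 198.51.100.7.443: Flags [S], seq 0, win 64240, length 0
12:00:01.000005 IP6 fd00::10.51238 > 2001:db8::53.53: 4243+ AAAA? cdn.example. (29)
""".splitlines()
```

Any entry under "leaks" is a query that left the host unencrypted, together with the server that received it, which is the evidence a browser leak-test page cannot give you.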

Using DNS Privacy on Mobile Devices
On Android 9 and later, go to Settings > Network & Internet > Private DNS and enter a DoT hostname like one.one.one.one (Cloudflare) or dns.quad9.net. This applies encrypted DNS system-wide, including to apps. iOS does not have a native DoT/DoH toggle in Settings, but you can install configuration profiles from providers like Cloudflare’s 1.1.1.1 app or NextDNS, which enforce encrypted DNS across all connections.
One real-world example: a 2023 study by the University of Iowa found that over 60 percent of the top Android apps made DNS queries that bypassed the system resolver entirely, contacting hardcoded DNS servers. Even with Private DNS enabled, apps like Facebook and TikTok were observed sending DNS queries to their own infrastructure, which no device-level setting can prevent. For comprehensive mobile DNS privacy, pairing a privacy-focused DNS app with a firewall like NetGuard (Android) or Lockdown Privacy (iOS) gives you visibility into which apps are making DNS requests and where those queries are going. This is particularly important on mobile, where apps frequently phone home to analytics and advertising domains in the background.
The Future of DNS Privacy
DNS privacy is evolving rapidly. Oblivious DNS over HTTPS (ODoH), co-developed by Cloudflare and Apple, adds a proxy layer between you and the resolver so that no single entity sees both your IP address and your query. Apple’s iCloud Private Relay uses a similar architecture for Safari traffic. Encrypted Client Hello (ECH), which encrypts the SNI field in TLS handshakes, addresses the last major metadata leak that DNS encryption alone cannot fix — the fact that the domain name is still visible in the TLS handshake even after the DNS query is encrypted.
The regulatory landscape is shifting too. The EU’s Digital Markets Act and proposed ePrivacy Regulation may eventually require ISPs to offer encrypted DNS by default, and browser vendors are under increasing pressure to enable DoH for all users rather than making it opt-in. Google enabled DoH by default in Chrome for users whose ISP supports it, and Mozilla has done the same in the United States. The direction is clear: plaintext DNS is on its way out. But for now, protecting your DNS privacy still requires deliberate configuration, and the default on most networks remains completely unencrypted.
Conclusion
Protecting your DNS privacy starts with three concrete actions: switch to an encrypted DNS resolver like Cloudflare 1.1.1.1 or Quad9 9.9.9.9, enable DoH or DoT on your operating system and browser, and test for DNS leaks regularly. Each of these steps takes minutes to implement but closes a surveillance gap that most users do not realize exists. The choice of resolver matters — consider the provider’s jurisdiction, logging policy, and whether independent audits have been conducted before trusting them with your query history.
No single tool provides complete DNS privacy. Encrypted DNS prevents eavesdropping on your queries in transit, but it does not hide your traffic from the resolver itself, and it does not prevent apps from bypassing your settings with hardcoded DNS servers. A layered approach — combining encrypted DNS with a trustworthy VPN, browser-level protections against WebRTC leaks, and regular leak testing — is the most effective strategy available today. As protocols like ODoH and ECH mature, the gap between what is technically possible and what is practically deployed will narrow, but until then, the responsibility falls on individual users to configure their own defenses.
Frequently Asked Questions
Does using encrypted DNS make me anonymous online?
No. Encrypted DNS prevents your ISP and network observers from seeing your DNS queries, but it does not hide your IP address from the websites you visit. For anonymity, you need additional tools like Tor or a VPN. DNS privacy is one layer of a broader strategy.
Will changing my DNS settings break anything?
In most cases, no. However, some corporate and school networks require their own DNS servers for internal resources. If you switch to an external encrypted resolver on such a network, internal sites like intranet portals may stop resolving. You may need to configure split DNS or disable encrypted DNS on managed networks.
Is DNS over HTTPS better than DNS over TLS?
For most users, DoH is more practical because it uses port 443 and is harder for network administrators to block. DoT uses a dedicated port (853) that can be easily filtered. However, some privacy advocates prefer DoT because it keeps DNS traffic separate from web traffic, making it easier to audit. The encryption strength is equivalent.
Does a VPN already protect my DNS?
A properly configured VPN should route DNS queries through its own encrypted tunnel, but this is not guaranteed. Many VPNs have had DNS leak bugs, and some free VPNs intentionally route DNS through third-party servers for monetization. Always verify with a DNS leak test, even when connected to a VPN you trust.
Can my ISP see that I am using encrypted DNS?
Your ISP can see that you are connecting to a known DNS resolver’s IP address, but they cannot see the content of your queries if you are using DoH or DoT. With DoH specifically, the traffic looks identical to regular HTTPS browsing, so the ISP knows you contacted Cloudflare but cannot distinguish DNS queries from normal web requests.
