Encrypted DNS
Every time you open a website, your device asks a Domain Name System server for the site’s address. Those DNS lookups reveal which sites you visit, even when the page itself is protected with HTTPS. Encrypted DNS wraps those lookups inside an encrypted tunnel so your Internet provider, public Wi-Fi operator, or anyone on the same network cannot easily see or tamper with your requests.
What is Encrypted DNS?
Plain DNS (legacy)
- Lookups are sent in the clear.
- Network operators can log, sell, or block your requests.
- Attackers can spoof responses on insecure networks.
Encrypted DNS (modern)
- Requests are encrypted in transit.
- Harder for others to monitor the domains you look up.
- Helps prevent tampering and downgrade attacks.
How It Works
| Protocol | Where you’ll see it | How it encrypts |
|---|---|---|
| DoH — DNS over HTTPS | Chrome, Edge, Firefox, iOS/macOS profiles, many routers | Wraps each DNS message inside a standard HTTPS request, so it blends in with ordinary web traffic |
| DoT — DNS over TLS | Android Private DNS, some routers, system resolvers | Runs DNS over a TLS session on TCP port 853, a port dedicated to DNS |
| Private DNS (Android) | System setting under Network & Internet → Private DNS | Configures a DoT hostname that all apps on the device use |
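As an added example, not code from this page, the following Python shows what "wrapping DNS inside HTTPS" means on the wire for DoH (RFC 8484): it builds the binary DNS query, shows both the GET and POST forms a client uses, and parses the binary answer a resolver returns. DOH_ENDPOINT is a hypothetical resolver URL, and the response bytes used in testing are constructed, not captured.

```python
import base64
import struct

# Added example, not from the page. DOH_ENDPOINT is a hypothetical resolver URL.
DOH_ENDPOINT = "https://dns.example/dns-query"

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035); qtype 1 = A record. The transaction ID
    is 0 as RFC 8484 recommends, so identical queries can share an HTTP cache entry."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(query: bytes) -> str:
    """GET form: the query travels base64url-encoded, padding stripped, in `?dns=`."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_ENDPOINT}?dns={token}"

def doh_post_headers(query: bytes) -> dict:
    """POST form: the raw wire message is the body, typed application/dns-message."""
    return {"Accept": "application/dns-message",
            "Content-Type": "application/dns-message",
            "Content-Length": str(len(query))}

def skip_name(msg: bytes, pos: int) -> int:
    """Advance past a DNS name: length-prefixed labels ending in 0, or a 2-byte pointer."""
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return pos + 2
        pos += msg[pos] + 1
    return pos + 1

def parse_a_answers(response: bytes) -> list:
    """Extract IPv4 addresses from the answer section of a DoH response body."""
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(response, pos) + 4  # skip qtype + qclass
    addrs = []
    for _ in range(ancount):
        pos = skip_name(response, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in response[pos:pos + 4]))
        pos += rdlen
    return addrs
```

Everything a network observer sees of this exchange is an ordinary TLS connection to the resolver; the query name and the returned addresses exist only inside the encrypted HTTP body.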
Why It’s Important
- Privacy on public Wi-Fi. Hotspots can see and log DNS queries. Encryption blocks casual surveillance.
- Integrity and safety. Prevents easy spoofing of DNS answers that can send you to fake sites.
- Consistent security policy. System-wide encrypted DNS ensures all apps use the same trusted resolver.
- Parental or security filtering (optional). Providers like Quad9 or NextDNS add malware blocking or custom rules.
What Encrypted DNS Doesn’t Do
- It does not make you anonymous on the web.
- It does not block tracking on its own, though some resolvers offer filtering.
- It does not replace HTTPS or a VPN — it complements them.
How to Turn It On (Quick Reference)
Android
Settings → Network & Internet → Private DNS → choose “Private DNS provider hostname” and enter a provider like dns.quad9.net or one.one.one.one.
Windows 11
Settings → Network & Internet → your network → DNS → set to Manual and enable DNS over HTTPS.
Chrome / Edge
Settings → Privacy & Security → Security → enable Use secure DNS.
Firefox
Settings → General → Network Settings → enable DNS over HTTPS.
iOS / macOS
Install a DNS profile from a trusted provider (Quad9, Cloudflare, NextDNS). On iOS: Settings → General → VPN & Device Management.
Routers
Many support DoH/DoT or provider-specific apps. Consult your router docs or use a capable firmware.