The TLDR

Every time you type a website name into your browser, your device asks a DNS server to translate that name into an IP address. By default, that request goes to your ISP’s DNS server, in plaintext, unencrypted. Your ISP sees every domain you visit — even when the content is encrypted with HTTPS. They log it. In many countries, they sell it. Encrypted DNS (DoH or DoT) fixes this by encrypting the lookup itself, but it requires configuration and most people don’t know it exists.

The Reality

HTTPS encrypts what you do on a website. DNS reveals which websites you go to — and it does it in plaintext, by default, through your ISP’s servers. In the US, ISPs can legally collect and sell this data. The FTC’s 2021 ISP surveillance report documented how AT&T, Verizon, Comcast, and others monetize subscriber browsing data — including DNS logs — for advertising. You locked the front door with HTTPS but left the mailbox wide open.

The fix exists: encrypted DNS (DoH and DoT) has been available since 2018. Most browsers and operating systems support it. Almost nobody has turned it on. Here’s why it matters and how to change that.

How It Works

The Resolution Chain

When you type example.com into your browser:

  1. Your device checks its local cache — have you visited this site recently? If yes, use the cached IP.
  2. Your device asks the recursive resolver — usually your ISP’s DNS server (assigned automatically when you connect to the network). “What’s the IP for example.com?”
  3. The recursive resolver asks the root servers — “Who handles .com?”
  4. The root server responds with the address of the .com TLD (Top-Level Domain) server.
  5. The resolver asks the TLD server — “Who handles example.com?”
  6. The TLD server responds with the address of example.com’s authoritative nameserver.
  7. The resolver asks the authoritative server — “What’s the IP for example.com?”
  8. The authoritative server responds with the IP address.
  9. Your device connects to that IP address.

This entire chain happens in milliseconds. And by default, the query your device sends to the recursive resolver (step 2) is in plaintext, readable by anyone on the path between you and that resolver, including everyone on your local network and your ISP.

What Your ISP Sees

Your ISP’s recursive resolver processes every DNS query from your connection. This means they have a log of:

HTTPS encrypts the content of your connection to a website. But the DNS lookup that happens before the connection is established is separate — and usually unencrypted.

TTL Caching

DNS responses include a TTL (Time to Live) value that tells your device how long to cache the result. Popular sites have short TTLs (minutes). Less-trafficked sites may have longer TTLs (hours or days). Caching reduces the number of DNS queries but doesn’t eliminate them — and every cache miss goes to the resolver.
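The local cache from step 1 and the TTL rule above, as an added example (not code from the original article): a stub cache that honors each answer's TTL and counts how many lookups still reach the resolver. The resolver, records, IPs and TTLs are constructed for the demo.

```python
"""Stub cache (step 1 of the resolution chain), honoring the TTL on each answer."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class CacheEntry:
    ip: str
    expires_at: float  # absolute clock value at which the TTL runs out


@dataclass
class StubCache:
    """Local DNS cache; every miss becomes a query to the recursive resolver."""
    resolver: Callable[[str], Tuple[str, int]]   # name -> (ip, ttl_seconds)
    clock: Callable[[], float] = time.monotonic  # injectable so tests can advance time
    entries: Dict[str, CacheEntry] = field(default_factory=dict)
    resolver_queries: int = 0                    # how many queries left the device

    def lookup(self, name: str) -> str:
        now = self.clock()
        entry = self.entries.get(name)
        if entry is not None and entry.expires_at > now:
            return entry.ip                      # cache hit: nothing leaves the device
        ip, ttl = self.resolver(name)            # cache miss: resolver sees the name
        self.resolver_queries += 1
        # A TTL of 0 means "do not cache": store it as already expired.
        self.entries[name] = CacheEntry(ip, now + max(ttl, 0))
        return ip


# Constructed records (documentation IPs, assumed TTLs), not real DNS data.
RECORDS = {"example.com": ("192.0.2.1", 300), "news.example": ("192.0.2.2", 0)}


def fake_resolver(name: str) -> Tuple[str, int]:
    if name not in RECORDS:
        raise KeyError(name)
    return RECORDS[name]


def demo() -> int:
    """Two hits inside the 300 s TTL, then one miss after it expires; returns resolver queries."""
    t = [0.0]
    cache = StubCache(resolver=fake_resolver, clock=lambda: t[0])
    cache.lookup("example.com")
    cache.lookup("example.com")   # served from cache
    t[0] = 301.0                  # TTL elapsed
    cache.lookup("example.com")   # goes to the resolver again
    return cache.resolver_queries
```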

Why DNS Privacy Matters

ISP Data Retention and Sale

In the United States, ISPs can legally collect and sell your browsing data. The FTC’s 2021 ISP surveillance report documented how major ISPs monetize subscriber data, including DNS query logs, for advertising.

Even in jurisdictions with stronger privacy laws, ISPs retain DNS logs for compliance purposes — often for years.

DNS-Based Censorship

Governments and organizations use DNS filtering to block access to websites. If your DNS resolver refuses to resolve a domain, your browser can’t find it. This is how:

DNS censorship is trivially bypassed by changing your DNS resolver — which is why authoritarian regimes also block access to alternative resolvers.

DNS Poisoning

An attacker who can modify DNS responses can redirect you to a malicious server. On an unsecured network (public WiFi), DNS responses can be spoofed — your device asks for bank.com and receives the IP address of a phishing server instead.

DNSSEC (DNS Security Extensions) addresses this by cryptographically signing DNS records, so a validating resolver can reject forged responses. It authenticates answers but does not encrypt them, so it complements rather than replaces encrypted DNS. Adoption is growing but not universal.

Encrypted DNS

DNS over HTTPS (DoH)

DoH encrypts DNS queries inside standard HTTPS connections (port 443). To an observer on your network — including your ISP — DoH queries look identical to regular HTTPS web traffic. They can see you’re connecting to the DoH resolver’s IP but can’t see which domains you’re looking up.
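The step-2 query travels in the RFC 1035 wire format, and DoH (RFC 8484) carries that same message inside HTTPS. This added example (not code from the original article) builds the plaintext query, shows what an on-path observer recovers from it, and forms the DoH GET URL for it; the Cloudflare endpoint URL is an assumption, and any DoH resolver works the same way.

```python
"""Plaintext DNS query on the wire, and the same query wrapped for DoH (RFC 8484)."""
import base64
import struct


def encode_name(name: str) -> bytes:
    """DNS label encoding: length byte + label per component, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0) -> bytes:
    """Standard recursive A query: 12-byte header plus one question."""
    # ID, flags (RD=1 -> 0x0100), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def observed_qname(datagram: bytes) -> str:
    """What anyone on the path recovers from a plaintext UDP query: the domain name."""
    qdcount = struct.unpack("!H", datagram[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, offset = [], 12
    while True:
        length = datagram[offset]
        offset += 1
        if length == 0:
            break
        if length >= 64:
            raise ValueError("compression pointers do not occur in a query name")
        labels.append(datagram[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


# Assumed DoH endpoint; Cloudflare publishes this path, but confirm against your resolver's docs.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def doh_get_url(name: str, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: base64url of the wire query, padding stripped, ID 0 for cacheability."""
    wire = build_query(name, txid=0)
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"
```

Only the TLS connection to the endpoint is visible to the network; the name sits inside the encrypted HTTPS request.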

Supported by:

DNS over TLS (DoT)

DoT encrypts DNS queries using TLS on a dedicated port (853). It provides the same privacy benefit as DoH but is easier for network operators to detect and block (since it uses a specific port).

Android’s “Private DNS” setting uses DoT — enter a hostname like dns.google or one.dot.dns.google or 1dot1dot1dot1.cloudflare-dns.com.

What Encrypted DNS Doesn’t Fix

The resolver still sees your queries. If you use Cloudflare’s 1.1.1.1 with DoH, your ISP can’t see your DNS queries — but Cloudflare can. You’re moving trust from your ISP to your DNS resolver provider.

Also: the IP address you connect to after the DNS lookup is still visible to your ISP (unless you use a VPN). So while they can’t see the domain name from the DNS query, they can often infer it from the IP address — especially for sites hosted on dedicated IPs.

Resolver Choice

Cloudflare (1.1.1.1)

Privacy claim: Logs are purged within 24 hours. No IP addresses are stored in permanent logs. Audited by KPMG.

Why it’s popular: Fast, private, supports DoH and DoT, and Cloudflare’s business model is CDN/security services, not advertising.

Google (8.8.8.8)

Privacy concern: Google’s business model is advertising. While Google states they don’t use DNS data for ad targeting, they do log queries temporarily and may use aggregated data for service improvement. If you’re trying to reduce Google’s visibility into your life, using Google’s DNS defeats the purpose.

Quad9 (9.9.9.9)

Unique feature: Quad9 blocks known malicious domains by default — it checks DNS queries against threat intelligence feeds and refuses to resolve domains associated with malware, phishing, and botnets. Based in Switzerland. Nonprofit. Supports DoH and DoT.

NextDNS

Unique feature: Configurable filtering — block ads, trackers, adult content, and specific domains. Essentially a customizable DNS firewall. Supports DoH and DoT. Free tier available; paid tier for unlimited queries and logging features.

DNS Leaks in VPNs

A DNS leak occurs when your device sends DNS queries outside the VPN tunnel — typically to your ISP’s resolver — even while the VPN is active. This completely undermines the VPN’s privacy benefit because your ISP sees every domain you query.

Common causes:

How to test: Visit dnsleaktest.com while your VPN is active. If you see your ISP’s DNS servers instead of your VPN provider’s, you have a leak.

How to fix: Use a VPN that forces all DNS through the tunnel (most reputable VPNs do this). Enable the VPN’s DNS leak protection setting. Consider setting your system DNS to an encrypted resolver as a backup.

What You Can Do

Router-Level DNS

Configure your home router to use an encrypted DNS resolver. This protects every device on your network without configuring each one individually.

Most routers support custom DNS in their DHCP settings. Set primary DNS to 1.1.1.1 (Cloudflare) or 9.9.9.9 (Quad9) and secondary to the provider’s backup IP. On its own this sends plain, unencrypted DNS to the chosen resolver: your ISP’s resolver is no longer involved, but the queries still cross your ISP’s network in the clear.

For DoH/DoT at the router level, you’ll need a router that supports it (some Asus, Synology, and pfSense routers do).

Browser DoH Settings

Android Private DNS

Settings → Network & Internet → Private DNS → enter one.dot.dns.google or 1dot1dot1dot1.cloudflare-dns.com

Testing Your DNS

After configuring encrypted DNS:

  1. Visit 1.1.1.1/help to verify Cloudflare DoH is working
  2. Visit dnsleaktest.com to check for DNS leaks
  3. Verify your resolver with nslookup or dig commands if you’re comfortable in the terminal

Sources & Further Reading