
Encrypted DNS: What It Is and Why Your DNS Provider Matters

Before your browser loads a single byte of a website, your device makes a DNS query. And by default, that query goes straight to your ISP.

📖 The Basics

What It Is

DNS, the Domain Name System, is the internet's phone book. Every time you visit a website, your device needs to look up the IP address behind the domain name you typed. You enter wikipedia.org and a DNS resolver translates that into a numerical address your device can actually route to. This lookup happens for nearly every website and every app your device connects to.

By default, those lookups travel unencrypted to a DNS resolver operated by your internet service provider. Your ISP sees a complete list of every domain you query: that's a detailed behavioral record of your life online, sitting in plain text on infrastructure you don't control.

How It Works

Why plain DNS is a privacy problem

When your device asks for a domain name resolution, that query typically includes the full domain in readable plaintext: your-health-concern.com, addiction-support-forum.org, competitor-product.com. Anyone positioned between your device and the resolver can read it.

In the United States, ISPs can legally use DNS query data for advertising purposes and share it with government agencies under current law. ISPs have been documented selling browsing data derived from DNS queries. Outside the US the legal framework varies, but unencrypted DNS is readable by your ISP regardless of what local law permits it to do with that data.

The Main Encrypted DNS Protocols

  • DNS over HTTPS (DoH) wraps DNS queries inside regular HTTPS traffic on port 443, the same port used for all normal web browsing. This makes DNS queries visually indistinguishable from any other HTTPS connection to your ISP. DoH is natively supported in Firefox, Chrome, Brave, and most modern browsers with a simple settings change.
  • DNS over TLS (DoT) encrypts DNS using TLS on a dedicated port (853). It provides the same privacy protection against passive eavesdropping as DoH, but because it uses a distinct port, it's easier for network administrators or ISPs to identify and block.
  • DNS over QUIC (DoQ) is the newer protocol on the block, running DNS over QUIC (the same modern transport HTTP/3 uses). It offers lower latency than DoT and similar censorship resistance properties to DoH. Support is growing in clients and resolvers but isn't yet as universal as DoH.

The practical recommendation: DoH for most users due to its censorship resistance and wide browser support. DoT on system-level configurations where DoH isn't available. DoQ where your client and resolver both support it. Any of the three is a meaningful improvement over unencrypted DNS.
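To make the two points above concrete, here is an added example (not code from the article or from any resolver operator) that builds a plain DNS query the way a device would, shows exactly which bytes a passive observer reads from it (the domain sits in the question section in the clear), and then wraps that same message the way DoT and DoH do. The resolver URL, transaction ID and the reply bytes are constructed for the example; the reply points at a TEST-NET address, not a real server.

```python
"""Added example: what plain DNS exposes, and how DoT/DoH frame the same query.
Packet bytes, the resolver URL and the reply are constructed, not captured."""
import base64
import struct


def encode_name(name: str) -> bytes:
    # Wire-format name (RFC 1035): length-prefixed labels, zero-terminated.
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    # Reads a wire-format name, following one level of compression pointer.
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            ptr = ((length & 0x3F) << 8) | msg[offset]
            name, _ = decode_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), offset + 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    # Header: ID, flags with RD=1, QDCOUNT=1; then one question, class IN.
    # (RFC 8484 recommends txid 0 for DoH so identical queries are cacheable.)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def observed_qname(udp_payload: bytes) -> str:
    """The domain anyone on the path can read from an unencrypted query."""
    qdcount = struct.unpack("!H", udp_payload[4:6])[0]
    if qdcount < 1:
        return ""
    name, _ = decode_name(udp_payload, 12)
    return name


def dot_frame(query: bytes) -> bytes:
    """DoT (RFC 7858): same message, two-byte length prefix, sent over TLS/853."""
    return struct.pack("!H", len(query)) + query


def doh_get_url(query: bytes, resolver: str = "https://dns.quad9.net/dns-query") -> str:
    """DoH (RFC 8484) GET form: the message base64url-encoded, no padding,
    in the dns= parameter of an ordinary HTTPS request on port 443."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"


def sample_response(query: bytes) -> bytes:
    """Constructed resolver reply: echoes the question and answers with one
    A record pointing at 192.0.2.10 (RFC 5737 documentation range)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + query[12:] + answer


def parse_a_answers(response: bytes) -> list:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(response, offset)
        offset += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        _, offset = decode_name(response, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


if __name__ == "__main__":
    q = build_query("wikipedia.org")
    print("visible to a passive observer:", observed_qname(q))
    print("DoT frame length prefix:", dot_frame(q)[:2].hex())
    print("DoH GET:", doh_get_url(q))
    print("answers:", parse_a_answers(sample_response(q)))
```

The point of the example is that the three protocols carry the identical message; what changes is the envelope. Over UDP/53 the name is readable at byte 12 of the datagram; under DoT it sits inside a TLS record on a port that advertises what it is; under DoH it is one more HTTPS request to port 443.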

What Encrypted DNS Doesn't Protect

Encrypted DNS hides your domain queries from your ISP and local network observers. It does not encrypt the rest of your traffic; a VPN does that. Your ISP can still see the IP addresses your device connects to, which are often correlated with domains even without the DNS query.

To put it simply: encrypted DNS meaningfully reduces what your ISP can observe about your browsing, but it's one layer, not a complete solution. For full traffic privacy, it pairs with other tools like a VPN.

SNI, ECH, and the Remaining Gaps

Even with encrypted DNS and HTTPS in place, there was historically one piece of every connection still visible in plaintext to your ISP and any network observer: Server Name Indication (SNI). SNI is a field in the TLS handshake that tells the server which domain the client is trying to reach, which is necessary since many sites share the same IP address. That handshake happened in the open, even if everything after it was encrypted. Your ISP couldn't read your messages, but they could see you were connecting to mental-health-forum.org at 2am.

Encrypted Client Hello (ECH) is the fix. ECH encrypts the ClientHello, the first message of the TLS handshake, including the SNI field. ECH is directly dependent on encrypted DNS to work: the client fetches the ECH configuration via a DNS query, so if that query isn't encrypted, the domain leaks at that step instead. DoH is effectively a prerequisite for ECH to deliver its full benefit.
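The DNS query ECH depends on is for the site's HTTPS resource record (type 65, RFC 9460), whose ech parameter carries the ECHConfigList the browser needs. The added example below (not the article's code, and not any browser's implementation) builds and parses such a record, pulls the public_name out of the ECHConfig, and shows which name ends up in the plaintext outer ClientHello with and without an ECH config. The record bytes, the public name and the key material are constructed placeholders; the zeroed key is not usable for real ECH.

```python
"""Added example: the HTTPS RR lookup that ECH depends on, and what the
outer (plaintext) SNI becomes once the record is found.  All bytes are
constructed; the ECH key is a placeholder."""
import struct

# SvcParamKey numbers from RFC 9460
SVCPARAM_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                  4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


def read_name(data: bytes, offset: int):
    # Uncompressed wire-format name; "." (a lone zero byte) means the owner name.
    labels = []
    while data[offset] != 0:
        n = data[offset]
        labels.append(data[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels) or ".", offset + 1


def build_https_rdata(priority: int, target: str, params: dict) -> bytes:
    """Serialise HTTPS RDATA: priority, target name, SvcParams in key order."""
    out = struct.pack("!H", priority)
    if target != ".":
        for label in target.rstrip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    out += b"\x00"
    for key in sorted(params):  # RFC 9460 requires ascending key order
        out += struct.pack("!HH", key, len(params[key])) + params[key]
    return out


def parse_https_rdata(rdata: bytes) -> dict:
    priority = struct.unpack("!H", rdata[:2])[0]
    target, offset = read_name(rdata, 2)
    params = {}
    while offset < len(rdata):
        key, length = struct.unpack("!HH", rdata[offset:offset + 4])
        offset += 4
        params[SVCPARAM_NAMES.get(key, f"key{key}")] = rdata[offset:offset + length]
        offset += length
    return {"priority": priority, "target": target, "params": params}


def decode_alpn(value: bytes) -> list:
    out, i = [], 0
    while i < len(value):
        n = value[i]
        out.append(value[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return out


def build_ech_config_list(public_name: str) -> bytes:
    """ECHConfigList (draft-ietf-tls-esni, version 0xfe0d) with a zeroed
    X25519 key (placeholder), HKDF-SHA256 / AES-128-GCM, and public_name."""
    contents = (b"\x01" + struct.pack("!H", 0x0020)            # config_id, kem_id
                + struct.pack("!H", 32) + b"\x00" * 32          # public_key
                + struct.pack("!H", 4) + struct.pack("!HH", 1, 1)  # cipher_suites
                + b"\x40"                                       # maximum_name_length
                + bytes([len(public_name)]) + public_name.encode("ascii")
                + struct.pack("!H", 0))                         # extensions
    config = struct.pack("!HH", 0xFE0D, len(contents)) + contents
    return struct.pack("!H", len(config)) + config


def ech_public_name(ech_list: bytes) -> str:
    """public_name of the first ECHConfig: the only name the unencrypted
    outer ClientHello carries when ECH is used."""
    off = 2                                             # ECHConfigList length
    version, _ = struct.unpack("!HH", ech_list[off:off + 4])
    off += 4
    if version != 0xFE0D:
        raise ValueError("unsupported ECHConfig version")
    off += 3                                            # config_id, kem_id
    off += 2 + struct.unpack("!H", ech_list[off:off + 2])[0]   # public_key
    off += 2 + struct.unpack("!H", ech_list[off:off + 2])[0]   # cipher_suites
    off += 1                                            # maximum_name_length
    name_len = ech_list[off]
    return ech_list[off + 1:off + 1 + name_len].decode("ascii")


def outer_sni(https_rdata: bytes, real_hostname: str) -> str:
    """Name an on-path observer sees in the TLS handshake: the ECH
    public_name if the HTTPS record carried an ech param, else the real host."""
    ech = parse_https_rdata(https_rdata)["params"].get("ech")
    return ech_public_name(ech) if ech else real_hostname


if __name__ == "__main__":
    rr = build_https_rdata(1, ".", {1: b"\x02h2\x02h3",
                                    5: build_ech_config_list("ech-public.example")})
    print("alpn:", decode_alpn(parse_https_rdata(rr)["params"]["alpn"]))
    print("outer SNI with ECH:", outer_sni(rr, "mental-health-forum.org"))
    print("outer SNI without ECH:",
          outer_sni(build_https_rdata(1, ".", {1: b"\x02h2"}), "mental-health-forum.org"))
```

This is why the two protocols are coupled: the HTTPS record is what the browser must fetch first, and if that lookup is plain UDP/53 the real hostname is already on the wire before ECH gets a chance to hide it in the handshake.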

QUIC (the transport protocol under HTTP/3) works the same way; ECH extends naturally to QUIC connections, which matters because a growing share of web traffic now runs over HTTP/3.

Regarding browser support in 2026: Chrome and Firefox both have ECH enabled by default where servers support it. Safari has announced support but hasn't shipped it broadly yet. Server-side adoption is accelerating; Cloudflare enabled ECH across its network, which immediately covered a significant share of the web. For supported sites in Chrome or Firefox, the SNI gap is getting closed with nothing extra to configure.

The practical takeaway: DoH + ECH together provide substantially more complete protection at the connection layer than either does alone. If you're using DoH in a modern browser, ECH is likely already working silently in the background.

How DNS Shifts Trust

Switching to an encrypted DNS resolver doesn't eliminate the trust requirement; it moves it. Your ISP may no longer see your queries, but your DNS provider does instead. Some common services people in our community use:

  • Quad9 (9.9.9.9): operated by a Swiss non-profit under Swiss data protection law. No IP address logging. Built-in blocking of known malicious domains. Strong default for users who want privacy with passive malware protection at no cost.
  • Cloudflare 1.1.1.1: Cloudflare's public resolver, independently audited with confirmed no-selling of query data, no ad targeting, and source IP anonymization within 24 hours. A small amount of aggregated, non-personally identifiable data is retained.
  • NextDNS: the most configurable option with custom blocklists, granular filtering by category, optional query logging for your own visibility and troubleshooting, with logs under your control. Free tier covers 300,000 queries per month; paid plan (~$20/year) is unlimited. Best for users who want active customizable control on top of private DNS.
  • Mullvad DNS: available to anyone, not just Mullvad VPN subscribers. RAM-only servers (nothing persists after reboot), no query logs, with optional content-blocking variants for ads, trackers, or malware. Strong option for users who want zero logging without a customization layer. Mullvad offers different lists that include social media, NSFW content, malware, etc.

Where To Configure DNS

Where DNS actually gets configured is a common source of confusion. The main places you can set your DNS are:

  • Browser level: Firefox, Chrome, Brave, and most modern browsers have DoH settings in their privacy or network configuration. This is the easiest starting point; it protects queries made through that browser, but not other apps.
  • System level: configured in OS network settings, dedicated clients, or third-party tools. This protects all DNS queries from that device regardless of browser. Coverage is broader; configuration varies by OS.
  • VPN level: when a VPN is active, it typically routes your DNS through its own resolver by default, which is part of the privacy model and prevents DNS leaks outside the tunnel. Most VPN clients let you override this with a custom DNS provider if you have a reason to (a filtering service like NextDNS, for example). But using a non-VPN DNS provider while on a VPN means your DNS queries go to a different party than your traffic, which could theoretically make you slightly more distinguishable to websites. In practice, this can be an acceptable tradeoff since the privacy benefits of a filtering DNS can outweigh the marginal fingerprinting concern. If anonymity is the goal, Tor is the right tool regardless. That said, the VPN's native DNS is always the first option to try; only change it if you have a specific reason.
  • Router level: configured on your home router, protects every device on the network without individual configuration. Highest coverage, more complex to set up.

DNS as a System-Wide Filter

Several DNS providers (NextDNS, Mullvad's blocking variants, etc.) support blocklists that refuse to resolve known tracker, ad network, and analytics domains.

This is especially valuable on mobile and IoT devices. On a desktop browser, extensions like uBlock Origin can block trackers and ads at the page level. But inside a mobile app or a closed operating system, there's no equivalent mechanism. You can't install an extension into your banking app or your news reader. But those apps still make DNS queries every time they phone home to analytics services, ad SDKs, and crash reporters. Setting a filtering DNS provider at the system level on these more limited devices can offer a lot of control. It's one of the few tools available for reducing in-app and IoT tracking without technical workarounds.

The trade-off is occasional breakage: aggressive blocklists sometimes catch domains that apps depend on for legitimate functionality. Services like NextDNS let you review blocked queries and whitelist specific domains, which makes it easy to tune. Starting with a well-maintained default list and adjusting from there is a common approach.
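The matching and tuning loop described above (block by domain suffix, review the blocked-query log, allowlist what an app actually needs) is easy to see in a few lines. The added example below is not the article's or any provider's code; it is a toy model of a filtering resolver's decision logic with an allowlist override and a blocked-query log. The device names, the blocklist entries and the query stream are constructed under reserved example names.

```python
"""Added example: decision logic of a filtering DNS resolver, with the
review-and-allowlist tuning loop.  Blocklist, devices and queries are
constructed; the domains are placeholders, not real tracker hosts."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class FilteringResolver:
    blocklist: set
    allowlist: set = field(default_factory=set)
    blocked_log: list = field(default_factory=list)

    @staticmethod
    def _suffixes(qname: str):
        # "a.b.example.net" -> a.b.example.net, b.example.net, example.net, net
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            yield ".".join(labels[i:])

    def decision(self, qname: str, client: str = "unknown-device") -> str:
        """'allow' or 'block'.  A list entry matches the name itself and every
        subdomain; an explicit allowlist entry wins so app breakage can be fixed
        without editing the block list."""
        suffixes = list(self._suffixes(qname))
        if any(s in self.allowlist for s in suffixes):
            return "allow"
        if any(s in self.blocklist for s in suffixes):
            self.blocked_log.append((client, qname.lower().rstrip(".")))
            return "block"
        return "allow"

    def sinkhole_answer(self, qname: str, client: str = "unknown-device"):
        """What the client gets back: None (resolve normally) or 0.0.0.0,
        the null-route answer many filtering resolvers return for blocks."""
        return "0.0.0.0" if self.decision(qname, client) == "block" else None

    def top_blocked(self, n: int = 3):
        return Counter(d for _, d in self.blocked_log).most_common(n)


# Constructed query stream from two devices that cannot run a browser extension.
SAMPLE_QUERIES = [
    ("phone", "api.bank.example"),
    ("phone", "telemetry.adsdk.example.net"),
    ("phone", "cdn.news.example"),
    ("phone", "collector.analytics-vendor.example.net"),
    ("tv", "telemetry.adsdk.example.net"),
    ("phone", "login.bank.example"),   # legitimate, but caught by an overbroad list
]


def run_sample():
    """Run the stream, then allowlist the banking domain and run it again,
    returning (decisions before, decisions after, most-blocked domains)."""
    resolver = FilteringResolver(blocklist={
        "adsdk.example.net",
        "analytics-vendor.example.net",
        "login.bank.example",          # the false positive a user would notice
    })
    before = [resolver.decision(q, c) for c, q in SAMPLE_QUERIES]
    # Tuning step: the log shows the banking app's domain; allowlist it.
    resolver.allowlist.add("login.bank.example")
    after = [resolver.decision(q, c) for c, q in SAMPLE_QUERIES]
    return before, after, resolver.top_blocked()


if __name__ == "__main__":
    before, after, top = run_sample()
    print("before tuning:", before)
    print("after tuning: ", after)
    print("most blocked:  ", top)
```

Suffix matching is what makes a single entry like adsdk.example.net cover every host an SDK might phone home to, and it is also why overbroad entries cause breakage: the same rule that catches a telemetry hostname catches a login endpoint if the parent domain is listed. The log is the tool for telling the two apart.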


🎯 Why It Matters

DNS queries are the metadata of your browsing. And metadata, as the Metadata article covers in depth, can be as revealing as content. A complete timestamped log of every domain your device queried over a month reconstructs a detailed portrait of your interests, health concerns, political attention, relationships, and habits.

In the US, ISPs can use this data commercially without explicit user consent. This isn't theoretical, as ISPs have sold aggregated browsing data, and DNS query logs are a core data asset in that market.

Encrypted DNS is one of the lowest-effort, highest-impact privacy improvements available. Changing your DNS resolver takes a few minutes in your browser settings. The day-to-day experience of browsing is nearly unchanged. What changes is that your ISP's resolver is no longer the default recipient of everything your device looks up.

But there are limits! Encrypted DNS isn't a VPN. Your ISP still sees the IP addresses your device connects to, which are often correlated with the domains you queried. It doesn't encrypt your traffic, prevent fingerprinting, or hide the content of your browsing from the sites you visit. What it does, specifically, is remove the unencrypted DNS query record from your ISP's visibility. And it can provide helpful filtering to offer privacy in other contexts.

For most people, switching to Quad9 or Mullvad DNS at the browser or system level is a five-minute change with no downside and a meaningful privacy improvement.


💡 Common Misconceptions

"DNS is too technical to bother with."

The actual change is a single setting in your browser, OS, or router. After you flip it, the day-to-day experience of browsing is identical; the only difference is that your ISP's logging pipeline is no longer the first thing every website connection touches.

"Switching DNS will break things."

The risk is real but small, and almost always recoverable. The more common scenario is that nothing visible changes at all. The exceptions tend to be specific apps that hardcode a particular resolver, or aggressive filtering blocklists that catch a domain your bank or workplace VPN actually needs. Both are fixable; neither is a reason not to start. You have a lot of control over which DNS tool you choose to use, and many are at low risk for false positives.

"All encrypted DNS providers are doing the same thing."

A privacy-respecting DNS provider (like Quad9 or Mullvad DNS) replaces your ISP's logging with no logging. A filtering DNS provider (like NextDNS or Mullvad's blocking variants) also refuses to resolve known tracker, ad, and malware domains across every app on your device, which is a second role on top of the first, and it's optional. The choice between providers is downstream of what role you want your DNS to have.

"Encrypted DNS hides your browsing from your ISP."

Partially. Your ISP can no longer read your DNS queries in plaintext. But it can still see the IP addresses your device connects to, and those addresses often correlate to specific sites without the DNS layer needing to be readable. Encrypted DNS is one layer of protection, not full traffic privacy. For full traffic privacy, you need a VPN or Tor.

"Switching DNS will slow down my browsing."

DNS lookup speed depends primarily on how close a resolver is to you and how well its infrastructure is provisioned, not on whether it's encrypted. The major public resolvers (Cloudflare, Quad9, Mullvad) have global infrastructure specifically optimized for low latency. In practice, many people see no change in perceived speed, and some see an improvement over a sluggish ISP resolver. DNS over QUIC (DoQ) is specifically designed to reduce lookup latency. If speed is genuinely a concern, tools like dnsperftest can compare resolver latency from your actual location and help you pick the fastest option that also meets your privacy requirements.


πŸ—£οΈ Henry's Take

The clearest way I've found to think about encrypted DNS is that it plays two distinct roles, and most of the confusion in this space comes from collapsing them into one.

Role one, which everyone should fill: stop sending your queries to your ISP. Pick a non-harvesting resolver and configure it at the system or browser level. Quad9, Mullvad DNS, and Cloudflare 1.1.1.1 all do this without charging you anything. The day-to-day experience doesn't change. The change is that your ISP's logging pipeline stops getting fed.

Role two, which some people should fill: use a filtering DNS provider to block tracker, ad, and analytics domains across your devices. This is the only practical way to reduce in-app tracking on a phone or your IoT devices, because you cannot install an extension into your banking app or your Roku. NextDNS and Mullvad's blocking variants both handle this well, with NextDNS being more configurable and giving you a log of what's being blocked, which makes troubleshooting and tuning much easier.

My own setup runs NextDNS through a Tailscale connection that also passes through Mullvad VPN, giving me filtered DNS, VPN coverage, and access to my home network in a single VPN connection. That's an advanced setup and not what most people need. The point is that you can layer these pieces in interesting ways once the basics are in place.

One pro tip worth knowing: browsers like Mullvad Browser and Tor Browser deliberately ignore system DNS and use their own resolvers. This is by design, and it's also a useful diagnostic. If a site loads in Mullvad Browser but not in your default browser, your DNS provider is almost certainly blocking something. Open the NextDNS log, find the entry, and decide whether to whitelist or leave the block in place.


✅ Henry's Picks

Quad9: a strong default for users who want the role-one benefit (private resolution) with passive malware protection layered in. No IP logging. Free. Easy to configure on every modern OS and browser.

Mullvad DNS: public resolver from Mullvad, available to anyone (not just VPN subscribers). RAM-only servers, no query logs, and optional content-blocking variants for ads, trackers, social media, NSFW, and malware. Strong pick if you want zero logging plus optional baseline filtering without the customization layer.

NextDNS: the right pick when role two (active filtering) is what you're after. Custom blocklists, granular per-category control, optional query logging under your own account for visibility and troubleshooting, and a per-device configuration model that's easier to manage than per-router. Free tier covers 300,000 queries per month. The paid plan (~$20/year) is unlimited.

Cloudflare 1.1.1.1: independently audited no-selling-of-query-data, source IP anonymization within 24 hours, and broad infrastructure that makes it consistently fast. A solid choice when speed matters and you trust the operator.

See the broader recommendation set at Techlore's SPA Tools.


🔗 Go Deeper

Techlore content:

  • Go Incognito v2, Lesson 4.8: Encrypted DNS
