You use HTTPS for websites. You have a VPN. Your messages are encrypted. But every time you type a web address into your browser, there is a good chance you are broadcasting that domain name in plaintext for anyone on your network to see. This is the DNS privacy problem, and it is one of the most overlooked leaks in internet privacy.

What DNS Reveals About You

The Domain Name System (DNS) is the internet's phone book. When you type example.com into your browser, your device sends a DNS query to a DNS server asking for the IP address associated with that domain. Only then can your browser actually connect to the website.

Traditionally, these DNS queries are sent completely unencrypted over port 53 using UDP. This means:

  • Your ISP sees every domain you visit. Even if you use HTTPS, your ISP can see the DNS query for the domain name. They know you visited a medical website, a political forum, or an adult site, even though they cannot see what you did there.
  • Anyone on your local network can see your queries. On public Wi-Fi, other users with basic network tools can watch your DNS queries scroll by in real time.
  • DNS logs create a complete browsing history. ISPs and DNS providers can store logs of every DNS query you make, creating a detailed record of your internet activity over time.
  • Queries can be intercepted and modified. Without encryption or authentication, DNS responses can be spoofed by attackers to redirect you to malicious websites.

Encrypting DNS: DoH and DoT

Two protocols have been developed to encrypt DNS queries and solve this problem:

DNS over HTTPS (DoH)

DoH wraps DNS queries inside standard HTTPS traffic on port 443. This makes DNS queries look like regular web traffic, which makes them much harder for a network operator to selectively block or intercept. DoH is supported natively in Firefox, Chrome, Edge, and Brave, making it the easiest option for most users to enable.

DNS over TLS (DoT)

DoT encrypts DNS queries using TLS on a dedicated port (853). Because it uses a separate port, network administrators can identify and potentially block DoT traffic, unlike DoH which blends in with HTTPS. However, DoT is slightly more efficient since it does not have the overhead of HTTP. Android (version 9 and later) natively supports DoT through its "Private DNS" setting.

Both protocols achieve the same goal: preventing anyone between you and your DNS provider from seeing or tampering with your DNS queries. The choice between them depends on your environment. DoH is better for evading network-level blocking; DoT is slightly more straightforward for system-level configuration.
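To make the leak and the two fixes concrete, here is an added example (not code from the article) that builds the wire-format message a stub resolver sends, shows what an on-path observer reads from it when it travels in plaintext over port 53, and then wraps the very same bytes the way DoH (RFC 8484) and DoT (RFC 7858) carry them. The resolver URLs in the test are the public DoH endpoints of Cloudflare and Quad9; the sample query is constructed, not captured.

```python
import base64
import struct

def encode_qname(name):
    # RFC 1035 name: each label length-prefixed, terminated by a zero byte.
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, txid=0):
    # Header: ID, flags 0x0100 (RD=1), QDCOUNT=1, AN/NS/AR=0; then QNAME, QTYPE, QCLASS=IN.
    # DoH clients send ID 0 so identical queries produce identical, cacheable URLs.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)

def decode_qname(msg, off=12):
    # Read labels starting right after the 12-byte header (question names never use
    # compression pointers). Returns (name, offset just past the name).
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def queried_name(udp_payload):
    # What anyone on the path learns from a plaintext port-53 query: the full domain name.
    return decode_qname(udp_payload)[0]

def doh_get_url(resolver_url, query):
    # RFC 8484 GET form: the same wire-format bytes, base64url without '=' padding, sent
    # inside TLS on port 443, so an observer sees only a connection to the resolver.
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"

def dot_frame(query):
    # RFC 7858 DoT: the same message over TLS on port 853, with the 2-byte length prefix
    # that DNS uses on any stream transport (RFC 1035 section 4.2.2).
    return struct.pack("!H", len(query)) + query

# Constructed sample (not a capture): a stub resolver's query as it would sit in a UDP
# datagram to port 53, transaction ID 0x1A2B.
PLAINTEXT_QUERY = build_query("example.com", txid=0x1A2B)
```

The DoH URL produced for www.example.com matches the worked example in RFC 8484 section 4.1.1, which is a handy way to check the encoder.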

Privacy-Respecting DNS Providers

Cloudflare (1.1.1.1)

Cloudflare operates one of the fastest DNS resolvers available. It commits to never selling user data, never using DNS data for ad targeting, and purging all query logs within 24 hours. KPMG audits Cloudflare annually to verify these claims. It supports both DoH and DoT.

Quad9 (9.9.9.9)

Operated by a non-profit foundation based in Switzerland, Quad9 blocks access to known malicious domains by default, adding a security layer on top of privacy. It does not log individual IP addresses and is subject to Swiss privacy law. It supports DoH and DoT.

NextDNS

NextDNS offers customizable filtering with a privacy-first approach. You can configure ad blocking, tracker blocking, and parental controls at the DNS level. It offers detailed analytics for your own queries (which you can disable) and deletes logs based on your chosen retention period. NextDNS supports DoH, DoT, and DNSCrypt.

DNSSEC: Authentication Without Encryption

DNSSEC (DNS Security Extensions) is a complementary technology that solves a different problem. While DoH and DoT encrypt queries so they cannot be read, DNSSEC authenticates responses so they cannot be forged. DNSSEC uses digital signatures to verify that DNS responses genuinely came from the authoritative DNS server and were not tampered with in transit.

It is important to understand that DNSSEC does not encrypt your queries. Your ISP can still see which domains you are looking up. What DNSSEC prevents is DNS spoofing attacks where an attacker returns a fake IP address for a domain. For complete DNS security, you want both encrypted DNS (DoH or DoT) and DNSSEC validation: in most setups the resolver performs the validation, and the encrypted channel protects the validated answer on its way back to you.

Setting Up Private DNS

Browser-Level DoH

The quickest method. In Firefox, go to Settings > Privacy & Security > DNS over HTTPS and select your provider. In Chrome, go to Settings > Privacy and Security > Security > Use Secure DNS. This protects browser traffic but not other applications on your device.

System-Level Configuration

  • Windows 11 supports DoH natively. Go to Settings > Network & Internet > your connection > DNS server assignment, and enter a DoH-capable DNS server address. Windows will automatically use encrypted DNS.
  • macOS does not have a built-in GUI for DoH/DoT, but you can configure it using a DNS profile from your chosen provider or by installing a lightweight resolver like dnscrypt-proxy.
  • Linux users can configure systemd-resolved for DoT by editing /etc/systemd/resolved.conf and setting DNSOverTLS=yes with a compatible server.
  • Android 9+ supports DoT natively. Go to Settings > Network > Private DNS and enter your provider's hostname (e.g., dns.quad9.net).
  • iOS/iPadOS supports encrypted DNS through configuration profiles. Providers like Cloudflare and NextDNS offer downloadable profiles that enable DoH system-wide.
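For the Linux step above, this is what the relevant part of /etc/systemd/resolved.conf looks like once DoT is on, using the Quad9 address and hostname given in this article (an added example, not the article's own file; the DNSSEC line goes one step beyond what the list item describes):

```ini
[Resolve]
# Quad9 over DoT. The "#hostname" suffix tells systemd-resolved which name to send as
# SNI and to expect in the server's TLS certificate, instead of accepting any certificate.
DNS=9.9.9.9#dns.quad9.net
# "yes" refuses to fall back to plaintext port 53 if the TLS session cannot be set up;
# "opportunistic" would silently downgrade to exactly the leak described above.
DNSOverTLS=yes
# Validate DNSSEC signatures locally rather than only trusting the resolver's AD bit.
DNSSEC=yes
```

After `systemctl restart systemd-resolved`, `resolvectl status` should list 9.9.9.9 as the server and report DNS over TLS as enabled.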

DNS encryption is one of the simplest and most impactful privacy improvements you can make. It takes minutes to configure and closes a significant gap that most people never knew existed.
