How DNS Works
The Domain Name System is the internet's phone book. Every time you type a website address like safetoolshub.com into your browser, your device sends a DNS query to a resolver that translates the human-readable domain name into a numerical IP address that computers use to route traffic. This lookup happens before your browser can connect to the website, making DNS a critical first step in every internet interaction.
By default, DNS queries and responses travel in plain text over UDP or TCP port 53. Anyone who can observe your network traffic, including your internet service provider, network administrators, and attackers on shared networks, can see every domain you look up simply by reading those packets, and anyone who can inject packets onto the path can answer them. The resolver you use sees every query as well, whichever transport you pick. This visibility makes DNS both a privacy weak point and a target for attacks.
DNS Attacks and Threats
DNS Hijacking
DNS hijacking occurs when an attacker redirects your DNS queries to a resolver they control. This can happen through malware that changes your device's DNS settings, a compromised router handing out a rogue resolver over DHCP, or interception of port 53 traffic on the network path. Once your queries are redirected, the attacker decides which IP addresses your device connects to and can send you to a convincing phishing site even when you type the correct URL. Redirecting DNS does not give the attacker a valid TLS certificate for the real domain, so a site you load over HTTPS will show a certificate error; the attack works best against plain HTTP and against users who click through warnings.
DNS Spoofing and Cache Poisoning
DNS spoofing means sending forged responses to a resolver before the legitimate answer arrives, so that the resolver caches an attacker-chosen IP address. A forged reply is only accepted if it matches the outstanding query's 16-bit transaction ID, the UDP source port the resolver used, and the question it asked, which is why modern resolvers randomize their source ports. When you or anyone else using that resolver then requests the poisoned domain, the resolver returns the attacker's address instead of the legitimate one, so one successful poisoning can affect thousands of users. Note that DoH and DoT protect the hop between you and the resolver; they do not stop the resolver's own upstream lookups from being poisoned. Guarding that hop requires DNSSEC validation on the resolver, which all three providers recommended below perform.
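To make the last two sections concrete, here is an added Python example (written for this edit, not code from the original article or from any resolver vendor) that builds the plaintext query your device sends for safetoolshub.com, constructs a sample reply, and applies the checks a resolver performs before caching an answer. The transaction IDs, ports and IP addresses (taken from documentation ranges) are all constructed for illustration, and the bailiwick rule is simplified to "answers must be for the name asked about".

```python
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire form of a domain name: length-prefixed labels, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("labels must be 1 to 63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Decode a name that may use compression pointers; return (name, next offset)."""
    labels, end = [], None
    for _ in range(128):  # iteration cap guards against pointer loops
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    else:
        raise ValueError("name too long or compression loop")
    return ".".join(labels), (offset if end is None else end)


def build_query(name: str, txid: int, qtype: int = QTYPE_A) -> bytes:
    """12-byte header (ID, flags RD=1, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_message(packet: bytes) -> dict:
    """Parse header, question and answer sections (A records decoded to text)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(packet, offset)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def build_answer(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Answer `query` with one A record (used here to construct sample traffic)."""
    q = parse_message(query)
    name, qtype, qclass = q["questions"][0]
    header = struct.pack("!HHHHHH", q["id"], 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer to the question name at offset 12.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + question + answer


def accept_response(query: bytes, response: bytes, query_port: int, reply_port: int) -> bool:
    """The checks a resolver must make before caching a reply.  An off-path
    forger has to guess the 16-bit ID and the source port the resolver used
    (the reply must land on that port), which is why port randomization turned
    cache poisoning from trivial into a brute-force race."""
    q, r = parse_message(query), parse_message(response)
    if reply_port != query_port or r["id"] != q["id"]:
        return False
    if not r["flags"] & 0x8000 or r["questions"] != q["questions"]:
        return False
    # Simplified bailiwick rule: only records for the name that was asked about.
    asked = q["questions"][0][0].lower()
    return all(rname.lower() == asked for rname, *_ in r["answers"])


if __name__ == "__main__":
    query = build_query("safetoolshub.com", txid=0x1234)
    print("plaintext query on the wire:", query.hex())
    print("observer can read the domain:", b"safetoolshub" in query)
    good = build_answer(query, "203.0.113.10")  # constructed legitimate reply
    forged = build_answer(build_query("safetoolshub.com", 0x1235), "198.51.100.7")
    print("legitimate reply accepted:", accept_response(query, good, 51000, 51000))
    print("forged reply, wrong ID:", accept_response(query, forged, 51000, 51000))
    print("forged reply, wrong port:", accept_response(query, good, 51000, 51001))
```

Run it and compare the hex dump with the domain bytes: the label `safetoolshub` sits in the packet as plain ASCII, which is exactly what an on-path observer reads. The forged replies are rejected only because the ID or port is wrong; an attacker who can see the query (the on-path case) knows both, and only encryption of the transport stops them.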
DNS Surveillance
Because traditional DNS traffic is unencrypted, ISPs can log every domain you visit and sell this data to advertisers or share it with government agencies. Even when you use HTTPS to encrypt the content of your communication with a website, the initial DNS query reveals which site you are connecting to, and so does the server name (SNI) sent in clear text during the TLS handshake unless the site supports Encrypted Client Hello. This metadata alone can reveal detailed information about your habits, interests, and associations.
Encrypted DNS: DoH and DoT
DNS over HTTPS (DoH)
DNS over HTTPS (RFC 8484) encrypts DNS queries by carrying them inside ordinary HTTPS requests on port 443. Because DoH shares a port and protocol with all other web traffic, it cannot be blocked by port alone; a network that wants to stop it has to block or intercept the resolver endpoints themselves, and the TLS server name still reveals which DoH resolver you are talking to. This makes DoH the better option in environments where network operators or governments filter port 53 or block port 853.
DoH is built into the major browsers: Firefox, Chrome, and Edge ship their own DoH clients and can be configured to use one by default, while Safari relies on the encrypted DNS settings of macOS and iOS rather than a browser setting of its own. When enabled, your DNS queries are encrypted between the browser and the DoH resolver, so nobody on the network path can read or tamper with them. The resolver itself still sees the queries in clear, which is why the choice of provider matters.
DNS over TLS (DoT)
DNS over TLS (RFC 7858) encrypts DNS queries using TLS on a dedicated port, 853, with the same two-byte length framing as DNS over TCP. Unlike DoH, which blends in with HTTPS traffic, DoT uses a distinct port that network administrators can identify and block. In exchange it is simpler to implement at the operating system level and is the usual method for system-wide encrypted DNS on Android and on Linux distributions that use systemd-resolved.
Android 9 and later include a Private DNS feature that enables DoT system-wide. In hostname mode the device validates the resolver's certificate against the hostname you enter and refuses to fall back to plaintext, so queries from all applications, not just the browser, are either encrypted or fail closed.
Recommended Secure DNS Providers
Cloudflare 1.1.1.1
Cloudflare's 1.1.1.1 resolver (with 1.0.0.1 as secondary, and 2606:4700:4700::1111 and 2606:4700:4700::1001 over IPv6) is one of the fastest public DNS services available. Cloudflare commits to never selling user data and to deleting query logs within 25 hours under its published privacy policy. The service supports both DoH (https://cloudflare-dns.com/dns-query) and DoT (hostname one.one.one.one), validates DNSSEC, and Cloudflare has published third-party audits of its privacy commitments. Configuration is straightforward on all major platforms, and Cloudflare provides free apps for mobile devices.
Quad9 (9.9.9.9)
Quad9 is a nonprofit DNS resolver (9.9.9.9 and 149.112.112.112; 2620:fe::fe and 2620:fe::9 over IPv6) that combines privacy with built-in security filtering. In addition to encrypting queries via DoH (https://dns.quad9.net/dns-query) and DoT (hostname dns.quad9.net), Quad9 blocks resolution of known malicious domains using threat intelligence from over 25 security partners, returning NXDOMAIN for them, and validates DNSSEC. This provides a layer of malware and phishing protection at the DNS level; an unfiltered variant is available at 9.9.9.10 for users who do not want blocking. Quad9 is headquartered in Switzerland and operates under Swiss privacy law.
Google Public DNS (8.8.8.8)
Google Public DNS (8.8.8.8 and 8.8.4.4; 2001:4860:4860::8888 and 2001:4860:4860::8844 over IPv6) supports DoH (https://dns.google/dns-query) and DoT (hostname dns.google), validates DNSSEC, and offers excellent performance worldwide. However, Google's broader data collection business makes it a less attractive choice for privacy-focused users than Cloudflare or Quad9. Google does log some query data, though it states that the retained data is anonymized and used for service improvement.
How to Configure Encrypted DNS
On Windows
On Windows 11, open Settings, go to Network & internet, select your active connection (Wi-Fi or Ethernet), and under DNS server assignment click Edit and switch to Manual. Enter the resolver's IPv4 (and IPv6) addresses and, for each, set DNS over HTTPS to On. Windows recognizes the Cloudflare, Google, and Quad9 addresses and applies the matching DoH template automatically; for any other resolver you must supply the template URL yourself. Leave "Fallback to plaintext" off if you want lookups to fail rather than silently downgrade to port 53. Windows 10 has no DoH option in Settings.
On macOS
In macOS Ventura and later, go to System Settings, then Network, select your active connection, click Details, then DNS, and add your preferred resolver addresses. This pane only accepts plain addresses; for DoH or DoT, macOS 11 and later (and iOS 14 and later) accept a configuration profile that sets an encrypted resolver system-wide, which the DNS providers above distribute, or you can use a third-party DNS client.
On Android
Go to Settings, then Network & internet, then Private DNS (the exact menu path varies by manufacturer). Select "Private DNS provider hostname" and enter the DoT hostname for your chosen provider, such as one.one.one.one for Cloudflare, dns.quad9.net for Quad9, or dns.google for Google. Enter a hostname rather than an IP address: Android uses it to verify the resolver's certificate.
In Your Browser
Firefox users can enable DoH under Settings, Privacy & Security, DNS over HTTPS. "Increased Protection" uses the chosen resolver and falls back to the system DNS if it fails, while "Max Protection" refuses to fall back; in the "Default Protection" level a network can turn DoH off by answering the use-application-dns.net canary domain, so pick one of the explicit levels if you do not want that. Chrome and Edge users can turn on Use secure DNS under Settings, Privacy and security, Security, and either let the browser upgrade the current resolver (which only works when it is known to support DoH) or pick one from the list. All of these browsers let you select from a list of trusted DoH providers or enter a custom endpoint URL.
Combining DNS Security with Other Protections
Encrypted DNS is one layer of a comprehensive privacy strategy. Combine it with HTTPS-only browsing, a reputable VPN, and proper browser privacy settings for maximum protection. Test your DNS configuration to ensure queries are actually being encrypted: Cloudflare's https://1.1.1.1/help page reports whether your queries arrive over DoH or DoT, and a packet capture on your own machine should show no traffic to port 53 once the configuration is in place, apart from the single lookup needed to find the resolver's address. Then run a speed test to verify that switching DNS providers has not noticeably slowed your browsing.
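A packet capture is the most reliable test, because it catches software that ignores the browser or OS setting. The following added Python example (written for this edit, not part of the original article) audits a summary of outbound flows for plaintext DNS. The input format, one "protocol destination port" record per line, and the sample records are constructed for illustration; you would produce equivalent lines from your own capture. The resolver addresses are the published ones for the three providers above.

```python
from collections import Counter

# Resolver addresses of the three providers discussed on this page.  Port 443
# traffic to these is very likely DoH; port 853 traffic anywhere is DoT.
KNOWN_RESOLVERS = {
    "1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001",  # Cloudflare
    "9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9",             # Quad9
    "8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844",  # Google
}

# Constructed sample: one "proto destination port" record per outbound flow.
# It models a laptop whose browser uses DoH while the operating system still
# sends some lookups in plaintext to the router at 192.168.1.1.
SAMPLE_FLOWS = """
udp 1.1.1.1 53
tcp 1.1.1.1 443
tcp 1.1.1.1 443
udp 192.168.1.1 53
udp 192.168.1.1 53
tcp 9.9.9.9 853
tcp 203.0.113.5 443
# comment lines and blank lines are ignored
"""


def classify(proto: str, dst: str, port: int) -> str:
    """Label one flow: plaintext DNS, DoT, probable DoH, or unrelated traffic."""
    if port == 53:
        return "plaintext-dns"
    if port == 853 and proto == "tcp":
        return "dot"
    if port == 443 and proto == "tcp" and dst in KNOWN_RESOLVERS:
        return "doh-probable"
    return "other"


def audit(records: str) -> dict:
    """Summarize flows and list where plaintext DNS went.

    One port-53 query to a known resolver address is expected: a client
    configured with a DoH hostname has to resolve that hostname once before it
    can switch transports.  Repeated plaintext queries, or any to a resolver
    you did not choose (here the router), mean something on the host is
    bypassing the encrypted configuration."""
    counts, leaks = Counter(), Counter()
    for line in records.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, dst, port = line.split()
        kind = classify(proto.lower(), dst, int(port))
        counts[kind] += 1
        if kind == "plaintext-dns":
            leaks[dst] += 1
    bootstrap_only = all(dst in KNOWN_RESOLVERS and n == 1 for dst, n in leaks.items())
    return {
        "counts": dict(counts),
        "plaintext_destinations": dict(leaks),
        "encrypted_only": bootstrap_only,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

In the sample the verdict is negative: two lookups went to the router in clear even though the browser's DoH traffic is present, which is the typical result when only the browser, and not the system resolver, has been configured. Port 443 to a resolver address is labelled "probable" because an IP alone does not prove the payload was DNS; the port-53 count is the part that matters.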
For complete privacy, also consider how you share links and data online. Use our URL shortener to share links without exposing tracking parameters, and be aware that even with encrypted DNS, the websites you visit can still track you through cookies and fingerprinting.
Conclusion
DNS security is a fundamental but often overlooked aspect of online privacy and safety. Switching to an encrypted DNS resolver takes just a few minutes and stops anyone on the network path from reading or rewriting your lookups, which closes off on-path surveillance, spoofed replies, and redirection to a rogue resolver. It does not hide your queries from the resolver itself, so choose one whose policies you trust. Whether you pick Cloudflare, Quad9, or another reputable provider, enabling DoH or DoT is one of the highest-impact privacy improvements available to every internet user.
Raimundo Coelho
Cybersecurity specialist and technology professor with over 20 years of experience in IT. Graduated from Universidade Estácio de Sá. Writing practical guides to help you protect your data and stay safe in the digital world.