Every time you open a website, your device first asks a DNS server to turn the name (like example.com) into an IP address. By default that question and its answer travel in plain text on port 53, which means anyone between you and your DNS server - your internet provider, a stranger on the same public WiFi, or a compromised router - can see every domain you look up, even when the sites themselves use HTTPS. Encrypted DNS closes that gap. Here is what it is, whether it is worth turning on, and how to switch it on.

Encrypting DNS is not the same as changing it

It is easy to confuse two different upgrades. Changing your DNS server swaps who answers your lookups - for example, using Cloudflare or Quad9 instead of your ISP. That can make browsing faster and more reliable, but the questions still travel unencrypted for anyone on the path to read. Encrypted DNS changes how the lookup travels, wrapping it so no one in between can see or tamper with it. For real privacy you want both: a resolver you trust, reached over an encrypted connection.

DoH and DoT: the two main types

There are two widely supported ways to encrypt DNS, plus a newer third:

  • DNS over TLS (DoT) runs on its own dedicated port, 853. Because it has a port to itself, a network can cleanly allow or block it - convenient when you manage the network, but also easy to filter on restrictive ones.
  • DNS over HTTPS (DoH) hides the lookup inside ordinary HTTPS traffic on port 443. To anyone watching, it looks like a normal web connection, so it is very hard to single out or block - which is why most browsers use it.
  • DNS over QUIC (DoQ) is the newest option. It carries DNS over the QUIC transport for lower latency, which helps on mobile connections. Support is still growing.

For most people the practical difference is small: DoT and DoH both encrypt your lookups and confirm the resolver with a certificate. Phones tend to use DoT (Android calls it Private DNS), while browsers and desktops lean on DoH.

Should you turn it on?

For most home users, yes - it is a low-effort privacy win. It stops your ISP from logging and monetizing the list of sites you visit, and it protects you on networks you do not control, like coffee-shop or hotel WiFi. Two things are worth understanding before you flip it on, though.

  • It is not a VPN. Encrypted DNS hides which names you look up, but the connection still goes to a visible IP address, and unless your browser also uses Encrypted Client Hello, the site name can still leak during the TLS handshake. It is one useful layer of privacy, not a cloak.
  • It can bypass your own controls. If you run network-wide filtering, parental controls, or an ad-blocker that works by inspecting DNS, a device using its own encrypted DNS will sail straight past them. More on that below.

It also helps to know that encryption is not the same as authentication: DNSSEC verifies that an answer was not forged, while DoH and DoT keep it private in transit. They solve different problems and are best used together where available.

How to enable encrypted DNS

First pick a resolver that supports it, then turn it on. Three common choices and their addresses:

  • Cloudflare - 1.1.1.1, DoH URL https://cloudflare-dns.com/dns-query, DoT hostname one.one.one.one.
  • Google - 8.8.8.8, DoH URL https://dns.google/dns-query, DoT hostname dns.google.
  • Quad9 - 9.9.9.9, DoH URL https://dns.quad9.net/dns-query, DoT hostname dns.quad9.net (it also blocks known malicious domains).

Windows 11: go to Settings > Network & Internet > your connection > Edit DNS server assignment, switch to Manual, turn on IPv4, and enter one of the addresses above. Under it, set DNS over HTTPS to On (automatic template) - Windows recognizes Cloudflare, Google, and Quad9 automatically. Turn off the "fall back to plaintext" option so a failed handshake never silently reverts to unencrypted lookups.

macOS and iPhone/iPad: Apple has no built-in menu for adding a resolver, so you install a small configuration profile from your provider (Cloudflare, Quad9, and NextDNS all publish one). Once installed, every app on the device uses encrypted DNS system-wide.

Android 9 and later: open Settings > Network & Internet > Private DNS, choose "Private DNS provider hostname," and enter a hostname such as dns.google or one.one.one.one. This uses DoT and applies to both WiFi and mobile data.

Browsers: Chrome and Edge have a "Use secure DNS" switch in their privacy and security settings; Firefox has "DNS over HTTPS" (on by default in some regions). A browser setting only protects that browser, so enabling it at the system level is better if you want everything covered.

Your router: most stock ISP routers still cannot do encrypted DNS. If yours cannot, set it per device, or run custom firmware such as OpenWrt or Asuswrt-Merlin, or a resolver like AdGuard Home, to encrypt lookups for the whole network at once. You will need to log in to your router to check what it supports.

Check that it is actually on

After enabling it, open a browser and visit 1.1.1.1/help. That page reports whether your queries are encrypted and which resolver is handling them - look for "Using DNS over HTTPS (DoH): Yes" (or the DoT equivalent). If it still shows plaintext, something upstream is overriding your choice - most often a separate browser setting or a VPN with its own DNS.

Watch out: it can bypass filtering on your own network

The same feature that protects you on public WiFi can work against you at home. Many smart TVs, streaming sticks, and IoT gadgets now ship with encrypted DNS hard-coded to Google or Cloudflare, so they ignore the DNS server your router hands out over DHCP and quietly skip any filtering or parental controls you have set. If you rely on network-wide DNS filtering, you can push devices back through it by:

  • Blocking outbound port 853 so DoT fails and devices fall back to your resolver.
  • Redirecting all outbound port 53 traffic to your own resolver at the router or firewall.
  • Blocking the IP addresses of known public DoH servers - DoH cannot be stopped by port alone, since it shares 443 with normal web traffic.

This is really a "my network, my rules" decision: encrypted DNS is good for privacy, but on a network you control you may want to stay the trusted resolver. Fit these steps into the wider setup in the best home network security plan, and if a device stops resolving after you tighten things up, our guide to WiFi connected but no internet will help you track it down.