How to Choose and Configure a Secure DNS Provider
Your DNS provider sees every website you visit. Switch to a secure, privacy-respecting DNS service for better protection.
WiFiSecurityPros
The Domain Name System (DNS) is often called the phonebook of the internet. Every time you visit a website, your device makes a DNS query to translate the domain name into an IP address. By default, these queries go to your Internet Service Provider DNS servers, giving your ISP a complete record of every website you visit. Switching to a secure, privacy-respecting DNS provider is one of the simplest yet most impactful privacy improvements you can make.
How DNS Works
When you type a website address into your browser, your device sends a DNS query to a DNS resolver asking for the IP address associated with that domain. The resolver checks its cache, and if it does not have the answer, it queries authoritative DNS servers until it finds the correct IP address. This process happens for virtually every internet request you make.
Traditional DNS queries are sent in plain text, meaning anyone on the network path between you and the DNS resolver can see exactly which websites you are looking up. This includes your ISP, network administrators, and anyone conducting surveillance on the network.
Why Your ISP DNS Is a Privacy Risk
ISPs can and do log DNS queries for their customers. This data is valuable for advertising, analytics, and in some jurisdictions, can be sold to third parties. Some ISPs even inject their own content into DNS responses, redirecting failed lookups to advertising pages or injecting tracking data.
Using your ISP DNS also means that all your DNS queries are concentrated with a single entity that already knows your identity and physical address. This creates a comprehensive record of your online activities tied directly to your real-world identity.
Popular Secure DNS Providers
Cloudflare (1.1.1.1) offers one of the fastest DNS resolvers available. They have committed to never selling user data and purge all logs within 24 hours. Cloudflare supports DNS over HTTPS (DoH) and DNS over TLS (DoT) for encrypted queries. Their 1.1.1.2 and 1.1.1.3 addresses also offer malware and adult content filtering.
Quad9 (9.9.9.9) focuses on security. It automatically blocks DNS lookups for known malicious domains, providing a layer of protection against phishing, malware, and command-and-control servers. Quad9 is operated by a nonprofit organization and does not log personally identifiable information.
Google Public DNS (8.8.8.8) is one of the most widely used public DNS services. While Google does log some query data, they provide fast and reliable DNS resolution. Google supports DoH and DoT for encrypted queries.
NextDNS offers a highly customizable DNS service that combines privacy-focused resolution with configurable filtering. You can block ads, trackers, and malicious domains while creating custom allow and deny lists. NextDNS provides detailed analytics about your DNS queries without sharing this data with third parties.
Encrypted DNS Protocols
DNS over HTTPS (DoH) encrypts DNS queries by sending them over the standard HTTPS port (443). This makes DNS traffic indistinguishable from regular web browsing traffic, preventing network observers from seeing your DNS queries. DoH is supported by most modern browsers, including Firefox and Chrome.
DNS over TLS (DoT) encrypts DNS queries using the TLS protocol on a dedicated port (853). While this is just as secure as DoH, the dedicated port makes it possible for network administrators to identify and potentially block encrypted DNS traffic. DoT is commonly used for system-wide configuration on mobile devices and routers.
Configuring DNS on Your Router
The most effective approach is to configure DNS at the router level, which applies to all devices on your network. Log into your router administration panel and navigate to the network or internet settings. Look for DNS server settings and replace the ISP-provided addresses with your chosen provider addresses.
If your router supports DoH or DoT, enable it for encrypted DNS queries. If your router does not support encrypted DNS, consider upgrading to one that does, or use a device like a Pi-hole as a DNS proxy that handles encryption before forwarding queries.
Configuring DNS on Individual Devices
If you cannot change router DNS settings or want additional protection for mobile devices outside your home, configure DNS on individual devices. On Windows, go to Network Settings and change the DNS server addresses for your network adapter. On macOS, go to System Settings, Network, and modify the DNS settings for your connection.
On Android 9 and later, go to Settings, Network, and configure Private DNS using your chosen provider DoT address. On iOS, you can use configuration profiles provided by DNS providers to enable encrypted DNS system-wide.
Testing Your DNS Configuration
After changing your DNS settings, verify that they are working correctly. Visit a DNS leak test website to confirm that your queries are going to your chosen provider rather than your ISP. Check that websites load correctly and that DNS resolution times are acceptable.
If you experience issues after changing DNS providers, try an alternative provider. In rare cases, certain ISPs or network configurations may have compatibility issues with specific DNS providers.
Conclusion
Switching to a secure DNS provider takes just a few minutes but provides lasting privacy and security benefits. By choosing a provider that respects your privacy, supports encrypted protocols, and offers malware protection, you remove a significant surveillance point from your internet experience.