Contents
6 sections · 8 min read
Shield icon protecting DNS query traveling between device and encrypted resolver
Domain Security

What Is Private DNS? DNS over HTTPS and Encrypted DNS Explained

A
Domain 360 Team
·July 10, 2026·8 min read

Every single website visit starts the same way: your device asks a DNS resolver to translate a domain name into an IP address. By default, that question travels the network in plain text. The coffee shop Wi-Fi can read it. Your ISP logs it. Anyone positioned on the path sees a complete, timestamped list of every domain you look up — which is very close to a list of everything you do online.

Private DNS exists to close that gap. It is one of the highest-value, lowest-effort privacy upgrades available, and it takes about two minutes to enable on any device. Here is what it actually does, what it does not do, and how to set it up.

The Problem: DNS Was Designed in Public

Classic DNS dates from an era when encryption was expensive and threats were theoretical. Queries go out unencrypted on port 53, and the consequences in 2026 are concrete.

On any shared network, your DNS queries are readable by whoever controls it — the hotel, the airport, the person running a rogue hotspot. ISPs in many countries log DNS queries and, in some markets, monetise the browsing patterns they reveal. And because the queries are unauthenticated as well as unencrypted, a hostile network can answer them dishonestly — redirecting a banking domain to a phishing server without the URL ever looking wrong. That attack, DNS spoofing, is a cousin of the domain hijacking threats that target the domains themselves.

The Fix: Encrypt the Lookup

Encrypted DNS wraps queries in the same TLS encryption that protects https websites. Two protocols do the job, and the practical difference is what they look like to the network in between.

DNS over TLS (DoT) runs on its own dedicated port, 853. It is clean and efficient, but the dedicated port makes it visible: a network that wants to block encrypted DNS can simply block port 853. Android Private DNS is built on DoT.

DNS over HTTPS (DoH) hides DNS queries inside ordinary HTTPS traffic on port 443 — the same port as every website on earth. A network cannot block DoH without blocking the web itself, which is precisely why browsers adopted it as their default approach to encrypted DNS.

Either way, the payoff is the same: the network sees that you are talking to a resolver, but not what you are asking it.

Turning It On: Every Major Device

Android ships the feature under the exact name Private DNS. Open Settings, search for Private DNS, choose Private DNS provider hostname, and enter one.one.one.one for Cloudflare or dns.google for Google. Save, and every app on the device now uses encrypted DNS on every network.

Windows 11 supports DoH system-wide. In Settings, Network and Internet, open your connection, edit DNS settings manually, enter 1.1.1.1 or 8.8.8.8, and set the encryption preference to Encrypted only.

Chrome and Edge have Use secure DNS in the Privacy and Security settings — either upgrading your current resolver to DoH when possible or letting you pick a specific provider.

Firefox enables DoH by default in several regions under Settings, Privacy and Security, DNS over HTTPS, with configurable protection levels.

iPhone and Mac support encrypted DNS system-wide via configuration profiles — Cloudflare and other providers offer one-tap profiles, and the 1.1.1.1 app configures it automatically.

Routers are the one-change-covers-everything option: some modern firmware supports DoH or DoT directly, encrypting lookups for every device on the network without touching each one.

Choosing a Resolver

Three public resolvers dominate, and all are good choices.

Cloudflare 1.1.1.1 leads on privacy policy — query logs are not used to identify users and are purged within 24 hours, with independent audits backing the claim — and consistently ranks fastest worldwide.

Google 8.8.8.8 offers unmatched reliability on Google infrastructure.

Quad9 at 9.9.9.9 adds security filtering: it refuses to resolve domains on curated malware and phishing blocklists, blocking bad destinations at the DNS layer before a connection ever opens.

Pick Cloudflare for speed and privacy, Quad9 for built-in threat blocking. There is no wrong answer among the three.

What Private DNS Does Not Do

Honest limits, because encrypted DNS is often oversold. Your ISP still sees the IP addresses you connect to, and usually the hostname too via the SNI field in TLS connections — so private DNS narrows what observers learn, it does not blind them. It is not a VPN: your traffic still travels your normal route with your normal IP. And the resolver you choose sees all your queries — you are shifting trust from your ISP to Cloudflare, Google, or Quad9, which is a good trade given their published policies, but it is a trade.

The Domain Owner Angle

If you run websites, encrypted DNS changes nothing about how you configure your domains — resolvers fetch your records from your nameservers exactly as before, and your A, MX, and TXT records work identically for encrypted and plain-text users.

What it quietly changes is the failure economics of DNS-level problems. As DoH adoption grows, resolver caches refresh on their own schedules, and diagnosing why a domain resolves differently for different users increasingly means querying specific resolvers directly — the exact skill covered in our DNS lookup commands guide. And the fundamentals still rule everything: the most private, most encrypted DNS setup in the world resolves nothing if the domain behind it lapses. Keeping every domain renewed and monitored through a domain management dashboard remains the unglamorous foundation the entire stack sits on.

Never lose a domain again

Track every domain you own in one dashboard. Free for up to 15 domains.