How DNS Works (And Why It Matters for Privacy)

DNS is the internet’s phone book, but it’s also a privacy weak point. This guide explains how DNS works, why it matters for your privacy, and how to secure your DNS traffic.

Quick Answer

DNS (Domain Name System) translates human-readable website names (like google.com) into computer-readable IP addresses (like 142.250.185.206). Without it, you’d need to memorize numbers for every website. The privacy concern? Your DNS requests reveal the name of every site you visit – and by default they go, unencrypted, to your ISP’s resolver, which sees all of them.


How DNS Works

When you type “google.com” into your browser, here’s what happens:

  1. Your browser asks: “What’s the IP address for google.com?”
  2. DNS resolver receives the query: Usually your ISP’s DNS server
  3. Resolver checks its cache: If it knows the answer, it responds immediately
  4. If not cached, it queries other servers: Root servers → TLD servers → Authoritative servers
  5. IP address returned: “google.com is at 142.250.185.206”
  6. Your browser connects: Using the IP address to load the page

This happens in milliseconds, every time you visit any website.

The DNS Hierarchy

  • Root Servers: Know where to find .com, .org, .net, etc.
  • TLD Servers: Know where to find domains within their zone (.com knows where google.com is)
  • Authoritative Servers: Hold the actual IP address for specific domains
  • Recursive Resolvers: Do the work of querying all these servers for you (usually your ISP)

Why DNS Is a Privacy Problem

Traditional DNS Is Unencrypted

Standard DNS queries are sent in plain text, usually over UDP port 53. This means:

  • Your ISP sees the hostname of every site you visit (HTTPS hides the page content and URL path, not the domain)
  • Anyone on your network path can read or record DNS (WiFi operator, an attacker on the same network, any upstream router)
  • DNS queries can be logged and sold to advertisers
  • Governments can monitor DNS for surveillance
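
As an added example (this is not code from the page), here is the wire format behind the lookup steps above, in Python: build the plain DNS query for google.com, parse a constructed response that carries the 142.250.185.206 answer, and then pull the queried names back out of raw packets the way an ISP or WiFi operator watching port 53 would. The response bytes are constructed inline and nothing is sent on the network.

```python
import struct

# Constructed example, not from the page: build a plain (port-53 style) DNS
# query for an A record, parse the matching response, and show what an
# on-path observer can read from the unencrypted bytes.

TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode "google.com" as length-prefixed labels: 6google3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txn_id: int = 0x1234, qtype: int = TYPE_A) -> bytes:
    """12-byte header (RFC 1035 4.1.1) + one question; flags 0x0100 = RD (recursion desired)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode labels at offset, following 0xC0 compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name at its original position)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Return id, rcode, the question name and any A-record addresses with TTLs."""
    txn_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, offset = decode_name(msg, 12)
    offset += 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _owner, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((".".join(map(str, rdata)), ttl))
    return {"id": txn_id, "rcode": flags & 0xF, "qname": qname, "a": answers}


def observed_names(packets: list[bytes]) -> list[str]:
    """What a passive observer learns from plaintext DNS: the queried name sits
    at byte 12 of every query, readable without any key."""
    names = []
    for pkt in packets:
        if len(pkt) < 12:
            continue
        flags = struct.unpack("!H", pkt[2:4])[0]
        if flags & 0x8000 == 0:  # QR bit clear: this is a query, not a response
            names.append(decode_name(pkt, 12)[0])
    return names


# Constructed response: same ID as the query, flags 0x8180 (response, RD, RA),
# one answer whose owner name is a compression pointer (0xC00C) to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("google.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
    + bytes([142, 250, 185, 206])
)

if __name__ == "__main__":
    print(build_query("google.com").hex())
    print(parse_response(SAMPLE_RESPONSE))
    print(observed_names([build_query("google.com"), SAMPLE_RESPONSE, build_query("example.org")]))
```

The `observed_names` function is the whole privacy argument in a few lines: the label bytes `06google03com00` are right there in every query, so anyone who can capture the packets gets the browsing history without touching the HTTPS session that follows.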

DNS Logging

Many DNS providers log queries. This data can be:

  • Used for targeted advertising
  • Sold to data brokers
  • Subpoenaed by law enforcement
  • Breached and exposed

DNS Manipulation

Unencrypted DNS can be modified in transit:

  • Censorship: Governments block sites by returning wrong DNS answers
  • Hijacking: Anyone on the path (a compromised router, a hostile WiFi operator) can answer first with the address of a look-alike site
  • ISP redirection: Some ISPs redirect “not found” pages to their own ads

Encrypting DNS stops on-path tampering because the client authenticates the resolver, but the resolver itself can still answer whatever it likes, which is why the choice of provider matters.

What Is a DNS Leak?

A DNS leak occurs when your DNS queries bypass the VPN tunnel and go to your ISP’s resolver (or any resolver outside the tunnel), even though the rest of your traffic is encrypted.

How DNS Leaks Happen

  • Poorly configured VPN: Doesn’t route DNS through the tunnel
  • Windows “Smart Multi-Homed Name Resolution”: Sends DNS to all available interfaces
  • IPv6 leaks: VPN handles IPv4 but not IPv6 DNS
  • WebRTC leaks: A browser feature that can reveal your real IP address to a website; strictly an IP leak rather than a DNS leak, but usually reported by the same test sites

Why DNS Leaks Matter

Even with a VPN, DNS leaks reveal every website you visit to your ISP. Your IP is hidden, but your browsing habits are exposed. This defeats a major purpose of using a VPN.

How to Check for DNS Leaks

Connect to your VPN, then visit a DNS leak test site. These sites make your browser look up unique, one-off hostnames and report which resolver ended up asking their authoritative server. If the resolvers shown belong to your ISP (or to anyone other than your VPN provider), you have a leak. Run the test with both IPv4 and IPv6 if your connection has both.
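
The leak-test site checks what actually left your machine. As an added example (not code from the page), the check below does the offline half of the job on a Linux-style system: it reads the resolver list that /etc/resolv.conf hands to applications and flags any server outside the VPN tunnel. The tunnel subnet (10.8.0.0/24) and the IPv4-only tunnel are assumptions you would replace with your VPN’s values; the resolv.conf contents are a constructed sample.

```python
import ipaddress

# Added example, not from the page. Assumptions: the VPN assigns 10.8.0.0/24
# and runs its resolver inside it; the tunnel carries IPv4 only.
TUNNEL_NETS = [ipaddress.ip_network("10.8.0.0/24")]   # assumed VPN subnet
VPN_HAS_IPV6 = False                                  # assumed: IPv4-only tunnel

# Constructed sample resolv.conf: a tunnel resolver, the home router, and an
# IPv6 resolver the ISP handed out over router advertisements.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search home.lan
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 2001:db8:cafe::53
options edns0
"""


def parse_nameservers(text: str) -> list[str]:
    """Collect 'nameserver' entries in order; glibc uses at most the first three."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify(server: str, tunnel_nets=TUNNEL_NETS, vpn_has_ipv6=VPN_HAS_IPV6) -> str:
    """tunnel: inside the VPN subnet; stub: local daemon such as systemd-resolved
    (127.0.0.53), whose upstream must be checked separately; leak: anything else."""
    addr = ipaddress.ip_address(server)
    if addr.is_loopback:
        return "stub"
    if addr.version == 6 and not vpn_has_ipv6:
        return "leak"  # IPv6 resolver while the tunnel only carries IPv4
    if any(addr in net for net in tunnel_nets):
        return "tunnel"
    return "leak"


def leak_report(text: str, tunnel_nets=TUNNEL_NETS, vpn_has_ipv6=VPN_HAS_IPV6) -> dict[str, str]:
    return {s: classify(s, tunnel_nets, vpn_has_ipv6) for s in parse_nameservers(text)}


def has_leak(text: str, tunnel_nets=TUNNEL_NETS, vpn_has_ipv6=VPN_HAS_IPV6) -> bool:
    """Any resolver outside the tunnel is a leak: the resolver library walks the
    list on timeout, so a second entry pointing at the ISP is not harmless."""
    return "leak" in leak_report(text, tunnel_nets, vpn_has_ipv6).values()


if __name__ == "__main__":
    print("sample:", leak_report(SAMPLE_RESOLV_CONF), "leak" if has_leak(SAMPLE_RESOLV_CONF) else "ok")
    try:
        with open("/etc/resolv.conf") as fh:
            live = fh.read()
        print("this host:", leak_report(live), "leak" if has_leak(live) else "ok")
    except OSError as exc:
        print("no /etc/resolv.conf to read:", exc)
```

On macOS the file is not authoritative (use `scutil --dns`), and on Windows each interface carries its own resolver list, which is exactly what the “Smart Multi-Homed Name Resolution” leak exploits; the classification logic is the same, only the source of the list differs.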


Encrypted DNS Solutions

Two main protocols now encrypt DNS traffic:

DNS over HTTPS (DoH)

Sends DNS queries inside ordinary HTTPS connections (port 443). Because it travels with normal web traffic, it cannot be blocked by port alone; a network that wants to stop it has to block the resolver’s IP addresses or hostnames instead.

Pros:

  • Encrypts DNS queries
  • Blends in with HTTPS, so it is harder to block
  • Supported by major browsers

Cons:

  • Extra TLS and HTTP handshake on the first query (later queries reuse the connection)
  • Centralizes DNS with the browser’s chosen provider

DNS over TLS (DoT)

Wraps ordinary DNS-over-TCP messages in TLS on a dedicated port (853). Normally configured at the operating-system or router level rather than inside a browser.

Pros:

  • Encrypts DNS queries
  • Works system-wide (all apps)
  • Easy for network admins to identify as DNS and to monitor in aggregate

Cons:

  • Easy to block (distinct port)
  • No browser support; browsers implement DoH instead

Privacy-Focused DNS Providers

These providers log little or nothing and publish a policy saying so:

Provider       Primary DNS     Privacy Policy
Cloudflare     1.1.1.1         Limited logs purged within 25 hours, client IPs not retained, independently audited
Quad9          9.9.9.9         Does not log client IP addresses; blocks known malware domains
NextDNS        Custom          Per-account address; logging is optional and user-controlled; highly customizable
AdGuard DNS    94.140.14.14    Does not log personal data; blocks ads and trackers
Mullvad DNS    194.242.2.2     No logging; DoH/DoT only (no plain port 53); filtering variants available

The 100.64.0.1 address sometimes listed for Mullvad is its in-tunnel resolver and only works while connected to Mullvad VPN.

Avoid: Google Public DNS (8.8.8.8) keeps temporary logs that include your IP address (deleted within 24 to 48 hours, according to Google) plus permanent logs with the IP removed. Your ISP’s default DNS typically logs everything with no published retention limit.


How to Change Your DNS

On Windows 11

  1. Settings → Network & Internet → WiFi (or Ethernet)
  2. Click your connection → Edit (next to DNS server assignment)
  3. Change from Automatic to Manual
  4. Enable IPv4 and enter:
    • Preferred DNS: 1.1.1.1 (or your choice)
    • Alternate DNS: 1.0.0.1
    • DNS over HTTPS: On (automatic template); leave “Fallback to plaintext” unticked if you would rather have lookups fail than go out unencrypted
  5. If the connection has IPv6, repeat for IPv6 (Cloudflare: 2606:4700:4700::1111 and 2606:4700:4700::1001), otherwise IPv6 lookups still go to the ISP
  6. Save

On macOS

  1. System Settings → Network → WiFi → Details
  2. Go to DNS tab
  3. Click + to add DNS servers
  4. Enter 1.1.1.1 and 1.0.0.1
  5. Click OK

This tab sets plain, unencrypted DNS only. macOS has no switch here for DoH or DoT; to encrypt, install an encrypted-DNS configuration profile (many providers publish one) or use a VPN that handles DNS.

On Your Router (Protects All Devices)

  1. Access your router’s admin panel (usually 192.168.1.1 or 192.168.0.1; the address is printed on the router’s label)
  2. Find DNS settings (often under WAN, Internet, or DHCP)
  3. Replace ISP DNS with your preferred servers
  4. Save and restart router

Most consumer routers only forward plain DNS, so this changes who answers your queries but not whether they are encrypted. Look for a DoT or DoH option in the router’s DNS settings; if there is none, enable encrypted DNS on each device as well.

In Your Browser (DoH)

Firefox: Settings → Privacy & Security → DNS over HTTPS → Enable

Chrome: Settings → Privacy & Security → Security → Use secure DNS → Choose a provider

Edge: Settings → Privacy, search, and services → Security → Use secure DNS


DNS and VPNs

Most quality VPNs run their own DNS servers and automatically route your DNS through the VPN tunnel. This provides:

  • DNS queries encrypted with VPN traffic
  • No DNS leaks (if configured properly)
  • DNS requests not logged (with no-log VPNs)

If you’re using a VPN, you usually don’t need to separately configure encrypted DNS – the VPN handles it. But check for DNS leaks to confirm.


Frequently Asked Questions

Does changing DNS make my internet faster?

Possibly. If your ISP’s DNS is slow, switching to Cloudflare (1.1.1.1) or Google (8.8.8.8) may improve DNS lookup times. However, this only affects the initial lookup – actual download speeds depend on your internet plan.

Does encrypted DNS replace a VPN?

No. Encrypted DNS hides your DNS queries, but your ISP still sees the IP address of every server you connect to and, for most HTTPS connections, the hostname in the TLS handshake (SNI). A VPN encrypts everything between you and the VPN server, so your ISP sees only the tunnel; the VPN provider then sees what your ISP used to. For complete privacy you need a trustworthy VPN with proper DNS leak protection; encrypted DNS alone is a partial measure.

Can DNS block ads and trackers?

Yes! Some DNS providers (AdGuard, NextDNS) and self-hosted resolvers (Pi-hole) block known ad and tracker domains at the DNS level. When your device requests “ad-server.com” (or any name under it), the resolver answers with a sinkhole address such as 0.0.0.0, or NXDOMAIN, instead of the real IP, so the ad never loads. This covers every device pointed at that resolver without installing software on each one (Pi-hole itself runs on one machine on your network). It cannot block ads served from the same domain as the content, which is why browser ad blockers still have a role.
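
The one detail worth getting right in a DNS-level blocker is the matching rule. As an added example (not the page’s or any project’s code), the Python below does the whole-label suffix match that Pi-hole-style blockers perform: a listed domain covers every name beneath it, but not names that merely end in the same characters. The blocklist entries are constructed samples and the upstream resolver is passed in as a callable.

```python
# Added example, not from the page. Constructed blocklist; the upstream
# resolver is any callable that maps a name to an address.
BLOCKLIST = {"ad-server.com", "tracker.example", "metrics.analytics.net"}
SINKHOLE = "0.0.0.0"   # AdGuard/Pi-hole default; some setups return NXDOMAIN instead


def normalize(name: str) -> str:
    """Trim the trailing dot and fold case; DNS names compare case-insensitively."""
    return name.rstrip(".").lower()


def blocked_by(name: str, blocklist=BLOCKLIST):
    """Return the blocklist entry covering name, matching on whole labels only:
    'cdn.tracker.example' is blocked by 'tracker.example', 'nottracker.example' is not."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve(name: str, upstream, blocklist=BLOCKLIST) -> str:
    """Sinkhole blocked names; otherwise forward to the upstream resolver."""
    if blocked_by(name, blocklist):
        return SINKHOLE
    return upstream(normalize(name))


if __name__ == "__main__":
    fake_upstream = {"www.google.com": "142.250.185.206"}.get   # constructed stand-in
    for n in ("www.google.com", "cdn.tracker.example", "nottracker.example", "AD-SERVER.COM."):
        print(n, "->", blocked_by(n), resolve(n, lambda q: fake_upstream(q, "unresolved")))
```

The per-label loop is O(depth) per query rather than a scan of the whole list, which is what makes a set of a million entries usable on a small device.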

Is Google DNS (8.8.8.8) private?

No. Google Public DNS keeps temporary logs that include your IP address (deleted within 24 to 48 hours, according to Google) and permanent logs with the IP removed, which it uses for analytics. For privacy, use Cloudflare (1.1.1.1), Quad9 (9.9.9.9), or another provider with a published minimal-logging policy.

Should I use DoH or DoT?

For most users, DoH is more practical – it’s built into browsers and harder to block. DoT is better if you want system-wide encrypted DNS on a device that supports it (Android 9+ via the Private DNS setting, some routers). Windows 11 supports DoH system-wide, and iOS 14+ / macOS 11+ support both DoH and DoT through configuration profiles. Both protocols provide the same encryption; the difference is the transport and where you configure it.


Summary

  • DNS translates domain names to IP addresses – essential for internet to work
  • Traditional DNS is unencrypted – your ISP and network operators see every site you visit
  • DNS leaks can expose your browsing even when using a VPN
  • Encrypted DNS (DoH/DoT) protects your queries from eavesdropping
  • Privacy-focused providers like Cloudflare (1.1.1.1) and Quad9 (9.9.9.9) keep little or no query data and say so in a published policy
  • A good VPN handles DNS automatically – but verify there are no leaks
