DNS is the internet’s address book. Every time you visit a website, your device asks a recursive resolver to translate the domain name into an IP address. For three decades that lookup happened over UDP port 53 in clear text. Anyone in a position to observe the traffic (your ISP, your employer’s network, the airport Wi-Fi, the country-level firewall, an attacker on the same coffee-shop network) could see every domain you queried.
The transition to encrypted DNS that has played out from 2016 to 2026 is one of the most important and least-discussed privacy improvements of the modern internet.
What unencrypted DNS reveals
A list of DNS queries from a single device is a remarkably detailed record of activity. It reveals:
Every website you visit, including subdomains that often encode functional information.
Every app’s backend services. Banking apps query bank APIs; dating apps query their analytics endpoints; news apps query their CDNs.
The timing of activity. When you wake up, when you go to bed, when you watch streaming, when you start work.
Health-related and other sensitive lookups, in plain text.
The Princeton Web Transparency study and various ISP transparency reports have made clear that ISPs in many countries log DNS queries by default, and that those logs are commercially and politically valuable. Verizon’s DNS-based advertising program, Comcast’s DNS error pages with sponsored ads, and the broader history of "DNS hijacking" by ISPs to insert content all underline the point: DNS is a high-value surveillance signal.
DoT and DoH
The two practical encryption standards:
DNS over TLS (DoT). RFC 7858, published in May 2016. Wraps DNS queries in a TLS connection on TCP port 853. Network operators can see that you are doing encrypted DNS but not what you are looking up. DoT is widely supported in operating systems (Android since 9, iOS since 14, Windows 11, modern Linux distributions through systemd-resolved or stubby).
DNS over HTTPS (DoH). RFC 8484, published in October 2018. Wraps DNS queries in HTTPS on TCP port 443, indistinguishable from regular web traffic. Browsers (Firefox, Chrome, Edge, Safari to varying degrees) implement DoH directly; operating systems also support it.
The functional difference is mostly visibility. DoT runs on a dedicated port and is identifiable as DNS traffic; DoH blends in with HTTPS. The privacy properties are otherwise similar.
DNS over QUIC (DoQ), specified in RFC 9250, is the same idea over QUIC and is gaining adoption.
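What the DoH paragraph above describes on the wire, as an added example in Python (not code from the original article): RFC 8484 leaves the DNS message exactly as classic DNS sends it and only changes the transport, so a client builds the RFC 1035 query, base64url-encodes it into the GET URL, and parses the ordinary wire-format answer that comes back. The resolver hostname doh.example and the response bytes are constructed for illustration; the encoded query for www.example.com is the same string RFC 8484 uses in its own GET example.

```python
import base64
import struct

# RFC 8484 sends the unmodified RFC 1035 wire-format message over HTTPS: base64url without padding
# in the "dns" GET parameter, or as a POST body, media type application/dns-message. Host is a placeholder.
DOH_URL = "https://doh.example/dns-query?dns={}"

def build_query(name: str, qtype: int = 1) -> bytes:
    """ID 0 (RFC 8484 recommends it so equal questions give equal, cacheable URLs), RD=1, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(query: bytes) -> str:
    """Encode the query as RFC 8484 section 4.1.1 specifies for the GET form."""
    return DOH_URL.format(base64.urlsafe_b64encode(query).rstrip(b"=").decode())

def parse_name(msg: bytes, off: int):
    """Read a possibly compressed name (RFC 1035 section 4.1.4); return (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier occurrence of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [parse_name(msg, ptr)[0].rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_a_records(resp: bytes):
    """Return (owner, ttl, ipv4) for every A record in the answer section."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section (name + QTYPE + QCLASS)
        off = parse_name(resp, off)[1] + 4
    records = []
    for _ in range(an):
        owner, off = parse_name(resp, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            records.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return records

def build_sample_response(query: bytes, ipv4: str, ttl: int) -> bytes:
    """Constructed resolver reply (no network): echo the question, one A record, owner = pointer to offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1 RCODE=NOERROR
    return header + query[12:] + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ipv4.split("."))
```

Because the message format is unchanged, the same parser works for answers received over plain UDP, DoT or DoH; only the encryption of the channel differs.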
What encrypted DNS does and does not do
It encrypts the query content from the local network and ISP. They no longer see what you are looking up.
It does not hide the destination. Your subsequent connection to the resolved IP address is still visible. The destination IP often reveals which service you are connecting to even without the DNS query.
It does not hide the SNI. The TLS handshake to the destination includes Server Name Indication in clear text by default, so the same domain name leaks again at the TLS layer. Encrypted SNI (ESNI) and its successor Encrypted Client Hello (ECH) address this; see below.
It moves trust from your ISP to your DNS resolver. Whoever operates your encrypted DNS resolver now sees what your ISP used to see. This is a real consideration; resolver choice matters.
Choosing a resolver
Major public encrypted-DNS resolvers in 2026:
Cloudflare 1.1.1.1. The largest privacy-marketed public resolver. Audited by KPMG annually; published privacy policy commits to no logging of queries beyond 25 hours of operational data. Available at 1.1.1.1.
Google Public DNS (8.8.8.8). Large, fast, well-engineered. Logs more than Cloudflare; the data is used for Google’s own infrastructure rather than advertising. Privacy policy at developers.google.com/speed/public-dns/privacy.
Quad9 (9.9.9.9). Operated by a Swiss non-profit foundation. Includes malware-domain blocking by default. Strong jurisdictional positioning. At quad9.net.
NextDNS (configurable). Customer-customisable filtering, blocklists, parental controls. Free tier with usage limits; paid tiers for more. At nextdns.io.
AdGuard DNS. Filtering-focused; blocks ads and trackers at the DNS layer. At adguard-dns.io.
Mullvad DNS. Privacy-first; no logging; no business model that benefits from queries. Standalone DNS service from the VPN provider. At mullvad.net/en/help/dns-over-https-and-dns-over-tls.
ISP-operated and country-level resolvers vary widely. Some (Deutsche Telekom’s, Swisscom’s) have credible privacy practices. Others have documented histories of monitoring or hijacking.
The key question: who do you trust more with your DNS log, your ISP or the resolver provider? In most jurisdictions, an audited foreign provider with explicit no-logging policies is a meaningful upgrade over a domestic ISP.
The SNI problem and ECH
Encrypted DNS solved the most visible leak. The TLS handshake itself contained another. The Server Name Indication extension, used by virtually every modern HTTPS site, sent the destination domain in clear text in the initial ClientHello.
Encrypted Client Hello (ECH), specified through draft-ietf-tls-esni and now nearing finalisation, encrypts the entire ClientHello using a public key fetched from DNS via an HTTPS resource record. The result: the domain name is no longer leaked at the TLS layer.
Cloudflare and Mozilla have implemented ECH in production; Chrome’s support has been on-and-off as the spec evolved. As of 2026, ECH is rolling out broadly but not universally; an unencrypted SNI is still common across the web for sites that have not configured the necessary DNS records and TLS support.
When ECH is fully deployed alongside encrypted DNS, the network observer’s visibility into your activity drops dramatically: they see only that you connected to some IP address, not which domain or service.
Practical setup
For most users:
Enable encrypted DNS at the OS level. iOS Settings → Wi-Fi → DNS Configuration; Android Settings → Network → Private DNS; Windows 11 Settings → Network → DNS encryption. Pick a credible resolver from the list above.
For browsers, encrypted DNS at the application level is also available. Firefox enables DoH by default in many regions; Chrome can be configured via Settings → Privacy → Use secure DNS.
For network-wide deployment, run a DNS forwarder like Pi-hole, AdGuard Home, or Unbound that itself uses DoT or DoH upstream. This puts encrypted DNS on every device on the network without per-device configuration.
For ECH, ensure your browser is current and your destination sites have ECH configured. Most users do not need to do anything specific; the support is automatic where available.
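A forwarder configuration of the kind the network-wide deployment paragraph describes, as an added example rather than the article’s own: Unbound answers the LAN over ordinary port-53 DNS and forwards every query upstream over DoT to the Quad9 and Cloudflare resolvers listed earlier, validating their certificates. The listening address, LAN range and CA bundle path are assumptions for a typical Linux host; the weak variant to avoid is shown in a comment.

```conf
server:
    # Answer the LAN's plain port-53 queries (address and range are assumptions)
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    # CA bundle used to validate the upstream resolvers' TLS certificates
    # (Debian/Ubuntu path; adjust for your distribution)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    # All upstream queries go over TLS on port 853 and the certificate must match the
    # name after '#'. Weak variant: "forward-addr: 9.9.9.9" with no forward-tls-upstream
    # sends the same queries in clear text on port 53, and the ISP sees every lookup again.
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```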
The contested politics
Encrypted DNS has been opposed in several jurisdictions:
UK ISPs and content-blocking. The UK’s voluntary content-blocking system (for child-protection and copyright reasons) operates through DNS at the ISP level. Encrypted DNS bypasses ISP-level blocks; the UK government has at various points considered limiting it. The Internet Watch Foundation has publicly engaged with browser vendors on the question.
China’s Great Firewall. China actively blocks public DoH/DoT resolvers and has experimented with detection and blocking of ECH traffic. Encrypted DNS does not solve the censorship problem on its own.
Russia’s "sovereign internet." Similar to China; mandatory use of state-controlled DNS resolvers. Encrypted DNS to outside resolvers is at risk of blocking.
Enterprise environments. Some organisations want to inspect DNS for security purposes (DNS-based threat detection). Encrypted DNS to external resolvers bypasses this; the enterprise response is to operate internal encrypted DNS resolvers and require their use through configuration.
The state in 2026
Encrypted DNS is now the default in major browsers and modern operating systems. Adoption is incomplete (many corporate networks, many older devices, many countries with regulatory pushback), but the trend is clear and continuing.
ECH adoption is meaningful and accelerating. The combination of encrypted DNS plus ECH plus HTTPS finally produces what most users have always assumed encrypted browsing meant: a network observer can see that you are using the internet, but not what specifically you are doing.
This is one of the privacy victories of the modern era. It is not complete; it is real and worth using.
