Quick question: When you type a website into your browser, who actually sees that first request?
You probably think it’s just you and the website. Maybe you see that little padlock icon (HTTPS) in the URL bar and think, “I’m safe. Nobody knows what I’m doing.”
Wrong.
That little padlock protects the content of what you are doing (your passwords, the video you’re watching), but it doesn’t protect the destination. Before you ever connect to a secure site, your computer has to ask where that site lives.
That lookup is a DNS query. And by default? You are shouting it across the room, in plaintext.
Your Internet Service Provider (ISP), the coffee shop Wi-Fi owner, and anyone sitting in between can see exactly who you are visiting. And that metadata, the “who”, is gold for advertisers.
Today, we’re going to fix that. We are going to turn that shout into a whisper using Encrypted DNS. It’s boring, it’s not flashy, but it is one of the most effective 2-minute privacy upgrades you can make.
The Problem: The “Phone Book” Leak
Think of DNS (Domain Name System) like the phone book of the internet. Computers don’t know what google.com is; they only know IP addresses (numbers).
- You type example.com.
- Your computer shouts: “Hey, what is the IP address for example.com?”
- A DNS resolver answers.
- Your computer connects.
The problem is step #2. By default, that shout is unencrypted text (plain UDP on port 53), and so is the answer that comes back. Even if the website itself is secure, the lookup isn’t.
Reputable ISPs take this data, aggregate it, bundle it into trends, and use it for advertising products. It passes audits, but it’s still your life’s data exhaust.
The Fix: Encrypted DNS (DoH and DoT)
You don’t need to memorize the acronyms, but here is the gist. We are going to force your device to send that lookup through an encrypted tunnel to a resolver you choose.
- DoH (DNS over HTTPS): Sends the lookup inside an ordinary HTTPS request on port 443, so it blends in with regular web traffic. Harder for networks to block.
- DoT (DNS over TLS): Uses a dedicated port (853) with TLS around the same DNS message. Clean and simple, but easy for a hostile network to block outright.
Instead of asking your ISP, “Where is this site?”, you are asking a trusted provider (like Cloudflare, Quad9, or NextDNS) inside a secure envelope. Your ISP sees an encrypted connection to that resolver, not the questions inside it. One honest caveat: the ISP still sees the IP addresses you then connect to and, on most sites today, the hostname in the TLS handshake (the SNI field), so this closes the DNS leak rather than making you anonymous. What it removes is the cheap, complete, every-lookup record that plaintext DNS used to hand them for free.
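To make the “secure envelope” concrete, here is a small added Python example (written for this post, not the page’s or any provider’s own code). It builds the exact 29-byte query a stub resolver sends for example.com and shows it three ways: as the raw bytes that plain DNS would put on the wire, framed for DoT, and encoded into a DoH GET URL; it also parses responses, including the NXDOMAIN failure case. The parsing is exercised on constructed sample responses so the block runs offline; only main() goes on the network, and it assumes Cloudflare’s public DoH endpoint https://cloudflare-dns.com/dns-query and DoT resolver 1.1.1.1:853 with the certificate hostname 1dot1dot1dot1.cloudflare-dns.com (the same hostname the Android section uses).

```python
"""One DNS query, three transports: plain UDP/53 (readable by anyone on the path),
DoT (TLS on 853) and DoH (HTTPS GET). Wire format per RFC 1035, DoH GET per RFC 8484."""
import base64
import socket
import ssl
import struct
import urllib.request

# Assumed real Cloudflare endpoints; used only by the live lookups below.
DOH_TEMPLATE = "https://cloudflare-dns.com/dns-query"
DOT_ADDRESS = "1.1.1.1"
DOT_SERVER_NAME = "1dot1dot1dot1.cloudflare-dns.com"  # name to verify on the resolver's certificate


def encode_name(name: str) -> bytes:
    """'example.com' -> 0x07 'example' 0x03 'com' 0x00 (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0, qtype: int = 1) -> bytes:
    """12-byte header with RD set, then the question. RFC 8484 suggests ID 0 for DoH so answers cache."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(template: str, query: bytes) -> str:
    """DoH GET: the same bytes ride in ?dns= as unpadded base64url."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template}?dns={b64}"


def dot_frame(query: bytes) -> bytes:
    """DoT (like DNS over TCP) prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(query)) + query


def _skip_name(buf: bytes, off: int) -> int:
    """Step over a name that may end in a compression pointer; return the next offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # pointer: two bytes, and the name ends here
            return off + 2
        off += 1 + length


def parse_a_records(response: bytes):
    """Return (rcode, [IPv4 strings]); rcode 0 is success, 3 is NXDOMAIN."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qdcount):  # question: name + qtype + qclass
        off = _skip_name(response, off) + 4
    addrs = []
    for _ in range(ancount):  # answer: name + type, class, ttl, rdlength + rdata
        off = _skip_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(socket.inet_ntoa(rdata))
    return flags & 0x000F, addrs


# Constructed sample responses (not captured from a real resolver) so the parser runs offline.
# 192.0.2.1 is a documentation address (TEST-NET-1), not example.com's real address.
SAMPLE_ANSWER = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # response, RD+RA, 1 question, 1 answer
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c"  # compression pointer back to the question name at offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)
SAMPLE_NXDOMAIN = (
    struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 0, 0)  # rcode 3: the name does not exist
    + encode_name("nonexistent.example") + struct.pack("!HH", 1, 1)
)


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def resolve_doh(name: str, template: str = DOH_TEMPLATE):
    """Live DoH lookup: an ordinary HTTPS GET carrying DNS wire format."""
    req = urllib.request.Request(doh_get_url(template, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())


def resolve_dot(name: str, address: str = DOT_ADDRESS, server_name: str = DOT_SERVER_NAME):
    """Live DoT lookup: TLS to port 853, certificate checked against the provider hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((address, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(dot_frame(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length))


if __name__ == "__main__":
    print("plain DNS bytes:", build_query("example.com").hex())
    print("DoH GET URL:   ", doh_get_url(DOH_TEMPLATE, build_query("example.com")))
    print("offline sample:", parse_a_records(SAMPLE_ANSWER), parse_a_records(SAMPLE_NXDOMAIN))
    print("live DoH:", resolve_doh("example.com"))  # the two live calls need network access
    print("live DoT:", resolve_dot("example.com"))
```

The point to notice is that nothing about the question changes between transports: the hex printed on the first line is exactly what a plaintext resolver would see, and DoH just tucks it into a URL parameter that rides inside TLS. The rcode returned by parse_a_records is the failure mode that matters when you turn fallback off later: an unreachable or refusing resolver produces an error you can see, instead of a quiet plaintext lookup.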
Here is how to lock this down on every device you own.
How to Enable Encrypted DNS
1. The Quickest Win: Your Browser (Chrome/Edge/Firefox)
If you only care about your web browsing on a laptop, start here. This only encrypts the browser’s own lookups; every other app on the machine still uses the system resolver. But it’s instant.
- Chrome / Edge:
- Go to Settings.
- Search for “Secure DNS”.
- Toggle it ON.
- Select a provider (like Cloudflare 1.1.1.1) or enter a custom one.
- Firefox:
- Go to Settings.
- Search for “DNS”.
- Enable “DNS over HTTPS” and pick a provider.
2. Windows 11 (System-Wide)
Windows 11 finally supports this natively. This covers your browser, your Spotify app, your games—everything.
- Open Settings > Network & internet.
- Click on your active network (Wi-Fi or Ethernet).
- Click Edit next to DNS server assignment.
- Switch to Manual.
- Turn on IPv4.
- Enter your provider’s IPs (e.g., for Cloudflare: 1.1.1.1 as Preferred and 1.0.0.1 as Alternate).
- If your connection has IPv6, turn on IPv6 as well and enter the provider’s IPv6 resolvers (Cloudflare: 2606:4700:4700::1111 and 2606:4700:4700::1001). Otherwise IPv6 lookups keep going to the ISP resolver in plaintext.
- Crucial Step: In the DNS over HTTPS dropdown below the Preferred/Alternate fields, select “On (automatic template)”. Windows only offers the automatic template for resolvers on its built-in list (Cloudflare, Google, Quad9); for anything else, choose “On (manual template)” and paste the provider’s DoH URL.
- Also make sure Fallback to plaintext is set to Off. With fallback on, Windows quietly drops back to unencrypted DNS whenever the DoH endpoint is unreachable, which is exactly the leak you are trying to close. To confirm it took, open https://1.1.1.1/help (if you picked Cloudflare), which reports whether your lookups are arriving over DoH; from PowerShell, Get-DnsClientDohServerAddress lists the DoH templates Windows knows about.
3. Android (The Easiest Method)
Android (9 and later) makes this incredibly easy with a feature called “Private DNS”, which is DNS over TLS. The default setting, “Automatic”, only upgrades to TLS if the network’s own resolver happens to support it, so pick a hostname explicitly.
- Open Settings.
- Go to Network & internet > Private DNS (the exact path varies by phone maker; searching Settings for “Private DNS” finds it).
- Select Private DNS provider hostname.
- Type the hostname of your provider:
  - Cloudflare: 1dot1dot1dot1.cloudflare-dns.com
  - Google: dns.google
  - NextDNS: your custom ID (e.g., YourID.dns.nextdns.io).
- Hit Save. Done.
4. iPhone / iPad (iOS)
Apple supports encrypted DNS (iOS 14 and later) via Configuration Profiles, so you don’t need an app running in the background draining your battery.
- Go to your chosen provider’s website (e.g., search “Cloudflare DNS profile” or “NextDNS”).
- Download the Configuration Profile.
- Go to iOS Settings, tap Profile Downloaded, and install it.
- It will now appear under Settings > General > VPN & Device Management.
Which Provider Should You Trust?
Remember, you are shifting trust. You are telling your ISP, “I don’t trust you with my data,” and telling a DNS provider, “I trust you instead.” Pick a provider with a solid track record.
| Provider | Best For… | The Details |
|---|---|---|
| Cloudflare (1.1.1.1) | Speed | Fast, minimal logging, privacy-focused. Great default. |
| Quad9 (9.9.9.9) | Security | Non-profit. Focuses heavily on blocking malicious domains. |
| NextDNS | Control | My personal favorite. Allows you to block ads, trackers, and view logs. Great for families. |
| Google (8.8.8.8) | Reliability | Massive scale, but it is corporate-backed. Read their privacy policy first. |
“Wait, isn’t a VPN better?”
I get this question a lot. “Sorin, why don’t I just use a VPN?”
A VPN and Encrypted DNS are different tools.
- VPN: Hides your IP address and your DNS. It tunnels everything.
- Encrypted DNS: Only hides the “lookup.” It does not hide your IP address from the website you visit.
The Reality: You can’t (or won’t) run a VPN 24/7 on every device. It breaks some streaming and banking apps, and it costs speed. Encrypted DNS is a “set it and forget it” layer that works on every device, every time, with no noticeable speed cost: one TLS handshake to the resolver, and the connection is reused for the lookups that follow.
The Takeaway & video version
Privacy isn’t about one giant move; it’s about layers.
By switching to Encrypted DNS, you stop leaking the “who you visit” to your ISP. It’s free, it takes two minutes, and it breaks (almost) nothing.
Go do this right now on your phone.
Thanks for reading, and I’ll see you in the next one.