
DNS Privacy

What your DNS queries reveal about you, and the encrypted protocols closing that gap

Your DNS queries are a browsing history

Every website you visit, every app you open, every email your client checks — each begins with a DNS query that reveals the destination in plaintext. Traditional DNS sends these queries over unencrypted UDP, meaning anyone on the network path can see exactly where you’re going.

This is not theoretical. Your DNS traffic creates a comprehensive profile of your behavior:

| Observer | What they see |
| --- | --- |
| Wi-Fi network operator | Every domain queried by every connected device |
| ISP | Complete DNS query history for every subscriber |
| Transit providers | DNS queries passing through their network |
| DNS resolver operator | Logs of all queries from users of that resolver |

A DNS query log reveals more than a browsing history. It shows when you woke up (first query of the day), which health conditions you’re researching, which political news you read, which dating apps you use, which smart home devices you own, and which streaming services you watch — all without requiring cookies, tracking pixels, or any client-side cooperation.

In many countries, ISPs can legally sell or share DNS query data with advertisers and data brokers. Even users who clear cookies, use private browsing, or block trackers still generate DNS queries visible to their ISP and resolver.

Encrypted DNS protocols

Three protocols exist to encrypt the link between your device and the DNS resolver. Each takes a different approach to the same problem.

DNS over TLS (DoT)

DoT wraps DNS in TLS on a dedicated port, TCP 853. The resolver is authenticated via its TLS certificate, and all queries are encrypted.

Adoption: DoT is the default encrypted DNS on Android 9+ through the “Private DNS” feature. Most major resolvers support it.

Limitation: Port 853 is easily identified and blocked by firewalls and censors. In countries with DNS-based censorship, DoT is often the first encrypted protocol to be blocked.

DNS over HTTPS (DoH)

DoH sends DNS queries as HTTPS requests on port 443 — the same port used by every HTTPS website. This makes DoH traffic indistinguishable from regular web browsing to network observers.

Adoption: Firefox enables DoH by default for US users (using Cloudflare). Chrome enables it if the system resolver supports it. Over 90% of US Firefox users now have DoH active.

Controversy: DoH moves DNS resolution into the browser, bypassing the operating system’s resolver. This means enterprise security policies, parental controls, and split-horizon DNS configurations that rely on the OS resolver can be circumvented. The UK’s Internet Services Providers’ Association (ISPA) nominated Mozilla as “Internet Villain of the Year” in 2019 over DoH — a nomination the ISPA later retracted after public backlash.

DNS over QUIC (DoQ)

DoQ uses the QUIC transport on UDP port 853, providing encryption without the head-of-line blocking that TCP-based transports suffer. It is the newest encrypted DNS protocol (RFC 9250, 2022) and performs within 2% of plain UDP DNS despite full encryption.

Adoption: Early but growing. AdGuard DNS and NextDNS support DoQ. Cloudflare’s 1.1.1.1 supports it. DoQ, DoH and DoT combined account for less than 14% of global DNS traffic as of 2024.
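The framing differences between the three protocols are small once you look at the bytes. The following added example (not code from the original page) builds a DNS query in RFC 1035 wire format, shows the domain an on-path observer recovers from the plaintext UDP payload described at the top of the page, and then wraps the identical message the way DoT (RFC 7858, two-byte length prefix inside TLS) and DoH (RFC 8484, base64url in the `dns` GET parameter) carry it. No packets are sent; all values are computed locally, and the transaction id is fixed at 0 for reproducibility.

```python
"""Added example (not from the original page): DNS wire format, what a passive
observer reads from plain UDP DNS, and the DoT / DoH framing of the same
message. Everything runs offline on constructed bytes."""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0, qtype: int = QTYPE_A) -> bytes:
    """Plain DNS query: 12-byte header plus one question section.
    txid=0 keeps the output deterministic; real clients randomise it."""
    # flags 0x0100 = standard query with recursion desired; QDCOUNT = 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def observed_qname(udp_payload: bytes) -> str:
    """What anyone on the path recovers from an unencrypted UDP DNS query:
    walk the labels of the first question and return the queried name."""
    pos = 12  # skip the fixed header
    labels = []
    while True:
        length = udp_payload[pos]
        pos += 1
        if length == 0:
            break
        labels.append(udp_payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def frame_for_dot(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing (RFC 7858): a 2-byte big-endian length
    prefix, with the whole stream then carried inside TLS on TCP port 853."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_path(msg: bytes, path: str = "/dns-query") -> str:
    """DoH GET form (RFC 8484): the wire message is base64url-encoded with
    padding stripped and passed as the 'dns' query parameter over HTTPS/443."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{path}?dns={encoded}"


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("plain UDP payload :", q.hex())
    print("observer reads    :", observed_qname(q))
    print("DoT frame         :", frame_for_dot(q).hex())
    print("DoH GET path      :", doh_get_path(q))
```

The `observed_qname` function is the whole privacy problem in a dozen lines: the name is right there in the payload, no decryption needed. The DoT and DoH helpers show that the encrypted protocols do not change the DNS message at all; they only change the channel it travels in, which is why the resolver at the far end still sees every query.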

What encrypted DNS does not protect

Encrypted DNS is not a VPN. It protects one specific link — the connection between your device and the resolver — but leaves other privacy gaps:

Server Name Indication (SNI): When your browser connects to a website over HTTPS, the TLS handshake includes the hostname in plaintext (so the server knows which certificate to present). Even with encrypted DNS, an observer can see which sites you visit by reading the SNI field. Encrypted Client Hello (ECH) is designed to fix this, but deployment is still early.
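To make the SNI leak concrete, here is an added example (not part of the original page) that constructs a minimal TLS ClientHello record carrying a Server Name Indication extension (RFC 6066) and then extracts the hostname the way a passive network monitor would. The bytes are built locally and nothing is transmitted; the 32-byte random is zeroed and a single cipher suite is used purely for determinism. A defender can point the same parser at their own captured traffic to confirm whether ECH is actually hiding hostnames.

```python
"""Added example (not from the original page): build a ClientHello with an SNI
extension and parse the hostname back out, as a passive observer would.
Constructed bytes only; no network I/O."""
import struct
from typing import Optional


def build_client_hello(hostname: str, include_sni: bool = True) -> bytes:
    """Minimal ClientHello TLS record. Random is zeroed and one cipher suite
    is offered so the output is reproducible."""
    if include_sni:
        name = hostname.encode("ascii")
        # ServerName: name_type 0 (host_name), 2-byte length, name bytes
        server_name = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(server_name)) + server_name
        sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    else:
        extensions = struct.pack("!H", 0)
    body = (
        b"\x03\x03"            # legacy client_version
        + bytes(32)            # random (zeroed here)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # compression_methods: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a ClientHello record, or None if the
    record is not a ClientHello or carries no server_name extension."""
    if len(record) < 5 or record[0] != 0x16:      # not a handshake record
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:                   # not a ClientHello
        return None
    pos = 4                                       # handshake type + 3-byte length
    pos += 2 + 32                                 # client_version + random
    pos += 1 + hs[pos]                            # session_id
    (cs_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2 + cs_len                             # cipher_suites
    pos += 1 + hs[pos]                            # compression_methods
    if pos + 2 > len(hs):
        return None                               # no extensions block at all
    (ext_total,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000 and len(data) >= 5:
            # data = 2-byte list length, name_type, 2-byte name length, name
            (name_len,) = struct.unpack("!H", data[3:5])
            return data[5:5 + name_len].decode("ascii")
    return None


if __name__ == "__main__":
    rec = build_client_hello("mail.example.org")
    print("record bytes :", rec.hex())
    print("observer sees:", extract_sni(rec))
```

Network security monitors such as Zeek and Suricata log exactly this field, which is useful for defenders and equally available to any other on-path observer. With ECH deployed, the real hostname moves into an encrypted inner ClientHello and this parser only sees the public name of the fronting server.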

IP addresses: Encrypting the DNS query does not hide where your device connects next. The resolver’s answer is an IP address, and the connection to that address is visible to the same on-path observers. Many IP addresses host only one website, so seeing a connection to that IP reveals the destination without needing DNS at all.

Traffic analysis: Timing patterns, packet sizes, and connection metadata can reveal visited sites even when both DNS and SNI are encrypted. A determined observer with access to your network traffic can often infer your browsing activity from these side channels.

The resolver still sees everything. Encrypting DNS protects against on-path observers (your ISP, Wi-Fi operator), but the resolver you send queries to sees every query in plaintext. You are shifting trust from your ISP to the resolver operator. Choosing a resolver with strong privacy commitments — Cloudflare (independent audits, no IP logging), Quad9 (non-profit, threat blocking), or a self-hosted resolver (Unbound, Pi-hole) — matters as much as enabling encryption.

The centralization concern

Encrypted DNS has an unintended side effect: it concentrates DNS traffic. When Firefox enables DoH for US users with Cloudflare as the default, millions of queries that were previously distributed across thousands of ISP resolvers now flow to a single provider.

Google and Cloudflare together handle approximately 50% of public DNS queries. If Google’s resolver experienced a prolonged outage, roughly 30% of the internet’s DNS lookups would fail — a concentration of risk that the original DNS architecture was designed to prevent.

This centralization also creates surveillance opportunities. A government that could compel Cloudflare or Google to share query logs would gain visibility into a much larger share of internet activity than any single ISP could provide.

The gap between DNS and web encryption

The contrast between web encryption and DNS encryption is stark:

| Technology | Adoption |
| --- | --- |
| HTTPS among top 1,000 websites | 96% |
| Encrypted DNS (DoH + DoT + DoQ) | ~14% |
| DNSSEC signing (.com/.net zones) | ~4–5% |
| DNSSEC validation by resolvers | ~34% |

HTTPS adoption happened because browsers started marking HTTP sites as “Not Secure” — a visible warning that motivated website operators to upgrade. DNS encryption lacks an equivalent forcing function. Users don’t see a warning when their DNS queries are unencrypted, and most don’t know what DNS is.

The gap is closing, but slowly. Browser defaults (Firefox DoH, Android Private DNS) are the most effective driver. Each time a major platform enables encrypted DNS by default, hundreds of millions of users gain protection without changing a single setting.

Choosing a privacy-respecting setup

The strongest privacy posture for DNS combines three elements:

  1. Use an encrypted protocol — DoH or DoT to prevent on-path observation.
  2. Choose a trustworthy resolver — one with a no-logging policy, independent audits, and a clear privacy commitment.
  3. Run your own resolver (optional) — deploying Unbound or Pi-hole with an upstream encrypted forwarder eliminates the need to trust any third party with your query data.

For most people, switching to Cloudflare 1.1.1.1 or Quad9 9.9.9.9 with encrypted transport enabled provides a meaningful privacy improvement over default ISP DNS with minimal configuration effort.