⚠️ Disclaimer

No service is endorsed. This is educational content only. DNS providers can log queries and may be compelled to cooperate with law enforcement. Jurisdiction matters - consider where DNS providers are located. Always research current practices and consider your specific threat model.

Why DNS Privacy Matters

Unencrypted DNS (Domain Name System) queries reveal the domain name of every website you visit to your ISP and potentially other third parties. Without DNS privacy:

  • ISPs can log and sell your browsing history
  • Government surveillance can track your internet activity
  • Malicious actors can intercept and modify DNS responses
  • Your location and browsing patterns can be correlated
  • Censorship can be implemented through DNS blocking

💡 DNS-over-HTTPS (DoH) & DNS-over-TLS (DoT)

These protocols encrypt DNS queries in transit, preventing ISPs and network monitors from reading which names you look up. However, the DNS provider still sees every query and can log it, so choosing a privacy-focused provider is crucial.

Recommended DNS Providers

Quad9

★★★★★

Address: 9.9.9.9 / 149.112.112.112

Strengths: No logging, malware blocking, Swiss jurisdiction

Weaknesses: Potential performance impact

Best For: Privacy-conscious users, families

Cloudflare

★★★★☆

Address: 1.1.1.1 / 1.0.0.1

Strengths: Very fast, no logging policy, global network

Weaknesses: US jurisdiction, corporate entity

Best For: Speed-focused users, general use

DNS.Watch

★★★★☆

Address: 84.200.69.80 / 84.200.70.40

Strengths: No logging, Germany-based, uncensored

Weaknesses: Smaller network, less performance

Best For: European users, privacy maximalists

NextDNS

★★★★☆

Address: Customizable

Strengths: Customizable filtering, analytics, privacy controls

Weaknesses: Freemium model, US-based

Best For: Power users, custom filtering needs

OpenDNS

★★☆☆☆

Address: 208.67.222.222 / 208.67.220.220

Strengths: Family filtering, malware protection

Weaknesses: Owned by Cisco, data collection

Best For: Families (with privacy tradeoffs)

AdGuard DNS

★★★★☆

Address: 94.140.14.14 / 94.140.15.15

Strengths: Ad blocking, no logging, multiple variants

Weaknesses: Russian company, jurisdiction concerns

Best For: Ad blocking, non-sensitive browsing

DNS Configuration Methods

Router-Level DNS

Advantages

  • Protects all devices on your network
  • Single point of configuration
  • Works with IoT devices
  • Consistent across all devices

Configuration Steps

  1. Access router admin panel (usually 192.168.1.1 or 192.168.0.1)
  2. Find DNS settings (often under WAN or Internet settings)
  3. Replace ISP DNS with privacy-focused provider
  4. Save settings and reboot router
  5. Test with DNS leak test tools

Device-Level DNS

Windows Configuration

  1. Open Settings → Network & Internet → Change adapter options
  2. Right-click your connection → Properties
  3. Select "Internet Protocol Version 4 (TCP/IPv4)"
  4. Click Properties → Use the following DNS server addresses
  5. Enter preferred DNS addresses
  6. Click OK and restart network connection

macOS Configuration

  1. Open System Preferences → Network
  2. Select your connection → Advanced
  3. Click DNS tab
  4. Remove existing DNS servers (- button)
  5. Add new DNS servers (+ button)
  6. Click OK → Apply

iOS Configuration

  1. Settings → Wi-Fi → Tap (i) next to network
  2. Scroll down to DNS
  3. Tap "Configure DNS"
  4. Select "Manual"
  5. Remove existing servers and add new ones
  6. Tap Save

Android Configuration

  1. Settings → Network & Internet → Advanced → Private DNS
  2. Select "Private DNS provider hostname"
  3. Enter DNS provider hostname (e.g., 1dot1dot1dot1.cloudflare-dns.com)
  4. Tap Save

DNS-over-HTTPS (DoH) Configuration

Firefox DoH Setup

  1. Type about:preferences#general in address bar
  2. Scroll to Network Settings → Settings
  3. Check "Enable DNS over HTTPS"
  4. Select provider or use custom URL
  5. Click OK

Chrome DoH Setup

  1. Settings → Privacy and security → Security
  2. Turn on "Use secure DNS"
  3. Select provider or enter custom DNS address
  4. Chrome will automatically use DoH if available

Advanced DNS Privacy

DNS Filtering and Blocking

  • Pi-hole: Network-wide ad blocking via DNS
  • AdGuard Home: Self-hosted DNS filtering
  • NextDNS: Cloud-based custom filtering
  • Custom filters: Block tracking, malware, ads

DNS-over-Tor

  • Route DNS queries through Tor network
  • Maximum anonymity for DNS queries
  • Higher latency but better privacy
  • Use with tools like dnscrypt-proxy

DNS Security Considerations

DNS Logging

Even "no-log" DNS providers may be compelled to start logging or may have hidden logging practices. Consider using multiple providers or Tor.

DNS Blocking

Authoritarian regimes may block certain DNS providers. Have backup providers and consider using Tor for DNS queries.

DNS Leaks

VPNs may leak DNS queries, revealing your browsing despite VPN use. Always configure DNS to match your threat model.

DNS Hijacking

Malicious actors may redirect DNS queries to malicious servers. Use DNSSEC validation and multiple DNS sources.

Testing DNS Configuration

DNS Leak Testing

  • dnsleaktest.com: Check for DNS leaks
  • ipleak.net: Comprehensive IP and DNS leak testing
  • whoer.net: DNS and privacy testing
  • Command line: Use nslookup or dig to see which resolver answers your queries
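A local complement to the online leak tests, as an added example that is not part of the original guide: it audits the nameserver lines of a Unix-style resolv.conf against the provider addresses listed in this guide and flags resolvers you did not choose. The function names, verdict labels and sample file are assumptions made for illustration; it only sees the system resolver configuration, not apps that bypass system DNS.

```python
import ipaddress

# Resolver addresses of the no-logging providers listed in this guide.
INTENDED = {
    "9.9.9.9": "Quad9", "149.112.112.112": "Quad9",
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "84.200.69.80": "DNS.Watch", "84.200.70.40": "DNS.Watch",
    "94.140.14.14": "AdGuard DNS", "94.140.15.15": "AdGuard DNS",
}
# Ranges that mean "a box on my own LAN", typically the router.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

def classify(raw: str) -> str:
    """Say what a configured nameserver address implies for DNS privacy."""
    try:
        addr = ipaddress.ip_address(raw.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return "invalid"
    if str(addr) in INTENDED:
        return "ok: " + INTENDED[str(addr)]
    if addr.is_loopback:
        return "local-stub"   # e.g. systemd-resolved, Pi-hole or Unbound: audit its upstream
    if any(addr.version == n.version and addr in n for n in LAN_NETS):
        return "lan-router"   # privacy now depends on the router-level DNS setting
    return "unexpected"       # likely an ISP or DHCP-supplied resolver

def audit_resolv_conf(text: str) -> list:
    """Return (address, verdict) for each nameserver line of a resolv.conf."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            findings.append((fields[1], classify(fields[1])))
    return findings

# Constructed sample, not read from a real host.
SAMPLE_RESOLV_CONF = """\
nameserver 9.9.9.9
nameserver 192.168.1.1
nameserver 127.0.0.53
nameserver 203.0.113.53   # handed out by DHCP
search lan
"""

if __name__ == "__main__":
    for addr, verdict in audit_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"{addr:16} {verdict}")
```

To audit a real host, pass the contents of /etc/resolv.conf to audit_resolv_conf; a "local-stub" or "lan-router" verdict means the check has to continue on that stub or router.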

Performance Testing

  • namebench: Google's DNS benchmarking tool
  • DNSPerf: Real-world DNS performance data
  • GRC DNS Benchmark: Windows DNS testing tool

Self-Hosted DNS Solutions

Pi-hole Setup

  1. Install on Raspberry Pi or Linux server
  2. Configure as network DNS server
  3. Add blocklists for ads and tracking
  4. Monitor DNS queries and blocks
  5. Use DoH/DoT for upstream queries

Unbound DNS Server

  • Recursive DNS server with privacy focus
  • No reliance on third-party DNS providers
  • DNSSEC validation built-in
  • Can be combined with Pi-hole
  • Maximum privacy but requires maintenance

Mobile DNS Privacy

Mobile-Specific Considerations

  • Carrier DNS: Mobile carriers often use their own DNS
  • Wi-Fi vs. Cellular: Different DNS servers on different networks
  • App bypassing: Some apps may bypass system DNS
  • Battery impact: Encrypted DNS may affect battery life

Mobile DNS Apps

  • 1.1.1.1 (Cloudflare): Easy DoH/DoT setup
  • NextDNS: Customizable filtering
  • AdGuard: Ad blocking and DNS filtering
  • Quad9 Connect: Secure DNS with malware protection

Quick Start Guide

Immediate Actions (5 minutes)

  1. Change device DNS to Quad9 (9.9.9.9) or Cloudflare (1.1.1.1)
  2. Test DNS change with dnsleaktest.com
  3. Enable DoH in Firefox
  4. Configure secure DNS on mobile device

This Week

  1. Configure router-level DNS for network protection
  2. Set up DNS filtering (Pi-hole or NextDNS)
  3. Test DNS performance and privacy
  4. Configure all devices with secure DNS
  5. Set up backup DNS providers

Next Steps

DNS privacy is one layer of comprehensive internet security. Related guides: VPN Strategy, Tor Basics.