
Secure DNS: How to Encrypt Your DNS (DoH, DoT & DNSSEC Explained)

secure-os· Updated June 16, 2026· 9 min read #dns#privacy#encryption#doh#network

Every time you open a website, your device first asks a DNS resolver to translate the name (like example.com) into an IP address. By default that lookup travels unencrypted — anyone between you and the resolver can read it. Secure DNS closes that gap by encrypting the lookup so the network can no longer see, log, or tamper with the domains you visit. This guide explains how plain DNS leaks, what DoH, DoT and DNSSEC actually do, how to switch encrypted DNS on per platform, and which public resolvers are worth using.

The short answer

  • Plain DNS is a privacy hole. Classic DNS runs over port 53 in cleartext, so your ISP, public Wi-Fi, or anyone on the network can see every domain you look up.
  • Encrypt it with DoH or DoT. DNS over HTTPS (DoH) and DNS over TLS (DoT) both encrypt your DNS queries. Most browsers and operating systems support one or both today.
  • DNSSEC is different. DNSSEC authenticates responses to stop spoofing — but it does not encrypt them. Encryption (DoH/DoT) and authentication (DNSSEC) solve different problems; ideally you want both.
  • Pick a trustworthy resolver. Cloudflare (1.1.1.1), Quad9 (9.9.9.9), Mullvad DNS, NextDNS and AdGuard DNS all offer encrypted endpoints.
  • A VPN encrypts DNS too. A good VPN tunnels all your traffic, DNS included, so the lookup never leaks at the network level.

Why plain DNS is a problem

Classic DNS was designed in the 1980s with no privacy in mind. Queries go out in plaintext over UDP/TCP port 53, which means:

  • Your ISP can see and log every domain you resolve — even if the page itself is HTTPS, the name of the site you’re visiting is exposed at lookup time.
  • Anyone on the same network (public Wi-Fi, an office, a hotel) can passively watch your DNS traffic and build a picture of what you do online.
  • DNS can be tampered with. Without authentication, a network can return a wrong answer — sending you to a malicious or blocked server (DNS hijacking and censorship both rely on this).

HTTPS encrypts the contents of the pages you load, but it doesn’t hide which sites you ask for. Plain DNS does the leaking before the connection is even made. That’s the gap secure DNS is built to close.

Network cables plugged into a switch — by default your DNS lookups cross this hardware in cleartext, readable by anyone on the path.

DoH vs DoT: the two ways to encrypt DNS

Both DNS over HTTPS and DNS over TLS wrap your DNS queries in encryption so the network can’t read them. The difference is mostly how they travel:

  • DNS over TLS (DoT) runs DNS inside a TLS-encrypted connection on a dedicated port (853). Because it has its own port, a network administrator can easily see that you’re doing encrypted DNS (even if they can’t read it) and could block the port. Android’s “Private DNS” setting uses DoT.
  • DNS over HTTPS (DoH) sends DNS queries over a normal HTTPS connection (port 443), the same port used for all web traffic. This makes DoH harder to single out and block, because it blends in with ordinary web browsing. Most browsers implement DoH.

Neither is universally “better.” DoT is cleaner to manage on a network; DoH is harder to censor. For an individual who just wants their lookups hidden from the ISP and local network, either one is a big improvement over plain port-53 DNS.
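To make the transport difference concrete, here is an added example (not code from the original article): it encodes one DNS question in wire format, shows how DoH carries it as a base64url `dns=` GET parameter on port 443 (RFC 8484) and how DoT prefixes it with a two-byte length on a TLS stream to port 853 (RFC 7858), and parses a constructed response. The sample response and its TEST-NET address are constructed for the example; no resolver is contacted.

```python
import base64
import struue
```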

DNSSEC: authentication, not encryption

DNSSEC (DNS Security Extensions) is frequently confused with DoH/DoT, but it does something else entirely. DNSSEC adds cryptographic signatures to DNS records so your resolver can verify a response genuinely came from the authoritative source and wasn’t forged or modified in transit. It protects against DNS spoofing and cache poisoning.

The honest distinction:

  • DNSSEC = authentication. It proves the answer is genuine. It does not hide your queries — DNSSEC traffic is still readable by the network.
  • DoH/DoT = encryption. They hide your queries from the network. They don’t, by themselves, prove the answer is authentic.

They are complementary. A validating resolver reached over DoH or DoT gives you both: queries the network can’t read and answers it can’t forge.

How to turn on secure DNS, by platform

You can enable encrypted DNS in three places: your browser, your operating system, or your router. Setting it at the OS or router level covers more apps than the browser alone.

Browser

  • Firefox: Settings → Privacy & SecurityDNS over HTTPS. Choose a protection level and a provider (Cloudflare and NextDNS are built-in options).
  • Chrome / Edge: Settings → Privacy and securitySecurityUse secure DNS. You can keep your current provider or pick one from the list.

Browser DoH only protects DNS for that browser — other apps on the device still use the system resolver.

Windows 11

Windows 11 supports DoH natively: Settings → Network & internet → your connection → DNS server assignment → Edit, set DNS to Manual, enter your resolver’s IP, and set DNS over HTTPS to On (automatic template) for a supported provider.

Android

Android has built-in Private DNS, which uses DoT: Settings → Network & internet → Private DNS → Private DNS provider hostname, then enter the provider’s hostname (for example dns.quad9.net or your NextDNS/AdGuard hostname). This applies system-wide.

iOS and macOS

Apple doesn’t expose encrypted DNS in the standard settings UI, but it supports it through configuration profiles (a .mobileconfig file) using DoH or DoT. Providers like NextDNS, Quad9 and AdGuard distribute ready-made profiles you install once; the setting then applies system-wide.

Router

Setting encrypted DNS on your router covers every device on the network, including ones that can’t be configured individually (smart TVs, IoT devices). Support varies by router firmware — many modern routers and firmware like OpenWrt can forward DNS over DoT/DoH to an upstream resolver.

These are well-known public resolvers that offer encrypted (DoH/DoT) endpoints. Pick based on what you value — speed, malware filtering, or customization. Don’t over-think it: any of them beats your ISP’s default plaintext DNS.

  • Cloudflare (1.1.1.1 / 1.0.0.1) — a widely used resolver known for being fast, with a privacy-focused stance. A 1.1.1.1 app and DoH/DoT endpoints are available.
  • Quad9 (9.9.9.9) — a Swiss non-profit resolver that blocks known malicious domains using threat-intelligence feeds. A solid default if you want security filtering built in.
  • Mullvad DNS — public encrypted DNS run by the privacy-focused VPN provider Mullvad, with optional ad/tracker/malware-blocking variants. No account required for the public resolver.
  • NextDNS — a highly customizable resolver: you create a configuration and choose your own blocklists, logging, and rules. Has a free tier with a monthly query allowance.
  • AdGuard DNS — offers resolvers that block ads and trackers at the DNS level, with encrypted endpoints, alongside a non-filtering option.

A note on honesty: real-world DNS speed depends heavily on your location and network, so treat any single “fastest resolver” claim with skepticism — the right choice is the one whose trust model and filtering match your needs.

Where a VPN fits in

Encrypted DNS hides your lookups, but a VPN goes further: it encrypts all your traffic — DNS included — inside a single tunnel to the VPN server, so your ISP and local network can’t see the domains you resolve or what you do afterward. A well-built VPN also routes DNS through its own resolvers inside the tunnel, which prevents DNS leaks (the failure mode where your device quietly falls back to the ISP’s plaintext DNS).

Frequently asked questions

What is secure DNS? Secure DNS means encrypting your DNS lookups (usually with DoH or DoT) so the network between you and the resolver can’t read, log, or tamper with the domains you visit. Plain DNS sends those lookups in cleartext on port 53.

Is DoH or DoT better? They encrypt DNS equally well; the difference is the channel. DoH uses port 443 (the normal HTTPS port), which makes it harder for a network to single out and block. DoT uses a dedicated port (853), which is easier to manage but also easier to spot and block. For privacy from your ISP, either is a big improvement.

Does DNSSEC encrypt my DNS? No. DNSSEC authenticates DNS responses to prevent spoofing, but it does not encrypt them — the network can still see your queries. For privacy you need DoH or DoT; for authenticity you need DNSSEC. They’re complementary.

Is changing my DNS resolver enough for privacy? It’s a real improvement — your queries become encrypted and your ISP can’t log them — but it only covers DNS. The rest of your traffic (and which IPs you connect to) is still visible at the network level. A VPN encrypts everything, including DNS, in one tunnel.

Which secure DNS resolver should I use? Quad9 if you want malware-blocking from a non-profit, Cloudflare for a fast general-purpose resolver, NextDNS or AdGuard if you want to customize filtering, or Mullvad DNS for a privacy-first public resolver. All offer encrypted endpoints.

The bottom line

Plain DNS quietly leaks every site you visit to your ISP and anyone on your network. Secure DNS — encrypted with DoH or DoT, ideally over a DNSSEC-validating resolver — closes that leak, and you can turn it on in your browser, OS, or router in minutes. Pick a resolver whose trust model fits you (Cloudflare, Quad9, Mullvad, NextDNS or AdGuard), and if you want the leak closed for all your traffic at once, run it through a no-logs VPN.