A friendly guide to encrypted DNS for people who already use a VPN

A lot of people who already use a VPN ask me whether they also need encrypted DNS. The answer is probably yes, but the why is usually explained either in too much detail (acronym soup, RFC numbers, certificate chains) or too little (a sentence that doesn’t actually clarify what the problem is). This piece is the version I wish someone had handed me when I first asked.

It’s structured as questions because that’s how the topic actually shows up in conversation.


Q: I already use a VPN. Doesn’t that already encrypt everything?

It encrypts almost everything, and the part it doesn’t encrypt — DNS lookups — is the part most people don’t realize they were leaking.

When you visit example.com, the very first thing your computer does is ask “what IP address does example.com live at?” That question, by default since the 1980s, is sent in plain text to whatever DNS server your network is configured to use — usually your ISP, or a hotel, or whoever else owns the wifi you’re on. They see every hostname you visit, even when the actual website connection is encrypted with HTTPS.

A VPN tunnels the IP traffic, but unless the VPN is also handling DNS through the tunnel (most of them are these days, but not all, and not in all configurations), DNS lookups can still leak to your ISP. Even when DNS is tunneled, you’ve now moved the visibility from your ISP to your VPN provider — which is an improvement if you trust the VPN more than the ISP, but you’re still trusting somebody with the list of every domain you visit.

Encrypted DNS solves a different problem. It encrypts the DNS query itself, between you and a DNS server you specifically chose, so that nobody in between (your ISP, your wifi network, anyone snooping) can read the lookup. One caveat before you rely on it: when you then connect to the site, the hostname is also sent in the clear in the TLS handshake (the Server Name Indication field) unless the site supports Encrypted Client Hello. So encrypted DNS on its own hides your lookups, not the fact that you went on to connect to that site; that is one more reason it pairs with a VPN rather than replacing one.


Q: Wait, so do I need both? Encrypted DNS and VPN?

In most cases yes, because they protect against different things.

  • VPN: hides the content and destination of your traffic from your ISP and from anyone snooping on your local network. Doesn’t necessarily encrypt DNS.
  • Encrypted DNS: hides the list of hostnames you look up from anyone in between you and your DNS provider. Doesn’t hide your IP traffic, and without a VPN the destination hostname still shows up in the TLS handshake’s SNI field.

If you only use encrypted DNS, your ISP still sees what IPs you connect to (and, via SNI, usually the hostname too). If you only use a VPN, your DNS lookups may still leak (depending on configuration). Together, the picture is much tighter.

There’s an important subtlety: if your VPN provider is also acting as your DNS provider (most do this by default), the VPN provider sees both your IP traffic and your DNS lookups. You’re consolidating trust into one entity. That’s still better than leaking to your ISP, but if you’re comfortable using a separate encrypted-DNS service that you trust more than your VPN provider, you can split the trust by using both.


Q: What’s actually meant by “encrypted DNS”? Is there a standard?

There are two main standards in use today:

  • DoH (DNS over HTTPS) — DNS lookups are sent inside HTTPS requests on port 443, so on the wire they look like regular web traffic. Hardest to block as a category, although a network can still block the well-known resolver endpoints by IP or hostname.
  • DoT (DNS over TLS) — DNS lookups are sent over TLS on a dedicated port (853). Easier to block as a category (a firewall can simply drop port 853), but a cleaner, single-purpose protocol.

Both encrypt the DNS query in transit. Both work fine for most users. DoH is more common in browsers and consumer apps; DoT is more common in OS-level and router-level configuration (Android’s Private DNS setting, for example, is DoT). If you have a choice and don’t have a strong opinion, pick DoH.

There’s also DNSCrypt, which predates both DoH and DoT and is still used by some providers. It works fine if a provider you trust uses it. Don’t sweat the protocol choice; the provider you choose matters more than the protocol.
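To make the wire-level difference concrete, here is an added example (not code from the original piece, and not any provider’s client) that builds a standard DNS query for example.com, shows that an on-path observer can read the name straight out of the plaintext message, and then wraps that same message the way DoH (RFC 8484) and DoT (RFC 7858) do. Nothing is sent over the network; the message is constructed inline and the endpoint URL used is Cloudflare’s documented DoH endpoint.

```python
import base64
import struct

# Constructed example input: the name the user is looking up.
HOSTNAME = "example.com"


def build_query(hostname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build an RFC 1035 wire-format query (type 1 = A, class 1 = IN).

    txid defaults to 0 because RFC 8484 asks DoH GET clients to zero it so
    that identical queries produce identical, cacheable URLs.
    """
    header = struct.pack(
        "!HHHHHH",
        txid,     # transaction ID
        0x0100,   # flags: standard query, recursion desired
        1,        # QDCOUNT: one question
        0, 0, 0,  # ANCOUNT, NSCOUNT, ARCOUNT
    )
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in hostname.rstrip(".").split(".")
    ) + b"\x00"  # the empty root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)


def observer_reads_name(message: bytes) -> str:
    """What a passive observer of plain UDP/53 traffic recovers: walk the
    length-prefixed labels that follow the 12-byte header. (Queries never
    use RFC 1035 name compression, so pointers are not handled here.)"""
    labels, pos = [], 12
    while message[pos] != 0:
        n = message[pos]
        labels.append(message[pos + 1 : pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def doh_get_url(message: bytes, endpoint: str) -> str:
    """RFC 8484 GET form: the raw message, base64url without '=' padding,
    in the ?dns= query parameter. The whole URL travels inside TLS; an
    observer sees only the resolver's IP (and its hostname in SNI)."""
    token = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"


def doh_post(message: bytes):
    """RFC 8484 POST form: the raw message as the body, typed as
    application/dns-message. Returns (headers, body)."""
    headers = {
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
    }
    return headers, message


def dot_frame(message: bytes) -> bytes:
    """RFC 7858 DoT carries ordinary DNS-over-TCP framing inside TLS on
    port 853: a 2-byte big-endian length prefix, then the message."""
    return struct.pack("!H", len(message)) + message


def dot_unframe(stream: bytes) -> bytes:
    """Inverse of dot_frame, as the resolver end would do it."""
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2 : 2 + length]


if __name__ == "__main__":
    q = build_query(HOSTNAME)
    print("plaintext query:", q.hex())
    print("observer recovers:", observer_reads_name(q))
    print("DoH GET:", doh_get_url(q, "https://cloudflare-dns.com/dns-query"))
    print("DoT frame:", dot_frame(q).hex())
```

The point to notice is that DoH and DoT do not change the DNS message at all; the same 29 bytes that spell out example.com in the clear on port 53 are simply carried inside a TLS session, which is why the provider you choose matters more than which of the two wrappers you use.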


Q: Which encrypted DNS providers are reasonable choices?

Three categories, roughly:

Free/freemium, run by larger entities:

  • Cloudflare 1.1.1.1 (free, DoH/DoT supported). Cloudflare logs queries for 24 hours per their stated policy, deletes after. Solid uptime and speed. Trusted by many; some people are uncomfortable with how much of the internet’s edge Cloudflare already touches.
  • Quad9 9.9.9.9 (free, DoH/DoT supported, also blocks known-malicious domains by default). Operated by the Quad9 Foundation, a Swiss non-profit (originally launched with the Global Cyber Alliance, IBM and Packet Clearing House). Less commercial than Cloudflare. Mainly useful if the malware-blocking matters to you.
  • Google 8.8.8.8 (free, DoH/DoT). Fast, reliable, run by Google. Don’t pick this if you’re trying to reduce your Google-touchable surface area.

Paid services with more configurability:

  • NextDNS (free tier with 300K queries/month, paid plans from ~$2/month). Very granular configuration: per-device profiles, blocklist customization, parental controls, query logs you can review or disable. Has become the privacy-community favorite.
  • ControlD (free tier, paid from ~$2/month). Similar feature set to NextDNS, somewhat newer, with slightly different blocklist focus and a slick interface.
  • AdGuard DNS (free public servers, paid premium DNS for more features). The DNS half of the AdGuard ecosystem.

Specialty:

  • Mullvad’s public DNS (free for anyone over DoH/DoT, not just Mullvad VPN customers; inside the Mullvad tunnel it is used by default). Ad and tracker blocking optional. Aligned with their broader privacy stance.
  • dnscrypt-proxy (open-source, you run it yourself). Not a resolver but a local forwarder: it speaks DNSCrypt and DoH to upstream resolvers you pick, and your devices point at it. For people who want to control everything end-to-end.

For most people: NextDNS or ControlD if you want configurability, Cloudflare 1.1.1.1 if you just want a fast free option that “just works.”


Q: Does encrypted DNS slow things down?

In practice, no. Sometimes it’s faster than your ISP’s DNS, because the providers above run more aggressive caching and have closer servers than many consumer ISPs. The crypto overhead is small: the DNS messages themselves are tiny, the first query pays a TLS handshake, and the connection is then reused. The bigger latency factor is geographical, so pick a provider with a server near you.

In our informal testing, NextDNS and Cloudflare both consistently resolved faster than Comcast’s default DNS. Your mileage will vary by region; the ISPs in some areas (especially developing-market deployments) are surprisingly slow at DNS, and switching feels like a noticeable upgrade.


Q: How do I actually turn this on?

Three places you can configure it, in increasing order of “covers more devices”:

1. Per-app, in your browser.

Firefox, Chrome, Edge, and Brave all support DoH in their settings (Firefox calls it “DNS over HTTPS”; the Chromium browsers call it “Use secure DNS”). Look under Privacy & Security. You set the provider URL (e.g., https://cloudflare-dns.com/dns-query) and the browser handles its own lookups via that endpoint. Safari has no browser-level setting; on Apple platforms it uses whatever the system resolver is, so see option 2.

Limitation: only the browser uses encrypted DNS. Your other apps (email client, system updates, native apps) still use the system DNS.

2. Per-device, in your OS.

  • macOS / iOS: install a DNS configuration profile (.mobileconfig file). NextDNS, ControlD and Quad9 publish them, and Cloudflare’s 1.1.1.1 app does the equivalent.
  • Windows 11: built-in DoH support in Settings → Network & internet → (your adapter) → DNS server assignment → Edit, then turn “DNS over HTTPS” on. Out of the box Windows only offers DoH for the resolvers on its built-in list (Cloudflare, Google, Quad9); other providers need their DoH template registered with netsh dns add encryption.
  • Linux: systemd-resolved does DoT (set DNS= to the resolver and DNSOverTLS=yes in /etc/systemd/resolved.conf). For DoH run a local forwarder such as dnscrypt-proxy and point the system resolver at it.
  • Android: Settings → Network & Internet → Private DNS → enter a provider hostname. This is DoT, so you enter a hostname such as dns.quad9.net or one.one.one.one, not a URL.

This covers everything on the device. Recommended starting point.
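Those .mobileconfig profiles are ordinary property lists, so it is worth seeing what is actually inside one. The following is an added example, not the original article’s code and not any provider’s official profile: it builds an Apple DNS Settings payload with the standard library and then audits a profile before you install it. The checks are the ones that matter in practice: the protocol must be HTTPS or TLS, the server addresses must be literal IPs (the OS needs them so it does not have to do a plaintext lookup just to find the encrypted resolver), and the matching ServerURL or ServerName must be present. The Quad9 endpoint and addresses are its published ones; the reverse-DNS identifier com.example.dns is a placeholder you would replace with your own.

```python
import ipaddress
import plistlib
import uuid

# Placeholder identifier; use your own reverse-DNS prefix in a real profile.
ORG_PREFIX = "com.example.dns"


def dns_payload(protocol: str, addresses, name: str,
                server_url: str = "", server_name: str = "") -> dict:
    """One com.apple.dnsSettings.managed payload (Apple's DNS Settings
    payload type). protocol is "HTTPS" for DoH or "TLS" for DoT."""
    settings = {"DNSProtocol": protocol, "ServerAddresses": list(addresses)}
    if server_url:
        settings["ServerURL"] = server_url      # DoH endpoint
    if server_name:
        settings["ServerName"] = server_name    # name the DoT certificate must match
    return {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.{protocol.lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "DNSSettings": settings,
        "ProhibitDisablement": False,  # True (under MDM) stops the user switching it off
    }


def build_profile(payload: dict, display_name: str) -> bytes:
    """Wrap a payload in the top-level Configuration profile and serialise
    it as the XML plist that Settings expects in a .mobileconfig file."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ORG_PREFIX,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_profile(data: bytes) -> list:
    """Return a list of problems; an empty list means the profile looks sane."""
    problems = []
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.dnsSettings.managed"]
    if not payloads:
        return ["no DNS settings payload found"]
    for p in payloads:
        s = p.get("DNSSettings", {})
        proto = s.get("DNSProtocol")
        if proto not in ("HTTPS", "TLS"):
            problems.append(f"unexpected DNSProtocol {proto!r}")
        if proto == "HTTPS" and not str(s.get("ServerURL", "")).startswith("https://"):
            problems.append("HTTPS profile needs an https:// ServerURL")
        if proto == "TLS" and not s.get("ServerName"):
            problems.append("TLS profile needs a ServerName to validate the certificate")
        addrs = s.get("ServerAddresses", [])
        if not addrs:
            problems.append("no ServerAddresses: the OS would need a plaintext lookup to bootstrap")
        for a in addrs:
            try:
                ipaddress.ip_address(a)
            except ValueError:
                problems.append(f"ServerAddresses entry {a!r} is not an IP literal")
    return problems


# Quad9's published DoH endpoint and resolver addresses.
QUAD9_DOH = dns_payload(
    "HTTPS",
    ["9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9"],
    "Quad9 DoH",
    server_url="https://dns.quad9.net/dns-query",
)

if __name__ == "__main__":
    data = build_profile(QUAD9_DOH, "Encrypted DNS (Quad9)")
    print(data.decode("utf-8"))
    print("problems:", audit_profile(data))
```

Save the printed plist as a .mobileconfig file and open it on the device to install it. Running audit_profile over a profile you downloaded from a provider is a quick way to confirm it really carries the resolver’s IP addresses and the expected protocol before you trust it with every lookup on the device.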

3. Network-wide, in your router.

Set encrypted DNS at the router level so every device on your wifi gets it automatically. Best for households or anyone who has guests/kids/family members who won’t configure their own devices.

Most consumer routers don’t support DoH/DoT directly. Workarounds:

  • A router running OpenWrt or DD-WRT with the right packages
  • A Raspberry Pi running Pi-hole or AdGuard Home on your local network
  • Travel routers like the GL.iNet Beryl AX which have AdGuard Home built in
  • NextDNS’s router setup (its CLI client runs on OpenWrt, pfSense/OPNsense, Synology and other router firmware; the plain “linked IP” mode is a fallback that is not encrypted)


Q: What about DNS leaks when I’m on a VPN?

This is the part people forget. Even with a VPN active, you can leak DNS to your ISP if:

  • The VPN client doesn’t tunnel DNS (older OpenVPN configs sometimes don’t, and on Windows OpenVPN needs block-outside-dns to stop the system using other adapters’ resolvers)
  • IPv6 is enabled but the VPN doesn’t tunnel it, so IPv6 DNS queries (and IPv6 traffic generally) go out unprotected
  • The browser’s own DNS-over-HTTPS ignores the VPN’s resolver. If all traffic is tunneled, the query still travels inside the tunnel, so your ISP doesn’t see it; but the DoH provider does, and a leak test will show that provider rather than your VPN’s servers. Whether that counts as a leak depends on which of the two you’d rather trust with your lookups.
  • You set a DNS server at the OS or adapter level that the VPN client doesn’t override

Test for leaks: visit dnsleaktest.com with your VPN connected. Run the “extended test.” If you see your VPN’s DNS servers, you’re good. If you see your ISP’s DNS, you have a leak. If you see the encrypted DNS provider you deliberately configured (NextDNS, Quad9, and so on), that is the split-trust setup described earlier working as intended, not a leak.

If you find a leak, the fix depends on the cause: disable IPv6 (or use a VPN that tunnels it), turn on the VPN client’s DNS leak protection so it pushes its own resolver and blocks the others (for OpenVPN on Windows that is block-outside-dns; a modern WireGuard-based client usually does this by default, which is why switching protocols often “fixes” it), remove any resolver you set by hand at the adapter level, or disable the browser’s DNS-over-HTTPS in favor of the VPN’s DNS if you want the VPN to see all lookups.
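On Linux with systemd-resolved you can check for the first two causes locally, before or instead of a web leak test, by looking at which links still have resolvers and the DefaultRoute flag. The following is an added example, not from the original piece: it parses the text layout of `resolvectl status` and flags any non-tunnel link that could still receive lookups. The two status dumps are constructed to look like a laptop on wifi with a WireGuard tunnel called wg0, before and after the fix; real output varies a little between systemd versions, so treat the parser as a starting point.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: what `resolvectl status` might show on a laptop whose
# WireGuard tunnel (wg0) pushed its resolver but the wifi link kept its own.
LEAKY = """\
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (wlan0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1 fe80::1

Link 5 (wg0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.64.0.1
       DNS Servers: 10.64.0.1
"""

# The same machine after `resolvectl dns wlan0 ''` and
# `resolvectl default-route wlan0 false` (also constructed).
FIXED = """\
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (wlan0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (wg0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.64.0.1
       DNS Servers: 10.64.0.1
"""


@dataclass
class Link:
    name: str
    protocols: dict = field(default_factory=dict)  # flag name -> True/False
    servers: list = field(default_factory=list)


KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z .]*?):\s*(.*)$")
LINK_RE = re.compile(r"^Link \d+ \((\S+)\)$")


def parse_resolvectl(text: str) -> list:
    """Parse the Global and per-link blocks of `resolvectl status`."""
    links, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current, last_key = None, None
            continue
        m = LINK_RE.match(line)
        if line == "Global" or m:
            current = Link(m.group(1) if m else "Global")
            links.append(current)
            last_key = None
            continue
        if current is None:
            continue
        km = KEY_RE.match(line)
        if km:
            last_key, value = km.group(1), km.group(2)
            if last_key == "Protocols":
                for tok in value.split():
                    if tok[0] in "+-":  # skip DNSSEC=... style tokens
                        current.protocols[tok[1:]] = tok[0] == "+"
            elif last_key == "DNS Servers":
                current.servers.extend(value.split())
        elif last_key == "DNS Servers":
            # Long server lists wrap onto indented continuation lines.
            current.servers.extend(line.split())
    return links


def find_leaks(text: str, tunnel: str) -> list:
    """Return (link, kind, detail) for every way a non-tunnel link could
    still receive lookups while the VPN is up."""
    findings = []
    for link in parse_resolvectl(text):
        if link.name in ("Global", tunnel) or not link.servers:
            continue
        if link.protocols.get("DefaultRoute"):
            findings.append((link.name, "default-route",
                             f"queries for any domain may be sent to {link.servers}"))
        if not link.protocols.get("DNSOverTLS"):
            findings.append((link.name, "plaintext",
                             "resolvers on this link are used without DoT"))
        v6 = [s for s in link.servers if ":" in s]
        if v6:
            findings.append((link.name, "ipv6",
                             f"IPv6 resolvers {v6} bypass an IPv4-only tunnel"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", LEAKY), ("after", FIXED)):
        print(label, find_leaks(text, "wg0") or "no leaks found")
```

To run it against your own machine, pipe the real output in (for example `resolvectl status | python3 check.py`, reading sys.stdin instead of LEAKY). Any link the script flags with default-route is one that systemd-resolved may hand lookups to alongside the tunnel; clearing its resolvers or turning its default route off is the same fix the VPN client’s leak-protection setting applies for you.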


Q: Is any of this overkill for a normal person?

Honestly, the per-device OS configuration (option 2 above) takes about ten minutes for an iPhone or Mac, and after that you don’t think about it again. The benefit is that nobody on your network — coffee shop, hotel, flatmate — can see your DNS lookups. (They can still see the hostname in the TLS handshake unless the site uses Encrypted Client Hello; closing that gap is what the VPN is for.)

Whether that’s worth ten minutes depends on whether you’ve internalized the “DNS is unencrypted by default” thing. Once you have, it’s hard to leave it un-fixed.

If you also use a VPN, encrypted DNS is the small follow-on improvement. Almost free, almost effortless, completes the picture.


We’ll publish full reviews of NextDNS, ControlD, and AdGuard DNS in the coming weeks. For now, the recommendation: pick NextDNS or Cloudflare 1.1.1.1, configure at the OS level on each device, run a leak test, you’re done.
