In today’s digital landscape, protecting your privacy isn’t just a technical concern, it’s a human rights issue. With a background in law and a strong interest in digital rights and security, I believe privacy should be a right that everyone can understand and protect, regardless of their technical background.
This newsletter is designed to teach everyday users simple, practical steps to better protect their digital footprint and regain a bit more control online. Along the way, it explains important concepts so we can better understand how our data moves and how to keep it safe.
Encrypting Your DNS Traffic
What It Is, Why It Matters, and How to Do It
Let’s start with the basics: What the heck is DNS traffic, anyway?
Say you want to perform a Google search. You type www.google.com into your browser’s address bar and hit enter. But for your browser to take you there, it needs to know Google’s actual internet address—called an IP address. That’s where DNS comes in.
When you press enter, your computer sends a request to a DNS server (think of it as a phone book for the internet). The DNS server looks up the right IP address by contacting a chain of other DNS servers, and, once it finds the answer, it sends it back to your browser. In a fraction of a second, you’re connected to Google. Pretty cool, right?
All that back-and-forth between your browser and the DNS servers? That’s DNS traffic.
So, why does your DNS traffic need to be encrypted?
When your DNS requests aren’t encrypted, it’s like sending a postcard instead of a sealed envelope. Anyone watching your internet traffic—your ISP (internet service provider), network administrators, hackers, or the government—can see which websites you’re trying to visit.
Even if the site itself uses HTTPS (that little padlock icon), your DNS traffic still exposes the domain name (i.e., the website address you're trying to reach). So someone monitoring your connection can tell you’re visiting, say, a mental health site, a political organization, or a legal aid resource, even if they can’t see exactly what you’re doing once you get there.
Why should you care?
Because your DNS traffic reveals your habits, interests, and routines. It builds a profile: which news outlets you read, whether you’re researching immigration issues, seeking medical help, or looking into privacy tools. That data has real value and real consequences, especially in countries with limited privacy protections, authoritarian surveillance, or laws that criminalize certain types of information-seeking.
Some ISPs even log this data and sell it to advertisers or data brokers. Others might hand it over to law enforcement, sometimes without a warrant. Depending on the jurisdiction, they may not even need a judge’s sign-off. And once your data is collected, there’s often little transparency about where it goes, who sees it, or how long it’s kept.
Encrypting your DNS requests helps close that window. It scrambles those queries in transit so that only you and the DNS resolver you trust can read them.
It’s one of the simplest, most effective ways to push back against mass data collection and take back a bit of your digital privacy.
Okay, I’m in! How do I encrypt my DNS traffic?
When you send encrypted DNS queries to a third-party resolver, your internet provider can no longer read them, but the resolver itself can, so it knows which websites you look up.
Some DNS resolvers claim to enhance privacy but still collect usage data behind the scenes. Others may redirect queries for advertising, use weak encryption by default, or be operated by companies with questionable privacy practices. That’s why it’s important to choose a trustworthy and secure DNS resolver.
What are key features of a secure DNS resolver?
🧹 Open Source: Is the service’s code publicly available for independent security audits?
🔒 No-Logs Policy: Does the resolver avoid logging IP addresses or query data?
🗝️ Supports DNS Encryption: Does it support DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) to encrypt queries and prevent eavesdropping?
🛡️ Built-in Protections: Does it block access to phishing, malware, or other harmful domains?
⚡ Fast Response: Does it respond quickly to DNS requests for smooth browsing?
🔄 Reliability & Uptime: Does it maintain consistent availability to avoid service interruptions?
⚙️ Ease of Use: Is it simple to set up and configure on your device or router?
🙈 No Personal Info Required: Can you sign up without giving a phone number or revealing your identity?
⚖️ Privacy-Friendly Jurisdiction: Is the provider based in countries with strong privacy laws and minimal surveillance mandates?
Comparison Chart of Well-Known DNS Resolvers
The chart below compares four well-known DNS resolvers—Cloudflare, Quad9, Mullvad, and NextDNS—based on the criteria outlined above.
The best choice for you will depend on your desired level of privacy, security, and anonymity.

💡 Pro Tip: Encrypted DNS resolvers are especially useful when you’re on public Wi-Fi, where network admins or bad actors can more easily see or manipulate unencrypted DNS traffic.
💡 Pro Tip: None of the DNS resolvers listed above require you to reveal your identity through a phone number or email address. However, when signing up for online services that do require contact information, consider using email aliases or forwarding addresses. This helps reduce spam, avoid phishing attempts, and prevent long-term tracking tied to a single, consistent email identity.
How to Get Started
Below are setup instructions for Cloudflare and Quad9. For Mullvad’s DNS resolver and for NextDNS, follow the setup guides on each provider’s website.
Cloudflare Setup
📱 For iPhone / Android / Amazon Fire:
Go to your app store
Search Cloudflare
Download 1.1.1.1: Faster Internet
Open the app and turn it on
Now all DNS traffic from your device is encrypted via Cloudflare. It's that simple.
💻 For Mac / Windows / Linux:
Download and install the WARP client
Follow setup instructions
Once running, WARP encrypts all outbound internet traffic from your device (not just DNS), routing it through Cloudflare’s servers for privacy and speed.
⚠️ Note: A traditional VPN also encrypts all outbound traffic from your device, but usually offers stronger security and more features (see Hiding Your IP Address).
Quad9 Setup
📱 For iPhone:
Open Safari
Visit Quad9 iOS Setup
Scroll to “Download Profile” and tap Recommended: HTTPS (.9)
Follow the prompts to download and install the configuration profile (Go to Settings > Profile Downloaded > Install)
Now all DNS traffic from your device is encrypted via Quad9.
💻 For Mac (macOS Big Sur or later):
Open Safari
Visit Quad9 macOS Setup
Download the Recommended: HTTPS (.9) profile
Go to System Settings > Profiles
Install the Quad9 DNS profile
Once installed, all DNS requests from your device will be encrypted through Quad9’s secure servers.
🤖 For Android (via F-Droid):
Step 1: Install F-Droid — F-Droid is a free and open-source app store for privacy-focused apps.
Open your browser and go to f-droid.org
Tap “Download F-Droid” to get the official .apk (the file format used to distribute and install apps on Android devices)
When prompted, allow your browser to install apps from unknown sources
Once downloaded, tap the file to install
When prompted, tap Install, then Open
Wait 2–10 minutes while F-Droid updates its app catalog
You’re now ready to search and install apps from F-Droid
Step 2: Install Quad9 Connect
In F-Droid, tap the search icon and search for Quad9 Connect
Select Install
Open the app and select your preferred encryption (DoT or DoUDP)
Accept the VPN prompt (used only to route DNS traffic securely)
Once installed, all DNS requests from your device will be encrypted through Quad9’s secure servers.
🪟 For Windows 11:
⚠️ Note: DoT (DNS over TLS) encrypts your DNS safely and works well most of the time. DoUDP (DNS over UDP with encryption) is faster but not as reliable or common. For most people, DoT is the better choice.
💡 Pro Tip: If you go with Quad9, it’s worth checking back occasionally to reinstall the latest version of the profile for ongoing updates.
An Important Note on Jurisdiction
Where a privacy service is based and where it operates its servers can significantly affect how your data is managed.
Some countries have strong privacy laws that require court orders or due process before authorities can access user data. Others are part of intelligence-sharing alliances or have laws that allow broad surveillance or secret government demands. This means even trustworthy services may be forced to collect or share your information, sometimes without telling you.
Some privacy-focused companies, like Mullvad, go a step further by carefully choosing where their servers are located. They may avoid placing servers in countries with weak privacy laws, mass surveillance programs, or aggressive data retention mandates. Others operate globally without these precautions, meaning your data could pass through and be stored in high-risk jurisdictions, even if the company itself is based in a privacy-friendly country.
When evaluating a service, it’s worth considering:
Where the company is headquartered
Where it runs its servers
Whether it owns and controls its infrastructure or relies on third-party hosting
For more detailed information on data protection laws by country, visit DLA Piper’s comprehensive guide, which covers over 160 jurisdictions worldwide. The platform offers an interactive heatmap and in-depth summaries of each country’s privacy laws.
💡 Pro Tip: Where a service is based matters, but strong privacy protections—like open-source code, no-logs policies, and DNS-over-HTTPS (DoH) or DNS-over-TLS encryption (DoT)—can reduce risks even in less private jurisdictions.
For more advanced readers: Router Setup
If you access your router’s settings, you can manually enter your preferred DNS resolver addresses in the DNS configuration. This helps ensure that all devices connected to your home network (including those you can’t individually configure, like e-readers, home security cameras, or smart TVs) send their DNS queries to a privacy-focused resolver instead of your ISP.
That said, manually entering a resolver address into your router’s settings doesn’t automatically encrypt your DNS traffic. It only changes where your DNS requests go, not how they’re transmitted.
Unless your router specifically supports encrypted DNS protocols like DoH (DNS over HTTPS) or DoT (DNS over TLS), those requests may still be sent in plaintext, meaning they aren’t encrypted and can still be intercepted by someone monitoring your network.
If your router supports encrypted DNS natively, you can enable DoH or DoT directly in the settings to ensure all DNS traffic is encrypted at the network level.
Even without encryption, switching away from your ISP’s DNS still helps improve privacy and reduce data collection, especially when combined with encrypted DNS settings on individual devices.
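An added example, not part of the original newsletter: the Python sketch below shows what the "postcard" comparison and the router caveat above mean on the wire. It encodes a standard DNS query, then reads the website name straight back out of the bytes the way anyone on the network path could, and contrasts that with a DoT connection on port 853. The function names, the domain legal-aid.example, and the stand-in TLS record are constructed for illustration.

```python
import struct

# Resolver addresses from the list on this page.
RESOLVERS = {"1.1.1.1": "Cloudflare", "9.9.9.9": "Quad9", "149.112.112.112": "Quad9"}

def build_query(name, qtype=1, txid=0x1234):
    """Encode a standard DNS query (RFC 1035 wire format) as sent to port 53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def read_qname(payload):
    """Return the name in a plaintext DNS question, or None if it cannot be parsed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels) or None
        if length > 63 or pos + 1 + length > len(payload):
            return None  # not a plain label: pointer, truncated packet, or ciphertext
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None

def observer_view(dst_ip, dst_port, payload):
    """Return (transport, resolver, leaked_name) as seen from the network path."""
    resolver = RESOLVERS.get(dst_ip, "unknown")
    if dst_port == 53:
        return ("plaintext", resolver, read_qname(payload))
    if dst_port == 853:
        return ("DoT", resolver, None)  # TLS record: destination visible, name is not
    if dst_port == 443 and dst_ip in RESOLVERS:
        return ("DoH", resolver, None)  # HTTPS to a known resolver address
    return ("other", resolver, None)

# Constructed sample traffic: a stand-in TLS record, not real ciphertext.
TLS_RECORD = bytes.fromhex("1703030020") + bytes(range(0x80, 0xA0))
CAPTURE = [
    ("9.9.9.9", 53, build_query("legal-aid.example")),  # router set to Quad9, no DoT
    ("9.9.9.9", 853, TLS_RECORD),                       # router or device using DoT
]

if __name__ == "__main__":
    for packet in CAPTURE:
        print(observer_view(*packet))
```

In both cases the observer still learns that you are talking to Quad9; only the port 53 query also gives away the site name.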
If you wish to manually enter DNS resolver addresses, simply add at least two or three of the following into your router’s DNS settings:
IPv4:
1.1.1.1 — Cloudflare — Standard DNS resolver (fast, privacy-focused, no filtering)
1.1.1.2 — Cloudflare — Malware blocking resolver (blocks known malicious sites)
1.1.1.3 — Cloudflare — Malware and adult content blocking resolver (blocks malware + adult sites)
9.9.9.9 — Quad9 — Malware blocking resolver (blocks known malicious sites)
149.112.112.112 — Quad9 — Malware blocking resolver (blocks known malicious sites)
100.64.0.1 — Mullvad — Privacy-focused DNS resolver (available only while connected to Mullvad VPN)
45.90.28.0 — NextDNS — Customizable DNS with optional logging and content filtering; IP address varies based on your account configuration.
45.90.30.0 — NextDNS — Customizable DNS with optional logging and content filtering; IP address varies based on your account configuration.
IPv6:
2606:4700:4700::1111 — Cloudflare — Standard DNS resolver (fast, privacy-focused, no filtering)
2606:4700:4700::1112 — Cloudflare — Malware blocking resolver (blocks known malicious sites)
2606:4700:4700::1113 — Cloudflare — Malware and adult content blocking resolver (blocks malware + adult sites)
2620:fe::9 — Quad9 — Malware blocking resolver (blocks known malicious sites)
2620:fe::fe — Quad9 — Malware blocking resolver (blocks known malicious sites)
fd00:abcd::1 — Mullvad — Privacy-focused DNS resolver (available only while connected to Mullvad VPN)
2a07:a8c0:: — NextDNS — Customizable DNS with optional logging and content filtering; IP address varies based on your account configuration.
2a07:a8c1:: — NextDNS — Customizable DNS with optional logging and content filtering; IP address varies based on your account configuration.
💡 Pro Tip: To ensure your devices are protected regardless of the type of internet connection they use, it’s best to configure both IPv4 and IPv6 addresses in your router’s DNS settings. Many networks support IPv6, but some still rely on IPv4, so including both covers all bases.
⚠️ Note: Encrypting DNS is a great privacy step, but it’s not the same as using a traditional VPN. DNS encryption hides which websites you're trying to reach, but not necessarily your IP address or the full content of your traffic.
A detailed, easy-to-use Digital Privacy Log now accompanies this newsletter. It’s designed to help you keep track of the privacy tools you’ve installed, document your setup across devices, and securely store recovery codes, configuration notes, and other key settings all in one place.
Stay tuned for Hiding Your IP Address w/ Virtual Private Networks (VPNs)—What VPNs Are, Why They Matter, and How to Use Them to Protect Your Privacy
Questions or feedback? Drop them below or send a private message.
Cloudflare, Quad9 DNS, Mullvad VPN, and NextDNS offer DNS resolvers committed to privacy. None sponsor this article, and each offers free tools designed to help create a safer, more private, and censorship-resistant internet.
If you’re interested, I encourage you to explore these options and choose the one that best fits your needs.
Newsletter Summary: Everyday Digital Privacy
This newsletter shares simple steps everyday users can take to strengthen our digital privacy, security, and anonymity:
🔒 Encrypting Your DNS Traffic — Learn how DNS requests reveal which websites you're trying to visit and how to encrypt them using services like Cloudflare, Quad9, Mullvad, and NextDNS.
🛡️ Hiding Your IP Address with a VPN — Understand what an IP address is, how your IP address exposes your location and identity, and how a trustworthy VPN like Mullvad VPN, Proton VPN, Riseup VPN, and Windscribe can encrypt all your traffic and hide where you’re connecting from.
📡 Hiding Your MAC Address — Discover how your devices' unique hardware IDs can be tracked by Wi-Fi networks (even when they're not online) and how to enable MAC address randomization to limit passive tracking.
🌐 Privacy-Focused Browsers — Explore how your choice of browser impacts your online privacy, why mainstream browsers often collect extensive data, and how privacy-focused browsers like Mullvad, Tor, Firefox, and Brave can help block trackers, fingerprinting, and unwanted data collection.
💬 Private Messaging Apps — Understand what makes a messaging app truly private, how end-to-end encryption protects your conversations, why metadata still matters, and how to choose secure apps like Session or Signal that safeguard your communications from surveillance and hacking.
📧 Encrypted Email Services — Find out why email is one of the least private forms of communication by default, how end-to-end encryption works, and how to choose secure email providers like Posteo, Proton Mail, and Tuta that protect your messages (even from themselves).
💾 Secure Cloud Storage & File Sharing — Learn why mainstream cloud services leave your files exposed, how end-to-end encrypted storage tools keep your documents private, and how to share files securely using services like Cryptomator, Filen, Proton Drive, Tresorit or Sync.
🗝️ Encrypted Password Managers — Learn how password managers work, what makes one secure, and how to choose tools that use end-to-end encryption and zero-knowledge architecture. Compare options like KeePassXC, LessPass, Proton Pass, and Bitwarden to find the right balance of privacy, usability, and control.
🔎 Private Search Engines — Learn how search engines track what you’re curious about, how that data is used to profile you, and how private alternatives like Startpage, Mojeek, Brave Search, Qwant, and DuckDuckGo let you search the web without being watched, logged, or targeted.