Every website you visit begins with a question your device asks before you ever see a page load - a DNS query that translates a human-readable address into the numerical coordinates servers actually use. For most of internet history, those questions traveled in plain text, visible to your internet service provider, the operator of any Wi-Fi network you joined, and anyone positioned to monitor unencrypted traffic. Private DNS changes that by wrapping those lookups in encryption, closing one of the most consistently overlooked gaps in everyday online privacy.
The relevance of that gap has grown considerably. As more sensitive activity - banking, healthcare access, professional communications, identity verification - moves through mobile and web applications, the metadata embedded in DNS traffic becomes genuinely revealing. Knowing which domains a device queries, and when, can expose patterns of behavior even when the content of communications remains hidden. Private DNS addresses precisely this exposure.
What DNS Actually Exposes - and Why Encryption Matters
The Domain Name System functions as a global directory service. When you type a website address, your device contacts a DNS resolver - typically operated by your ISP by default - which returns the corresponding IP address. The exchange happens in milliseconds and is almost entirely invisible to the user. What most users do not consider is that this exchange, in its traditional form, is unencrypted.
That means an ISP can log every domain your device requests. On a public Wi-Fi network - a coffee shop, an airport, a hotel - the network operator, or anyone conducting a passive interception on that network, can see the same. DNS monitoring has long been used for content filtering, behavioral advertising profiling, and, in more authoritarian contexts, surveillance and censorship enforcement. Even in jurisdictions with robust data protection laws, ISP-level DNS logging represents a structural privacy weakness that regulation alone cannot fully close.
Private DNS resolves this by implementing encryption at the DNS layer itself, most commonly through two protocols: DNS-over-TLS, which Android's built-in Private DNS feature uses, and DNS-over-HTTPS, which major browsers have adopted. Both protocols encrypt the query so that a passive observer on the network sees only that a connection occurred - not which domain was requested. The distinction matters: it is the difference between a sealed envelope and a postcard.
How the Two Main Protocols Differ in Practice
DNS-over-TLS operates on a dedicated port and applies the same TLS encryption layer used by HTTPS websites. Because it runs on a distinct port, it is straightforward for network administrators to identify DNS-over-TLS traffic - and, if they choose, to block it. That transparency is also a security feature: it makes the protocol purpose-specific and easy to audit.
DNS-over-HTTPS routes encrypted DNS queries through standard HTTPS connections on port 443, the same port used by ordinary secure web traffic. The practical effect is that DNS queries become indistinguishable from regular browsing traffic to a network observer. This makes DNS-over-HTTPS harder to selectively block, which is one reason it has been favored in browser implementations - and one reason some network administrators resist its adoption, since it bypasses centralized DNS controls they rely on for legitimate network management.
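To make the transport difference concrete, here is an added example (not code from the original article) that builds one DNS query for www.example.com in wire format and shows the same bytes three ways: as they travel in plaintext over UDP port 53, framed for DNS-over-TLS (a two-byte length prefix inside a TLS session on port 853), and encoded into a DNS-over-HTTPS GET URL. The resolver URL https://dns.example/dns-query is a placeholder.

```python
import base64
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a DNS query (RFC 1035 wire format) for `name`, type A by default.
    The message is identical whichever transport carries it; only the wrapping
    differs. txid=0 matches the RFC 8484 example and keeps DoH GET URLs cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"  # labels are length-prefixed and terminated by a zero byte
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def visible_qname(packet: bytes) -> str:
    """What a passive observer on the network path recovers from an unencrypted
    DNS packet: the question name parsed straight back out of the bytes."""
    labels, pos = [], 12  # question section starts after the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def dot_frame(query: bytes) -> bytes:
    """DNS-over-TLS (RFC 7858): the message goes over a TLS session on port 853
    with the same 2-byte length prefix DNS already uses over TCP. TLS then
    encrypts this whole frame, so the observer sees only a connection to 853."""
    return struct.pack("!H", len(query)) + query


def doh_get_url(query: bytes, resolver: str = "https://dns.example/dns-query") -> str:
    """DNS-over-HTTPS (RFC 8484) GET form: the message is base64url-encoded with
    padding stripped and carried in the ?dns= parameter of an ordinary HTTPS
    request on port 443. The resolver URL is a placeholder, not a real service."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("plaintext/53 exposes:", visible_qname(q))
    print("DoT frame (before TLS):", dot_frame(q).hex())
    print("DoH GET:", doh_get_url(q))
```

The DoH URL produced for www.example.com is the one given as the example in RFC 8484, which is a convenient way to check the encoding.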
Neither protocol hides your IP address or encrypts the full content of your internet traffic. They protect the lookup process specifically. A user who wants broader traffic concealment needs a VPN, which tunnels all traffic through an encrypted connection to a remote server, masking both DNS queries and data payloads. Private DNS and a VPN are not competing choices so much as tools operating at different layers of the privacy stack - and they can be used together.
Enabling Private DNS: What the Settings Actually Do
Android devices have included a native Private DNS option since Android 9. The setting allows users to specify a custom DNS-over-TLS resolver by hostname. Providers such as Cloudflare, Quad9, and NextDNS publish their resolver hostnames for this purpose, each with different policies on logging, filtering, and data retention. Choosing a resolver means choosing which organization receives your DNS queries - so reviewing a provider's stated privacy policy before configuring the setting is a reasonable step.
On iOS, system-wide encrypted DNS requires a configuration profile or a VPN application that manages DNS at the OS level; there is no single native toggle equivalent to Android's Private DNS field. On Windows and macOS, encrypted DNS can be configured through network adapter settings or through the operating system's DNS settings in newer versions, though the steps vary by version and the feature is not always enabled by default. In browsers, Chrome, Firefox, Edge, and others offer Secure DNS or DNS-over-HTTPS options within their privacy settings, which apply only to DNS queries made through that browser rather than system-wide.
- Android: Settings → Network & Internet → Private DNS → enter a provider hostname
- iOS: requires a configuration profile or a supporting VPN or DNS application
- Windows 11: Settings → Network & Internet → hardware adapter properties → DNS server assignment
- Browsers: found under privacy or security settings, labeled Secure DNS or Use secure DNS
The most important variable after enabling the feature is which resolver you point it toward. Using an encrypted connection to a resolver that logs and sells query data undermines the privacy benefit. Independent resolvers with published, audited no-logging policies provide meaningfully stronger guarantees than default ISP resolvers, even when encryption is in place at the transport layer.
Realistic Expectations and Remaining Limitations
Private DNS is a targeted protection, not a comprehensive privacy solution. It secures the lookup step - the moment your device asks where a website lives. It does not encrypt the data exchanged after the connection is established, does not conceal your IP address from the websites you visit, and does not prevent tracking through cookies, device fingerprinting, or behavioral analytics. Those require additional measures: HTTPS-enforcing browsers, tracker-blocking extensions, and where appropriate, a reputable VPN.
There is also a subtler limitation. Even with DNS-over-TLS or DNS-over-HTTPS active, the Server Name Indication field, which is sent unencrypted in the TLS ClientHello, can still reveal the domain a user is connecting to - a gap that the emerging Encrypted Client Hello standard is designed to address, though deployment remains uneven across the web infrastructure.
What Private DNS reliably accomplishes is the elimination of the easiest, most passive form of DNS surveillance: the unencrypted query visible to anyone on your network path. That is a meaningful, achievable improvement for any user who accesses sensitive services over public or shared connections. In an environment where data collection is pervasive and often invisible, closing a known structural gap - even a partial one - is worth the five minutes the configuration requires.