Online Privacy

Your ISP Can See Every Website You Visit — Here's How Encrypted DNS Fixes That

Even with HTTPS protecting the content of your browsing, your Internet Service Provider can still see every single domain you visit through your DNS queries. Encrypted DNS protocols like DoH and DoT close this gap — and setting them up takes less than two minutes. Here's how it works and how to enable it on every device you own.

adhen prasetiyo
Comparison of traditional DNS showing website names visible to ISP versus encrypted DNS with protected tunnel hiding browsing activity

I need to clear something up, because it's giving millions of people a false sense of privacy.

Most people figure that because they see the padlock icon in their browser — meaning the website uses HTTPS — their internet provider can't see what they're doing online. They assume their browsing is private.

It's not. Not even close.

HTTPS encrypts the content of your communication with a website. Your ISP can't read what you're typing, what you're buying, what files you're downloading. That part is true, and it matters.

But HTTPS does not encrypt which websites you visit. Every time you type a URL or click a link, your device sends a DNS query — a little request to translate the human-readable domain name (like "reddit.com") into the IP address your browser needs to connect. And traditionally, that DNS query goes out in complete plain text. Zero encryption. Nothing.

Your ISP sees every DNS query. They know you hit your bank's site. They know you browsed a job board. They know you visited a medical information page about a specific condition. They know you were on a dating app. They know you checked a competitor's site. Every single domain, exactly when, how often.

In many countries, ISPs are legally allowed to collect and sell this data. In the United States, ISPs can sell your browsing history to advertisers without your explicit consent — Congress rolled back the FCC's privacy rules in 2017 and they've never been restored. Your ISP doesn't need to hack you. They just read your DNS queries, which you've been broadcasting in plain text this whole time.

Encrypted DNS fixes this. And honestly, it's one of the simplest, most impactful privacy upgrades you can make.

How DNS works (and why it's a privacy disaster)

DNS — the Domain Name System — gets called the phonebook of the internet. When you type "google.com" into your browser, your device doesn't know how to reach it directly. It needs the IP address — something like 142.250.80.46. So it sends a DNS query to a DNS server (a resolver) asking: "What's the IP for google.com?"

The resolver answers with the IP, your browser connects. That happens for every website, every app connection, every service your device talks to. Hundreds of queries a day. Often thousands.

By default, these queries go to your ISP's DNS resolver. The ISP provides it automatically when your device connects. And because traditional DNS uses UDP port 53 with zero encryption, every query is visible to your ISP and anyone positioned to watch your network traffic — the coffee shop network operator, a compromised router, government surveillance.

Even if you switch to a privacy-focused resolver like Cloudflare (1.1.1.1) or Quad9 (9.9.9.9), if you don't encrypt the connection, your ISP can still see your queries as they pass through their network. They might not be the ones answering anymore, but they can still read them.

That's the gap encrypted DNS closes.

DoH and DoT: what they are and how they differ

Two protocols solve this. Both encrypt your DNS queries so nobody between you and the resolver can read them. They just go about it differently.

DNS-over-HTTPS (DoH)

DoH wraps DNS queries inside normal HTTPS traffic — the same encryption every secure website uses. It runs on port 443, the standard HTTPS port. So DoH traffic looks identical to regular web browsing to anyone watching the network. Your ISP can see you're talking to a DoH resolver (like cloudflare-dns.com), but they can't see which domains you're looking up.

DoH is supported directly in all major browsers — Chrome, Firefox, Edge, Brave. Firefox has had DoH enabled by default for US users since 2020. Google reports that over 35% of Chrome DNS queries now use encrypted DNS.

The big advantage: DoH is nearly impossible to block because it uses the same port as all other HTTPS traffic. Blocking DoH would mean blocking all secure web traffic — something no ISP can realistically do.

DNS-over-TLS (DoT)

DoT encrypts DNS queries using TLS (same encryption that powers HTTPS), but sends them over a dedicated port — port 853. Same encryption strength as DoH, but because it uses its own port, it's easier for network admins to identify and potentially block.

DoT is commonly supported at the operating system level, especially on Android (which calls it "Private DNS"). It's the go-to for router-level implementation because it can protect every device on a network at once.
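To make the wire-level difference concrete, here is an added example (not from the original article) in Python: it encodes a DNS query in the standard wire format, reads the queried name back out of it the way an on-path observer would from a plain port-53 packet, and then shows how that identical message is framed for DoT (2-byte length prefix inside TLS on port 853) and for DoH (base64url inside an ordinary HTTPS GET on port 443). The cloudflare-dns.com resolver URL is the one the article mentions; reddit.com is a constructed sample name.

```python
import base64
import struct

# Constructed sample domain; any name works.
SAMPLE_DOMAIN = "reddit.com"

def build_query(domain, qtype=1, txid=0):
    """Encode a minimal RFC 1035 A-record query. txid=0 is what RFC 8484
    recommends for DoH GET requests so that responses are HTTP-cacheable."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN

def qname_on_wire(packet):
    """Read the queried name straight out of a plain port-53 packet: this is
    exactly what an ISP or any on-path observer sees, no decryption needed."""
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += n + 1
    return ".".join(labels)

def dot_frame(query):
    """DoT (RFC 7858): the same message with a 2-byte length prefix, as in
    DNS-over-TCP, carried inside a TLS session to port 853."""
    return struct.pack(">H", len(query)) + query

def doh_get_url(query, resolver="https://cloudflare-dns.com/dns-query"):
    """DoH (RFC 8484) GET form: the message goes base64url-encoded, unpadded,
    in the ?dns= parameter of an ordinary HTTPS request to port 443."""
    return resolver + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def doh_query_from_url(url):
    """Decode the ?dns= parameter back to wire format (what the resolver does)."""
    b64 = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))

if __name__ == "__main__":
    q = build_query(SAMPLE_DOMAIN)
    print("plain UDP/53 payload:", q.hex())
    print("name readable by anyone on the path:", qname_on_wire(q))
    print("DoT frame (sent inside TLS, port 853):", dot_frame(q).hex())
    print("DoH request (sent inside HTTPS, port 443):", doh_get_url(q))
```

Only the framing and transport change between the three forms; the encrypted variants hide the name because the whole message sits inside TLS, not because the DNS bytes themselves differ.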

Which one should you use?

For most people, DoH in your browser is the simplest starting point. It takes about 30 seconds to enable and immediately protects all your browser-based DNS queries.

For broader protection covering your whole device (including apps outside the browser), enable DoT at the operating system level.

For whole-home protection covering every device on your network — smart TVs, IoT gadgets, game consoles you can't configure individually — set up encrypted DNS on your router.

How to turn it on, device by device

Chrome (DoH)

Settings, Privacy and Security, Security, scroll to "Use secure DNS." Turn it on. Select "With" and pick Cloudflare (1.1.1.1), Google (8.8.8.8), or Quad9 (9.9.9.9). Done.

From this point on, all DNS queries through Chrome are encrypted.

Firefox (DoH)

Settings, Privacy & Security, scroll to "DNS over HTTPS." Enable it and pick your provider. Firefox defaults to Cloudflare for US users.

Firefox was the first major browser to deploy DoH at scale and has the most mature implementation.

Android (DoT — "Private DNS")

Settings, Network & Internet, Private DNS. Select "Private DNS provider hostname" and enter one of these:

  • one.one.one.one (Cloudflare)
  • dns.google (Google)
  • dns.quad9.net (Quad9)

This enables DoT system-wide. Every app on your phone — not just the browser — uses encrypted DNS.

iPhone / iPad (DoH)

iOS doesn't have a built-in Private DNS toggle like Android. You've got a few options:

Option 1: Use the 1.1.1.1 app from Cloudflare (free). Install it, flip it on, and your DNS routes through Cloudflare's encrypted resolver.

Option 2: iCloud Private Relay (needs an iCloud+ subscription). This goes beyond encrypted DNS — it routes your traffic through two separate relays so neither Apple nor any relay knows both your identity and what you're browsing.

Option 3: Install a DNS profile. Security-focused DNS providers offer downloadable configuration profiles for iOS that enable DoH or DoT system-wide. Check 1.1.1.1/dns or quad9.net for their iOS setup guides.

Windows (DoH)

Windows 11: Settings, Network & Internet, Wi-Fi (or Ethernet), your connection, DNS server assignment, Edit. Enter a DNS provider that supports encryption (like 1.1.1.1) and set "DNS over HTTPS" to "On."

Windows 10: Native DoH support is limited. The simplest approach is encrypted DNS through your browser (Chrome or Firefox) or a third-party tool like DNSCrypt-proxy.

Mac (DoH)

macOS doesn't have a native encrypted DNS toggle in System Settings. Options:

  • Use browser-level DoH (Chrome or Firefox settings).
  • Install the Cloudflare 1.1.1.1 app for macOS.
  • Install a DNS configuration profile from your preferred provider.

Router level (protects your whole home)

If you're technically inclined, configuring encrypted DNS on your router protects every device on your network — including stuff you can't configure individually.

Not all consumer routers support DoH or DoT. Check your router's docs. Some that do: ASUS routers with Merlin firmware, routers running OpenWrt, and Pi-hole with cloudflared for DoH proxying.

Picking a DNS provider

Not all providers are the same when it comes to privacy.

Cloudflare (1.1.1.1): Fastest DNS resolver globally. Committed to purging all logs within 24 hours. Independently audited. US-based, which is a jurisdictional consideration for some.

Quad9 (9.9.9.9): Swiss non-profit. Strict no-logging policy. Blocks known malicious domains automatically. Strong privacy jurisdiction (Switzerland). Slightly slower than Cloudflare, excellent for privacy.

NextDNS: Highly customizable. Lets you configure ad blocking, parental controls, analytics. You control the logging — enable it for troubleshooting or turn it off entirely. Free tier supports up to 300,000 queries per month.

Google (8.8.8.8): Fast and reliable, but Google logs full query data for two weeks and retains anonymized data indefinitely. If your goal is privacy from big tech companies, Google DNS isn't your best pick. If you just want encryption against ISP snooping, it works.

Mullvad DNS: Run by the Swedish VPN company Mullvad. Zero logs, fully open source, strong privacy jurisdiction. Less mainstream but excellent for privacy-focused users.

Avoid your ISP's DNS. It's almost always unencrypted, logged, and potentially monetized. Switching away from it is the whole point.

What encrypted DNS actually protects (and what it doesn't)

The boundaries matter. Encrypted DNS is useful, not magic.

What it DOES protect: Your DNS queries — the list of domains you look up — are hidden from your ISP, your network operator, and anyone monitoring your connection. Your ISP can't build a browsing profile from your DNS traffic anymore.

What it does NOT protect:

IP addresses. Your ISP can still see the IP addresses you connect to after DNS resolution. Often the IP address reveals the website — especially for sites on dedicated IPs. For full IP-level privacy, you need a VPN.

SNI (Server Name Indication). During the TLS handshake, your browser sends the domain name in plain text through the SNI field. So your ISP can see which domain you're hitting even with encrypted DNS. Encrypted Client Hello (ECH) is being deployed to fix this, but adoption isn't complete yet in 2026.

Traffic patterns. Your ISP can see volume, timing, and destination IPs of your traffic, which can sometimes be used to infer what you're doing even without DNS data.

Bottom line: Encrypted DNS is a significant privacy improvement but not complete anonymity. It closes one of the biggest and easiest-to-exploit privacy gaps. For full protection, combine encrypted DNS with a VPN and a privacy-focused browser.

Making sure it's actually working

After enabling encrypted DNS, verify it.

DNS Leak Test: Visit dnsleaktest.com and run the extended test. Results should show your encrypted DNS provider (Cloudflare, Quad9, etc.) — not your ISP. If your ISP shows up, your DNS is leaking.

Browser verification (Chrome): Go to chrome://net-internals/#dns and look for "Secure DNS" entries.

Browser verification (Firefox): Go to about:networking#dns and check for "TRR" (Trusted Recursive Resolver) status.

If any test shows your ISP's DNS, go back through the setup and make sure encrypted DNS is properly enabled for your device and browser.

The two-minute privacy upgrade

Encrypted DNS is one of those rare things that's both highly impactful and stupidly easy to do. Enabling DoH in your browser takes 30 seconds. Private DNS on Android takes a minute. Neither costs a dime or slows down your browsing — Cloudflare and Quad9 are usually faster than your ISP's DNS anyway.

Yet most people have never done it. They didn't know the problem existed. Now you do.

Your ISP has been reading your browsing history in plain text for as long as you've had internet. Today's a good day to stop letting them.

Open your browser settings. Enable secure DNS. Pick Cloudflare or Quad9. Done.

Two minutes. Lifetime of privacy improvement.


Written by

adhen prasetiyo

Adhen Prasetiyo is an independent security researcher and the editor of BioProfileMe. He writes about cybersecurity, online scams, privacy risks, account security, and practical digital safety for everyday users.