Your ISP Can See Every Website You Visit — Here's How Encrypted DNS Fixes That

Even with HTTPS protecting the content of your browsing, your Internet Service Provider can still see every single domain you visit through your DNS queries. Encrypted DNS protocols like DoH and DoT close this gap — and setting them up takes less than two minutes. Here's how it works and how to enable it on every device you own.

Figure: Comparison of traditional DNS, with website names visible to the ISP, versus encrypted DNS, with a protected tunnel hiding browsing activity


There's a common misconception that I need to clear up, because it's giving millions of people a false sense of privacy.

Most people believe that because they see the padlock icon in their browser — meaning the website uses HTTPS — their Internet Service Provider can't see what they're doing online. They think their browsing is private.

It's not. Not even close.

HTTPS encrypts the content of your communication with a website. Your ISP can't see what you're reading, what you're typing, what you're buying, or what files you're downloading. That part is true and it matters.

But HTTPS does not encrypt which websites you visit. Every single time you type a URL into your browser or click a link, your device sends a DNS query — a request to translate the human-readable domain name (like "reddit.com") into the IP address your browser needs to connect. And traditionally, that DNS query is sent in complete plain text. No encryption. No protection.

Your ISP sees every DNS query. They know you visited your bank's website. They know you visited a job search site. They know you visited a medical information page about a specific condition. They know you visited a dating app. They know you visited a competitor's website. They know every single domain you've connected to, exactly when, and how often.

In many countries, ISPs are legally allowed to collect and sell this data. In the United States, ISPs can sell your browsing history to advertisers without your explicit consent — Congress rolled back the FCC's privacy rules in 2017, and they've never been restored. Your ISP doesn't need to hack you. They just read your DNS queries, which you've been broadcasting in plain text this entire time.

Encrypted DNS fixes this. And it's one of the simplest, most impactful privacy upgrades you can make.

How DNS Works (And Why It's a Privacy Problem)

DNS — the Domain Name System — is often called the phonebook of the internet. When you type "google.com" into your browser, your device doesn't know how to reach "google.com" directly. It needs the IP address — something like 142.250.80.46. So it sends a DNS query to a DNS server (called a resolver) asking: "What's the IP address for google.com?"

The resolver answers with the IP address, and your browser connects. This happens for every website, every app connection, every service your device communicates with. Hundreds of DNS queries per day, often thousands.

By default, these queries go to your ISP's DNS resolver. The ISP provides it automatically when your device connects to the network. And because traditional DNS uses UDP port 53 with zero encryption, every query is visible to your ISP and anyone else positioned to observe your network traffic — the coffee shop network operator, a compromised router, or a government surveillance system.

Even if you switch to a privacy-focused DNS resolver like Cloudflare (1.1.1.1) or Quad9 (9.9.9.9), if you don't encrypt the connection, your ISP can still see your queries in transit. They may not be the ones answering the queries anymore, but they can still read them as they pass through their network.

This is the critical gap that encrypted DNS closes.

DoH and DoT: What They Are and How They Differ

Two protocols solve this problem. Both encrypt your DNS queries so no one between you and the DNS resolver can read them. They just do it differently.

DNS-over-HTTPS (DoH)

DoH wraps DNS queries inside normal HTTPS traffic — the same encryption used by every secure website. It uses port 443, the standard HTTPS port. This means DoH traffic looks identical to regular web browsing to anyone observing the network. Your ISP can see that you're communicating with a DoH resolver (like cloudflare-dns.com), but they can't see what domains you're looking up.

DoH is supported directly in all major browsers — Chrome, Firefox, Edge, and Brave. Firefox has had DoH enabled by default for US users since 2020. Google reports that over 35% of Chrome DNS queries now use encrypted DNS.

The key advantage of DoH is that it's nearly impossible to block because it uses the same port as all other HTTPS traffic. Blocking DoH would mean blocking all secure web traffic — which no ISP can do.
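As an added illustration (not code from the article), the following Python builds the same DNS query for "reddit.com" that a device emits before connecting, shows what a passive observer recovers from the plaintext UDP/53 payload, and then frames the identical message for DoH (RFC 8484) and DoT (RFC 7858). The DoH URL assumes Cloudflare's public endpoint at cloudflare-dns.com; nothing is sent over the network.

```python
import base64
import struct

def build_query(name: str, txid: int = 0) -> bytes:
    """Encode a standard A-record query in DNS wire format (RFC 1035).
    txid defaults to 0 because RFC 8484 recommends it for cacheable DoH GETs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; 1 question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def qname_seen_on_the_wire(udp_payload: bytes) -> str:
    """What anyone on the path recovers from a plaintext UDP/53 query: the full domain."""
    pos, parts = 12, []                        # question section starts after the 12-byte header
    while udp_payload[pos]:                    # labels end with a zero-length label
        n = udp_payload[pos]
        parts.append(udp_payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(parts)

def doh_get_url(query: bytes, resolver: str = "https://cloudflare-dns.com/dns-query") -> str:
    """DoH GET form: the same wire message, base64url without padding, carried inside TLS on 443.
    An observer sees a TLS connection to the resolver, never this URL."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"

def doh_post(query: bytes):
    """DoH POST form: headers plus the raw wire message as the request body."""
    headers = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    return headers, query

def dot_frame(query: bytes) -> bytes:
    """DoT framing: 2-byte big-endian length prefix then the message, sent inside TLS on 853."""
    return struct.pack("!H", len(query)) + query

if __name__ == "__main__":
    q = build_query("reddit.com")              # constructed sample query
    print("plaintext UDP/53 reveals:", qname_seen_on_the_wire(q))
    print("DoH GET URL (hidden by TLS):", doh_get_url(q))
    print("DoT frame bytes:", dot_frame(q).hex())
```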

DNS-over-TLS (DoT)

DoT encrypts DNS queries using TLS (the same encryption protocol that powers HTTPS), but sends them over a dedicated port — port 853. This provides the same encryption strength as DoH, but because it uses a distinct port, it's easier for network administrators to identify and potentially block.

DoT is commonly supported at the operating system level, particularly on Android (which calls it "Private DNS"). It's the preferred protocol for router-level implementation because it can protect all devices on a network simultaneously.

Which One Should You Use?

For most individual users, DoH in your browser is the simplest starting point — it takes about 30 seconds to enable and immediately protects all your browser-based DNS queries.

For broader protection covering your entire device (including apps outside the browser), enable DoT at the operating system level.

For whole-home protection covering every device on your network (including smart TVs, IoT devices, and game consoles that you can't configure individually), set up encrypted DNS on your router.

How to Enable Encrypted DNS — Device by Device

Chrome (DoH)

Go to Settings → Privacy and Security → Security → scroll to "Use secure DNS." Turn it on. Select "With" and choose Cloudflare (1.1.1.1), Google (8.8.8.8), or Quad9 (9.9.9.9). Done.

From this point on, all DNS queries made through Chrome are encrypted.

Firefox (DoH)

Go to Settings → Privacy & Security → scroll to "DNS over HTTPS." Enable it and select your preferred provider. Firefox defaults to Cloudflare for US users.

Firefox was the first major browser to deploy DoH at scale and has the most mature implementation.

Android (DoT — "Private DNS")

Go to Settings → Network & Internet → Private DNS. Select "Private DNS provider hostname" and enter one of these:

  • one.one.one.one (Cloudflare)
  • dns.google (Google)
  • dns.quad9.net (Quad9)

This enables DoT system-wide — every app on your phone, not just the browser, will use encrypted DNS.

iPhone / iPad (DoH)

iOS doesn't have a built-in Private DNS toggle like Android. You have three main options:

Option 1: Use the 1.1.1.1 app from Cloudflare (free). Install it, enable it, and it routes your DNS through Cloudflare's encrypted resolver.

Option 2: Use iCloud Private Relay (requires iCloud+ subscription). This goes beyond encrypted DNS — it routes your traffic through two separate relays so neither Apple nor any relay knows both your identity and what you're browsing.

Option 3: Install a DNS profile. Security-focused DNS providers offer downloadable configuration profiles for iOS that enable DoH or DoT system-wide. Visit 1.1.1.1/dns or quad9.net for their iOS setup guides.

Windows (DoH)

Windows 11: Go to Settings → Network & Internet → Wi-Fi (or Ethernet) → your connection → DNS server assignment → Edit. Enter a DNS provider that supports encryption (like 1.1.1.1) and set "DNS over HTTPS" to "On."

Windows 10: Native DoH support is limited. The simplest approach is to use encrypted DNS through your browser (Chrome or Firefox) or install a third-party tool like DNSCrypt-proxy.

Mac (DoH)

macOS doesn't have a native encrypted DNS toggle in System Settings. Your options:

  • Use browser-level DoH (Chrome or Firefox settings, as described above).
  • Install the Cloudflare 1.1.1.1 app for macOS.
  • Install a DNS configuration profile from your preferred provider.

Router Level (Protects Your Entire Home)

For technically inclined users, configuring encrypted DNS on your router protects every device on your network — including smart TVs, game consoles, and IoT devices that you can't configure individually.

Not all consumer routers support DoH or DoT. Check your router's documentation. Some popular options that do: ASUS routers with Merlin firmware, routers running OpenWrt, and Pi-hole with cloudflared for DoH proxying.

Choosing a DNS Provider

Not all DNS providers are equal when it comes to privacy.

Cloudflare (1.1.1.1): Fastest DNS resolver globally. Committed to purging all logs within 24 hours. Independently audited. US-based, which is a jurisdictional consideration for some users.

Quad9 (9.9.9.9): Swiss non-profit. Strict no-logging policy. Blocks known malicious domains automatically. Strong privacy jurisdiction (Switzerland). Slightly slower than Cloudflare but excellent for privacy.

NextDNS: Highly customizable. Lets you configure ad blocking, parental controls, and analytics. You control the logging — you can enable it for troubleshooting or disable it entirely. Free tier supports up to 300,000 queries per month.

Google (8.8.8.8): Fast and reliable, but Google logs full query data for two weeks and retains anonymized data indefinitely. If your goal is privacy from large tech companies, Google DNS is not the best choice. If your goal is simply encrypting against ISP snooping, it works.

Mullvad DNS: Run by the Swedish VPN company Mullvad. Zero logs, fully open source, strong privacy jurisdiction. Less mainstream but excellent for privacy-focused users.

Avoid your ISP's DNS. Your ISP's default DNS is almost always unencrypted, logged, and potentially monetized. Switching away from it is the entire point.

What Encrypted DNS Does and Doesn't Protect

Let me be clear about the boundaries of encrypted DNS, because overstating its capabilities would do you a disservice.

What it DOES protect:

Your DNS queries — the list of domains you look up — are hidden from your ISP, your network operator, and anyone monitoring your connection. Your ISP can no longer build a browsing profile based on your DNS traffic.

What it does NOT protect:

IP addresses. Your ISP can still see the IP addresses you connect to after DNS resolution. In many cases, the IP address reveals the website (especially for sites hosted on dedicated IPs). For full IP-level privacy, you need a VPN.

SNI (Server Name Indication). During the TLS handshake, your browser sends the domain name in plain text via the SNI field. This allows your ISP to see which domain you're connecting to even with encrypted DNS. Encrypted Client Hello (ECH) is being deployed to fix this, but adoption is still incomplete in 2026.
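To make the SNI caveat concrete, the following Python (added here, not part of the article) constructs a minimal TLS ClientHello for "reddit.com" and parses the server_name extension back out of it the way a passive observer on the path would; the cipher suite and zeroed random are constructed placeholders, and no connection is made.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Constructed minimal ClientHello (TLS record + handshake header) with one SNI extension."""
    name = host.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # name_type=host_name, length, name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list  # ext type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                                  # client version + (zeroed) random
            + b"\x00"                                                   # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                        # one cipher suite (placeholder)
            + b"\x01\x00"                                               # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)                # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16 = handshake

def sni_seen_on_the_wire(record: bytes):
    """Walk a ClientHello as a passive observer would; return the plaintext SNI host, or None.
    With Encrypted Client Hello deployed, this field would only show the provider's public name."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                    # not a handshake record / not a ClientHello
    pos = 9 + 2 + 32                                   # skip headers, client version, random
    pos += 1 + record[pos]                             # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
    pos += 1 + record[pos]                             # compression methods
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        if ext_type == 0:                              # server_name extension
            name_len = struct.unpack("!H", record[pos + 7:pos + 9])[0]
            return record[pos + 9:pos + 9 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None

if __name__ == "__main__":
    hello = build_client_hello("reddit.com")           # constructed sample handshake
    print("SNI visible to the ISP despite encrypted DNS:", sni_seen_on_the_wire(hello))
```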

Traffic patterns. Your ISP can see the volume, timing, and destination IPs of your traffic, which can sometimes be used to infer activity even without DNS data.

Bottom line: Encrypted DNS is a significant privacy improvement but not complete anonymity. It closes one of the biggest and easiest-to-exploit privacy gaps. For full protection, combine encrypted DNS with a VPN and a privacy-focused browser.

How to Verify It's Working

After enabling encrypted DNS, verify that it's actually working.

DNS Leak Test: Visit dnsleaktest.com and run the extended test. The results should show your encrypted DNS provider (Cloudflare, Quad9, etc.) — not your ISP. If your ISP appears, DNS is leaking.

Browser verification (Chrome): Visit chrome://net-internals/#dns and look for "Secure DNS" entries.

Browser verification (Firefox): Visit about:networking#dns and check for "TRR" (Trusted Recursive Resolver) status.

If any test shows your ISP's DNS, go back through the setup steps and ensure encrypted DNS is properly enabled for your device and browser.

The Two-Minute Privacy Upgrade

Encrypted DNS is one of those rare security improvements that's both highly impactful and trivially easy to implement. Enabling DoH in your browser takes 30 seconds. Enabling Private DNS on Android takes one minute. Neither costs anything, and neither slows your browsing — in fact, Cloudflare and Quad9 are usually faster than your ISP's DNS.

Yet most people have never done it, because they didn't know the problem existed. Now you do.

Your ISP has been reading your browsing history in plain text for as long as you've had an internet connection. Today's the day you stop letting them.

Open your browser settings. Enable secure DNS. Pick Cloudflare or Quad9. Done.

Two minutes. Lifetime of privacy improvement.


Written by Rahmat Syahputra

Research Bug Bounty Professional, freelance at HackerOne, Intigriti, and Bugcrowd.
