DNS stands for Domain Name System: the protocol that translates human-readable domain names (predaxia.com) into IP addresses (the underlying numeric routing identifiers). The phone book of the internet, with around 500 billion queries per day globally. Originally designed in 1983 with no encryption or authentication; the modern internet retrofits these properties through DNSSEC (authentication) and DoH/DoT (encryption) without removing the underlying plaintext fallback.
What it means in practice
DNS is the structural privacy weak point most users underestimate. Without encrypted DNS, every site you visit produces a plaintext DNS query that the local network sees: the ISP, the hotel Wi-Fi, the coffee-shop network, the corporate proxy. The visit to predaxia.com generates a query for predaxia.com that the network observer logs. With encrypted DNS (DoH or DoT), the query is encrypted between your device and a DNS resolver of your choice (Cloudflare 1.1.1.1, Quad9 9.9.9.9, NextDNS, Mullvad DNS); the network observer sees encrypted traffic but not the destination. The trade-off is that you have moved the trust from the ISP to the DNS resolver. The choice of resolver matters for both performance and privacy posture: Quad9 is a Swiss nonprofit with a no-log policy, Mullvad runs encrypted DNS for paying customers, Cloudflare is a US for-profit with the largest infrastructure footprint and a privacy-friendly stance.
Where it shows up
Operationally relevant for: every internet connection where the local network can observe DNS queries, which is most contexts unless encrypted DNS is configured. Most consequential against: ISP-level DNS logging (the practice exists in the US under the 2017 ISP-privacy regulatory rollback, with several major ISPs selling DNS-derived data into the advertising market), local-network observers in coffee shops, hotels, schools, and corporate environments, some censorship systems that operate at the DNS level (which encrypted DNS bypasses), and the structural threat that DNS metadata identifies which sites you visit even when the underlying TLS connection is encrypted. Less consequential against: TLS Server Name Indication (SNI) leakage, where the encrypted-DNS-resolved IP still produces a TLS handshake that includes the destination hostname in plaintext until ECH is widely deployed (which is in progress as of 2026 but not yet universal).
What you can change today
Three configurations. iOS 14+: Settings, General, VPN and Device Management, install a DNS profile from Quad9 (quad9.net) or Mullvad customers can use Mullvad DNS via the Mullvad app. Android 9+: Settings, Network and internet, Private DNS, set to “dns.quad9.net” or “doh.mullvad.net” or your chosen DoT-capable resolver. Browser-level: Firefox enables DoH by default with Cloudflare; switch to NextDNS or Quad9 in Settings, Privacy and Security, DNS over HTTPS, Custom Provider. For VPN users: Mullvad and Proton VPN tunnel DNS through the VPN by default, so encrypted DNS is automatic for connections inside the tunnel. Verify with dnsleaktest.com that the configuration is working as intended.
