Encrypted DNS is the family of protocols that protect DNS queries from observation by network intermediaries. The two main standards: DoH (DNS over HTTPS, RFC 8484) and DoT (DNS over TLS, RFC 7858). Both encrypt the lookup of “what is the IP for example.com” so that the local network, ISP, or coffee-shop Wi-Fi cannot see which sites you are visiting via the DNS query. Adopted as a default by Firefox (DoH via Cloudflare or NextDNS), increasingly by Chrome and Safari, and supported on iOS 14+ and Android 9+ at the OS level.
What it means in practice
Without encrypted DNS, every site you visit produces a plaintext DNS query that the local network sees. The visit to example.com generates a DNS query for example.com that the ISP logs, the coffee-shop Wi-Fi captures, and the school network filters. With encrypted DNS, the query is encrypted between your device and the DNS resolver, which is a third party (Cloudflare 1.1.1.1, Quad9 9.9.9.9, NextDNS, Mullvad DNS) rather than the local ISP. The trade-off: you have moved the trust from the ISP to the resolver. The choice of resolver matters: Quad9 is a Swiss nonprofit with a no-log policy, Mullvad runs encrypted DNS for paying customers, Cloudflare is a US for-profit with a privacy-friendly stance and the largest infrastructure footprint.
Where it shows up
Most consequential against: local-network observers (ISP, hotel Wi-Fi, public networks, school and corporate networks where DNS is logged or filtered), some censorship systems that operate at the DNS level (which encrypted DNS bypasses), and advertising networks that buy ISP-level DNS data (the practice exists in the US under the 2017 ISP-privacy regulatory rollback). Less consequential against: TLS Server Name Indication (SNI) leakage, where the encrypted-DNS-resolved IP still produces a TLS handshake that includes the destination hostname in plaintext until ESNI/ECH is widely deployed (which is in progress as of 2026).
What you can change today
Three layers. iOS 14+: Settings, General, VPN and Device Management, install a DNS profile from Quad9 (quad9.net) or Mullvad customers can use Mullvad DNS via their app. Android 9+: Settings, Network and internet, Private DNS, set to “dns.quad9.net” or “doh.mullvad.net.” Browser-level: Firefox enables DoH by default with Cloudflare; switch to NextDNS or Quad9 in Settings, Privacy and Security, DNS over HTTPS, Custom Provider. For VPN users: Mullvad and Proton VPN tunnel DNS through the VPN by default, so encrypted DNS is automatic for connections inside the tunnel. Verify with dnsleaktest.com.
