DNS protection against Chat Control: encrypted DNS in 5 minutes

DNS is the internet's phone book. when you type signal.org in your browser, your computer asks a DNS server "what's the IP address for signal.org?" and the server responds.

by default, that query is unencrypted. your ISP sees every DNS query you make. every website you visit. every app you open. every API call. it's a complete log of your online activity.

under Chat Control, this metadata is gold. imagine a surveillance system that knows:

  • you visited signal.org (you use encrypted messaging)
  • you visited getsession.org (you're looking for anonymous messaging)
  • you visited mullvad.net (you're getting a VPN)
  • you visited nanogpt.ai (you use AI tools)

all without reading a single message.

switching to encrypted DNS takes 5 minutes and it's free. here's how.


how DNS encryption works

DNS over HTTPS (DoH) — encrypts DNS queries inside HTTPS traffic. your ISP can see you're connecting to a DNS server but can't see the queries. supported by most modern browsers and operating systems.

DNS over TLS (DoT) — encrypts DNS queries using TLS. similar to DoH but uses a dedicated port (853). some ISPs block this port.

DNSCrypt — an older protocol, less widely supported but still works.

for most people, DoH is the best choice — it's supported everywhere and hard to block because it looks like regular HTTPS traffic.


the providers i recommend

1. NextDNS — my daily driver

price: free for up to 300,000 queries/month; $2/month for unlimited features:

  • encrypted DNS (DoH, DoT)
  • built-in ad blocking and tracker blocking
  • custom blocklists
  • analytics dashboard (see what's being blocked)
  • allowlisting for false positives
  • parental controls (if you need them)

why i like it: it's like uBlock Origin but at the DNS level. blocks trackers and ads before they even reach your browser. the analytics dashboard is surprisingly useful — you can see exactly which domains your devices are connecting to.

setup:

  1. go to nextdns.io and create a free account
  2. it gives you a unique configuration ID
  3. install the NextDNS app for your platform (one-click setup)
  4. or configure manually using the settings below

affiliate link: go/dns-nextdns

2. Cloudflare 1.1.1.1 — simplest option

price: free features:

  • encrypted DNS (DoH, DoT)
  • no ad blocking (just DNS resolution)
  • fast (Cloudflare has servers everywhere)
  • no query logging (audited by KPMG)

why i like it: dead simple. no account needed. no configuration. just point your DNS to 1.1.1.1 and you're done.

setup:

  1. go to 1.1.1.1
  2. download the app (one-click setup)
  3. or configure manually

3. Quad9 — security-focused

price: free features:

  • encrypted DNS (DoH, DoT)
  • blocks known malicious domains
  • based in switzerland (good jurisdiction)
  • no personal data logging

why i like it: if security is your primary concern, Quad9 blocks known malware and phishing domains. it's run by a non-profit with backing from IBM and the Global Cyber Alliance.


device-specific setup

iOS (iPhone/iPad)

method 1: configuration profile (recommended)

  1. go to your DNS provider's website (NextDNS or Cloudflare)
  2. download the configuration profile
  3. settings → general → VPN & Device Management → install the profile
  4. done — DNS is now encrypted

method 2: native DoH

  1. settings → wifi → tap the (i) next to your network
  2. scroll to configure DNS → manual
  3. add servers: 1.1.1.1 and 1.0.0.1
  4. this uses plain DNS — for DoH, use the app or configuration profile

android

method 1: private DNS (Android 9+)

  1. settings → network & internet → private DNS
  2. select "private DNS provider hostname"
  3. enter: dns.cloudflare-dns.com (Cloudflare) or your NextDNS hostname
  4. save

method 2: app

  1. download the 1.1.1.1 or NextDNS app from the Play Store
  2. enable the DNS connection
  3. done

windows

method 1: system settings (Windows 11)

  1. settings → network & internet → wifi (or ethernet) → hardware properties
  2. DNS server assignment → edit → manual
  3. enable IPv4, enter 1.1.1.1 as preferred, 1.0.0.1 as alternate
  4. enable "encrypted only (DNS over HTTPS)"
  5. save

method 2: app

  1. download the Cloudflare WARP or NextDNS app
  2. install and enable
  3. done

macOS

method 1: system settings

  1. system settings → network → wifi (or ethernet) → details → DNS
  2. add 1.1.1.1 and 1.0.0.1
  3. for DoH, use the app instead

method 2: app

  1. download the Cloudflare WARP or NextDNS app
  2. install and enable

linux

method 1: systemd-resolved (most distros) edit /etc/systemd/resolved.conf:

[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes

then restart: sudo systemctl restart systemd-resolved

method 2: /etc/resolv.conf add:

nameserver 1.1.1.1
nameserver 1.0.0.1

for DoH, use cloudflared proxy or the NextDNS CLI.

router-level

if you configure DNS on your router, all devices on your network get encrypted DNS automatically.

  1. log into your router (usually 192.168.1.1 or 192.168.0.1)
  2. find DNS settings (usually under WAN or internet settings)
  3. enter 1.1.1.1 and 1.0.0.1
  4. note: most routers don't support DoH/DoT natively — you'll get encrypted DNS on the router-to-server connection but not device-to-router

for full encryption on all devices, use the app on each device or set up a Pi-hole with DNS-over-HTTPS.


beyond DNS: DNS-level ad blocking

if you're using NextDNS, you can enable ad and tracker blocking at the DNS level. this means:

  • ads are blocked before they load (faster page loads)
  • trackers are blocked before they execute (better privacy)
  • works on all apps, not just your browser (blocks in-app tracking)
  • works on all devices on your network (if configured at the router)

recommended blocklists for NextDNS:

  • NextDNS Ads & Trackers Blocklist (default)
  • OISD (comprehensive, low false positives)
  • Steven Black's Unified Hosts List
  • notracking (aggressive, may break some sites)

if something breaks, check the NextDNS analytics dashboard — it shows which domains are being blocked so you can allowlist the ones you need.


testing your setup

after configuring encrypted DNS, verify it's working:

  1. go to dnsleaktest.com and run the extended test
  2. the results should show your DNS provider (Cloudflare, NextDNS, etc.) — not your ISP
  3. go to 1.1.1.1/help to verify DoH/DoT is active
  4. if you're using NextDNS, check the analytics dashboard — you should see queries coming in

the limits of DNS encryption

encrypted DNS protects your queries from your ISP and from network-level surveillance. it does not protect against:

  • SNI (Server Name Indication) — when you connect to an HTTPS website, the domain name is sent in plaintext during the TLS handshake. Encrypted Client Hello (ECH) fixes this but isn't widely deployed yet.
  • IP-based tracking — if you connect directly to an IP address, DNS encryption doesn't help. this is less common but happens with some apps.
  • browser fingerprinting — DNS encryption doesn't prevent websites from identifying you through other means.

DNS encryption is one layer. combine it with a VPN (which encrypts all traffic including DNS) and uBlock Origin (which blocks trackers at the browser level) for comprehensive protection.


last updated: july 2026