DNS protection against Chat Control: encrypted DNS in 5 minutes
DNS is the internet's phone book. when you type signal.org in your browser, your computer asks a DNS server "what's the IP address for signal.org?" and the server responds.
by default, that query is unencrypted. your ISP sees every DNS query you make. every website you visit. every app you open. every API call. it's a complete log of your online activity.
under Chat Control, this metadata is gold. imagine a surveillance system that knows:
- you visited signal.org (you use encrypted messaging)
- you visited getsession.org (you're looking for anonymous messaging)
- you visited mullvad.net (you're getting a VPN)
- you visited nanogpt.ai (you use AI tools)
all without reading a single message.
switching to encrypted DNS takes 5 minutes and it's free. here's how.
how DNS encryption works
DNS over HTTPS (DoH) — encrypts DNS queries inside HTTPS traffic. your ISP can see you're connecting to a DNS server but can't see the queries. supported by most modern browsers and operating systems.
DNS over TLS (DoT) — encrypts DNS queries using TLS. similar to DoH but uses a dedicated port (853). some ISPs block this port.
DNSCrypt — an older protocol, less widely supported but still works.
for most people, DoH is the best choice — it's supported everywhere and hard to block because it looks like regular HTTPS traffic.
the providers i recommend
1. NextDNS — my daily driver
price: free for up to 300,000 queries/month; $2/month for unlimited features:
- encrypted DNS (DoH, DoT)
- built-in ad blocking and tracker blocking
- custom blocklists
- analytics dashboard (see what's being blocked)
- allowlisting for false positives
- parental controls (if you need them)
why i like it: it's like uBlock Origin but at the DNS level. blocks trackers and ads before they even reach your browser. the analytics dashboard is surprisingly useful — you can see exactly which domains your devices are connecting to.
setup:
- go to nextdns.io and create a free account
- it gives you a unique configuration ID
- install the NextDNS app for your platform (one-click setup)
- or configure manually using the settings below
affiliate link: go/dns-nextdns
2. Cloudflare 1.1.1.1 — simplest option
price: free features:
- encrypted DNS (DoH, DoT)
- no ad blocking (just DNS resolution)
- fast (Cloudflare has servers everywhere)
- no query logging (audited by KPMG)
why i like it: dead simple. no account needed. no configuration. just point your DNS to 1.1.1.1 and you're done.
setup:
- go to 1.1.1.1
- download the app (one-click setup)
- or configure manually
3. Quad9 — security-focused
price: free features:
- encrypted DNS (DoH, DoT)
- blocks known malicious domains
- based in switzerland (good jurisdiction)
- no personal data logging
why i like it: if security is your primary concern, Quad9 blocks known malware and phishing domains. it's run by a non-profit with backing from IBM and the Global Cyber Alliance.
device-specific setup
iOS (iPhone/iPad)
method 1: configuration profile (recommended)
- go to your DNS provider's website (NextDNS or Cloudflare)
- download the configuration profile
- settings → general → VPN & Device Management → install the profile
- done — DNS is now encrypted
method 2: native DoH
- settings → wifi → tap the (i) next to your network
- scroll to configure DNS → manual
- add servers:
1.1.1.1and1.0.0.1 - this uses plain DNS — for DoH, use the app or configuration profile
android
method 1: private DNS (Android 9+)
- settings → network & internet → private DNS
- select "private DNS provider hostname"
- enter:
dns.cloudflare-dns.com(Cloudflare) or your NextDNS hostname - save
method 2: app
- download the 1.1.1.1 or NextDNS app from the Play Store
- enable the DNS connection
- done
windows
method 1: system settings (Windows 11)
- settings → network & internet → wifi (or ethernet) → hardware properties
- DNS server assignment → edit → manual
- enable IPv4, enter
1.1.1.1as preferred,1.0.0.1as alternate - enable "encrypted only (DNS over HTTPS)"
- save
method 2: app
- download the Cloudflare WARP or NextDNS app
- install and enable
- done
macOS
method 1: system settings
- system settings → network → wifi (or ethernet) → details → DNS
- add
1.1.1.1and1.0.0.1 - for DoH, use the app instead
method 2: app
- download the Cloudflare WARP or NextDNS app
- install and enable
linux
method 1: systemd-resolved (most distros)
edit /etc/systemd/resolved.conf:
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes
then restart: sudo systemctl restart systemd-resolved
method 2: /etc/resolv.conf
add:
nameserver 1.1.1.1
nameserver 1.0.0.1
for DoH, use cloudflared proxy or the NextDNS CLI.
router-level
if you configure DNS on your router, all devices on your network get encrypted DNS automatically.
- log into your router (usually 192.168.1.1 or 192.168.0.1)
- find DNS settings (usually under WAN or internet settings)
- enter
1.1.1.1and1.0.0.1 - note: most routers don't support DoH/DoT natively — you'll get encrypted DNS on the router-to-server connection but not device-to-router
for full encryption on all devices, use the app on each device or set up a Pi-hole with DNS-over-HTTPS.
beyond DNS: DNS-level ad blocking
if you're using NextDNS, you can enable ad and tracker blocking at the DNS level. this means:
- ads are blocked before they load (faster page loads)
- trackers are blocked before they execute (better privacy)
- works on all apps, not just your browser (blocks in-app tracking)
- works on all devices on your network (if configured at the router)
recommended blocklists for NextDNS:
- NextDNS Ads & Trackers Blocklist (default)
- OISD (comprehensive, low false positives)
- Steven Black's Unified Hosts List
- notracking (aggressive, may break some sites)
if something breaks, check the NextDNS analytics dashboard — it shows which domains are being blocked so you can allowlist the ones you need.
testing your setup
after configuring encrypted DNS, verify it's working:
- go to dnsleaktest.com and run the extended test
- the results should show your DNS provider (Cloudflare, NextDNS, etc.) — not your ISP
- go to 1.1.1.1/help to verify DoH/DoT is active
- if you're using NextDNS, check the analytics dashboard — you should see queries coming in
the limits of DNS encryption
encrypted DNS protects your queries from your ISP and from network-level surveillance. it does not protect against:
- SNI (Server Name Indication) — when you connect to an HTTPS website, the domain name is sent in plaintext during the TLS handshake. Encrypted Client Hello (ECH) fixes this but isn't widely deployed yet.
- IP-based tracking — if you connect directly to an IP address, DNS encryption doesn't help. this is less common but happens with some apps.
- browser fingerprinting — DNS encryption doesn't prevent websites from identifying you through other means.
DNS encryption is one layer. combine it with a VPN (which encrypts all traffic including DNS) and uBlock Origin (which blocks trackers at the browser level) for comprehensive protection.
last updated: july 2026
related articles
- VPN Guide — encrypt all your traffic
- Adblockers for Privacy — browser-level blocking
- Complete Protection Guide — the full checklist
- Anti-Chat Control Hub — everything in one place