How to set up encrypted DNS at the network level

Stop your ISP from logging every site you visit. Configure DoH/DoT once at your router and protect every device on your home Wi-Fi.

By Lena Park · Cybersecurity Editor
Reviewed by Ravi Subramanian · Network Security Researcher

Quick answer

Choose a privacy-respecting DNS resolver (NextDNS, Cloudflare 1.1.1.3, AdGuard DNS, Quad9). Configure it on your router so every device on your network uses it. If your router doesn't support encrypted DNS, configure it per-device (Windows, macOS, iOS, Android all support DoH/DoT in 2026). Verify it works at dnscheck.tools.

Key takeaways

  • Configure DNS at the router level to protect every device automatically.
  • Per-device config works but requires per-device maintenance.
  • NextDNS, Cloudflare 1.1.1.3, AdGuard DNS, Quad9 — pick one based on features you want.
  • Verify with dnscheck.tools after changing.
  • Encrypted DNS hides your queries from your ISP; combine it with a VPN for full network privacy.

Pick your DNS resolver

The big four privacy-respecting public DNS resolvers in 2026:

NextDNS — most configurable, strong logging controls, free tier of 300K queries/month covers most households. Custom blocklists for ads/trackers/malware.

Cloudflare 1.1.1.3 — the 1.1.1.3 privacy tier includes built-in malware and adult-content filtering. Fast, well-distributed, free.

AdGuard DNS — strong ad-blocking integrated, free tier with reasonable limits.

Quad9 — non-profit Swiss-based, malware-blocking by default, no logging.

Avoid your ISP's default DNS (logs your queries) and any 'free DNS' from companies you don't recognize.

Configure at the router (best — protects all devices)

1. Sign in to your router's admin interface (usually at 192.168.1.1 or 192.168.0.1; the login is often admin/admin, or check the sticker on the back).

2. Find DNS settings — usually under WAN, Internet, or Network settings.

3. Set Primary DNS and Secondary DNS to your chosen provider's addresses.

4. Save and reboot the router.

5. Some modern routers (eero, Asus, Ubiquiti, OpenWrt, Mikrotik) support DNS-over-HTTPS or DNS-over-TLS at router level — enable it. If not, plain DNS to a privacy-respecting resolver still beats ISP DNS.

Important: DNS configured at the router protects every device automatically — TVs, fridges, smart speakers, kids' tablets. This is the highest-leverage configuration.

Configure per-device (if your router doesn't support encrypted DNS)

Windows 11: Settings → Network & Internet → Wi-Fi → adapter → DNS server assignment → Manual. Enable IPv4 DNS over HTTPS (set to 'On (manual template)'). Add 1.1.1.1 (or your preferred resolver).

macOS: System Settings → Wi-Fi → Details → DNS → add resolver. For DoH, install a configuration profile from your DNS provider.

iOS: Settings → Wi-Fi → (i) next to network → Configure DNS → Manual. Or install a DNS configuration profile from your provider.

Android: Settings → Network & internet → Private DNS → set hostname (e.g., 1dot1dot1dot1.cloudflare-dns.com).

These are easier to set than to maintain — if you switch networks (work, hotel) you may need to reconfigure.

Verify it works

Visit dnscheck.tools — confirms which DNS resolver you're using.

Visit cloudflare-dns.com/help — Cloudflare's specific test, shows if you're on 1.1.1.x and whether DoH is active.

Run nslookup or dig from a terminal: 'dig @1.1.1.1 example.com' should return without errors.

If your DNS doesn't change despite configuration, your router may be force-overriding — check for ISP-locked routers or DNS hijacking settings.

What this protects (and doesn't)

Protects: your DNS queries from ISP-level logging and shaping; helps with ad/tracker/malware blocking depending on resolver.

Doesn't cover: the contents of your HTTPS traffic (the URL path, form data, etc.). Those are encrypted by HTTPS itself, separately from DNS.

Doesn't make you anonymous: the DNS resolver still sees your queries (though privacy-respecting ones don't log).

For full anonymity, combine with a VPN or Tor.

Order of impact: blocks the ISP's view of your browsing; reduces ad-tracker pixel calls; helps against some phishing/malware domains; speeds up DNS for some networks.

Frequently asked questions

What's the difference between DoH and DoT?

Both encrypt DNS. DoH (DNS-over-HTTPS) wraps DNS in HTTPS, which makes it harder to block. DoT (DNS-over-TLS) uses a dedicated TLS port (853), which makes it easier to identify but cleaner. Either is fine.
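
The framing difference described in this answer, plus a check that goes further than the plain port-53 dig query in "Verify it works", as an added example that is not part of the original article: one DNS message is framed for DoT and for DoH, and probe_dot sends it to the resolver over TLS on port 853. The function names are illustrative; https://cloudflare-dns.com/dns-query is Cloudflare's published DoH endpoint, and the address and hostname are the Cloudflare values used on this page.

```python
import base64
import socket
import ssl
import struct

def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """RFC 1035 query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD set, one question
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame_dot(message: bytes) -> bytes:
    """DoT (RFC 7858): 2-byte length prefix, sent inside TLS on TCP port 853."""
    return struct.pack("!H", len(message)) + message

def frame_doh_get(message: bytes, endpoint: str) -> str:
    """DoH (RFC 8484) GET: unpadded base64url in the 'dns' query parameter."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"

def _recv_exact(sock, count: int) -> bytes:
    """Read exactly `count` bytes; TCP may deliver the reply in pieces."""
    data = b""
    while len(data) < count:
        chunk = sock.recv(count - len(data))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        data += chunk
    return data

def probe_dot(name: str, server: str, tls_name: str, timeout: float = 5.0) -> dict:
    """Live check: resolve `name` over DoT and report what was negotiated."""
    context = ssl.create_default_context()  # verifies the resolver's certificate
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(frame_dot(build_query(name, msg_id=0x1234)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            reply = _recv_exact(tls, length)
            return {"tls": tls.version(), "rcode": reply[3] & 0x0F,
                    "answers": struct.unpack("!H", reply[6:8])[0]}

if __name__ == "__main__":
    # Needs network access; address and hostname are the Cloudflare values from this page.
    print(frame_doh_get(build_query("www.example.com"), "https://cloudflare-dns.com/dns-query"))
    print(probe_dot("example.com", "1.1.1.1", "1dot1dot1dot1.cloudflare-dns.com"))
```

A reply with rcode 0 and at least one answer, received over a certificate-verified TLS session, confirms that the DoT path to the resolver works from that network.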

Will encrypted DNS slow my internet?

Marginally — adds 5-30ms per query. Modern resolvers (Cloudflare especially) often cache aggressively, so you may see no slowdown or even improvements over slow ISP DNS.

Can my employer/school detect that I'm using custom DNS?

Yes — they can see DNS queries to non-default resolvers. On work/school networks, follow their AUP. For home, this is your own network.

Does this make a VPN unnecessary?

No. DNS protects only DNS queries. A VPN protects DNS + the actual content of your traffic + your IP address from sites you visit. They're complementary.

What if my router doesn't have DNS settings?

Some ISP routers lock these. Workaround: put your own router behind the ISP's (double-NAT) and configure DNS on yours. Or replace the ISP router with your own (call your ISP for credentials).

Lena Park · Cybersecurity Editor

Lena leads Sentrly's editorial review and fact-checks every published guide against vendor documentation.