Switching on “private DNS” feels like flipping the privacy switch. The name alone makes it sound like a one-click solution to keep your browsing habits to yourself, hidden from your ISP, your network admin, and anyone else who might be peeking at your traffic.
The reality is messier. Private DNS does plug one specific hole, but it leaves a surprising amount of your activity exposed in ways most people never think about. I’ve gone down this rabbit hole more than once, and here’s where the leaks actually happen.
What “private DNS” actually does (and what it doesn’t do)
The name oversells the feature by a wide margin
Private DNS, in most cases, just means your device is using DNS over TLS (DoT) or DNS over HTTPS (DoH) to talk to a resolver like Cloudflare, Google, or Quad9. That encryption stops your ISP or someone on the same Wi-Fi from reading the contents of your DNS lookups in plain text.
That’s a real improvement over the old default, where every “what’s the IP for example.com?” query traveled in clear text for anyone to inspect. But the marketing language around private DNS makes it sound like a privacy cloak for your whole connection, and it absolutely is not. It only encrypts DNS lookups, not any of the other data your device sends out.
If you flip on “Private DNS” in your Android settings and assume you’re now invisible online, you’re going to be disappointed. The feature does one narrow job, and a lot of identifying information rides on entirely different rails.
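To make the "narrow job" concrete, here is an added example (not code from the original article) that builds a DNS query in the standard wire format and shows exactly what DoT and DoH change: nothing about the query itself, only the wrapper it travels in. DoH puts the bytes in an HTTPS request (base64url in a `dns=` parameter, per RFC 8484), DoT sends them over a TLS connection on port 853 with the usual two-byte length prefix (RFC 7858). All sample data is constructed; the answer address 192.0.2.1 is a documentation range, not a real record.

```python
from __future__ import annotations
import base64
import struct

# Added example, not code from the original article. Builds an RFC 1035 query,
# shows the DoH (RFC 8484) and DoT (RFC 7858) encapsulations of the same bytes,
# and parses a constructed response. 192.0.2.1 is a documentation address.

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """DNS query message: 12-byte header (RD flag set) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def doh_get_path(query: bytes) -> str:
    """DoH GET form: base64url without '=' padding in the 'dns' parameter.
    A transaction ID of 0 is recommended so identical queries share a cache key."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def decode_doh_path(path: str) -> bytes:
    """Reverse of doh_get_path: restore the padding, then base64url-decode."""
    encoded = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))

def dot_frame(query: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(query)) + query

def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_answers(msg: bytes) -> list[tuple[str, str, int]]:
    """Return (name, ipv4, ttl) for each A record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                 # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return answers

def build_sample_response() -> bytes:
    """Constructed response: example.com A 192.0.2.1, TTL 300, name compressed to 0xC00C."""
    question = build_query("example.com", txid=0x1234)[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

if __name__ == "__main__":
    q = build_query("example.com")
    print("plain UDP payload :", q.hex())
    print("DoH GET path      :", doh_get_path(q))
    print("DoT TLS payload   :", dot_frame(q).hex())
    print("parsed answer     :", parse_answers(build_sample_response()))
```

Run it and compare the three outputs: the hostname is byte-for-byte identical in all of them. The only thing DoT and DoH add is the TLS session around the payload, which is why the resolver on the far end still reads every name you look up.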
Your ISP can still tell where you’re going
IP addresses and SNI metadata give the game away
Here’s the part that surprises people. Even with DNS encrypted, your ISP can still see the IP address of every server you connect to. That alone is often enough to figure out which sites or services you’re using, especially for major platforms hosted on dedicated infrastructure.
It gets worse. When your browser starts an HTTPS connection, it usually sends the hostname in plain text inside something called Server Name Indication (SNI). That means even when your DNS lookup is encrypted, the very next packet your computer sends often contains the domain name in readable form. Network observers can also infer what you’re visiting from connection patterns, timing, and other metadata.
So the ISP can’t read your DNS query, but they can watch you connect to a specific IP address and frequently still see the hostname your browser hands over. Private DNS doesn’t touch any of that. The conclusion researchers keep landing on is that DoT and DoH improve your privacy situation, but only to a limited extent, and someone watching your traffic can still paint a rough picture of your browsing habits.
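Here is an added example (not code from the original article) of what that "very next packet" looks like to a network observer. It constructs a TLS ClientHello with a Server Name Indication extension (zero random bytes and two cipher suites, so it is not a real capture), then parses it the way a passive monitor would and pulls the hostname straight out of the unencrypted handshake. Encrypting DNS changes nothing here; only a browser using Encrypted Client Hello keeps the name out of this packet.

```python
from __future__ import annotations
import struct

# Added example, not code from the original article. Builds a constructed TLS
# ClientHello and extracts the SNI hostname from it as a passive observer would.

def build_client_hello(hostname: str | None) -> bytes:
    """TLS record carrying a ClientHello; SNI is included only if a hostname is given."""
    random_bytes = bytes(32)                           # a real client sends 32 random bytes
    session_id = b""
    cipher_suites = struct.pack("!HH", 0x1301, 0x1302)  # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    compression = b"\x00"                              # null compression only
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0, len(server_name_list)) + server_name_list
    supported_versions = b"\x02\x03\x04"                                # advertise TLS 1.3
    extensions += struct.pack("!HH", 43, len(supported_versions)) + supported_versions
    body = (b"\x03\x03" + random_bytes
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22

def extract_sni(record: bytes) -> str | None:
    """Return the SNI hostname from a ClientHello record, or None if there is none."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                    # not a handshake record
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:
        return None                                    # not a ClientHello
    off = 4 + 2 + 32                                   # skip type, length, version, random
    off += 1 + body[off]                               # session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]  # cipher_suites
    off += 1 + body[off]                               # compression_methods
    if off + 2 > len(body):
        return None                                    # no extensions block at all
    end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[off:off + 4])
        data = body[off + 4:off + 4 + ext_len]
        off += 4 + ext_len
        if ext_type != 0:                              # 0 = server_name
            continue
        p = 2                                          # skip server_name_list length
        while p + 3 <= len(data):
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if name_type == 0:
                return data[p:p + name_len].decode("ascii")
            p += name_len
    return None

if __name__ == "__main__":
    for host in ("example.com", None):
        print(host, "->", extract_sni(build_client_hello(host)))
```

The parser deliberately does nothing clever: it walks the fixed ClientHello layout and reads the name out of extension type 0. That is the whole point. Anyone sitting between you and the server gets the hostname for free, with no decryption and no DNS involvement.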
You’re just trading one observer for another
Your DNS provider sees everything you used to hand to your ISP
When you switch to private DNS, your queries stop going to your ISP’s resolver and start going to whoever you picked instead. That’s usually Cloudflare, Google, Quad9, or whatever your phone defaults to. Encrypted or not, those queries are still fully visible to the resolver handling them.
That’s a real tradeoff. You’re betting that your chosen DNS provider has better privacy practices than your ISP, which is often true but not guaranteed. Some providers log queries, some monetize the data, and some are based in jurisdictions with their own rules about what has to be handed over on request. Private DNS only works as a privacy tool if you actually trust the resolver on the other end, and the average user has no idea which provider their device is even using.
There’s also the SSL/TLS certificate angle to think about. The handshake itself exposes information about who you’re connecting to before encryption is fully established, and invalid or sketchy certificates presented during it can create privacy risks of their own.
DNS leaks happen even when “private DNS” is on
Other apps, VPNs, and Wi-Fi quirks can route around the setting
This is the leak that catches people off guard. You can have private DNS configured at the system level and still have queries escape through other paths. Some apps use their own hardcoded DNS resolvers and ignore your system settings entirely. Some routers force all DNS traffic to the ISP’s servers no matter what your device prefers.
If you use a VPN, you’d think DNS is automatically handled, but a misconfigured VPN can let DNS queries bypass the tunnel and head straight to your ISP’s resolver, exposing your real location and browsing activity. That’s the classic “DNS leak” scenario, and it happens more often than people realize.
Phones connected to Wi-Fi are especially vulnerable here. The router’s default DNS is often whatever the ISP provided, and depending on how aggressively the network captures DNS traffic, your encrypted queries may not actually leave the network the way you expect. The fix usually involves running a DNS leak test from a tool that checks where your queries are really going, rather than trusting that the toggle in your settings is doing its job.
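A leak test from an outside service is one way to check; another is to look at the connections your own device makes. Here is an added example (not code from the original article, and not a substitute for a leak-test site) that audits a list of observed connections, constructed inline to stand in for a packet capture or firewall log, and flags DNS traffic that does not match the resolver you configured. It assumes the device was set up for DoT to 1.1.1.1 and recognises DoH by the hostname in the TLS SNI; every address and hostname in the sample is either a documentation address or a well-known public resolver.

```python
from __future__ import annotations

# Added example, not code from the original article. Audits constructed flow
# records for DNS that escapes the configured private-DNS path.
# Assumptions: device configured for DoT to 1.1.1.1; DoH is identified by SNI.

DOH_HOSTNAMES = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

# Constructed sample: what a capture on the phone's Wi-Fi link might show.
SAMPLE_FLOWS = [
    {"dst": "1.1.1.1",      "proto": "tcp", "dport": 853},                            # system DoT, as configured
    {"dst": "192.168.1.1",  "proto": "udp", "dport": 53},                             # plain DNS to the router
    {"dst": "9.9.9.9",      "proto": "tcp", "dport": 853},                            # an app with its own DoT resolver
    {"dst": "8.8.8.8",      "proto": "tcp", "dport": 443, "sni": "dns.google"},       # an app with its own DoH resolver
    {"dst": "203.0.113.10", "proto": "tcp", "dport": 443, "sni": "www.example.com"},  # ordinary HTTPS, not DNS
]

def classify_flow(flow: dict, expected_resolver: str) -> str | None:
    """Verdict for one connection, or None if it carries no DNS in any form."""
    port, dst = flow["dport"], flow["dst"]
    if port == 53:
        # Port-53 DNS is readable by anyone on the path, whoever ends up answering it.
        return "plaintext-leak"
    if port == 853:
        return "dot-expected" if dst == expected_resolver else "dot-unexpected-resolver"
    if port == 443 and flow.get("sni") in DOH_HOSTNAMES:
        # Looks like DoH; fine only if it goes to the resolver you actually chose.
        return "doh-expected" if dst == expected_resolver else "doh-unexpected-resolver"
    return None

def audit_dns_flows(flows: list[dict], expected_resolver: str) -> list[tuple[int, str]]:
    """(flow index, verdict) for every flow that carries DNS in some form."""
    findings = []
    for i, flow in enumerate(flows):
        verdict = classify_flow(flow, expected_resolver)
        if verdict is not None:
            findings.append((i, verdict))
    return findings

def leaks(findings: list[tuple[int, str]]) -> list[tuple[int, str]]:
    """Only the findings where queries are bypassing the configured resolver."""
    return [f for f in findings if f[1] not in ("dot-expected", "doh-expected")]

if __name__ == "__main__":
    findings = audit_dns_flows(SAMPLE_FLOWS, "1.1.1.1")
    for index, verdict in findings:
        print(f"flow {index}: {verdict}  {SAMPLE_FLOWS[index]}")
    print("leaking flows:", [i for i, _ in leaks(findings)])
```

Three of the four DNS-carrying flows in the sample are leaks of one kind or another, and only one of them is the plain-text port-53 case most leak-test sites look for. The other two are encrypted, so the ISP cannot read them, but they go to resolvers you never chose, which is exactly the "apps doing their own thing" problem.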
Private DNS is worth using, just don’t oversell it to yourself
Treat it as one layer, not a full solution
I don’t want to leave the impression that private DNS is pointless. It absolutely beats sending every lookup in plain text, and it stops the laziest form of network-level snooping in its tracks. For people who don’t run a VPN, switching to a trustworthy DoT or DoH provider is one of the easiest privacy wins available.
The trick is not mistaking it for something it isn’t. Privacy online is layered, and no single tool covers everything. If your goal is to actually hide your browsing from your ISP, you need to think about IP-level traffic, SNI, app behavior, and resolver trust at a minimum. That usually means combining private DNS with a VPN, a browser that supports encrypted SNI, and some attention to which apps are doing their own thing behind your back.
Private DNS is a start, not a finish line
The label “private DNS” sounds airtight, but the feature only encrypts a thin slice of what your device tells the outside world. Your ISP can still profile you through IP addresses and SNI, your DNS provider sees every query you make, and various apps and network configurations can quietly bypass the whole thing.
If you’ve been treating that toggle as your privacy strategy, it’s worth knowing what it actually covers. Use it, sure, but pair it with the rest of the stack if you genuinely care about who’s watching. Anything less is more about peace of mind than real privacy.