Why Encrypt DNS?

By default, most internet-connected devices use standard DNS, which is not encrypted: queries are sent in plaintext and can be seen by your network admin, your ISP, or anyone up the chain. Encrypting your DNS requests protects your privacy and defends against DNS poisoning, a common censorship method that blocks or redirects access to certain domains.

Even if you encrypt your DNS requests, your DNS provider can still see and log them. Your ISP, however, can only see the IP addresses of the servers you connect to; it can still track your activity with those, just not as well.

Why DoH?

There are a few methods of encrypting DNS. DNS over HTTPS (DoH) is currently the most popular one, mainly because it uses port 443, just like all other regular web traffic, which makes it harder to block or censor.

DNS Proxy

If you just want a simple method to use DoH that works on all devices, and you don’t really care which DNS provider you use, you can use a proxy made by a popular DNS provider such as NextDNS or Cloudflare WARP (DNS-only mode).

Browser only

All modern popular browsers support DoH: just find the relevant option in the settings, usually labelled something like “Encrypted DNS” or “Secure DNS”, select a provider and you’re good to go.

Selecting a DNS provider

Most people cannot run their own DNS resolver at home and are using either their ISP’s resolver or some publicly available DNS resolver. All you need is one that supports DoH; find one in this list in the curl wiki or this one by AdGuard DNS. What you are looking for is a URL that looks something like this:

https://domain.tld/dns-query

Some of them have security, family and ad-blocking filters, just be aware that some sites might break if the filtering is too heavy.

To check if DoH is working you can use the Cloudflare connection information page, or do a DNS leak test and make sure you are only using the selected provider for DNS.

Device-Level Setup

Android

DoH is supported as of Android 13. Find “Private DNS” in your network settings and set it to your preferred DNS provider, using only the domain name, in this format: domainname.tld. Don’t include the protocol (https://) or any path such as /dns-query.

Windows

Windows 11 has native support for DoH, you can set it per network or per network adapter (interface) in the hardware properties section.

The standard version of Windows 10, and earlier versions, do not support DoH; you’d have to use a DNS proxy or a custom proxy.

iOS & macOS

DoH is supported starting from iOS 14 and macOS 11 through network configuration profiles.

Network profiles can be used to [set Wi-Fi, VPN, DNS settings and much more][appleconfigurationprofilereference]. You can download ready-made profiles; check out this GitHub repo for a list of profiles and instructions.

You can also write those profiles yourself, which is made easier using Apple Configurator or some unofficial tool like this one.

Linux

systemd-resolved supports only DoT, not DoH, and different Linux distros handle DNS differently, so it can break easily; I would recommend running a custom proxy.

Custom DNS Proxy

You can run a custom DNS proxy on any device: the proxy listens for plain DNS locally and forwards your DNS requests to a DoH server. It’s a bit advanced and only recommended if you know what you’re doing.

Network-Level Setup

The simplest method would be to have a DoH proxy running on a local server that the router can reach, then just point your router’s DNS settings to use it.

Just be aware that network interruptions can break it if your proxy is configured with an upstream server’s domain name instead of its IP address, because the proxy must first resolve that domain to an IP, which creates a circular dependency.
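To make the custom-proxy section and the caveat above concrete, here is an added example in Python (not code from the original post): it builds the RFC 1035 wire-format query a DoH proxy forwards, forms the RFC 8484 GET URL against a resolver of the https://domain.tld/dns-query shape, parses a constructed application/dns-message response, and flags an upstream configured by hostname rather than IP literal. The resolver URLs and the response bytes are constructed sample values.

```python
import base64
import ipaddress
import struct
from urllib.parse import urlparse

def build_query(name, txid=0x1234):
    """RFC 1035 wire-format A query: 12-byte header with RD set, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def doh_get_url(resolver_url, query):
    """RFC 8484 GET form: wire query, base64url without '=' padding, in the dns= parameter."""
    return resolver_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def skip_name(msg, off):
    # Advance past a name; a compression pointer (top two bits set) ends it after 2 bytes
    while msg[off] & 0xC0 != 0xC0:
        length, off = msg[off], off + 1
        if length == 0:
            return off
        off += length
    return off + 2

def parse_a_records(resp):
    """Return (txid, [IPv4 strings]) from an application/dns-message response body."""
    txid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record: 4-byte IPv4 address
            addrs.append(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return txid, addrs

def upstream_warning(resolver_url):
    """Circular dependency: a proxy cannot resolve its own upstream's hostname before it has DNS."""
    host = urlparse(resolver_url).hostname or ""
    try:
        ipaddress.ip_address(host)              # IP literal: no bootstrap lookup needed
    except ValueError:
        return f"upstream {host!r} is a hostname; pin its IP or configure a bootstrap resolver"
    return None

# Constructed sample response: txid 0x1234, flags QR/RD/RA, one A answer (name pointer to offset 12, TTL 300, 192.0.2.1)
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00"
                   + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

A real proxy would POST the query bytes with Content-Type application/dns-message (or send the GET URL) over TLS and hand the response body to parse_a_records; the upstream check is what a proxy should run at startup before it is made the router's only resolver.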

Another method would be using custom router firmware like DD-WRT or OpenWRT, or a custom OS like pfSense, they have support for encrypted DNS and can connect to upstream resolvers directly.