How to Configure Private DNS on Android for System-Wide Tracker Blocking

Configure Private DNS (DNS over TLS) on Android to encrypt all DNS queries and block trackers system-wide without VPN apps. This system-level setting protects every app from DNS-based tracking and surveillance while requiring just a few settings changes.

Understanding How Private DNS Works

When you type a website address in your browser, your device performs a DNS lookup to translate the human-readable domain name into an IP address. By default, these queries are sent to your ISP’s DNS servers in plaintext, meaning anyone monitoring your network traffic can see which domains you access. Trackers exploit this by embedding their domains in websites and apps, allowing them to build detailed profiles of your browsing habits.

Private DNS (also known as DNS over TLS or DoT) encrypts these queries using TLS, preventing eavesdroppers from seeing which domains you request. Beyond encryption, you can configure Private DNS to use services that actively block known tracker domains, providing ad-blocking and tracker-blocking capabilities without installing any apps.

Prerequisites

Before configuring Private DNS, ensure your device meets these requirements:

• Android 9 (Pie) or later is required for system-wide Private DNS support
• Your network must allow outbound TLS on port 853
• Some corporate or school networks may block Private DNS; you may need to disable it on such networks

Configuring Private DNS on Android

Step 1: Access Network Settings

Open your Android device’s Settings app and navigate to Network & Internet (or Connections on Samsung devices). Tap on Internet or Wi-Fi, then tap the gear icon next to your connected network.

Step 2: Configure Private DNS

Scroll down to the Private DNS option. By default, it’s set to “Automatic” (or “Provider’s hostname”). Tap on it to reveal the available options:

• Automatic - Uses your ISP’s DNS without encryption
• Provider’s hostname - Automatic detection of DoT support
• Off - Disables Private DNS entirely
• Custom hostname - Manually specify a Private DNS provider

Select Custom hostname and enter one of the following provider hostnames based on your blocking preferences.

Private DNS Provider Options

AdGuard DNS (Recommended for Trackers)

dns.adguard-dns.com

AdGuard operates free DNS servers that block ads and trackers at the network level. Their servers return NXDOMAIN responses for known tracker domains, effectively preventing them from loading. This covers approximately 100,000+ tracker domains.

NextDNS (Customizable)

your-custom-id.dns.nextdns.io

NextDNS allows you to create a free account and customize which categories to block. You can enable or disable specific blocklists, create custom blocking rules, and view analytics about blocked queries. Replace your-custom-id with your personal identifier from the NextDNS dashboard.

Quad9 (Security-Focused)

dns.quad9.net

Quad9 focuses on blocking domains associated with malware and phishing while leaving ad-blocking to other solutions. This is ideal if your primary concern is security rather than ad blocking.

Control D (Privacy-Focused)

dns.controld.com

Control D offers customizable blocklists and allows you to create custom DNS filters. Their free tier provides access to multiple blocklists with reasonable query limits for personal use.

Verifying Your Configuration

After configuring Private DNS, verify that it’s working correctly. Several methods exist:

Method 1: Use a DNS Leak Test

Visit dns leak test or dnscheck.tools to verify your DNS queries are being routed through your chosen provider. These tools analyze the DNS servers responding to your queries.

Method 2: Check with Browser Developer Tools

Open Chrome, navigate to chrome://inspect/#network, or use developer tools to monitor network requests. For a more detailed view, you can configure your app to log DNS queries if you’re developing Android applications.

Method 3: Test Tracker Blocking

Visit a website known to contain heavy tracking (such as news sites with ad networks) and observe whether trackers are blocked. You should see fewer network requests and faster page loads.

Advanced Configuration for Developers

Using Stubby for Custom DNS Chains

For advanced users wanting more control, you can configure a DNS-over-HTTPS (DoH) client like Stubby. While Stubby typically runs on Linux or as a container, Android’s rootless environment limits direct use. However, you can run Stubby in a termux environment:

# Install Stubby in Termux
pkg install stubby

# Configure stubby.yml in your home directory
# Set upstream_resolver to your preferred DoT servers
stubby -g

Testing DNS Resolution Programmatically

Developers can verify DNS resolution using command-line tools:

# Using dig with DNS over TLS
dig +tls @dns.adguard-dns.com google.com

# Using adig (another DNS testing tool)
adig -S +tls @dns.adguard-dns.com example.com

For Android development, you can query DNS programmatically:

import android.net.LinkProperties
import android.net.Network
import java.net.InetAddress

fun resolveWithSystemDNS(hostname: String): List<InetAddress> {
    return InetAddress.getAllByName(hostname)
}

// For custom DNS resolution, use a library like dnsjava
// implementation("dnsjava:dnsjava:3.5.2")

Troubleshooting Common Issues

Connection Failures

If you experience connectivity issues after enabling Private DNS:

1. Check network restrictions - Corporate firewalls often block port 853
2. Verify the hostname - Typos in the custom hostname will cause failures
3. Test with a different provider - Some providers may be temporarily unavailable

Performance Degradation

DNS resolution through encrypted channels adds minimal latency (typically 5-20ms). If you notice significant slowdowns:

• Try a different provider closer to your geographic location
• Check if your network has quality-of-service restrictions on encrypted traffic
• Consider using a provider with anycast for better latency

App-Specific Issues

Some apps hardcode DNS servers or use their own DNS implementation, bypassing Android’s Private DNS settings. For these apps:

• Use a VPN app with DNS filtering (sacrifices some privacy)
• Consider a custom ROM with built-in DNS filtering
• Contact the app developer to request DoT support

Limitations and Considerations

Private DNS has some constraints:

• IPv6 handling - Not all providers support IPv6 DNS queries
• Partial encryption - DNS over TLS encrypts the query but not the initial connection setup in all cases
• No ad blocking on all networks - Some networks route DNS through their own servers, bypassing your settings
• Mobile data - Private DNS works on mobile data but may have different behavior depending on your carrier

Security Considerations

When choosing a DNS provider, consider:

• Provider reputation - Some free DNS providers collect and sell data
• Logging policies - Review the provider’s privacy policy
• DNSSEC validation - Ensures the responses haven’t been tampered with

Providers like AdGuard, Quad9, and NextDNS publish transparency reports and maintain no-logs policies for personal use.

Provider Comparison Table

Rooting Considerations

Rooted Android devices offer more control but introduce security risks. For advanced users, rooting enables:

# System-level DNS override (rooted only)
su
setprop net.dns1 dns.adguard-dns.com

# Force DNS through iptables
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to dns.adguard-dns.com:53
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to dns.adguard-dns.com:53

However, rooting invalidates most security patches. For production devices, system-wide Private DNS without rooting is the safer choice.

Integration with VPN Services

When using both Private DNS and VPN simultaneously, ensure they don’t conflict:

# Private DNS configuration via adb (unrooted)
adb shell settings put global private_dns_mode hostname
adb shell settings put global private_dns_specifier dns.adguard-dns.com

# Verify VPN doesn't override
adb shell settings list global | grep private_dns

If your VPN provides its own DNS servers, they should match your Private DNS choice. Misconfiguration causes leaks where DNS queries bypass both protections.

Mobile Carrier DNS Interception

Some carriers intercept port 53 traffic regardless of settings. Test for this:

# From your Android device
nslookup example.com 8.8.8.8  # Should fail if carrier intercepts
dig @dns.adguard-dns.com example.com  # Should work through DoT

If carrier interception detected, use only DoT providers (all listed above support it). DoT uses port 853 and encrypts DNS in TLS, preventing carrier manipulation.

Performance Optimization

DNS resolution speed impacts browser performance. Monitor latency:

#!/bin/bash
# Test DNS resolution time for each provider

providers=(
  "dns.adguard-dns.com"
  "dns.quad9.net"
  "dns.controld.com"
)

for provider in "${providers[@]}"; do
  echo "Testing $provider..."
  time nslookup -timeout=1 example.com $provider
done

If you notice slowness:

• Try different providers (geographic proximity helps)
• Ensure port 853 isn’t being rate-limited by your carrier
• Enable caching with a local resolver like systemd-resolved

DNS Monitoring and Logging

For privacy audits, capture your actual DNS traffic:

# Monitor DNS queries (requires root or system shell)
adb shell tcpdump -i any -n 'port 53 or port 853' -w /sdcard/dns.pcap

# Analyze with Wireshark
wireshark dns.pcap

# Count queries by domain
tshark -r dns.pcap -T fields -e dns.qry.name | sort | uniq -c | sort -rn

This reveals which apps are making DNS requests and to which servers. Many apps bypass system DNS entirely—these queries are invisible to Private DNS settings.

Related Articles

• How to Set Up Private DNS on Android for All Apps
• How to Configure DNS over HTTPS Inside a VPN Tunnel
• How To Configure Openwrt Guest Network With Separate Dns And
• How To Use Adb To Disable Android System Apps That Spy On Yo
• How To Configure Per App Vpn On Android Without Root

Built by theluckystrike — More at zovo.one