How to Set Up Encrypted DNS on All Devices 2026

Overview

Standard DNS (Domain Name System) broadcasts every website you visit to your ISP, router, and network administrators. Encrypted DNS (DoH/DoT) encrypts DNS queries, preventing surveillance of your browsing. This guide shows how to configure encrypted DNS on all major devices and provides provider comparison with privacy ratings.

The DNS Privacy Problem

When you visit example.com:

Without Encrypted DNS:

Your Device → ISP DNS Server
    Query: "What is the IP for example.com?"
    ↓
ISP sees: example.com
    → Logs query to your account
    → Can sell this data to advertisers
    → ISP invoice shows all sites visited
    → ISP can sell browsing profile

ISP implications:

ISPs log 100% of non-HTTPS DNS queries
Your ISP sold browsing data before 2015 (Comcast, AT&T, Verizon)
ISP still retains browsing logs
Healthcare lookups, political sites, dating apps all logged

With Encrypted DNS (DoH/DoT):

Your Device → Encrypted tunnel → DNS Provider
    Query: "What is the IP for example.com?" (encrypted)
    ↓
ISP sees: "Encrypted DNS traffic to 1.1.1.1"
    → Cannot see which sites you visit
    → Cannot log browsing history
    → Browsing remains private

Privacy benefit: ISP cannot identify sites you visit. DNS provider sees queries (choose provider carefully).

DNS Encryption Standards

DNS over HTTPS (DoH)

Protocol: HTTPS wrapper (standard web encryption)
Port: 443 (same as HTTPS websites)
Advantage: Works through restrictive firewalls, looks like regular web traffic
Disadvantage: Slightly higher latency (milliseconds), more CPU intensive
Adoption: Most consumer-friendly

DNS over TLS (DoT)

Protocol: TLS encryption (same as HTTPS base)
Port: 853 (dedicated DNS port)
Advantage: Faster than DoH (native DNS optimization)
Disadvantage: Easily blocked by restrictive networks
Adoption: Enterprise preference

Practical difference: Negligible for consumers. DoH recommended for ease.

Encrypted DNS Providers Compared

1. Cloudflare (1.1.1.1)

Addresses:

DoH: https://1.1.1.1/dns-query
DoT: 1.1.1.1 port 853
IPv6: 2606:4700:4700::1111 (DoT), 2606:4700:4700::1001 (DoT)

Privacy Policy:

✅ No query logging
✅ Deletes logs after 24 hours
✅ Independent audits (Cure53, published results)
✅ Transparent infrastructure (US-based, FOIA-subject)
✅ Free tier
❌ Cloudflare sees your queries (evaluate risk vs ISP)

Additional Features:

Malware blocking (optional)
Adult content filtering (optional)
Performance optimized (fast response times)

Cost: Free (with optional pro features)

Best for: Users prioritizing speed + privacy, zero budget.

2. NextDNS

Addresses:

DoH: https://dns.nextdns.io
DoT: dns.nextdns.io port 853

Privacy Policy:

✅ No query logging (option: enable for advanced filtering)
✅ 30-day log retention if enabled
✅ EU data residency option
✅ Independent audits
✅ Fine-grained privacy controls
❌ Free plan limited (300k queries/month)

Additional Features:

Custom blocklists (create your own)
Security filtering (phishing, malware)
Parental controls (advanced)
Multiple profiles (work, home, kids)
API for automation

Pricing:

Free: 300k queries/month (~10 queries/min = very limited)
Paid: $1.99-4.99/month per device

Best for: Privacy-focused users, multiple devices, advanced filtering needs.

3. Quad9

Addresses:

DoH: https://dns.quad9.net/dns-query
DoT: dns.quad9.net port 853

Privacy Policy:

✅ No query logging
✅ Independent audits (Ernst & Young)
✅ Non-profit organization (not profit-driven)
✅ Threat intelligence filtering (blocks malware/phishing)
❌ Logging disabled by default, but can be enabled for statistics

Additional Features:

Security filtering (DNSSEC validation)
Malware detection
Phishing prevention
CDN optimization

Cost: Free (completely, no limits)

Best for: Privacy purists, security focus, non-profit preferred.

4. Mullvad (mullvad.net)

Addresses:

DoH: https://dns.mullvad.net/dns-query
DoT: dns.mullvad.net port 853

Privacy Policy:

✅ Absolutely no logging (stated in EU contracts)
✅ No query retention
✅ Swedish company (GDPR-compliant)
✅ VPN provider (can combine with VPN service)
✅ Open-source DNS infrastructure

Additional Features:

Ad blocking (optional)
Tracker blocking (optional)
DNSSEC validation
Optional: Use with Mullvad VPN ($5.99/month)

Cost: Free standalone, $5.99/month with VPN

Best for: VPN users, jurisdiction privacy preference (Sweden), maximum privacy.

5. Open DNS (Cisco)

Addresses:

DoH: https://doh.opendns.com/dns-query
DoT: DoT port 853 not offered natively

Privacy Policy:

✅ Basic logging (logs processed anonymously)
✅ Data sold to enterprise (NOT for consumer ads)
✅ Parental controls available
❌ Not pure privacy-focused
❌ Logging by default

Best for: Enterprise/parental control use cases, not privacy-first.

Provider Comparison Table

Provider	DoH	DoT	Logging	No Logging Speed	Best For	Cost
Cloudflare	✅	✅	No (24hr)	Fast	Speed + privacy	Free
NextDNS	✅	✅	Optional	Medium	Advanced filtering	$1.99/mo
Quad9	✅	✅	No	Fast	Security + privacy	Free
Mullvad	✅	✅	No	Fast	VPN users	Free/$5.99
OpenDNS	✅	❌	Yes	Medium	Enterprise	Paid

Recommendation: Cloudflare (speed + privacy) or Quad9 (non-profit, security focus).

Setup: macOS

Method 1: System Preferences (Easiest)

macOS 13+:

System Settings > Network > Wi-Fi > Details
Under Wi-Fi, click “DNS”
Click “+” to add DNS over HTTPS

For Cloudflare:

https://1.1.1.1/dns-query

For Quad9:

https://dns.quad9.net/dns-query

Click OK > Apply

Verification:

# Terminal: Verify DNS queries are encrypted
scutil -d -v <<< 'show State:/Network/Global/DNS'

# Should show your custom DNS provider

Method 2: Network Interface (Advanced)

For more control, edit networksetup:

# List network services
networksetup -listnetworkserviceorder

# Set DNS for Wi-Fi
networksetup -setdnsservers Wi-Fi 1.1.1.1 1.0.0.1

# Verify
networksetup -getdnsservers Wi-Fi

Method 3: Stubby (DNS over TLS)

For native DoT support (more private than DoH):

Install Stubby: brew install stubby
Configure /etc/stubby/stubby.yml:

# Set DoT provider
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "one.one.one.one"
    tls_pubkey_pinning: "<pin>"

# Localhost listening
listen_addresses:
  - 127.0.0.1@53
  - 0::1@53

Set system DNS to 127.0.0.1 (localhost)
Start Stubby: brew services start stubby

Advantage: Encrypts DNS all the way to provider, more secure than DoH in some scenarios.

Setup: Windows 10/11

Method 1: Built-in Settings (Windows 11)

Settings > Network & Internet > Advanced network options
Under “More network options” > DNS settings
Click “Edit” next to DNS servers
Select “Encrypted (DoH)”
Choose provider:
- Cloudflare (1.1.1.1)
- Quad9
- NextDNS
Click Save

Verification:

# PowerShell: Verify DNS
nslookup google.com

Method 2: Command Line (All Windows)

# Set DNS with DoH for Cloudflare
Add-DnsClientNrptRule `
  -Namespace "." `
  -NameEncryptionType Doh `
  -ServerAddress ("1.1.1.1", "1.0.0.1")

# Verify
Get-DnsClientNrptPolicy

Method 3: Group Policy (Enterprise)

For domain-joined computers:

gpedit.msc > Computer Configuration >
  Administrative Templates > Network > DNS Client >
  Turn on DoH

Set DNS servers to DoH provider addresses.

Method 4: Stubby on Windows

Download Stubby from GitHub: github.com/getdnsapi/stubby
Extract to C:\Program Files\Stubby
Configure stubby.yml with DoT provider (same as macOS)
Set system DNS to 127.0.0.1

Setup: Linux

Method 1: systemd-resolved (Modern)

Most Linux distros use systemd-resolved for DNS.

Edit /etc/systemd/resolved.conf:

[Resolve]
# Cloudflare DoH
DNS=1.1.1.1 1.0.0.1
FallbackDNS=2606:4700:4700::1111

# Enable DoH
DNSOverTLS=yes

# Optional: DNSSEC validation
DNSSEC=yes

Apply changes:

sudo systemctl restart systemd-resolved

# Verify
systemd-resolve --status

Method 2: Quad9 on Linux

# Edit resolved.conf
sudo nano /etc/systemd/resolved.conf

# Add Quad9 addresses
DNS=9.9.9.9 149.112.112.112
DNSOverTLS=yes

# Restart
sudo systemctl restart systemd-resolved

Method 3: Stubby on Linux (Advanced)

# Install Stubby
sudo apt-get install stubby

# Edit config
sudo nano /etc/stubby/stubby.yml

# Set DoT provider with TLS name validation
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "one.one.one.one"

# Start Stubby
sudo systemctl start stubby
sudo systemctl enable stubby

# Verify
dig @127.0.0.1 google.com

Setup: iOS

Native DoH Support (iOS 14+)

Settings > VPN & Device Management
DNS Settings > Encrypted DNS
Choose provider:
- Cloudflare: https://1.1.1.1/dns-query
- Quad9: https://dns.quad9.net/dns-query
- NextDNS: https://dns.nextdns.io (requires account)
Install configuration profile > Allow

Important: On cellular, requires Profile installation (WiFi may auto-configure).

Using DNSCloak App (Advanced)

Alternative app for more control:

Download DNSCloak (App Store, free)
Select DNS provider (Quad9, Cloudflare, Mullvad)
Enable VPN mode (allows system-wide DNS encryption)
Verify: Open app, check “Connected” status

Advantage: Works across WiFi and cellular automatically.

Setup: Android

Native DoH Support (Android 9+)

Settings > Network & Internet > Advanced > Private DNS
Select “Private DNS provider hostname”
Enter provider address:

For Cloudflare:

1dot1dot1dot1.cloudflare-dns.com

For Quad9:

dns.quad9.net

For NextDNS:

dns.nextdns.io

Tap Save

Verification:

Settings > Apps > System apps > Settings > Storage > Cache
Clear DNS cache
Open app, restart phone to verify

Using Nebulo App (Advanced)

Nebulo provides GUI and additional features:

Download Nebulo (Play Store, free with ads)
Select DNS provider from list
Enable VPN mode
Verification: Nebulo dashboard shows “Connected”

Advantage: Works across WiFi and cellular, shows query log.

Verification: All Platforms

DNS Leak Test

DNS leaks occur when queries bypass your encrypted DNS setup.

Test online:

Go to dnsleaktest.com
Run test
Should show your DNS provider (Cloudflare, Quad9, etc.), NOT your ISP

Correct result:

Your DNS servers:
1.1.1.1 (Cloudflare)
1.0.0.1 (Cloudflare)

Incorrect result (LEAK):

Your DNS servers:
8.8.8 (Google)
8.4.4 (Google)
67.222.123 (Comcast ISP)  ← ISP leak!

If DNS leaks detected, verify:

System settings actually applied
VPN app not overriding DNS
Firewall not blocking DoH ports (443 for DoH, 853 for DoT)

Command Line Verification

macOS/Linux:

# See which DNS server responds
dig @8.8.8.8 google.com

# Check your actual DNS resolver
nslookup -querytype=NS google.com

Windows (PowerShell):

Resolve-DnsName -Name google.com

Performance Impact

Myth: Encrypted DNS is slower.

Reality: Negligible performance difference (0-5ms added latency).

Bottom line: 3-5ms slower is imperceptible. Page loads identical.

Troubleshooting

Problem: “DNS not responding” after setup.

Solution:

Verify network connected
Restart device
Clear DNS cache: sudo systemctl restart systemd-resolved (Linux)
Disable VPN briefly (may conflict)

Problem: Some websites won’t load.

Solution:

May be ISP-level blocking (rare)
Try different DNS provider (Quad9 if Cloudflare fails)
Add fallback DNS server

Problem: DNS slowdown on mobile.

Solution:

Switch from cellular to WiFi
Use app (DNSCloak, Nebulo) instead of native settings
Verify VPN not active (causes double-encryption)

Problem: Corporate network blocks DoH.

Solution:

Firewall blocking port 443 (DoH) or 853 (DoT)
Use VPN to bypass corporate firewall
Use Mullvad VPN ($5.99/mo) combines DNS encryption + VPN

Privacy Considerations

Choosing Between Providers:

Consideration	Provider
Maximum privacy (non-profit)	Quad9
Speed optimized	Cloudflare
VPN included	Mullvad
Advanced filtering	NextDNS

Key point: Even with encrypted DNS, your DNS provider sees queries. Choose provider based on trust:

Cloudflare: US company, transparent, audited
Quad9: Non-profit, EU-friendly
Mullvad: VPN provider, maximalist privacy
NextDNS: Privacy startup, advanced controls

Complete Setup Checklist

Choose DNS provider (recommend: Cloudflare or Quad9)
Set up on all devices (macOS, Windows, iOS, Android)
Run DNS leak test (dnsleaktest.com)
Verify no ISP DNS servers appear in results
Test website loading (ensure no breaking changes)
Monitor for 1 week (performance, stability)
Share provider address with family members (group setup)
Optional: Add fallback DNS (Quad9 as backup to Cloudflare)