How DNS Works

The Domain Name System (DNS) translates human-readable domain names (like cwzero.com) into IP addresses (like 78.111.67.116) that computers use to communicate. Every time you visit a website, a DNS query happens first.

The lookup chain works like this:

1. Your device checks its local DNS cache for a stored answer.
2. If not cached, the query goes to your configured DNS resolver (usually your ISP's server).
3. The resolver queries root servers, TLD servers, and authoritative servers in turn to find the answer.
4. The IP address is returned to your device and cached for future use.

Why DNS is a Privacy Risk

Traditional DNS has a critical privacy problem: queries and responses are sent in plain text over UDP or TCP port 53, with no encryption and no authentication of the answer.

  • Your ISP can see every website you visit via DNS queries
  • Network operators (on public WiFi, corporate networks) can log your DNS traffic
  • Attackers can intercept and modify DNS responses (DNS spoofing/hijacking)
  • Governments can compel ISPs to provide DNS logs of your browsing history
⚠️
Even with HTTPS, DNS leaks your browsing

HTTPS encrypts the content of your connection, but the DNS query revealing which domain you are visiting is sent before the HTTPS connection is established, and anyone on the path can read it.

Encrypted DNS: DoH and DoT

DNS over HTTPS (DoH): Sends DNS queries over HTTPS on TCP port 443 (RFC 8484). Hard to block since it uses the same port as regular web traffic.
DNS over TLS (DoT): Sends DNS queries over TLS on TCP port 853 (RFC 7858). Easier to identify and block because of the dedicated port, but simpler to filter or monitor deliberately on a network you control.

Both prevent your ISP and network operators from reading your DNS queries in transit. They do not hide which servers you then connect to: the destination IP address stays visible, and so does the server name in the TLS handshake (SNI) unless Encrypted Client Hello is in use. The DoH/DoT provider itself also sees every query, which is why the choice of provider matters.
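To make the "plain text" problem and the DoH wrapping concrete, here is an added example (not code from the original tutorial): it builds a DNS query in RFC 1035 wire format, shows that the queried name can be read straight out of the bytes with no key, and wraps the same query into an RFC 8484 DoH GET URL. Nothing is sent over the network; the response parsed at the end is a constructed sample answer for cwzero.com pointing at 78.111.67.116, the pair used in the text. The resolver URL is Cloudflare's public DoH template; everything else is generic.

```python
"""Added example: DNS wire format, what an observer sees, and DoH encoding.
No network traffic is generated; the response below is constructed by hand."""
import base64
import struct


def encode_qname(name: str) -> bytes:
    """Encode 'cwzero.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0, qtype: int = 1) -> bytes:
    """Standard query for an A record with the RD (recursion desired) flag set.
    DoH clients use transaction ID 0 so identical queries have identical bytes
    and can be cached by HTTP intermediaries (RFC 8484 section 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def visible_name(packet: bytes) -> str:
    """What a passive observer of port 53 sees: the QNAME decoded straight
    from the raw bytes. This is the plain-text problem in one function."""
    pos, labels = 12, []
    while packet[pos] != 0:
        ln = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    return ".".join(labels)


def doh_get_url(packet: bytes,
                template: str = "https://cloudflare-dns.com/dns-query") -> str:
    """RFC 8484 GET form: the query in base64url without padding, carried in
    the ?dns= parameter over HTTPS. (The POST form sends the raw bytes with
    Content-Type: application/dns-message.)"""
    b64 = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{template}?dns={b64}"


def parse_a_answers(packet: bytes) -> list[str]:
    """Extract IPv4 addresses from the answer section of a response.
    Handles the common compression pointer (0xC0xx) for the owner name."""
    qd, an = struct.unpack("!HH", packet[4:8])
    pos = 12
    for _ in range(qd):  # skip the question section
        while packet[pos] != 0:
            pos += 1 + packet[pos]
        pos += 1 + 4
    addrs = []
    for _ in range(an):
        if packet[pos] & 0xC0 == 0xC0:
            pos += 2  # compression pointer back to the question name
        else:
            while packet[pos] != 0:
                pos += 1 + packet[pos]
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        rdata = packet[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed sample response (not captured from a real server): flags 0x8180
# (response, recursion available), one A record with a 300 second TTL.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_qname("cwzero.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([78, 111, 67, 116])
)

if __name__ == "__main__":
    q = build_query("cwzero.com")
    print("raw query bytes:", q.hex())
    print("name visible on the wire:", visible_name(q))
    print("same query as a DoH GET:", doh_get_url(q))
    print("answers in sample response:", parse_a_answers(SAMPLE_RESPONSE))
```

Run it and compare the hex of the query with the URL: the DoH form carries exactly the same 28 bytes, but because they travel inside an HTTPS session a network observer sees only a TLS connection to the resolver on port 443.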

Recommended DNS Providers

Cloudflare (1.1.1.1) Fast, privacy-focused. Audited by KPMG. Supports DoH and DoT.
Quad9 (9.9.9.9) Non-profit, blocks known malicious domains. Swiss-based (strong privacy laws).
Google (8.8.8.8) Reliable and fast, but Google logs some data. Less private than alternatives.

Configuring DNS

On Your Router (Recommended)

Changing DNS on your router redirects every device on the network to your chosen resolver. Note that most consumer routers only speak plain DNS on port 53, so the queries are still readable by your ISP in transit; for encryption you need DoH or DoT on the device itself (see the Linux and Firefox steps below) or a router that supports them.

  • Log into your router admin panel
  • Find DNS settings (often under WAN, Internet, or DHCP settings)
  • Replace the ISP DNS with your preferred provider (e.g., 1.1.1.1 and 1.0.0.1)

On Linux

# Temporary (resets on reboot). Applies to the eth0 link only; substitute
# your interface name from `ip link`. This still sends plain-text DNS on
# port 53, it only changes which resolver receives it:
sudo resolvectl dns eth0 1.1.1.1 1.0.0.1

# For encrypted DNS (DoT) with systemd-resolved, set DNSOverTLS=yes and
# DNS=1.1.1.1#cloudflare-dns.com in /etc/systemd/resolved.conf (the part
# after # is the certificate name to verify), then restart systemd-resolved.

# Check current DNS servers and whether DNSOverTLS is active per link:
resolvectl status

In Firefox (DoH)

Firefox supports DoH natively:

  • Go to Settings > Privacy & Security > scroll to "DNS over HTTPS"
  • Select "Max Protection" and choose Cloudflare or a custom provider

DNS Leak Testing

After changing your DNS, verify it is working by visiting a DNS leak test site. The results should show your chosen DNS provider, not your ISP. On Linux you can also confirm locally with `resolvectl status`, and if you enabled DoT or DoH, run a packet capture such as `sudo tcpdump -ni any port 53` while browsing: no plain-text port 53 traffic should leave the host.

Summary

In this tutorial, you learned:

  • How DNS works and the lookup chain
  • Why traditional DNS is a privacy risk
  • Encrypted DNS options: DoH and DoT
  • Trusted DNS providers to use
  • How to configure DNS on your router, Linux, and Firefox
🎉
Your DNS queries no longer go to your ISP's resolver by default, and with DoH or DoT enabled they are encrypted in transit!

Switching to an encrypted DNS provider is one of the simplest and most effective privacy improvements you can make.