DNS over TLS: The Acronym Nightmare That Protects Your Privacy

Alright, let’s pull back the curtain on one of the internet’s dirtiest little secrets. Grab a cup of tea (or your beverage of choice), get comfy, and let’s talk about how your internet connection has been shouting your secrets from the rooftops, and what we can do to make it whisper instead.

Let’s set the scene:

You’re sitting in a bustling Hobart café (or as bustling as anything in Hobart can get — other than the “organic goat food” section of the local farmers market), sipping on a double-steeped Darjeeling, aged five years in a Huon pine humidor carved by retired boatbuilders, infused with a whisper of Tasmanian bush peppermint, a rogue sprig of wild wattleflower, and precisely one clove — all brewed in rooftop-harvested Hobart rainwater, filtered through quartz and naïve optimism that helps you justify the cost.

The Wi-Fi is free, the vibes are good. You pull out your phone and decide to look up a sensitive health concern, check your bank balance, and maybe doomscroll through some political news you wouldn’t want your boss to see. You’re smart, so you make sure every site you visit has that little padlock icon and starts with “HTTPS”. You’re safe, right? Your data is encrypted.

Well, sort of. You’ve locked the contents of your mail, but you’ve written the destination address on a postcard for everyone to see.

Every time you type a website address—like google.com or mysecretguineapigfanclub.net—into your browser, your device first has to figure out where on the internet that website actually lives. It does this by asking a special server called a DNS resolver. DNS stands for “Domain Name System,” and it’s basically the Internet’s giant, sprawling phonebook. Your device shouts out, “Hey, where can I find mysecretguineapigfanclub.net?” and the DNS server shouts back an IP address, which is the numerical street address for that site (like 104.21.23.147).

But it’s here that the plot thickens: by default, this entire conversation happens in plain text. Unencrypted. Openly.

Think about that for a second. The barista who runs the café Wi-Fi? They can see it. The sketchy guy in the corner with a laptop running network sniffing tools? He can see it. More importantly, your Internet Service Provider (ISP)—the company you pay a hefty sum to every month, like Telstra or Comcast or BT—sees every single one of these requests. They keep a log of every website you’ve ever intended to visit, even if the connection to the site itself was later secured by HTTPS.

This is like sending a postcard. The message inside might be a secret, but the “To:” and “From:” addresses are there for the entire postal service to read, log, and analyse. A 2019 study from Northeastern University confirmed that ISPs and third parties can and do collect this DNS data, creating a surprisingly detailed map of your online life. It’s a fundamental privacy hole that’s existed since the dawn of the public internet, and most people have no idea. The list of people who want to see this data is long, and their intentions aren’t always pure.

All this always reminds me of the old party-line telephones my grandma used to talk about. Anyone on the shared line could pick up the receiver and listen in on your conversation. That’s essentially what default DNS is—a digital party line, and you’re never quite sure who’s listening in. It’s a system built for a more trusting, simpler time. A time that is very much over.

So, does this mean we should all just give up and move to a cabin in the woods? Of course not. It just means we need a better envelope.

So, What on Earth is DNS over TLS?

If standard DNS is a postcard, then DNS over TLS (or DoT, for the acronym-inclined) is that same message sealed inside a tamper-proof security envelope and sent through a private, armoured tunnel.

Let’s break that down.

TLS stands for “Transport Layer Security”. It’s the modern-day version of SSL and it’s the cryptographic protocol that puts the “S” in “HTTPS”. It’s the workhorse of internet security, the same technology that protects your credit card numbers when you buy something online and secures your login details for your email. It creates a secure, encrypted channel between two points, ensuring that anyone listening in only hears meaningless gibberish.

DNS over TLS, therefore, simply wraps your DNS requests in that same powerful TLS encryption.

Instead of your device shouting its request into the void, it opens a secure tunnel directly to a DoT-compatible DNS resolver. Your request (“Where’s mysecretguineapigfanclub.net?”) travels through this tunnel, completely shielded from prying eyes. The resolver gets the request, finds the IP address, and sends the answer back through the exact same secure tunnel.

To the outside world—your ISP, the café owner, the government agency with a listening post set up, trying to figure out what the guinea pig-loving community is looking at on the internet—all they can see is encrypted traffic flowing between your device and the DNS server’s IP address. They have no idea what websites you’re asking for. The postcards have been replaced with opaque, unmarked packages.

Is this system foolproof? Not entirely. A sophisticated observer can still see that you’re communicating with a known DNS resolver, and they can still see the IP address of the website you ultimately connect to. But DoT removes the easiest, most revealing part of the equation. It takes your browsing intentions off the public record. It’s the difference between someone seeing you walk into a specific bookstore versus them having a complete list of every single book you picked up and considered reading. It’s a massive leap forward for everyday privacy. A real game-changer, you know?

My own personal observation is that explaining this to people often elicits a “Wait, it wasn’t already private?” reaction. It feels like finding out the walls of your house were made of glass all along. The good news is, we’re about to install some very effective curtains.

Why You Should Care (Even If You’re Not a Super-Spy)

“Okay,” you might be thinking, “this is all very interesting, but I’m not planning a revolution or hiding from the law. I just use the internet to watch cat videos and argue with strangers. Why should I bother with this?”

That’s a fair question. The “I have nothing to hide” argument is a common one, but it misses the point of privacy. Privacy isn’t about hiding bad things; it’s about having control over your own information. You close the bathroom door when you use it, not because you’re doing something illegal (presumably), but because you deserve a private space. Your digital life deserves the same courtesy. To put it more plainly, if you try to apply the “I’ve got nothing to hide” principle to every aspect of your life, you’re likely to be walking around naked, showing off your tattoo of your credit card details while yelling your bank password for the world to hear.

Let’s get down to brass tacks. Perhaps the biggest reason to care is that it stops your Internet Service Provider from profiling you and monetising your browsing habits. ISPs in many countries, including the United States, are legally permitted to collect and sell your browsing history, which is largely built from your plain-text DNS requests. This data gets bundled into so-called “anonymised” profiles and sold to a vast, shadowy ecosystem of advertisers and data brokers, as highlighted in a report by the U.S. Federal Trade Commission. Encrypting your DNS effectively turns off this data tap at the source, preventing your curiosity from becoming a commodity.

This surveillance isn’t just limited to your home connection, either. It’s arguably an even greater risk when you’re out and about, using public Wi-Fi. That free connection at the airport, hotel, or local coffee shop is a digital minefield where the network owner can easily monitor and even manipulate your traffic. A common attack is “DNS hijacking”, where the network redirects you to a malicious counterfeit of a legitimate website to steal your credentials. By using an encrypted, authenticated DNS service, you sidestep the local network’s untrustworthy “phonebook” and ensure you’re getting the correct, untampered-with results.

This kind of network-level meddling also underpins most common forms of censorship and content filtering. Whether you’re traveling abroad in a country that blocks certain news outlets or just dealing with a heavy-handed corporate network that blocks streaming sites, the mechanism is often a simple DNS block. The network sees the forbidden domain name and refuses to provide the IP address. Encrypted DNS wraps your request in a cloak of invisibility, allowing it to bypass these simplistic filters. Makes you wonder, doesn’t it? How much of the internet’s control infrastructure relies on us using outdated, insecure protocols? I can feel my nervous twitch coming back…

This is where a tool like encrypted DNS shines as a perfect companion to a VPN. While a VPN is excellent for encrypting all your traffic and hiding your IP address, software glitches can sometimes cause DNS requests to “leak” outside the secure VPN tunnel. A study published in the Proceedings on Privacy Enhancing Technologies found this to be a persistent issue. If you have system-wide encrypted DNS enabled, even those leaked requests remain protected, providing a crucial layer of defense. Think of it as a safety net for your safety net.

You Can Enable This in Under 5 Minutes. No, Really.

Okay, enough with the theory and the doom-saying. Let’s get to the good part: fixing it. This is genuinely easy. You don’t need a computer science degree or a willingness to wrestle with the command line. You can do this in less time than it takes to properly steep a pot of Earl Grey.

On Your Phone (The Easiest Method for Everyone)

For both iOS and Android users, the most straightforward, fire-and-forget method is to use a dedicated app. The most popular and well-respected choice is Cloudflare’s 1.1.1.1 application. Your first port of call is your phone’s app store; the app is available on both Apple’s App Store and the Google Play Store. Once you open it, you’ll be greeted with a refreshingly simple interface dominated by a large on/off toggle. Tap it to turn it on.

Your phone will then ask for your permission to install a “VPN profile”. It’s important to understand that while it uses the VPN framework built into your phone’s OS, it is not a full VPN; it doesn’t hide your IP address. It just cleverly uses that plumbing to intercept and secure your DNS requests. With that one tap, you’re done. Your phone’s DNS is now private.

On Your Desktop Computer (Also Pretty Darn Easy)

You have a few excellent options on your desktop, but the path of least resistance is enabling the feature directly within your web browser. The good folks at Mozilla, being staunch privacy advocates, have built this right into Firefox. In fact, for many users, it’s already on by default. They refer to it as “DNS over HTTPS” (DoH), but the privacy outcome is the same. To check, open Firefox, click the hamburger menu in the top-right corner, and navigate to Settings, then Privacy & Security.

If you scroll all the way to the bottom, you’ll find the DNS over HTTPS section. Here, you can crank up the protection to “Max Protection” to ensure all requests go through the secure channel and even choose your provider, with Cloudflare being a solid default.

For those of you in the Chromium family of browsers—Google Chrome, Microsoft Edge, or Brave—the process is quite similar. Dive into your browser’s Settings and find the Privacy and Security section. In there, you’ll find an option to Use secure DNS. After enabling it, you can either allow the browser to automatically use a provider if your system’s default one supports it, or you can take manual control. I’d recommend the latter.

Choose the option to customise it and select a trusted provider like Cloudflare (1.1.1.1), Google (8.8.8.8), or Quad9 (9.9.9.9), a non-profit that also blocks malicious domains. This action secures the DNS lookups originating from your browser, which is a massive step forward.

The Pro Move: Setting it at Your Router (For the Keen)

If you’re feeling adventurous and want to protect every single device on your home network in one go—your phone, your laptop, your smart TV, your weird internet-connected washing machine (I can’t be the only one)—the ultimate solution is to configure DoT on your internet router. This process varies depending on your hardware, but it generally involves logging into your router’s admin panel and finding the WAN or Internet settings.

From there, you’ll look for an option for “DNS over TLS” or “Private DNS”, enable it, and provide the details of a DoT service. For Cloudflare, for instance, you’d typically enter the IP 1.1.1.1 and the TLS hostname one.one.one.one. This is the true set-it-and-forget-it approach, and my personal favourite. A project like Pi-hole can even be configured to do this, providing network-wide ad-blocking and private DNS in one fell swoop. It’s deeply satisfying.

Bonus Round: Not All Encrypted DNS is Created Equal (DoT vs. DoH)

You may have noticed I used two different acronyms: DoT (DNS over TLS) and DoH (DNS over HTTPS). The end result for your privacy is largely the same, but the method is slightly different, and the difference is the source of a very nerdy debate online.

I think I need to pause here for a moment. This is one of those technical distinctions that matters a lot to a few people, and not at all to most. But knowledge is power, right? So let’s quickly demystify it. DNS over TLS is the purist’s implementation. It runs over its own dedicated network port (853), making it efficient and easy for network admins to identify and manage. Think of it as a special, armoured diplomatic courier with its own dedicated route.

By contrast, DNS over HTTPS is the pragmatic chameleon. It wraps DNS traffic inside the same kind of HTTPS traffic your browser uses for everything else, sending it over the standard web port (443). This makes it incredibly difficult to distinguish from normal web browsing, and thus much harder to block. It’s like smuggling a secret message in a regular Amazon box.

The controversy arises from this very distinction. Some network professionals dislike DoH because its stealthy nature can be used to bypass security policies, while privacy advocates love it for the exact same reason, seeing it as a more robust tool against censorship. This was at the heart of the debate when Mozilla enabled DoH by default in Firefox. For the average user, however, the difference is academic. Both are a monumental improvement over the alternative. Don’t get paralysed by the choice; just pick one and turn it on.
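To make the “tunnel” from the DoT section and the port distinction above concrete, here is an added example (not code from this article or from Cloudflare): the same wire-format DNS query is given a two-byte length prefix on a TLS connection to port 853 for DoT, or becomes the body of an HTTPS POST on port 443 for DoH. It assumes the 1.1.1.1 / one.one.one.one resolver details given earlier; sample_response is a constructed reply so the parser can be checked offline, while resolve_over_dot performs a real lookup over DoT.

```python
import socket
import ssl
import struct

DOT_HOST, DOT_IP, DOT_PORT = "one.one.one.one", "1.1.1.1", 853  # values from the article; DoH uses 443

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Minimal DNS A query in wire format; plain DNS, DoT and DoH all carry these same bytes."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame_for_dot(msg: bytes) -> bytes:  # DoT: a two-byte big-endian length precedes each message
    return struct.pack(">H", len(msg)) + msg

def frame_for_doh(msg: bytes) -> bytes:  # DoH: the identical message as an ordinary HTTPS POST body
    head = f"POST /dns-query HTTP/1.1\r\nHost: {DOT_HOST}\r\nContent-Type: application/dns-message\r\n"
    return (head + f"Content-Length: {len(msg)}\r\n\r\n").encode("ascii") + msg

def _skip_name(resp: bytes, off: int) -> int:  # step over a (possibly compressed) name
    while resp[off] != 0 and resp[off] & 0xC0 != 0xC0:
        off += 1 + resp[off]
    return off + (2 if resp[off] & 0xC0 == 0xC0 else 1)  # pointer is 2 bytes, root label is 1

def parse_a_records(resp: bytes) -> list:
    """IPv4 answers from a reply to one A question; [] when the RCODE signals an error."""
    _, flags, qdcount, ancount = struct.unpack(">HHHH", resp[:8])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS too
    ips = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips

def sample_response(name: str, ip: str) -> bytes:  # constructed reply, not captured traffic
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_query(name)[12:] + answer

def resolve_over_dot(name: str) -> list:  # live lookup: TLS to 1.1.1.1:853, cert checked against DOT_HOST
    ctx = ssl.create_default_context()  # chain and hostname verification are on by default
    with socket.create_connection((DOT_IP, DOT_PORT), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=DOT_HOST) as tls:
        tls.sendall(frame_for_dot(build_query(name)))
        buf = b""
        while len(buf) < 2 or len(buf) < 2 + struct.unpack(">H", buf[:2])[0]:
            buf += tls.recv(4096)  # TLS may deliver the length prefix and body in pieces
    return parse_a_records(buf[2:])
```

Run parse_a_records(sample_response("mysecretguineapigfanclub.net", "104.21.23.147")) offline to see the parser at work, or resolve_over_dot("example.com") on a live connection; on the wire an observer sees only TLS to 1.1.1.1:853.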

Final Thoughts

So there you have it. Your internet connection has been sharing your browsing habits like town gossip for decades. But now you know the secret, and more importantly, you know the fix. The journey to better digital privacy can feel overwhelming, like trying to empty the ocean with a teaspoon. But it’s not about achieving perfect, impenetrable security overnight. It’s about taking small, meaningful steps. It’s about adding locks to your doors, one by one.

So, what’s your next move? Your first step should be to enable this technology right now. Pick a method we’ve discussed—the 1.1.1.1 app on your phone is a fantastic place to start—and take the five minutes to flip the switch. Once you’ve done that, take a moment to test your work. You can visit a page like Cloudflare’s Help Center (1.1.1.1/help), which will run a quick check and confirm that you’re using a secure DNS service. Seeing those green checkmarks pop up is surprisingly rewarding.

And don’t stop there. Think of this as the first, foundational piece of a more comprehensive privacy toolkit. Pair the power of encrypted DNS with other fundamentals: a good ad-blocker like uBlock Origin to fight off trackers, a reputable password manager like 1Password to secure your accounts, and a privacy-respecting browser.

You lock your front door at night. You draw the curtains. You don’t need to be paranoid or have something to hide to want a little bit of privacy in your own space. It’s a basic right.

It’s time we claimed it back for our digital lives, too. Now, if you’ll excuse me, I think my tea is ready.


neobadger

I'm a Technology Consultant who partners with visionary people who want to solve human problems using data and technology (and having fun doing it)!
