Updated: November 21, 2025

DNS is one of the weak points of privacy. Even with VPN, your DNS queries can reveal visited sites. Let’s understand how it works and how to protect yourself.

What Is DNS and Why It Matters

How DNS Works

DNS (Domain Name System) is the internet’s “phone book”. It translates readable names into IP addresses:

google.com → 142.250.185.78

Every time you open a website, your device asks a DNS server: “What’s the IP for this domain?”

The Problem: DNS Queries Are Unencrypted

Traditional DNS works in plain text:

You: "What's the IP for protonmail.com?"
DNS: "185.70.42.31"

Who sees these queries:

Your ISP
WiFi network administrator
Anyone intercepting traffic

They don’t see what you do on the site (if HTTPS), but they see which sites you visit.

DNS Leaks When Using VPN

Even with VPN, DNS queries can bypass the tunnel:

All traffic → VPN tunnel (protected)
DNS queries → Direct to ISP (unprotected)

This is called a DNS leak. ISP sees which sites you visit, even though VPN is on.

Solutions: Encrypted DNS

DNS over HTTPS (DoH)

DNS queries are transmitted inside HTTPS connection on port 443.

Pros:

Looks like regular HTTPS traffic
Hard to block
Supported by browsers

Cons:

Slight latency
Dependence on DoH provider

DNS over TLS (DoT)

DNS queries are encrypted with TLS on dedicated port 853.

Pros:

Clean protocol, no HTTP overhead
Easier to troubleshoot

Cons:

Easy to block (separate port)
Less browser support

DNS over QUIC (DoQ)

New protocol based on QUIC. Faster than DoT, harder to block.

Comparison

Protocol	Port	Stealth	Speed	Support
DoH	443	High	Medium	Wide
DoT	853	Low	High	Medium
DoQ	853/8853	Medium	High	Limited

Popular DNS Providers

Public Services

Provider	DoH	DoT	Features
Cloudflare	`1.1.1.1`	`1.1.1.1`	Fast, private
Google	`8.8.8.8`	`dns.google`	Fast, logs
Quad9	`9.9.9.9`	`dns.quad9.net`	Blocks malware
NextDNS	Personal	Personal	Customizable
AdGuard	`94.140.14.14`	`dns.adguard.com`	Blocks ads

What to Choose

For privacy: Cloudflare 1.1.1.1 - doesn’t log queries, fast.

For security: Quad9 - blocks known malicious domains.

For control: NextDNS - full customization, statistics, filters.

For ad blocking: AdGuard DNS - built-in block lists.

Setup on Different Devices

Windows 11

System level (DoH):

Settings → Network & Internet → WiFi/Ethernet
Hardware properties → Edit DNS
Manual → IPv4
DNS: 1.1.1.1
Encryption: “Encrypted only (DNS over HTTPS)“

Windows 10

No built-in DoH support. Options:

Upgrade to Windows 11
Use an app (Cloudflare WARP, NextDNS)
Configure in browser

macOS

System level:

Download profile from provider’s site (e.g., 1.1.1.1)
Open profile → Install
System Preferences → Profiles → Confirm

Via terminal:

networksetup -setdnsservers Wi-Fi 1.1.1.1 1.0.0.1

iOS

Profile:

Safari → open 1.1.1.1/dns (for Cloudflare)
Download profile
Settings → Profile Downloaded → Install

App: Install 1.1.1.1 from App Store.

Android

Android 9+:

Settings → Network & Internet → Private DNS
Hostname: one.one.one.one (Cloudflare) or dns.google

App: Install 1.1.1.1 or Intra from Google Play.

Linux

systemd-resolved:

sudo nano /etc/systemd/resolved.conf

[Resolve]
DNS=1.1.1.1
DNSOverTLS=yes

sudo systemctl restart systemd-resolved

Router

Depends on model. General principle:

Access router settings
Find DNS section
Enter DoT server addresses
Enable DNS over TLS (if supported)

Keenetic: Supports DoH and DoT out of the box.

ASUS with Merlin: Supports DoT.

OpenWrt: Install https-dns-proxy package for DoH.

Browser Configuration

Chrome

Settings → Privacy and security → Security
“Use secure DNS” → Enable
Choose provider or specify custom

Firefox

Settings → Privacy & Security
Scroll to “DNS over HTTPS”
Select “Max Protection”
Choose provider

Edge

Settings → Privacy, search, and services
“Use secure DNS” → Enable
Choose provider

Safari

Uses macOS/iOS system settings.

Verifying Setup

DNS Leak Test

Open dnsleaktest.com
Click “Extended test”
Check results

Good result:

Only servers from chosen DNS provider
No ISP servers

Bad result:

Your ISP’s servers
Mix of different DNS servers

Encryption Check

Open 1.1.1.1/help (for Cloudflare)
Check DoH/DoT status

DNS Filtering

What It Is

DNS filtering blocks domains at DNS query level:

Ad networks
Trackers
Malicious sites
Adult content (parental control)

How It Works

Query: "What's the IP for ads.example.com?"
Response: "0.0.0.0" (blocked)

Browser can’t load ad because it doesn’t know the address.

DNS and VPN

How They’re Connected

Good VPN:

Routes DNS through tunnel
Uses its own DNS servers
Prevents leaks

Testing VPN for DNS Leaks

Connect to VPN
Open dnsleaktest.com
Run extended test

Expected result:

VPN provider’s DNS servers
Or your chosen DoH/DoT servers
No ISP servers

If Leak Exists

Check VPN client settings (DNS leak protection)
Manually configure DNS on device
Switch VPN provider if issue persists

Limitations of Encrypted DNS

Doesn’t Hide Everything

DoH/DoT encrypts queries, but:

Site’s IP is still visible (after DNS resolution)
SNI in TLS handshake reveals domain
For full privacy, need VPN

Dependence on Provider

You trust DNS provider instead of ISP. Choose verified ones:

Cloudflare - audits, transparency
Quad9 - non-profit organization
NextDNS - clear privacy policy

Possible Blocks

Some networks block DoT (port 853)
Corporate networks may require their DNS
DoH is harder to block

Setup Checklist

Reliable DNS provider chosen
DoH or DoT configured on device
Verified working via dnsleaktest.com
DNS filtering configured (optional)
VPN tested for DNS leaks

Summary

DNS encryption is an important but often ignored privacy element. Even with VPN, unprotected DNS queries reveal your activity.

Set up DoH or DoT in 5 minutes, and close this vulnerability. For maximum protection, combine with VPN.

Tainet routes DNS through the protected tunnel and prevents leaks. Additionally, you can use your own DoH server for full control.