The DNS Privacy Problem
Every time you type a website address, your device sends a DNS query to translate the domain name (google.com) into an IP address (142.250.80.46). By default, these queries are sent in plain text, unencrypted, to your ISP's DNS servers.
This means your ISP can log the domain name of every website you visit, even if those websites use HTTPS. A VPN encrypts your DNS queries, but understanding DNS security helps you protect yourself even without a VPN.
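What "plain text" means on the wire, as an added example that is not part of the original guide: it encodes a standard DNS query, reads the domain back out of the raw bytes the way any on-path device can, and shows the same message in DNS-over-HTTPS GET form (RFC 8484). The function names are hypothetical and the query is constructed here, not captured traffic.

```python
import base64
import struct

def build_query(domain: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard DNS query (RFC 1035) as it is sent over UDP port 53."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label is prefixed by its length and the name ends with a zero byte
    qname = b"".join(
        bytes([len(label)]) + label
        for label in domain.rstrip(".").encode("ascii").split(b".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def observed_name(payload: bytes) -> str:
    """Recover the queried name from a raw UDP payload; no key or secret is needed."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        if length == 0:
            break
        if length > 63:
            raise ValueError("invalid label length in question section")
        label = payload[pos + 1 : pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels)

def doh_get_path(payload: bytes) -> str:
    """RFC 8484 GET form: the same DNS message, base64url-encoded without padding.
    The encoding itself hides nothing; the privacy comes from the HTTPS (TLS)
    connection that carries this request to the resolver."""
    encoded = base64.urlsafe_b64encode(payload).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + encoded

if __name__ == "__main__":
    query = build_query("www.example.com", txid=0)  # constructed sample query
    print(query.hex())           # raw bytes as they cross the ISP's network
    print(observed_name(query))  # what a passive observer reads from them
    print(doh_get_path(query))   # same message, sent inside an HTTPS request
```

With DoH the ISP still sees a TLS connection to the resolver's IP address, but not the name inside the query.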
What DNS Reveals About You
Your unencrypted DNS queries reveal:
- Every website you visit (domain names)
- When you visit them (timestamps)
- How frequently you visit them (patterns)
- What devices you use (different DNS fingerprints)
Your ISP can — and often does — sell this data to advertisers or hand it to government agencies.
Solution 1: Use a VPN (Most Complete)
The simplest and most effective DNS protection is a VPN. All quality VPNs route your DNS queries through their own encrypted DNS servers, preventing your ISP from seeing them.
All five VPNs we review (NordVPN, Proton VPN, FastestVPN) handle DNS encryption automatically. No configuration needed.
Solution 2: DNS-over-HTTPS (DoH)
If you can't use a VPN, DNS-over-HTTPS encrypts DNS queries in your browser or operating system:
Firefox (Best DoH Support)
- Settings > Privacy & Security > DNS over HTTPS
- Enable and choose Cloudflare (1.1.1.1) or NextDNS
Chrome
- Settings > Privacy and security > Security
- Enable "Use secure DNS" and select Cloudflare or Google
Windows 11
- Settings > Network > Wi-Fi/Ethernet > DNS
- Set to Manual and enter 1.1.1.1 (Cloudflare) or 9.9.9.9 (Quad9)
- Enable "DNS over HTTPS"
Solution 3: Change Your DNS Servers
Even without DoH, using privacy-focused DNS servers is better than your ISP's:
| Provider | Primary | Secondary | Privacy | Filtering |
|----------|---------|-----------|---------|-----------|
| Cloudflare | 1.1.1.1 | 1.0.0.1 | No logging | None |
| Quad9 | 9.9.9.9 | 149.112.112.112 | No logging | Malware blocking |
| NextDNS | Custom | Custom | Configurable | Customizable |
| Google | 8.8.8.8 | 8.8.4.4 | Some logging | None |
DNS Leak Testing
Even with a VPN, DNS leaks can expose your queries. Test regularly:
- Connect to your VPN
- Visit dnsleaktest.com or ipleak.net
- Run the extended test
- All DNS servers should show the VPN provider's servers, NOT your ISP's
If you see your ISP's DNS servers, you have a DNS leak. Fix: ensure your VPN's DNS leak protection is enabled, or manually set DNS to your VPN provider's servers.
How We Verified
DNS encryption methods tested on Windows 11, macOS Sequoia, Firefox 134, and Chrome 131. DNS leak tests conducted with 5 VPN providers across 50 tests each. April 2026.

