DNS Privacy in 2026: Your ISP Knows Every Site You Visit (Here’s How to Stop It)

By PublicDNS.info Team · Updated March 2026

Let me paint a picture. You open your laptop, visit your bank’s website, check the news, browse Reddit, look up a medical symptom, then watch a YouTube video. Normal morning.

Your internet service provider just logged all of it. Not the content of those pages (HTTPS takes care of that), but the fact that you visited each of those domains: the timestamp, your IP address, the domain name. Every single lookup.

This happens because DNS queries, by default, are sent in plain text. Your ISP doesn’t need to do anything sneaky to see them; they flow through its network unencrypted as part of normal internet operation. And in many countries, ISPs are legally required to keep these logs for months or years.

The thing is, you can fix this. It’s not even hard.

What Your DNS Resolver Actually Sees

I think most people underestimate how revealing DNS logs are. Your resolver sees every domain your device contacts, not just websites you type into a browser, but every background connection too. App updates, smart home devices phoning home, ad tracking domains, streaming services, social media APIs, email server lookups. All of it.

From a DNS log alone, you can reconstruct a pretty detailed picture of someone’s life: what they read, what they buy, their health concerns, their political interests, their entertainment habits, when they’re home and when they’re not. It’s one of the richest metadata sources that exists, and most people hand it to their ISP without a second thought.

Check Your Exposure Right Now

Before going further, find out where you actually stand. PublicDNS.info’s DNS Privacy Check runs a quick test from your browser and tells you:

— Which DNS resolver is actually answering your queries (you might be surprised, sometimes it’s your ISP even when you thought you’d changed it)

— Whether your queries are encrypted or travelling in plain text

— Whether your resolver validates DNSSEC (which protects against spoofing)

— Whether your ISP is hijacking failed queries to serve ads

If the results show your ISP’s resolver and unencrypted queries, you’ve got work to do. Keep reading.

Encrypted DNS: DoH and DoT

The fix for DNS privacy has two parts: use a resolver that doesn’t log your data, and encrypt the queries so your ISP can’t read them in transit.

DNS over HTTPS (DoH) wraps your DNS queries in standard HTTPS traffic on port 443. To anyone watching the wire, it looks identical to normal web browsing. Your ISP can’t distinguish DNS lookups from regular HTTPS connections, which makes it very difficult to block or inspect. This is what I’d recommend for most people.

DNS over TLS (DoT) encrypts queries on a dedicated port (853). It’s slightly more efficient than DoH but runs on its own port, which means network administrators and ISPs can see that you’re using encrypted DNS (even though they can’t read the content). Some restrictive networks block port 853. Android’s “Private DNS” feature uses DoT.

DNS over QUIC (DoQ) is the newest option. It uses the QUIC transport protocol for faster connections, especially on mobile networks. Support is still limited, but AdGuard and NextDNS already offer it.

The trade-offs between these are nuanced. The DoH vs DoT guide on PublicDNS.info covers the technical details. For the short version: use DoH if your platform supports it, DoT if you’re on Android.

Which DNS Providers Actually Respect Privacy?

Not all public DNS is created equal when it comes to privacy. Some providers have genuine commitments. Others… don’t. Here’s my honest read.

Quad9, the strongest case

Swiss non-profit. Doesn’t log IP addresses at all, not temporarily, not anonymised, not ever. Can’t reconstruct your browsing history because the data doesn’t exist. GDPR-compliant from day one. Switzerland is outside the Five Eyes and Fourteen Eyes intelligence-sharing alliances. Also blocks malicious domains, which is a security bonus.

If I had to pick one provider for pure privacy, it’s this one.

Mullvad DNS, proven under pressure

Run by the Swedish VPN company that’s had their servers physically seized by police and produced zero user data, because there was nothing to find. That’s not a marketing claim, it’s been tested in the real world. Their DNS service inherits the same zero-logging philosophy. Offers ad-blocking and tracker-blocking variants too.

Available at 194.242.2.2 (no blocking) and 194.242.2.3 (ad blocking).

Cloudflare (1.1.1.1), fast and private enough

Doesn’t log client IPs. Purges query data within 24 hours. Independently audited by KPMG with published reports. The main concern is US jurisdiction: Cloudflare is subject to National Security Letters and other US legal processes. Their no-logging policy means there should be minimal data to hand over, but “should be” and “guaranteed to be” are different things.

For most people who aren’t in a high-risk situation, Cloudflare is excellent. It’s the best balance of speed and privacy.

Google DNS (8.8.8.8), privacy is not the point

Google logs your full IP for 24–48 hours and keeps permanent anonymised records including ISP and city-level location. No independent privacy audit of the DNS service. Google is, at its core, an advertising company. I wouldn’t use their DNS if privacy is your primary goal.

That said, if you’re currently using ISP DNS, Google is still a significant upgrade. Just not the best option available.

NextDNS, maximum control

This one’s different. NextDNS lets you decide your own logging policy: log everything, log nothing, encrypt logs, set retention periods, delete on demand. You control the dashboard. The free tier handles 300,000 queries/month, which is plenty for one person.

If you want customisable filtering AND privacy on your terms, NextDNS is hard to beat. The trade-off is that it requires an account and some setup.

For the complete privacy analysis with per-provider audit details, see the Provider Audits page. For privacy ratings broken down by country, there’s the Privacy Score by Country directory. The Best Private DNS list has the curated recommendations.

Is Cloudflare DNS Secure? (The Full Answer)

This is one of the most searched DNS questions, so let me give it a proper answer instead of the usual hand-waving.

In terms of technical security: yes. Cloudflare supports DNSSEC validation, DoH, DoT, DoQ, and ECH. Their infrastructure is massive and redundant. They’re not going to get hacked by some script kiddie.

In terms of privacy: mostly yes. No IP logging, 24-hour data purge, annual KPMG audit. Better than the vast majority of alternatives, and dramatically better than any ISP.

In terms of jurisdiction and trust: this is where it gets nuanced. Cloudflare is a US company. US law gives the government tools (FISA Section 702, National Security Letters with gag orders) that could theoretically compel data collection. Cloudflare’s position is that their logging architecture doesn’t retain the data these orders would target. Whether you trust that depends on your threat model.

For a journalist in a hostile country or a political dissident: Quad9 or Mullvad, with Swiss or Swedish jurisdiction, is a safer bet. For a regular person who wants privacy from their ISP and advertisers: Cloudflare is excellent.

NXDOMAIN Hijacking: Your ISP’s Dirty Secret

Here’s something that genuinely annoyed me when I first discovered it. When you type a URL wrong and the domain doesn’t exist, DNS is supposed to return an NXDOMAIN response, “this domain doesn’t exist.” Simple, honest, correct.

But many ISPs intercept that response and instead redirect you to a search page packed with ads. They’re literally monetising your typos. It breaks email servers, security tools, HSTS implementations, and anything else that relies on accurate DNS responses. The 2026 ISP DNS Report documents this across 109,644 resolvers, and the numbers are ugly.

The DNS Privacy Check tests for NXDOMAIN hijacking specifically. If your ISP is doing it, switching to any reputable public DNS stops it immediately. For technical details on the practice, there’s a dedicated NXDOMAIN hijacking explainer.
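To make the DoH mechanics from the encrypted-DNS section and the NXDOMAIN hijacking check concrete, here is an added example (my own code, not PublicDNS.info’s tooling): it builds a raw DNS query, sends it either as an RFC 8484 POST to a DoH endpoint (Cloudflare’s public URL is assumed as the default) or as plain UDP/53, parses the reply, and flags a resolver that answers a random name under the reserved .invalid TLD with anything other than an empty NXDOMAIN.

```python
import secrets
import socket
import struct
import urllib.request

def build_query(name, qtype=1):
    """RFC 1035 wire-format query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", secrets.randbits(16), 0x0100, 1, 0, 0, 0)  # RD=1
    labels = [p.encode() for p in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(data, off):
    while data[off] and data[off] < 0xC0:      # walk labels until the terminator or a pointer
        off += 1 + data[off]
    return off + (2 if data[off] >= 0xC0 else 1)

def parse_response(data):
    """Return rcode (3 = NXDOMAIN), answer count and any A-record IPs."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off, ips = 12, []
    for _ in range(qd):
        off = _skip_name(data, off) + 4            # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "answers": an, "a_records": ips}

def doh_query(name, url="https://cloudflare-dns.com/dns-query"):
    """POST over HTTPS (RFC 8484): to the ISP this is ordinary port-443 TLS."""
    req = urllib.request.Request(url, data=build_query(name), method="POST", headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())

def udp_query(name, server, port=53):
    """Plain-text DNS on UDP/53: what the ISP sees, and can rewrite, by default."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        s.sendto(build_query(name), (server, port))
        return parse_response(s.recv(4096))

def nxdomain_hijacked(query=doh_query, **kw):
    """A random name under .invalid (RFC 6761) must come back NXDOMAIN with no answers."""
    r = query(secrets.token_hex(6) + ".invalid", **kw)
    return r["rcode"] != 3 or r["answers"] != 0   # an A record here means the resolver lied
```

Call `nxdomain_hijacked()` as is to see an honest DoH answer, or `nxdomain_hijacked(udp_query, server="<your ISP resolver IP>")` to test the plain-text path your system uses by default.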

Setting Up Encrypted DNS

Keeping this brief since the setup varies by platform:

Windows 11: Settings → Network & Internet → your connection → Hardware properties → DNS server assignment → Edit. Enter your DNS, set “Preferred DNS encryption” to “On (automatic template).” Done. DoH is now active.

Android 9+: Settings → Network & Internet → Private DNS → “Private DNS provider hostname.” Enter one.one.one.one or dns.google. DoT is now active, system-wide.

iOS: The built-in settings don’t support encrypted DNS natively. Install the Cloudflare 1.1.1.1 app or a provider DNS profile for system-wide DoH.

Browsers: Chrome, Firefox, and Edge all support DoH in their privacy/security settings. This only covers browser traffic though, not system-wide.

For detailed walkthroughs with screenshots, the encrypted DNS setup guide on PublicDNS.info covers everything.

Common Questions

Do I still need a VPN if I use encrypted DNS?

They protect different things. Encrypted DNS hides which domains you look up. A VPN hides all your traffic, including the IP addresses you connect to. For full privacy, you want both. For a meaningful improvement over the default? Encrypted DNS alone is a big step.

Can my ISP see anything if I use DoH?

They can’t see your DNS queries. They can still see the IP addresses you connect to (since your actual web traffic still routes through their network) and, in some cases, the SNI field in TLS handshakes, which reveals the domain. ECH (Encrypted Client Hello) fixes the SNI issue but it’s not widely deployed yet.

How do I verify my DNS is encrypted?

Run the DNS Privacy Check. It tests encryption status and shows you which resolver is actually handling your queries. If it shows your ISP or unencrypted queries, your config needs another look.
