Every device and app we use that connects to the Internet uses DNS to figure out where to route data. We trust our browsers with an enormous amount of personal information, and while much of that is encrypted nowadays, unless you've got a private DNS set up, your DNS records are sent in plaintext. Even your VPN could potentially be leaking DNS data if it's not encrypting it or sending it through the encrypted tunnel, and that likely means it's being tracked by someone, or someones.

At this point in the Internet's development, it's simpler to assume that everything you send out of your home network is being tracked (or at least someone is trying to track it). Anything sent unencrypted will be read, categorized, and filed away for future surveillance, data harvesting, or even malicious attacks. If you still think you're too small to target, think again, and get ready to encrypt everything you can, including your DNS requests.

User privacy should be the default, not the edge case

Protecting user data, reducing targeting by advertisers, and blunting DNS attacks are all worthy goals

Modern network architecture is shifting towards a Zero-Trust model, where nothing is trusted by default, privacy is the default, and rules are then added to allow communication where necessary. It's a total paradigm shift, and while it protects companies from attack, it also protects individual user data with the same processes. That's because it doesn't just stop attackers from seeing data in transit, it stops ISPs, insider threats like rogue administrators, and anyone else from monitoring your browsing.

But while browsing data, backups, and other personally identifying data are (mostly) encrypted these days, that's not the case for DNS requests. According to APNIC, only 35% of the world's DNS requests are validated by DNSSEC, which was designed to prevent MitM attacks against the DNS system. SSL/TLS mostly protects browsing data, but that doesn't protect email. Without DNSSEC, an attacker could spoof the MX records used for email routing and intercept email, copying it before forwarding it on to the intended server.

It's all a bit of a mess, really, but you can do your part by picking a DNS service with support for encryption. That could be DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), or DNSCrypt, along with support for DNSSEC so that you can trust the results you get. That removes MitM issues, like when your ISP 'helpfully' changes the website you see to protect you from content it has decided should be censored.
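"Trusting the results you get" has a concrete wire-level meaning: a validating resolver sets the AD (authenticated data) bit in the response header, and it returns SERVFAIL rather than an answer when the signatures do not check out. The following is an added example (not code from the article or from any of the DNS providers it names) that decodes the DNS header and classifies a response accordingly; the three sample responses are constructed header-only byte strings, and `query_live` is an optional helper that sends a DO-flagged query over plain UDP so you can try it against a resolver of your choosing.

```python
import socket
import struct

# Bit masks for the 16-bit flags word of the DNS header (RFC 1035, RFC 4035).
QR = 0x8000           # message is a response
RD = 0x0100           # recursion desired
RA = 0x0080           # recursion available
AD = 0x0020           # authenticated data: the resolver validated the answer with DNSSEC
CD = 0x0010           # checking disabled: the client asked the resolver to skip validation
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2    # what a validating resolver returns for data that fails validation


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & QR),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(msg: bytes) -> str:
    """Say how much a response can be trusted, judged from its header alone."""
    h = parse_header(msg)
    if not h["is_response"]:
        return "not-a-response"
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"        # validation failed (or the resolver is broken)
    if h["ad"]:
        return "validated"       # AD set: the resolver checked the signature chain
    return "unvalidated"         # an answer came back, but nobody checked signatures


def build_query(name: str, ident: int = 0x1234) -> bytes:
    """Build an A query carrying an EDNS0 OPT record with the DO bit set,
    which asks a validating resolver to include DNSSEC data in its answer."""
    header = struct.pack("!6H", ident, RD, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL carries the DO flag, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def query_live(server: str, name: str, timeout: float = 3.0) -> bytes:
    """Send the query over plain UDP/53 and return the raw response (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(4096)


def build_header(ident: int, flags: int, qd=1, an=1, ns=0, ar=0) -> bytes:
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)


# Constructed sample responses (header only; question and answer sections omitted).
VALIDATED = build_header(0x1234, QR | RD | RA | AD)
UNVALIDATED = build_header(0x1234, QR | RD | RA)
BOGUS = build_header(0x1234, QR | RD | RA | RCODE_SERVFAIL, an=0)

if __name__ == "__main__":
    for label, sample in [("validated", VALIDATED), ("unvalidated", UNVALIDATED), ("bogus", BOGUS)]:
        print(f"{label:>11}: {classify(sample)}")
```

Against a real resolver, `classify(query_live("<resolver ip>", "example.com"))` returning "unvalidated" for a zone that is known to be signed means the resolver is not validating, whatever its marketing says. Note that the AD bit is only meaningful on the path between you and the resolver; it is itself unsigned, which is exactly why the last hop should be DoT or DoH.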

Expecting the user to enable private DNS is the wrong move

Anything to do with security needs to be set up as the default; otherwise, most people won't use it. It's hard enough to educate users about password etiquette, and why using the same password on all your online accounts is a bad idea. And that's for something that protects banking details, with an immediately visible benefit.

Apple has taken some steps in the right direction with Private Relay, but it only encrypts the DNS requests sent by Safari when it really should encrypt every DNS request sent by any app, browser, or system setting on an Apple device. It's also only available with an iCloud+ subscription, putting profits over privacy.

πŸ‘ Custom DNS input on Mac OS
5 reasons I'm self-hosting a DNS server

Self-hosting DNS gave me local control, custom domains, and ad-blocking across my whole network.

It's feasible (with a little work)

Your most-used devices should have native support, and there's always your router

Whether you use Android, iOS, Windows, Linux, or macOS, at this stage they should all support either DoH or DoT natively. If they don't, you still have options. Consumer routers are getting better at supporting encrypted DNS, and there are always options like Firewalla and OPNsense. Making your router use encrypted DNS is good practice anyway, but make sure you point the router's own DNS queries at 127.0.0.1 (its local encrypting resolver) rather than at your ISP's servers; otherwise some of its lookups will still go out in plaintext.

For mobile devices, you should be able to set private DNS up in the settings app. All of these DNS servers support DNS-over-TLS, which is what Android's Private DNS setting uses:

  • dns.quad9.net
  • dns.adguard.com
  • doh.mullvad.net
  • adblock.doh.mullvad.net
  • p2.freedns.controld.com
  • 1dot1dot1dot1.cloudflare-dns.com
  • security-filter-dns.cleanbrowsing.org
  • one.one.one.one

For iOS, you'll have to generate a configuration profile with the DNS servers above (from Safari on your iPhone), download the configuration, and install the profile. You could also use NextDNS, AdguardDNS, or other providers that support encrypted DNS and give you either iOS apps or profiles to install. Windows, macOS, and Linux all support using encrypted DNS from the network settings pages, and it only takes a minute to get working.

Some devices might not support custom DNS settings

Even with most major devices supporting DNS-over-HTTPS or DNS-over-TLS, not every device you own will let you change the DNS settings. IoT devices often have hardcoded DNS or use the ones set in your router by default. To get those using encrypted DNS, you'll either need to set up your own DNS server as the only DNS resolver in your router, or you could go for the nuclear option and block your IoT devices from accessing the Internet.

I know that the last option isn't always possible, but if most of them are blocked, your risk profile will be reduced substantially. There are always going to be some smart home devices that are either difficult to route DNS requests for or require a connection to the Internet to work, but maybe as more Matter-capable devices hit the market, that will become less of an issue.
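Both of the leaks described in this section, the router forwarding its own lookups upstream in plaintext and IoT devices with hardcoded resolvers bypassing yours, show up the same way in your firewall's connection log: traffic to port 53 leaving the LAN. The following is an added example (not code from the article or from any of the products it names) that runs that check over a handful of constructed flow records in a simple key=value format; the LAN range and resolver address are assumptions you would replace with your own.

```python
import ipaddress
import re

# Assumed network layout; replace with your own.
LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.1")   # the router / self-hosted resolver
LAN = ipaddress.ip_network("192.168.0.0/16")

PLAINTEXT_DNS_PORTS = {53}
# DoT is 853; DoH rides on 443 and cannot be told apart from web traffic by port alone.

# Constructed sample flow records (one connection per line).
SAMPLE_FLOWS = """\
src=192.168.1.1 dst=9.9.9.9 proto=tcp dport=853
src=192.168.1.1 dst=8.8.8.8 proto=udp dport=53
src=192.168.1.50 dst=192.168.1.1 proto=udp dport=53
src=192.168.1.77 dst=8.8.8.8 proto=udp dport=53
src=192.168.1.77 dst=8.8.4.4 proto=tcp dport=53
src=192.168.1.23 dst=1.1.1.1 proto=tcp dport=853
src=192.168.1.90 dst=93.184.216.34 proto=tcp dport=443
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def parse_flow(line: str):
    """Parse one key=value flow line; return None for lines that don't match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m[1]),
        "dst": ipaddress.ip_address(m[2]),
        "proto": m[3],
        "dport": int(m[4]),
    }


def find_dns_leaks(text: str):
    """Return (src, dst, reason) for every flow that carries DNS in the clear
    to anything other than the local resolver."""
    leaks = []
    for line in text.splitlines():
        f = parse_flow(line)
        if f is None or f["dport"] not in PLAINTEXT_DNS_PORTS:
            continue
        if f["dst"] == LOCAL_RESOLVER:
            continue   # plaintext inside the LAN to our own resolver is the intended path
        if f["dst"] in LAN:
            reason = "plaintext DNS to a LAN host that is not the resolver"
        elif f["src"] == LOCAL_RESOLVER:
            reason = "router forwarding its own lookups upstream in plaintext"
        else:
            reason = "device bypassing the local resolver (hardcoded DNS?)"
        leaks.append((str(f["src"]), str(f["dst"]), reason))
    return leaks


def leaks_by_host(leaks):
    """Count leaking flows per source address, to see which devices need attention."""
    counts = {}
    for src, _, _ in leaks:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_dns_leaks(SAMPLE_FLOWS)
    for src, dst, reason in found:
        print(f"{src} -> {dst}: {reason}")
    print(leaks_by_host(found))
```

A device that shows up here repeatedly is a candidate for the two fixes the section gives: make your own resolver the only DNS server the router hands out and redirect or drop anything else on port 53, or cut that device off from the Internet entirely. Run the same check after the change; a clean result is the evidence that the hardcoded resolver is no longer being reached.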

πŸ‘ AdGuard web admin dashboard
I used AdGuard Home for self-hosting a DNS server and it surprised me

Everyone knows AdGuard for its paid programs but this free DNS server is awesome.

Private DNS makes us all safer online

Private DNS is only part of the equation for online privacy and security. Good browsing habits, keeping your wits about you, and using a privacy-focused browser all contribute to the picture. The sad fact is that companies have found ways to monetize all forms of data, even DNS requests, and they use it all to serve targeted advertising. Your location can also be triangulated based on which DNS servers are used and how long responses take, and it all feeds a vast machine that extracts value from data that should be private.