Connectivity
DNS: the link nobody hardens
DoH/DoT actually explained. Resolver choice: Quad9, NextDNS, Cloudflare, Mullvad, self-hosted. Local filtering without illusions.
This version was translated with AI assistance and reviewed by a human.
In a network audit of a mid-sized company, DNS is flowing in plaintext on port 53 toward the ISP’s resolver. Every domain the company visits is visible to anyone listening on the network. The company just spent $15,000 on a next-generation firewall.
The common trap
Most people have internalized that HTTPS protects their communications. It does — HTTPS encrypts the content exchanged between your browser and a server. But there’s a near-universal blind spot: DNS.
Before your browser can establish an HTTPS connection to gmail.com, it needs to resolve that domain name to an IP address. That DNS resolution, in the default configuration of virtually every device, happens in plaintext, on port 53, toward your ISP’s or mobile carrier’s resolver.
The result: even if all your web traffic is HTTPS, your ISP, and anyone listening on the network, sees a complete list of every domain you visit, with timestamps and frequency. The content is protected. The intent is not. One caveat to keep in mind throughout: encrypting DNS removes the easiest and most complete source of that list, but the TLS handshake that follows still carries the server name (SNI) in plaintext unless Encrypted Client Hello is in use, and the destination IP address is always visible. Encrypted DNS is necessary; it is not sufficient on its own.
What DNS reveals
Think of DNS as the internet’s phone book. Every time your device wants to reach a service, it asks a DNS resolver: “what’s the IP address for this domain?”
What’s visible in unencrypted DNS:
- Every domain visited, at what time, how often
- Mobile apps (not just the browser) make constant DNS queries — your email client, messaging apps, IoT devices, automatic updates
- Browsing habits: news sites consulted, services used, work schedules
- Sometimes implicit geolocation (regional resolvers, CDN selection)
Who sees this data:
- Your ISP or mobile carrier (the default resolver)
- Anyone listening on the local network (hotel Wi-Fi, coffee shop)
- Your DNS resolver, whoever they are
Do53 vs DoT vs DoH: the three modes
Do53 (classic DNS, port 53, plaintext): the default. No encryption, no authentication. Your resolver sees your queries (it always does, whatever the transport); so does anyone on the network path, who can also rewrite the answers. Your ISP can intercept, log, and sell this data. In many countries, ISPs are legally required to retain connection metadata.
DoT, DNS over TLS (port 853): DNS queries travel inside a TLS session to the resolver, so nobody on the path can read or alter them in transit. However, port 853 is identifiable as DNS traffic and can simply be blocked. What happens next depends on the client: in opportunistic mode it silently falls back to plaintext on port 53; in strict mode (Android Private DNS with a hostname, for example) resolution fails instead of leaking. Blocking 853 is common practice in some enterprises and in countries with active network surveillance.
DoH, DNS over HTTPS (port 443): DNS messages are carried as ordinary HTTPS requests to a URL such as https://dns.quad9.net/dns-query, either as a POST body or base64url-encoded in a GET parameter (RFC 8484). Two advantages: encryption, and a transport that looks like any other HTTPS connection. Blocking it without breaking HTTPS means blocking the resolver's IP addresses or TLS server name, or, for Firefox, answering the canary domain use-application-dns.net with NXDOMAIN, which tells the browser to keep its default DoH off on that network. A DoH endpoint the network does not already know about is indistinguishable from web traffic, which is why it is the preferred protocol for getting past active filtering.
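What "encapsulated in HTTPS" means concretely, as an added example (not code from the original page): the script below builds a DNS query in wire format, encodes it the way RFC 8484 prescribes for a GET request, and parses a wire-format answer. The endpoint is Quad9's documented DoH URL; the answer bytes and the address in them are constructed by hand so everything runs offline, and the live `fetch` helper is only called when the file is run directly.

```python
"""RFC 8484 DoH GET request builder and response parser.
Added example, not the page's own code. Assumptions: the Quad9 endpoint
below, and a hand-constructed answer for example.com used for offline checks."""
import base64
import struct

DOH_ENDPOINT = "https://dns.quad9.net/dns-query"   # Quad9's public DoH path


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035). The ID is 0 as RFC 8484 section 4.1
    recommends, so identical questions yield identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # ID=0, RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)     # QTYPE, QCLASS=IN


def doh_get_url(name: str, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form: the query goes in ?dns= as base64url *without* '=' padding."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Extract RCODE, the AD (DNSSEC-validated) flag and any A records."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                 # skip the echoed question
        _, offset = _read_name(msg, offset)
        offset += 4
    addresses = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "addresses": addresses}


def sample_response() -> bytes:
    """Constructed answer (not captured from a resolver): flags 0x81A0 =
    QR, RD, RA, AD; one A record with TTL 300 pointing at 93.184.216.34."""
    header = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + answer


def fetch(name: str, endpoint: str = DOH_ENDPOINT) -> dict:
    """Live lookup over DoH (needs network). Not called on import."""
    import urllib.request
    req = urllib.request.Request(doh_get_url(name, endpoint),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    print(doh_get_url("example.com"))
    print(parse_response(sample_response()))
```

The URL printed for example.com is exactly what a DoH client sends; on the wire a network observer sees only a TLS connection to the resolver's IP on port 443, and the `dns=` parameter is inside the encrypted request.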
DNSSEC: don't confuse this. DNSSEC cryptographically signs DNS data, so a validating resolver can check that an answer really comes from the zone's owner and was not tampered with (authenticity and integrity). It does not encrypt anything. In practice the resolver validates on your behalf and your device only sees a flag in the answer saying "validated", which is one more reason the leg between you and the resolver needs DoT or DoH: on a plaintext channel that flag can be forged like everything else. DNSSEC and DoH/DoT are complementary, not redundant.
Choosing your resolver
The DNS resolver is the entity that makes the actual queries to authoritative servers on your behalf. Switching your resolver is one of the highest-impact actions you can take with the least effort.
Quad9 (9.9.9.9): operated by a Swiss non-profit. Auditable no-logs policy. Active malware domain filtering by default (aggregated threat database). Supports DoH and DoT. Recommended as the default choice for most users.
Mullvad DNS: if you’re already using Mullvad VPN, your DNS traffic automatically routes through the tunnel. Consistent and effective. Mullvad also offers public DNS resolvers usable independently of the VPN, with variants that filter ads and tracking.
NextDNS: configurable model. You create a profile with your preferences: block ads, trackers, malware, site categories. Optional logging — enable it to audit your network traffic, or disable it completely for privacy. Freemium: 300,000 queries/month free, then roughly $2/month. Excellent for families and small businesses that want visibility into their traffic.
Cloudflare 1.1.1.1: lowest latency. No-logs claim, partially audited. Caveat: Cloudflare is a massive US corporation hosting a considerable fraction of the web — their existing visibility over DNS flows is already extensive. Acceptable for general consumer use, less advisable for profiles wanting to minimize exposure to a single large operator.
ISP default: avoid where possible. Most ISPs use your DNS queries for commercial profiling. Some redirect queries for non-existent domains to their own advertising pages.
Self-hosted (Unbound + Pi-hole): full control. Unbound performs recursive resolution itself, walking from the root servers down to each zone's authoritative servers, so no single third party sees all of your queries (each authoritative server sees only the queries for its own zone, still in plaintext; enable QNAME minimisation so it sees no more of the name than it needs). Pi-hole filters tracker domains locally. You're responsible for maintenance and updates. Limited in mobility: it only covers devices on your network, or on a VPN back home.
Pi-hole: what it does, what it doesn’t
Pi-hole is a local DNS forwarder with blocklists. When an app asks for the IP of doubleclick.net or analytics.twitter.com, Pi-hole does not resolve it: in its default blocking mode it answers with an unroutable address (0.0.0.0 / ::), and it can be configured to answer NXDOMAIN ("domain doesn't exist") instead. Either way the connection never happens. Pi-hole is not itself a recursive resolver; everything it does not block is forwarded to an upstream of your choosing.
What Pi-hole does well:
- Blocks ads and trackers at the network level for all devices (Smart TVs, consoles, IoT) without per-device configuration
- Gives complete visibility into which domains each device on the network is querying
- Meaningfully reduces advertising tracking across the household
What Pi-hole does not do:
- It does not encrypt DNS queries. Its embedded forwarder (dnsmasq) talks to upstreams only over plaintext port 53, so unless a local companion speaks DoT or DoH on its behalf (Unbound forwarding over TLS, or cloudflared), every query it doesn't block still leaves toward your ISP in plaintext
- It doesn’t protect you on external networks (outside your home)
- Apps that bring their own DoH resolver bypass Pi-hole entirely, because they never ask the network's resolver at all. Firefox in its default setting is the exception: it first queries the canary domain use-application-dns.net, which Pi-hole answers with NXDOMAIN, and then stays on the system resolver. A user who has set Firefox to "Max Protection", or an app with a hardcoded DoH endpoint, still goes around it
The recommended setup for a home network: Pi-hole for filtering, with Unbound as its only upstream. Unbound then does one of two things, and you choose which. Either it resolves recursively itself, from the root servers down to each zone's authoritative servers (no single third party sees all your queries, but each individual query to an authoritative server is plaintext), or it forwards everything to a resolver such as Quad9 over DoT (nothing leaves the house unencrypted, but one operator sees it all). There is no "recurse locally and send the rest over DoT": a recursive resolver has no rest to send. Either way, more complex to set up, but it gives full control.
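A minimal Unbound configuration showing both upstream choices side by side, as an added example (not the page's own configuration and not Pi-hole's documented one). It assumes Unbound listens on 127.0.0.1 port 5335 with Pi-hole's upstream set to 127.0.0.1#5335, and a Debian-style CA bundle path; adjust both for your system.

```conf
# /etc/unbound/unbound.conf.d/pi-hole.conf   (assumed path)
server:
    interface: 127.0.0.1
    port: 5335
    do-ip6: no
    access-control: 127.0.0.0/8 allow
    # Send each upstream server only as much of the name as it needs (RFC 9156).
    qname-minimisation: yes
    # Validate DNSSEC here instead of trusting an upstream's AD flag.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    prefetch: yes
    # Only needed for option B: CA bundle used to verify the upstream's certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Option A, full recursion: no forward-zone at all. Unbound starts from the
# built-in root hints and asks each zone's authoritative servers directly,
# in plaintext. Nobody sees every query; every server sees its own share.

# Option B, forward over DoT: uncomment to send everything to Quad9 on port
# 853, authenticating the server against the name after '#'. One operator
# sees all queries; nothing leaves the LAN unencrypted. Do not combine with A.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 9.9.9.9@853#dns.quad9.net
#    forward-addr: 149.112.112.112@853#dns.quad9.net

# Check after restarting:  dig +dnssec example.com @127.0.0.1 -p 5335
# A correct answer carries the "ad" flag; with option B, a wrong hostname
# after '#' makes the forward fail closed instead of falling back to plaintext.
```

With either option the LAN leg from client to Pi-hole to Unbound stays plaintext, which is acceptable inside your own network; the question is only what leaves it.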
Configuration on mobile
iOS: Apple supports DNS configuration profiles (.mobileconfig files). The NextDNS and Cloudflare apps generate one automatically in a few taps. Once the profile is installed through Settings, all DNS traffic from the phone routes through the configured resolver via DoH or DoT, with no resident third-party app required.
Android 9+: the "Private DNS" feature supports DoT natively. Go to Settings > Network & internet > Private DNS, choose "Private DNS provider hostname" and enter dns.quad9.net or <your-id>.dns.nextdns.io (the slash form, dns.nextdns.io/<your-id>, is the DoH URL and is not accepted here). Simple and effective, no app needed, and strict: if port 853 is blocked, resolution fails rather than falling back to plaintext. For DoH specifically, you need either the NextDNS app or a VPN that routes DNS.
On both platforms: if you’re using a VPN, verify that the VPN tunnels your DNS — without this, you have a DNS leak (check dnsleaktest.com).
Common mistakes
Configuring DoH in the browser only. Partial protection. All other system apps continue with the default unencrypted resolver.
Believing Pi-hole encrypts DNS queries. Pi-hole filters. It doesn’t encrypt. Without an encrypted upstream, your ISP still sees every query Pi-hole doesn’t block — which is the vast majority of them.
Forgetting DNS when traveling. Encrypted DNS configured on the home router, or in the browser only? On 4G or hotel Wi-Fi abroad neither applies, and the local carrier's resolver takes over. Only a system-level DoT/DoH setting on the device itself travels with you.
Not testing. Visit dnsleaktest.com and ipleak.net. It’s not uncommon to believe you’re running DoH and discover a leak toward the ISP resolver.
- N1 Configure DoH or DoT at the system level on all your devices
- N1 Choose Quad9 (9.9.9.9) or NextDNS as your primary resolver
- N1 Verify no DNS leak with dnsleaktest.com
- N2 On iOS: install a NextDNS or Cloudflare DNS profile via the dedicated app
- N2 On Android: enable Private DNS (DoT) in system network settings
- N2 Temporarily enable NextDNS logging to audit outbound DNS traffic from your network
- N2 Install Pi-hole on the home network with Unbound as the upstream resolver
- N3 Configure DoH/DoT on the router to cover all devices without individual configuration
- N3 Self-hosted Unbound doing full recursion from the root servers (no single third party sees all your queries)
Sources and further reading
- RFC 8484 — DNS over HTTPS [rfc]
- RFC 7858 — DNS over TLS [rfc]
- Quad9 — Privacy policy [official]
- NextDNS — Documentation [official]