DNS Privacy: Why Your ISP Sees Every Site You Visit (And What to Do About It)
When you visit a website, your browser needs to translate the domain name (like example.com) into an IP address. This translation happens through DNS (Domain Name System) queries.
By default, these queries are unencrypted and go to your ISP’s DNS servers. That means your ISP sees every website you visit, even if you’re using HTTPS for the actual connection.
Australian ISPs are required to retain metadata including DNS queries for two years under data retention laws. Whether you care about this depends on your privacy preferences and threat model, but you should at least understand what’s being collected and what options exist.
How Standard DNS Works (and Leaks)
- Your device sends a DNS query asking “what’s the IP address for example.com” to a DNS resolver (usually your ISP’s by default).
- The resolver responds with the IP address.
- Your device connects to that IP address using HTTPS (hopefully).
The problem: That initial DNS query is unencrypted and typically goes to your ISP. Anyone monitoring network traffic between you and your ISP can see every domain you’re looking up.
HTTPS protects the content of your browsing — the ISP can’t see what you’re reading on example.com. But they can see that you’re accessing example.com, which reveals plenty about your browsing habits.
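To make the leak concrete, here is an added example (not part of the original article) of what an on-path observer, your ISP or anyone between you and the resolver, can read out of a plaintext port-53 query and its reply. Both packets are constructed by hand for the example; 203.0.113.10 is a documentation-range address standing in for the real one.

```python
"""Added example, not from the article: what an on-path observer (an ISP, or
anyone between you and the resolver) can read from plaintext DNS on port 53.
The two packets below are constructed by hand for this example."""
from __future__ import annotations

import struct

QTYPE_NAMES = {1: "A", 28: "AAAA", 5: "CNAME", 15: "MX", 16: "TXT", 65: "HTTPS"}

# Constructed sample: the query a browser sends for example.com (type A),
# byte for byte as it appears in the UDP payload to the resolver.
SAMPLE_QUERY = (
    b"\x12\x34"                          # transaction ID
    b"\x01\x00"                          # flags: standard query, recursion desired
    b"\x00\x01\x00\x00\x00\x00\x00\x00"  # 1 question, 0 answer/authority/additional
    b"\x07example\x03com\x00"            # QNAME "example.com", readable in the clear
    b"\x00\x01\x00\x01"                  # QTYPE A, QCLASS IN
)

# Constructed sample: the resolver's reply. The answer name is a compression
# pointer (0xC00C) back to the question; 203.0.113.10 is a documentation address.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # response, RD+RA, 1 question, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"            # question section repeated
    b"\xc0\x0c"                                          # NAME: pointer to offset 12
    b"\x00\x01\x00\x01"                                  # TYPE A, CLASS IN
    b"\x00\x00\x0e\x10"                                  # TTL 3600
    b"\x00\x04"                                          # RDLENGTH 4
    b"\xcb\x00\x71\x0a"                                  # RDATA 203.0.113.10
)


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a DNS name at `offset`, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as it appears in the message)."""
    labels: list[str] = []
    end = offset
    jumped = False
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx: pointer to an earlier name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                                # root label terminates the name
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def summarise(payload: bytes) -> dict:
    """What one plaintext DNS message reveals: the name asked for, the record
    type, and whether it is the query or the answer."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!6H", payload, 0)
    if qdcount < 1:
        raise ValueError("no question section")
    name, off = read_name(payload, 12)
    qtype, _qclass = struct.unpack_from("!HH", payload, off)
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "name": name,
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "answers": ancount,
    }


def first_a_record(payload: bytes) -> str | None:
    """From a plaintext response, the first IPv4 address returned: the observer
    now also knows which server the client is about to connect to."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from("!6H", payload, 0)
    off = 12
    for _ in range(qdcount):                          # skip the question section
        _, off = read_name(payload, off)
        off += 4
    for _ in range(ancount):
        _, off = read_name(payload, off)              # handles the 0xC00C pointer
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", payload, off)
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            return ".".join(str(b) for b in rdata)
    return None


def observed_domains(payloads: list[bytes]) -> list[str]:
    """The browsing history an observer accumulates from a capture of port-53 traffic."""
    return sorted({summarise(p)["name"] for p in payloads})


if __name__ == "__main__":
    for pkt in (SAMPLE_QUERY, SAMPLE_RESPONSE):
        print(summarise(pkt))
    print("resolved to:", first_a_record(SAMPLE_RESPONSE))
    print("domains seen:", observed_domains([SAMPLE_QUERY, SAMPLE_RESPONSE]))
```

Nothing here requires breaking anything: the name sits in the packet as length-prefixed ASCII labels, so a capture of port-53 traffic is a browsing history. The response parser follows the compression pointer only because real replies use it; the question section itself is never compressed.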
DNS-over-HTTPS (DoH)
DoH encrypts DNS queries by sending them over HTTPS to a DNS resolver that supports it. From a network perspective, DoH traffic looks like regular HTTPS web traffic.
Your ISP can’t see the contents of the DNS query. They know you’re connecting to a DoH-capable resolver (like Cloudflare’s 1.1.1.1 or Google’s 8.8.8.8), but not what domains you’re looking up.
Browsers with built-in DoH support:
- Firefox: Enabled by default in many regions, including Australia as of 2024
- Chrome/Edge: Available but not enabled by default
- Brave: Enabled by default
- Safari: Supports encrypted DNS but implementation varies
How to enable DoH in Firefox:
- Settings > Privacy & Security
- Scroll to “DNS over HTTPS”
- Select “Max Protection”
- Choose a DoH provider (Cloudflare is default)
How to enable DoH in Chrome:
- Settings > Privacy and security > Security
- Scroll to “Advanced”
- Enable “Use secure DNS”
- Choose “With Custom” and select a provider
Once enabled, your DNS queries are encrypted between your browser and the resolver. Your ISP sees only that you’re making HTTPS connections to a DNS resolver, not what you’re looking up.
DNS-over-TLS (DoT)
DoT is similar to DoH but uses TLS directly rather than wrapping it in HTTPS. It runs on port 853 instead of port 443.
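Here is an added example, not from the article, that sends one wire-format DNS query over DoH (RFC 8484, HTTPS on port 443) and over DoT (RFC 7858, TLS on port 853), covering both the DoH and DoT descriptions above. It uses Cloudflare’s public endpoints cloudflare-dns.com and one.one.one.one at 1.1.1.1 as assumptions; any provider from the list below works the same way. The query encoding, URL construction and framing run offline; the two query_* functions need network access.

```python
"""Added example, not from the article: one wire-format DNS query sent over
DoH (RFC 8484, HTTPS/443) and over DoT (RFC 7858, TLS/853). Endpoints are
Cloudflare's public ones; substitute any provider from the article's list."""
from __future__ import annotations

import base64
import socket
import ssl
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"   # Cloudflare's RFC 8484 endpoint
DOT_IP = "1.1.1.1"                                    # connect by address: no plaintext lookup needed
DOT_HOSTNAME = "one.one.one.one"                      # name the resolver's certificate must match
DOT_PORT = 853


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Standard recursive query for `name` (QTYPE 1 = A, 28 = AAAA).
    RFC 8484 recommends ID 0 over DoH so identical queries are cache-friendly."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(query: bytes, endpoint: str = DOH_URL) -> str:
    """RFC 8484 GET form: base64url-encode the wire query and strip '=' padding.
    On the wire this is an ordinary HTTPS request; the name is inside the TLS tunnel."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def dot_frame(query: bytes) -> bytes:
    """DNS over TCP/TLS framing (RFC 1035 section 4.2.2, reused by RFC 7858):
    a 2-byte big-endian length precedes each message."""
    return struct.pack("!H", len(query)) + query


def parse_header(message: bytes) -> dict:
    """The fields a client checks before trusting an answer."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from("!6H", message, 0)
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,          # 0 = NOERROR, 3 = NXDOMAIN
        "answers": ancount,
    }


def query_doh(name: str, endpoint: str = DOH_URL, timeout: float = 5.0) -> dict:
    """Send the query as an RFC 8484 GET. Bootstrap caveat: urllib resolves the
    endpoint's hostname through the system resolver before the first DoH query."""
    req = urllib.request.Request(
        doh_get_url(build_query(name), endpoint),
        headers={"Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_header(resp.read())


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def query_dot(name: str, ip: str = DOT_IP, hostname: str = DOT_HOSTNAME,
              port: int = DOT_PORT, timeout: float = 5.0) -> dict:
    """Send the query over TLS on port 853, verifying the resolver's certificate
    against `hostname` (the same hostname Android's Private DNS setting takes)."""
    ctx = ssl.create_default_context()     # system CA store, hostname check on
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(dot_frame(build_query(name, txid=0x1234)))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            answer = parse_header(_recv_exact(tls, length))
            if answer["id"] != 0x1234:
                raise ValueError("transaction ID mismatch")
            return answer


if __name__ == "__main__":
    query = build_query("example.com")
    print("GET", doh_get_url(query))
    for label, fn in (("DoH", query_doh), ("DoT", query_dot)):
        try:
            print(label, fn("example.com"))
        except OSError as exc:               # offline, blocked port 853, and so on
            print(label, "failed:", exc)
```

Two things worth noticing. The DNS message itself is identical in all cases; only the transport changes, which is why DoH and DoT give equivalent privacy. And every encrypted stub has a bootstrap step: it must already know the resolver’s IP address (as query_dot does) or resolve the resolver’s name once in the clear (as urllib does for query_doh), which is exactly why the ISP still learns that you talk to a DoH or DoT resolver.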
From a privacy perspective, DoT and DoH provide equivalent protection. The difference is primarily technical and affects how network administrators can control DNS traffic.
DoT is more easily blocked by network firewalls because it uses a distinct port. DoH blends with regular HTTPS traffic and is harder to distinguish.
For individual users on residential connections, this distinction rarely matters. For users on managed corporate or school networks, DoH is more likely to work while DoT might be blocked.
Which DNS Resolver to Use
Cloudflare 1.1.1.1: Fast, privacy-focused, no-logging policy. Available via DoH and DoT. Strong privacy commitments documented in their policy.
Quad9 (9.9.9.9): Security-focused, blocks known malicious domains. Good privacy policy. Not-for-profit organization.
Google 8.8.8.8: Fast, reliable, but Google does log queries for a limited time for security and reliability purposes. Privacy implications depend on your threat model and trust in Google.
NextDNS: Configurable DNS resolver with filtering, logging, and privacy controls. Free tier available, paid plans for advanced features.
Mullvad DNS: Privacy-focused, associated with Mullvad VPN but usable independently. No logging.
If privacy is your priority, avoid your ISP’s DNS and avoid Google DNS. Cloudflare, Quad9, or Mullvad are better choices for privacy-conscious users.
System-Wide vs Browser-Only
Browser DoH protects DNS queries from your web browser but doesn’t protect DNS lookups from other apps — email clients, messaging apps, system updates, background services.
For comprehensive DNS privacy, you need system-wide encrypted DNS.
Windows 11: Native DoH support via Settings > Network & Internet > Properties > DNS Server Assignment. Set it to manual and enter the DoH resolver’s address.
macOS: No native DoH support as of current version. Use third-party tools like DNSCrypt-proxy or configure DoT via system preferences.
Linux: Multiple options — systemd-resolved supports DoT, DNSCrypt-proxy supports both DoH and DoT, Stubby is a DoT-specific client.
iOS/iPadOS: Native encrypted DNS support via VPN & Device Management. Install a configuration profile for your chosen DoH/DoT provider.
Android: Native DoT support in Settings > Network & internet > Private DNS. Enter DoT hostname for your chosen provider.
System-wide configuration protects all network traffic, not just browser activity. It’s more comprehensive but slightly more complex to set up.
VPN vs Encrypted DNS
A VPN encrypts all traffic and routes it through the VPN provider’s servers. This hides your DNS queries from your ISP (the VPN provider sees them instead) and hides your IP address from the sites you visit.
Encrypted DNS protects only DNS queries. Your ISP still sees your IP address connecting to the actual websites; it just doesn’t see the DNS lookup that preceded the connection.
For privacy from your ISP, a VPN is more comprehensive. But it shifts trust from your ISP to your VPN provider. If you don’t trust your VPN provider, you’re not better off.
For many users, encrypted DNS is sufficient and simpler than running a VPN constantly. If you’re primarily concerned about DNS query logging, DoH/DoT solves that problem without the complexity and performance overhead of a VPN.
What Encrypted DNS Doesn’t Protect
Your ISP can still see the IP addresses you’re connecting to, even if they can’t see the DNS queries.
For major websites (Google, Facebook, Amazon), IP addresses clearly indicate which service you’re using. Encrypted DNS doesn’t hide this.
For sites using shared hosting or CDNs, the IP address is less revealing — it might be shared by thousands of sites. Encrypted DNS provides more privacy benefit in these cases.
SNI (Server Name Indication) in TLS handshakes also leaks domain names. Encrypted SNI (ECH/ESNI) is being standardized and deployed but isn’t universal yet.
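As an added example (not from the article) of the SNI leak, the following builds a minimal TLS ClientHello by hand and then parses it the way an on-path observer would, recovering the server name without any DNS traffic at all. The fixed 32-byte “random” field and the single cipher suite are simplifications for the example. A hello that negotiates ECH carries only the provider’s public name in this field, with the real name inside the encrypted inner hello, which is why ECH is the complement to encrypted DNS.

```python
"""Added example, not from the article: the SNI leak. Even with encrypted DNS,
the TLS ClientHello names the server in the clear unless ECH is in use. The
hello is built by hand here with a fixed "random" field and one cipher suite."""
from __future__ import annotations

import struct


def build_client_hello(server_name: str | None, random32: bytes = b"\x11" * 32) -> bytes:
    """Minimal ClientHello record. With ECH, this visible SNI would carry only
    the provider's public name; the real name travels in the encrypted inner hello."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension 0 = server_name
    body = (
        b"\x03\x03" + random32                       # legacy_version, random
        + b"\x00"                                    # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"         # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes) -> str | None:
    """Walk the record the way a passive observer would and return the
    host_name from the server_name extension, or None if there is none."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                 # handshake header, version, random
    pos += 1 + hs[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", hs, pos)[0]  # cipher_suites
    pos += 1 + hs[pos]                               # compression_methods
    if pos + 2 > len(hs):
        return None                                  # no extensions block at all
    ext_end = pos + 2 + struct.unpack_from("!H", hs, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_size = struct.unpack_from("!HH", hs, pos)
        pos += 4
        data = hs[pos:pos + ext_size]
        pos += ext_size
        if ext_type == 0x0000:
            p = 2                                    # skip ServerNameList length
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack_from("!H", data, p + 1)[0]
                p += 3
                if name_type == 0:
                    return data[p:p + name_len].decode("ascii")
                p += name_len
    return None


def observer_view(records: list[bytes]) -> list[str]:
    """Names an on-path observer collects from a capture of port-443 ClientHellos,
    with no DNS traffic needed at all."""
    return sorted({name for name in (extract_sni(r) for r in records) if name is not None})


if __name__ == "__main__":
    hellos = [
        build_client_hello("example.com"),
        build_client_hello("mail.example.com"),
        build_client_hello(None),          # contributes nothing to the observer's list
    ]
    print(observer_view(hellos))
```

The parser deliberately skips fields it does not care about rather than validating them, which is all a passive observer needs; the point is that the host name is the one part of the handshake that is neither encrypted nor hidden by DoH/DoT.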
For complete privacy from ISP monitoring, you need VPN or Tor, not just encrypted DNS. But encrypted DNS is a meaningful privacy improvement over standard DNS.
Performance Considerations
Adding encryption to DNS queries introduces minimal overhead. DoH/DoT queries typically take 5-30 milliseconds longer than unencrypted DNS due to TLS handshake overhead.
This is barely noticeable in real-world browsing. Modern browsers cache DNS results, so you’re not doing a DNS lookup for every page load anyway.
Some ISPs throttle or prioritize traffic based on DNS queries. Using encrypted DNS means your ISP can’t prioritize or throttle based on what sites you’re visiting, which can occasionally affect performance — usually for the better (no throttling), occasionally for the worse (no prioritization).
Privacy Trade-Offs
Using encrypted DNS shifts DNS query visibility from your ISP to whoever runs your chosen DNS resolver.
If you use Cloudflare DoH, Cloudflare can see your DNS queries instead of your ISP. Whether that’s better depends on your trust assessment.
Cloudflare has published commitments not to log or sell DNS query data. Your ISP is required to retain DNS logs for government access. For most Australians, Cloudflare is more privacy-respecting than their ISP.
But you’re making a trust decision either way. Research the privacy policies and data handling practices of any DNS resolver you use.
Legal Considerations in Australia
Australian data retention laws require ISPs to log metadata including DNS queries. Using encrypted DNS prevents your ISP from logging this data because they can’t see the queries.
This is legal. You’re not circumventing any law by using encrypted DNS. You’re using a different service provider for DNS resolution that isn’t subject to the same retention requirements.
Law enforcement can still obtain other metadata from your ISP — IP addresses you connect to, connection times, data volumes. DNS queries are just one piece of metadata, and encrypted DNS removes only that piece.
Should You Use Encrypted DNS?
If you value privacy and don’t want your ISP logging every website you visit, yes.
If you’re concerned about ISP throttling or interference based on DNS queries, yes.
If you want protection from DNS hijacking or manipulation on untrusted networks (public WiFi, hotel networks), yes.
If you don’t care who sees your browsing history and trust your ISP, encrypted DNS provides marginal benefit and you can skip it.
The setup process takes 5-10 minutes. The ongoing performance impact is negligible. The privacy benefit is meaningful if you care about ISPs tracking your browsing.
For most privacy-conscious users, encrypted DNS is a sensible baseline protection. It’s not perfect, it doesn’t hide everything, but it’s a significant improvement over unencrypted DNS with minimal cost or complexity.