Why Encrypt Your DNS
Your DNS queries reveal every site you visit
Every time you visit a website, your device sends a DNS query — a request to translate a domain name like example.com into an IP address. It happens thousands of times a day. And by default, every single one of those queries is sent in plain text, visible to anyone between your device and the DNS resolver.
That includes your ISP, the operator of the coffee shop WiFi you’re using, and anyone running a packet capture on the same network. DNS is the phone book of the internet, and right now, most people are reading it out loud.
What Can Someone Learn From Your DNS Queries?
Quite a lot, actually.
Your DNS traffic reveals a detailed portrait of your online activity — not the content of what you read, but the pattern of where you go. Consider what the following queries imply:
- api.period-tracker-app.com — health data
- careers.competitor.com — job hunting
- www.addiction-helpline.org — sensitive personal circumstances
- forums.opposition-party.fr — political interests
- chat.dating-app.com — relationship status
None of these queries carry the content of what you did on those sites. But the destinations alone are enough to build a comprehensive profile. This data has commercial value, which is why ISPs in some countries sell it. It also has legal and political value in others.
Real-World Risks
ISP surveillance and monetization. In the US, ISPs can legally sell your browsing history. In the EU, GDPR limits this significantly — but plain-text DNS still exposes your queries to your ISP’s infrastructure, even if they’re currently prohibited from using it commercially.
Public WiFi interception. On any network you don’t control, DNS traffic can be observed passively. In a hotel, at an airport, at a conference — anyone with access to the network equipment sees your queries.
DNS hijacking. Some ISPs and network operators intercept DNS queries and redirect them to their own resolvers — even when you’ve configured a different one. Without encryption, there’s no way to detect or prevent this. Your query is addressed to 8.8.8.8, but the ISP intercepts it in transit and answers it from its own resolver instead.
DNS manipulation. Unencrypted DNS can be tampered with in transit. An attacker can return false answers, sending you to a phishing site instead of your bank. This is sometimes called DNS spoofing or DNS cache poisoning. Encryption alone doesn’t prevent all of this, but it significantly raises the bar.
The Solution: Encrypted DNS
Three protocols exist today to encrypt your DNS queries. They all solve the same core problem — your queries are hidden from the network — but they differ in how they work and what tradeoffs they carry.
DoH — DNS-over-HTTPS
DoH wraps DNS queries inside standard HTTPS requests. From the network’s perspective, your DNS traffic is indistinguishable from loading a webpage. Port 443, standard TLS, same as everything else.
This makes DoH the most resilient option against network-level blocking. You can’t block DoH without also breaking most of HTTPS. It’s supported natively in Firefox and Chrome, and you can configure it in a few clicks.
Tradeoff: your DNS provider can see all your queries (this is unavoidable with any DNS resolver, encrypted or not). With DoH, you’re moving trust from your ISP to your DNS provider. Choose one you actually trust.
DoT — DNS-over-TLS
DoT uses a dedicated encrypted channel on port 853. The encryption is equivalent to DoH (both use TLS), but the traffic is clearly identifiable as DNS — a network operator can see you’re making encrypted DNS requests, even if they can’t see the content.
This means DoT is easier to block than DoH. Some corporate networks and restrictive environments block port 853 entirely. That said, DoT is natively supported on Android 9+, recent Linux distributions with systemd-resolved, and many router firmware options. If you’re on a network you control, DoT is an excellent choice.
DoQ — DNS-over-QUIC
DoQ is the newest of the three. It uses the QUIC transport protocol (the same one underlying HTTP/3) instead of TCP. QUIC was designed to reduce connection latency — it establishes encrypted connections faster, handles packet loss better, and generally performs well in mobile and congested network conditions.
le_dns supports DoQ today. It’s not yet widely supported by operating systems or browsers natively, but dedicated DNS clients like dnscrypt-proxy can use it. Expect broader support as the protocol matures.
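To make the contrast between plain DNS and the encrypted transports concrete, here is an added example written for this page (not code from le_dns) that takes one DNS question and shows it three ways: as the plain-text UDP payload that any observer on port 53 can read with a few byte offsets, as an RFC 8484 DoH GET URL, and with the two-byte length prefix (RFC 7858) a client sends inside a DoT session on port 853. The resolver URL https://ledns.eu/dns-query is the one given on this page; the "captured" payload bytes and the function names are constructed for the example. With transaction ID 0 the www.example.com query encodes to the same `dns=` value as the worked example in RFC 8484 section 4.1.1.

```python
import base64
import struct

# Constructed sample: the UDP payload of a plain-text query for example.com
# (type A) as a capture on port 53 would show it. Not from any real capture.
CAPTURED_UDP53_PAYLOAD = bytes.fromhex(
    "1234 0100 0001 0000 0000 0000"    # header: id=0x1234, flags=RD, QDCOUNT=1
    "07 6578616d706c65 03 636f6d 00"   # QNAME: 7 "example", 3 "com", root
    "0001 0001"                        # QTYPE=A, QCLASS=IN
)


def build_query(name: str, txid: int = 0, qtype: int = 1) -> bytes:
    """Encode a minimal RFC 1035 query: header, QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_qname(payload: bytes) -> str:
    """Recover the queried name from a plain-text DNS message.

    This is all a passive observer (ISP, hotspot operator, anyone sniffing
    the LAN) has to do with a port-53 packet: no key, no TLS, just offsets.
    """
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in question")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url-encoded wire query with padding stripped.

    Build the query with txid 0 so identical questions give identical URLs
    and ordinary HTTP caches can serve them (RFC 8484 section 4.1).
    """
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


# Both the GET and POST forms carry this media type; POST sends the raw
# wire query as the body with the same value as Content-Type.
DOH_MEDIA_TYPE = "application/dns-message"


def dot_frame(query: bytes) -> bytes:
    """RFC 7858 framing: the RFC 1035 TCP two-byte big-endian length prefix.

    Over DoT the framed message travels inside a TLS session on port 853;
    an observer sees the port and the TLS handshake, not the name.
    """
    return struct.pack("!H", len(query)) + query


if __name__ == "__main__":
    print("observer on port 53 reads:", parse_qname(CAPTURED_UDP53_PAYLOAD))
    q = build_query("www.example.com")
    print("same question as DoH GET :", doh_get_url("https://ledns.eu/dns-query", q))
    print("same question DoT-framed :", dot_frame(q).hex())
```

The `parse_qname` routine is the point of the example: it is a dozen lines with no secret input, which is exactly why a port-53 capture is a complete record of where you go. The DoH and DoT functions carry the same bytes, but what leaves the device is a TLS connection to the resolver, so the only thing an observer can still extract is the resolver's address.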
Quick Comparison
| Protocol | Port | Block resistance | Native OS support | Latency |
|---|---|---|---|---|
| DoH | 443 | High | Browsers (Firefox, Chrome) | Low |
| DoT | 853 | Medium | Android 9+, Linux | Low |
| DoQ | 853 (UDP) | Medium | DNS clients only | Lowest |
What Encryption Doesn’t Fix
Encrypted DNS protects your queries in transit. It does not:
- Hide that you’re using a specific DNS resolver (your ISP can still see the IP you’re connecting to)
- Prevent your DNS resolver from logging your queries (pick a privacy-respecting one)
- Replace a VPN for full traffic anonymization
Encrypted DNS is one layer in a privacy stack. It’s a meaningful, low-friction improvement over plain DNS — and it should be the baseline, not an advanced user option.
How le_dns Helps
le_dns supports all three protocols: DoH (https://ledns.eu/dns-query), DoH3 (h3://ledns.eu/dns-query), DoT (ledns.eu on port 853), and DoQ (ledns.eu on port 8853).
Beyond encryption: we pseudonymize IP addresses before any logging (truncated to /16 for IPv4, /48 for IPv6), we don’t log which domains you resolve, and all infrastructure is in the EU.
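The pseudonymization rule above (keep the /16 of an IPv4 client and the /48 of an IPv6 client, log no domain names) is easy to get subtly wrong, so here is an added example, not le_dns's own code, showing one way to apply it in Python before a record is written. The log record's field set and the function names are assumptions made for the example; the only thing taken from the page is the truncation policy itself.

```python
import ipaddress
from datetime import datetime, timezone

# Prefix lengths from the policy described on the page.
IPV4_KEEP_BITS = 16
IPV6_KEEP_BITS = 48


def pseudonymize_ip(addr: str) -> str:
    """Truncate a client address before it touches any log.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d, common on dual-stack
    sockets) are unwrapped first; otherwise a /48 cut would collapse every
    IPv4 client to '::' instead of applying the intended /16 rule.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    net = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(net.network_address)


def log_record(client_addr: str, qtype: str, rcode: str, transport: str) -> dict:
    """Build the minimal record a privacy-respecting resolver would keep.

    The queried name is deliberately not a parameter, so the logging path
    never holds it and cannot leak it by accident. Assumed field set; this
    is not le_dns's actual log format.
    """
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "client": pseudonymize_ip(client_addr),
        "qtype": qtype,
        "rcode": rcode,
        "transport": transport,  # e.g. "udp53", "doh", "dot", "doq"
    }


if __name__ == "__main__":
    # Constructed sample clients drawn from documentation address ranges.
    for client in ("203.0.113.77", "2001:db8:abcd:1234::1", "::ffff:203.0.113.77"):
        print(client, "->", pseudonymize_ip(client))
    print(log_record("198.51.100.9", "A", "NOERROR", "doh"))
```

Doing the truncation in the function that builds the record, rather than in a later scrubbing pass, is the design choice that matters: the full address and the queried name never exist together in anything that is persisted.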
Ready to encrypt your DNS? Set it up in minutes — check our setup guides.