Encrypted DNS: How to Protect Your Browsing from ISP Snooping
Picture this: you open your laptop, visit a medical website, then a job portal, then your bank. Your ISP just logged all three. Encrypted DNS stops that — and setting it up takes about five minutes.

You're sitting at home on a Tuesday evening, browsing on your Jio Fiber connection. You visit a health forum to read about a skin condition. Then you check a job portal because, honestly, you've been thinking about switching roles. Then you open your bank's website to check your balance. Three mundane acts. Three websites your ISP just logged, because every time your browser looked up one of those domain names, it sent the request as plain text through your ISP's servers. Jio now knows you visited a health forum, a job site, and your bank — in that order, at those exact times. Not the content of what you read, but the fact that you visited. And honestly, sometimes the destination tells you more than the content would.
Most people have no idea this is happening. They've heard that HTTPS makes their browsing private — and HTTPS does encrypt the content of your connection, so your ISP can't read what you typed into the health forum or see your bank balance. But DNS, the system that translates "privacytechindia.com" into an IP address your browser can connect to, runs in plain text by default. It's like writing the address on the outside of a sealed envelope. The letter inside is private. The destination on the front is not.
Encrypted DNS fixes this. It's been available for years, it's free, and setting it up takes less time than making chai. Let me walk you through the whole thing.
Wait, What Is DNS Actually Doing?
Quick primer for those who need it — skip ahead if you already know this stuff. DNS stands for Domain Name System. It's basically the phone book of the internet. You type "youtube.com" into your browser. Your device doesn't know what that means — it needs a numerical IP address to connect to. So it sends a query to a DNS server asking "what's the IP address for youtube.com?" The DNS server responds with something like "142.250.77.46," and your browser connects to that address.
By default, your device sends these queries to your ISP's DNS server. On Airtel, those queries go to Airtel's DNS. On Jio, to Jio's. On BSNL, to BSNL's. And those queries are unencrypted — sent as plain text over the network. Anyone between you and the DNS server can read them. That means your ISP, yes, but also anyone on the same Wi-Fi network (at a cafe, hotel, or airport), and potentially anyone monitoring the network in between.
The result is that your ISP has a complete log of every domain name you've looked up. Not every page you visited, just the domain names (the hostnames your browser asked about). But that's enough to build a detailed picture of someone's interests, habits, and concerns. It's enough for ISPs to comply with government-mandated website blocks (which in India are implemented primarily through DNS filtering). And it's enough, in principle, to sell aggregated browsing patterns to advertisers, which some ISPs globally have been caught doing.
The Two Protocols: DoH and DoT
There are two main protocols for encrypting DNS queries. They do essentially the same thing — encrypt the lookup so nobody between you and the DNS server can read it — but they work differently under the hood.
DNS over HTTPS (DoH) wraps DNS queries inside regular HTTPS traffic on port 443, the same port every website uses. This makes DNS queries indistinguishable from normal web browsing at the network level. Your ISP can see that you're sending HTTPS traffic to, say, Cloudflare's IP address, but they can't tell whether you're visiting Cloudflare's website or sending DNS queries. It's encrypted and it blends in with everything else. This makes DoH very hard to block or detect, which is why it's the preferred protocol if you're worried about your ISP actively trying to prevent you from using encrypted DNS.
DNS over TLS (DoT) encrypts DNS queries using TLS, similar to how HTTPS encrypts web traffic, but it uses a dedicated port — 853. This means it's technically easier for a network operator to identify and block DoT traffic, since they can just block port 853. On the other hand, DoT provides cleaner protocol separation (DNS traffic stays separate from web traffic), and some people prefer it for that reason. Android's built-in "Private DNS" feature uses DoT.
For most Indian users, the choice between DoH and DoT doesn't matter much. None of Jio, Airtel or BSNL currently blocks either protocol on consumer connections, at least not as of early 2026. Just pick whichever your device supports more easily.
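To make the last few paragraphs concrete, here is an added example (written for this page, not code from the original post or from any resolver operator) that builds a plain DNS query for the post's youtube.com example, shows what a passive observer on the path can read out of it, and then wraps the very same message the way DoT (RFC 7858: two-byte length prefix, then TLS to port 853) and DoH (RFC 8484: base64url in the dns= parameter of an HTTPS GET) carry it. The Quad9 resolver URL is the one the post names; nothing here touches the network.

```python
"""Added example: a DNS query on the wire, and how DoT and DoH wrap that same message."""
import base64
import random
import struct
from typing import Optional

# Quad9's DoH endpoint, used here only to build a URL; no request is sent.
DOH_ENDPOINT = "https://dns.quad9.net/dns-query"
DOT_PORT = 853  # RFC 7858: DNS over TLS uses a dedicated port


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a standard RFC 1035 DNS query (type A by default) for `name`.

    Header: 16-bit ID, flags 0x0100 (recursion desired), QDCOUNT=1.
    Question: labels as <length><bytes>..., a zero terminator, QTYPE, QCLASS=IN.
    """
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def qname_from_wire(msg: bytes) -> str:
    """What an on-path observer recovers from a plaintext query: the queried name.

    The labels sit as readable ASCII right after the 12-byte header; no key or
    decryption is involved, which is the whole problem with classic DNS.
    """
    pos = 12
    labels = []
    while True:
        length = msg[pos]
        if length == 0:
            break
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def dot_frame(msg: bytes) -> bytes:
    """DoT framing (RFC 7858): the unchanged DNS message behind a 2-byte big-endian
    length, written into a TLS connection to port 853. The observer sees TLS
    records to port 853, so they can tell DoT is in use, but not the name inside."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """DoH GET form (RFC 8484): the message base64url-encoded with padding removed,
    sent as the `dns` query parameter inside ordinary HTTPS on port 443. On the
    wire this is indistinguishable from any other HTTPS request to the resolver."""
    token = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"


def doh_decode_param(token: str) -> bytes:
    """Reverse of doh_get_url: what the resolver does with the dns= parameter."""
    padded = token + "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(padded)


if __name__ == "__main__":
    # RFC 8484 suggests ID 0 for GET so identical queries produce cacheable URLs.
    query = build_query("youtube.com", txid=0)
    print("plaintext query bytes:", query.hex())
    print("observer reads:", qname_from_wire(query))
    print("DoT frame to port", DOT_PORT, ":", dot_frame(query).hex())
    print("DoH GET URL:", doh_get_url(query))
```

Run it and compare the three outputs: the first line contains the literal bytes of "youtube" and "com", which is exactly what an ISP resolver, or anyone on the same cafe Wi-Fi, logs today; the DoT frame and the DoH URL carry the identical message, but in practice that content only ever travels inside a TLS session.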
Setting It Up on Your Android Phone
This is the quickest win. If you've got an Android phone running version 9 (Pie) or later — which covers the vast majority of phones sold in India in the last five or six years — DNS over TLS is built in.
Open Settings. Look for Network & Internet (on some Samsung phones it might be under Connections, then More Connection Settings). Find Private DNS. You'll see three options: Off, Automatic, and "Private DNS provider hostname." Select the last one, and type in a DNS provider's hostname. Good options: dns.quad9.net for Quad9, one.one.one.one for Cloudflare, or your NextDNS hostname if you've set up a NextDNS account (it'll look like abc123.dns.nextdns.io). Save it. Done. Every DNS query from your phone is now encrypted.
Some Android skins bury this setting in weird places. On Xiaomi/MIUI, you might need to search for "Private DNS" in the Settings search bar. On Samsung OneUI, it's often under Connections, then More Connection Settings. If you can't find it, just search. It's there.
On Windows 11
Windows 11 added native DNS over HTTPS support, which is nice because previously you needed a third-party client.
Go to Settings, then Network & Internet, then click on your active connection (Wi-Fi or Ethernet). Click Hardware properties. Scroll down to DNS server assignment and click Edit. Toggle from Automatic to Manual. Under IPv4, enter a DNS server that supports DoH — for Quad9, that's 9.9.9.9 as the primary and 149.112.112.112 as the secondary. For Cloudflare, it's 1.1.1.1 and 1.0.0.1. After entering the IP, a dropdown will appear asking about encryption. Select "Encrypted only (DNS over HTTPS)". Save.
Windows 10 doesn't have this built in. If you're still on Windows 10 (and a lot of people are), you can configure encrypted DNS through Firefox (see below), or use a client like Simple DNSCrypt or YogaDNS. These are third-party tools, so you'd want to stick to well-known, open-source options.
In Firefox
Firefox supports DNS over HTTPS independently of your operating system, which means even if your OS is sending regular DNS queries, Firefox encrypts its own. This is useful if you don't want to (or can't) change system-wide settings.
Open Firefox. Go to Settings (the gear icon), scroll down to Privacy & Security, then find the DNS over HTTPS section near the bottom. Set it to "Max Protection" — this tells Firefox to always use encrypted DNS and fail (show an error) rather than fall back to unencrypted DNS if the encrypted connection fails. Choose a provider — Cloudflare is the default, NextDNS is available as an option, or you can enter a custom provider URL.
One thing to know: if you set up DoH in Firefox but not on your system, other apps (email clients, other browsers, game launchers) will still use unencrypted DNS. Firefox only encrypts its own queries. For full protection, configure it at the system level or on your router.
On Your Router (Protects Everything)
The most thorough approach is to configure encrypted DNS on your Wi-Fi router. This way, every device that connects to your home network — phones, laptops, tablets, smart TVs, IoT devices — automatically uses encrypted DNS without any per-device configuration.
The challenge is that most ISP-provided routers in India (the ones from Jio, Airtel, BSNL) have limited firmware that may or may not support custom DNS settings. Some allow you to change the DNS server addresses (so you can point to Quad9 or Cloudflare), but few support DoH or DoT natively. If you can change the DNS server, do it — even without encryption, using Quad9 or Cloudflare instead of your ISP's DNS means your queries go to a provider with a better privacy policy. It's not encrypted on the path between your router and the DNS server, but it's an improvement.
If you've got your own router (something like a TP-Link Archer or an ASUS model), check whether it supports DoH or DoT in its firmware. ASUS routers with Merlin firmware support DoT natively. TP-Link has been adding DoH support to newer models. If your router supports it, configure it there and you're done — every device on your network benefits.
The nuclear option is running Pi-hole or AdGuard Home on your network, which I've written about elsewhere. These tools act as your network's DNS server and can be configured to use encrypted upstream DNS. They also block ads and trackers at the DNS level for all devices. But that's a bigger project than just setting up encrypted DNS, so I'll leave it for another day.
Which Provider Should You Pick?
A few options, each with different strengths.
Quad9 (9.9.9.9 / dns.quad9.net) is based in Switzerland, operates as a non-profit, and blocks known malicious domains by default. Their privacy policy is one of the strongest in the industry — they don't log your IP address or your queries. Switzerland's data protection laws add a layer of jurisdictional protection. For most Indian users who just want a private, safe DNS provider, Quad9 is probably the best default choice.
Cloudflare (1.1.1.1 / one.one.one.one) is the fastest DNS resolver globally, consistently topping performance benchmarks. They commit to not logging your IP beyond 24 hours and have undergone third-party audits of their DNS privacy practices. Cloudflare is a commercial company, not a non-profit, and they do operate a massive CDN business, so there's a question of whether you want your DNS provider to also be one of the largest infrastructure companies on the internet. Up to you.
NextDNS is what I personally use. It's a paid service (free up to 300,000 queries per month, which is probably enough for an individual) that gives you a dashboard with custom blocking lists, analytics on your query patterns, and granular control over what gets blocked. It's like Pi-hole without the hardware. If you want encrypted DNS plus ad and tracker blocking plus detailed logs of what your devices are doing, NextDNS is the most convenient option.
Control D is another option with servers in India, which means lower latency for Indian users. They offer multiple filtering profiles (malware blocking, ad blocking, adult content blocking) and a free tier. Worth considering if speed is your priority.
Does Switching DNS Affect Your Internet Speed?
People ask this a lot, and the answer is: it depends, but usually in a good way. Your ISP's default DNS servers are often slow and overloaded. Cloudflare and Quad9 have been consistently faster than most Indian ISPs' DNS servers in independent tests. DNS resolution time is typically a few milliseconds on a good resolver versus sometimes 50-100 milliseconds on a congested ISP resolver. You probably won't notice the difference consciously, but your pages might load slightly snappier. It's a small improvement, but it stacks up over thousands of queries per day.
The encryption itself adds minimal overhead. Maybe a millisecond or two for the TLS handshake, which is reused for subsequent queries. In practical terms, the performance impact of encrypted DNS is negligible. You won't see your speeds drop. If anything, you might see a marginal improvement because major DNS providers have better infrastructure than your ISP's DNS servers.
One scenario where DNS provider choice matters more: if you're in a smaller town or on a mobile connection in a rural area, a DNS provider with servers geographically closer to you will perform better. Cloudflare and Quad9 both have presence in Indian cities (Mumbai, Chennai, Delhi at minimum), so latency from urban India is very low. From more remote areas, the extra hop to a DNS server in Mumbai instead of your ISP's local resolver could add a few milliseconds, but the trade-off for privacy is well worth it.
The Website Blocking Question
Let's address the elephant in the room. One side effect of switching to a non-ISP DNS provider is that some government-mandated website blocks stop working. In India, the Department of Telecommunications (DoT, the ministry, not to be confused with DNS over TLS above) instructs ISPs to block certain websites, and most ISPs implement these blocks through DNS filtering — they configure their DNS servers to not resolve the blocked domain names. When you switch to Cloudflare or Quad9, you're no longer using your ISP's filtered DNS, so those blocks no longer apply to you.
I want to be careful here. I'm not advocating that you use encrypted DNS to access blocked content. Some blocks are court-ordered and relate to copyright, some relate to national security, and the legal terrain around circumventing blocks in India isn't entirely clear. The IT Act doesn't directly criminalise using alternative DNS, but it does create offences around "accessing computer resources without authorisation" that could theoretically be stretched. In practice, I'm not aware of any Indian user being prosecuted for using Cloudflare's DNS, and the DPDPA's privacy protections arguably support the use of encrypted DNS for privacy purposes. But I'd be misleading you if I said there was zero legal ambiguity. Use your own judgement, and understand that switching DNS providers can have this side effect whether you intend it or not.
What Encrypted DNS Doesn't Do
I want to be clear about the limits, because overpromising is how people lose trust in privacy tools.
Encrypted DNS hides your queries from your ISP, but it doesn't hide them from your DNS provider. You're moving trust from your ISP to whatever DNS provider you choose. That's why picking a provider with a solid privacy policy and audit history matters. You're not eliminating trust — you're placing it more carefully.
Encrypted DNS doesn't hide the IP addresses you connect to. Your ISP can still see that your device connected to, say, 142.250.77.46. They'd have to do reverse lookups to figure out that's a Google IP, but sophisticated ISPs can do that. There is a second leak to be aware of: when your browser then opens the HTTPS connection, the TLS handshake sends the site's hostname (the Server Name Indication, or SNI) in the clear unless the site and browser support Encrypted Client Hello, so an ISP that bothers to look can often still recover the domain from the connection itself. Encrypted DNS hides the human-readable domain name from the lookup, not the numerical address or the rest of the connection. For full traffic privacy from your ISP, you'd need a VPN or Tor.
Encrypted DNS won't bypass all website blocks in India. Government-ordered blocks in India are implemented through a mix of DNS-based blocking (which encrypted DNS does bypass) and IP-based blocking (which it doesn't). If a site is blocked by DNS, switching to Cloudflare or Quad9 will let you access it. If it's blocked by IP, encrypted DNS won't help — you'd need a VPN.
All of that said, encrypted DNS is the single highest-impact, lowest-effort privacy change most Indian internet users can make. It takes under five minutes. It costs nothing. It works on every device and every connection. If you haven't done it yet, do it now — literally right now, before you close this tab. Pick up your phone, go to Settings, find Private DNS, type in dns.quad9.net, save. That's it. Every DNS query from your phone is now invisible to your ISP, starting from this moment.
Written by
Vikram Singh, Cybersecurity Consultant
Vikram Singh is a certified ethical hacker and cybersecurity consultant who has helped secure systems for major Indian banks and government agencies. He writes about practical security measures for everyday Indian internet users.