Every time you visit a website, your computer first asks a DNS server "what's the IP for this name?" By default that question is sent in plaintext, and your ISP can log every site you visit even if those sites use HTTPS. Encrypted DNS encrypts the query itself, hiding which sites you visit from your network. DNS-over-HTTPS (DoH) is the most common form. Dazr uses dns0.eu (a non-profit French/German service) by default.
How DNS works (and leaks)
You type wikipedia.org into your browser. Your computer doesn't know the IP address for that site, so it asks a DNS server. By default the DNS server is your ISP's, and the question is sent unencrypted over UDP. Any device on the path (your ISP's logging system, the coffee-shop Wi-Fi, your office network) can see the question and the answer.
HTTPS encrypts the connection to Wikipedia itself. It does not encrypt the DNS lookup that happened first. Your ISP can't read what you did on Wikipedia, but it knows you went to Wikipedia.
DNS-over-HTTPS and DNS-over-TLS
Two protocols solve this. DNS-over-HTTPS (DoH) wraps DNS queries inside an HTTPS connection to a DNS provider. DNS-over-TLS (DoT) does the same with a dedicated TLS port. Either way, the network in between sees only "this device is talking to a DNS provider", not which sites are being looked up.
Both are widely supported. Cloudflare runs 1.1.1.1, Google runs 8.8.8.8, Quad9 runs 9.9.9.9. The catch: now the DNS provider sees everything your ISP used to see. So the choice of provider matters.
What about my VPN?
A VPN tunnels all your traffic, including DNS. If the VPN is doing its job, the VPN provider sees DNS queries instead of your ISP. It's the same trade: the provider that handles the lookups can log them. Mullvad, IVPN, and Proton VPN are EU-based and have audited no-log policies.
One catch worth knowing: DNS leaks. If your VPN isn't configured correctly, your operating system might still send DNS queries through your ISP even when the VPN tunnel is up, defeating the privacy benefit. Most modern VPN clients handle this automatically; it's worth testing.
What Dazr does
Dazr uses encrypted DNS by default, pointed at dns0.eu, a non-profit French/German DNS service that doesn't log queries and is governed under European privacy law. Your ISP sees "this device is talking to dns0.eu" and nothing about the actual sites you visit. dns0.eu also blocks malicious domains automatically, which is a small bonus.