Estimated time: 15 minutes
Every time you visit a website, your device sends a DNS query to translate a domain name such as example.com into an IP address. By default, these DNS queries are sent in plain text over your network, meaning your internet service provider, network administrator, and anyone monitoring the network can see every website you visit. Even if the website itself uses HTTPS encryption, the DNS query happens before the encrypted connection is established, creating a privacy gap. DNS-over-HTTPS (DoH) solves this by encrypting DNS queries within regular HTTPS traffic, making them indistinguishable from normal web browsing. This prevents your ISP from logging the websites you visit, prevents network-level censorship based on DNS filtering, and protects against DNS spoofing attacks where an attacker redirects you to malicious websites. DNS-over-HTTPS is supported by all major browsers and operating systems, making it accessible to everyone regardless of technical expertise.
Not all DNS providers are equally privacy-respecting. Avoid using your ISP's default DNS servers, as they typically log all your queries and may sell this data to advertisers or share it with government agencies. Recommended privacy-respecting DNS providers include Quad9 at dns.quad9.net, which blocks malicious domains and does not log user queries. Cloudflare at 1.1.1.1 or one.one.one.one promises to never sell user data and deletes logs within 24 hours. Mullvad DNS at dns.mullvad.net offers ad-blocking DNS with no logging. AdGuard DNS at dns.adguard-dns.com blocks ads and trackers at the DNS level. NextDNS at dns.nextdns.io offers customizable filtering with privacy-focused logging options. Each provider has different strengths. Quad9 focuses on security by blocking known malicious domains. AdGuard DNS adds ad and tracker blocking. NextDNS offers the most customization. Consider what is most important to you: pure privacy, ad blocking, malware protection, or customizable filtering.
Firefox has the most mature DNS-over-HTTPS implementation among browsers. Open Firefox, go to Settings, then Privacy & Security. Scroll down to the DNS over HTTPS section. Select Max Protection mode, which ensures all DNS queries use encrypted DoH and never fall back to unencrypted DNS. Choose your preferred DNS provider from the dropdown menu or enter a custom provider URL. If you chose Quad9, enter https://dns.quad9.net/dns-query. For AdGuard, enter https://dns.adguard-dns.com/dns-query. For NextDNS, enter https://dns.nextdns.io/your-config-id (replace with your actual NextDNS configuration ID). After configuration, Firefox will route all DNS queries through the encrypted HTTPS channel to your chosen provider. To verify it is working, visit the provider's test page or use a DNS leak test website. The test should show your chosen DNS provider rather than your ISP's DNS servers. If you experience issues with certain websites, you can add exceptions or temporarily switch to a less strict mode.
Windows 11 supports system-wide DNS-over-HTTPS. Open Settings, then Network & Internet, then your active network connection (Wi-Fi or Ethernet). Click on Hardware Properties or DNS Server Assignment. Click Edit next to DNS server assignment. Switch from Automatic to Manual. Enable IPv4 and enter the DNS provider's IP address. For Cloudflare, use 1.1.1.1 as primary and 1.0.0.1 as secondary. For Quad9, use 9.9.9.9 as primary and 149.112.112.112 as secondary. For AdGuard, use 94.140.14.14 as primary and 94.140.15.15 as secondary. Under each DNS address, set the DNS over HTTPS dropdown to On (automatic template) or On (manual template) and enter the DoH template URL. Click Save to apply the settings. This configuration encrypts DNS queries for all applications on your computer, not just the browser. On Windows 10, system-wide DoH is available in newer builds through similar network settings. If your Windows version does not support native DoH, use the browser-level configuration or install a DoH client application.
On macOS, system-wide DNS-over-HTTPS requires installing a DNS configuration profile. Download a profile from your chosen DNS provider's website. For Cloudflare, visit one.one.one.one and download the macOS profile. For AdGuard, visit adguard-dns.io and download the macOS profile. Open the downloaded profile, which will appear in System Preferences under Profiles. Click Install to activate the encrypted DNS configuration. On iPhone, install a DNS profile from your provider or use the Settings, General, VPN & Device Management section to install downloaded profiles. On Android, go to Settings, Network & Internet, Private DNS, and enter your provider's hostname, such as dns.adguard-dns.com. Android Private DNS uses DNS-over-TLS, which is slightly different from DNS-over-HTTPS but provides equivalent encryption protection. After configuration on any device, verify by visiting a DNS leak test website. Ensure the results show your chosen DNS provider rather than your ISP. Some routers also support DNS-over-HTTPS configuration, which protects all devices on your home network automatically.
After enabling DNS-over-HTTPS, thorough testing ensures everything is working correctly. Visit dnsleaktest.com and run the extended test. All results should show servers belonging to your chosen DNS provider, not your ISP. If you see your ISP's DNS servers in the results, your configuration may not be applied correctly or your system may be falling back to unencrypted DNS. Visit browserleaks.com/dns for an additional independent test. If you configured DNS-over-HTTPS in your browser but still see your ISP's DNS in system-level tests, the browser configuration is working but system applications may still use unencrypted DNS. For complete protection, configure DoH at the system level. Common issues include corporate networks that block DoH traffic, in which case you may need to discuss it with your IT department or use a VPN that tunnels all traffic including DNS. Some networks use captive portals for login that require standard DNS to function. If you cannot connect to a new Wi-Fi network, temporarily disable DoH to complete the login process, then re-enable it.
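A local complement to the web-based leak tests, as an added example that is not part of the original guide: the script below audits a packet capture of your own machine for queries that fell back to unencrypted DNS. It assumes tcpdump's default text output; the sample lines are constructed, and the resolver addresses are the ones listed earlier in this guide.

```python
import re

# Resolver addresses listed in this guide (Cloudflare, Quad9, AdGuard).
RESOLVERS = {"1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112",
             "94.140.14.14", "94.140.15.15"}

# Constructed sample in tcpdump's default text format; not a real capture.
SAMPLE_CAPTURE = """\
14:02:11.120001 IP 192.168.1.23.53211 > 192.168.1.1.53: 4242+ A? example.com. (29)
14:02:11.300000 IP 192.168.1.23.49822 > 9.9.9.9.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
14:02:12.010000 IP 192.168.1.23.40110 > 1.1.1.1.53: 977+ AAAA? example.org. (29)
14:02:12.500000 IP 192.168.1.23.49830 > 94.140.14.14.853: Flags [P.], seq 1:200, ack 1, win 502, length 199
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# Port-53 queries are readable: tcpdump prints the record type and the name.
PLAIN_QUERY = re.compile(IPV4 + r"\.\d+ > " + IPV4 + r"\.53: \d+\S* (\w+)\? (\S+)")
FLOW = re.compile(IPV4 + r"\.\d+ > " + IPV4 + r"\.(\d+):")

def audit_capture(text):
    """Return (plaintext queries, count of encrypted flows to known resolvers)."""
    plaintext, encrypted = [], 0
    for line in text.splitlines():
        m = PLAIN_QUERY.search(line)
        if m:
            _src, resolver, qtype, name = m.groups()
            plaintext.append((resolver, qtype, name.rstrip(".")))
            continue
        m = FLOW.search(line)
        # 443 = DNS-over-HTTPS, 853 = DNS-over-TLS (Android Private DNS)
        if m and m.group(2) in RESOLVERS and m.group(3) in ("443", "853"):
            encrypted += 1
    return plaintext, encrypted
```

In the sample, the query sent to 1.1.1.1 on port 53 is still readable: entering a privacy provider's IP address without turning on the DoH option changes who answers the query, not who can see it.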
By completing this guide, you have successfully worked through 6 steps covering "How to Configure DNS-over-HTTPS for Private Browsing". Here is a summary of what you achieved: