Your computers, phones, and other devices normally use whichever Domain Name System (DNS) server your router hands out. Unfortunately, that is usually the resolver provided by your Internet Service Provider (ISP). ISP resolvers generally lack privacy features and may also be slower than some alternatives.
DNS is not private (without DoH)
DNS was designed almost 40 years ago and has changed little since. The classic protocol is completely unencrypted, so it offers the same protection against curious third parties as unsecured HTTP traffic, which is none. Even if you use HTTPS, anyone sitting in the middle of your traffic can see which websites you connect to (but not the content of your visit). On a public Wi-Fi network, for example, the network's operator can read your DNS queries and learn every site you visit.
The solution is DNS over HTTPS (DoH). This newer protocol carries the same DNS query inside an encrypted HTTPS connection to the resolver, so third parties on the path cannot read it. Major public resolvers such as Cloudflare, OpenDNS and Google Public DNS already support it, and Chrome and Firefox have added client support.
In addition to the privacy gain, DoH prevents tampering with DNS queries and answers in transit: a plaintext query can be answered by a forged reply from anyone who can see it, whereas a DoH answer arrives over the same authenticated TLS connection that carried the question. It is simply a more secure protocol, and everyone should be using it.
However, activating DoH in your browser only helps if the resolver you use supports it. Most home connections use the ISP's DNS servers by default, and most of those do not support DoH; unless you changed it manually, that is probably what your operating system and browser are using.
There are some exceptions. In the USA, Mozilla Firefox enables DNS over HTTPS automatically, using Cloudflare's resolvers. Comcast's DNS servers support DoH and work with Google Chrome and Microsoft Edge.
Generally, however, the only way to really get DoH is to use a different DNS service.
Your ISP can record your browsing history
If you care about online privacy, using your ISP's DNS server is a serious problem. Every query can be logged and tells your ISP which websites you visit, down to host names and subdomains. Browsing history of this kind is exactly the valuable data many companies profit from.
Many ISPs, including Comcast, claim not to store customer data. Comcast has nonetheless actively lobbied against DoH. Even though U.S. ISPs say they do not collect this data (and even though it would be legal to do so), collecting it would be trivial, since they control the DNS servers you use. The FTC was concerned enough to open an investigation into whether ISPs do. Other countries' laws and regulations vary, so it is up to you to decide whether you trust your ISP.
Note that Comcast has adopted DoH, but that does not protect you from Comcast itself. DoH secures the connection between you and the DNS provider; when Comcast is the DNS provider, it still sees every query.
DNS is of course not the only way ISPs can follow you. They can also see the IP addresses you connect to, whichever DNS server you use, and the TLS handshake to most websites still carries the server name in the clear (the SNI extension). They can therefore glean a lot about your browsing habits. Changing DNS servers will not stop ISP tracking, but it removes one easy source of it.
Using a virtual private network (VPN) for your daily browsing is the only real way to prevent your ISP from seeing what you’re connecting to online. You can check out our guide to VPNs to learn more about them.
Third-party DNS servers could also be faster
In addition to the privacy concerns, ISP resolvers may be slower than Google's or Cloudflare's. This is not always the case, since your ISP's resolver is usually closer to you than a third party's, but many people do see faster lookups with a public resolver. The difference is usually a few milliseconds, which may not matter much to you; measure it from your own connection before deciding.
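The following Python script is an added example (not code from the original article) that illustrates the two points above: what a plaintext DNS query exposes to anyone on the path, how DoH carries the identical bytes inside HTTPS (the RFC 8484 GET form), and a small UDP timing probe for comparing resolvers from your own connection. The function names, the fixed transaction ID and the www.example.com query are this example's own choices; 8.8.8.8 and 1.1.1.1 are Google's and Cloudflare's public resolvers. Only the standard library is used. The timing probe needs network access; everything else runs offline.

```python
import base64
import socket
import struct
import time

TXID = 0x1234  # fixed transaction ID for the example; real stub resolvers randomise it


def build_query(hostname: str, qtype: int = 1, txid: int = TXID) -> bytes:
    """Classic DNS query in RFC 1035 wire format, i.e. what goes out on UDP/53.

    Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    Question: length-prefixed labels ending in a zero byte, then QTYPE and QCLASS=IN.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in hostname.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        qname += bytes([len(label)]) + label.encode("ascii")
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def name_seen_on_the_wire(packet: bytes) -> str:
    """What an on-path observer (coffee-shop Wi-Fi, ISP) reads straight out of a
    plaintext query: the labels are literal ASCII right after the 12-byte header."""
    labels, pos = [], 12
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_get_url(packet: bytes, template: str = "https://cloudflare-dns.com/dns-query") -> str:
    """RFC 8484 GET form of the same query: the identical bytes, base64url-encoded
    without padding, as the 'dns' parameter of an HTTPS request. An observer now
    sees only a TLS connection to the resolver, not the URL or the name inside."""
    token = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{template}?dns={token}"


def doh_query_from_url(url: str) -> bytes:
    """Inverse of doh_get_url (what the resolver does): restore padding and decode."""
    token = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def time_plain_dns(resolver_ip: str, hostname: str, timeout: float = 2.0):
    """Send one plaintext query to resolver_ip:53 and return (rtt_ms, answer_count),
    or None on timeout or a reply that is not ours. Network required; run it against
    your ISP's resolver and a public one to see which answers faster for you."""
    query = build_query(hostname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(query, (resolver_ip, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
        rtt_ms = (time.perf_counter() - start) * 1000.0
    txid, _flags, _qd, answers = struct.unpack("!HHHH", reply[:8])
    # A plaintext reply is matched only by ID and port, so anyone who saw the query
    # can forge one; that is the in-transit tampering DoH's TLS connection prevents.
    if txid != TXID:
        return None
    return rtt_ms, answers


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("UDP/53 payload:", q.hex())
    print("name readable by anyone on the path:", name_seen_on_the_wire(q))
    print("same query as a DoH GET:", doh_get_url(q))
    for ip in ("8.8.8.8", "1.1.1.1"):  # add your ISP's resolver address to compare
        print(ip, time_plain_dns(ip, "www.example.com"))
```

Run it a few times and compare the round-trip figures, then repeat with the resolver your router currently hands out; a few milliseconds either way is typical, which is why the privacy argument, not speed, is the main reason to switch.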
Which public DNS server should you use?
If you want to switch to a public DNS server, you have a few options. The most common is Google Public DNS, at 8.8.8.8 and 8.8.4.4.
If you trust Google less than your ISP, you can use Cloudflare's resolver at 1.1.1.1 (with 1.0.0.1 as the alternative), which claims to be the fastest and emphasizes privacy.
Finally, there is OpenDNS, from Cisco, at 208.67.222.222 and 208.67.220.220.
How to change your DNS settings
The best way to change your DNS settings is at the router level. If you change your DNS server on your router, this change will apply to all devices on your home network.
To start, open your router's address in a browser. It is commonly 192.168.1.1, 192.168.0.1 or 10.0.0.1; your computer lists it as the default gateway in its network settings.
The exact location of the DNS setting varies depending on the router you have. However, it should be somewhere in the network settings.
For example, on a Verizon router it is under My Network > Network Connections > Broadband > Edit. Once there, replace your ISP's automatically assigned servers with the addresses you chose.
If you’re having trouble finding it, just do a Google search for your router model to find out where that setting is.
If you can't change the DNS settings on the router (in a college dorm, say, or anywhere else you don't control the Wi-Fi), you can change them on each device instead. Below is how to do it on a Windows or Mac computer; Android phones and iPhones have an equivalent setting in the details of each Wi-Fi network.
On a Windows machine, open “Control Panel” from the Start menu, then go to “Network and Sharing Center”. In the sidebar, click on “Change adapter settings”.
You should see a list of your network adapters, such as Ethernet and Wi-Fi. If you want to change the settings for both, repeat the following steps for each adapter.
Right-click the first device for which you want to change the DNS settings, then click “Properties”.
Select "Internet Protocol Version 4 (TCP/IPv4)" from the list and click "Properties".
In the dialog box that appears, select the radio button next to "Use the following DNS server addresses", type your preferred DNS server addresses, then click "OK". If your network also has IPv6, repeat this for "Internet Protocol Version 6 (TCP/IPv6)" with the provider's IPv6 addresses; otherwise IPv6 lookups will keep going to the ISP's resolver.
On a Mac, you will find this option in “System Preferences” under “Network”. Click on “Wi-Fi” or “Ethernet”, then click on “Advanced” at the bottom of the menu.
Under the “DNS” tab, you can modify the DNS settings of your device. Click the plus (+) or minus (-) signs at the bottom to add or remove servers.
How to enable DNS over HTTPS (DoH)
If you want to activate DoH on your browser, you can do so on Chrome, Firefox and Microsoft Edge.
On Chrome, go to chrome://flags/#dns-over-https, enable the flag, then relaunch Chrome for the change to take effect. In recent versions the option also appears in Settings > Privacy and security > Security as "Use secure DNS".
In Firefox the option is a little buried. Open the menu, go to Options > General, scroll down to Network Settings and click "Settings". Check the box next to "Enable DNS over HTTPS"; you can also pick a DNS provider manually here. Note that by default Firefox falls back to plaintext DNS if the DoH resolver fails; to forbid that fallback, set network.trr.mode to 3 in about:config.