Anonymity Private DNS: Setup Guide.

Fixxx (Moderator, joined Aug 21, 2024)

Incognito mode only creates a local illusion of privacy. The real “privacy hole” is one level up: your Internet provider sees every DNS request, so it knows which sites you visit even if the connection to them is protected by HTTPS. In this article we’ll explain how to switch to encrypted DNS servers in a few minutes. That hides your DNS lookups from your ISP and, depending on the resolver you choose, can speed up name resolution, block a large share of ads and trackers, and stop you from reaching known phishing domains.


Why this matters - a bit of Theory

Here’s the basic mechanics. When you type site.com in your browser, your computer sends a query to a DNS server (usually your provider’s) asking: “What is the IP of site.com?” The server replies, and only then does the browser establish the connection. The problem is that by default this query goes out as plaintext UDP on port 53 and can be read by anyone on the path - first and foremost your ISP. It sees which domains you request and can easily log every site its customers visit. Modern encrypted DNS protocols address exactly this problem:
  • DNS over TLS (DoT): wraps DNS queries in a TLS connection on a dedicated port (853). Because of the fixed port, DoT traffic is easy to recognize and just as easy to block.
  • DNS over HTTPS (DoH): carries DNS queries inside ordinary HTTPS traffic (port 443). Externally it's indistinguishable from regular web browsing, which makes blocking it nearly impossible without breaking large parts of the internet.
Two caveats before the setup. First, you are not removing the observer, you are choosing a different one: the resolver operator now sees every query instead of your ISP, so pick a service whose logging policy you actually accept. Second, encrypted DNS hides the lookup, not the connection: your ISP still sees the IP addresses you connect to and, for most sites, the hostname in the TLS ClientHello (SNI) unless the browser and the site use Encrypted Client Hello. It is a real improvement, not anonymity.
Of course, for maximum control you can run your own DNS resolver on a Raspberry Pi using Pi-hole or AdGuard Home - an excellent project for enthusiasts (the resolver's own upstream queries then need the same encryption). But using a public encrypted resolver is the quickest and simplest way to get about 95% of the benefits with 5% of the effort.
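To make the theory concrete, here is an added example (my own, not code from the original post or from any DNS provider) that builds the exact bytes a resolver sees: the RFC 1035 wire query that goes out in plaintext on UDP/53, the same query encoded for a DoH GET (RFC 8484) and framed for DoT (RFC 7858), and a parser for the answer. The AdGuard DoT/DoH endpoints are assumptions drawn from the providers named in this guide, and the sample response is constructed by hand. Run it as a script to additionally send one certificate-validated DoT query (that part needs network access):

```python
"""DNS messages as DoT (RFC 7858) and DoH (RFC 8484) carry them.
Added example for this guide, not code from the original post or any provider
named in it; stdlib only. The AdGuard endpoints are assumed from the text."""
import base64
import socket
import ssl
import struct

DOT_ADDR, DOT_HOST = "94.140.14.14", "dns.adguard-dns.com"   # DoT: TCP 853
DOH_URL = "https://dns.adguard-dns.com/dns-query"            # DoH: TCP 443

# Constructed response to an A query for example.com: txid 0x1234, one answer
# whose name is a compression pointer to offset 12, TTL 300, rdata 93.184.216.34.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22"
)

def build_query(name: str, txid: int = 0, qtype: int = 1) -> bytes:
    """RFC 1035 wire format for a recursive query (RD=1). Over UDP/53 every hop
    can read these bytes; DoT and DoH carry the very same bytes inside TLS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)   # class IN

def doh_get_url(query: bytes, base: str = DOH_URL) -> str:
    """RFC 8484 GET form: base64url without padding in the `dns` parameter.
    txid=0 makes the URL identical for every client, so HTTP caches can serve it."""
    return base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def dot_frame(query: bytes) -> bytes:
    """RFC 7858 reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack(">H", len(query)) + query

def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            end = end if jumped else off + 2
            off, jumped = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off

def parse_answers(msg: bytes) -> dict:
    """Return txid, rcode, question name and the A/AAAA records of a response."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, qname, records = 12, "", []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        off += 4                                         # QTYPE + QCLASS
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1:
            records.append(("A", socket.inet_ntop(socket.AF_INET, rdata), ttl))
        elif rtype == 28:
            records.append(("AAAA", socket.inet_ntop(socket.AF_INET6, rdata), ttl))
    return {"txid": txid, "rcode": flags & 0xF, "qname": qname, "records": records}

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def dot_query(name: str, addr: str = DOT_ADDR, host: str = DOT_HOST) -> dict:
    """One live query over DoT with the certificate validated against `host`,
    which is what systemd-resolved does for DNS=<ip>#<host> in strict mode."""
    ctx = ssl.create_default_context()                   # verifies chain + name
    with socket.create_connection((addr, 853), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(dot_frame(build_query(name, txid=0x1234)))
        length = struct.unpack(">H", _recv_exact(tls, 2))[0]
        return parse_answers(_recv_exact(tls, length))

if __name__ == "__main__":
    q = build_query("example.com")
    print("plaintext wire query:", q.hex())
    print("DoH GET URL:", doh_get_url(q))
    print("DoT length prefix:", dot_frame(q)[:2].hex())
    print("parsed sample reply:", parse_answers(SAMPLE_RESPONSE))
    try:                                                 # needs network access
        print("live DoT answer:", dot_query("example.com"))
    except OSError as exc:
        print("live DoT check skipped:", exc)
```

The base64url token this produces for example.com has the same shape as the example in RFC 8484, and the hex of the wire query is exactly what a packet capture on port 53 shows. Note that dot_query uses ssl.create_default_context(), which verifies the chain and the hostname; an opportunistic DoT client skips that verification, which is why the guide's strict-mode advice below matters.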


Step 1: Choose a Service

There are many public DNS servers, each with its own philosophy. Here are some popular, well‑tested options.

Service: AdGuard DNS
  Main focus: Ad and tracker blocking
  Pros: Effectively cuts ads across devices, speeding up page loads. Offers variants (no-blocking, family).
  Cons: Aggressive blocking can sometimes break certain sites.

Service: Quad9
  Main focus: Security
  Pros: Blocks access to known malicious domains (phishing, malware, botnets) using threat feeds from 19+ cybersecurity organizations.
  Cons: Almost no ad blocking - focused on security.

Service: Cloudflare DNS (1.1.1.1)
  Main focus: Speed and privacy
  Pros: One of the fastest DNS services in the world. Publishes a privacy policy under which identifying query data is not retained, and has had that policy independently audited.
  Cons: Doesn't filter content by default (1.1.1.2 and 1.1.1.3 are its malware- and family-filtering variants). May be unstable in some regions.

Service: NextDNS
  Main focus: Flexible customization
  Pros: Lets you create a profile, fine-tune blocklists, maintain allow/deny lists and view analytics.
  Cons: Requires initial setup. Free plan has a monthly query limit.

In the instructions below I’ll use AdGuard DNS and Quad9 addresses as examples, but you can use any service from the list.


Step 2: Step-by-step Guide

Time for practice. This really takes only a few minutes.

Android

Android makes this easy via native Private DNS (DoT) support, available since Android 9.
  1. Open Settings → Network & internet → Advanced → Private DNS. Paths vary by skin, so searching “DNS” in Settings can be easiest.
  2. Select “Private DNS provider hostname”. Don't leave it on “Automatic”: that mode only attempts DoT against whatever resolver the network assigned, which is usually the ISP's.
  3. Enter the provider hostname, e.g. dns.adguard-dns.com or dns.quad9.net.
  4. Tap Save. Android then refuses to fall back to plaintext DNS; if the hostname is wrong or port 853 is blocked you'll see “Couldn't connect” and nothing resolves, which is the safe failure mode rather than a silent leak.

iOS / iPadOS

Apple supports encrypted DNS via configuration profiles.
  1. Open Safari and visit a profile generator such as AdGuard’s: https://adguard-dns.io/ru/public-dns.html.
  2. Choose “Method 2”. Select the server you want (for example AdGuard DNS) and tap “Download profile”.
  3. Allow the profile download when prompted.
  4. Open Settings - a “Profile Downloaded” item will appear at the top. Tap it.
  5. Tap Install (top right) and follow the prompts. After installation, DNS traffic will be protected.

Windows 11

Windows 11 has built-in DNS over HTTPS support, but only for resolvers it knows a DoH template for. Cloudflare, Google and Quad9 are built in; for others, such as AdGuard DNS, you supply the template (https://dns.adguard-dns.com/dns-query) yourself.

GUI method:
  1. Open Settings → Network & internet.
  2. Select your active connection (Wi‑Fi or Ethernet).
  3. Click Hardware properties.
  4. Under “DNS server assignment” click Change.
  5. Choose Manual and enable IPv4.
  6. Enter preferred and alternate DNS IPs, e.g. 94.140.14.14 and 94.140.15.15.
  7. For “Preferred DNS encryption” and “Alternate DNS encryption” select “Encrypted only (DNS over HTTPS)”. If Settings shows a “DNS over HTTPS template” field for an address it doesn't recognize, enter the provider's template there.
  8. If your network has IPv6, enable it as well and enter the provider's IPv6 resolvers (AdGuard: 2a10:50c0::ad1:ff and 2a10:50c0::ad2:ff; Quad9: 2620:fe::fe and 2620:fe::9) with the same encryption setting. Otherwise IPv6 lookups keep going to the ISP's resolver in plaintext.
  9. Click Save.
PowerShell method:

Run PowerShell as Administrator. Set-DnsClientServerAddress only changes which resolvers are used; the second command registers the DoH template for those addresses and tells Windows to use it automatically, with no fallback to plaintext UDP. Replace the interface name as needed:
Code:
Set-DnsClientServerAddress -InterfaceAlias "Wi-Fi" -ServerAddresses ("94.140.14.14","94.140.15.15")
"94.140.14.14","94.140.15.15" | ForEach-Object { Add-DnsClientDohServerAddress -ServerAddress $_ -DohTemplate "https://dns.adguard-dns.com/dns-query" -AllowFallbackToUdp $False -AutoUpgrade $True }

Check the result with Get-DnsClientDohServerAddress. For Quad9 or Cloudflare the templates are already registered, so only the first command is needed.

macOS

GUI method:
  1. Open System Settings → Network.
  2. Select your active connection and click Details….
  3. Go to the DNS tab.
  4. Click + and add the DNS server IPs (e.g. 9.9.9.9 and 149.112.112.112).
  5. Click OK.
Terminal method:

Example for Wi‑Fi and Quad9 (the command needs administrator rights):
Code:
sudo networksetup -setdnsservers Wi-Fi 9.9.9.9 149.112.112.112

Note: both methods only change which resolver is asked; the queries still leave the Mac in plaintext on port 53, because macOS has no DoH/DoT switch in Settings. For encryption, install an encrypted-DNS configuration profile as on iOS (macOS 11 or later), or use a DNS app that provides one. To undo the terminal change, run sudo networksetup -setdnsservers Wi-Fi empty.

Linux

On distributions that use systemd-resolved (Ubuntu and Fedora, for example; resolvectl status tells you), open the config file:
Code:
sudo nano /etc/systemd/resolved.conf

Uncomment or add these lines in the [Resolve] section (or put the same lines in a drop-in file such as /etc/systemd/resolved.conf.d/dns.conf, which package upgrades won't overwrite):
Code:
[Resolve]
DNS=94.140.14.14#dns.adguard-dns.com 94.140.15.15#dns.adguard-dns.com
DNSOverTLS=opportunistic
Domains=~.

Replace DNS=… with the addresses of your chosen servers separated by spaces. The #hostname suffix (systemd 243 or newer) is the name resolved sends as SNI and, in strict mode, validates the server certificate against. Domains=~. makes these global servers preferred for every query; without it, queries are also sent to the per-link resolver your DHCP server handed out, which is typically the ISP's. DNSOverTLS=opportunistic makes the system attempt DoT and fall back to plaintext if the TLS connection fails. That avoids breaking connectivity if port 853 is blocked, but it also means anyone who can block the port can downgrade you, and no certificate is checked. Once you've confirmed it works, change it to DNSOverTLS=yes so a failed DoT connection produces no answer instead of a plaintext query. Save (Ctrl+O, Enter) and exit (Ctrl+X). Restart the service:
Code:
sudo systemctl restart systemd-resolved

Verify: the Global section should list your servers and +DNSOverTLS, and “resolv.conf mode” should be stub. If /etc/resolv.conf is not the symlink to /run/systemd/resolve/stub-resolv.conf, applications bypass systemd-resolved entirely and none of the above applies.
Code:
resolvectl status
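To check that the Linux setup actually took effect, here is an added example (mine, not from the original post or from systemd) that parses a resolvectl status dump and flags the configurations that still leak: a link-level resolver from DHCP with DoT off, servers without a #hostname, and a non-stub resolv.conf. The status text is constructed to mimic systemd 250-style output; older versions print the DoT state as a separate “DNS over TLS setting” line, so adapt the parser for those. The file name check_dot.py in the usage line is a placeholder.

```python
"""Audit a `resolvectl status` dump for configurations that still leak.
Added example for this guide, not from the original post or from systemd.
SAMPLE_STATUS is constructed to mimic systemd 250+ output."""
import re
import sys

# Constructed sample: global DoT is on with AdGuard, but the Wi-Fi link still
# carries the DHCP-assigned router resolver with DoT off, so queries routed
# through the link (all of them, when Domains=~. is missing) go out in plaintext.
SAMPLE_STATUS = """\
Global
         Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 94.140.14.14#dns.adguard-dns.com
       DNS Servers: 94.140.14.14#dns.adguard-dns.com 94.140.15.15#dns.adguard-dns.com

Link 2 (wlp3s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1
"""

HEADER = re.compile(r"^(?:Global|Link \d+ \((\S+)\))$")

def parse_status(text: str) -> dict:
    """Map each section ('Global' or the link name) to its DoT flag,
    DefaultRoute flag, resolv.conf mode and configured servers."""
    sections, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = sections.setdefault(m.group(1) or "Global",
                                      {"dot": None, "default_route": False,
                                       "mode": None, "servers": []})
            continue
        if cur is None or ":" not in line:
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Protocols":
            flags = value.split()
            cur["dot"] = "+DNSOverTLS" in flags
            cur["default_route"] = "+DefaultRoute" in flags
        elif key == "DNS Servers":
            cur["servers"] = value.split()
        elif key == "resolv.conf mode":
            cur["mode"] = value
    return sections

def find_leaks(sections: dict, expected_host: str) -> list:
    """Return the findings to fix before trusting the setup (empty = clean)."""
    findings = []
    glob = sections.get("Global", {})
    if glob.get("dot") is not True:
        findings.append("Global: DNSOverTLS is off; everything is plaintext")
    if glob.get("mode") not in (None, "stub"):
        findings.append(f"Global: resolv.conf mode is {glob['mode']}; apps may bypass resolved")
    for name, sec in sections.items():
        for srv in sec["servers"]:
            host = srv.partition("#")[2]
            if not host:
                findings.append(f"{name}: {srv} has no #hostname, so no certificate validation")
            elif host != expected_host:
                findings.append(f"{name}: {srv} validates against an unexpected hostname")
        if name != "Global" and sec["servers"] and sec["dot"] is False:
            findings.append(f"{name}: link has its own resolvers with DoT off; "
                            "queries routed to it leak (set Domains=~. globally)")
    return findings

if __name__ == "__main__":
    # Usage: resolvectl status | python3 check_dot.py dns.adguard-dns.com
    text = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    host = sys.argv[1] if len(sys.argv) > 1 else "dns.adguard-dns.com"
    problems = find_leaks(parse_status(text), host)
    for line in problems or ["OK: no leaks found for " + host]:
        print(line)
```

Run without input it audits the constructed sample and reports the two problems it contains; piped the real output it audits your machine. The hostname argument is the name you put after # in DNS=, so a mismatch also catches a typo that would make strict mode fail.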


Conclusion

You’ve just taken a big step toward better digital hygiene. Your ISP now sees significantly less about your network activity and, depending on the service you chose, you’ll gain strong protection against ads or malicious sites. This simple change requires little technical knowledge and delivers an immediate, tangible benefit.
 