Private DNS: A complete guide

Every time you visit a website, a DNS server translates its name into an IP address, but this process isn’t always secure. Without protection, others can see which websites you visit. Enabling private DNS mode on your device shields this information from snoopers. Find out how private DNS works and how to set it up.

February 6, 2025

26 min read


What is private DNS?

A private DNS is one that you set up and manage, instead of using the default DNS from your internet service provider (ISP). If you haven’t changed your DNS settings, you’re probably using your ISP’s DNS at home and your network provider’s DNS when you’re on public Wi-Fi or work Wi-Fi. Private DNS encrypts your DNS queries, so your ISP and online snoopers can’t see which websites you visit. However, ISPs and other network observers might still infer which websites you visit based on the IP addresses your device connects to unless you use additional privacy tools, such as a VPN.

To get a clearer picture of what private DNS is, let’s look into the underlying topic — what is DNS and how does it work? Let’s recap. A DNS (domain name system) is an important internet protocol that translates human-friendly internet addresses into IP addresses that computers use to connect to each other.

When you type a web address into the address bar of your web browser, your computer sends a DNS query to a DNS server to find the corresponding IP address for the site you want to visit. DNS servers translate human-friendly domain names into computer-readable IP addresses. For example, the NordVPN website uses the nordvpn.com domain name that corresponds to a numerical IP address 104.19.159.190.

Typically, the process of sending DNS queries to DNS servers isn’t encrypted, meaning they’re visible to your ISP and potential eavesdroppers. But when you connect to a private DNS server, it encrypts these queries and creates a secure path that hides this information from anyone monitoring your internet connection.

How does private DNS work?

We’ve already established what private DNS does — it sends DNS queries through an encrypted tunnel. Now, let’s examine the role of a private DNS in more detail. Let’s say you’re looking up NordVPN. So, what happens next, and when does a private DNS server come in?

  1. You type a domain name (such as nordvpn.com) into your web browser.
  2. Your computer sends a DNS request to a DNS server to find the corresponding IP address for that domain.
  3. The DNS request is sent over the internet to the DNS server, which could be provided by your ISP or a third party like Google Public DNS or Cloudflare DNS.
  4. The DNS server finds the IP address associated with the domain name and sends it back to your computer.
  5. The DNS response is sent over the internet to the DNS server, which could be provided by your ISP or a third party like Google Public DNS or Cloudflare DNS.
  6. Your computer provides the IP address to the web browser, letting it know where to connect.
  7. Your ISP routes the browser’s connection request to the server at that IP address.
  8. The web server responds, sending the website data back through the ISP to your browser.
  9. Your browser displays the website on your screen.

When using a private DNS server, your ISP still routes your requests and responses. However, the DNS queries are encrypted, so the ISP cannot see the specific domain names you’re looking up.

While the ISP can tell that your device is connecting to a DNS server and accessing various IP addresses, it won’t know which websites or domains you’re specifically requesting. This encryption protects your browsing habits from being easily tracked at the DNS level.

Use cases of private DNS

It’s useful to configure private DNS on your mobile devices, especially if you hop between networks throughout the day, and on your smart home devices for an extra layer of protection and privacy.

  • Private DNS on mobile devices. With private DNS enabled, your mobile device keeps DNS queries encrypted, so whether you’re browsing on cellular data or public Wi-Fi, your browsing activity remains private. For example, a private DNS for Android is easy to set up and use to improve your browsing security.
  • Private DNS on smart home devices. Many internet of things devices rely on DNS to communicate with their servers. By using private DNS, you help shield your smart devices like cameras, speakers, and thermostats from DNS-based attacks and similar cyber threats.
  • Private DNS for reducing ads and online tracking. Companies often use DNS requests to build profiles based on your browsing behavior, but private DNS encryption prevents data collectors from accessing these insights. This results in fewer targeted ads and less data profiling.

In addition to enabling private DNS, you might also want to change DNS servers occasionally — you can do so in your device’s network settings. Different DNS servers can improve speed, privacy, and website performance. However, private DNS offers even stronger protection. Read on to find out why it matters.

Benefits of using private DNS

By using private DNS, you will be better equipped to avoid phishing attacks and keep your online activity more private.

Privacy

More privacy is one of the main benefits you can enjoy when you enable private DNS on your device. With your DNS requests encrypted, your ISP or potential snoopers on the network will not see which websites you’re accessing.

Protection against DNS spoofing

Another benefit is protection from DNS spoofing, which is, essentially, the manipulation of DNS records to redirect users to malicious websites. Encrypting your DNS requests makes it much harder for cybercriminals to intercept or manipulate them. This helps ensure you’re connecting to legitimate websites, adding a layer of safety against phishing attacks.

Limited tracking

Many ISPs log DNS queries to build user profiles and track browsing behavior. Private DNS interferes with this process by hiding your queries, limiting the data that your ISP can collect about you. This means fewer ads and recommendations based on your browsing.

Types of private DNS architectures

Private DNS architectures are the different ways private DNS is set up and managed. The most common types include on-premises DNS, cloud-based DNS, hybrid private DNS, and split-horizon DNS.

On-premises private DNS

On-premises DNS refers to DNS servers that a company hosts and manages within its own infrastructure instead of relying on external or cloud-based DNS services. Implementing on-premises DNS allows the company to keep its queries internal, reduce third-party exposure, and have full control over domain resolution and access.

Cloud-based private DNS

Cloud-based private DNS is a DNS service hosted by an external provider that encrypts and manages DNS queries on secure cloud-based servers. A cloud-based private DNS provider makes your life easier by handling DNS security, privacy, and speed for you. These providers typically have a fast, globally distributed server network which may reduce website load times and provide a more stable connection. Once set up, you don’t have to worry about manually configuring or maintaining DNS settings.

Hybrid private DNS

Hybrid private DNS combines on-premises DNS servers and cloud-based DNS services, so organizations can manage internal traffic locally and use cloud-based security and filtering for external queries.

This setup gives users the best of both worlds — full control over internal DNS management with the added security of cloud-based DNS. It keeps internal traffic fast and efficient while encrypting and protecting external queries from threats.

Split-horizon private DNS

Split-horizon private DNS uses different DNS responses depending on whether a request comes from inside or outside a network. Organizations use it to keep internal services accessible only to internal users, and they direct external users to public-facing versions of the same services.

This setup improves security by keeping sensitive internal resources hidden from outsiders. It also helps with network efficiency because internal users get faster access to local services without routing through external DNS servers.
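The split-horizon behavior described above can be modeled in a few lines. This is an added example, not code from the original article: the networks, hostnames, and addresses are constructed sample data, and the function names are hypothetical. It also includes an audit check a defender would run, flagging external-view records that point into internal address space.

```python
import ipaddress

# Constructed sample data (assumption): internal ranges and two DNS views.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ZONES = {
    "internal": {"app.example.com": "10.20.0.15",
                 "wiki.example.com": "10.20.0.30"},
    "external": {"app.example.com": "203.0.113.10",
                 # Deliberate misconfiguration for the audit below:
                 "vpn.example.com": "10.20.0.99"},
}

def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def select_view(client_ip: str) -> str:
    """Pick the DNS view from the source address of the query."""
    return "internal" if is_internal(client_ip) else "external"

def resolve(qname: str, client_ip: str):
    """Return the A record from the client's view, or None (NXDOMAIN)."""
    name = qname.rstrip(".").lower()
    return ZONES[select_view(client_ip)].get(name)

def internal_only_names() -> list:
    """Names that outsiders cannot resolve at all."""
    return sorted(set(ZONES["internal"]) - set(ZONES["external"]))

def external_leaks() -> list:
    """External-view records that expose internal addressing."""
    return sorted(name for name, ip in ZONES["external"].items()
                  if is_internal(ip))

if __name__ == "__main__":
    print(resolve("app.example.com", "10.1.2.3"))       # internal answer
    print(resolve("app.example.com", "198.51.100.7"))   # public answer
    print(resolve("wiki.example.com", "198.51.100.7"))  # None: hidden
    print("internal-only:", internal_only_names())
    print("leaks in external view:", external_leaks())
```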

Private DNS protocols

Private DNS protocols ensure that DNS requests remain secure and private by encrypting them as they travel across the internet. These protocols prevent third parties, like ISPs or snoopers, from intercepting or tracking DNS queries.

DNS over TLS

DNS over TLS (DoT) encrypts DNS requests using the TLS protocol, which is also used to secure HTTPS websites. By wrapping DNS queries in TLS, DoT keeps your browsing private from anyone monitoring your network. It’s particularly useful on open or public Wi-Fi networks, where unsecured DNS requests are easy to intercept.

DNS over HTTPS

DNS over HTTPS (DoH) functions similarly to DoT but wraps DNS queries in HTTPS. By using the same protocol that secures web traffic, DoH allows DNS queries to blend in with other HTTPS data, which makes it even harder for third parties to detect and intercept.

DNSCrypt

DNSCrypt encrypts DNS queries with its own protocol so that third parties can’t intercept them or tamper with them. DNSCrypt focuses on authenticating DNS responses — it verifies that the responses come from a trusted DNS server and haven’t been altered by attackers. This protocol is ideal if you’re looking for both privacy and strong assurance against DNS spoofing or tampering.

DNS over QUIC

DNS over QUIC (DoQ) encrypts DNS requests using the QUIC transport protocol, which is also designed for secure and low-latency internet connections. By sending DNS queries over QUIC, DoQ minimizes connection setup times and reduces latency, making it ideal for mobile and high-speed networks. The protocol also offers resilience against packet loss and congestion, which ensures a smoother, faster browsing experience even under challenging network conditions.

Using DoH, DoT, DNSCrypt, and DoQ reduces the risk of DNS leaks, but you’ll need additional safeguards to fully prevent these leaks, for example, a reliable VPN service.

Should private DNS be off or automatic?

No one-size-fits-all answer exists to whether private DNS should be off or set to automatic because it ultimately depends on your needs and the network environment. It’s generally recommended to enable private DNS (set to “automatic”) on most of your personal devices, especially when you connect to both home and public Wi-Fi networks during the day. This setup helps prevent tracking and snooping.

However, in specific situations — such as when a network has strict requirements or experiences performance issues — you may need to turn it off temporarily.

Private DNS settings are easy to find and activate on your device:

  1. Open your device’s “Settings” and choose “Connections” or “Network and internet,” or a similar option.
  2. Tap “More connection settings” if the DNS option is not immediately available.
  3. Select “Private DNS.”
  4. You can either turn it off, set it to “Automatic,” or select the “Private DNS provider hostname” and type in the provider’s hostname. Once you’ve chosen an option, tap “Save.”

That’s it! Now you know how to enable private DNS to have more privacy online.

Is private DNS the same as a VPN?

No, private DNS and VPNs are not the same. A VPN provides more privacy than private DNS.

Private DNS encrypts only your DNS queries, which prevents ISPs and attackers from seeing which websites you request and protects from some cyberattacks, such as DNS hijacking or spoofing. However, it does not shield your IP address from snoopers or encrypt the rest of your internet traffic. If you want to improve your privacy as much as you can, it’s best to use both private DNS and a VPN.

A VPN encrypts your entire internet connection, protecting both your browsing activity and your real IP address from prying eyes. However, some VPN providers also offer the private DNS feature with their VPN service. If you use NordVPN to protect your virtual location and data in transit, you can rest assured that our private DNS servers will safely handle all your DNS queries automatically. All your ISP will know is that you’re using NordVPN’s servers.

Free DNS vs. VPNs with private DNS

Free DNS is a publicly available DNS service that you can use instead of your ISP’s default DNS. It helps resolve website addresses but usually lacks encryption, so your browsing activity may be visible to third parties. A VPN with private DNS encrypts both your DNS queries and internet traffic, keeping your browsing private and secure.

Features compared between NordVPN and free DNS:

  • Shields online activities
  • Stops DNS hijacking
  • Encrypts queries
  • Fast DNS resolution
  • No unwanted DNS filtering
  • Integrated smart DNS




Irma Šlekytė

An online privacy enthusiast, Irma approaches her writing about cybersecurity with an "I can help!" attitude. With particular interest in cyber hygiene, she strives to share practical insights with NordVPN readers.