DNS used to be the most boring protocol on the internet. You typed a domain, your computer shouted "what's the IP?" at a nearby DNS server, the server shouted back, and the whole exchange happened in plain text that anybody on the path could read. For forty years nobody cared. Then Edward Snowden happened, then Cambridge Analytica happened, then the ad-tech industry figured out that your DNS queries were a goldmine, and suddenly the boring protocol became a battleground.
In 2026, there are four competing flavours of DNS in regular use — classic DNS, DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and the brand-new Encrypted Client Hello (ECH) that hides the last thing classic DNS encryption couldn't. This guide unpacks what each one does, why you should probably be using at least one of them, and where the remaining gaps are.
TL;DR
- Classic DNS is plaintext — your ISP, Wi-Fi host, and anyone in the middle can read and modify it.
- DoH and DoT encrypt the DNS query so only your chosen resolver can see it. Same goal, different transport.
- ECH closes the last plaintext leak (SNI) in TLS. Enable it in Firefox/Chrome and you hide which site you're visiting from the network.
Two minutes on how DNS actually works
When you type `ip-checker.pro` into your browser, your computer needs the server's IP to connect. It asks a DNS resolver — usually the one your ISP auto-configured on your router. The resolver, if it doesn't already have the answer cached, asks the root servers, then the `.pro` servers, then our authoritative servers, and eventually returns an IP. All of it, traditionally, over UDP port 53 in the clear.
"In the clear" means three things could always happen:
- Your ISP or employer could log which domains you visit (DNS is hands-down the easiest way to keep a browsing history).
- A coffee-shop or hotel network could silently substitute the answer — "nope, gmail.com is this other IP" — and run a MITM.
- Governments could force resolvers to return null or different IPs for censored domains. This is how most country-level blocking works in 2026.
Encrypted DNS fixes the first two completely and the third partially.
DoH — DNS over HTTPS
DoH wraps DNS queries inside an HTTPS request to a specially-designated resolver (like `https://cloudflare-dns.com/dns-query`). To any network watcher, it looks exactly like you loading a web page — just another HTTPS connection on port 443, indistinguishable from the flood of other HTTPS traffic flowing through at any moment.
Why browsers love it
Firefox, Chrome, Edge and Brave all ship with DoH support and many enable it by default for US users and on-demand elsewhere. Switching is one toggle. You end up with your browser's queries going to Cloudflare, Google, NextDNS or a provider of your choice, over HTTPS, untouchable by your ISP.
Why network admins hate it
Exactly the same reason. Corporate networks used to log and filter DNS centrally for everything from malware blocklists to parental controls to compliance. DoH blows a clean hole through all of it, because the DoH traffic looks like any other HTTPS connection. Enterprises now ship DoH-aware proxies that break and re-inspect the traffic, which… defeats the purpose. The cat-and-mouse continues.
DoT — DNS over TLS
DoT does the same encryption but on its own dedicated port 853. That means DoT is easy to identify and block at the network layer — the opposite of DoH. In practice, this makes DoT popular for operating-system-level configuration (Android's "Private DNS" is DoT, most Linux distros prefer DoT) where you want the whole device to use encrypted DNS cleanly, and where the network being able to tell "this is encrypted DNS" is fine or even desired.
Choosing between DoH and DoT is mostly a question of who you're trying to block and who you're trying not to annoy. For individuals behind hostile networks, DoH wins. For home networks and mobile devices where you want consistency across every app, DoT wins.
ECH — Encrypted Client Hello
Here's the twist people forget: encrypting DNS doesn't fully encrypt what you're doing. Even with DoH, when your browser then connects to the resolved IP over HTTPS, the TLS handshake contains a plaintext field called SNI — Server Name Indication — that tells the network "I'm about to talk to example.com". The actual content of your HTTPS session is encrypted; the destination name isn't.
ECH (Encrypted Client Hello) fixes that. With ECH, your browser wraps the sensitive parts of the TLS handshake — including SNI — in a second layer of encryption, using a public key delivered to it through DNS (the site's HTTPS record). The middleman now sees an encrypted TLS connection to a generic CDN front-end, with no visible hostname.
Where ECH stands in 2026
- Cloudflare: enabled for all customers, default.
- Google: rolling out across major services.
- Meta (Facebook/Instagram/WhatsApp web): enabled.
- Firefox, Chrome: ECH on by default when the target domain supports it.
- Safari: shipping support in iOS 19 / macOS Tahoe.
Catch: ECH needs both endpoints to support it. If you visit a small site still running on plain Apache on a VPS, ECH does nothing for that visit. The SNI is still in the clear. ECH is a layered solution — it helps you on the sites that have adopted it, which, in 2026, is roughly 50-60% of real browsing traffic.
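The "does this site support ECH" question from the paragraph above, and the HTTPS-record check the DNS Lookup tool in the FAQ performs, both come down to parsing the record's SvcParams and looking for key 5 (`ech`). This is an added example, not code from ip-checker.pro; the record bytes are constructed and the ECH config value is a placeholder.

```python
import struct

# SvcParamKeys from RFC 9460; key 5 ("ech") carries the ECHConfigList the browser
# uses to encrypt its ClientHello. An HTTPS record without key 5 gives you no ECH.
SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}

def _read_name(rdata: bytes, off: int) -> tuple[str, int]:
    """Decode an uncompressed wire-format name (names inside RDATA are never compressed)."""
    labels = []
    while rdata[off] != 0:
        length = rdata[off]
        labels.append(rdata[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) or ".", off + 1

def parse_https_rdata(rdata: bytes) -> dict:
    """HTTPS/SVCB RDATA: SvcPriority, TargetName, then (key, length, value) params."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = _read_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        if key <= last_key:  # RFC 9460 requires strictly increasing keys
            raise ValueError("SvcParamKeys out of order or duplicated")
        value = rdata[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        params[SVCPARAM_KEYS.get(key, f"key{key}")] = value
        last_key, off = key, off + 4 + length
    return {"priority": priority, "target": target, "params": params}

def alpn_list(value: bytes) -> list[str]:
    """The alpn value is a sequence of 1-byte-length-prefixed protocol ids."""
    out, off = [], 0
    while off < len(value):
        out.append(value[off + 1:off + 1 + value[off]].decode("ascii"))
        off += 1 + value[off]
    return out

def publishes_ech(rdata: bytes) -> bool:
    """True for a ServiceMode record (priority > 0) carrying a non-empty ech param."""
    rec = parse_https_rdata(rdata)
    return rec["priority"] > 0 and len(rec["params"].get("ech", b"")) > 0

# Constructed samples. Target "." means "this same name"; the ech value is an 8-byte
# placeholder where a real ECHConfigList (dozens of bytes, base64 in dig output) would be.
SAMPLE_WITH_ECH = (b"\x00\x01" + b"\x00" + b"\x00\x01\x00\x06\x02h2\x02h3"
                   + b"\x00\x05\x00\x08" + b"\xaa" * 8)
SAMPLE_NO_ECH = b"\x00\x01" + b"\x00" + b"\x00\x01\x00\x03\x02h2"
```

A record that parses cleanly but lacks key 5 is the "small site on plain Apache" case: the connection still works, the SNI just stays visible.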
Censorship and ECH
Within weeks of ECH rollout, China's Great Firewall started dropping any TLS connection that used encrypted ClientHello. Russia, Iran and a handful of other states followed. The stated reason is always "we can't identify the destination so we can't enforce rules." The real reason is the same. Where ECH works, it works wonderfully. Where it's blocked, your browser falls back to standard TLS and the SNI is visible again — no error, no warning, just a silent downgrade. It's worth checking manually from time to time whether your connections are actually ECH-protected.
Picking a resolver
If you're going to encrypt your DNS, you also have to trust the resolver on the other end. Changing "my ISP sees everything" to "Cloudflare sees everything" is only an improvement if you trust Cloudflare more. Some options worth knowing in 2026:
Cloudflare (1.1.1.1)
Fast, audited no-log policy, DoH + DoT + ECH support, free.
Google Public DNS (8.8.8.8)
Fast, logged for a limited time, feeds Google's ecosystem.
Quad9 (9.9.9.9)
Swiss non-profit, blocks known malware domains, DoH + DoT, free.
NextDNS
Configurable blocklists, personal logs, commercial tiers, very popular with power users.
Mullvad DNS
Aggressive blocklists, no logs, free and public.
AdGuard DNS
Ad-and-tracker-blocking resolver, free and paid tiers.
For most people, Cloudflare or Quad9 is a no-brainer default. If you want ad blocking at the DNS layer, NextDNS or AdGuard. If you're paranoid about datacenter resolvers, run your own Unbound instance — but that's a bigger project.
How to actually enable this
On your computer
Modern browsers: open settings, search for "DNS" or "secure DNS", pick a provider. That's it — the browser will use DoH for every query. Everything outside the browser (mail client, Steam, native apps) still uses your system DNS.
To encrypt DNS system-wide: Windows 11 supports DoH/DoT in Settings → Network → Advanced. macOS supports it via a configuration profile. Linux depends on your resolver (systemd-resolved has DoT support out of the box; Unbound, Stubby and dnscrypt-proxy all work).
On your phone
iOS and Android both support encrypted DNS device-wide. iOS uses configuration profiles (download one from Cloudflare or NextDNS). Android has "Private DNS" in settings — type `1dot1dot1dot1.cloudflare-dns.com` and you're done. Covers every app, not just the browser.
On your router
The big-impact move. Set your router's DNS to a DoT-capable resolver and suddenly every device on your home network — smart TVs, game consoles, IoT stuff that you'd never configure individually — gets encrypted DNS for free. Supported out of the box on OpenWrt, pfSense, UniFi, MikroTik, and most premium consumer routers.
What encrypted DNS still doesn't hide
We have to be honest about this because the marketing often isn't. Even with DoH + DoT + ECH, the following are still visible:
- The IP address you connect to. Reverse-lookup data can still leak the destination on small sites.
- Which CDN you're hitting. If the site is behind Cloudflare, the IP only says "some Cloudflare customer", which is a very rough guess; if it's a niche provider, the IP itself identifies the site.
- Traffic volume and timing patterns. Watching "you just downloaded 4GB from CDN at 9pm" is still meaningful for a motivated observer.
- Anything your ISP can correlate from account-level data they already have.
The encrypted-DNS stack raises the bar from "anyone with basic logging" to "you need traffic analysis infrastructure". For 99% of threats — nosy ISPs, hotel Wi-Fi, advertising networks — that's a huge upgrade.
FAQ
Is DoH legal?
Yes, in every country we know of, for individuals. Some countries (notably Russia, Iran) have floated laws requiring ISPs to block DoH to specific resolvers; as of 2026 enforcement is spotty. Using DoH yourself isn't illegal.
Will my employer be able to tell I'm using DoH?
Yes — corporate networks now detect DoH traffic by the destination IP/hostname of the resolver. Many corporate proxies explicitly break DoH to re-enable filtering. On a managed work laptop, you probably can't use it. On personal devices on corporate Wi-Fi, you can, but the network sees the encrypted connection to the resolver.
Does DoH slow my browsing?
A few milliseconds on first query, imperceptible after that once the resolver caches your common domains. Cloudflare and Quad9 are often faster than your ISP's DNS because they run more points of presence.
How do I verify ECH is working?
Cloudflare has a test page at `https://tls-ech.dev`. Some DNS testing tools (including our DNS Lookup) show whether the queried domain publishes the HTTPS records needed for ECH.
Do I still need a VPN if I have DoH and ECH?
For the "hide what I'm doing from my ISP" use case, encrypted DNS + ECH covers a lot. For geographic spoofing, avoiding IP-based blocks, or protecting against active network attackers, you still need a VPN on top. They complement each other.
What about DNS over QUIC (DoQ)?
Newer; it runs DNS directly over QUIC (the transport underneath HTTP/3) and is faster in some conditions. Adoption is growing. Android already supports it. Functionally equivalent to DoH for our purposes.
Tools on ip-checker.pro that help
→ DNS Lookup — A, AAAA, MX, TXT, HTTPS records (HTTPS records reveal ECH support)
→ IP Lookup — verify which resolver returned the answer
→ Security Check — scan DNS and resolver configuration for common mistakes
