The Domain Name System (DNS) is the backbone of the internet. Each time you input a new human-readable web address into a browser, your device will send a 'query' to a DNS 'resolver' - a server that converts it to a machine-readable IP address. This allows your device to connect to your chosen website. Think of DNS as a type of virtual phone book for the internet.
DNS Dangers
It's easy to see the advantages of DNS, as without it you'd have to remember the IP address for every site you want to visit - domain names like https://controld.com/ are a lot easier to recall than a string of numbers.
Still, traditional DNS 'queries' from devices carry several risks, including:
Online Snooping
Unencrypted DNS queries are simple for anyone with access to your ISP's records to monitor. This could give bad actors like cybercriminals and spammers insight into your browsing habits and other online activities.
DNS Spoofing
Cybercriminals can intercept unencrypted communications between an internet user and a legitimate DNS server, in order to redirect their queries to the hackers' own 'rogue' DNS server. When a user tries to access a legitimate website such as Facebook, bad actors can then return the IP address for a different site such as one designed to install malware or harvest their personal data.
Domain Blocking
If DNS queries are unencrypted, ISPs and governments can also employ 'DNS filtering' to block websites they don't want you to access.
Powerful Protocols
Traditional 'Legacy' DNS is the original and most widely used version of the DNS protocols. Almost all internet-connected devices support it but it has no built-in mechanisms to encrypt your DNS queries.
Luckily, there are now more secure, modern DNS protocols:
DNS-over-HTTPS (DoH)
+ Widespread OS and browser support
+ Better protection against DNS spoofing
- Not fully supported on Android
DNS-over-HTTPS (DoH) is a secure DNS protocol that encrypts DNS queries within the HTTPS protocol. This means your DNS queries are protected in the same way as web traffic using HTTPS. This makes it much more difficult for cybercriminals to monitor or 'spoof' your DNS requests.
As DoH can be applied at the application layer, users can easily configure browsers to make use of the protocol. This bypasses managed device restrictions and can make it more difficult for network administrators to block websites that contain malware.
DoH uses the existing HTTPS infrastructure. Its default port is TCP (Transmission Control Port) 443, which is commonly associated with encrypted web traffic. This means it's very unlikely to be blocked by firewalls.
The protocol is extremely fast and is supported by most modern browsers, though not all enable DoH by default.
DNS-over-TLS (DoT)
+ Uses TLS directly
+ Hypothetically faster, since there is less overhead
- DNS queries are more easily blocked
DNS-over-TLS (DoT) is a secure DNS protocol that, like DoH, encrypts DNS queries. The difference lies in how this is done: DoT uses TLS directly, making it almost impossible for cybercriminals to read or intercept DNS requests.
By default, the protocol manages TCP connections on port 853. Having its very own port makes DoT DNS queries much easier to detect than DoH, which uses the same port as all other HTTPS traffic. This can be a real advantage for network administrators who want to detect DNS requests.
For the same reason, DoT may not be of much use to users trying to evade internet censorship, as their DNS queries are less well disguised relative to DoH.
As a newer protocol, DoT is not supported on all devices, so may require software updates or third-party programs to fully implement.
DNS-over-QUIC (DoQ)
+ Very efficient
+ More resilient against packet loss
- Still experimental
DoQ makes good use of Google's QUIC protocol to process your DNS queries quickly and securely.
It operates in a similar way to DoH and DoT in that it encrypts your DNS requests, making it much harder for bad actors to know exactly which sites you're accessing.
It does this by encapsulating DNS queries within QUIC packets. This allows queries to be transmitted securely over UDP, in a more efficient way than other secure DNS protocols.
QUIC connections can be initiated with just a single data packet rather than establishing the traditional TCP/TLS 'handshake', which makes it much faster relative to other DNS protocols. It also operates at the application level, making it truly cross-platform.
Despite these clear advantages, DoQ is still experimental and hasn't been widely implemented. It only became an official standard in 2022. Having a dedicated port to handle DNS queries also means that like DoT, it can be blocked more easily than DoH.
DNS-over-HTTP/3
+ Fast DNS resolution
+ Fast reconnection times
- Not widely supported
DNS-over-HTTP/3 (DoH3) combines the benefits of DoH with the performance enhancements of HTTP/3 based on the QUIC protocol.
Like regular DoH, DoH3 encrypts DNS queries and responses, ensuring data confidentiality and protecting against eavesdropping. However, using the QUIC protocol means that it has the same performance advantages as DoQ in that it can handle multiple data streams and handle out-of-order packets in a more efficient manner than regular TCP. It can also resume suspended connections faster than DoT, such as when a mobile device switches networks.
As DoH3 is a newer protocol it's not currently widely supported. Android devices from Android 11 onwards use DoH3 instead of DoT for a limited number of well-known DNS servers like Google DNS. Users on other platforms have to stick to 3rd party apps.
Use Cases
It's clear by now what secure DNS protocols are available but you may still struggle to think of scenarios in which they'd be useful. If the weaknesses of traditional legacy DNS we outlined above are not enough, consider other situations where more secure DNS is preferable:
Secure Your Home Network
You may be sensible enough not to click on a fake 'phishing' link to download malware onto your device but can you say the same of your 70 year-old Grandma? If she can't load a harmful site in the first place, the amount of damage she can do to your network and any connected devices is limited. By using a customized DNS resolver you can block any device on your home network from loading dubious domains.
Block Harmful Content
If you're a network administrator in a huge corporation, properly configured DNS settings can ensure that employees don't eat into company time by playing online games or scrolling through TikTok. Concerned parents can also protect their children from adult content, and gambling websites, and even regulate the times at which they can access social media.
Lock Down Public Wi-Fi
If you manage a public wireless hotspot, you need to make sure it can't be abused. Bad actors often make use of Public Wifi to illegally access copyrighted content, deliver malware, and run scams. In the worst-case scenario, your ISP could even disconnect your network for DMCA or other violations.
You can prevent this simply by setting up your own custom DNS resolver to monitor usage patterns and block potentially harmful domains.
Which DNS Protocol Should I Use?
If you're now convinced that upgrading to a more modern DNS protocol is the right move, you need to give some thought about which one to deploy. Your choice will be informed by the device and software you use:
Web Browsers
Most modern web browsers support DoH including Mozilla Firefox, Microsoft Edge, Google Chrome, Brave, and Vivaldi. In some cases you may need to manually enable a setting, so be sure to check the developer's support pages to be sure this is set up correctly. Remember, only DNS queries for websites you visit in the browser itself will be encrypted - other internet-enabled programs on your device won't get the benefit of secure DNS.
Windows 10
Windows 10 doesn't support DoH natively but you can configure it to use the protocol using third-party tools like Control D's Command Line Daemon.
If you prefer to keep things simple, you can also use Control D's own GUI Setup Utility to start using DoH in seconds.
Windows 11
Like its predecessor, Windows 11 also supports DoH. Unlike Windows 10, it's actually possible to enable DNS over HTTPS via the Network & Internet Settings app. Take some time to read our online guide on how to do this. You can also use our 1-click configurator to set up DoH in seconds.
macOS
If you're running macOS 11 (Big Sur) or later you can easily enable DoH or DoT using a configuration profile. Control D users can also get set up in minutes using the GUI Setup Utility.
If you're using macOS 10.15 (Catalina) or earlier and can't upgrade, you can only use secure DNS protocols via third-party utilities like those mentioned above.
Android
Modern versions of Android support DNS-Over-TLS, which is called “Private DNS” in Android OS. You can enable DoT support using your device's network settings for both WiFi and cellular networks. Control D users can get going even quicker with the Control D Quick Setup utility, available via the Google Play Store.
Devices running Android 11 and later use DoH3 (see below) but only for certain hardcoded DNS services.
If your device is running Android version 8 (Oreo) or earlier, you can still modify your DNS settings on every WiFI network you connect to or use Secure DNS via third-party apps.
iOS
Like Macs, Apple devices running iOS like iPhones and iPads also support DoH or DoT. You can do this natively on devices running iOS 14 or later using configuration profiles. Control D users can get going even quicker with the Control D Quick Setup utility, available via the App Store.
You may need to restart your network connection for your changes to take effect.
Take Back Control With Control D
Control D is a powerful DNS service that gives you granular control over your internet experience. Block ads and trackers, filter unwanted content, protect yourself from malware and phishing attempts, and more, all through an intuitive browser UI - no additional software required!