PublicDNS.info Live-tested public DNS
Retested every 72 hours.

How to Enable Encrypted DNS on Android

Protect your DNS queries from ISP monitoring and tampering by enabling encrypted DNS (DoT) on Android. This guide walks you through each step with real settings and menu paths.

Why Enable Encrypted DNS on Android?

By default, DNS queries are sent in plain text over UDP port 53. This means your ISP, network administrator, or anyone on your local network can see every domain you visit. Encrypted DNS solves this by wrapping your DNS queries in TLS or HTTPS encryption.

  • DNS-over-HTTPS (DoH) sends DNS queries inside HTTPS on port 443 — the same port used for web traffic. This makes it very difficult to block or detect.
  • DNS-over-TLS (DoT) sends DNS queries encrypted via TLS on port 853. It is a dedicated protocol that is easier for network admins to manage but may be blocked on some networks.

This guide shows you how to configure DoT on Android.

Step-by-Step Setup Instructions

Follow these steps to enable encrypted DNS on Android:

  1. Open Settings
    Open the Settings app on your Android device. You can swipe down from the top of the screen and tap the gear icon, or find Settings in your app drawer.
  2. Navigate to Private DNS
    Go to Network & Internet (or Connections on Samsung devices). Tap on Private DNS. On some Android versions, you may need to tap Advanced or More connection settings first.
  3. Select Private DNS provider
    You will see three options: Off, Automatic, and Private DNS provider hostname. Select Private DNS provider hostname.
  4. Enter the DNS hostname
    Enter one of the following hostnames: one.one.one.one (Cloudflare), dns.google (Google), or dns.quad9.net (Quad9). This hostname is used for DNS-over-TLS authentication.
  5. Save and verify
    Tap Save. Android will validate the hostname by attempting a DoT connection. If it succeeds, Private DNS will show as active. If validation fails, check for typos in the hostname.
  6. Test encrypted DNS
    Open your browser and visit a DNS leak test site. The result should show your chosen DNS provider (not your ISP), confirming that DNS-over-TLS is active for all apps on your device.

After configuring encrypted DNS, clear your DNS cache and test the configuration using a DNS leak test site.
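The validation in step 5 can be approximated from a computer on the same network. The Python below is an added example, not code from this site or from Android: it opens a certificate-verified TLS connection to port 853, sends one length-prefixed DNS query, and separates a blocked port from a hostname/certificate mismatch. The function names, the example.com test query and the sample reply bytes are assumptions made for illustration.

```python
import socket
import ssl
import struct

# Constructed sample: length prefix + DNS header only (id 0x1234, NOERROR, 2 answers).
SAMPLE_REPLY = bytes.fromhex("000c 1234 8180 0001 0002 0000 0000")

def build_dot_query(name, txid=0x1234):
    """A-record query for `name`, framed with the 2-byte length prefix DoT uses."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def parse_dot_reply(framed, txid=0x1234):
    """Return (rcode, answer_count); raise ValueError on bad framing or wrong id."""
    if len(framed) < 14 or len(framed) - 2 != int.from_bytes(framed[:2], "big"):
        raise ValueError("bad length framing")
    rid, flags, _qd, answers = struct.unpack("!HHHH", framed[2:10])
    if rid != txid or not flags & 0x8000:  # wrong id, or QR bit clear (not a reply)
        raise ValueError("not a response to our query")
    return flags & 0x000F, answers

def check_dot(hostname, port=853, timeout=5.0):
    """Classify one DoT attempt against `hostname` (needs network access)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw, \
             ctx.wrap_socket(raw, server_hostname=hostname) as tls, \
             tls.makefile("rb") as reader:
            tls.sendall(build_dot_query("example.com"))
            prefix = reader.read(2)
            reply = prefix + reader.read(int.from_bytes(prefix, "big"))
        rcode, answers = parse_dot_reply(reply)
        return f"ok: certificate valid for {hostname}, rcode={rcode}, answers={answers}"
    except ssl.SSLCertVerificationError as exc:
        return f"certificate check failed for {hostname}: {exc.verify_message}"
    except OSError as exc:  # refused, timed out, DNS failure, or other TLS error
        return f"port {port} unreachable or TLS failed: {exc}"
    except ValueError as exc:
        return f"connected, but the reply was not valid DoT: {exc}"

if __name__ == "__main__":
    print("sample reply ->", parse_dot_reply(SAMPLE_REPLY))
    for host in ("one.one.one.one", "dns.google", "dns.quad9.net"):
        print(host, "->", check_dot(host))
```

If the result is "unreachable" on one network and "ok" on another, the first network is filtering port 853, which matches the "Cannot connect" case in the FAQ.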

Recommended Encrypted DNS Providers

These providers support encrypted DNS and are compatible with Android:

Provider    Primary IP  Secondary IP     DoH URL                               DoT Hostname
Cloudflare  1.1.1.1     1.0.0.1          https://cloudflare-dns.com/dns-query  one.one.one.one
Google      8.8.8.8     8.8.4.4          https://dns.google/dns-query          dns.google
Quad9       9.9.9.9     149.112.112.112  https://dns.quad9.net/dns-query       dns.quad9.net

Verify Your Encrypted DNS Setup

After configuring encrypted DNS on Android, run our DNS Privacy Check to verify your queries are encrypted and your ISP cannot see your DNS traffic.

Frequently Asked Questions

What Android version supports Private DNS?

Android 9 (Pie) and later support Private DNS natively. This feature uses DNS-over-TLS (DoT) to encrypt all DNS queries at the system level, covering all apps on the device without needing root access or a VPN.

What is the difference between Automatic and Private DNS provider hostname?

Automatic mode uses opportunistic DNS-over-TLS: Android tries encrypted DNS with your network DNS server, but falls back to unencrypted if DoT is not supported. Private DNS provider hostname forces strict DoT with your chosen server, blocking unencrypted fallback.

Does Private DNS on Android use DoH or DoT?

Android Private DNS uses DNS-over-TLS (DoT) on port 853. As of Android 13, Google is adding DNS-over-HTTPS (DoH) support as well. For most users, DoT via Private DNS provides full encryption and is the simplest setup.

Why does my Private DNS keep showing "Cannot connect"?

This usually means your network (e.g., corporate Wi-Fi, hotel Wi-Fi) is blocking port 853, which DoT uses. Try switching networks or using a VPN. Some public Wi-Fi networks block all non-standard ports, preventing DoT connections.