PublicDNS.info Live-tested public DNS
Retested every 72 hours.

Encrypted DNS on Your Router

Protect your DNS queries from ISP monitoring and tampering by enabling encrypted DNS (DoH & DoT) on your router. This guide walks you through each step with real settings and menu paths.

Why Enable Encrypted DNS on Your Router?

By default, DNS queries are sent in plain text over UDP port 53. This means your ISP, network administrator, or anyone on your local network can see every domain you visit. Encrypted DNS solves this by wrapping your DNS queries in TLS or HTTPS encryption.

  • DNS-over-HTTPS (DoH) sends DNS queries inside HTTPS on port 443 — the same port used for web traffic. This makes it very difficult to block or detect.
  • DNS-over-TLS (DoT) sends DNS queries encrypted via TLS on port 853. It is a dedicated protocol that is easier for network admins to manage but may be blocked on some networks.

This guide shows you how to configure DoH & DoT on your router.

Step-by-Step Setup Instructions

Follow these steps to enable encrypted DNS on your router:

  1. Access your router admin panel
    Open a web browser and navigate to your router IP address, typically 192.168.1.1 or 192.168.0.1. Log in with your admin credentials. If you have never changed them, check the sticker on the bottom of your router for default credentials.
  2. Find DNS or Internet settings
    Navigate to WAN settings, Internet settings, or Network settings — the exact location varies by brand. Look for DNS Server, Name Server, or DNS Configuration options. Some routers have a dedicated DNS or Security section.
  3. Check for DoH/DoT support
    Look for options labeled DNS over HTTPS, DNS over TLS, Encrypted DNS, or Secure DNS. Routers from Asus (Merlin firmware), Netgear, TP-Link (recent models), and routers running OpenWrt, DD-WRT, or pfSense support encrypted DNS. If your router lacks these options, see the alternative step below.
  4. Configure encrypted DNS (if supported)
    Enable DNS-over-TLS or DNS-over-HTTPS and enter the provider details. For DoT: server address 1.1.1.1, port 853, hostname one.one.one.one. For DoH: URL https://cloudflare-dns.com/dns-query. Save settings.
  5. Alternative: Set plain DNS servers
    If your router does not support encrypted DNS, enter plain DNS servers (Primary: 1.1.1.1, Secondary: 1.0.0.1) to at least use a privacy-focused provider. Then enable encrypted DNS on individual devices (Windows, macOS, Android, iOS) for encryption on those devices.
  6. Reboot and verify
    Save all settings and reboot your router. After reboot, connect a device and visit a DNS leak test site. All devices on your network should now use the configured DNS servers. If using encrypted DNS, the leak test should show your chosen provider.

After configuring encrypted DNS, it is recommended to clear your DNS cache and test the configuration using a DNS leak test site.
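
The DoT values in step 4 pair an IP address with a hostname because the client connects to the IP but validates the server's TLS certificate against the hostname. The following Python code is an added example, not part of the original guide: it builds a DNS query, shows how DoT and DoH encode it, and sends one DoT query with certificate validation. The function names and the test name example.com are assumptions made for illustration.

```python
import base64
import socket
import ssl
import struct

def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Minimal DNS query in wire format (RFC 1035): header plus one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE (A=1), QCLASS=IN

def frame_dot(message: bytes) -> bytes:
    """DoT (RFC 7858) sends each DNS message with a 2-byte length prefix."""
    return struct.pack("!H", len(message)) + message

def doh_get_url(base_url: str, message: bytes) -> str:
    """DoH GET (RFC 8484): base64url-encoded query with padding stripped."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full reply")
        buf += chunk
    return buf

def query_dot(server_ip: str, tls_hostname: str, name: str, timeout: float = 5.0) -> int:
    """Send one A query over DoT and return the answer count (ANCOUNT).
    Raises ssl.SSLCertVerificationError if the certificate does not match tls_hostname."""
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
            tls.sendall(frame_dot(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            reply = _recv_exact(tls, length)
    return struct.unpack("!H", reply[6:8])[0]

if __name__ == "__main__":
    # Provider values from step 4; example.com is a constructed test name.
    print(doh_get_url("https://cloudflare-dns.com/dns-query", build_query("example.com")))
    print("DoT answers:", query_dot("1.1.1.1", "one.one.one.one", "example.com"))
```

A connection timeout or refusal from `query_dot` on a network where ordinary browsing works suggests port 853 is being blocked, which is the DoT limitation noted earlier in this guide.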

Recommended Encrypted DNS Providers

These providers support encrypted DNS and are compatible with your router:

Provider    Primary IP  Secondary IP     DoH URL                               DoT Hostname
Cloudflare  1.1.1.1     1.0.0.1          https://cloudflare-dns.com/dns-query  one.one.one.one
Google      8.8.8.8     8.8.4.4          https://dns.google/dns-query          dns.google
Quad9       9.9.9.9     149.112.112.112  https://dns.quad9.net/dns-query       dns.quad9.net

Verify Your Encrypted DNS Setup

After configuring encrypted DNS on your router, run our DNS Privacy Check to verify your queries are encrypted and your ISP cannot see your DNS traffic.

Frequently Asked Questions

Which routers support DNS-over-HTTPS or DNS-over-TLS?

Asus routers with Merlin firmware, Netgear Nighthawk (recent models), TP-Link Deco, and Synology routers support DoH or DoT natively. Open-source firmware like OpenWrt, DD-WRT, and pfSense also support encrypted DNS. Older or budget routers typically lack this feature.

Is it better to set encrypted DNS on my router or on each device?

Setting encrypted DNS on your router protects all devices on your network, including IoT devices, smart TVs, and guest devices that you cannot individually configure. However, per-device configuration gives you more control and works even when connected to other networks. Ideally, configure both for maximum coverage.

Will encrypted DNS on my router slow down my internet?

The encryption overhead is negligible — typically adding less than 5ms to DNS resolution time. Modern encrypted DNS servers like Cloudflare and Google are fast enough that you will not notice any difference in daily browsing. DNS caching on the router further minimizes any impact.

Can I use encrypted DNS on my router with a Pi-hole?

Yes. Set your router DHCP to point devices to your Pi-hole (e.g., 192.168.1.2). Then configure Pi-hole to use an encrypted DNS upstream — either directly via Cloudflare DoH (using cloudflared) or via Unbound with DNS-over-TLS forwarding. This gives you ad blocking plus encrypted DNS for all devices.