DNS (Domain Name System) is the internet's address book. It translates human-readable domain names like "example.com" into the numeric IP addresses your device actually uses to connect to servers.
How it works (briefly)
When you type reddit.com in your browser:
- Your device asks a DNS resolver: "what's the IP for reddit.com?"
- The resolver looks it up (in its cache, or by asking other DNS servers).
- The resolver returns the IP (something like 151.101.0.140).
- Your device opens a connection to that IP.
This happens before any actual webpage loads. Every domain you visit requires a DNS query first.
Whose resolver answers your queries?
By default, your device uses the DNS resolver assigned by your network — usually your ISP's resolver. That resolver sees every domain you ever look up: a complete record of every site you've visited, in plaintext.
You can change which resolver your device uses:
- Cloudflare 1.1.1.1 — fast, privacy-focused.
- Quad9 9.9.9.9 — focused on blocking malicious domains.
- Google 8.8.8.8 — reliable but Google-operated (some users prefer not to give them this data).
- NextDNS — customizable, includes ad-blocking options.
- Your VPN provider's resolver — when a VPN is connected, your DNS goes through the tunnel to the VPN's resolver.
Why DNS matters for privacy
DNS queries are typically plaintext (visible to the network), so anyone between you and the resolver can read them. This is one of the biggest privacy leaks people don't realize they have.
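The lookup walked through above and the plaintext point just made, as an added example that is not part of the original article: it encodes the query your device would send for reddit.com, builds a constructed resolver reply carrying the sample address 151.101.0.140, and then reads both the name and the answer straight back out of the raw bytes, which is all an on-path observer (or your own network monitor) has to do. Everything is built and parsed in-process; nothing is sent on the network.

```python
import struct

HEADER_LEN = 12  # fixed DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode an A-record query for `name` in RFC 1035 wire format (the UDP/53 payload)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 0x0100 = recursion desired
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=1 (A), QCLASS=1 (IN)

def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed resolver reply: same ID, QR=1, question echoed, one A record (name = pointer to offset 12)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; 1 answer
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[HEADER_LEN:] + answer

def read_name(msg: bytes, pos: int) -> tuple:
    """Decode a possibly compressed name at `pos`; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # pointer: low 14 bits are an offset into the message
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)

def observe(msg: bytes) -> dict:
    """Pull the queried name and any A answers out of a raw DNS message: all a passive on-path observer (ISP, hotspot, or your own monitoring sensor) has to do."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    qname, pos = read_name(msg, HEADER_LEN)
    pos += 4  # skip QTYPE and QCLASS
    a_records = []
    for _ in range(an):
        _, pos = read_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            a_records.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000), "name": qname, "a_records": a_records}
```

Running `observe()` over either message recovers the domain and the returned address from the bare bytes, which is exactly what DoH, DoT, or a VPN tunnel is meant to keep off the wire.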
Encrypted DNS variants:
- DoH (DNS-over-HTTPS): queries wrapped in HTTPS, indistinguishable from web traffic.
- DoT (DNS-over-TLS): queries over a dedicated TLS connection.
- VPN tunneled: DNS queries go through the encrypted VPN tunnel to the VPN's resolver.
If you're using a properly configured VPN, your DNS queries are tunneled and your ISP can't see them. If they're leaking around the tunnel, you have a "DNS leak" — see the deeper article.