Sun, Jul 12, 2026NY 5:59 PM EDTLA 2:59 PM PDTLON 10:59 PM GMT+1DXB 1:59 AM GMT+4TOK 6:59 AM GMT+9SYD 7:59 AM GMT+10UTC 9:59 PM UTCBTC market check delayedETH CoinGecko source
Strangely Useful

Practical guides for apps, money, security, and everyday tech problems.

Start: payment fixFake supportMoney hubTopicsVerification
Sections
Latest storiesTopicsMoney & ChargesSearchInternet & CultureTech & AISecurity & TrustPractical TechnologyMoney & PaymentsBrowser & PrivacyAI ToolsSoftware & ServicesInternet Culture & Everyday WorkflowsHidden HistoryUseful ThingsEntertainmentQuizzesAboutHow we workHow guides are madeNewsletter
Browser & Privacy - story

Secure DNS Hides the Lookup, Not the Whole Website Visit

Encrypted DNS can stop ordinary network observers from reading your domain lookups, but it is not a VPN and does not make browsing anonymous.

Last verified July 11, 20262 sources checkedEditorial standards
An encrypted path carries a domain lookup from a laptop to a DNS resolver.
Secure DNS Hides the Lookup, Not the Whole Website VisitAn encrypted path carries a domain lookup from a laptop to a DNS resolver.Encrypted DNS protects the lookup channel; it does not hide every later connection. Illustration: Strangely Useful. Generated for Strangely Useful; provenance retained.
In this story4 sectionsWhy DNS needs a protected channelWhat it does not concealAutomatic or custom provider?A sensible configuration

Secure DNS encrypts the request your device makes to translate a domain name into an IP address. It can prevent a basic local-network observer from reading or changing that lookup in transit. It does not hide every destination from your network, encrypt an insecure webpage or make you anonymous.

Why DNS needs a protected channel

Before a browser can open a site, it usually asks a DNS resolver where that site's server lives. Traditional DNS sends many of those questions without transport encryption. DNS over HTTPS, commonly shortened to DoH, places the lookup inside HTTPS. DNS over TLS uses a dedicated encrypted channel. Both aim to protect the query between your device and the resolver.

Chrome calls its control Use secure DNS. Google says automatic mode can fall back to an unencrypted lookup if the protected lookup fails. Selecting a custom provider changes that behavior: Chrome says it will not fall back to an unencrypted mode for that provider, so a resolver outage may instead produce an error. Firefox similarly lets users choose increased protection and a provider, subject to network and policy conditions.

What it does not conceal

After DNS gives the browser an address, the browser still has to connect to the destination. HTTPS protects page contents in transit, but other connection details can still reveal information to the network or service providers. The resolver itself receives the DNS question unless a more complex proxy design is used. The website sees the connecting address unless another network layer changes it.

  • Secure DNS is not a VPN. It does not reroute all device traffic through a different exit.
  • It does not repair a phishing site or certify that a domain is trustworthy.
  • It does not replace HTTPS. An HTTP page can still expose content in transit.
  • It does not stop tracking performed by the site, account or browser storage.

Automatic or custom provider?

Automatic mode is the low-friction choice. It often upgrades lookups while preserving compatibility with a network's resolver. A custom provider gives you a clearer resolver choice and may prevent silent downgrade, but it moves trust to that provider and can interfere with parental controls, company filtering or hotel sign-in systems. Read the provider's retention and filtering policy, not only its speed claims.

When a network breaks

A managed device may lock the feature. Captive portals and filtered networks may expect their own DNS behavior. If a site fails only after choosing a custom resolver, temporarily return to automatic mode, confirm the device clock, and test another known site. Do not disable every security control because one hotel login page is confused.

A sensible configuration

  1. Keep the browser and operating system updated.
  2. Turn on secure DNS in the browser's privacy or security settings.
  3. Use automatic mode unless you have a reason to select and trust a provider.
  4. Also enable the browser's HTTPS-only or always-secure-connections mode.
  5. Remember that account privacy, cookies and site permissions remain separate problems.

Secure DNS solves a narrow, real problem: exposed name lookups. It is worth enabling when it works on your network, especially alongside HTTPS. The correct mental model is an encrypted address-book request—not an invisibility cloak for everything that follows.

Sources & methodology2 sources - evidence for this revision

The records below show what each source supports in this published revision.

  1. Manage Chrome safety and securityGoogle Chrome Helpreference - Retrieved Jul 12, 2026

    What it supportsChrome's secure DNS encrypts host lookup information. - Chrome automatic mode may fall back to unencrypted DNS, while a selected custom provider does not.

  2. DNS over HTTPS (DoH)Mozilla Supportreference - Retrieved Jul 12, 2026

    What it supportsDNS over HTTPS sends DNS queries over HTTPS.

The Useful Dispatch

Keep the good rabbit holes coming.

The weekly email is being prepared. No address is collected yet.

See the newsletter plan →