Public, Private and Secure DNS

Published Mar 25 2020, Updated Dec 19 2020

The domain name system (DNS) resolves domain names (the names in URLs and links) to IP addresses. With DNS it is possible to type words instead of a string of numbers into a web browser, allowing people to reach websites and send email using familiar names. Traditionally these queries are not encrypted while they traverse an internet connection.

Private DNS (aka Secure DNS) is available now and encrypts DNS queries, ensuring they cannot be tampered with and are unintelligible to ISPs, mobile carriers, and any others in the network path between you and your DNS resolver.
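To make the difference between plaintext DNS and Private DNS concrete, here is an added example (not code from the original post): it builds a DNS query in standard wire format, shows that an on-path observer can read the queried name straight out of the unencrypted UDP/53 bytes, and then shows how the same message is framed for DNS over TLS (DoT): a two-byte length prefix, carried inside a TLS session to port 853 whose certificate is checked against the resolver hostname you would type into Android's Private DNS setting. The resolver IP and hostname passed to query_over_dot are placeholders you supply; the sample response is constructed for the offline demonstration.

```python
"""Plaintext DNS versus DNS over TLS (DoT), shown at the wire level.
Added example, not part of the original post. The response below is
constructed; the resolver address and hostname are supplied by the caller."""
import socket
import ssl
import struct


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard DNS query (RFC 1035 wire format): 12-byte header
    with the RD (recursion desired) flag set, then one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def visible_name(packet: bytes) -> str:
    """What anyone on the network path recovers from a plaintext UDP/53
    packet: the queried name, read directly from the unencrypted bytes."""
    pos = 12  # skip the fixed-size header
    labels = []
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def frame_for_dot(packet: bytes) -> bytes:
    """DoT (RFC 7858) reuses DNS-over-TCP framing: a 2-byte big-endian length
    prefix before each message. The whole stream then travels inside TLS, so
    the observer sees only a TLS connection to port 853."""
    return struct.pack("!H", len(packet)) + packet


def parse_a_answer(response: bytes) -> list:
    """Minimal parser: IPv4 addresses from the answer section of a response to
    a single A query. Compression pointers (0xC0..) in owner names are skipped
    because only the RDATA is needed here."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    pos = 12
    for _ in range(qd):  # skip the echoed question
        while response[pos] != 0:
            pos += 1 + response[pos]
        pos += 1 + 4  # terminator, QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        if response[pos] & 0xC0 == 0xC0:
            pos += 2  # compression pointer
        else:
            while response[pos] != 0:
                pos += 1 + response[pos]
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        rdata = response[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def query_over_dot(qname: str, resolver_ip: str, resolver_name: str) -> list:
    """Send the query over TLS to port 853. The certificate is verified against
    resolver_name, so a tampering middlebox cannot impersonate the resolver.
    Needs network access; the offline checks do not call this."""
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_name) as tls:
            tls.sendall(frame_for_dot(build_query(qname)))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            data = _recv_exact(tls, length)
    return parse_a_answer(data)


# Constructed response: same txid, one A record (192.0.2.10 is a
# documentation address), owner name given as a compression pointer.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("plaintext query exposes:", visible_name(q))
    print("DoT frame (length prefix + message):", frame_for_dot(q).hex())
    print("parsed answer:", parse_a_answer(SAMPLE_RESPONSE))
```

The point of the comparison: the bytes in the DoT frame are identical to the plaintext packet apart from the length prefix, so the privacy comes entirely from the TLS layer (confidentiality) and from certificate validation against the resolver hostname (tamper resistance), not from any change to DNS itself.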

Newer Android devices support Private DNS, but it may not be configured or active by default, and not all internet providers or connections support it.

You can test whether your current DNS is using Secure / Private DNS.

Currently OpenDNS (acquired by Cisco) is a popular provider of public (free) or paid DNS services to improve security for home, business and other internet users.

You can change your router to use OpenDNS (or another DNS service's) servers instead of your ISP's DNS servers, and all devices connecting to your router will be better protected by those services by default. Warning: if your kids have mobile phones or devices that allow them to turn off WiFi and use their own wireless data for internet instead of your router, they will not be protected. There are restrictions or parental controls that can be enabled that may allow restricting this, or the times or duration of use, etc.
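A defender's check for the situation just described, as an added example (not from the original post): given connection-log lines exported from the router or firewall, find devices whose DNS traffic is not going to the resolvers the router was configured with. The log format here is constructed for the example, so adapt the parser to your own router's export; the approved resolver addresses are assumed to be OpenDNS's published public resolvers, and the other addresses in the sample are constructed documentation-range stand-ins.

```python
"""Audit router/firewall connection logs for DNS traffic that bypasses the
resolvers configured on the router. Added example, not from the original post.
Log format and sample addresses are constructed for this demonstration."""
from collections import defaultdict

# Assumed: the router forwards DNS to OpenDNS's published public resolvers.
APPROVED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Constructed sample log: "src_ip dst_ip proto dst_port", one flow per line.
# 198.51.100.53 and 203.0.113.53 stand in for arbitrary third-party resolvers.
SAMPLE_LOG = """\
192.168.1.20 208.67.222.222 udp 53
192.168.1.20 208.67.220.220 udp 53
192.168.1.35 198.51.100.53 udp 53
192.168.1.35 198.51.100.53 tcp 53
192.168.1.42 203.0.113.53 tcp 853
192.168.1.42 203.0.113.80 tcp 443
"""


def parse_line(line: str):
    """Split one constructed log line into (src, dst, proto, port)."""
    src, dst, proto, port = line.split()
    return src, dst, proto.lower(), int(port)


def audit_dns_flows(log_text: str, approved=APPROVED_RESOLVERS) -> dict:
    """Return {client_ip: sorted findings} for clients whose DNS does not go
    through the approved resolvers. Plaintext DNS (port 53) to anything else
    means the router's DNS filtering is bypassed; DNS over TLS (port 853) to a
    third party is encrypted, so the router cannot filter it either. DNS over
    HTTPS on port 443 is indistinguishable from ordinary HTTPS by port alone
    and is deliberately not flagged here."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = parse_line(line)
        if port == 53 and dst not in approved:
            findings[src].add(f"plaintext DNS to unapproved resolver {dst}")
        elif port == 853:
            findings[src].add(
                f"DNS over TLS to {dst}: encrypted, router filtering does not apply"
            )
    return {src: sorted(items) for src, items in findings.items()}


def unprotected_devices(log_text: str, approved=APPROVED_RESOLVERS) -> list:
    """Just the client addresses that need attention, sorted."""
    return sorted(audit_dns_flows(log_text, approved))


if __name__ == "__main__":
    for client, items in audit_dns_flows(SAMPLE_LOG).items():
        for item in items:
            print(f"{client}: {item}")
```

Devices that only ever talk to the approved resolvers (192.168.1.20 in the sample) produce no finding; the two that do are the ones whose traffic the router's DNS-based filtering never sees. A device on mobile data, as the warning above notes, does not appear in the router's log at all, which is exactly why it cannot be protected from there.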

There is also an OpenDNS agent you can install (at least on Windows) that will pop up and tell you if you are not using OpenDNS. Your OpenDNS portal allows customizing how aggressively it filters, including blocking adult content if you want, and whitelisting or blacklisting domains (e.g. for false positives), etc.

They also offer a DNSCrypt service for Windows and Mac computers that improves on traditional DNS and can work alongside Private DNS.

OpenDNS is operated out of the US and is now part of the Cisco Umbrella service, but it is still branded OpenDNS.

There is a Canadian version to keep your DNS queries and data private and in Canada.

CIRA Canadian Shield – Free malware and phishing protection

They also have a paid version for business.

More info on Private DNS

DNS Security and Privacy — Choosing the right provider –

Nykolas Z
Apr 18, 2018

There are many options for DNS security and privacy available right now. You do not need to use your ISP DNS or plain-text DNS anymore and open yourself to DNS hijacking, sniffing and abuse by third parties (looking at you, Marriott).

However, with all great options out there (eg:,,,) come great responsibilities. Which provider to choose? Which protocol to choose? DNSCrypt? DNS over HTTPS or TLS? What about DNSSEC? …

Here is a list and more info on Public and Private DNS providers.

Enable Private DNS with on Android 9 Pie –

Stephen Pinkerton 2018-08-16

Cloudflare: Consumer Privacy is Priority –


Android Pie (v9) only supports DNS over TLS. To enable this on your device:

  1. Go to Settings → Network & internet → Advanced → Private DNS.
  2. Select the Private DNS provider hostname option.
  3. Enter and hit Save.
  4. Visit (or to verify that “Using DNS over TLS (DoT)” shows as “Yes”.

And you’re done!

Partial archive

Cloudflare: Consumer Privacy is Priority –

Is Cloudflare’s Really About Privacy First?

So basically, despite its “privacy-first” policy, Cloudflare will be sharing DNS query data with APNIC Labs (Asia-Pacific Network Info Centre, the Regional Internet address Registry for the Region) for the next 5 years in exchange for the use of its network address along with the chance of permanently acquiring the IP address — including

On APNIC’s blog post, they stated that their deep interest is in understanding the technical infrastructure of the internet including the intricacies of DNS in order to mitigate malicious denial of service attacks. They were also quick to reiterate Cloudflare’s commitment to data privacy:

“In setting up this joint research program, APNIC is acutely aware of the sensitivity of DNS query data. We are committed to treat all data with due care and attention to personal privacy and wish to minimise the potential problems of data leaks. We will be destroying all “raw” DNS data as soon as we have performed statistical analysis on the data flow. We will not be compiling any form of profiles of activity that could be used to identify individuals, and we will ensure that any retained processed data is sufficiently generic that it will not be susceptible to efforts to reconstruct individual profiles. Furthermore, the access to the primary data feed will be strictly limited to the researchers in APNIC Labs, and we will naturally abide by APNIC’s non-disclosure policies.”

Further, Cloudflare argued that they’re not a media or advertising company (unlike Google or broadband providers), so they see a user’s personal data as a “toxic asset”. They claim that they never store information that could identify an end user and that all logs on their public resolver are never kept for more than 24 hours. They also submit to annual audits, published publicly, to show their commitment to their privacy policy.

About Kevin Yaworski

I use my blog to write about things that I think are a matter of public interest or that I think others will be interested in
This entry was posted in Computers and Internet, News and politics, security.
