
How to Check if Your DNS Is Actually Secure

By Kunal Khatri · Mar 9, 2026

Your DNS resolver is the first stop for every internet request you make. Default ISP resolvers log your queries, don't validate responses, and often inject ads into NXDOMAIN responses (when a domain doesn't exist). Checking and improving your DNS security is one of the highest-value, lowest-effort privacy improvements most people can make.

What to Check First

Find out which DNS resolver your device is actually using. On Windows, open Command Prompt, run 'ipconfig /all', and look for DNS Servers under your active network adapter. On macOS and Linux, check /etc/resolv.conf; on macOS you can also run 'scutil --dns'. If it shows your router's IP, your router is handling DNS (and probably forwarding to your ISP). If it shows 8.8.8.8, you're on Google. If it shows 1.1.1.1, you're on Cloudflare.

The Three Properties That Matter

Privacy: does the resolver log your queries, and for how long? Google's 8.8.8.8 logs queries for 24-48 hours tied to approximate location. Cloudflare's 1.1.1.1 claims to delete logs within 24 hours. NextDNS allows fully customisable logging with an option for no logging. Your ISP's resolver logs queries for months or years in most jurisdictions.

Encryption: is the query encrypted in transit? Plain DNS sends queries in cleartext on UDP port 53 — visible to anyone watching the network. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt queries so only the resolver can read them. Check whether your browser or OS is using DoH — Chrome, Firefox, and Windows 11 all support it.

Validation: does the resolver validate DNSSEC signatures? Cloudflare and Google both validate DNSSEC. Many ISP resolvers don't. DNSSEC validation prevents certain cache poisoning attacks.
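One way to test the validation property yourself, as an added example that is not part of the original article: send a query with the DNSSEC OK bit set, then read the AD flag and response code from the reply. The two test names passed to `check` are placeholders you supply (a correctly signed domain and a deliberately mis-signed test domain), and the response bytes below are constructed samples.

```python
import socket
import struct

AD_FLAG = 0x0020  # "Authenticated Data": resolver says it validated the answer
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """A-record query with RD+AD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100 | AD_FLAG, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT pseudo-record: root name, TYPE=41, UDP size 1232, flags DO=0x8000, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def parse_header(resp):
    """Extract the fields that matter for a validation check from a raw reply."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    return {"id": qid, "rcode": RCODES.get(rcode, str(rcode)),
            "ad": bool(flags & AD_FLAG), "answers": an}

def verdict(signed, broken):
    """signed/broken: parsed replies for a good and a deliberately mis-signed name."""
    if signed["ad"] and broken["rcode"] == "SERVFAIL":
        return "validating"       # vouches for good data, refuses bad data
    if broken["rcode"] == "NOERROR" and broken["answers"] > 0:
        return "not validating"   # handed back data with broken signatures
    return "inconclusive"

def ask(resolver, name, timeout=3.0):
    """Live lookup over plain UDP/53 (not called on import)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return parse_header(s.recvfrom(4096)[0])

def check(resolver, signed_name, broken_name):
    # signed_name / broken_name are placeholders the caller must provide
    return verdict(ask(resolver, signed_name), ask(resolver, broken_name))

# Constructed sample reply headers (id, flags, qd, an, ns, ar), not captured traffic
SIGNED_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)        # NOERROR + AD
SIGNED_NO_AD = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)     # NOERROR, no AD
BROKEN_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)  # SERVFAIL
BROKEN_ANSWERED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # answered anyway
```

The AD flag arrives over the same unencrypted path as the query, so treat it as a statement about the resolver's behaviour, not as proof that a particular answer was untouched in transit.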

Actually, The VPN Case

Actually, scratch that — if you're using a VPN, the VPN's DNS configuration matters most. A VPN that tunnels your traffic but routes DNS through your ISP's resolver leaks every domain you visit. A VPN with proper DNS leak protection routes all queries through its own resolver inside the tunnel. Test it. Don't assume.
