How to Check if Your DNS Is Actually Secure
Your DNS resolver is the first stop for every internet request you make. Default ISP resolvers log your queries, don't validate responses, and often inject ads into NXDOMAIN responses (when a domain doesn't exist). Checking and improving your DNS security is one of the highest-value, lowest-effort privacy improvements most people can make.
What to Check First
Find out which DNS resolver your device is actually using. On Windows, open Command Prompt and run 'ipconfig /all' — look for DNS Servers under your active network adapter. On macOS and Linux, check /etc/resolv.conf or run 'scutil --dns'. If it shows your router's IP, your router is handling DNS (and probably forwarding to your ISP). If it shows 8.8.8.8, you're on Google. If it shows 1.1.1.1, you're on Cloudflare.
The Three Properties That Matter
Privacy: does the resolver log your queries, and for how long? Google's 8.8.8.8 logs queries for 24-48 hours tied to approximate location. Cloudflare's 1.1.1.1 claims to delete logs within 24 hours. NextDNS allows fully customisable logging with an option for no logging. Your ISP's resolver logs queries for months or years in most jurisdictions.
Encryption: is the query encrypted in transit? Plain DNS sends queries in cleartext on UDP port 53 — visible to anyone watching the network. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt queries so only the resolver can read them. Check whether your browser or OS is using DoH — Chrome, Firefox, and Windows 11 all support it.
Validation: does the resolver validate DNSSEC signatures? Cloudflare and Google both validate DNSSEC. Many ISP resolvers don't. DNSSEC validation prevents certain cache poisoning attacks.
Actually, The VPN Case
Here's the honest part: if you're using a VPN, the VPN's DNS configuration matters most. A VPN that tunnels your traffic but routes DNS through your ISP's resolver leaks every domain you visit. A VPN with proper DNS leak protection routes all queries through its own resolver inside the tunnel. Test it. Don't assume.
Choosing a Secure DNS Provider
Not all private DNS resolvers are equal. Cloudflare 1.1.1.1 is the fastest globally (consistently under 15ms average query time) and has a clear privacy policy that's been independently audited. Google's 8.8.8.8 is slightly slower but reliable and validated by DNSSEC. Quad9 (9.9.9.9) adds malware-blocking by default — queries for known malicious domains return NXDOMAIN, blocking access without additional configuration. NextDNS is the most flexible, letting you configure custom blocklists and query logging settings through a web dashboard.
For maximum privacy, Mullvad offers a DNS resolver that strips all identifying information from queries before processing — even the query source IP is anonymised. It's designed specifically for VPN users who want their DNS resolver to know as little as possible. The catch is that it's only reliably usable from Mullvad's VPN infrastructure. The right choice depends on your priority: speed, blocking, customisation, or maximum privacy. All of them are meaningfully better than your ISP's default resolver.
Run a DNS Leak Test
Find out exactly which DNS resolver is handling your queries — and whether it's leaking.
Run DNS Leak TestAbout Kunal Khatri
Kunal is a network security specialist and systems administrator with 8+ years of experience auditing secure connections and building network infrastructure.
Related Articles
DNSSEC: Making DNS Trustworthy (Finally)
DNS has no built-in authentication — any resolver can lie to you. DNSSEC adds cryptographic signatures to prevent that. Adoption is growing. It's not enough yet.
MX Records: How Email Routing Actually Works
When you send an email, the routing decision happens through MX records in DNS. Understanding this explains delivery failures, spam problems, and how to set up email correctly.
What Is a Reverse DNS Lookup and Who Uses It
Forward DNS goes from domain name to IP. Reverse DNS goes the other way — and the uses range from spam filtering to server identification to network diagnostics.
What Is a DNS Leak and Why It Ruins Your VPN
Your VPN is running. Your traffic is encrypted. But your DNS queries might be going somewhere else entirely — and that's a serious privacy problem.
