Back to Blog
DNS

How to Check if Your DNS Is Actually Secure

By Kunal KhatriMar 9, 2026
How to Check if Your DNS Is Actually Secure

Your DNS resolver is the first stop for every internet request you make. Default ISP resolvers log your queries, don't validate responses, and often inject ads into NXDOMAIN responses (when a domain doesn't exist). Checking and improving your DNS security is one of the highest-value, lowest-effort privacy improvements most people can make.

What to Check First

Find out which DNS resolver your device is actually using. On Windows, open Command Prompt and run 'ipconfig /all' — look for DNS Servers under your active network adapter. On macOS and Linux, check /etc/resolv.conf or run 'scutil --dns'. If it shows your router's IP, your router is handling DNS (and probably forwarding to your ISP). If it shows 8.8.8.8, you're on Google. If it shows 1.1.1.1, you're on Cloudflare.

The Three Properties That Matter

Privacy: does the resolver log your queries, and for how long? Google's 8.8.8.8 logs queries for 24-48 hours tied to approximate location. Cloudflare's 1.1.1.1 claims to delete logs within 24 hours. NextDNS allows fully customisable logging with an option for no logging. Your ISP's resolver logs queries for months or years in most jurisdictions.

Encryption: is the query encrypted in transit? Plain DNS sends queries in cleartext on UDP port 53 — visible to anyone watching the network. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt queries so only the resolver can read them. Check whether your browser or OS is using DoH — Chrome, Firefox, and Windows 11 all support it.

Validation: does the resolver validate DNSSEC signatures? Cloudflare and Google both validate DNSSEC. Many ISP resolvers don't. DNSSEC validation prevents certain cache poisoning attacks.

Actually, The VPN Case

Here's the honest part: if you're using a VPN, the VPN's DNS configuration matters most. A VPN that tunnels your traffic but routes DNS through your ISP's resolver leaks every domain you visit. A VPN with proper DNS leak protection routes all queries through its own resolver inside the tunnel. Test it. Don't assume.

Choosing a Secure DNS Provider

Not all private DNS resolvers are equal. Cloudflare 1.1.1.1 is the fastest globally (consistently under 15ms average query time) and has a clear privacy policy that's been independently audited. Google's 8.8.8.8 is slightly slower but reliable and validated by DNSSEC. Quad9 (9.9.9.9) adds malware-blocking by default — queries for known malicious domains return NXDOMAIN, blocking access without additional configuration. NextDNS is the most flexible, letting you configure custom blocklists and query logging settings through a web dashboard.

For maximum privacy, Mullvad offers a DNS resolver that strips all identifying information from queries before processing — even the query source IP is anonymised. It's designed specifically for VPN users who want their DNS resolver to know as little as possible. The catch is that it's only reliably usable from Mullvad's VPN infrastructure. The right choice depends on your priority: speed, blocking, customisation, or maximum privacy. All of them are meaningfully better than your ISP's default resolver.

Run a DNS Leak Test

Find out exactly which DNS resolver is handling your queries — and whether it's leaking.

Run DNS Leak Test
KK

About Kunal Khatri

Kunal is a network security specialist and systems administrator with 8+ years of experience auditing secure connections and building network infrastructure.

Share this article: