Safe DNS: Encrypting DNS for a Safe Online Experience

May 09, 2022
Daniel Cid (@dcid)

The Domain Name System (DNS), created by Paul Mockapetris, translates human-readable addresses like cleanbrowsing.org into IP addresses that computers use to communicate. However, DNS was designed during the internet's early era, when the focus was on creating innovative technologies with less emphasis on security safeguards. As a result, traditional DNS queries are sent in plain text, leaving them vulnerable to interception and manipulation.

Four Options for Safe DNS

Over the years, several technologies have been developed to address the security gaps in traditional DNS. Here are the four main approaches:

DNSSEC (Domain Name System Security Extensions) was launched in 2004 to prevent attackers from forging DNS data during requests. It works by adding cryptographic signatures to DNS records, allowing resolvers to verify that the response has not been tampered with.

DNSCrypt addresses man-in-the-middle threats by wrapping DNS traffic in a tunnel of encryption using HTTPS. This prevents anyone from eavesdropping on or modifying DNS queries as they travel between your device and the resolver.

DNS-over-HTTPS (DOH) was released in 2016 and similarly wraps DNS communications in HTTPS encryption to prevent interception. It sends DNS queries over the same port as regular web traffic (port 443), making it harder to distinguish DNS requests from normal browsing.

DNS-over-TLS (DOT) was also introduced in 2016 and uses TLS encryption rather than HTTPS for the same protective purpose. It operates on a dedicated port (853), which makes it easier to identify and manage at the network level.

The final three methods — DNSCrypt, DOH, and DOT — accomplish similar goals through different technical approaches. Each encrypts the communication between your device and the DNS resolver, preventing eavesdropping and tampering.
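To make the difference between DOH and DOT concrete, the following added example (not CleanBrowsing code) encodes one DNS query and frames it both ways: as a length-prefixed message for the TLS stream on port 853, and as a base64url `dns` parameter in an HTTPS GET on port 443. The resolver host `resolver.example` and the `/dns-query` path are placeholder assumptions, not CleanBrowsing endpoints, and the code only builds the bytes without opening a connection.

```python
import base64
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a one-question DNS query in RFC 1035 wire format."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label: {label!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def frame_for_dot(message: bytes) -> bytes:
    """DOT (RFC 7858): two-byte length prefix, then the message.
    These bytes are written inside the TLS session on port 853."""
    return struct.pack("!H", len(message)) + message


def parse_dot_frame(frame: bytes) -> bytes:
    """Undo frame_for_dot; reject truncated or over-long frames."""
    if len(frame) < 2:
        raise ValueError("frame shorter than length prefix")
    (length,) = struct.unpack("!H", frame[:2])
    if len(frame) - 2 != length:
        raise ValueError("length prefix does not match payload")
    return frame[2:]


def frame_for_doh_get(message: bytes, host: str, path: str = "/dns-query") -> str:
    """DOH (RFC 8484) GET: message as unpadded base64url in ?dns=.
    host and path are placeholders (assumptions), sent over HTTPS on 443."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"https://{host}{path}?dns={encoded}"


if __name__ == "__main__":
    # Constructed sample: the domain used in the article's introduction.
    dot_query = build_query("cleanbrowsing.org", txid=0x1234)
    print("DOT frame :", frame_for_dot(dot_query).hex())
    # RFC 8484 recommends ID 0 for DOH so HTTP caches can reuse responses.
    doh_query = build_query("cleanbrowsing.org", txid=0)
    print("DOH URL   :", frame_for_doh_get(doh_query, "resolver.example"))
```

The DNS message is identical in both cases; only the outer framing and port differ, which is why DOT is simple to identify on port 853 while DOH looks like any other HTTPS request.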

CleanBrowsing and Encrypted DNS

CleanBrowsing offers both free and paid filtering options and supports all of the encryption methods mentioned above (excluding DNSSEC, which operates at a different layer and does not apply directly to resolver services). By combining DNS-based content filtering with encrypted DNS protocols, you can ensure both privacy and safety in your online experience.
