What is Encrypted DNS?

Understand and Configure DoH & DoT for Better Online Privacy

Encrypted DNS helps protect your browsing activity from being tracked or tampered with by encrypting DNS queries. Learn how DNS-over-HTTPS (DoH), DNS-over-TLS (DoT) and DNSCrypt work and how to set them up on your devices.

Learn About Pricing

Step 1: What is Encrypted DNS?

Every time you visit a website, your device makes a DNS request to translate a domain name (like google.com) into an IP address. Traditionally, this request is sent in plaintext, making it vulnerable to eavesdropping, tracking, and manipulation.

Encrypted DNS solves this by wrapping DNS queries inside encrypted protocols such as:

  • DNS-over-HTTPS (DoH) – Sends DNS over HTTPS traffic, same as a secure website
  • DNS-over-TLS (DoT) – Sends DNS traffic over a dedicated TLS connection
These technologies improve user privacy and help prevent DNS-based attacks like spoofing or hijacking.

Step 2: Benefits of DNS Encryption

Using encrypted DNS offers several key benefits:

  • 🔒 Prevents ISPs or networks from tracking your browsing behavior
  • 🚫 Stops third-party DNS injection or manipulation
  • 📶 Secures public Wi-Fi usage by protecting DNS traffic
  • 🧩 Helps enforce parental controls and filtering rules consistently
Encrypted DNS is a foundational part of modern internet privacy, especially in schools, businesses, and at home.

👉 Read our full DoH guide:
Encrypted DNS: What it Is and Why we should Care

Step 3: What is DNS-over-HTTPS (DoH)?

DoH sends DNS queries over the same protocol used for secure websites (HTTPS). This makes DNS requests blend in with regular web traffic and helps bypass some filtering or surveillance systems.

CleanBrowsing supports DoH with these endpoints:

  • https://doh.cleanbrowsing.org/doh/family-filter/
  • https://doh.cleanbrowsing.org/doh/adult-filter/
  • https://doh.cleanbrowsing.org/doh/security-filter/


👉 Read our full DoH guide:
What is DNS-over-HTTPS (DoH)?

Step 4: What is DNS-over-TLS (DoT)?

DoT encrypts DNS using Transport Layer Security (TLS), typically on port 853. It provides strong privacy without tunneling through HTTPS.

CleanBrowsing DoT endpoints:

  • family-filter-dns.cleanbrowsing.org
  • adult-filter-dns.cleanbrowsing.org
  • security-filter-dns.cleanbrowsing.org


👉 Read our DoT guide:
What is DNS-over-TLS (DoT)?

Step 5: What is DNSCrypt?

DNSCrypt is an open-source protocol that authenticates and encrypts DNS traffic between your device and a DNS resolver. Unlike DoH and DoT which use standardized web encryption (HTTPS/TLS), DNSCrypt uses its own cryptographic protocol to prevent DNS spoofing and man-in-the-middle attacks.

While not as widely supported by browsers and OS-level settings, DNSCrypt is a powerful option for advanced users and router-level setups. It offers strong privacy and security, and works great with CleanBrowsing.

CleanBrowsing DNSCrypt endpoints:

  • sdns://AQc... (full sdns stamps listed on the docs page)


👉 Full guide here:
Using DNSCrypt with CleanBrowsing

Tip: DNSCrypt is ideal for use with apps like Simple DNSCrypt (Windows) or dnscrypt-proxy.

Step 6: How to Enable Encrypted DNS

You can enable DoH or DoT on most modern devices and browsers. Here are some of our step-by-step guides: CleanBrowsing makes these protocols easy to use — just copy/paste our endpoints into the configuration fields.

Step 7: How to Verify and Troubleshoot

After enabling encrypted DNS, you can test it using tools like:
  • https://dnsleaktest.com – Confirms DNS server in use
  • Use browser dev tools or network logs to confirm DNS calls go to CleanBrowsing
Command Line Example (Basic)
nslookup example.com
Result should show a CleanBrowsing DNS server like: 
Server:  185.228.168.168
          Address: 185.228.168.168#53
Advanced Command Line Tests

DoT Test (with kdig):

kdig @dns.cleanbrowsing.org +tls-ca +tls-host=dns.cleanbrowsing.org example.com

DoH Test (with curl):

curl -H 'accept: application/dns-json' 'https://dns.cleanbrowsing.org/dns-query?name=example.com&type=A'
Packet-Level Verification

You can also inspect DNS traffic using tcpdump or Wireshark to confirm that unencrypted DNS (port 53) is not in use:

sudo tcpdump -n port 53

If no traffic appears on port 53, your encrypted DNS is likely working correctly.

CleanBrowsing supports DoH and DoT across all filters — with no additional configuration needed.

Explore Our DNS Filters