Most Android phones can encrypt DNS out of the box — the feature is just buried in the settings. It's called Private DNS, it uses DNS-over-TLS (DoT), and it has shipped on every Android device since Android 9 (Pie). Turning it on takes about a minute and protects every app on your phone.
What Private DNS Does
Normally your DNS lookups travel in plain text, so anyone on the same Wi-Fi — and your network operator — can see which sites you're resolving. Private DNS wraps those lookups in TLS encryption, the same technology that secures HTTPS websites. It doesn't hide that you used the internet, but it hides the specific domains you looked up.
How to Enable Private DNS (Step by Step)
- Open Settings.
- Go to Network & internet (on some phones: Connections → More connection settings).
- Tap Private DNS.
- Choose Private DNS provider hostname.
- Enter a hostname, for example one.one.one.one for Cloudflare.
- Tap Save.
Cloudflare — one.one.one.one · Quad9 — dns.quad9.net · Google — dns.google. Use the hostname, not the IP address — DoT requires a name to validate the certificate.
Why Use It on Mobile
Phones constantly hop between networks — home, work, coffee shops, airports. On public Wi-Fi especially, unencrypted DNS is easy to snoop. Because Private DNS is applied system-wide, it protects your lookups everywhere without per-app setup, and it keeps working on mobile data too.
DNS-over-TLS vs Plain DNS
Plain DNS sends your lookups in the clear on port 53. DoT sends the same queries over an encrypted connection so they can't be read or tampered with in transit. It's a meaningful privacy upgrade, and unlike browser settings it covers your entire device.
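To see what that looks like on the wire, here is an added example (not from the original article) of a minimal Python DoT client: it sends an ordinary DNS query, with the 2-byte length prefix used by DNS over TCP, through a TLS connection to port 853 (the standard DoT port, RFC 7858), and the handshake fails unless the server's certificate matches the provider hostname. The function names are illustrative, and `dot_lookup` needs network access.

```python
import socket, ssl, struct
# Added example: hostname default comes from the article; names are illustrative.
def build_query(name, qtype=1, txid=0x1234):
    """DNS query for `name` (type A by default) with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def frame(msg):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def skip_name(buf, pos):
    """Step over a possibly compressed domain name; return the next offset."""
    while True:
        n = buf[pos]
        if n == 0:
            return pos + 1
        if (n & 0xC0) == 0xC0:  # compression pointer is always 2 bytes
            return pos + 2
        pos += 1 + n

def parse_a_records(resp):
    """IPv4 addresses found in the answer section of a DNS response."""
    qd, an = struct.unpack("!HH", resp[4:8])
    pos = 12
    for _ in range(qd):
        pos = skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(resp, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def dot_lookup(name, provider="one.one.one.one", port=853, timeout=5):
    """Resolve `name` over DoT; TLS fails unless the cert matches `provider`."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((provider, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=provider) as tls, \
            tls.makefile("rb") as rd:
        tls.sendall(frame(build_query(name)))
        (length,) = struct.unpack("!H", rd.read(2))
        return parse_a_records(rd.read(length))
```

Calling `dot_lookup("example.com")` from a networked machine returns the A records as seen by the chosen provider; the provider's own hostname is first resolved through the system resolver before the encrypted session starts.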
Verify It's Working
Open our DNS leak test in your phone's browser. The resolver shown should match the provider you set (for example, Cloudflare). If it still shows your carrier, re-open Private DNS and confirm the hostname saved correctly. To understand what you're protecting against, read what DNS leaks are, and for desktop coverage see how to fix DNS leaks in your browser.