Every time your phone loads a website or app, it first asks a DNS resolver to translate a domain name like example.com into an IP address. By default, that request goes to your mobile carrier or ISP's DNS server, sent in plain text — unencrypted, visible to anyone monitoring your network traffic, and logged by the resolver. Switching to an encrypted private DNS resolver means those lookups are hidden from your carrier and from anyone on the same network as you. Both Android and iOS support this without any additional apps, using built-in settings that take under two minutes to configure.
What Private DNS Actually Does (and Does Not Do)
Setting a private DNS resolver encrypts your DNS lookups. This prevents your ISP or mobile carrier from seeing which domains your phone queries, and prevents passive monitoring on a public Wi-Fi network from reading your DNS traffic. What it does not do:
- It does not hide the IP addresses your phone connects to, and for HTTPS connections the hostname still travels in plain text in the TLS handshake (the SNI field) unless the site supports Encrypted Client Hello. Both remain visible to network observers even after DNS encryption.
- It does not encrypt the content of your traffic — that is handled by HTTPS, separately.
- It does not make you anonymous on the internet or hide your browsing from websites themselves.
- It does not hide your activity from the DNS resolver you are switching to — you are trusting that resolver instead of your ISP.
With those limits understood: encrypted DNS is still a meaningful privacy improvement, particularly on mobile networks where carrier DNS logging is common and on public Wi-Fi where passive DNS snooping is trivial.
Choosing a Resolver
Before configuring either platform, decide which resolver to use. The most widely used free options:
- Cloudflare (1.1.1.1): DoT hostname `one.one.one.one`, DoH address `https://cloudflare-dns.com/dns-query`. Fast, privacy-focused (claims no logging beyond 25 hours for operational purposes). Also offers 1.1.1.2 (blocks malware) and 1.1.1.3 (blocks malware and adult content) via the alternate hostnames `security.cloudflare-dns.com` and `family.cloudflare-dns.com`.
- Google (8.8.8.8): DoT hostname `dns.google`, DoH address `https://dns.google/dns-query`. Reliable and globally fast, but Google retains some query data per its privacy policy: a reasonable trade-off for some, less ideal for privacy-focused users.
- Quad9 (9.9.9.9): DoT hostname `dns.quad9.net`, DoH address `https://dns.quad9.net/dns-query`. Non-profit operated, blocks known malicious domains, and its privacy policy commits to not selling data. A good default if you want built-in malware blocking with no extra setup.
- NextDNS: Free tier supports up to 300,000 queries per month, with a dashboard showing your DNS logs and configurable blocklists for ads, trackers, and malware. Provides a personal DoH/DoT hostname after you create a free account. The most powerful option if you want control over what gets blocked, with the caveat that your full query log then lives in that dashboard.
Configuring Private DNS on Android
Android 9 and later have built-in support for DNS-over-TLS (DoT) under the "Private DNS" setting. It applies system-wide to all apps and all network connections, both Wi-Fi and mobile data. The setting has three modes: Off (plain-text DNS), Automatic (opportunistic: uses DoT only if the network's own resolver happens to support it, otherwise plain text), and "Private DNS provider hostname" (strict: always uses DoT to the resolver you name). Only the last mode guarantees encryption.
Steps
- Open Settings on your Android device.
- Go to Network & internet (or Connections on Samsung devices) → Private DNS. On some Android skins the path differs; search "Private DNS" in the Settings search bar.
- Select "Private DNS provider hostname."
- Enter the DoT hostname for your chosen resolver. For Cloudflare: `one.one.one.one`. For Quad9: `dns.quad9.net`. For Google: `dns.google`.
- Tap Save.
Android will attempt to connect to the resolver on TCP port 853 using TLS, validating the server certificate against the hostname you entered. If the connection succeeds, DNS queries are now encrypted. If Android cannot reach the resolver over TLS, it does not fall back to unencrypted DNS silently: it shows a "Private DNS" error in the connection status, and name resolution fails until you fix or revert the setting. This fail-closed behavior is a privacy advantage: you will know if something is wrong rather than silently reverting to plain-text DNS. (Note that this is true only of the hostname mode; Automatic mode is designed to fall back.)
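What actually crosses the wire in the hostname mode described above is an ordinary DNS message, framed with a two-byte length prefix (as in DNS over TCP), inside a TLS session to port 853 whose certificate must match the hostname you typed. The following is an added example, not code from the original page, that builds such a query, frames and parses it, and can send it live with hostname verification so that a bad certificate fails closed, mirroring Android's behavior. The resolver defaults are Cloudflare's public hostname and address from the list above; `build_sample_response` is a constructed answer used only for the offline check, and `192.0.2.1` is a documentation address, not a real answer for example.com.

```python
"""DNS-over-TLS (RFC 7858) building blocks: wire-format query, 2-byte length
framing, response parsing with name compression, and a live DoT lookup.
Added example; not from the original page."""
import random
import socket
import ssl
import struct
from typing import Optional


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Encode a single-question DNS query (RFC 1035 wire format) with RD=1."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def dot_frame(message: bytes) -> bytes:
    """DoT (like DNS over TCP) prefixes each message with its big-endian length."""
    return struct.pack("!H", len(message)) + message


def dot_unframe(stream: bytes) -> bytes:
    (n,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + n:
        raise ValueError("truncated DNS message")
    return stream[2:2 + n]


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Parse header, skip the question, and decode A/AAAA answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                         # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        elif rtype == 28 and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"rcode": flags & 0x000F, "answers": answers}


def build_sample_response(txid: int) -> bytes:
    """Constructed answer for the offline check: example.com A 192.0.2.1, TTL 300."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
    return header + question + answer


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def dot_query(name: str, server_name: str = "one.one.one.one",
              server_ip: str = "1.1.1.1", qtype: int = 1, timeout: float = 5.0) -> dict:
    """Live DoT lookup. create_default_context() verifies the chain and that the
    certificate matches server_name, so a wrong hostname fails instead of
    falling back to plain text (the same fail-closed behavior as Android)."""
    ctx = ssl.create_default_context()
    txid = random.randrange(0, 0x10000)
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(dot_frame(build_query(name, qtype, txid)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length), txid)


if __name__ == "__main__":
    print(dot_query("example.com"))
```

Running the script performs one live lookup; swapping `server_name` for a hostname the resolver's certificate does not cover makes `wrap_socket` raise, which is the check worth seeing once before trusting the phone setting.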
Configuring Private DNS on iOS and iPadOS
iOS does not have a single system-wide encrypted DNS setting equivalent to Android's Private DNS. Instead, iOS uses configuration profiles or per-Wi-Fi settings. The two main approaches are the built-in per-network DNS change and installing a DNS configuration profile.
Option A: Per-Wi-Fi DNS Change (No Encryption)
You can change the DNS server used on a specific Wi-Fi network in Settings. This changes the DNS server but does not encrypt the queries — it is a plain-text DNS change:
- Go to Settings → Wi-Fi.
- Tap the info icon next to the network you want to change.
- Scroll to DNS and tap Configure DNS.
- Switch from Automatic to Manual, remove the existing servers, and add your preferred IP (e.g., `1.1.1.1` for Cloudflare, `9.9.9.9` for Quad9).
This changes the resolver but does not encrypt. For encrypted DNS on iOS, use Option B.
Option B: Encrypted DNS via Configuration Profile (DoH or DoT)
iOS 14 and later support DoH and DoT system-wide via configuration profiles — small files that install a DNS setting at the operating system level, applying to all apps and connections including cellular data.
- In Safari on your iPhone, navigate to the resolver's profile download page. Cloudflare offers one at `1.1.1.1/dns/` (tap the "iOS" option to download the profile). Quad9 offers profiles on its website. NextDNS generates a personal profile in its dashboard.
- After downloading, iOS prompts you to review the profile. Tap Allow to download it.
- Open Settings → General → VPN & Device Management. The downloaded profile appears here.
- Tap the profile and tap Install. Enter your passcode if prompted and confirm the installation.
- The profile is now active. DNS queries are encrypted system-wide. Before installing a profile from any source, open it and check that the only payload is a DNS settings payload pointing at the resolver you expect; a profile can carry other payloads (certificates, VPN or proxy settings) that you would not want from an untrusted party.
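A configuration profile of this kind is a small XML property list with one DNS settings payload. The generator below is an added example, not a file from the original page or from any resolver; it uses Apple's documented payload type `com.apple.dnsSettings.managed` and the `DNSSettings` keys `DNSProtocol`, `ServerName`, `ServerURL` and `ServerAddresses`. The payload identifiers and display names are placeholders chosen here, and the Quad9 addresses are its public resolver addresses. Writing the output to a `.mobileconfig` file and opening it on the device (AirDrop, mail, or a web link) produces the same Install prompt as the vendor-provided profiles above.

```python
"""Generate and inspect an iOS/iPadOS encrypted-DNS configuration profile.
Added example; payload keys follow Apple's DNSSettings payload documentation,
identifiers are placeholders."""
import plistlib
import uuid
from typing import Iterable, Optional


def dns_payload(protocol: str, server_addresses: Iterable[str],
                server_name: Optional[str] = None,
                server_url: Optional[str] = None) -> dict:
    """Build the DNSSettings payload for DoT ("TLS") or DoH ("HTTPS").
    The checks reject the combinations that would leave the device with no
    way to authenticate the resolver."""
    if protocol not in ("TLS", "HTTPS"):
        raise ValueError("DNSProtocol must be 'TLS' or 'HTTPS'")
    settings = {"DNSProtocol": protocol, "ServerAddresses": list(server_addresses)}
    if protocol == "TLS":
        if not server_name:
            raise ValueError("DoT needs ServerName; the certificate is validated against it")
        settings["ServerName"] = server_name
    else:
        if not server_url or not server_url.startswith("https://"):
            raise ValueError("DoH needs an https:// ServerURL")
        settings["ServerURL"] = server_url
    return {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"example.dns.{protocol.lower()}",   # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Encrypted DNS ({protocol})",
        "DNSSettings": settings,
    }


def build_profile(payload: dict, name: str = "Encrypted DNS",
                  identifier: str = "example.dns.profile") -> dict:
    """Wrap one payload in the top-level Configuration profile structure."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,                         # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": [payload],
    }


def profile_to_bytes(profile: dict) -> bytes:
    """Serialize as XML plist, which is what a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def describe_profile(data: bytes) -> list:
    """Summarize every payload in a profile: the review step before installing.
    Anything other than a single DNS payload is worth a second look."""
    profile = plistlib.loads(data)
    out = []
    for p in profile.get("PayloadContent", []):
        entry = {"type": p.get("PayloadType")}
        if p.get("PayloadType") == "com.apple.dnsSettings.managed":
            s = p["DNSSettings"]
            entry["protocol"] = s["DNSProtocol"]
            entry["target"] = s.get("ServerName") or s.get("ServerURL")
            entry["addresses"] = s.get("ServerAddresses", [])
        out.append(entry)
    return out


def quad9_dot_profile() -> bytes:
    """Ready-to-write DoT profile for Quad9 (hostname from the list above)."""
    payload = dns_payload("TLS", ["9.9.9.9", "149.112.112.112"],
                          server_name="dns.quad9.net")
    return profile_to_bytes(build_profile(payload, name="Quad9 DoT"))


if __name__ == "__main__":
    data = quad9_dot_profile()
    with open("quad9-dot.mobileconfig", "wb") as f:
        f.write(data)
    print(describe_profile(data))
```

A profile generated this way is unsigned, so the Install screen shows it as "Not Signed"; it still installs. `describe_profile` is the part to reuse on profiles you did not build yourself: run it over the downloaded file and confirm the payload list is exactly one DNS entry with the hostname you chose.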
Verifying It Works
After installation, navigate to 1.1.1.1/help in Safari to verify Cloudflare's resolver is active (if you chose Cloudflare). The page shows whether DNS-over-HTTPS and DNS-over-TLS are successfully connected. For other resolvers, their websites typically provide similar test pages.
When to Revert
Some network environments block custom DNS resolvers. Corporate networks, schools, and hotel Wi-Fi sometimes require their own DNS to enforce policies or content filtering, and captive portals that need you to sign in before granting access may not even appear while the device is trying to reach an outside resolver on port 853. If certain sites or apps stop loading after enabling private DNS, or a new network never shows its login page, that network is likely blocking the resolver. On Android, temporarily switch Private DNS back to Automatic (or Off). On iOS, remove or disable the configuration profile temporarily in Settings → General → VPN & Device Management, and re-enable it once you are off that network.