Encrypted DNS: What It Is and Why We Should Care
Aug 17, 2021
What Is Encrypted DNS?
Traditionally, DNS requests travel as readable clear-text across the internet. This means that anyone monitoring the network -- your Internet Service Provider, network administrator, or even a malicious actor on a public Wi-Fi network -- can see which websites you are trying to visit. Encrypted DNS changes this by encrypting those requests in transit, so that a request for a website like "cleanbrowsing.org" appears as unreadable ciphertext to anyone observing the traffic.
Why Encrypted DNS Exists
The primary drivers for encrypted DNS adoption are security and privacy. Without encryption, ISPs can monitor and log every website their customers visit. Governments can use this data for surveillance purposes, and advertisers can exploit it for targeted marketing. Encrypting DNS requests prevents these entities from easily monitoring browsing behavior.
From a security standpoint, encrypted DNS also protects the path between your device and the resolver against DNS spoofing and man-in-the-middle attacks, where a malicious actor on that path could tamper with your DNS requests and redirect you to fraudulent websites.
How It Is Being Implemented
Browser adoption has dramatically accelerated encrypted DNS deployment. Modern browsers now offer "Secure DNS" features based on DNS-over-HTTPS (DoH), which sends DNS queries over the same encrypted HTTPS connections used for regular web browsing. Operating systems like macOS, iOS, and Windows have also introduced encryption mechanisms that application developers can leverage.
This means encrypted DNS is no longer a niche technology used by privacy enthusiasts. It is becoming a default setting in the tools millions of people use every day.
The Problem for Families and Organizations
While CleanBrowsing supports encryption in general, there are serious concerns about how it is being implemented. The technology can be enabled by any user regardless of age, and once enabled, it immediately circumvents parental controls and content filters that operate at the DNS level.
The current rollout assumes that all users are the same, without accounting for children and the legitimate need their guardians have to filter content. A child can enable Secure DNS in their browser settings in seconds, completely bypassing the protections their parents have put in place.
What Can Be Done
For families and organizations that rely on DNS-based content filtering, it is important to disable Secure DNS features in browsers to maintain filtering effectiveness. CleanBrowsing provides guidance on how to disable these features across major browsers including Chrome, Firefox, Edge, and Brave.
On managed devices, administrators can use Group Policy or registry settings to enforce these configurations. For home users, checking browser settings and ensuring Secure DNS is turned off is an important step in maintaining your content filtering setup.
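For administrators doing this on managed Windows devices, the following script is an added example (not CleanBrowsing's own tooling) that audits, and with -Enforce writes, the registry-backed browser policies that pin Secure DNS off: Chrome and Edge use the documented DnsOverHttpsMode policy, Firefox uses its DNSOverHTTPS Enabled/Locked policy, and the Brave path is assumed to follow Chromium's policy layout. Run it from an elevated PowerShell prompt; without -Enforce it only reports.

```powershell
# Added example, not CleanBrowsing's own code. Audits (and with -Enforce, sets) the
# machine-level browser policies that keep "Secure DNS" / DoH switched off so users
# cannot re-enable it from the browser's settings page. Run as Administrator.
param([switch]$Enforce)

# Chromium-based browsers read DnsOverHttpsMode (REG_SZ: off | automatic | secure).
# Firefox reads DNSOverHTTPS\Enabled and DNSOverHTTPS\Locked (DWORD).
# The Brave path is an assumption (Chromium policy layout); verify against Brave's docs.
$policies = @(
    @{ Browser='Chrome';  Path='HKLM:\SOFTWARE\Policies\Google\Chrome';               Name='DnsOverHttpsMode'; Type='String'; Want='off' },
    @{ Browser='Edge';    Path='HKLM:\SOFTWARE\Policies\Microsoft\Edge';              Name='DnsOverHttpsMode'; Type='String'; Want='off' },
    @{ Browser='Brave';   Path='HKLM:\SOFTWARE\Policies\BraveSoftware\Brave';         Name='DnsOverHttpsMode'; Type='String'; Want='off' },
    @{ Browser='Firefox'; Path='HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'; Name='Enabled'; Type='DWord'; Want=0 },
    @{ Browser='Firefox'; Path='HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'; Name='Locked';  Type='DWord'; Want=1 }
)

function Get-PolicyValue($Path, $Name) {
    # $null means the key or value is absent, i.e. the user can still flip the setting.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

foreach ($p in $policies) {
    $current = Get-PolicyValue $p.Path $p.Name
    $ok = ($null -ne $current) -and ("$current" -eq "$($p.Want)")
    if ($ok) {
        Write-Host ("[OK]      {0,-8} {1} = {2}" -f $p.Browser, $p.Name, $current)
        continue
    }
    $shown = if ($null -eq $current) { '<unset>' } else { $current }
    Write-Host ("[MISSING] {0,-8} {1} = {2} (want {3})" -f $p.Browser, $p.Name, $shown, $p.Want)
    if ($Enforce) {
        # Create the policy key if needed, then write or overwrite the value.
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Want -PropertyType $p.Type -Force | Out-Null
        Write-Host ("[SET]     {0,-8} {1} = {2}" -f $p.Browser, $p.Name, $p.Want)
    }
}
```

Browsers pick up these policies on their next launch; on domain-joined machines the same values can be delivered centrally through Group Policy instead of a local script.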