The Best Alternatives to DNSCrypt

Rob Mardisalu

Editor of TheBestVPN.com

Taking steps to hide your internet traffic from prying eyes is something that we’re passionate about here. Which is why we feel like we should warn you: there’s a potential vulnerability hiding in plain sight. Your DNS queries might be unencrypted.

If you have no idea what this means, don’t worry; we’ll explain it for you. And if you do know what this means, you’re probably familiar with DNS encryption methods, which have evolved significantly since 2018.

Let’s start with the basics, and then we’ll get to our recommendations.

Why Your DNS Queries Should Be Encrypted

DNS stands for “domain name system,” and it serves a bit like the internet’s phone book. When you type a URL into your browser, like www.thebestvpn.com, your computer gets in touch with a DNS server, and the server sends an IP address back. The IP address is the actual location of the site.

Once your computer has the IP address, it can connect to the server where the site is hosted. All of this happens in the background, and you might not even know it’s happening.

There’s a problem, though: your query to the domain name server might be unencrypted. And if it is, someone snooping on your web traffic might be able to see the sites you’re going to, even if you’re using HTTPS or a VPN.

They won’t be able to see what you type into the site, or what you do there, but just knowing which site you’re going to could be enough to make you a bit less secure. Remember the big controversy over the NSA collecting cell phone metadata? This is sort of like that. No one can see what you’re doing on those websites, but they can still see which sites you’re going to. And that’s enough to make a lot of people (including us) uncomfortable.

If you’re worried about government surveillance, you definitely don’t want your DNS queries unencrypted.

In addition to security problems, it can also be cause for concern about privacy. If you’re using your ISP’s DNS server, they’ll know which sites you’re going to. And if they’re under national jurisdiction — or you’re in the US, where that information could be sold to advertisers — that’s a violation of your privacy.

Many people use Google’s DNS servers because they’re very fast. But that’s another potential privacy concern, as Google is always collecting as much information as possible about every user they can. And while they state that they don’t keep permanent records of DNS queries or match your DNS queries to personally identifiable information, the fact remains that they’re out to make money. And if they can use your DNS traffic to do it, they will.

These are all reasons why unencrypted DNS queries are bad. It’s time to start encrypting your DNS traffic.

Do VPNs Protect DNS Queries? What About HTTPS?

You’d think that using a VPN would protect all of your DNS queries. In many cases, you’re right. But that’s not always the case. Some VPNs, when confronted with certain situations, will send your DNS queries along normal lines of communication — which means they’re probably going to your ISP. And you won’t even know it’s happening.

So the answer is “yes . . . most of the time.” The best VPNs out there have DNS leak protection, and it works well. But if you’re using another VPN or you have this particular feature turned off, you could be exposed to data collection or snooping.

We always recommend VPNs with DNS leak protection, which stops this behavior before it can become a problem.

And if you’re not using a VPN, your DNS queries are definitely unencrypted, even if you use HTTPS. The secure version of HTTP encrypts all of the information that you send to sites. So no one can see what you’re doing on the site, the password you used to access it, or which pages you go to. But an unencrypted DNS query allows snoopers to see which sites you’re making requests to.

HTTPS is a great security feature — and we strongly recommend using it at all times to protect your online privacy. But it still leaves you open to DNS query surveillance, and that’s something a lot of people don’t realize.

The Best Methods for DNS Encryption in 2025

DNS encryption technology has advanced significantly in recent years. While DNSCrypt was once one of the most popular options, today there are multiple robust methods for encrypting your DNS queries. In 2025, these are your best options for securing DNS traffic.

A group called Dyne.org took over maintenance of DNSCrypt-Proxy years ago, and contrary to early concerns, the project has remained actively maintained. DNSCrypt-Proxy 2 remains a flexible DNS proxy tool with support for multiple encryption protocols, including DNSCrypt v2, DNS-over-HTTPS, Anonymized DNSCrypt, and newer protocols.

You can still get DNSCrypt directly from Cisco, but it’s not going to do you any good if you’re not using their DNS servers.

While DNSCrypt is certainly one of the more robust options, there are several modern alternatives. Here are four choices you have when you want to encrypt your DNS traffic.

1. Use a VPN with DNS Leak Protection

This is still the simplest alternative to DNSCrypt. You should be using a VPN anyway, and all you need to do is make sure that the one you’re using has DNS leak protection.

These VPNs — including two of our favorites, ExpressVPN and NordVPN — prevent your computer from routing DNS requests outside of the VPN.

Both of these services run their own DNS servers, so all of your DNS queries are routed through secure channels, both to and from the servers. This is the ideal situation; if your VPN has its own DNS servers, you won’t need to use those provided by your ISP (or another traffic spy, Google) and potentially reveal your browsing habits.

And that provides all the security you could need.

If you’re not sure whether your VPN is protecting your DNS traffic, we recommend using ExpressVPN’s leak test. It will tell you whether your DNS queries are visible to people who are trying to see them. If you’re not protected, it’s time to get a new VPN (and make sure to use it all the time).

In fact, you should use a leak test like this one whenever you’re working to secure your DNS traffic. They’ll let you know if your chosen solution, no matter what it is, is working.

2. Use DNS-over-TLS or DNS-over-HTTPS

Transport layer security (TLS) and HTTPS are cryptographic protocols used around the internet for secure data transfer. Major DNS services now support DNS queries sent over these protocols, encrypting your requests and keeping them safe from your ISP’s snooping.

DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) have become widely adopted standards in 2025. Major DNS providers like Cloudflare (1.1.1.1), Google DNS (8.8.8.8), Quad9 (9.9.9.9), and NextDNS now support these protocols out of the box.

Many modern browsers like Firefox, Chrome, and Edge support DoH natively, allowing you to encrypt DNS queries directly from your browser. Operating systems like Windows, macOS, Android, and iOS also now include built-in support for encrypted DNS.

These modern protocols offer excellent security with strong standardization and wide adoption by 2025. If you’re not using a VPN, switching to a DNS provider that supports DoT or DoH is a good way to add security to your DNS requests. Of course, we always recommend that you use a VPN, as it protects more information than just your DNS queries. But if you can’t use a VPN, encrypted DNS is a good security system to have in place.

3. Consider DNSCurve for Advanced Encryption

While not as widely supported as DoT or DoH, DNSCurve is another option for cryptographically protecting your DNS queries. Any request sent between a user and a DNS server is protected using elliptic curve cryptography, which is extremely secure; even more secure than the RSA encryption used by other security measures.

DNSCurve remains an option for users who prioritize extremely strong cryptography. It uses Curve25519 elliptic curve cryptography, which offers excellent performance compared to other cryptographic systems while maintaining high security.

Your best bet is to install DNSCurve, make sure you’re using compatible DNS servers, and run a leak test. You’ll require more technical skill and understanding than you’d need for the previous options, but if you’re willing to put in the time and you want to support a system that uses very strong cryptography, DNSCurve is worth looking into.

4. Use DNSCrypt-Proxy 2

This isn’t really an alternative, but it’s an important option to mention. DNSCrypt-Proxy 2 has remained actively maintained and continues to receive regular updates into 2025.

DNSCrypt-Proxy has evolved into a flexible DNS proxy tool that supports multiple encryption protocols including DNSCrypt v2, DNS-over-HTTPS, Anonymized DNSCrypt, and Oblivious DoH. It also includes features like DNS caching, filtering capabilities, and client IP protection.

The project is actively maintained with regular updates, making it a reliable option for encrypting your DNS traffic. If you pass a DNS leak test when using DNSCrypt-Proxy 2, you can be confident your DNS queries are protected.

Still, we recommend testing regularly, as with any security solution.

The Simplest Way to Encrypt Your DNS Queries in 2025

As you can see above, using a VPN with its own DNS servers and DNS leak protection is definitely the best way to protect your DNS traffic from spying. There certainly are other solutions, but many of them are quite technical. If you have the technical literacy to implement these or other cryptographic methods, we encourage you to do so!

If you’d like to find out more about DNS privacy and what people are doing to improve it, DNSprivacy.org is a great resource. There’s lots of technical information there about the problems, potential solutions, and ongoing work in DNS privacy. You can even get involved with development and testing if you’re so inclined.

But for most people, the best way to further increase your privacy is to use a solid VPN. When we review VPNs, we look for proper DNS leak protection. If a particular VPN doesn’t have it, we’ll let you know. Our top recommendations, however, will always encrypt your DNS traffic.

And remember that you should always run a leak test with your VPN. There are lots of useful DNS leak test tools (we like ExpressVPN’s tool because it’s very easy to use), and they’ll all let you know if your DNS queries are protected. If they’re not, it’s time to tweak your settings or get a new VPN.

No matter what you decide to do, if you’re concerned about your security and privacy, you need to make sure your DNS queries are safe! It’s an easy thing to forget, but it’s also an insidious backdoor into your browsing habits.
