If you use your mobile phone for everything, use shared data for your laptop, and connect to any WiFi network you can find, configuring a secure hotspot with custom DNS is one of those things that seem geeky, but it marks a before and after in privacy, security and even browsing speed.
The good news is that you don't need to be a system administrator: with a few clear ideas about what DNS is, what risks the traditional method entails, and how options such as private DNS, DoH, DoT or solutions like AdGuard Home, Pi-hole and VPN work, you can set up a fairly secure environment for your mobile phone and for the devices connected to its access point.
What is DNS and why should you care?
DNS, short for Domain Name System, is basically the internet's contact list. You type in a convenient domain name like "google.com" or "xatakandroid.com," and underneath, your phone needs a numerical IP address to find the correct server. The DNS server is responsible for translating that name into its corresponding IP address so that the connection can be established.
In almost all networks, both fixed and mobile, it's usually your operator, router, or public Wi-Fi hotspot that decides which DNS server to use. This means that, by default, your device queries the DNS provided by your provider without you having to touch anything. It works, yes, but it has several significant drawbacks in terms of privacy and control.
The underlying problem is that these queries, in the classic model, travel in plain text and without authentication. Every time your mobile phone asks "what IP address does this domain have?", that request is visible to anyone who controls the network: your ISP, the owner of the bar's WiFi, an attacker on the same network, etc.
Furthermore, DNS has become a key point for blocking or filtering websites. Operators, corporate networks, or governments can decide that certain domains "cease to exist" for users simply by not resolving their names or returning manipulated IPs. From your end, all you see is that the website is down, as if the server has crashed.
For all these reasons, taking control of which DNS server you use, and how you use it, opens the door to improved performance, enhanced privacy, bypassing certain blocks, and filtering threats. And, as a bonus, it allows you to turn your mobile phone into a much more secure hotspot than the one you get with factory settings.
Disadvantages of traditional DNS and real risks

When we talk about classic DNS, we are talking about a system in which the queries are neither encrypted nor signed. This allows an intermediary to see which domains you visit, alter responses, or even block them without your device clearly noticing.
I'm sure this has happened to you on some free WiFi: you try to open any website and, instead of going directly to your destination, a login or advertising page appears first. This is done by redirecting your requests through the DNS, returning a different IP address from the one that belongs to the site you asked for and sending you to a captive portal.
The same technique, in the hands of someone with malicious intent, allows for the creation of much more dangerous scenarios. An attacker who controls the network can, for example, send you to a phishing page that mimics your bank's login, or to a website that distributes malware, simply by changing the response IP in the DNS query.
DNS control is also used to enforce censorship or filtering policies. In corporate environments, educational networks, or at the national level, the resolution of certain domains is denied so that it may appear that the website is down or does not exist. There are no clear blocking messages: the user only sees resolution errors.
In parallel, your Internet provider can use your domain resolution history to create highly detailed profiles of your browsing habits. This information is used for advertising segmentation, personalized products, or, in the worst case, to market aggregated data.
What are the benefits of changing DNS servers and choosing good providers?
Changing the DNS settings on your mobile phone, PC, or router is not just technical posturing: it can improve speed, privacy, security, and access to content, all at once. You won't double your bandwidth, but you can significantly reduce latency and improve control.
In terms of performance, many public resolvers have a globally distributed network of servers with highly optimized caches. This means that when your computer queries a website's IP address, the response arrives sooner and the page starts loading faster. Each resolution takes only milliseconds, but it makes a difference over the course of the day.
In terms of privacy, providers like Cloudflare or Quad9 declare much stricter policies than many operators. For example, Cloudflare claims it purges logs quickly and does not sell usage data. Quad9, for its part, boasts of collecting minimal information and focusing on security.
In terms of security, some services incorporate blacklists of malicious domains. Examples include servers like Quad9, certain OpenDNS profiles, and solutions like NextDNS, which block access to websites containing malware, phishing, botnets, or highly intrusive advertising. If you try to access (even accidentally) a dangerous page, the DNS itself intervenes and prevents you from loading the malicious content.
Regarding blocking, many operator and government filters are applied precisely at the DNS level. When you switch to a server managed by a third party that is not under their control, you can circumvent some of those restrictions. It's not infallible, but it's often enough to "resurrect" websites that seemed inaccessible.
When choosing a provider, there's no single winner. It depends on your location, your priorities (speed, privacy, security), and the compromises you're willing to make. Even so, there are some names worth keeping an eye on: Google Public DNS, Cloudflare, Quad9, OpenDNS and NextDNS are among the most used and recommended.
Recommended DNS servers: examples and key information
A widely used veteran is Google Public DNS. It offers IPv4 addresses such as 8.8.8.8 and 8.8.4.4, and IPv6 addresses such as 2001:4860:4860::8888 and 2001:4860:4860::8844. It is free, stable, fast, and supports encryption using DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) using the host dns.google, which is precisely the name used when you define private DNS on Android.
Cloudflare is the other major player with its famous 1.1.1.1. Its IPv4 addresses are 1.1.1.1 and 1.0.0.1; for private DNS on Android, hostnames like 1dot1dot1dot1.cloudflare-dns.com or equivalent options like one.one.one.one are used. They place a strong emphasis on privacy and claim that they delete the records in very short periods of time, in addition to topping speed rankings like DNSPerf in many regions.
If you prioritize security above all else, Quad9 deserves serious attention. Its star IPv4 is 9.9.9.9 and, for private DNS on Android, the typical name is dns.quad9.net. It focuses on blocking domains of malware, phishing, and similar threats, so that it acts as a security filter from the name resolution itself.
OpenDNS (owned by Cisco) and NextDNS fall into the category of highly configurable services. They allow you to create profiles with parental controls, adult content filters, ad blocking, and dashboards with detailed statistics. They are ideal for anyone who wants to define fine-tuned policies for children, work environments, or complex home networks.
To choose the best one for you, it's a good idea to try several and measure response times from your location. Tools like DNSPerf can help: they compare latency and availability of multiple DNS services from more than 200 locations, which helps you see which provider performs best in your area.
Secure DNS: DoH, DoT, DNSCrypt and the concept of private DNS

When we talk about "secure DNS," we are actually referring to how queries travel between your device and the server. Instead of sending data in plain text, protocols such as DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), or DNSCrypt allow that traffic to be encrypted and authenticated.
DoH encapsulates DNS requests within conventional HTTPS connections, typically using port 443. This means that a censor or provider attempting to filter them finds it difficult to distinguish encrypted DNS traffic from the rest of web browsing. Therefore, blocking it without breaking half the internet is quite difficult.
DoT, for its part, encrypts queries using the TLS protocol specifically for DNS. This is the method that Android uses under the label of Private DNS starting with Android 9. That's why it's considered the most direct way when you want to protect all system apps without depending on each browser.
DNSCrypt is an older solution that also adds encryption and authentication, although in recent years it has been overshadowed by DoH and DoT. Even so, it remains relevant in advanced environments where users set up their own resolvers or home networks with extra security measures.
In Android 9 and later, the option called “Private DNS” should actually be labeled “Secure DNS.” Enabling it forces all system queries to be sent encrypted to a server that supports DoT. You are not managing your own server, but choosing a third-party server to which you connect securely.
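To make the difference between the three transports concrete, the following added example (not part of the original article) builds one DNS query in wire format, shows that the domain name can be read straight from a plain port-53 payload, and then wraps the same bytes the way DoT and a DoH GET request (RFC 8484) carry them inside TLS. The endpoint https://resolver.example/dns-query is a placeholder, not a real service.

```python
"""Added example: one DNS query, three transports (plain UDP, DoT, DoH)."""
import base64
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a standard recursive query in RFC 1035 wire format."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"                                   # root label ends the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS = IN


def observed_name(payload: bytes) -> str:
    """Recover the queried name from a raw port-53 payload.

    This is all a device on the path needs to do with classic DNS: the name
    is stored as length-prefixed ASCII labels right after the 12-byte header.
    """
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack("!H", payload[4:6])[0] < 1:
        raise ValueError("message carries no question")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question section")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            raise ValueError("malformed label in question section")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)


def dot_frame(message: bytes) -> bytes:
    """DoT: same message, 2-byte length prefix, sent inside TLS on port 853."""
    return struct.pack("!H", len(message)) + message


def doh_get_url(message: bytes, endpoint: str) -> str:
    """DoH GET: same message, base64url without padding, inside HTTPS on 443."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


if __name__ == "__main__":
    query = build_query("www.example.com")             # constructed sample query
    print("plain UDP payload :", query.hex())
    print("readable on path  :", observed_name(query))
    print("DoT record        :", dot_frame(query).hex())
    # Placeholder endpoint, assumed for illustration only.
    print("DoH request       :", doh_get_url(query, "https://resolver.example/dns-query"))
```

With DoT and DoH the bytes are identical to the plain query; what changes is that they travel inside a TLS session, so the name is no longer readable on the path.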
Secure DNS and VPN: allies, not substitutes
It's very common to confuse concepts: enabling encrypted DNS is a big leap in privacy, but it is not the same as using a VPN. With secure DNS you only protect name requests; the rest of the traffic (pages, downloads, video, online games…) will still depend on whether the website uses HTTPS and the network you are passing through.
A VPN, on the other hand, builds an encrypted tunnel between your device and a remote server. Everything (or almost everything, if properly configured) that leaves your device travels encapsulated and encrypted to the VPN server, and the websites you visit see that server's IP address instead of your real one.
Many commercial VPN providers include their own protected DNS, and upon connecting, they prevent leaks to the mobile operator's or WiFi network's DNS servers. Others let you choose: your own DNS, third-party DNS (Cloudflare, Google, Quad9), or even a home server you have deployed. You can find recommendations on commercial VPN providers to see reliable options.
The ideal combination, if you take your privacy seriously, is to have a secure DNS configured at the system level and use a VPN when connecting to public networks, traveling, or needing to bypass geographical restrictions. A guide on how to activate a VPN on Android and block unsafe traffic is very useful for this. However, be sure to check the fine print of your VPN app, because some ignore Android's private DNS and force their own resolvers by default.
For beginners, setting up an encrypted DNS already represents a huge change from the traditional scenario. Then, if you want to further increase the level of protection, adding a VPN on top further secures your traffic. If you prefer free options, you can check the best free VPNs as a starting point.
How to change DNS on your Android phone
On Android, the way to customize DNS depends on the version and how the manufacturer has organized the menus. From Android 9 (Pie) onwards, there is a Private DNS option that applies to the entire system, both WiFi and mobile data. In previous versions you could only adjust it network by network.
The names of the sections vary: what's called "Network & Internet" on a Pixel might appear as "Connections" or "Connection Settings" on a Samsung Galaxy. But the logic is similar: you go into the network settings, look for the private DNS section, and define the provider, and on several models it is possible to create automatic profiles based on the WiFi network to simplify the process.
On many recent Samsung phones, the path is Settings > Connections > More connection settings > Private DNS. On other Android devices, the sequence is usually Settings > Network & Internet (or similar) > Advanced > Private DNS. Once there, you'll see options like "Automatic," "Off," and "Private DNS provider hostname."
If you leave the mode set to “Automatic”, the system will attempt to use encrypted DNS with the server provided by the network, but if it is not available it will silently revert to traditional DNS. To ensure you always use a specific provider, you must select “Hostname…” and enter the corresponding domain of your preferred service.
There is an important detail: Android does not accept numeric IP addresses in the private DNS field. Never use 1.1.1.1 or 8.8.8.8; always use the hostname provided by your provider, such as dns.google, one.one.one.one, or 1dot1dot1dot1.cloudflare-dns.com.
Configure private DNS on Android 9 and later versions
If your smartphone runs Android 9 or higher, you can set a single, secure DNS provider for the entire system. This setting applies to both WiFi and mobile networks and also affects the hotspot you create, although with nuances that we will see later.
The general steps are very similar across brands: go to Settings > Network & Internet (or Connections) > Private DNS, select the option to enter a hostname and type, for example, dns.google if you want to use Google Public DNS with DoT, or one.one.one.one for the Cloudflare service. You save, the mobile checks the connection and, if everything is correct, activates secure DNS.
If you type the domain incorrectly or the server stops responding, you'll notice that no website loads even though you have good coverage. This is a typical symptom of a name resolution failure. The solution is to temporarily switch back to "Automatic" or "Off", re-establish the connection, and then check the entered data.
On Android 10 and later, the system manages interactions between private DNS and network-level applications (VPNs, proxies, etc.) much better. Even so, it's advisable to verify which server you're actually using with an online test like "My DNS" or similar, especially if you combine VPN, private DNS, and filtering apps.
Change DNS on Android 8 and earlier, network by network
If your phone is still running Android 8 or an older version, you won't have the option for a global private DNS. In these cases, the only alternative is to manually modify the DNS settings on each WiFi network you connect to, repeating the process for home, work, etc.
The typical procedure begins by connecting to Wi-Fi and going to Settings > Wi-Fi or Settings > Network & Internet > Wi-Fi. In the list of networks, tap and hold the one you're using and choose "Modify network" or "Advanced options," where the IP and DNS settings are usually located.
You'll usually see an "IP Configuration" field that's set to "DHCP" by default. Changing it to "Static" unlocks the IP address, gateway, and, most importantly for our purposes, DNS 1 and DNS 2. There you can enter the servers you want to use on that specific network.
In those fields you can put, for example, 8.8.8.8 and 8.8.4.4 if you opt for Google, or 1.1.1.1 and 1.0.0.1 if you stick with Cloudflare. Save, your phone reconnects, and from that moment on, any queries you make on that Wi-Fi will use the DNS servers you've defined.
If at any point the network starts behaving strangely or you want to revert to the original settings, simply return to that screen and change the IP configuration back to “DHCP”. With that, the DNS provided by the router or access point is automatically restored.
Turn your mobile into a secure hotspot with custom DNS
Let's get to the heart of the matter: when you activate tethering or a Wi-Fi access point, your phone starts acting like a small router. It's responsible for distributing private IP addresses to the connected devices (laptop, tablet, game console, another mobile phone) and telling them via DHCP which DNS servers they should use. If you need guidance on how to share internet from your PC or create a mobile hotspot, that tutorial explains the basic steps.
In theory, it sounds very nice to imagine that, if your mobile phone uses encrypted private DNS, devices connected to your hotspot inherit that same protection. In practice, with many Android models this doesn't happen: they continue to advertise via DHCP the DNS provided by the mobile network, not the one you have set at the system level.
As a result, your smartphone may be browsing with encrypted and filtered queries, while your laptop, connected to its access point, continues to query the operator's DNS server directly. For your ISP, there's hardly any difference compared to the laptop connecting automatically.
The robust way to ensure minimally consistent protection across all equipment is to configure DNS manually on each client device: your Windows laptop, Mac, tablet, etc. This way you don't depend on what the hotspot advertises via DHCP.
There's a slightly more advanced option: setting up your own encrypted DNS server (for example, with AdGuard Home or a resolver that supports DoH/DoT) and connecting your mobile device to it, either directly or through a VPN. The problem is that, if you want to access it from outside your home, you'll need to use the VPN; by opening DNS or HTTPS ports to your server instead, you introduce a new attack vector if that machine is not very well secured.
Use AdGuard Home, Pi-hole, and Home DNS with your Android
If you've already set up solutions like AdGuard Home or Pi-hole on your local network, you probably have them configured as the primary DNS server on your home router. Therefore, all connected devices at home (wired or WiFi) go through this filter without you having to configure anything on each device.
The "but" comes when you leave home and want to continue using that filtering from your mobile phone, and on top of that, you intend for devices connected to the mobile hotspot to also benefit. There are several strategies:
One possibility is to make your home server accessible from the internet using DoH or DoT, with a valid domain and certificate. You configure that hostname as a private DNS on Android and, wherever you are, your mobile phone will send encrypted queries to your home resolver. However, it does require opening ports on the router, keeping certificates up to date, and having that machine very well protected.
Another, more balanced option is to combine your home DNS with your own VPN (WireGuard, OpenVPN, etc.). You configure the VPN on your router or on a server on the local network, and when you connect from outside, all traffic, including DNS queries, goes through the tunnel to your LAN, using Pi-hole or AdGuard Home as a resolver. It requires more initial work, but you avoid directly exposing the DNS service to the internet.
If all this sounds like too much trouble for how you use your mobile phone, the most sensible thing in most cases is to just use your home server when you're at home, through your router, and configure a secure public DNS on Android when you leave (Cloudflare, Quad9, Google, etc.). For most users, that balance between convenience and protection is more than reasonable.
Does the mobile DNS also protect connected devices?
A very common question, often seen in privacy forums, is whether simply activating private or secure DNS on your mobile phone is enough for all devices that connect to the hotspot to be automatically protected. Given the current situation, the honest answer is: normally, no.
As we have discussed, when the mobile phone acts as an improvised router, the network parameters it distributes (IP address, gateway, DNS) are usually based on what the mobile network delivers to it, not on Android's secure DNS settings. So, in many cases, private DNS is limited to the phone itself.
For the laptop you connect via tethering, the scenario is practically the same as if you were using a USB modem: it sees the mobile operator's DNS and queries against it unless you force it to use another one. On the provider's side, they can continue profiling which domains are resolved from your connection.
The way to ensure that each device works with the resolution you want is to go into its network settings and manually specify the DNS. On Windows, macOS or Linux, this is done from the network adapter properties (WiFi or Ethernet), replacing “automatic DNS” with the servers you choose.
On iPhone and iPad, you can also configure DNS per Wi-Fi network: go to Settings > Wi-Fi, tap the "i" next to the network (which might be the hotspot on Android), and under "Configure DNS," switch to "Manual" to enter your preferred provider's IP address. It's a bit tedious if you frequently switch networks, but it ensures that the device is not using the carrier's DNS without your permission.
How to change DNS on iPhone, other mobile phones, and computers
In iOS and iPadOS, Apple introduced support for DoH and DoT starting with iOS 14 and macOS 11, but there is no setting as visible as Android's "Private DNS". By default, the easiest way is to change the DNS for each WiFi network: Settings > Wi-Fi > "i" icon > Configure DNS > Manual, delete the old servers and add the new ones (for example, 1.1.1.1 and 1.0.0.1 or 8.8.8.8 and 8.8.4.4).
This setting only applies to the network where you define it, so if you connect to a different network, you'll have to repeat the process. For mobile data and to use DoH/DoT more transparently, there are apps in the App Store that install configuration profiles with encrypted DNS, and tools for advanced users that let you package your own profiles.
In Windows 10 and 11, changing the DNS involves going to network settings (or the classic Control Panel) and editing the adapter properties. Select the IPv4 protocol, check the box for "Use the following DNS server addresses," and enter the IP addresses corresponding to your preferred provider. In the latest versions, the system also supports native DoH with certain resolvers.
On macOS, the path is similar: open System Settings > Network, choose your interface (WiFi or Ethernet), click Advanced/Details, and on the DNS tab, add the new servers using the add button. After applying the changes, all connections through that interface will use those DNS servers until you change them.
In Linux, the process depends on whether you use NetworkManager or another manager, but the idea is the same: access the connection settings, manually set the resolvers, and, if you want maximum control, edit files such as /etc/resolv.conf or NetworkManager profiles.
Configure DNS at the router level and in dedicated hotspot solutions
A powerful alternative, if you don't want to touch each device individually in your home, is to change the DNS settings directly on your home router. By accessing the web interface (usually at 192.168.1.1 or another LAN IP address), you can enter the WAN/Internet section and replace the automatic DNS with manual servers.
By saving and restarting, all devices that obtain IP addresses via DHCP will inherit those DNS settings without you having to do anything else. This includes mobile phones, laptops, game consoles, Smart TVs, etc., as long as they don't have static DNS settings configured. It's a convenient way to standardize filtering and privacy across the entire network.
In professional hotspot environments (for example, controllers like those from EdgeCore or WifiCloud solutions), it is common to combine custom DNS with firewall rules to prevent users from bypassing filtering by changing their device's DNS settings. One common technique is:
First, configure the device's WAN settings to use the filtering service's DNS servers (for example, WifiCloud's IP addresses) as both the "preferred DNS server" and the "alternative DNS server". With that, requests from the entire network pass through these filtered resolvers.
Then firewall rules are created that only allow DNS traffic (port 53) to those specific IPs and block any attempt to use external DNS servers such as 8.8.8.8 or 1.1.1.1. In practice, users can set any DNS they want on their laptop, but if it doesn't match the approved ones, the traffic is cut off and they can't browse.
This approach also extends to advanced home routers or firmware like OpenWrt. It's possible to configure services like dnsmasq, point them to a Pi-hole on the local network (for example, 192.168.1.201), and combine this with firewall rules to force all DNS traffic to pass through your filtering resolver, preventing leaks to external DNS.
However, in complex OpenWrt and Pi-hole configurations, it's easy to get lost: you have to configure the LAN interface to use Pi-hole as the DNS server, add DHCP option 6 (DNS server for clients), and decide whether the router itself also uses that server or queries the internet directly. A simple nslookup will help you check whether the clients are actually using the DNS you've defined or are still pointing to others.
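The allowlist rule described above can also be checked after the fact by auditing flow records from the router or hotspot. This is an added example, not taken from any of the products mentioned: the flow-record format and sample lines are constructed, and the approved resolver is assumed to be the Pi-hole address used in the text. It goes one step beyond the port-53 rule by also flagging DoT on port 853 and HTTPS connections to the public resolver addresses listed earlier, which a port-53-only filter does not see.

```python
"""Added example: audit LAN/hotspot flows against a DNS resolver allowlist."""
from collections import defaultdict
from ipaddress import ip_address

# Assumption: the only approved resolver is the Pi-hole address from the text.
APPROVED = {ip_address("192.168.1.201")}
# Public resolver addresses named in the article; HTTPS to them is likely DoH.
PUBLIC_RESOLVERS = {ip_address(a) for a in
                    ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9")}

# Constructed flow records, one per line: "client dst proto dport"
SAMPLE_FLOWS = """\
192.168.1.23 192.168.1.201 udp 53
192.168.1.23 203.0.113.10 tcp 443
192.168.1.40 8.8.8.8 udp 53
192.168.1.40 192.168.1.201 tcp 53
192.168.1.41 1.1.1.1 tcp 853
192.168.1.42 9.9.9.9 tcp 443
"""

QUIET = {"allowed-dns", "allowed-dot", "not-dns"}


def classify(dst: str, proto: str, dport: int) -> str:
    """Label one flow according to the DNS policy."""
    addr = ip_address(dst)
    if dport == 53 and proto in ("udp", "tcp"):
        # The rule from the text: port 53 only towards approved resolvers.
        return "allowed-dns" if addr in APPROVED else "plain-dns-to-unapproved"
    if dport == 853 and proto == "tcp":
        # DoT has its own port, so a port-53 rule alone never matches it.
        return "allowed-dot" if addr in APPROVED else "dot-to-unapproved"
    if dport == 443 and addr in PUBLIC_RESOLVERS:
        # DoH looks like ordinary HTTPS; only the destination gives it away.
        return "possible-doh"
    return "not-dns"


def audit(flow_text: str) -> dict:
    """Return {client: [(destination, finding), ...]} for policy violations."""
    findings = defaultdict(list)
    for lineno, line in enumerate(flow_text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 'client dst proto dport'")
        client, dst, proto, dport = parts
        verdict = classify(dst, proto.lower(), int(dport))
        if verdict not in QUIET:
            findings[client].append((dst, verdict))
    return dict(findings)


if __name__ == "__main__":
    for client, items in audit(SAMPLE_FLOWS).items():
        for dst, verdict in items:
            print(f"{client} -> {dst}: {verdict}")
```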
Ultimately, understanding which DNS each layer (device, router, hotspot, VPN) uses and in what order requests are resolved is key to making your secure hotspot with custom DNS work as expected and not just in theory.
All this effort in adjusting DNS, combining encryption (DoH/DoT), leveraging services like Cloudflare, Google, Quad9, OpenDNS or NextDNS, using tools like AdGuard Home or Pi-hole and accompanying it with a good VPN when necessary, means that your connections, both from your mobile and from devices that depend on your access point, work faster, filter threats better, respect your privacy more, and give you real control over what happens to your data online.