Encrypted DNS (Domain Name System) traffic secures your queries using encryption protocols, protecting them from eavesdropping and DNS manipulation that might redirect you to malicious websites. However, sometimes, network restrictions or compatibility issues might force you to disable the feature.
Fortunately, there are fixes you can try to resolve these problems and reclaim control of your DNS encryption settings. We’ll walk you through all of them, but first, let’s start with a quick overview of how DNS works.
How does traditional DNS work?
The DNS works like a phonebook for the internet, translating human-friendly domain names into machine-friendly IP (Internet Protocol) addresses. So, when you type in www.example.com, DNS translates it into 93.184.216.34.
Here’s what a typical DNS query and response process looks like:
- You enter a URL, like www.surfshark.com, in your browser.
- Your device goes through its local DNS cache to see if it already has the IP address for that URL. If it does, it skips the query and uses the cached address.
- Otherwise, your device sends a DNS request to a DNS resolver, which is usually provided by your ISP (Internet Service Provider) or a third-party service like Google DNS.
- The resolver checks its own cache. If it has the IP, it sends it back to your device.
- If the resolver doesn’t have it, it asks the authoritative DNS servers on your behalf: it starts at the root servers, which point it to the TLD (top-level domain) servers for .com, which in turn point it to the servers responsible for the domain itself, until it gets the IP address.
- Once the resolver receives the IP address, it sends it back to your device, which uses it to connect to the website.
This exchange between your device and the DNS servers, also known as DNS traffic, usually isn’t encrypted — meaning the queries and responses are sent in plaintext. This leaves them vulnerable to monitoring or interception by pretty much anyone with access to your network, such as your ISP or even hackers.
Introduction to encrypted DNS
Encrypted DNS encrypts the DNS queries and responses exchanged between your device and the DNS resolver using protocols such as DoH or DoT. Anyone watching the network can see that you’re talking to a resolver, but not which names you’re looking up, and can’t alter the answers in transit without being detected. Only the two endpoints, your device (or browser) and the resolver, can read the data.
Types of DNS encryption protocols
The two most common DNS encryption protocols are DNS over HTTPS (DoH) and DNS over TLS (DoT). Both do a great job of encrypting DNS traffic, but which one you should use depends on your setup and what your network or browser supports.
DoH
DoH encrypts DNS queries by sending them over HTTPS through port 443. Since DoH uses the same HTTPS protocol that secures most websites, your DNS traffic blends right in with regular web activity.
This makes it much harder for your ISP or bad actors to monitor the websites you visit or dig into your DNS queries. At the same time, it also makes it tougher for networks to block or filter DoH traffic without risking disruption to web browsing.
Major browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox support DoH and allow users to configure it in their settings.
DoT
DoT keeps your DNS queries private by encrypting them with TLS (Transport Layer Security), the same protocol used for HTTPS. However, unlike DoH, which blends in with regular traffic, DoT uses a dedicated port — port 853.
This dedicated port makes DoT traffic easy to spot, isolate, and troubleshoot. DoT also carries a little less protocol overhead than DoH, since it skips the HTTP layer, though in practice the difference is rarely noticeable.
On the flip side, that same dedicated port makes it trivial for a network to identify (and block) DoT traffic, even though the queries themselves stay unreadable. DoT also isn’t built into web browsers; it needs support in the operating system or a local stub resolver, which usually makes it more technical to set up than toggling DoH in a browser’s settings.
| Feature | DoH | DoT |
| --- | --- | --- |
| Encryption | TLS, carried inside HTTPS | TLS directly |
| Port used | 443, shared with regular web traffic | 853, dedicated to DNS |
| Privacy of query contents | High | High |
| Blocking | Harder to block without also breaking HTTPS; a network can still block known DoH resolver endpoints | Easy to block by filtering port 853 |
| Adoption | Built into modern browsers and operating systems | Supported by many resolvers and operating systems (Android’s Private DNS uses it), but not by browsers |
How encrypted DNS traffic works
When you enter a URL into your browser, your device still has to ask a DNS resolver for the website’s IP address. With encrypted DNS, that query travels inside a TLS session (DoT) or an HTTPS request (DoH), so anyone on the path can’t read it or alter the answer without being detected.
The resolver decrypts the request, finds the IP address (from its cache or by asking the authoritative servers), and sends the answer back over the same encrypted connection. Keep in mind that DoH and DoT protect only the hop between your device and the resolver: the resolver’s own queries to the root, TLD, and authoritative servers are ordinary DNS and are usually not encrypted, and the resolver operator itself sees every name you look up. Someone intercepting the device-to-resolver leg sees only ciphertext.
For encrypted DNS to work, the resolver your device is configured to use must actually speak the protocol your device uses (DoH or DoT), and the network must let that traffic through. If either condition fails, the encrypted connection can’t be set up, and depending on the client, your device either falls back silently to unencrypted DNS (opportunistic mode) or refuses to resolve names at all (strict mode).
Pros and cons of encrypted DNS
Encrypted DNS provides an additional layer of security, but there are a few trade-offs that you need to consider. Here’s a look at some of its benefits and potential downsides:
Pros
✅Keep your browsing private
Traditional DNS queries are sent in plaintext and visible to your ISP, advertisers, and anyone else monitoring your network. Encrypting your DNS traffic with protocols like DoH or DoT shields these queries from prying eyes and invasive surveillance.
✅Prevent tampering and redirects
Encryption protects your DNS traffic from being intercepted and altered. It helps reduce the risks of MitM (Man-in-the-Middle) attacks, such as DNS spoofing, where attackers redirect you to phishing or malicious sites. This is especially crucial for sensitive services like online banking or shopping.
Cons
❌Slows down performance
Encryption adds work: the first query to a resolver requires a TLS handshake (one or two extra round trips), and every query after that is encrypted before it’s sent and decrypted when it arrives. Clients keep the connection open and reuse it, so the per-query overhead is small in practice, but you might notice slightly slower first connections on a slow device or network.
❌Overrides local configurations
Encrypted DNS may bypass your custom DNS settings. If, for instance, your router or a local filtering resolver blocks certain websites, a browser configured for DoH sends its queries straight to a remote resolver instead, so those content-filtering rules, security blocklists, and other customizations no longer apply to that browser.
❌Leaves privacy gaps
Encrypted DNS keeps only the name lookups private. The IP addresses you then connect to are still visible, and most HTTPS connections still send the server’s hostname in the clear in the TLS handshake (the SNI field), so a network observer can usually tell which sites you visit anyway. Your resolver operator also sees every query. For broader protection, a VPN encrypts all your internet traffic, not just DNS queries, so the local network sees only the tunnel.
Common issues with encrypted DNS traffic
Encrypting DNS traffic isn’t always smooth sailing. Here are the two problems users run into most often.
Network blocking encrypted DNS
Some networks block encrypted DNS traffic — this can happen in places like offices, schools, or even at your local coffee shop. Here’s why they might do so:
- Policy enforcement: organizations block encrypted DNS so that devices use the network’s own resolver, where content filtering and website restrictions are enforced;
- Security monitoring: network admins log and inspect DNS to spot malware and data exfiltration, which they can’t do if queries go encrypted to an outside resolver;
- Technical limitations: some middleboxes and captive portals only understand plaintext DNS on port 53;
- Traffic steering: some networks intercept or rewrite DNS answers to inject ads or route traffic, which encrypted DNS defeats;
- Configuration errors: a misconfigured firewall or blocklist can block encrypted DNS unintentionally.
If a network blocks encrypted DNS, your requests may fail. Disabling encrypted DNS will get you online again, but it downgrades you to plaintext DNS, leaving your queries visible and open to tampering on that network.
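The difference between a client that quietly falls back and one that fails closed is easy to miss in prose, so here is an added example (written for this page; it is not code from the article or from any real resolver). The “network” is a constructed object, no packets are sent, and the spoofed address 203.0.113.5 is a documentation-range value standing in for whatever a hostile plaintext resolver might return. `resolve` tries DoT, then DoH, and only in `opportunistic` mode falls back to plaintext, which is the downgrade that “just disable encrypted DNS” amounts to.

```python
"""Opportunistic vs. strict encrypted DNS on a network that blocks it (added example).

The 'network' and its answers are constructed; no packets are sent. The point
is what a client does when port 853 (DoT) and the DoH endpoint are blocked:
an opportunistic client quietly downgrades to plaintext, where the network
can rewrite answers, while a strict client fails closed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class TransportBlocked(Exception):
    """The network reset or dropped this transport."""


@dataclass
class Network:
    blocks_dot: bool = False          # tcp/853 filtered
    blocks_doh: bool = False          # HTTPS to the resolver's DoH endpoint filtered
    answers: Dict[str, str] = field(
        default_factory=lambda: {"www.example.com": "93.184.216.34"})
    # What the network's own plaintext resolver hands back instead (constructed).
    spoofed: Dict[str, str] = field(default_factory=dict)


def dot_lookup(net: Network, name: str) -> Optional[str]:
    if net.blocks_dot:
        raise TransportBlocked("tcp/853 connection reset")
    return net.answers.get(name)


def doh_lookup(net: Network, name: str) -> Optional[str]:
    if net.blocks_doh:
        raise TransportBlocked("HTTPS to DoH endpoint blocked")
    return net.answers.get(name)


def plain_lookup(net: Network, name: str) -> Optional[str]:
    # Plaintext UDP/53 always "works" here, but the answer is whatever the
    # network chooses to return.
    return net.spoofed.get(name, net.answers.get(name))


def resolve(net: Network, name: str, mode: str = "strict",
            log: Optional[List[str]] = None) -> Tuple[Optional[str], str]:
    """Try DoT, then DoH; in 'opportunistic' mode fall back to plaintext.

    Returns (answer, transport_used). transport_used is 'blocked' when a
    strict client refuses to downgrade.
    """
    if mode not in ("strict", "opportunistic"):
        raise ValueError("mode must be 'strict' or 'opportunistic'")
    log = log if log is not None else []
    transports = [("dot", dot_lookup), ("doh", doh_lookup)]
    if mode == "opportunistic":
        transports.append(("plain", plain_lookup))
    for label, lookup in transports:
        try:
            answer = lookup(net, name)
        except TransportBlocked as exc:
            log.append(f"{label}: {exc}")
            continue
        log.append(f"{label}: answered {answer}")
        return answer, label
    log.append("strict: all encrypted transports blocked, not falling back")
    return None, "blocked"


if __name__ == "__main__":
    hostile = Network(blocks_dot=True, blocks_doh=True,
                      spoofed={"www.example.com": "203.0.113.5"})  # constructed
    for mode in ("strict", "opportunistic"):
        trace: List[str] = []
        print(mode, "->", resolve(hostile, "www.example.com", mode, trace), trace)
```

On the hostile network the opportunistic client happily returns the spoofed address and the user never learns that anything was downgraded; the strict client returns no answer, which is the failure the iOS warning in the next sections is reporting. Browsers and operating systems expose exactly this choice in their DNS settings, usually as a toggle between an “automatic” mode and a “maximum protection” or “only use secure DNS” mode.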
Compatibility problems
Encrypted DNS may not always work seamlessly across all devices due to compatibility issues such as:
- Legacy constraints: many older routers, systems, and devices were made before encryption protocols like DoH or DoT became standard, leaving them incompatible;
- IoT (Internet of Things) limitations: since smart devices like TVs and security cameras often rely on traditional DNS, trying to use encrypted DNS can cause connectivity problems;
- App conflicts: custom DNS settings in some apps can override or interfere with encrypted DNS configurations;
- Setup errors: misconfigured or outdated network settings can block encrypted DNS traffic from functioning correctly.
Apple added system-wide DoH and DoT support in iOS 14, and iOS also relies on encrypted DNS for iCloud Private Relay. Since then, iOS users have been especially prone to connection issues and to seeing the “This network is blocking encrypted DNS traffic” warning. A common trigger is a network, or a local ad-blocking resolver, that blocks the hostnames Private Relay uses for this (mask.icloud.com and mask-h2.icloud.com).
Troubleshooting the “This network is blocking encrypted DNS traffic” warning on iOS
If the “This network is blocking encrypted DNS traffic” warning pops up on your iPhone, there are several ways to resolve it and restore your encrypted connection.
Restart your device and router
A quick and simple device restart clears out any temporary software or network hiccups and refreshes all processes and apps. Wiping the slate clean ensures your device reconnects to the DNS servers with the right, updated settings.
To restart your iOS device:
- Press and hold the power button — or both the power and volume buttons, depending on your model — until you see slide to power off.
- Slide to switch off your device.
- Wait 30 seconds, then turn it back on.
While you’re at it, restart your router, too. Here’s how:
- Unplug your router from the power source.
- Wait 30 seconds, then plug it back in.
- Wait for it to reboot completely.
- Reconnect your device.
Forget and reconnect to the Wi-Fi network
It’s also possible that your Wi-Fi network is the one triggering the “This network is blocking encrypted DNS traffic” warning. In that case, you’ll need to forget the network before reconnecting. This resets your connection and clears any corrupted data, misconfigurations, or conflicts, allowing your iPhone to apply the correct protocols.
To forget and reconnect:
- Go to Settings and select Wi-Fi.
- Tap the i icon next to your Wi-Fi network.
- Select Forget This Network and confirm.
- Reconnect by selecting the network.
- Enter the Wi-Fi password (and a username, if the network asks for one), then tap Join.
Update your device and router software
If your device or router’s software is outdated, that could explain why you’re having trouble with encrypted DNS. Keeping up with updates is crucial as they fix bugs, improve compatibility with newer protocols, patch vulnerabilities, and minimize conflicts that could disrupt your connection.
To update your iOS device:
- Go to Settings and select General.
- Tap Software Update to check for available updates.
- Tap Update Now.
To update your router’s software, log into the admin panel and check for firmware updates under Settings or Maintenance.
Reset network settings
Clearing your network settings might do the trick, too. It gets rid of anything that could interfere with DNS encryption, such as custom DNS settings tied to servers that don’t support encryption, misconfigured network parameters, and outdated DNS cache. Essentially, it gives your network a fresh start, free from conflicts that might disrupt encrypted traffic.
To reset network settings:
- Go to Settings, then tap General.
- Scroll down and select Transfer or Reset iPhone.
- Select Reset.
- Tap Reset Network Settings.
- Enter your passcode and confirm.
However, bear in mind that resetting network settings removes everything network-related you’ve saved on the iPhone: saved Wi-Fi networks and passwords will be erased, and VPN and manual DNS configurations will be cleared.
Configure DNS settings manually
Many default (ISP-provided) DNS servers don’t support encryption. So, if you still can’t shake off the privacy warning, you might need to manually point your iPhone at a resolver that supports encrypted DNS protocols. Note that entering resolver IP addresses in the Wi-Fi settings, as below, only changes which resolver iOS talks to over plain DNS; iOS turns on DoH or DoT itself only through a DNS configuration profile or an app that installs DNS settings, so pair this step with one of those if you want the queries themselves encrypted.
To configure DNS:
- Open Settings on your iOS device and tap Wi-Fi.
- Tap the i icon next to your network.
- Scroll down and select Configure DNS under the DNS section.
- Switch from Automatic to Manual.
- Tap the red minus button next to the existing DNS servers.
- Tap Add Server.
- Enter these DNS addresses: 162.252.172.57 and 149.154.159.92.
- Tap Save.
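Because the Wi-Fi DNS fields only set plaintext resolver addresses, the way to actually enable DoH or DoT system-wide on an iPhone is to install a DNS configuration profile. Here is an added example that generates one with Python’s standard library (written for this page; it is not Apple’s code or the article’s). It uses Apple’s `com.apple.dnsSettings.managed` payload with the `DNSSettings` keys `DNSProtocol`, `ServerURL`, `ServerName` and `ServerAddresses`. The resolver URL `https://dns.example/dns-query`, the hostname `dns.example`, the address `192.0.2.53` and the `com.example…` payload identifiers are placeholders, not a real provider; substitute your own resolver’s values.

```python
"""Build an iOS/macOS DNS Settings profile for DoH or DoT (added example).

Apple's supported way to turn on encrypted DNS system-wide is a configuration
profile carrying a com.apple.dnsSettings.managed payload. This generates one
with the standard library. The resolver URL/name and addresses below are
placeholders (dns.example, 192.0.2.53), not a real provider.
"""
import plistlib
import uuid
from typing import List, Optional

PAYLOAD_TYPE = "com.apple.dnsSettings.managed"


def dns_settings_payload(protocol: str,
                         server_url: Optional[str] = None,
                         server_name: Optional[str] = None,
                         addresses: Optional[List[str]] = None) -> dict:
    """Return a DNSSettings payload. protocol is 'HTTPS' (DoH) or 'TLS' (DoT)."""
    if protocol not in ("HTTPS", "TLS"):
        raise ValueError("protocol must be 'HTTPS' or 'TLS'")
    settings = {"DNSProtocol": protocol}
    if protocol == "HTTPS":
        if not server_url or not server_url.startswith("https://"):
            raise ValueError("DoH needs an https:// ServerURL")
        settings["ServerURL"] = server_url
    else:
        # DoT: ServerName is the hostname checked against the resolver's
        # certificate; the profile also needs the resolver's IP addresses,
        # since there is no URL to resolve the name from.
        if not server_name or not addresses:
            raise ValueError("DoT needs ServerName and at least one address")
        settings["ServerName"] = server_name
    if addresses:
        settings["ServerAddresses"] = list(addresses)
    return {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.encrypted-dns.payload",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Encrypted DNS ({protocol})",
        "DNSSettings": settings,
    }


def build_profile(payload: dict, display_name: str = "Encrypted DNS") -> bytes:
    """Wrap a payload in a top-level Configuration profile (XML plist)."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.encrypted-dns",          # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def load_profile(data: bytes) -> dict:
    """Parse a profile back; handy for inspecting one somebody hands you."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Redirect stdout to a file named something.mobileconfig to install it.
    doh = dns_settings_payload("HTTPS", server_url="https://dns.example/dns-query",
                               addresses=["192.0.2.53"])
    print(build_profile(doh).decode("utf-8"))
```

Save the output as a .mobileconfig file, open it on the iPhone (for example from Safari or Files), then install it under Settings > General > VPN & Device Management and select it in the DNS entry there. An unsigned profile installs fine but shows as unverified; if you distribute profiles to others, sign them. Before trusting a profile someone else sends you, parse it with `load_profile` and check exactly which resolver it points your phone at, since a DNS profile is a full DNS hijack if the resolver is malicious.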
Enable WPA3 security protocol
Check your router’s security settings and, if available, upgrade to WPA3 (Wi-Fi Protected Access 3). It’s the current Wi-Fi security standard, with stronger encryption and better resistance to password-guessing attacks than WPA2 (Wi-Fi Protected Access 2). Be clear about what it does, though: WPA3 protects the radio link between your device and the router, not DNS. It won’t by itself make encrypted DNS work or clear the warning, but unlike WPA2-PSK it stops other users of the same Wi-Fi who know the password from decrypting your traffic, including any plaintext DNS you fall back to.
To enable WPA3, you’ll first need to find your router’s IP address:
- Go to Settings and tap Wi-Fi.
- Tap the i icon next to your network.
- Scroll down to Router — your router’s IP address will be listed next to it.
Once you have the IP, access your router’s admin panel like this:
- Open a browser and enter the router’s IP address in the address bar.
- Enter your username and password on the router’s login page.
- Once logged in, locate the Security or Wireless section and change the security protocol to WPA3.
- Your router will restart and disconnect you from the network.
- Connect to the network again.
Using a VPN for DNS encryption
If you’re frustrated by the “This network is blocking encrypted DNS traffic” warning, a VPN (Virtual Private Network) like Surfshark could be the solution. Surfshark encrypts all your internet traffic, including your DNS queries, to keep your online activity, IP address, and search history private and secure.
For devices that don’t support a VPN natively, Surfshark also offers Smart DNS, which replaces your local DNS with its US-based Smart DNS servers. Since Smart DNS doesn’t rely on protocols like DoH or DoT, you won’t have to worry about triggering encrypted DNS traffic blocks. Note the flip side of that: Smart DNS is ordinary, unencrypted DNS pointed at a different resolver, so it’s a compatibility option, not a privacy one.
Encrypt your DNS — keep your browsing private
Encrypted DNS traffic prevents third parties like your ISP and malicious actors from spying on and tampering with your DNS requests, which are used to look up website addresses. Without encryption, these requests are sent in plaintext, leaving your data vulnerable to tracking, theft, or redirection to shady sites.
However, encrypted DNS alone isn’t a complete privacy fix. Instead, a more comprehensive solution is to use a VPN like Surfshark to encrypt all your internet traffic, including your DNS queries.
Frequently Asked Questions
What does encrypted DNS traffic mean?
Encrypted DNS traffic means your DNS requests and responses are secured using encryption protocols like DoH or DoT. This prevents third parties from spying on or tampering with your online queries, keeping the websites you access private.
Why does my iPhone say this network is blocking encrypted DNS traffic?
Your iPhone shows this warning because the network you’re connected to is blocking the encrypted DNS connections iOS tries to make. Common causes include content-filtering resolvers and blocklists (including ones that block the mask.icloud.com hostnames used by iCloud Private Relay), firewall rules against port 853 or known DoH endpoints, security policies, and DNS configuration conflicts.
How do I get rid of encrypted DNS traffic?
To stop encrypted DNS traffic, disable DoH or DoT in your browser or device settings. In most browsers, go to privacy or security settings and disable DNS encryption (often labelled “secure DNS”). On an iPhone, remove or switch off the DNS configuration profile under Settings > General > VPN & Device Management. Remember that this downgrades your lookups to plaintext DNS.
Can DNS be encrypted?
Yes, DNS can be encrypted using protocols like DoH or DoT. These protocols protect your DNS queries and responses by encrypting the traffic between your device and the DNS server to prevent eavesdropping or tampering.