Whenever I set up a new Android phone, I change one setting before I start using it normally. I update the Private DNS provider hostname, so the phone uses an encrypted server instead of the one assigned by the network. This keeps my lookups private on shared Wi-Fi and helps avoid the unreliable or slow resolvers you sometimes find on public networks. Setting this up early also limits what the network can see and makes it harder to track which domains I access.
What Private DNS actually does
Keeps your DNS requests encrypted and private
Before your phone can reach most sites or services, it has to identify the actual network address behind the name you tap or type. This request is sent through DNS and often travels in plain text. People along the network path, such as your Wi-Fi provider or mobile operator, can see the domains you visit because those requests are not protected. Private DNS encrypts these requests before they leave your phone and prevents intermediaries from reading or altering them.
Android protects these lookups through a protocol called DNS-over-TLS, which encrypts them before any content begins to load. It doesn’t shield your whole connection like a VPN, but it secures what happens first. Since most apps depend on these lookups to connect online, choosing a stable private DNS provider helps prevent connection problems caused by unreliable servers.
A fast, reliable encrypted DNS provider can help web pages and online services load without unnecessary delays. Using encrypted DNS on Android also keeps your lookups private on shared networks, even when many people are connected to the same hotspot. Your requests go to the provider you choose, although a few apps may still use their own DNS settings.
Private DNS lets you select which server resolves your lookups once you change your DNS settings. You can point them to a provider you trust and send most of your requests through it. This keeps your phone’s address resolution consistent on both mobile data and Wi-Fi and helps you avoid the slow or unstable servers used by some networks.
How to set up Private DNS on your Android phone
Steps to enter a secure hostname
You’ll find the Private DNS option in your phone’s connection settings. On most Android devices, go to Settings -> Network and internet -> Private DNS. Here, you’ll see options such as Off, Automatic, and Private DNS provider hostname. Pick the hostname option to open a text field. On Samsung phones, the path is a little different: navigate to Settings, then Connections, then More connection settings, and tap Private DNS to reach the same field.
This field accepts only a hostname, so type one.one.one.one instead of an IP address like 1.1.1.1. Android checks the server’s TLS certificate against this hostname while it sets up the encrypted connection, so it needs the name rather than the numeric address. Cloudflare uses one.one.one.one for its encrypted service, and the older hostname 1dot1dot1dot1.cloudflare-dns.com still points to the same service. For a general-purpose resolver that behaves much like a typical default server but adds encryption, use dns.google for Google’s encrypted DNS.
Another choice is AdGuard DNS at dns.adguard.com, which blocks many known trackers, analytics domains, and unwanted sites before they load. After you enter the hostname, save your settings and return to the home screen. Your phone will then use that provider for almost all lookups. If everything works as expected, you can leave this setting alone unless you want to change providers later.
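To show why the field wants a name rather than an address, here is an added Python example (not part of the original article and not Android's code) of a single DNS-over-TLS lookup: a TLS connection to port 853 whose certificate must match the provider hostname, carrying a length-prefixed DNS query. The function names are assumptions made for this sketch, and is_hostname only approximates the rule the settings field applies.

```python
import ipaddress, re, socket, ssl, struct

LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def is_hostname(value):
    """True for a DNS name, False for an IP literal such as 1.1.1.1."""
    try:
        ipaddress.ip_address(value)
        return False
    except ValueError:
        labels = value.rstrip(".").split(".")
        return len(labels) >= 2 and all(LABEL.fullmatch(l) for l in labels)

def build_query(name, txid=0x1234):
    """DNS A-record query in wire format, with recursion desired."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN

def frame(message):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(message)) + message

def parse_header(response):
    """Return (transaction id, rcode, answer count) from a DNS response."""
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!6H", response[:12])
    return txid, flags & 0x000F, answers

def read_exact(sock, n):
    """Read exactly n bytes, since a TLS record may deliver fewer."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf

def resolve_over_tls(provider, name, timeout=5.0):
    """Send one query to provider:853; the certificate must match provider."""
    if not is_hostname(provider):
        raise ValueError("provider must be a hostname, not an IP address")
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((provider, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=provider) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", read_exact(tls, 2))
            return parse_header(read_exact(tls, length))
```

With network access, resolve_over_tls("dns.google", "example.com") returns the response's transaction id, rcode, and answer count; a server whose certificate does not match the provider name makes wrap_socket raise ssl.SSLCertVerificationError before any query is sent.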
Where Private DNS falls short
Private DNS has some limitations. It encrypts only the lookup, not the actual content you view or send. Your Wi-Fi provider or mobile operator can’t see the domains in your DNS requests, but they can still see the IP addresses you connect to, since this information is outside DNS. If your chosen provider experiences outages, you may need to switch back to Automatic or choose another hostname to regain access. A few apps also use their own method instead of the system resolver, so they will not benefit from this setting.
You may also run into networks that don’t work well with encrypted DNS. Some public Wi-Fi setups that require a sign-in page, such as those in hotels or airports, redirect your DNS traffic to load that page, so many websites will fail to open while Private DNS is active. If the Wi-Fi shows as connected but nothing loads, switch Private DNS to Automatic, complete the sign-in page, then return to your usual hostname once the connection is active.
The same issue can appear on enterprise or institutional networks that block encrypted DNS entirely. These networks force traffic through their own resolvers, so Private DNS will not function until you switch back to the default or Automatic option.