DNS over HTTPS vs DNS over TLS on Android
Android uses DNS over TLS by default for Private DNS, but apps increasingly use DoH. Here's the difference that matters.

By Adrián Vega
Published 25 December 2025 · Updated 28 May 2026 · 10 min read
When you type a website address into your browser, your Android phone performs a background lookup to translate that name into an IP address. By default, this request is sent in cleartext, meaning your mobile carrier, public Wi-Fi provider, or any local attacker can see exactly which sites you are visiting. Even if the website itself is encrypted via HTTPS, the initial DNS request is an open book. To fix this, you need to understand how to implement DNS over HTTPS on Android and how it differs from the system-wide DNS over TLS settings found in your phone's menus.
I have spent the last month testing various encrypted DNS configurations across a Pixel 8 Pro running Android 15, a Samsung Galaxy S24 Ultra on One UI 6.1, and a Xiaomi 14 Ultra running HyperOS. While Android includes a native feature called Private DNS, it does not always cover every app on your device. This guide will walk you through the technical differences between these protocols, how to configure them on different manufacturer skins, and the specific limitations you will face when trying to secure your network traffic on Android 13, 14, and 15.
Plain DNS leaks
Plaintext DNS is the standard legacy protocol used by most internet service providers. When your device is set to use the default network settings, it sends UDP packets on port 53. These packets contain no encryption. This is the primary reason why "DNS leaking" is such a common privacy issue. Even if you use an encrypted messaging app, the initial request to find the app's server is visible. On Android 13 and newer, the system tries to be more intelligent about network security, but it cannot fix a DNS leak on its own when the network administrator has deliberately left DNS unencrypted.
During my testing on public Wi-Fi at a local library, I used a packet capture tool to see what a standard Android 14 device reveals. Without any specific Private DNS configuration, every single domain I visited—from news sites to banking portals—was logged in the clear. This allows network owners to build a profile of your browsing habits or even redirect your traffic to malicious "spoofed" sites. On Samsung One UI devices, the system often defaults to the provider's DNS unless you manually intervene, which means your mobile carrier has a persistent log of every hostname your device has queried since the moment you inserted the SIM card.
The danger of plain DNS extends to censorship and filtering. If a network blocks certain content, it usually does so by intercepting these port 53 requests. On older Android versions, bypassing this required root access or complex VPN workarounds. However, with the introduction of modern standards, we now have two main ways to fight back: DNS over TLS (DoT) and DNS over HTTPS (DoH). Understanding which one your Android version supports natively is the first step toward a hardened privacy setup.
DoT: Android's Private DNS
DNS over TLS, or DoT, is the protocol Android uses for its native "Private DNS" feature. It wraps DNS queries in a layer of TLS encryption on its own dedicated port, 853. This is the "cleaner" approach from a networking perspective because it separates DNS traffic from standard web traffic. Android introduced this in version 9, but it has become significantly more stable in Android 13 and 14. When you enable Private DNS on a Pixel or Samsung device, you are almost certainly using DoT. The system establishes a secure tunnel directly to the DNS provider, ensuring that no one on the local network can snoop on the requests.
To configure DoT on a Google Pixel or any device with stock-like software (Android 13, 14, or 15), follow this path:
1. Open Settings.
2. Tap Network & internet.
3. Scroll to the bottom and tap Private DNS.
4. Select "Private DNS provider hostname" and enter a provider like dns.google or family-filter.cleanbrowsing.org.
On Samsung One UI 6, the path is slightly different:
1. Open Settings.
2. Tap Connections.
3. Tap More connection settings.
4. Tap Private DNS.
For Xiaomi HyperOS users, you will find it under:
1. Settings.
2. Connection & sharing.
3. Private DNS.
Note that Xiaomi's implementation is occasionally aggressive with power management, so ensure the "Security" app isn't resetting these network permissions after a reboot.
What makes DoT unique on Android is that it is a system-wide setting. Once configured, the Android OS attempts to force all outgoing DNS traffic through this encrypted tunnel. However, there is a catch: if the network you are on blocks port 853—which many corporate and school firewalls do—Android may fail to connect. In this scenario, depending on your settings, the phone will either fall back to unencrypted DNS (if set to "Automatic") or lose internet connectivity entirely (if set to "Strict" or a specific hostname). This is where the limitations of DoT become apparent compared to the more flexible DoH.
DoH: per-app encrypted DNS
DNS over HTTPS (DoH) differs from DoT by hiding DNS queries within standard HTTPS traffic on port 443. To an outside observer, your DNS lookups look exactly like regular web browsing traffic. This makes DoH significantly harder to block or throttle compared to DoT. While Android 13 and 14 support DoH at the platform level, the OS generally prefers DoT for the system-wide "Private DNS" toggle. Currently, DoH on Android is most commonly implemented at the application level, specifically within web browsers like Google Chrome, Brave, and Firefox.
To enable DoH in Google Chrome on Android:
1. Open Chrome.
2. Tap the three dots and select Settings.
3. Tap Privacy and security.
4. Tap Use secure DNS.
5. Choose "Choose another provider" and select from the dropdown or enter a custom URL.
This ensures that even if your system-wide Private DNS is disabled or blocked by a firewall, your browser traffic remains encrypted. On Android 15, Google has improved the underlying "DNS Resolver" module, allowing the system to use DoH more frequently if the provider supports it, though the user interface still largely refers to it as Private DNS without always specifying the protocol.
One major advantage of DoH is its ability to bypass "Middleboxes" or transparent proxies often found in hotels and cafes. Because the traffic stays on port 443, it blends in with the billions of other encrypted packets moving across the web. If you are using a Xiaomi device with HyperOS, you might notice that the built-in Mi Browser has its own DNS settings which can sometimes conflict with your system settings. I always recommend disabling these proprietary browser-level DNS features in favour of a single, trusted DoH provider configured in a privacy-focused browser like Firefox or through a dedicated app like RethinkDNS or NextDNS.
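The three sections above describe the same DNS message travelling three ways: readable on UDP/53, length-prefixed inside TLS on port 853 (DoT, RFC 7858), and base64url-encoded in an HTTPS request on port 443 (DoH, RFC 8484). The following Python is an added example, not code from the article or from any Android component; it builds a query locally, shows the hostname an on-path observer recovers from the plaintext form, produces the DoT framing and the DoH GET URL for the identical bytes, and parses a response that is constructed in the script (192.0.2.1 from the documentation address range). The dns.google template URL is only the default parameter; nothing here touches the network.

```python
"""Added example (not from the article): one DNS query as seen on UDP/53,
framed for DoT (RFC 7858) and encoded for DoH (RFC 8484). All bytes are
constructed locally; nothing is sent anywhere."""
import base64
import struct


def encode_qname(name: str) -> bytes:
    """Hostname -> DNS labels: each label length-prefixed, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard recursive query: 12-byte header (RD set), one question, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def decode_qname(msg: bytes, offset: int) -> tuple:
    """Read a name at offset, following RFC 1035 compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appeared in the stream)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, target
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def observed_qname(udp_payload: bytes) -> str:
    """Exactly what a passive observer on the path reads from a port-53 datagram."""
    qdcount = struct.unpack("!H", udp_payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    return decode_qname(udp_payload, 12)[0]


def dot_frame(dns_msg: bytes) -> bytes:
    """RFC 7858: inside the TLS session each message carries a 2-byte length prefix.
    An observer on port 853 sees only TLS records, never this content."""
    return struct.pack("!H", len(dns_msg)) + dns_msg


def doh_get_url(dns_msg: bytes, template: str = "https://dns.google/dns-query") -> str:
    """RFC 8484 GET form: base64url without '=' padding in the 'dns' parameter.
    On the wire this is an ordinary HTTPS request to port 443."""
    b64 = base64.urlsafe_b64encode(dns_msg).rstrip(b"=").decode("ascii")
    return f"{template}?dns={b64}"


def doh_message_from_url(url: str) -> bytes:
    """Server side of the GET form: restore the padding, decode the message."""
    b64 = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def constructed_response(query: bytes) -> bytes:
    """Hand-built answer (constructed, not from any resolver): A 192.0.2.1, TTL 300,
    answer name compressed to a pointer at the question (0xC00C)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


def parse_answer_ipv4(response: bytes) -> list:
    """Walk the question and answer sections and collect A-record addresses."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):
        offset = decode_qname(response, offset)[1] + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        _, offset = decode_qname(response, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata, offset = response[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


if __name__ == "__main__":
    q = build_query("example.com")
    print("plain UDP/53 exposes:", observed_qname(q))
    print("DoT length prefix (port 853):", dot_frame(q)[:2].hex(), "then the same message inside TLS")
    print("DoH request (port 443):", doh_get_url(q))
    print("parsed answer:", parse_answer_ipv4(constructed_response(q)))
```

The point to take from running it: the DoT and DoH functions wrap byte-for-byte the same message that `observed_qname` reads off a plain datagram. Whether the hostname is visible depends entirely on the transport, which is why the system-level and in-app settings discussed in the following sections matter.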
Which apps use which
The complexity of Android privacy stems from the fact that not all apps follow the same rules. My testing shows a clear split in how traffic is handled. Most standard apps—think Instagram, Spotify, or your banking app—rely on the Android "System Resolver." If you have configured Private DNS (DoT) in your Samsung or Pixel settings, these apps will use that encrypted path. They don't know or care that the DNS is encrypted; they simply ask the OS for an IP address and receive it. This is why having a system-level DoT configuration is your first line of defence.
However, many high-profile apps include their own internal DNS clients to bypass system settings for performance or tracking reasons. Google Chrome is the most prominent example; it can be configured to use its own DoH settings regardless of what your Android system settings say. Similarly, some social media apps and streaming services use "hardcoded" DNS servers to ensure their advertisements and content delivery networks (CDNs) aren't blocked by your Private DNS filter. During my tests on a Pixel 7 running the Android 15 beta, I found that even with a strict DoT provider set at the system level, some Chinese-manufactured apps attempted to bypass the system resolver entirely to reach their own servers via plaintext queries over port 53.
Furthermore, VPN apps change the rules completely. When you activate a VPN on Android 13 or 14, the VPN's DNS settings usually take precedence over your "Private DNS" configuration. If you use a reputable VPN like Mullvad or IVPN, they use their own encrypted DNS tunnels. However, if you use a poor-quality VPN, it might revert to the carrier's DNS, leading to a leak. On Samsung One UI 6.1, there is a specific setting under "More connection settings > VPN" where you can toggle "Block connections without VPN." This is essential if you want to ensure that no app—regardless of its internal DNS preferences—can communicate outside of your encrypted tunnel.
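The split described in this section (system-resolver apps, apps with built-in resolvers, VPNs) can be checked rather than guessed once you have per-app flow records, for instance from a local-VPN firewall app such as the RethinkDNS tool mentioned above. The Python below is an added example, not code from the article or from RethinkDNS; the flow-log format and every record in it are constructed here, and the list of public resolver addresses that answer DoH on 443 is an assumption. The key inference is the one the article makes: once Private DNS is in hostname mode, the system resolver never sends port-53 traffic, so any port-53 flow belongs to an app that has brought its own resolver.

```python
"""Added example (not from the article or RethinkDNS): classify per-app outbound
flows to find apps that resolve names on their own instead of through the system
resolver. Log format and all records below are constructed for this example."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumption: addresses of public resolvers that also answer DoH on TCP/443.
# DoH to any endpoint not listed here looks like ordinary HTTPS, which is
# precisely why DoH is hard to block and equally hard to audit from outside.
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4",
                       "9.9.9.9", "149.112.112.112"}

# Constructed flow export: "<unix_ts> <package> <proto> <dst_ip> <dst_port>".
SAMPLE_FLOWS = """\
# ts app proto dst port
1716897600 com.instagram.android TCP 203.0.113.8 443
1716897601 com.example.streamer UDP 203.0.113.53 53
1716897602 com.android.chrome TCP 8.8.8.8 443
1716897603 com.example.streamer TCP 203.0.113.10 443
1716897604 com.example.vendorapp UDP 198.51.100.2 53
1716897605 org.mozilla.firefox TCP 1.1.1.1 443
1716897606 com.example.messenger TCP 9.9.9.9 853
1716897607 com.example.vendorapp TCP 198.51.100.2 53
"""


@dataclass(frozen=True)
class Flow:
    app: str
    proto: str
    dst_ip: str
    dst_port: int


def parse_flow_line(line: str) -> Optional[Flow]:
    """One record per line; comments and malformed lines are skipped, never guessed."""
    parts = line.split()
    if len(parts) != 5 or line.lstrip().startswith("#"):
        return None
    _ts, app, proto, dst_ip, port = parts
    try:
        ipaddress.ip_address(dst_ip)
        return Flow(app, proto.upper(), dst_ip, int(port))
    except ValueError:
        return None


def classify(flow: Flow) -> str:
    """Map a flow to the DNS transport it implies. With Private DNS in hostname
    mode the system resolver never uses port 53, so a port-53 flow means an
    app-level resolver that bypasses the system setting."""
    if flow.dst_port == 53:
        return "plaintext-dns"
    if flow.proto == "TCP" and flow.dst_port == 853:
        return "dot"
    if flow.proto == "TCP" and flow.dst_port == 443 and flow.dst_ip in KNOWN_DOH_RESOLVERS:
        return "doh-probable"
    return "other"


def audit(log_text: str) -> dict:
    """{package: sorted DNS transports seen}; ordinary traffic is left out."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        flow = parse_flow_line(line)
        if flow is None:
            continue
        kind = classify(flow)
        if kind != "other":
            seen[flow.app].add(kind)
    return {app: sorted(kinds) for app, kinds in seen.items()}


def bypassing_apps(log_text: str) -> list:
    """Packages that sent cleartext DNS despite a system-level encrypted resolver."""
    return sorted(app for app, kinds in audit(log_text).items() if "plaintext-dns" in kinds)


if __name__ == "__main__":
    for app, kinds in audit(SAMPLE_FLOWS).items():
        print(f"{app:28} {', '.join(kinds)}")
    print("bypassing the system resolver:", bypassing_apps(SAMPLE_FLOWS))
```

Two things the sample output makes concrete: the "doh-probable" verdict only fires for resolvers you already know, so a browser pointed at an unlisted DoH endpoint is indistinguishable from its other HTTPS flows; and when a VPN is active the VPN app itself will own most of these flows, which is why the "Block connections without VPN" toggle is the simpler control on devices that have it.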
System override behaviour
An often misunderstood aspect of Android network privacy is the hierarchy of settings. If you have both a system-wide Private DNS (DoT) and an in-app DNS (DoH) configured, which one wins? Usually, the app-specific setting takes precedence. For example, if your Pixel 8 is set to use Cloudflare (1dot1dot1dot1.cloudflare-dns.com) via Private DNS, but your Chrome browser is set to use Google DNS via the "Secure DNS" toggle, Chrome will query Google while your Instagram app will query Cloudflare. This creates a fragmented privacy profile that can be difficult to manage.
There is also the "Automatic" mode to consider. In Android 13, 14, and 15, if you leave Private DNS on "Automatic," the OS will try to upgrade to an encrypted DoT connection only if your current network's DNS server supports it. If it doesn't, it silently reverts to plaintext. This is a massive privacy hole. On my Xiaomi 14 Ultra, "Automatic" mode frequently failed to upgrade the connection on older home routers, leaving my traffic exposed without any warning. I strongly advise moving away from "Automatic" and instead selecting "Private DNS provider hostname" to force encryption. If the connection fails, you will know immediately because your internet will stop working, rather than failing silently into an insecure state.
Android 15 introduces more robust handling for these overrides, particularly in how it manages "DoH templates." This allows the OS to more easily switch between DoT and DoH based on network conditions without user intervention. However, for the privacy-conscious user, the rule remains: manual configuration is superior to automated "smart" switching. On Samsung devices, be wary of "Intelligent Wi-Fi" features found in the Galaxy Labs menu, as these can occasionally bypass your manual DNS settings in an attempt to "optimise" your connection speed when the signal is weak.
Recommended setup
For the best balance of privacy and reliability, I recommend a multi-layered approach that covers both DoT and DoH. First, set a system-wide Private DNS (DoT) using a trusted, no-logs provider:
1. Go to your Private DNS settings (Settings > Network & internet > Private DNS on Pixel; Connections > More connection settings > Private DNS on Samsung).
2. Choose "Private DNS provider hostname."
3. Enter "p2.freedns.kontur.io" for high privacy, or "dns.quad9.net" for a balance of security and speed.
This secures the majority of your apps and the OS itself.
Second, harden your browser with DoH. Regardless of your system settings, open your primary browser (Chrome, Brave, or Firefox) and manually select a secure DNS provider. This ensures that even on restricted networks where port 853 (DoT) might be blocked, your web browsing remains encrypted via port 443 (DoH). If you use a Samsung device, I also recommend going to Settings > Security and privacy > More security settings and ensuring that "Secure Wi-Fi" is disabled if you already have a DNS provider set, as Samsung’s built-in service can sometimes override your custom configurations with its own sponsored DNS servers.
Finally, for advanced users on Android 14 or 15, consider using an app like RethinkDNS. This allows you to monitor exactly which apps are trying to bypass your DNS settings. It acts as a local VPN interface that intercepts all traffic and forces it through a DoH or DoT resolver of your choice, effectively giving you a "firewall" view of your device's network activity. As we move toward Android 16 and beyond, we expect Google to further integrate DoH into the core system settings, eventually making the distinction between these two protocols invisible to the average user while providing maximum security by default.
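The system-level half of this setup can be verified (and, if you prefer, applied) over adb instead of tapping through three different OEM menus, which also makes the quarterly recheck a one-liner. The Python below is an added example, not code from the article; `private_dns_mode` and `private_dns_specifier` are real Android Settings.Global keys, and `opportunistic` is the stored value behind the UI's "Automatic" option. Treating an unset mode as Automatic follows the platform default. adb on PATH with an authorised device is an assumption; the evaluation function itself needs no device, and the audit is what flags the silent "Automatic" fallback described under System override behaviour.

```python
"""Added example (not from the article): audit, and optionally set, Android's
Private DNS state over adb. The settings keys are real Settings.Global keys;
adb on PATH and an authorised device are assumptions of this script."""
import subprocess
from typing import Optional, Tuple

MODE_KEY = "private_dns_mode"            # "off" | "opportunistic" (UI: Automatic) | "hostname"
SPECIFIER_KEY = "private_dns_specifier"  # resolver hostname used in "hostname" mode


def evaluate_private_dns(mode: Optional[str], specifier: Optional[str]) -> Tuple[str, str]:
    """Return (verdict, reason) for a mode/specifier pair as 'settings get' reports them.
    An unset mode is treated as Automatic, which is the platform default (assumption)."""
    mode = (mode or "").strip().lower()
    specifier = (specifier or "").strip()
    if specifier == "null":  # 'settings get' prints the literal word for an unset key
        specifier = ""
    if mode == "hostname" and specifier:
        return "ok", f"strict DoT to {specifier}; a failure is loud, never a plaintext fallback"
    if mode == "hostname":
        return "broken", "hostname mode with no provider set; lookups will fail"
    if mode in ("", "opportunistic"):
        return "risky", "Automatic: DoT only if the network resolver offers it, otherwise plaintext"
    if mode == "off":
        return "risky", "Private DNS off: every system lookup is cleartext UDP/53"
    return "unknown", f"unrecognised mode value {mode!r}"


def read_global_setting(key: str, adb: str = "adb") -> Optional[str]:
    """'adb shell settings get global <key>'; None when the key is unset."""
    out = subprocess.run([adb, "shell", "settings", "get", "global", key],
                         capture_output=True, text=True, check=True).stdout.strip()
    return None if out in ("", "null") else out


def set_strict_dot(hostname: str, adb: str = "adb") -> None:
    """Force 'Private DNS provider hostname' mode; same effect as the Settings UI path.
    The specifier is written first so the device never sits in hostname mode without one."""
    for key, value in ((SPECIFIER_KEY, hostname), (MODE_KEY, "hostname")):
        subprocess.run([adb, "shell", "settings", "put", "global", key, value], check=True)


def audit_device(adb: str = "adb") -> Tuple[str, str]:
    """Read both keys from the connected device and evaluate them."""
    return evaluate_private_dns(read_global_setting(MODE_KEY, adb),
                                read_global_setting(SPECIFIER_KEY, adb))


if __name__ == "__main__":
    verdict, reason = audit_device()
    print(f"{verdict}: {reason}")
```

Run the audit after every OEM update; a verdict of "risky" with the Automatic reason is exactly the state the article warns about, where the toggle looks enabled but the device will happily drop to cleartext on a router that lacks DoT. The browser-level DoH setting has no equivalent global key and still has to be checked inside the browser.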
Key takeaways
- Plain DNS leaks: moving off cleartext port 53 is the fastest win, so start there.
- DoT (Android's Private DNS): use "Private DNS provider hostname"; "Automatic" silently falls back to plaintext when the network's resolver lacks DoT.
- DoH (per-app encrypted DNS): enable secure DNS in your browser so web lookups stay encrypted on port 443 even where port 853 is blocked.
- Which apps use which: apps with built-in resolvers and VPNs override the system setting; use "Block connections without VPN" or RethinkDNS to see who bypasses it.
- Recheck these settings quarterly; OEM updates can reset toggles.
Frequently asked questions
- Does changing these settings break apps?
- Almost never. Modern Android apps must handle a denied permission or restricted access gracefully — they either skip the feature or prompt again when needed.
- Will this drain my battery?
- No. If anything, restricting background access and disabling tracking pipelines reduces battery and data usage.
- Do these steps apply to Android 13, 14 and 15?
- Yes. The menu paths shift slightly between versions and OEM skins (Pixel/stock, Samsung One UI, Xiaomi HyperOS), but the underlying controls behave the same.