Private DNS on Android: Block Trackers at the System Level

Every time you open an app or visit a website, your phone sends a request to find the specific IP address associated with that service. By default, your Internet Service Provider (ISP) handles these requests via their Domain Name System (DNS) servers. This gives your ISP a complete map of your online activity, which is often logged and monetised. Using a private DNS android configuration allows you to bypass these standard servers, encrypting your requests and filtering out tracking domains before they ever reach your device's browser or applications.

I have spent the last week testing various DNS configurations across my Pixel 8 Pro on Android 15, a Samsung Galaxy S24 running One UI 6.1, and a Xiaomi 14 Ultra with HyperOS. Setting up a private DNS android host is perhaps the single most effective "set and forget" privacy tweak available. It doesn't just hide your browsing history from your ISP; if you choose the right provider, it can block adverts, trackers, and known malware sites across every single app on your phone, without requiring a permanent VPN connection or significant battery drain.

What Private DNS does

In technical terms, the Private DNS feature in Android uses a protocol called DNS over TLS (DoT). Without this, your DNS queries are sent in plain text, meaning anyone on your local Wi-Fi network or your mobile carrier can see that you are connecting to a specific bank, medical site, or social media platform. By enabling this feature, your phone establishes an encrypted tunnel to a specific provider. This ensures that even if the connection itself is intercepted, the contents of the DNS request remain unreadable to third parties.

Beyond encryption, the real power of Private DNS on Android 13, 14, and 15 is the ability to use "filtering" servers. While a standard DNS server simply tells your phone where a website is located, a filtering DNS checks that request against a blacklist of known advertising and tracking servers. If an app tries to load a tracking script from a company like DoubleClick or AppLovin, the DNS server returns a "null" address. The result is that the advert never loads, saving you data and preventing that tracker from profiling your device's behaviour.

It is important to understand that this happens at the system level. Unlike a browser extension that only works in Chrome or Firefox, a private DNS android setting applies to the entire operating system. This includes "baked-in" system apps, games that usually show annoying video ads, and social media platforms that try to ping tracking servers in the background. On modern Android versions, this protocol is highly efficient and designed to hand off between Wi-Fi and mobile data seamlessly, unlike older VPN-based ad blockers that often struggle during network transitions.

Choosing a provider

The effectiveness of your privacy setup depends entirely on the hostname you enter. If you just want encryption without filtering, Google (dns.google) and Cloudflare (one.one.one.one) are popular choices, but they won't block any ads. For those looking to eliminate trackers, AdGuard DNS and NextDNS are the industry leaders. AdGuard offers a simple, free "Default" server (dns.adguard-dns.com) that blocks ads and tracking out of the box with zero configuration required. It is an excellent starting point for those who want immediate results without creating accounts.

For users who want more granular control, configuring NextDNS android settings is the gold standard. NextDNS allows you to create a custom profile on their website where you can toggle specific blocklists, whitelist certain domains that might break, and view real-time analytics of what your phone is trying to "phone home" to. When you use NextDNS, they provide you with a unique ID that you incorporate into your hostname (e.g., [your-id].dns.nextdns.io). This level of customisation is particularly useful on Android 14 and 15, as you can see exactly which apps are the most "chatty" regarding data collection.

Another strong contender is Quad9 (dns.quad9.net), which focuses heavily on security. Quad9 is a Swiss-based non-profit that blocks malicious domains, phishing sites, and spyware. While it doesn't block standard commercial adverts as aggressively as AdGuard or NextDNS, it provides a very high level of protection against digital threats. When choosing, consider your priority: if it's pure ad-blocking, go with AdGuard; if it's customisation and data logs, choose NextDNS; if it's high-level security and neutrality, choose Quad9.

Setting it up

The setup process is remarkably consistent across most modern Android devices, though the menu names vary slightly. On a standard Pixel device running Android 14 or 15, the path is straightforward. 1. Open Settings. 2. Tap Network & internet. 3. Scroll to the bottom and tap Private DNS. 4. Select the radio button for "Private DNS provider hostname". 5. Type in your chosen address, such as dns.adguard-dns.com or your custom NextDNS URL. 6. Hit Save. If you have typed it correctly, you will see the hostname listed as "Active" or "Connected".

If you encounter an error saying "Could not connect" immediately after saving, it is usually due to a typo in the hostname or a restrictive firewall on your current Wi-Fi network. Some corporate or school networks block the port used for DNS over TLS (Port 853). If this happens, your phone may lose internet connectivity entirely while Private DNS is set to "On". In these cases, you must switch the setting back to "Automatic" or "Off" until you are on a more open network. On Android 15, the system is slightly better at notifying you when a Private DNS server is unreachable compared to older versions.

A pro-tip for power users: if you frequently switch between networks that block DoT and those that don't, you can use a "Quick Settings" tile to toggle Private DNS. While this isn't a native feature on all phones, apps like "QuickSettings" or "Tasker" can be used to create a shortcut. This prevents the frustration of having to dive deep into the settings menu every time you connect to a public Wi-Fi hotspot that uses a captive portal (the "Log in to Wi-Fi" page), which often break when Private DNS is active.

Where to find it on each OEM

Samsung’s One UI 6.1 and the upcoming One UI 7 (Android 15) bury this setting slightly differently than the Pixel. 1. Go to Settings. 2. Tap Connections. 3. Tap More connection settings. 4. Tap Private DNS. Samsung also includes a "Search" icon in the top right of the Settings app; typing "DNS" here is the quickest way to find it if you get lost. On Galaxy devices, the implementation is very stable, but I have noticed that Samsung's "Data Saver" mode can occasionally interfere with third-party DNS resolution if not configured correctly.

On Xiaomi, POCO, or Redmi devices running HyperOS or the older MIUI 14, the menu is found under the sharing section. 1. Open Settings. 2. Tap Connection & sharing. 3. Tap Private DNS. Xiaomi devices often default to "Auto", which usually means they use whatever the router provides. Be aware that some Xiaomi "Security" features might flag custom DNS settings as a network risk, but you can safely ignore these warnings as long as you are using a reputable provider like AdGuard or Quad9. HyperOS has kept this path consistent with MIUI, making it relatively easy to find.

Other manufacturers like OnePlus (OxygenOS) and Motorola generally follow the Pixel path (Settings > Network & internet). On Android 13 and above, if you cannot find the setting, always use the search bar at the top of your Settings menu. One quirk I've noted across different OEMs is how they handle "Automatic" mode. In "Automatic" mode, the phone will attempt to use DoT if the network's local DNS server supports it. However, since most home routers and ISP equipment do not support DoT, "Automatic" usually results in an unencrypted connection. This is why explicitly setting a "Private DNS provider hostname" is mandatory for privacy.

Verifying it's working

Once you have entered the hostname and saved the settings, you need to confirm that your traffic is actually being routed correctly. The most reliable way is to use a web-based leak test. Open your browser and visit a site like "browserleaks.com/dns" or "dnsleaktest.com". If the setup is working, you should see the name of your chosen provider (e.g., "AdGuard" or "NextDNS") and a location that likely differs from your actual ISP’s server location. If you see your ISP’s name (like BT, Virgin Media, or Comcast), the Private DNS is either not configured correctly or is being bypassed.

Specific providers also have their own verification pages. For AdGuard, you can go to "adguard-dns.io/en/welcome.html" which will give you a clear "Running" or "Not running" status. For NextDNS, visiting "test.nextdns.io" will provide a JSON output that confirms your "status" as "ok" and tells you which protocol (DoT) you are using. If you are using a blocking DNS, another simple test is to visit a known (but safe) advertising domain in your browser. If the page fails to load or shows a "DNS_PROBE_FINISHED_NXDOMAIN" error, the filter is successfully doing its job.

On Android 14 and 15, you can also check the connection status within the Settings menu itself. Under the Private DNS entry, it will often say "Connected" in small text underneath the provider's name. If it says "Couldn't connect," your phone has reverted to standard, unencrypted DNS to maintain your internet connection. This often happens if you have a typo in the hostname, such as leaving a space at the end or forgetting a dot. Always double-check that the string is exactly as provided by the service.

What Private DNS doesn't block

While Private DNS is a powerful tool, it is not a silver bullet for Android privacy. Because it works by blocking domain names, it can only stop an app from connecting to a server if that server is used exclusively for ads or tracking. It cannot block adverts that are served from the same domain as the content you want. For example, YouTube ads are served from the same domains as the videos themselves; therefore, Private DNS cannot block YouTube ads without breaking the video playback entirely. The same applies to sponsored posts in the Instagram or Facebook apps.

Furthermore, Private DNS does not hide your IP address from the websites you visit. Unlike a VPN, which masks your origin by routing all traffic through a secondary server, DNS only handles the "address book" part of the connection. Once your phone knows the IP address of a website, it connects to it directly using your real local IP. For complete anonymity, you would need to layer a VPN or Tor on top of your DNS settings. Additionally, some apps use "hardcoded" DNS, meaning they ignore the system's Private DNS settings and talk directly to their own servers (Google apps are occasionally guilty of this), though this is becoming harder for apps to do on newer Android versions.

Finally, Private DNS doesn't encrypt your actual data traffic—it only encrypts the DNS queries. While most web traffic today is already encrypted via HTTPS, the DNS query is just one piece of the privacy puzzle. Despite these limitations, implementing a private DNS android strategy remains the most efficient way to clean up your mobile experience and stop the constant flow of telemetry data to third-party brokers. As Android 15 rolls out, we expect to see even better integration and perhaps more "Quick Setting" options to make this vital privacy tool even more accessible to the average user.