What Is Private DNS?
By default, a DNS query is a plaintext UDP or TCP packet sent to port 53, structured per RFC 1035. Anyone positioned between your device and the resolver — your ISP, a café router, a compromised network — can read exactly which domain you're looking up, even if the connection to the site itself is later encrypted with HTTPS. That visibility is what private DNS is built to close.
Google introduced "Private DNS" as a named, user-facing setting in Android 9 (Pie, SDK level 28), released September 2018. It lets a device send DNS queries to a specific resolver over an encrypted channel instead of accepting whatever unencrypted resolver the network assigns via DHCP. The same underlying capability exists on other platforms — Windows 11, iOS 14+, and most Linux distributions via systemd-resolved all support DoT or DoH — but "Private DNS" as a term is specifically Android's name for it, which is why the keyword is so tightly associated with Android search intent.
Private DNS is not a separate DNS server type or a VPN feature. It's a transport-layer change: the same A, AAAA, MX, and TXT records get resolved, through the same recursive-resolution process described in How DNS Caching Works — only the query itself travels encrypted instead of in the clear.
How Does Private DNS Work? DoT vs. DoH vs. DNSCrypt
Three protocols implement encrypted DNS in practice, and Android's Private DNS setting can use two of them:
-
DNS-over-TLS (DoT) — defined in RFC 7858 (May 2016). Wraps a standard DNS query in a TLS session over TCP port 853, a dedicated port reserved for this purpose. The RFC explicitly states DoT clients and servers "MUST NOT" use port 853 for cleartext DNS — the port itself signals encryption. Because it runs on its own port, DoT is trivial for a network operator to block by filtering port 853, without touching normal web traffic.
-
DNS-over-HTTPS (DoH) — defined in RFC 8484 (October 2018). Wraps the DNS query as an HTTPS request — GET or POST to a resolver endpoint like
https://dns.google/dns-query— over standard port 443, the same port all other HTTPS traffic uses. Because DoH is indistinguishable from ordinary HTTPS traffic at the network level, it's much harder to selectively block than DoT. -
DNSCrypt — not an IETF standard and has no RFC number. It's a community-maintained protocol that both encrypts and authenticates DNS traffic, typically over port 443 or 8443. Android's Private DNS setting does not support DNSCrypt; it only accepts a DoT/DoH-capable hostname.
On Android, the user-facing setting only ever asks for a hostname — it never asks you to pick DoT or DoH explicitly. By default Android negotiates DoT to that hostname. Since Android 11 (SDK level 30), a Google Play system update lets the device transparently upgrade the connection to DNS-over-HTTP/3 (DoH3, built on QUIC) when the resolver advertises support, without any change to the Settings UI, per Google's Online Security Blog. This is a detail most guides skip: entering a hostname doesn't lock you to one wire protocol — Android picks the strongest one your resolver and device both support.
You can inspect the raw handshake yourself outside of Android to see what's actually happening on the wire:
# Inspect the DoT TLS handshake to Cloudflare's resolver on port 853
openssl s_client -connect 1.1.1.1:853 -servername cloudflare-dns.com
# Query over DNS-over-HTTPS using curl's built-in DoH support (curl 7.62+)
curl --doh-url https://dns.google/dns-query https://example.com -v
The first command shows a standard TLS 1.3 handshake against port 853 — the certificate presented belongs to cloudflare-dns.com, confirming the resolver's identity before any query is sent. The second sends example.com's A-record lookup through Google's DoH endpoint instead of your system resolver, and -v will show the HTTPS request/response instead of a plain UDP exchange.
Popular Private DNS Providers (Reference Table)
Every major public resolver that supports encrypted DNS publishes a specific hostname for Android's "Private DNS provider hostname" field:
| Provider | Private DNS Hostname | Port | Notes |
|---|---|---|---|
| Cloudflare | one.one.one.one | 853 (DoT) / 443 (DoH) | Filtered variants: security.cloudflare-dns.com (malware), family.cloudflare-dns.com (malware + adult content) |
| Google Public DNS | dns.google | 853 (DoT) / 443 (DoH) | Unfiltered; DoH endpoint is https://dns.google/dns-query |
| Quad9 | dns.quad9.net | 853 (DoT) / 443 (DoH) | Blocks known-malicious domains by default at the resolver level |
| NextDNS | <config-id>.dns.nextdns.io | 853 (DoT) / 443 (DoH) | Per-account config ID gives fully customizable, logged blocklists |
| AdGuard DNS | dns.adguard-dns.com | 853 (DoT) / 443 (DoH) | Blocks ads and trackers by default at the resolver level |
Interpretation: all five accept the exact same hostname whether Android negotiates DoT or upgrades to DoH/DoH3 — the provider, not the user, decides which encrypted protocols a given hostname supports.
How to Set Up Private DNS on Android
-
Open Settings → Network & Internet → Advanced → Private DNS. The exact path varies slightly by OEM skin (Samsung, Pixel, and OnePlus all place it one level deep differently), but the setting is always under the network/internet section.
-
Choose "Private DNS provider hostname" from the three available modes: Off (no private DNS, network default applies), Automatic (Android opportunistically tries DoT if the network's assigned resolver supports it, silently falling back to plaintext if not), and Private DNS provider hostname (you specify an exact resolver).
-
Enter a hostname from the table above, for example
one.one.one.one, and tap Save. -
Android tests connectivity immediately. It opens a TLS connection to the hostname on port 853 before applying the setting; if that test fails, it shows an error rather than silently leaving you unprotected.
-
Confirm the status. A working configuration shows the hostname with no error banner. If you see "Private DNS server cannot be accessed," see the troubleshooting section below before assuming the setting failed for good.
Private DNS vs. VPN vs. Public DNS: What's the Difference?
These three get conflated constantly because all three change "which server handles my internet," but they protect completely different things:
| Encrypts DNS queries | Hides your IP from destination sites | Encrypts app/browser traffic | Changes apparent location | |
|---|---|---|---|---|
| Public DNS (e.g., 8.8.8.8 without DoT) | No | No | No | No |
| Private DNS (DoT/DoH) | Yes | No | No | No |
| VPN | Yes (tunneled) | Yes | Yes | Yes |
Switching to a public resolver like 8.8.8.8 or 1.1.1.1 without enabling Private DNS only changes who answers your DNS queries — the query itself is still sent in plaintext over port 53 unless you also configure DoT/DoH. Private DNS closes that specific gap: the lookup is encrypted, but the site you connect to afterward still sees your real IP address, and your ISP can still see which IP addresses you're connecting to even if it can't see the domain name behind them (unless the connection also uses Encrypted Client Hello, which most sites don't yet support). A VPN is the only one of the three that tunnels all traffic — DNS included — through an encrypted connection and replaces your visible IP address entirely.
Why Does "Private DNS Server Cannot Be Accessed" Happen?
This is the single most common complaint tied to this feature, and it almost always traces to one of five causes:
Problem: Hostname typo.
Cause: a single mistyped character in the hostname field — most common with long provider-specific hostnames like NextDNS's <config-id>.dns.nextdns.io.
Fix: re-copy the hostname exactly from the provider's setup page rather than retyping it.
Problem: Port 853 is blocked on the current network. Cause: school, workplace, and some public Wi-Fi networks block outbound port 853 specifically to force plaintext DNS they can monitor or filter, while leaving port 443 (DoH) open. Fix: switch to a resolver's DoH-capable hostname where the network allows it, or wait until you're on an unrestricted network — there's no client-side fix for a network-level port block.
Problem: A VPN is active at the same time. Cause: most VPN apps take over DNS resolution for the device and route it through their own tunnel, which conflicts with Android's separate Private DNS negotiation. Fix: disable Private DNS while the VPN is active, or check whether your VPN app has its own DNS-over-TLS/HTTPS option instead.
Problem: The resolver itself is temporarily down. Cause: maintenance or an outage at the provider you configured. Fix: try a different provider from the table above to confirm it's provider-side, then switch back once resolved.
Problem: No working internet connection at all when the check runs. Cause: Android tests port 853 reachability as part of validating the setting — if the device has no connectivity, the test fails and reports the same error message regardless of cause. Fix: confirm basic connectivity first (load any website) before troubleshooting the DNS setting itself.
If your device relies on a local DNS server that stopped responding entirely rather than a Private DNS misconfiguration, see Fix "DNS Server Not Responding" for the broader diagnosis path.
How to Verify Private DNS Is Actually Working
Because the encryption happens on-device before the query ever leaves your phone, you can't inspect it directly from a website-based tool — but you can verify the resolver is doing its job correctly:
- Check the Settings status first. "Connected" under Private DNS confirms the TLS handshake to your chosen hostname succeeded.
- Cross-check a known record with the DNS Lookup tool. If a domain resolves to a different IP on your phone than the DNS Lookup tool shows for the same domain, something upstream — a captive portal, a hijacked local resolver, or a misconfigured Private DNS provider — is intercepting or overriding your queries.
- Use the NS Lookup tool to confirm a domain's real authoritative nameservers if you suspect DNS manipulation rather than a Private DNS problem specifically.
- Run the DNS Propagation Checker if results seem inconsistent between your device and other networks — it queries dozens of resolvers globally and shows whether the discrepancy is regional caching rather than your Private DNS setting.
- Confirm PTR consistency with the Reverse DNS tool when troubleshooting mail or connectivity issues that only appear on the Private-DNS-enabled connection.
Key Takeaways
- ✓ Private DNS encrypts the DNS query itself — using DoT (RFC 7858, port 853) or DoH (RFC 8484, port 443) — it does not encrypt any other traffic.
- ✓ Android introduced it as "Private DNS" in Android 9 (SDK 28); since Android 11 (SDK 30) it can transparently upgrade to DoH3 over QUIC for supporting resolvers.
- ✓ It is not a VPN: your IP address and non-DNS traffic remain unprotected and visible to destination sites and your ISP.
- ✓ "Private DNS server cannot be accessed" is most often a blocked port 853, an active VPN, or a typo — not a broken device.
- ✓ Every major encrypted resolver (Cloudflare, Google, Quad9, NextDNS, AdGuard) publishes a specific hostname you enter directly into Android's "Private DNS provider hostname" field.
Frequently Asked Questions
Q: What is private DNS in simple terms?
It's a setting that sends your DNS lookups to a chosen resolver over an encrypted connection (DoT or DoH) instead of the plaintext DNS your network provides by default, so third parties on the network can't see which domains you're looking up.
Q: Is private DNS the same as a VPN?
No. Private DNS only encrypts the DNS query. A VPN encrypts and tunnels all of your traffic and hides your IP address; private DNS does neither of those things.
Q: What's the difference between DoT and DoH?
DoT (RFC 7858) runs on a dedicated port, 853, making it easy to block at the network level. DoH (RFC 8484) runs on port 443, the same port as normal HTTPS traffic, so it's much harder for a network to selectively block.
Q: Which Android version supports private DNS?
Android 9 (SDK 28) and later. Android 11 (SDK 30) and later can additionally upgrade the connection to DNS-over-HTTP/3 automatically via a Google Play system update.
Q: Why does my phone say "Private DNS server cannot be accessed"?
Usually a typo in the hostname, port 853 blocked by the current network, an active VPN taking over DNS, or the resolver being temporarily down — rarely a permanent device fault.
Q: Does private DNS slow down my internet?
The TLS handshake adds a small amount of latency to the first query to a new domain, typically single-digit milliseconds on modern networks, and subsequent lookups are cached exactly as with unencrypted DNS.
Q: Can my ISP still see what I do if I use private DNS?
Your ISP can no longer read the domain names in your DNS queries, but it can still see the IP addresses your device connects to afterward and, in most cases, the destination hostname via the unencrypted TLS SNI field unless the site also supports Encrypted Client Hello.
Q: Should I turn on private DNS?
If your device supports it and you want your ISP or local network operator unable to log your DNS lookups, yes — it's a low-risk, no-cost change. It doesn't replace a VPN if hiding your IP address or encrypting all traffic is the goal.