GHOSTPORT

DNS: The Privacy Hole Nobody Talks About

Every website you visit starts with a question your ISP can read.
March 28, 2026 • GhostPort Technologies

You've probably heard advice like "use HTTPS" and "enable incognito mode" and "get a VPN." All reasonable steps. But there's a fundamental layer of internet privacy that almost nobody talks about, and it undermines everything else you do.

It's called DNS, and it's the biggest privacy hole in your internet connection.

What DNS Actually Is (Simply)

DNS stands for Domain Name System. Think of it as the internet's phone book. When you type "reddit.com" into your browser, your device doesn't know where Reddit actually lives on the internet. It needs to look up Reddit's IP address — a number like 151.101.129.140 — before it can connect.

That lookup is a DNS query. And it happens before anything else — before the page loads, before HTTPS encrypts the connection, before the website even knows you're coming.

  1. You type "reddit.com" in your browser.
  2. Your device sends a DNS query: "What's the IP for reddit.com?"
  3. The query goes to a DNS resolver (by default, your ISP's).
  4. The resolver responds with the IP address.
  5. Your browser connects to Reddit using that IP.
  6. Your ISP just logged that you visited Reddit — before the page even loaded.

By default, DNS queries are sent in plaintext. Completely unencrypted. Your ISP can read every single one. It's like sending a postcard with every website you want to visit written on the front, then expecting nobody to read it because the website itself uses HTTPS.

What Your ISP Sees Through DNS

Even though most websites now use HTTPS (which encrypts the content of the page), the DNS query that precedes every connection is typically unencrypted. Your ISP can see:

Every domain you visit: reddit.com, webmd.com, bankofamerica.com, pornhub.com — every single one.

When you visit: Timestamped to the millisecond. They know your browsing patterns better than you do.

Which device asked: DNS queries include the source IP, which maps to a specific device on your network.

How often: Visit a site 50 times a day? They know. Check a health condition at 3am? Logged.

Even in incognito mode: Private browsing prevents local history. It does nothing to hide DNS queries from your ISP.

HTTPS protects the content of your communication. DNS reveals who you're communicating with. For most surveillance and advertising purposes, who you're talking to is far more valuable than what you're saying.

Why Changing to 8.8.8.8 Isn't Enough

The most common advice you'll find online is to change your DNS resolver from your ISP's default to something like Google (8.8.8.8), Cloudflare (1.1.1.1), or Quad9 (9.9.9.9). This is better than nothing, but it has real problems.

Google DNS (8.8.8.8): Google's privacy policy states they log your IP address and query data temporarily (24-48 hours for full logs, permanent for anonymized data). Google's business model is advertising. Connect the dots.

Still Unencrypted: Changing DNS servers doesn't encrypt the query. Your ISP can still read the plaintext DNS request as it passes through their network — they just can't see the response.

Only One Device: Changing DNS on your laptop doesn't change it on your phone, TV, gaming console, or IoT devices. Each device needs to be configured individually.

ISP DNS Hijacking: Some ISPs intercept DNS queries to port 53 regardless of what server you've configured. They redirect your query to their own resolver. Your settings are silently overridden.

Changing your DNS server is like changing which phone company handles your calls but still making those calls on an unencrypted radio frequency. You've moved your trust from one party to another, and the conversation is still audible to anyone listening in between.

DNS-over-HTTPS and DNS-over-TLS: The Real Fix

DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) are protocols that encrypt the DNS query itself. Instead of sending "What's the IP for reddit.com?" in plaintext, the question is wrapped in encryption before leaving your device.

DNS-over-HTTPS (DoH) sends DNS queries inside HTTPS (port 443), making them look like regular web traffic. Your ISP can't distinguish a DNS query from normal browsing. It's the harder protocol to block or intercept.

DNS-over-TLS (DoT) uses a dedicated port (853) with TLS encryption. Slightly easier for ISPs to identify and potentially block, but equally encrypted.
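To make the plaintext problem concrete (and what DoH changes about it), here is an added example, not GhostPort's code: it builds the same "What's the IP for reddit.com?" query a stub resolver sends over UDP/53, shows that anyone on the path can read the name straight out of the packet, and then produces the RFC 8484 GET form that a DoH client sends inside TLS. The `/dns-query` path is the common resolver template and is assumed here.

```python
"""Added example: one DNS question, as seen on port 53 and as wrapped for DoH."""
import base64
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build an RFC 1035 A-record query exactly as a stub resolver sends it over UDP/53."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # ID, flags RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)            # QTYPE=A, QCLASS=IN

def read_qname(msg: bytes) -> str:
    """Recover the queried name from the raw packet, as any on-path observer can."""
    pos, labels = 12, []                       # question section starts after the 12-byte header
    while msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:                           # compression pointers never appear in a question
            raise ValueError("unexpected compression pointer in question section")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def doh_get_path(msg: bytes) -> str:
    """RFC 8484 GET form: message ID zeroed (cache friendly), base64url without padding."""
    wire = b"\x00\x00" + msg[2:]
    return "/dns-query?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")

def doh_path_to_message(path: str) -> bytes:
    """Inverse of doh_get_path, used to confirm the encoding round-trips."""
    b64 = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))

if __name__ == "__main__":
    q = build_query("reddit.com")
    print("plaintext query bytes:", q.hex())
    print("on-path observer reads:", read_qname(q))   # the domain, in the clear
    # With DoH this request line travels only inside TLS to the resolver on port 443;
    # the ISP sees a TLS connection to the resolver, not the name being asked about.
    print("DoH request line: GET", doh_get_path(q))
```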

With encrypted DNS, your ISP sees that you're making connections, but not where you're going.

They know data is flowing. They can't read the DNS queries inside. The domain names — the phone book lookups — are hidden.

This is the difference between your ISP knowing everything you browse and your ISP knowing you use the internet.

Firefox and Chrome both support DoH natively, and you can enable it in their privacy settings. But this only protects DNS queries from that specific browser on that specific device. Your other browsers, apps, smart TV, and every IoT device in your house are still sending plaintext DNS.

Why It Has to Happen at the Router

The average American household has over 17 connected devices. Smartphones, laptops, tablets, smart TVs, gaming consoles, smart speakers, thermostats, cameras, light bulbs. Most of these devices don't let you configure DNS settings, let alone enable encrypted DNS.

Your Roku doesn't have a DNS-over-HTTPS setting. Your Ring doorbell doesn't let you choose a DNS resolver. Your kid's Nintendo Switch is hardcoded to use whatever DNS the network provides.

  1. Browser DoH protects one browser on one device.
  2. System-level DNS change protects one device (if the OS supports it).
  3. Router-level encrypted DNS protects every device on your network.
  4. Every new device that joins your WiFi is automatically covered.
  5. No per-device configuration. No apps. No settings to remember.

When encrypted DNS runs at the router, it doesn't matter what device connects or what settings it has. The router intercepts all DNS queries, encrypts them, and sends them to a privacy-respecting resolver. The device doesn't even know it's happening. It just works.

What GhostPort Does With DNS

GhostPort runs Pi-hole as a local DNS server on the Raspberry Pi 5. Every device on your network uses Pi-hole for DNS resolution. Pi-hole does two things:

Block Tracking Domains: Known ad, tracker, and telemetry domains are resolved to a dead address. The request never leaves your network. No ads. No tracking beacons. No data collection endpoints.

Encrypt Upstream DNS: Legitimate DNS queries are forwarded to privacy-respecting resolvers (Quad9, Cloudflare) over encrypted connections (DoH/DoT). Your ISP sees encrypted traffic. Nothing useful.
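Once the router is meant to be the only DNS path, the check worth running is whether any device still talks to an outside resolver directly and so skips both the blocklist and the encrypted upstream. This added example (not Pi-hole or GhostPort code) does that over constructed flow records; the Pi-hole's LAN address and the four-field log format are assumptions.

```python
"""Added example: find LAN clients whose DNS traffic bypasses the router's resolver."""
from collections import defaultdict

PIHOLE = "192.168.1.2"   # assumed LAN address of the Pi-hole (placeholder)
DNS_PORTS = {("udp", 53), ("tcp", 53), ("tcp", 853)}   # Do53 and DoT
# DoH rides on tcp/443 and cannot be told apart from web traffic by port alone,
# which is the same property that makes it hard for an ISP to block.

# Constructed flow records, one per line: <src_ip> <dst_ip> <proto> <dst_port>
SAMPLE_FLOWS = """\
192.168.1.20 192.168.1.2 udp 53
192.168.1.20 151.101.129.140 tcp 443
192.168.1.31 8.8.8.8 udp 53
192.168.1.31 8.8.8.8 udp 53
192.168.1.42 1.1.1.1 tcp 853
192.168.1.55 192.168.1.2 tcp 53
"""

def find_bypassing_clients(flows: str, resolver: str = PIHOLE) -> dict:
    """Return {client_ip: {destination: count}} for DNS/DoT flows not sent to the resolver.

    A hit means the device has its own DNS setting (or a hardcoded one), so the
    router's blocklist and encrypted upstream are not covering it.
    """
    leaks = defaultdict(lambda: defaultdict(int))
    for line in flows.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split()
        if (proto, int(port)) in DNS_PORTS and dst != resolver:
            leaks[src][dst] += 1
    return {src: dict(dests) for src, dests in leaks.items()}

if __name__ == "__main__":
    for client, dests in find_bypassing_clients(SAMPLE_FLOWS).items():
        print(f"{client} bypasses the router resolver: {dests}")
```

Clients that appear here are the ones a router-level redirect of outbound port 53 (and a block of outbound 853) would bring back under the Pi-hole.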

Let's be specific about what this does and doesn't do. Encrypted DNS at the router prevents your ISP from logging the domains you visit via DNS queries. It does not hide the IP addresses you connect to — your ISP can still see the destination IP of your connections. For many sites (especially those using shared hosting or CDNs), an IP address alone doesn't reveal the specific site. But for sites with unique IPs, a determined ISP could still make inferences.

For complete IP-level privacy, you'd need a VPN — which GhostPort also offers through its WireGuard tunnel. But even without the VPN, encrypted DNS eliminates the easiest and most comprehensive surveillance tool your ISP has: your DNS query log.

What You Can Do Right Now

  1. Enable DNS-over-HTTPS in your browser (Firefox: Settings → Privacy & Security → DNS over HTTPS; Chrome: Settings → Privacy → Use secure DNS).
  2. On your phone, use the Private DNS setting (Android 9+: Settings → Network → Private DNS → set to "dns.quad9.net").
  3. On iOS, install a DNS profile from a provider like Cloudflare (1.1.1.1 app) or NextDNS.
  4. Check if your router supports custom DNS (most ISP routers don't, or the setting gets overridden).
  5. For whole-network encrypted DNS that covers every device automatically, you need it at the router — that's what GhostPort is built for.

DNS is the foundation of every internet connection. It's been unencrypted for decades — not because encryption wasn't possible, but because there was no financial incentive to fix it. Your ISP benefits from reading your DNS. The ad industry benefits from reading your DNS. The only party who benefits from encrypting it is you.

Start encrypting it.

Encrypt every DNS query from every device in your home.

ghostporttechnologies.com
Private DNS. Network-wide. Automatic.