UnveilTech

What Is DNS?

A Beginner's Guide to How the Internet Really Works
March 24, 2026 · 10 min read

Every time you type a website address into your browser, something invisible happens behind the scenes. Your device needs to figure out where that website actually lives on the internet. That is the job of DNS, which stands for Domain Name System.

Think of DNS as the phone book of the internet. When you want to call a friend, you look up their name in your contacts and your phone dials their number. DNS works the same way: you type a human-readable name like google.com, and DNS translates it into a machine-readable IP address like 142.250.80.46 so your browser knows where to connect.

  1. You type google.com
  2. Your device asks a DNS server
  3. The DNS server returns 142.250.80.46
  4. Your browser connects to that IP address
  5. Google's homepage loads on your screen

Your devices do this thousands of times per day without you ever noticing. Every website, every app, every notification that pops up on your phone starts with a DNS lookup. Without DNS, you would have to memorize long strings of numbers for every website you want to visit. Imagine typing 142.250.80.46 instead of google.com every single time.

How DNS Works Step by Step

When you type a URL and press Enter, a chain of events unfolds in milliseconds:

  1. Your device checks its local cache. If you visited this website recently, the answer might already be stored on your device. If so, the lookup is instant.
  2. Your device asks a DNS resolver. This is usually a server run by your Internet Service Provider (ISP), though you can choose a different one. The resolver is the middleman that does the heavy lifting.
  3. The resolver checks its own cache. Millions of people use the same resolver, so popular websites are almost always cached. If found, the answer comes back immediately.
  4. If not cached, the resolver asks the root servers. There are 13 groups of root servers worldwide. They do not know the final answer, but they know who to ask next. For google.com, they point to the .com servers.
  5. The TLD servers respond. The .com servers (called Top-Level Domain servers) know which server is authoritative for google.com and point the resolver there.
  6. The authoritative server gives the final answer. Google's own DNS server returns the IP address. The resolver caches it and sends it back to your device.
  7. Your browser connects. With the IP address in hand, your browser opens a connection and the website loads.

How fast is this? The entire process typically takes between 10 and 100 milliseconds. A cached lookup takes less than 1 millisecond. You would never notice it happening.
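To make the seven steps concrete, here is an added Python sketch (example code written for this post, not part of any real resolver) that walks a tiny constructed root / TLD / authoritative hierarchy and keeps a TTL-aware cache on both the device and the resolver. The server names and the 192.0.2.x addresses are documentation placeholders, and the clock is injectable so that cache expiry can be demonstrated without waiting five minutes.

```python
import time

# Constructed zone data (documentation addresses, not real records).
ROOT = {"com.": "ns.tld-com.example."}                                  # root: TLD -> TLD nameserver
TLD = {"ns.tld-com.example.": {"example.com.": "ns1.example.com."}}     # TLD: domain -> authoritative nameserver
AUTH = {"ns1.example.com.": {"example.com.": ("192.0.2.1", 300),
                             "www.example.com.": ("192.0.2.10", 300)}}  # authoritative: name -> (IP, TTL seconds)


def _normalize(name):
    """Lower-case and make the name fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


class Cache:
    """TTL-aware cache, used by both the device (step 1) and the resolver (step 3)."""

    def __init__(self, clock=time.time):
        self._entries = {}
        self._clock = clock      # injectable so expiry can be tested without sleeping

    def get(self, name):
        """Return (ip, seconds_left) or None when absent or expired."""
        entry = self._entries.get(name)
        if entry is None:
            return None
        ip, expires = entry
        left = expires - self._clock()
        if left <= 0:
            del self._entries[name]
            return None
        return ip, left

    def put(self, name, ip, ttl):
        self._entries[name] = (ip, self._clock() + ttl)


class Resolver:
    """The middleman: answers from cache or walks root -> TLD -> authoritative."""

    def __init__(self, clock=time.time):
        self.cache = Cache(clock)
        self.steps = []          # servers consulted for the last query (for the demo)

    def resolve(self, name):
        """Return (ip, ttl) or None for an unknown name."""
        name = _normalize(name)
        self.steps = []
        hit = self.cache.get(name)
        if hit:
            self.steps.append("resolver cache")
            return hit
        labels = name.rstrip(".").split(".")
        tld = labels[-1] + "."                 # "www.example.com." -> "com."
        apex = ".".join(labels[-2:]) + "."     # -> "example.com."
        self.steps.append("root")              # step 4: which server handles this TLD?
        tld_ns = ROOT.get(tld)
        if tld_ns is None:
            return None
        self.steps.append("tld:" + tld)        # step 5: who is authoritative for the domain?
        auth_ns = TLD[tld_ns].get(apex)
        if auth_ns is None:
            return None
        self.steps.append("authoritative:" + auth_ns)   # step 6: the final answer
        record = AUTH[auth_ns].get(name)
        if record is None:
            return None
        ip, ttl = record
        self.cache.put(name, ip, ttl)          # the resolver caches what it learned
        return ip, ttl


class Client:
    """The device: local cache first (step 1), then ask the resolver (step 2)."""

    def __init__(self, resolver, clock=time.time):
        self.resolver = resolver
        self.cache = Cache(clock)
        self.last_source = None

    def lookup(self, name):
        name = _normalize(name)
        hit = self.cache.get(name)
        if hit:
            self.last_source = "device cache"
            return hit[0]
        answer = self.resolver.resolve(name)
        if answer is None:
            self.last_source = "not found"
            return None
        ip, ttl = answer
        self.cache.put(name, ip, ttl)          # honour the record's TTL
        self.last_source = " -> ".join(self.resolver.steps)
        return ip


if __name__ == "__main__":
    client = Client(Resolver())
    for _ in range(2):   # second run is served from the device cache
        print(client.lookup("www.example.com"), "via", client.last_source)
```

Running it twice shows the full chain the first time and "device cache" the second; a second Client sharing the same Resolver gets "resolver cache", which is why popular sites are answered instantly for everyone behind the same resolver.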

Plain DNS: The Original (and Insecure) Way

DNS was invented in 1987. At that time, the internet was a small academic network and security was not a concern. The original protocol, often called Plain DNS, sends queries over port 53 using UDP. It is fast, simple, and has worked reliably for nearly four decades.

The problem? Plain DNS sends everything in plain text. There is no encryption whatsoever. This means:

Surprising fact: Despite these risks, Plain DNS is still the default on virtually every router and device sold today. Unless you have actively changed your DNS settings, you are almost certainly using it right now.

DNS-over-HTTPS (DoH)

DoH encrypts your DNS queries inside HTTPS, the same encryption technology used for online banking and shopping. When you see the padlock icon in your browser, that is HTTPS at work, and DoH uses the exact same protection for your DNS queries.

DoH runs on port 443, which is the same port used by all regular HTTPS web traffic. This makes it virtually impossible for anyone to distinguish your DNS queries from normal browsing. A typical DoH URL looks like: https://dns.example.com/dns-query.

DoH is supported by all major browsers including Chrome, Firefox, Edge, and Safari, as well as Android and iOS. Because it blends in with regular web traffic, ISPs and network administrators cannot easily block it.

The only downside is a slight overhead from the TLS handshake required to establish the encrypted connection. In practice, this adds a few milliseconds at most and is unnoticeable during normal browsing.
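Here is an added Python example (written for this post, not code from any DNS client or provider) that ties the Plain DNS and DoH sections together. It builds a query for www.example.com in the RFC 1035 wire format, parses it back to show that the queried name sits in the UDP payload as readable bytes, and then wraps the very same message into the GET form of a DoH request as RFC 8484 specifies (base64url, padding stripped). The resolver hostname dns.example.com is the placeholder used above.

```python
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode "www.example.com" as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1-63 bytes: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)           # root label terminates the name
    return bytes(out)


def build_query(name, qtype=QTYPE_A, txid=0):
    """12-byte header + question section. RD=1 asks the resolver to recurse.
    RFC 8484 recommends transaction ID 0 for DoH GET so identical queries
    produce identical URLs and can share an HTTP cache entry."""
    flags = 0x0100          # QR=0 (query), opcode 0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(packet):
    """What an on-path observer recovers from an unencrypted query: name and type."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length >= 64:    # 0xC0.. would be a compression pointer; not valid in a question name
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"id": txid, "name": ".".join(labels), "qtype": qtype, "qclass": qclass}


def doh_get_url(packet, server="https://dns.example.com/dns-query"):
    """RFC 8484 GET form: the wire message, base64url-encoded, padding removed."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return server + "?dns=" + encoded


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(q.hex())            # the name is visible as plain bytes on port 53
    print(parse_question(q))  # ...and trivially recovered by anyone on the path
    print(doh_get_url(q))     # the same bytes, now carried inside TLS on port 443
```

The point of the last line is that DoH does not change the DNS message at all; it only changes the envelope. Over port 53 the hex dump is the packet; over port 443 the whole URL, query name included, is inside the TLS session.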

DNS-over-TLS (DoT)

DoT encrypts DNS queries using TLS, the same underlying encryption technology as DoH, but takes a different approach. Instead of wrapping DNS inside HTTPS, DoT uses a dedicated port: 853.

This dedicated port is a double-edged sword. On one hand, it makes DoT easy for network administrators to identify and manage. On the other hand, it means your ISP can see that you are using encrypted DNS, even though they cannot see what you are querying.

DoT is natively supported by Android 9 and newer through the Private DNS setting, making it the easiest encrypted DNS option for Android users. Some routers also support it. The format is simply a hostname like dns.example.com on port 853.

DoT is a great choice for organizations that want encrypted DNS but still need network visibility to confirm that DNS traffic is flowing properly.

DNS-over-QUIC (DoQ)

DoQ is the newest DNS protocol, built on top of QUIC, the same technology that powers HTTP/3. If you have noticed websites loading faster in recent years, QUIC is a big part of the reason.

What makes DoQ special is its speed. QUIC supports 0-RTT connection establishment, which means reconnecting to a DNS server you have used before is nearly instant. DoQ also handles packet loss much better than TCP-based protocols, making it particularly effective on mobile networks where connections are less stable.

DoQ uses port 853 UDP (the same port number as DoT, but over UDP instead of TCP). The format looks like: quic://dns.example.com.

As the newest option, DoQ is still gaining adoption and is supported by fewer clients and providers. But it represents the future of encrypted DNS, combining the best of privacy and performance.

Comparison Table

Protocol    Port      Encryption  ISP Privacy  Speed              Browser Support                 Mobile         Block Resistance
Plain DNS   53 UDP    None        No           Fastest            All                             All            Easy to block
DoH         443 TCP   TLS         Yes          Fast               Chrome, Firefox, Edge, Safari   iOS, Android   Very hard
DoT         853 TCP   TLS         Yes          Fast               Limited                         Android 9+     Moderate
DoQ         853 UDP   QUIC        Yes          Fastest encrypted  Limited                         Limited        Moderate

Which Protocol Should You Use?

The best choice depends on your situation:

The most important thing: The protocol matters less than the provider. A trusted DNS provider with Plain DNS is better than an untrustworthy provider with DoH. Choose your provider first, then pick the best protocol your devices support.

DNS and Your Privacy

Your DNS queries paint a detailed picture of your entire online life. Every website you visit, every app you open, every smart device that phones home starts with a DNS lookup. If someone can see your DNS traffic, they know what news you read, what you shop for, what medical symptoms you searched, and what you do at 2 AM.

In many countries, ISPs are legally allowed to collect and sell this data. Even where laws protect privacy, unencrypted DNS is an easy target for surveillance.

Using encrypted DNS solves the privacy problem, but it does not solve the security problem. A DNS provider that also filters your queries adds an active layer of protection: blocking malware domains before they load, stopping phishing sites before you enter your password, and preventing trackers from following you across the web.

The combination of encrypted DNS and intelligent filtering gives you both privacy and security. Your ISP cannot see your queries, and threats are blocked before they ever reach your device.
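To show what "filtering at the DNS level" means in practice, here is an added Python example (written for this post, not UnveilDNS code or any real provider's logic). It sits in front of a resolver, decides each query against a blocklist before anything is looked up, and answers blocked names with a sinkhole address so the connection never happens. A blocklist entry covers the domain and all of its subdomains, and the most specific match wins, so a single host under a blocked parent can be exempted. The domains (under the reserved .test TLD), the upstream answers and the query log are all constructed for the demo.

```python
BLOCKLIST = {"malware-example.test", "tracker-example.test"}   # constructed
ALLOWLIST = {"cdn.tracker-example.test"}                        # constructed exception

# Stand-in for the upstream resolver (constructed answers, documentation addresses).
UPSTREAM = {
    "www.example.com": "192.0.2.10",
    "login.malware-example.test": "198.51.100.7",
    "cdn.tracker-example.test": "198.51.100.9",
    "tracker-example.test": "198.51.100.8",
}

SINKHOLE = "0.0.0.0"   # one common convention for blocked names; NXDOMAIN is another


def _normalize(name):
    return name.strip().lower().rstrip(".")


def _suffixes(name):
    """Yield the name and each parent, most specific first: a.b.c -> a.b.c, b.c, c."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def classify(name):
    """Most-specific match wins: an allowlist entry can exempt one host under a
    blocked parent, and a blocklist entry can block one host under an allowed parent."""
    for suffix in _suffixes(_normalize(name)):
        if suffix in ALLOWLIST:
            return "allow"
        if suffix in BLOCKLIST:
            return "block"
    return "allow"


def resolve(name):
    """Return (verdict, answer). Blocked names never reach the upstream resolver."""
    name = _normalize(name)
    if classify(name) == "block":
        return "block", SINKHOLE
    return "allow", UPSTREAM.get(name)


# Constructed query log: "<client IP> <queried name>" per line.
QUERY_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 login.malware-example.test
10.0.0.9 cdn.tracker-example.test
10.0.0.9 tracker-example.test
"""


def apply_policy(log_text):
    """Run the filter over query-log lines; returns (client, name, verdict, answer) rows."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, name = line.split()
        verdict, answer = resolve(name)
        results.append((client, _normalize(name), verdict, answer))
    return results


def blocked_clients(results):
    """Devices that tried to reach blocked domains: the signal worth following up on."""
    return sorted({client for client, _, verdict, _ in results if verdict == "block"})


if __name__ == "__main__":
    rows = apply_policy(QUERY_LOG)
    for row in rows:
        print(row)
    print("clients with blocked lookups:", blocked_clients(rows))
```

Two design choices matter here. First, the verdict is taken before the upstream lookup, so a blocked domain is never even resolved, let alone connected to. Second, the block log doubles as a detection feed: a device that repeatedly queries blocked domains is the one to investigate.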

Protect Your DNS with UnveilDNS

Encrypted DNS filtering with full support for DoH, DoT, DoQ, and DoH3. Block ads, malware, and trackers at the DNS level. Set up in under 2 minutes.
