I called my ISP last week about a flaky fiber connection, and halfway through the call, the rep casually read out my router's manufacturer, firmware version, and both my Wi-Fi network names. I hadn't told them any of that. I sat there for a second trying to figure out how they knew, and then the uncomfortable follow-up question hit me: if they can see that, what else are they seeing? How far into my network does their view actually reach?

This got me intrigued, and after a bit of digging, the router details turned out to be the least interesting part, because every single website I visit passes through my ISP's DNS resolver in plaintext. Every lookup, every domain, is tagged with my IP and a timestamp. I'd been assuming HTTPS covered me. It doesn't. And the fix turned out to be one setting I'd never bothered to check on any of my PCs.

Your ISP can see every domain you visit by default

An Airtel router kept on a wooden table
Credit: Tashreef Shareef / MakeUseOf

Every time I open a website or launch an app, my phone or PC has to translate a domain name like youtube.com into an IP address. That translation is a DNS lookup, and by default, it goes straight to my ISP's resolver in the clear. They see the timestamp, my public IP, and the exact hostname. Do that a few thousand times a day across every device in the house, and you get a detailed picture.

What's interesting is how much that log reveals without touching a single page of content. The gaps and spikes in DNS traffic map out when I wake up, when I sleep, and when I leave the house. The domains hint at my bank, my streaming services, the health sites I've checked, and every smart device on my network phoning home. It's not just browser history, but every app on every device, captured centrally, and most people never touch the default DNS their router hands out.
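To make the "in the clear" part concrete, here is an added example (not code from the article) that builds a DNS query the way a stub resolver does, RFC 1035 wire format over UDP port 53, and then reads the hostname back out of the raw bytes the way any on-path observer can. The hostname and transaction id are constructed sample values; with DNS-over-TLS or DNS-over-HTTPS these same bytes travel inside TLS, so the observer is left with only the resolver's IP.

```python
import random
import struct

QTYPE_A = 1      # address record
QCLASS_IN = 1    # Internet class


def encode_name(hostname: str) -> bytes:
    """RFC 1035 label encoding: each label is length-prefixed, terminated by a zero byte."""
    out = b""
    for label in hostname.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes long")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(hostname: str, txid=None) -> bytes:
    """Build a plain DNS query (12-byte header + one question) as sent to port 53."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # flags 0x0100: standard query, recursion desired; QDCOUNT=1, AN/NS/AR counts 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(hostname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_name(packet: bytes, offset: int):
    """Decode an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def observer_view(packet: bytes) -> dict:
    """What anyone on the path (the ISP included) learns from one unencrypted query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    qname, pos = decode_name(packet, 12)          # question section follows the header
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"txid": txid, "qname": qname, "qtype": qtype, "questions": qdcount}


if __name__ == "__main__":
    q = build_query("youtube.com", txid=0x1234)   # constructed sample query
    print(q.hex())            # the hostname is readable right in the UDP payload
    print(observer_view(q))
```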

HTTPS encrypts the page, not the lookup

Why the padlock in your browser isn't the full story

HTTPS pad lock icon on the netflix website
Credit: Tashreef Shareef / MakeUseOf

Most people treat the padlock icon in the browser as the end of the conversation. If a site loads over HTTPS, the contents are encrypted, so the ISP can't read the page you are on or the form you're filling out. That part is still true. What's also true is that the DNS lookup happens before the encrypted connection even begins.

So while my ISP can't see which specific video I watched or which article I read, they can absolutely see that I contacted YouTube, a specific news site, or a mental health resource. The hostname also tends to leak in the TLS handshake through a field called SNI, unless both my browser and the site support a newer feature called Encrypted ClientHello. Most don't yet.

The end result is that HTTPS alone gives me content privacy, but not metadata privacy. My ISP doesn't need to read the page to build a profile of my routine and interests, because the domains already reveal enough.

An encrypted, filtering resolver fixes both problems

Swap the resolver, and the ISP goes dark

The fix is to stop using my ISP's DNS entirely and route lookups through an encrypted resolver that also filters junk. Once queries are encrypted with DNS-over-TLS or DNS-over-HTTPS, my ISP sees an opaque stream to the resolver instead of a readable list of domains. Filtering on top of that blocks ad servers, trackers, and known malicious domains before my devices ever connect.

The simplest path is a per-device setup. On Android, I switched my Private DNS to dns.nextdns.io under Settings > Network & internet > Private DNS, which let me pick exactly what gets blocked through a dashboard. On Windows, I pointed my adapter at Quad9 (9.9.9.9) after benchmarking it against my ISP's DNS and seeing it come out faster and safer.

Now, if you want whole-home coverage, the cleaner option is to change the DNS at the router level so every device, including smart TVs and IoT gear, inherits it automatically. For this, you can choose a service like NextDNS, which gives granular control and parental filtering that most free resolvers don't offer, and its free tier covers a normal household.

DNS filtering has real limits

What it can't block, and where it falls short

Netflix on an LG TV
Amir Bohlooli / MUO

I don't want to oversell this. DNS filtering is a huge upgrade, but it still has its limitations.

The biggest gap is same-domain ads. YouTube, Twitch, Netflix, Hulu, and TikTok all serve their ads from the same domain as the content. A filter can't block the ad without breaking the whole service, so in-stream ads sail straight through. Browser-based ad blockers still matter for that kind of traffic.

Some devices also ignore whatever DNS you set. For instance, Chromecast, Android TV boxes, and certain smart TVs hardcode Google or Cloudflare DNS and silently bypass my router settings. The only reliable fix is blocking those hardcoded IPs at the firewall, which most consumer routers don't make easy.
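Spotting those devices is the first step, so here is an added example (not from the article) that runs over a constructed router flow log and flags LAN hosts resolving names anywhere other than the router: plain DNS on port 53, DNS-over-TLS on 853, or HTTPS to a well-known public resolver IP, which is assumed here to indicate DNS-over-HTTPS. The LAN addresses, the router IP and the CSV layout are all assumptions.

```python
import csv
import io
from collections import defaultdict

ROUTER_IP = "192.168.1.1"                      # assumed LAN address of the router

# Constructed flow log, one connection per row, as a router or firewall might export it.
SAMPLE_FLOWS = """\
src,dst,dport,proto
192.168.1.20,192.168.1.1,53,udp
192.168.1.20,142.250.190.78,443,tcp
192.168.1.31,8.8.8.8,53,udp
192.168.1.31,8.8.4.4,53,udp
192.168.1.42,1.1.1.1,853,tcp
192.168.1.42,192.168.1.1,53,udp
192.168.1.55,9.9.9.9,53,udp
192.168.1.60,1.1.1.1,443,tcp
"""

DNS_PORTS = {53: "plain DNS", 853: "DNS-over-TLS"}
# Public resolver addresses (Google, Cloudflare, Quad9); HTTPS to these is treated as
# probable DNS-over-HTTPS, an assumption since 443 could carry other traffic.
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


def find_dns_bypass(flow_csv: str, router_ip: str = ROUTER_IP) -> dict:
    """Return {lan_host: {"dst:port (kind)", ...}} for hosts that resolve names
    somewhere other than the router, i.e. devices ignoring the DHCP-handed DNS."""
    bypass = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        dst, port = row["dst"], int(row["dport"])
        if dst == router_ip:
            continue                            # going through the router: fine
        kind = DNS_PORTS.get(port)
        if kind is None and port == 443 and dst in KNOWN_RESOLVERS:
            kind = "probable DNS-over-HTTPS"
        if kind:
            bypass[row["src"]].add(f"{dst}:{port} ({kind})")
    return dict(bypass)


if __name__ == "__main__":
    for host, targets in sorted(find_dns_bypass(SAMPLE_FLOWS).items()):
        print(host, "->", ", ".join(sorted(targets)))
```

The hosts this prints are the ones that need a firewall rule (or a port-53 redirect to the router) before a router-level resolver change actually covers them.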

Finally, encrypted DNS isn't a VPN. Even with lookups hidden, my ISP can still see the destination IPs my devices connect to and, in most cases, the SNI hostname in the handshake. For full metadata privacy, I'd need a VPN or Tor on top. DNS filtering just closes the biggest and easiest leak.

Your ISP doesn't need to know your browsing habits

My current setup is NextDNS at the router for the whole house, plus Quad9 on devices that travel with me. This combination gives filtering across every gadget at home, a privacy-focused fallback when I'm on mobile data, and roughly zero ongoing maintenance. It's the closest thing to a set-and-forget privacy upgrade I've found.