
How to Protect Your Data Online Without a VPN: Encrypted DNS and Apple Private Relay (2026)

Your ISP logs every site you visit through unencrypted DNS lookups. Three free tools (Cloudflare 1.1.1.1, Google 8.8.8.8, Apple Private Relay) fix most of it. Here's how each one works and what it can't do.

By Deepak Gupta, guptadeepak.com

Your internet service provider logs every site you visit. The leak is DNS, the address-book lookup every device runs before opening a connection. Plain-text DNS hands your ISP the name of every domain you reach, with a timestamp, ready for resale to advertisers in most US states and many other jurisdictions.

You do not need a paid VPN to fix most of this. Three free or near-free tools, Cloudflare DNS, Google Public DNS, and Apple iCloud Private Relay, make meaningful chunks of your browsing private when set up correctly. Here is what each one actually does, how to set them up, and (the part most guides skip) what they cannot do.

I spent more than a decade building LoginRadius into a customer identity platform serving over a billion users. Network-level privacy sits below identity, and most consumers underestimate how exposed it is. This is the guide I send to friends and family who ask whether they should pay for a VPN. Often the honest answer is "do these three free things first."

What is DNS, and why it leaks your browsing history

The Domain Name System (DNS) is the address book of the internet. Every site lives at a numeric IP address (something like 172.64.155.209). Your device cannot use a human name like wikipedia.org directly. It asks a DNS resolver, "what is the address for this name?", gets a numeric answer back, and starts the connection.

By default that lookup is unencrypted, and the resolver is run by your ISP. Two consequences follow:

  • Your ISP sees every domain you visit, with timestamps. Every site, every app, every tracker, every CDN hop. They can profile interests, health concerns, work patterns, and political views from this list alone.
  • In most US states and many other jurisdictions, ISPs are legally allowed to sell this data. The 2017 repeal of the FCC's broadband privacy rules removed federal protection in the United States. California's CCPA is a partial exception; most states are not.

Encrypted DNS fixes both problems, but only if you switch resolvers AND turn on encryption. Either step alone is incomplete. Switching to Cloudflare's IP without encryption still sends every lookup past your ISP in plain text; only the destination of the query has changed, and the ISP can still read it in transit. Encryption is the load-bearing piece.

Encrypted DNS explained: DoH versus DoT

Two encryption standards matter in 2026:

| Name | Common shorthand | What it does |
| --- | --- | --- |
| DNS over HTTPS | DoH (RFC 8484) | Wraps DNS queries inside ordinary HTTPS traffic on port 443. Your ISP cannot distinguish your DNS lookups from any other web traffic on the same port. |
| DNS over TLS | DoT (RFC 7858) | Encrypts DNS over a dedicated port (853). Easier for network operators to identify, and to block. |

Both scramble queries so an ISP cannot read which domains you ask about. DoH is the stronger choice for privacy because it blends in with normal web traffic on port 443. For consumer use, pick DoH when given a choice. Most browsers and modern operating systems default to DoH when you enable encrypted DNS.
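To make the wire-level difference concrete, here is an added Python example (not code from the article) that builds the plain DNS query a device sends over UDP port 53, shows that the queried name is readable by anyone on the path, and then encodes that identical query the way an RFC 8484 DoH client does: as the base64url `dns` parameter of an HTTPS GET to the resolver's endpoint. The DoH path `/dns-query` on `cloudflare-dns.com` is Cloudflare's documented endpoint; `wikipedia.org` is the sample name from above; nothing here touches the network.

```python
import base64
import struct

# Constructed sample: the name a device would look up before opening a connection.
SAMPLE_NAME = "wikipedia.org"
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # Cloudflare's public DoH endpoint


def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a standard A query (RFC 1035). RFC 8484 recommends transaction id 0 for
    DoH so identical queries produce identical URLs that HTTP caches can reuse."""
    # flags 0x0100 = recursion desired; 1 question, 0 answer/authority/additional
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def observed_name(packet: bytes) -> str:
    """What a passive observer reads out of a plain-text UDP/53 query: the queried
    name sits unencrypted right after the 12-byte header."""
    pos = 12
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(packet: bytes, resolver: str = DOH_ENDPOINT) -> str:
    """Wrap the same wire-format query for DoH (RFC 8484, GET form): base64url with
    the '=' padding removed, carried in the `dns` query parameter. On the wire this
    is an ordinary HTTPS request to port 443, so the name travels inside TLS."""
    b64 = base64.urlsafe_b64encode(packet).decode("ascii").rstrip("=")
    return f"{resolver}?dns={b64}"


def doh_param_to_query(param: str) -> bytes:
    """Reverse of doh_get_url: what the resolver does with the `dns` parameter."""
    padded = param + "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(padded)


if __name__ == "__main__":
    q = build_query(SAMPLE_NAME)
    print("plain DNS packet exposes:", observed_name(q))
    print("DoH request URL:", doh_get_url(q))
```

The POST form of DoH sends the same bytes as the request body with `Content-Type: application/dns-message`; either way the ISP sees only a TLS session to the resolver on port 443, which is exactly what makes it hard to single out from other web traffic.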

The cryptography is the same TLS that protects your online banking. The underlying hash and key-exchange primitives are covered with interactive demos on Hash Lab.

Tool 1: Google Public DNS (8.8.8.8)

Launched December 2009, Google Public DNS is the oldest mass-market public resolver. The addresses are 8.8.8.8 and 8.8.4.4. The encrypted hostname is dns.google for both DoH and DoT.

What it gets right

  • Performance. Anycast routing from hundreds of Google edge locations means low-latency answers from almost anywhere on the planet.
  • DNSSEC validation. Confirms answers are cryptographically signed by the domain's authoritative server, blocking the classic cache-poisoning attack.
  • DoH and DoT both supported.

What to consider before trusting it

  • Temporary logging. Google retains some query data short-term for security and abuse detection, longer-term in anonymized or aggregated form. Google states it does not link these queries to your Google account or sell them. You are still shifting trust from one large company to another, and Google's core business is advertising. Decide whether that is an improvement for you.
  • No filtering. Google DNS answers honestly. No malware blocking, no parental controls.

Best for: users who want maximum speed and DNSSEC validation, are comfortable with Google as a custodian, and do not want filtering.

Tool 2: Cloudflare DNS (1.1.1.1, 1.1.1.2, 1.1.1.3)

Cloudflare launched its public resolver in April 2018, commissioned an independent audit two months later, and has commissioned one annually since. The most recent KPMG examination report (2025) re-confirmed Cloudflare's commitment to not retaining queryable identifying logs. This audit posture is the strongest in the public-resolver category.

Cloudflare DNS comes in three flavors, addressed at three different IPs:

| Primary IP | Backup | Behavior |
| --- | --- | --- |
| 1.1.1.1 | 1.0.0.1 | Standard. No filtering. Answers everything. |
| 1.1.1.2 | 1.0.0.2 | Standard plus malware-domain blocking. Returns 0.0.0.0 for known phishing and malicious hostnames so the dangerous site never reaches your device. |
| 1.1.1.3 | 1.0.0.3 | Standard plus malware plus adult-content blocking. Family-network safe by default. |

What it gets right

  • Independently audited no-logs policy. Cloudflare commits to retaining IP-tied query data for no more than 24 hours, and to never selling DNS data. The annual KPMG audit (publicly published) is the strongest such commitment among public resolvers.
  • Speed. Routinely benchmarks at or near the top globally.
  • Filter-by-picking-an-address. No software install, no configuration page. Want adult-content blocking on a family router? Set the WAN DNS to 1.1.1.3 and you are done.
  • DoH and DoT. cloudflare-dns.com for both. The family variants get their own hostnames (security.cloudflare-dns.com, family.cloudflare-dns.com).

What to consider

  • Category filters can over-block. When 1.1.1.3 launched, the family filter briefly blocked several LGBTQ resource pages and sex-education sites. Cloudflare fixed it within days. Automated category filters will occasionally over-block. Assume exceptions will be needed.
  • Trust still shifts. Cloudflare's no-logs commitment is the strongest in the category, but it is still a centralized trust point. If you do not trust Cloudflare, this option is moot.

Best for: most users. 1.1.1.1 for adults who want maximum openness, 1.1.1.3 for family Wi-Fi networks.
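As an added example (not from the article), the parser below shows how a client can tell, from the response alone, that the 1.1.1.2 or 1.1.1.3 resolver sank a lookup: a filtered name comes back as an A record of 0.0.0.0 rather than an NXDOMAIN, so a check that only looks for "name not found" would miss it. The responses are constructed by the `make_response` helper; `blocked.example`, `missing.example` and `198.51.100.7` are placeholder values from the reserved documentation ranges, not real hosts.

```python
import ipaddress
import struct


def decode_name(msg: bytes, pos: int):
    """Decode a wire-format name at pos, following compression pointers
    (RFC 1035 section 4.1.4). Returns (name, position after the name field)."""
    labels = []
    end = None
    hops = 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:            # 2-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if end is None:
                end = pos + 2
            pos = pointer
            hops += 1
            if hops > 32:                    # refuse pointer loops in malformed data
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)


def parse_a_records(msg: bytes):
    """Return (queried name, rcode, [A record addresses]) from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    pos = 12
    qname = None
    for _ in range(qd):
        qname, pos = decode_name(msg, pos)
        pos += 4                              # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, pos = decode_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return qname, rcode, addrs


def classify(msg: bytes) -> str:
    """Label a response the way a client behind a filtering resolver should read it."""
    qname, rcode, addrs = parse_a_records(msg)
    if rcode == 3:
        return "nxdomain"
    if addrs and all(a == "0.0.0.0" for a in addrs):
        return "blocked-by-resolver"         # the 0.0.0.0 sink answer used by 1.1.1.2/1.1.1.3
    return "resolved"


def make_response(name: str, addr, rcode: int = 0) -> bytes:
    """Constructed response for testing: one question and, if addr is given, one A
    answer whose owner name is a compression pointer (0xC00C) to the question."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    answer = b""
    if addr is not None:
        answer = (b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
                  + ipaddress.IPv4Address(addr).packed)
    # flags 0x8180 = response, recursion desired, recursion available; low 4 bits = rcode
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    return header + question + answer


if __name__ == "__main__":
    for name, addr in (("blocked.example", "0.0.0.0"), ("wikipedia.org", "198.51.100.7")):
        print(name, "->", classify(make_response(name, addr)))
```

Treating 0.0.0.0 as "blocked" rather than as a connection target also avoids the confusing "could not connect" errors users see when a filtered domain is opened, which is the symptom to look for when the family filter over-blocks a site.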

Tool 3: Apple iCloud Private Relay

Private Relay is included with any paid iCloud+ subscription (storage plans starting at $0.99 per month in the US). It is enabled per Apple ID and works in Safari plus several Apple system services. It is not available in mainland China, Russia, Saudi Arabia, and a small number of other jurisdictions where Apple is required to disable it.

The two-hop architecture

This is the substantive idea, and the reason Private Relay is closer to a "VPN-lite" than a DNS-only tool. Your traffic is split across two relays operated by two different organizations so neither can build a profile alone:

  1. Ingress hop (Apple). Sees your real IP address. Does not see the destination URL because it is encrypted to the egress.
  2. Egress hop (a partner, currently Cloudflare, Akamai, or Fastly depending on region). Sees the destination URL. Does not see your real IP, only an Apple-supplied address geo-anchored to roughly your region.

The cryptographic property: no single party sees both who you are and what you are doing. Apple cannot inspect your browsing because Apple does not hold the keys to decrypt the destination. The egress partner cannot identify you because Apple does not pass your real IP. Profile-building requires collusion between Apple and a partner, which Apple's technical overview explicitly forbids contractually.

What it gets right

  • Single toggle. Settings, Apple ID, iCloud, Private Relay. No DNS servers to type, no apps to install.
  • Hides your real IP from websites. Plain DNS resolvers do not do this. Private Relay does, for Safari traffic.
  • Encrypted DNS automatic. Built in, no separate setup.
  • Stronger architecture than a single-vendor VPN. Most VPNs are one company that sees everything end-to-end. Split-trust is genuinely better on this dimension.

What to consider

  • Safari only for browsing. Chrome, Firefox, and most third-party apps bypass Private Relay. If you live in Chrome, this protects very little.
  • Apple ecosystem only. iPhone, iPad, Mac.
  • Requires paid iCloud+. The free tier does not include it.
  • Coarse geolocation is preserved. Local-business search still works. This is privacy, not anonymity.
  • Some sites get confused. A handful of banks and streaming services see the Apple-supplied egress IP and assume it is a VPN. Most have learned to handle Private Relay correctly by now; the rest may require disabling it temporarily for specific sites.

Best for: iPhone, iPad, and Mac users who already pay for iCloud+ and primarily browse in Safari.

What encrypted DNS and Private Relay cannot do

This is the section most guides skip. Encrypted DNS is a real, free privacy upgrade. It is not invisibility. Setting realistic expectations is part of protecting yourself.

Even with encrypted DNS on, your ISP can usually still infer where you are going from two side channels:

  1. The destination IP address. Your packets have to be routed somewhere, and the ISP routes them. The mitigation: large fractions of the modern web sit behind shared services like Cloudflare and Fastly, so a single destination IP can host tens of thousands of sites. The ISP knows "you connected to Cloudflare's edge" but cannot reliably guess which exact origin you visited behind it.
  2. The TLS SNI extension. Server Name Indication (SNI) is the domain label your browser announces during the TLS handshake. Historically it has been sent in the clear, even when the rest of the connection is encrypted.

The fix for SNI is Encrypted Client Hello (ECH), a TLS 1.3 extension that finally encrypts SNI. ECH is supported by Chrome, Firefox, and Safari as of 2024-2025, and by Cloudflare-fronted sites by default. Adoption beyond Cloudflare's edge is partial. Once ECH and encrypted DNS work together on a connection, an ISP genuinely cannot tell which site you visited behind a shared edge. This is meaningfully stronger than encrypted DNS alone, and worth turning on in browser settings even before the rest of the web finishes the migration.
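To show what the SNI side channel looks like on the wire, here is an added Python example (not from the article) that reads the plaintext fields of a TLS ClientHello exactly as a passive observer on port 443 would: the `server_name` extension (RFC 6066) and whether an `encrypted_client_hello` extension is present. With ECH, the outer ClientHello's SNI carries only a public name shared by every site behind the edge, so the real site name is no longer recoverable from this parse. The `build_client_hello` helper constructs minimal handshake records for testing; `edge-public-name.example` is a placeholder for such a public name, and the ECH extension body is a dummy, not a real ECH payload. The codepoint 0xfe0d is the one current ECH deployments use.

```python
import struct

ECH_EXTENSION = 0xFE0D      # encrypted_client_hello codepoint used by current deployments
SNI_EXTENSION = 0x0000      # server_name (RFC 6066)


def inspect_client_hello(record: bytes):
    """Read the plaintext parts of a TLS ClientHello a passive observer sees.
    Returns {"sni": name-or-None, "ech": bool}, or None if the record is not a
    ClientHello. Layout: record header (5) | handshake header (4) | legacy_version (2)
    | random (32) | session id | cipher suites | compression methods | extensions."""
    if len(record) < 9 or record[0] != 0x16:                # record type 22 = handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                         # handshake type 1 = ClientHello
        return None
    pos = 4 + 2 + 32                                         # header, legacy_version, random
    pos += 1 + hs[pos]                                       # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]       # cipher suites
    pos += 1 + hs[pos]                                       # compression methods
    result = {"sni": None, "ech": False}
    if pos + 2 > len(hs):
        return result                                        # no extensions block
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        body = hs[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == ECH_EXTENSION:
            result["ech"] = True
        elif ext_type == SNI_EXTENSION and len(body) >= 5 and body[2] == 0:
            name_len = struct.unpack("!H", body[3:5])[0]     # name_type 0 = host_name
            result["sni"] = body[5:5 + name_len].decode("ascii")
    return result


def build_client_hello(server_name: str, with_ech: bool = False) -> bytes:
    """Constructed minimal ClientHello for testing (not a handshake you could send)."""
    host = server_name.encode("ascii")
    sni_body = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", SNI_EXTENSION, len(sni_body)) + sni_body
    if with_ech:
        exts += struct.pack("!HH", ECH_EXTENSION, 4) + b"\x00\x00\x00\x00"  # dummy body
    body = (b"\x03\x03" + bytes(32)                 # legacy_version TLS 1.2, zero random
            + b"\x00"                               # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                           # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(inspect_client_hello(build_client_hello("wikipedia.org")))
    print(inspect_client_hello(build_client_hello("edge-public-name.example", with_ech=True)))
```

The same parse is what a network monitor logs for every HTTPS connection, which is why ECH matters: once the outer SNI is the edge's public name and the `encrypted_client_hello` extension is present, the observer is back to "you connected to that shared edge", the same position the destination-IP side channel already left it in.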

The capabilities matrix:

| Tool | Hides DNS lookups from ISP | Hides destination IP | Hides domain at TLS handshake | Encrypts all traffic | Makes you anonymous |
| --- | --- | --- | --- | --- | --- |
| Google or Cloudflare DNS (DoH on) | Yes | No | Only with ECH | No | No |
| Apple Private Relay (Safari) | Yes | Yes (Safari) | Yes (Safari) | No (Safari-scoped) | No |
| Reputable paid VPN | Yes | Yes | Yes | Yes | Partial (you trust the VPN) |

And the meta point: you are always shifting trust, not eliminating it. Plain DNS gives the data to your ISP. Encrypted DNS gives it to Google, Cloudflare, or Apple. Pick the one whose policies you trust more. For context on how the broader browser threat model evolved this decade, see Browser security landscape transformed in 2025.

How to set up encrypted DNS, step by step

The exact taps vary slightly between OS versions, but the structure is consistent. The steps below assume current versions as of mid-2026.

iPhone and iPad (iOS 17 or later)

  • iCloud Private Relay. Settings, tap your name, iCloud, Private Relay, toggle On. Requires iCloud+.
  • System-wide encrypted DNS. Install Cloudflare's free 1.1.1.1 app from the App Store. Open it and tap "Install VPN Profile". The profile installs through the VPN-settings mechanism but does not actually tunnel your traffic; it just configures encrypted DNS for the whole device.

Mac (macOS Sequoia / 15)

  • Manual DNS. System Settings, Wi-Fi, Details next to the connected network, DNS, add 1.1.1.1 and 1.0.0.1.
  • Encrypted DNS profile. Download the Cloudflare configuration profile for DoH and double-click to install. macOS will use DoH for all DNS lookups, system-wide.
  • Private Relay. System Settings, Apple ID, iCloud, Private Relay.

Windows 11

  • Settings, Network & Internet, the connected adapter, Hardware properties, DNS server assignment, Edit, switch to Manual.
  • Enter 1.1.1.1 and 1.0.0.1.
  • Set DNS over HTTPS to On (automatic template). This is the encryption step. Skip it and you have only changed providers; the lookups still travel in plain text.

Android (9 or later)

  • Settings, Network & Internet, Private DNS, select Private DNS provider hostname.
  • Enter one of: one.one.one.one (Cloudflare), security.cloudflare-dns.com (Cloudflare malware-blocking), family.cloudflare-dns.com (Cloudflare family), dns.google (Google).
  • Android uses DoT under the hood. No VPN profile needed.

Browser only (any OS)

Chrome, Firefox, Edge, and Brave each have a "Secure DNS" or "DNS over HTTPS" setting under privacy. Picking a provider here enables DoH for the browser only, not for other apps. This is the quickest way to try encrypted DNS without committing system-wide.

Whole-home, on the router

The most leveraged single change: set the DNS on your home router so every device on the network inherits it automatically (TVs, smart speakers, IoT, every phone that joins the Wi-Fi). Routers vary, but the path is always "WAN" or "Internet" settings, DNS servers, enter 1.1.1.1 and 1.0.0.1 (or the family variant for a kid-friendly network). Modern routers (eero, UniFi, Asus AX series) support encrypted DNS at the router itself. Older routers may only do plain DNS upstream, in which case still enable encrypted DNS on each device.

Which tool should you pick

  • Want fast, private lookups on any platform? Cloudflare 1.1.1.1 with DoH on. Best all-rounder.
  • Want a malware safety net, set-and-forget? Cloudflare 1.1.1.2.
  • Setting up a family-friendly home Wi-Fi? Cloudflare 1.1.1.3 on the router.
  • Prefer Google as custodian and want maximum speed? Google 8.8.8.8.
  • Live in the Apple ecosystem and use Safari? Turn on iCloud Private Relay; layer Cloudflare DNS for non-Safari apps.
  • Need every byte of traffic encrypted and your IP hidden everywhere? These tools do not. A reputable paid VPN or Tor does. Note that any single-vendor VPN still requires trusting that vendor not to log; the audit posture matters more than the marketing copy.

My actual setup (and what I do not bother with)

For full transparency, here is what I run, and why:

  • Home router: Cloudflare 1.1.1.1 as primary, 8.8.8.8 as backup. Every device joining the network gets encrypted DNS by default via DoH where the device supports it, DoT where it does not.
  • iPhone and Mac: iCloud Private Relay on. Safari is my primary browser. The split-trust property is a meaningful upgrade over running just DNS.
  • I do not run a paid VPN by default. For everyday browsing, the combination above closes most of the leak surface. I use a VPN only when I need full traffic encryption on untrusted public Wi-Fi (rare since most sites are HTTPS-only), or when I genuinely need to test a product from a different region.

Total monthly cost: $0.99 (iCloud+ Mini, which I would pay for anyway for photo storage). Setup time: ten minutes once, then never again.

The takeaway

You do not have to be a network engineer, or pay a monthly VPN bill, to meaningfully shrink how much your ISP knows about you. Switch to encrypted DNS and the address-book lookups travel in an envelope your provider cannot read. Cloudflare gives you the best blend of speed, an audited no-logs policy, and optional protection. Google offers rock-solid speed and DNSSEC. Apple Private Relay adds IP-hiding for Safari users with almost zero effort.

Keep two honest constraints in mind. Turn on encryption (changing providers alone is not enough). And remember these tools reduce tracking rather than make you invisible. For most people, most of the time, that is a big, free, ten-minute upgrade to your privacy. Set it once, forget about it, and your data is quietly better protected from that day forward.

Updated: June 2026. Cloudflare audit references are current as of the KPMG 2025 examination report. Apple Private Relay partner list and country availability change occasionally; the latest is in Apple's official overview linked above. Threat-model assumptions in this guide are written for ordinary consumer privacy from ISP tracking, not for high-risk threat models (journalist, activist, dissident) where Tor or specialised threat-model-specific tooling is appropriate.
