
DNS Sovereignty: Reclaiming Your Resolution Data and Rebuilding the Web Map

Sovereign Audit: This logic was last verified in March 2026. No hacks found.


You switched on your VPN months ago and felt safe. The little shield is green, your traffic is encrypted, you’re invisible — that’s the story you’ve been told. Then someone mentions a “DNS leak” and you run a test on a whim, and there it is in black and white: your ISP’s name, sitting right there, watching every destination you type even with the VPN running. The shield was real. It was just guarding the wrong door.

The short version: DNS sovereignty means routing your DNS queries through encrypted channels (DNS-over-HTTPS or DNS-over-TLS), using a recursive resolver like Unbound instead of trusting your ISP or Google’s 8.8.8.8, and filtering tracking domains at the network level. A VPN hides the content of your traffic but not its destination — your DNS queries still announce where you’re going. Closing that gap stops your ISP, your DNS provider, and trackers from profiling your browsing intent, and it does it in three stackable phases: encrypted filtering, recursive resolution, and network-wide enforcement. You can complete phase one in ten minutes today.

Why your current DNS setup is leaking every site you visit

Here’s the blind spot almost nobody is told about. A VPN protects what travels inside your connection, but before any of that happens, your device has to ask where google.com lives. If that question — the DNS query — still goes to your ISP’s server, then your ISP sees exactly where you’re trying to go, even though it can’t see what you do once you arrive.


That’s a DNS leak, and it’s the quiet flaw in most privacy setups. Your ISP, your DNS provider, or any observer on the network can assemble a complete profile of your intent just by watching the questions you ask. Free DNS providers like Google and Cloudflare aren’t doing you a favour — they’re harvesting your resolution data to train models and build profiles, and every site you reach updates their database with your behaviour.

The stakes run past tracking. A malicious or compromised DNS server can answer your question with a lie — sending you to mybank.ir instead of mybank.com — a trick called DNS hijacking. You’re not just being watched. You’re being led across the internet by a map you don’t control.

How to run the DNS leak test and read the result

You don’t have to take this on faith. Visit dnsleaktest.com in your browser and look at the names that come back.

  • See your ISP’s name or your DNS provider’s corporate name? You have a leak — your queries are unencrypted or routed through an untrusted resolver.
  • See your VPN provider’s name? That’s acceptable: you’ve chosen to trust them.
  • See multiple DNS servers from different providers? Your system is misconfigured and queries are splitting between resolvers.

One free test tells you, in five seconds, whether the rest of this article is theoretical or urgent for you.

Plain-text vs encrypted DNS: what DoH and DoT actually change

Traditional DNS runs over Port 53 and sends queries in plain text. Anyone on your network, your ISP, or any observer on the wire can read them. Type google.com and the request travels naked to your DNS server, which replies with the IP.

Two encrypted transports fix the exposure. DNS-over-HTTPS (DoH) wraps the whole query in an HTTPS tunnel on Port 443, so it looks like ordinary web traffic — your ISP sees you’re talking to a DoH provider but can’t see which domains. DNS-over-TLS (DoT) encrypts the same traffic over TLS on Port 853; it is just as private, but easier for a network to block because it sits on a dedicated port.

But here’s the catch neither one solves: you’re still asking someone else — Cloudflare, Quad9, NextDNS — for the answer. They can see every query and build a profile. Encryption hides your questions from the network, not from the resolver. The real sovereignty upgrade isn’t encrypting the question — it’s removing the middleman who hears it.

Forwarders vs recursive resolvers: the autonomy that actually matters

A forwarder, in the sense used here, is a public resolver such as 1.1.1.1 or 8.8.8.8: you hand it your query, it resolves the name on your behalf, and it returns the answer. It sees everything you ask.

A recursive resolver like Unbound does something different: it takes your query, starts at the internet’s root nameservers and follows the delegation chain, from a root server to the top-level-domain servers to the domain’s own authoritative nameserver, and returns the answer itself. No middleman. Your own machine does the work. Running Unbound locally means:

  • No external party sees your queries, unless you intentionally forward them.
  • You’re immune to DNS-level censorship from your ISP or DNS provider.
  • You reduce your exposure to DNS hijacking and poisoning.
  • You own the resolution logic entirely.

This is the turn: privacy by asking a stranger nicely is not privacy — sovereignty is not needing to ask at all.

Phase 1: encrypted filtering, the foundation you set up today

Start here if DNS sovereignty is new to you. Use a managed encrypted DNS service that also filters tracking domains. What you’re doing is routing all DNS queries through an encrypted tunnel to a provider that blackholes known tracking, analytics, and spyware domains at 0.0.0.0 — your computer doesn’t even attempt to connect to them. The tools worth considering:

  • NextDNS: cloud-based DoH filtering with customisable block lists (analytics, native tracking, adult content, harmful software), per-device rules, and auditable logs. Good for households with mixed privacy needs.
  • Quad9: a non-profit DNS service with DNSSEC validation and harmful software blocking — simpler than NextDNS, less granular.
  • Mullvad DNS: a privacy-first resolver from the VPN company Mullvad. No logging, no filtering — you supply your own content filters.

To configure it, set DoH or DoT in your network settings or browser. On iOS: Settings > General > VPN and Device Management > DNS. On macOS: System Settings > Network > Wi-Fi > Advanced > DNS. On Android: Settings > Network & internet > Advanced > Private DNS. That’s phase-one sovereignty — your queries encrypted and your trackers filtered, in less time than it takes to make coffee.

Phase 2: recursive resolution, the autonomy layer

For high-stakes privacy, run your own recursive resolver on a machine you control — a home server or a dedicated appliance. Unbound is the standard open-source choice: it queries the root nameservers directly, caches results, and validates DNSSEC signatures (cryptographic proofs that an answer is authentic). It trusts no upstream provider. The steps:

  • Install Unbound on a home server or Raspberry Pi.
  • Configure your devices to query your local Unbound instance instead of any external DNS provider.
  • Unbound goes to the root servers, follows the resolution chain, and caches the result.
  • Add block lists to Unbound if you want to filter tracking domains locally.

The honest trade-off: Unbound is slightly slower on the first query to a domain — roughly 20–50ms depending on your connection — because it must reach the root servers. After caching, subsequent queries are nearly instant. In exchange you own the entire stack: no external visibility, no logging, no data collection. This is the final hardening against DNS poisoning, and it’s where “private” becomes “no one else is in the room.”
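A concrete version of the phase-2 steps, as an added example rather than the article’s own configuration: a minimal recursive Unbound server block and a converter that turns a hosts-style blocklist into Unbound local-zone entries. The file paths, the LAN subnet and the blocklist format are assumptions; adjust them to your host.

```shell
#!/bin/sh
# Added example, not from the article: writes a recursive (non-forwarding)
# Unbound server config and converts a hosts-style blocklist into local-zone
# entries. File paths, subnet and blocklist format are assumptions.

write_unbound_conf() {
  cat <<'EOF'
server:
  interface: 0.0.0.0
  port: 53
  access-control: 127.0.0.0/8 allow
  access-control: 192.168.1.0/24 allow        # assumed LAN subnet
  # No forwarder configured: every uncached query starts at the root servers.
  root-hints: "/usr/share/dns/root.hints"      # assumed path (dns-root-data package)
  auto-trust-anchor-file: "/var/lib/unbound/root.key"   # DNSSEC trust anchor
  harden-dnssec-stripped: yes                  # SERVFAIL if signatures were stripped
  harden-glue: yes
  qname-minimisation: yes                      # each server learns only the labels it needs
  use-caps-for-id: yes                         # 0x20 case randomisation against spoofed replies
  prefetch: yes                                # refresh popular records before they expire
  hide-identity: yes
  hide-version: yes
  log-queries: no                              # switch to yes only while auditing
include: "/etc/unbound/blocklist.conf"
EOF
}

# Turn "0.0.0.0 host", "127.0.0.1 host" or bare-host lines into local-zone
# lines. always_nxdomain answers NXDOMAIN, so the client never connects.
blocklist_to_local_zones() {
  echo "server:"
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    {
      host = ($1 == "0.0.0.0" || $1 == "127.0.0.1") ? $2 : $1
      sub(/\.$/, "", host)
      if (host == "" || host == "localhost" || host ~ /^[0-9.]+$/) next
      printf "local-zone: \"%s.\" always_nxdomain\n", tolower(host)
    }'
}

# Usage (as root on the resolver host):
#   write_unbound_conf > /etc/unbound/unbound.conf
#   blocklist_to_local_zones < my-blocklist.txt > /etc/unbound/blocklist.conf
#   unbound-checkconf && systemctl restart unbound
#   unbound-host -C /etc/unbound/unbound.conf -v example.com   # expect "(secure)"
```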

Phase 3: network-wide enforcement, closing every back door

Now stop any device — including IoT gadgets that hard-code their own DNS — from bypassing your sovereign resolver. The problem is real: Google Home, smart TVs, and some apps ignore your system DNS and quietly use their own (usually 8.8.8.8), leaking queries around your defences.

The fix is to configure your router to intercept all Port 53 and Port 853 traffic and redirect it to your local resolver using DNAT (Destination NAT) rules. Access your router’s advanced settings (usually 192.168.1.1 or 192.168.0.1), find “Port Forwarding” or “NAT Rules,” create rules redirecting Port 53 (UDP) and Port 853 (TCP) to your Unbound instance, then save and re-test with dnsleaktest.com — no leaks should appear. Every device on your network now uses your DNS, whether it wanted to or not.
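The router rules above, written out as an added example (not from the article) for a Linux-based router that uses nftables; the LAN interface name, subnet, resolver address and the list of public DoH endpoints are assumptions. It also covers two things a router UI will not warn you about: a LAN-to-LAN redirect needs a masquerade rule or the client drops the reply, and DoH on port 443 cannot be redirected, only blocked.

```shell
#!/bin/sh
# Added example, not from the article: an nftables ruleset for a Linux-based
# router that forces all LAN DNS through the local resolver. Interface name,
# subnet, resolver address and the public DoH endpoint list are assumptions.

LAN_IF="${LAN_IF:-br-lan}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
RESOLVER="${RESOLVER:-192.168.1.2}"      # the Unbound host from phase 2

dns_redirect_ruleset() {
  cat <<EOF
table ip dns_sovereign {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # The resolver itself must still reach the root servers on port 53.
    iifname "$LAN_IF" ip saddr $RESOLVER return
    # Plain DNS to any address (hard-coded 8.8.8.8 included) -> local resolver.
    iifname "$LAN_IF" ip saddr $LAN_NET udp dport 53 dnat to $RESOLVER
    iifname "$LAN_IF" ip saddr $LAN_NET tcp dport 53 dnat to $RESOLVER
    # DoT (853) can only be redirected if the local resolver terminates TLS
    # (Unbound: tls-service-key/tls-service-pem plus an interface on @853).
    iifname "$LAN_IF" ip saddr $LAN_NET tcp dport 853 dnat to $RESOLVER
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    # Hairpin: client and resolver share the LAN, so without masquerade the
    # reply would come from $RESOLVER instead of the address the client asked.
    oifname "$LAN_IF" ip daddr $RESOLVER udp dport 53 masquerade
    oifname "$LAN_IF" ip daddr $RESOLVER tcp dport { 53, 853 } masquerade
  }
  chain forward {
    type filter hook forward priority filter; policy accept;
    # DoH rides on 443 and cannot be redirected; reject the public DoH
    # resolvers you know of so devices fall back to port 53 (constructed list).
    iifname "$LAN_IF" ip daddr { 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1 } tcp dport 443 reject with tcp reset
  }
}
EOF
}

# Usage on the router (as root), then re-run dnsleaktest.com from a LAN device:
#   dns_redirect_ruleset | nft -f -
# If Unbound runs on the router itself, replace "dnat to $RESOLVER" with
# "redirect to :53" and drop the postrouting chain.
```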

DNSSEC, browser bypass, and mobile: the gaps people forget

DNSSEC validation uses cryptographic signatures to prove a DNS answer came from the real domain owner, not an impostor. Unbound validates DNSSEC by default; Quad9 and NextDNS support it too. If a response fails validation, your resolver rejects it — protection against poisoning incidents that inject fake answers at the protocol level.

Browser-level “Secure DNS” is the sneaky one. Chrome, Firefox, and Edge sometimes ignore your system DNS and use their own DoH provider — well-intentioned, but it breaks your network-level filtering. Turn it off: Chrome (Settings > Privacy and security > Security > Secure DNS), Firefox (Preferences > Privacy & Security > DNS over HTTPS > Off), Edge (Settings > Privacy, search, and services > Security > Secure DNS).

On mobile, your phone leaks queries constantly unless told otherwise. On iOS, install a DoH or DoT configuration profile under Settings > General > VPN and Device Management > DNS — this enforces encrypted DNS even on 5G. On Android, set the hostname under Settings > Network & internet > Advanced > Private DNS (e.g. dns.nextdns.io), which works on mobile data too. For maximum sovereignty, point both at your home Unbound instance.

Monitoring and jurisdiction: who can still see, and who can compel

Once sovereign DNS is running, audit what’s actually being queried — it exposes devices phoning home and apps with excessive telemetry. With NextDNS, the dashboard shows a real-time list of every query: which device, which domain, blocked or allowed. If a device queries a telemetry server 5,000 times an hour, that’s a leak — cut its internet or uninstall the app. With Unbound, enable logging in /etc/unbound/unbound.conf and parse it with tools like awk. Watch for query-volume spikes, unblocked tracker domains, unfamiliar devices, and queries at times you weren’t using the device.
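One way to do the Unbound log audit described above, as an added example that is not the article’s own tooling: an awk report that flags (device, domain) pairs at or above a query threshold and tallies queries per device per hour, run here over constructed log lines. It assumes Unbound’s log-queries line shape with use-syslog: no and log-time-ascii: yes; the log path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the article: an awk report over Unbound's query log
# (log-queries: yes, use-syslog: no, log-time-ascii: yes). It assumes the line
# shape "Mon DD HH:MM:SS unbound[pid:tid] info: <client> <qname> <qtype> <qclass>".

# Constructed sample log: one device hammering a telemetry host at 03:00.
SAMPLE_LOG='Jan 10 03:14:15 unbound[1234:0] info: 192.168.1.50 telemetry.example. A IN
Jan 10 03:14:16 unbound[1234:0] info: 192.168.1.50 telemetry.example. A IN
Jan 10 03:14:17 unbound[1234:0] info: 192.168.1.50 telemetry.example. AAAA IN
Jan 10 03:14:18 unbound[1234:0] info: 192.168.1.50 Telemetry.Example. A IN
Jan 10 09:00:01 unbound[1234:0] info: 192.168.1.20 www.example. A IN
Jan 10 09:00:02 unbound[1234:0] info: 192.168.1.20 www.example. A IN'

# unbound_query_report LIMIT < logfile
# ALERT lines: (client, domain) pairs with LIMIT or more queries in the window.
# HOUR lines: queries per client per hour, to spot activity when nobody was
# using the device.
unbound_query_report() {
  awk -v limit="${1:-1000}" '
    /info: / {
      split($0, parts, "info: ")
      split(parts[2], f, " ")
      client = f[1]; qname = tolower(f[2])          # case-fold the query name
      count[client " " qname]++
      byhour[client " " substr($3, 1, 2)]++         # HH from the timestamp field
    }
    END {
      for (k in count) if (count[k] >= limit) printf "ALERT %s %d queries\n", k, count[k]
      for (k in byhour) printf "HOUR %s %d\n", k, byhour[k]
    }' | LC_ALL=C sort
}

# Runs the report over the constructed sample with the given threshold.
demo_report() { printf '%s\n' "$SAMPLE_LOG" | unbound_query_report "$1"; }

# Against a live resolver (log path is an assumption; use whatever logfile:
# names in unbound.conf):   unbound_query_report 5000 < /var/log/unbound/unbound.log
```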

If you use a managed service (phase 1), the provider’s jurisdiction sets your legal exposure — query logs can be subpoenaed, sold, or accessed. Privacy havens like Iceland, Switzerland, and Romania sit outside the Five-Eyes intelligence-sharing bloc; Five-Eyes jurisdictions (USA, UK, Canada, Australia, New Zealand) can compel companies to hand over logs. Both NextDNS and Quad9 claim zero-knowledge architectures, but Switzerland-based Quad9 carries stronger legal protection. If you want zero trust in any external party, phase 2 ends the question — no logs exist outside your control.

There’s a documented case that shows why this is more than privacy theatre. In 2024, an independent journalist living under heavy ISP-level DNS filtering needed access to international news sites her ISP had poisoned — major outlets redirected to blocked pages. Because she ran Unbound locally with traffic tunnelled through Tor, her queries bypassed the ISP’s DNS entirely; her resolver went to the global root servers and resolved the real addresses while the rest of her city’s standard-DNS users hit a wall. DNS sovereignty isn’t only privacy — when you own your resolver, you choose your own freedom to connect.

Frequently asked questions

Will sovereign DNS slow down my internet?
Phase 1 (encrypted filtering) is as fast as your normal DNS because it’s cached globally. Phase 2 (Unbound locally) is slightly slower on the first query to a domain — about 20–50ms — because it must query root servers, but subsequent queries are instant thanks to caching. For most people it’s imperceptible, and DNSSEC validation adds minimal overhead.

Can my ISP see my queries if I use DNS-over-HTTPS?
No — not the domains. With DoH, your queries are wrapped in ordinary HTTPS traffic on Port 443, so your ISP can see that you’re connecting to a DoH provider but cannot read which sites you’re resolving. The one party that still sees your queries is the DoH resolver itself, which is exactly why phase 2 (running Unbound locally) exists: it removes even that observer.

Do I still need a VPN if I have sovereign DNS?
They solve different problems. Sovereign DNS protects your destinations — the questions your device asks. A VPN protects the content and route of the traffic that follows, and masks your IP from the sites you visit. The strongest setup uses both: encrypted, self-resolved DNS so no one profiles your intent, plus a VPN (or Tor) so no one ties your traffic back to you.

Is running my own resolver worth it for a normal household?
For most households, phase 1 captures the bulk of the benefit for ten minutes of effort. Phase 2 is for higher-stakes privacy or anti-censorship needs, where trusting any external provider is unacceptable. There’s no shame in stopping at phase 1 — the leak you close there is the one that was profiling you every day.

You ran the test on a whim and saw your ISP’s name where your privacy was supposed to be. That wasn’t a glitch — it was the truth the green shield never showed you. The questions your devices ask have always been broadcast in the open, mapped and sold and occasionally rewritten to point you somewhere you didn’t choose. Now you can close that. Start with phase one today and watch the leak test come back clean; go further when you’re ready. You’re no longer being led across the internet by a map someone else drew. You hold the resolver now — and the freedom to connect is yours to grant, not theirs to approve.

Ranveersingh Ramnauth · Founder & Editor, The Unhacked

Ranveersingh Ramnauth is the founder and editor of The Unhacked, an independent publication on digital sovereignty — privacy, self-custody, health, and money. The Unhacked publishes disclosure-first, independently-tested guidance and never lets a commercial link change a verdict.
