Your ISP Has Been Watching Your Browsing This Whole Time — Here's the Windows 11 Fix

MakeUseOf – Productivity, Apr 26, 2026

Why It Matters

Encrypting DNS stops ISPs from harvesting browsing histories and blocks DNS‑based attacks, strengthening overall privacy and security for all Windows 11 users. This system‑wide fix eliminates the need for per‑app configurations, raising the baseline protection across the entire device ecosystem.

Key Takeaways

  • ISP can monitor browsing via unencrypted DNS queries.
  • Windows 11 GUI now supports system‑wide DNS‑over‑HTTPS.
  • Cloudflare, Google, and Quad9 are top DoH providers.
  • Disabling “Fallback to plaintext” ensures continuous encryption.
  • OS‑level DoH secures all applications, not just browsers.

Pulse Analysis

The Domain Name System, while essential for translating human‑readable URLs into IP addresses, traditionally operates without encryption. In the United States, the 2017 rollback of the FCC's broadband privacy safeguards gave ISPs broader authority to log and analyze these queries, turning a routine network function into a privacy liability. Unencrypted DNS not only exposes users to corporate profiling but also to malicious redirection attacks, where threat actors intercept and alter DNS responses to steer victims toward phishing sites or malware.

DNS‑over‑HTTPS (DoH) resolves these concerns by tunneling DNS traffic inside standard HTTPS connections on port 443, so that it looks like regular web traffic to anyone watching the connection. Windows 11’s Settings app now includes a straightforward GUI for enabling DoH. It lets users pick from reputable providers, Cloudflare (1.1.1.1), Google (8.8.8.8), or Quad9 (9.9.9.9), and disable the fallback to plaintext, so that queries are never sent unencrypted even if a server momentarily fails. The interface also supports IPv6 addresses, catering to modern ISP deployments. By configuring DoH at the OS level, every application, from email clients to background services, benefits from encrypted name resolution without additional plugins.
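A command-line route to the same goal, as an added example that is not from the original article: it sets the three resolvers named above to DoH with plaintext fallback off, then lists which DNS servers each active adapter really uses. It assumes the DnsClient cmdlets that ship with Windows 11 and the providers' published DoH template URLs; the function names are hypothetical, and the cmdlets act on the machine-wide resolver table rather than the per-adapter toggle in Settings.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article). Resolver IPs come from the article;
# the template URLs are the providers' published DoH endpoints.
$Resolvers = [ordered]@{
    '1.1.1.1' = 'https://cloudflare-dns.com/dns-query'
    '8.8.8.8' = 'https://dns.google/dns-query'
    '9.9.9.9' = 'https://dns.quad9.net/dns-query'
}

# Hypothetical helper: require DoH for one resolver and forbid plaintext fallback.
function Set-StrictDoh {
    param([string]$Server, [string]$Template)
    $settings = @{
        ServerAddress      = $Server
        DohTemplate        = $Template
        AutoUpgrade        = $true    # use DoH whenever this server is configured
        AllowFallbackToUdp = $false   # fail the lookup instead of sending plaintext
    }
    if (Get-DnsClientDohServerAddress -ServerAddress $Server -ErrorAction SilentlyContinue) {
        Set-DnsClientDohServerAddress @settings
    } else {
        Add-DnsClientDohServerAddress @settings
    }
}

# Hypothetical helper: report, per active adapter, whether each configured DNS
# server is covered by a DoH entry and whether plaintext fallback is still allowed.
function Get-DohAudit {
    $known = @{}
    Get-DnsClientDohServerAddress | ForEach-Object { $known[$_.ServerAddress] = $_ }
    foreach ($adapter in Get-NetAdapter | Where-Object Status -eq 'Up') {
        $servers = (Get-DnsClientServerAddress -InterfaceAlias $adapter.Name `
                        -AddressFamily IPv4).ServerAddresses | Where-Object { $_ }
        foreach ($server in $servers) {
            $entry = $known[$server]
            [pscustomobject]@{
                Interface         = $adapter.Name
                DnsServer         = $server
                DohTemplate       = $entry.DohTemplate
                Encrypted         = [bool]($entry -and $entry.AutoUpgrade)
                PlaintextFallback = if ($entry) { $entry.AllowFallbackToUdp } else { $true }
            }
        }
    }
}

foreach ($ip in $Resolvers.Keys) { Set-StrictDoh -Server $ip -Template $Resolvers[$ip] }
Get-DohAudit | Format-Table -AutoSize
```

Any row with `Encrypted` false, typically a router or ISP address handed out by DHCP, is a server the adapter still queries in plaintext until its DNS address is changed to one of the resolvers above.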

Adopting system‑wide DoH has broader implications for enterprise security and consumer trust. Organizations can enforce a unified privacy posture across devices, reducing the attack surface for DNS‑based threats and simplifying compliance with data‑protection regulations. For individual users, the change restores a degree of anonymity that was eroded after the 2017 policy shift. As more operating systems and browsers standardize DoH, the industry moves toward a more encrypted internet, compelling ISPs to adapt their analytics models and encouraging the development of privacy‑first networking services.
