May 23, 2026 · 8 min read · DNS security

How to Set Up Encrypted DNS (DoH / DoT) on Your Router in 2026

Setting encrypted DNS once at your router protects every device on the network. Here is how DoH and DoT work, when to use each, and how to configure them.

By Guardino Team · Guides

Plain DNS is the quiet part of every connection. Each time a device looks up a domain, that request has historically traveled unencrypted, readable by anyone on the path between you and the resolver. Encrypted DNS closes that gap. And the most efficient place to apply it is not on one phone or one laptop, but at the router, where every device on your home network passes through a single point.

This guide explains what encrypted DNS is, why the router is a sensible place to set it, and how to do it in 2026 across the common kinds of router firmware. It is written to be used alongside the tools you already have, not as a replacement for them.

TL;DR: Encrypted DNS (DoH or DoT) hides your domain lookups from observers on the network path. Setting it once at your router applies it to every connected device automatically. Most modern router firmware supports either DoH (over port 443) or DoT (over port 853) — pick whichever your hardware offers, enter your resolver's address, save, and verify.

What Is Encrypted DNS

Encrypted DNS is a way of sending domain-name lookups over an encrypted connection, so they cannot be read or altered by other parties on the network path.

When you visit a site, your device first asks a DNS resolver "what is the address for this domain?" Traditionally that question and its answer traveled in plain text. Encrypted DNS wraps that exchange in transport encryption. Two standards dominate in 2026:

  • DoH — DNS over HTTPS. Lookups travel over the same encrypted HTTPS channel as ordinary web traffic, on port 443. Because it blends in with normal browsing, it is hard to single out.
  • DoT — DNS over TLS. Lookups travel over a dedicated encrypted port, 853. It is cleanly separated from web traffic, which some network operators prefer for visibility and management.

Both achieve the same core goal: the contents of your DNS queries stay private in transit. The difference is mostly about which port they use and how they fit into a given network.
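
To make the difference concrete, the following added example (not code from the original post) builds one DNS query and frames it the way each transport carries it: a two-byte length prefix for DoT (RFC 7858) and an unpadded base64url `dns` parameter for a DoH GET request (RFC 8484). The URL `https://resolver.example/dns-query` is a placeholder, not a real resolver.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Encode a single-question DNS query in RFC 1035 wire format."""
    # Header: ID (0, as RFC 8484 recommends for DoH), flags with only RD
    # set, QDCOUNT=1, remaining counts 0.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label in {name!r}")
        qname += bytes([len(raw)]) + raw
    # Root label, then QTYPE (1 = A) and QCLASS (1 = IN).
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_dot(message: bytes) -> bytes:
    """DoT: two-byte length prefix; the result is written to a TLS
    connection on port 853."""
    return struct.pack("!H", len(message)) + message

def unframe_dot(stream: bytes) -> bytes:
    """Recover one DNS message from the start of a decrypted DoT stream."""
    if len(stream) < 2:
        raise ValueError("missing length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) - 2 < length:
        raise ValueError("truncated DoT message")
    return stream[2:2 + length]

def frame_doh_get(message: bytes, url: str) -> str:
    """DoH GET: the message is base64url-encoded without padding and
    carried in the 'dns' parameter of an HTTPS request on port 443."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{url}?dns={encoded}"

if __name__ == "__main__":
    query = build_query("www.example.com")
    print("DoT bytes:", frame_dot(query).hex())
    # resolver.example is a placeholder, not a real resolver.
    print("DoH GET:  ", frame_doh_get(query, "https://resolver.example/dns-query"))
```

The DNS message is byte-for-byte identical in both cases; only the framing and the port differ.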

One honest clarification worth stating plainly: DNS, encrypted or not, sees domains, not full URLs or page contents. A resolver learns that a device asked for example.com. It does not see the specific page, the form you filled in, or anything inside an HTTPS session. Encrypted DNS protects the lookup; the rest of the page is already protected by HTTPS itself.

Why Set Encrypted DNS at the Router

You can configure encrypted DNS on an individual device, and sometimes that is exactly what you want. But the router has one clear advantage: reach.

One configuration covers everything

A home network in 2026 is rarely three or four computers. It is laptops, phones, a couple of tablets, a smart TV, a thermostat, a game console, maybe a speaker or two. Many of those devices give you no way to set a custom DNS resolver at all. Configure encrypted DNS at the router, and every one of them is covered the moment it joins the network — no per-device setup, no devices left behind.

It survives new devices

When a guest connects, or you add a new gadget, it inherits the network's DNS settings automatically. There is nothing to remember and nothing to repeat.

It pairs cleanly with the tools you already use

Setting DNS at the router does not compete with the screen-time and digital-wellbeing features built into your phones and tablets. Apple's Screen Time and Google's Digital Wellbeing work at the device and app level — they manage how long an app is used and when. Network-level DNS works at a different layer: it decides which domains resolve at all, for every device. The two are complementary. Use the device tools for time and intent, and the router for a consistent baseline across the whole household. They cover different gaps, and together they cover more.

DoH vs DoT: Which Should You Choose

For most home setups, the practical answer is: use whichever your router firmware supports. Neither is meaningfully "more secure" than the other for everyday use — both encrypt your lookups.

| Aspect | DoH (DNS over HTTPS) | DoT (DNS over TLS) |
|---|---|---|
| Port | 443 (shared with web traffic) | 853 (dedicated) |
| Blends with normal traffic | Yes | No, clearly separate |
| Common config field | A full HTTPS URL | A hostname (and sometimes port) |
| Typical use | Browsers, many routers, mobile | Routers, Android Private DNS |

A useful rule of thumb: if the setting asks for a URL (something starting with https://), it expects DoH. If it asks for a hostname (just a domain name, no https://), it expects DoT. Knowing which one a field wants saves a lot of trial and error.

How to Set Up Encrypted DNS on Your Router

Router interfaces vary, but the shape of the task is consistent. Here is the general flow, followed by notes for the common firmware families.

General steps

  1. Find your resolver's details. You need either a DoH URL or a DoT hostname from your chosen DNS provider. Keep both handy; you will use whichever your router asks for.
  2. Log in to your router. Open the admin page in a browser — commonly an address like 192.168.1.1 or 192.168.0.1, printed on a label on the router itself.
  3. Locate the DNS settings. These usually sit under Internet, WAN, Network, or Advanced settings. On firmware that supports encrypted DNS, look for terms like "DoH", "DoT", "DNS over HTTPS", "DNS over TLS", or "Secure DNS".
  4. Enter your resolver. Paste the DoH URL into a URL field, or the DoT hostname into a hostname field. Match the field to the protocol, as described above.
  5. Disable conflicting overrides. If the router lets individual devices or your ISP push their own DNS, make sure those do not override what you just set.
  6. Save and reboot if prompted. Some firmware applies DNS changes immediately; others need a restart.
  7. Verify. Browse normally for a few minutes, then confirm lookups are going where you expect (see the verification note below).

Notes by firmware type

  • Consumer routers with built-in secure DNS. A growing number of off-the-shelf routers expose a "Secure DNS" or "Encrypted DNS" toggle directly. If yours does, this is the easiest path: enable it, paste your resolver, save.
  • Open-source firmware (OpenWrt-style). These give you fine-grained control and usually support DoH or DoT through an add-on package. The setup is more involved but more flexible. Follow your firmware's documentation for the specific package and config file.
  • ISP-provided gateways. Many locked-down ISP routers do not let you change DNS at all. If yours is one of them, you have two practical options: put the gateway into bridge or pass-through mode and use your own router behind it, or configure encrypted DNS on each device individually.
  • No encrypted-DNS support. If your router cannot do DoH or DoT, you are not stuck. You can run a small resolver on a device on the network and point the router's DNS at it, or simply set encrypted DNS per device. Per-device setup is more steps, but it works everywhere.

Verifying it worked

After saving, the simplest check is behavioral: visit a domain you expect your resolver to handle and confirm it behaves as configured. If your DNS provider gives you a dashboard with live query statistics, watch for your queries appearing there shortly after you browse. Seeing your own lookups show up is the clearest confirmation that traffic is flowing through the right resolver.
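
If your router can export a list of active connections, a stricter check is possible. The sketch below is an added example, not part of the original guide: it scans flow records for plain DNS (port 53) leaving the LAN and confirms the router reaches its resolver on port 853 or 443. The `src dst proto dport` line format, the addresses, and the resolver IP are constructed assumptions.

```python
import ipaddress

# Constructed sample flows ("src dst proto dport"); the line format and all
# addresses are assumptions for illustration, not output from a real router.
SAMPLE_FLOWS = """\
192.168.1.23 192.168.1.1 udp 53
192.168.1.1 203.0.113.10 tcp 853
192.168.1.40 198.51.100.53 udp 53
192.168.1.1 198.51.100.7 udp 53
192.168.1.23 203.0.113.80 tcp 443
"""

def audit_dns_flows(text, lan="192.168.1.0/24", router="192.168.1.1",
                    resolver="203.0.113.10"):
    """Classify flows: encrypted upstream seen, and any plain DNS leaks."""
    lan_net = ipaddress.ip_network(lan)
    router_ip = ipaddress.ip_address(router)
    resolver_ip = ipaddress.ip_address(resolver)
    report = {"encrypted_upstream": False,
              "router_plain_upstream": [],
              "clients_bypassing_router": []}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        src = ipaddress.ip_address(fields[0])
        dst = ipaddress.ip_address(fields[1])
        dport = int(fields[3])
        # Router talking to the configured resolver on the DoT or DoH port.
        if src == router_ip and dst == resolver_ip and dport in (853, 443):
            report["encrypted_upstream"] = True
        # Plain DNS that leaves the LAN is unencrypted on the path.
        elif dport == 53 and dst not in lan_net:
            if src == router_ip:
                # Router still using a plain fallback or secondary DNS.
                report["router_plain_upstream"].append(str(dst))
            else:
                # Device with hardcoded DNS that ignores the router.
                report["clients_bypassing_router"].append((str(src), str(dst)))
    return report

if __name__ == "__main__":
    print(audit_dns_flows(SAMPLE_FLOWS))
```

Client queries to the router itself on port 53 are not flagged, because they stay inside the LAN and the router forwards them over the encrypted channel.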

How a Guardino Profile Fits In

If you use Guardino, the same router fields apply — you are just pointing them at a Guardino resolver. The detail to know is how your profile is identified:

  • For DoH, the URL itself carries a per-profile token. You configure the full DoH URL once per profile, and that token tells the resolver which policies — Mind Shield, parental controls, Safe Search, a social-media bundle, focus mode, your custom allow and deny rules — to apply to traffic coming through it.
  • For DoT (and Android's Private DNS, which uses DoT under the hood), you use the bare hostname dns1.guardino.ai. Because a DoT hostname has nowhere to carry a token, profile mapping is handled differently than the URL-token approach used for DoH.

Because policies are configured per profile, a single household can run different settings for different needs — a stricter child profile, a focus profile for work hours — and apply each one wherever it makes sense. The dashboard then shows you real query statistics and logs for what the resolver actually handled, so the network stops being a black box.

On privacy: a Guardino resolver sees domains, not full URLs or page contents. Query metadata is kept for 30 days by default, and that retention is yours to control — you can shorten it or delete logs at any time. Your device IP is not held in long-term storage, and query data is never sold or shared. The full posture is laid out in the privacy policy. For step-by-step device configuration, including the iOS configuration profile and the Android QR code, see the setup guide.

Common Mistakes to Avoid

  • Setting a DoH URL in a DoT field, or vice versa. This is the most frequent cause of a setup that silently fails. Match the protocol to the field: a URL means DoH, a hostname means DoT.
  • Leaving a second DNS source active. If the router still hands out an ISP DNS as a fallback, devices may quietly use it. Remove or disable secondary DNS entries you did not intend.
  • Forgetting devices with hardcoded DNS. A few devices ignore network DNS and talk to a fixed resolver of their own. The router cannot override those; you would address them on the device itself if it matters to you.
  • Not verifying. Saving the setting is not the same as confirming it works. Always do a quick check afterward.
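
The first mistake above, and the URL-versus-hostname rule of thumb from earlier in this guide, can be checked before you save. This is an added example, not Guardino's or any router vendor's code; the function name and the `resolver.example` URL are hypothetical, while `dns1.guardino.ai` is the DoT hostname given in this post.

```python
import re
from urllib.parse import urlsplit

# One or more dot-separated labels ending in an alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def check_resolver_field(field: str, value: str) -> list:
    """Return problems with `value` for a 'doh' or 'dot' field ([] if fine)."""
    value = value.strip()
    looks_like_url = "://" in value
    if field == "doh":
        if not looks_like_url:
            return ["DoH field needs a full https:// URL; "
                    "this looks like a DoT hostname"]
        parts = urlsplit(value)
        problems = []
        if parts.scheme.lower() != "https":
            problems.append(f"scheme is {parts.scheme!r}; DoH requires https")
        if not parts.hostname:
            problems.append("URL has no host")
        return problems
    if field == "dot":
        if looks_like_url or "/" in value:
            return ["DoT field takes a bare hostname; "
                    "this looks like a DoH URL"]
        # The page notes a DoT field sometimes also accepts a port.
        host, _, port = value.partition(":")
        problems = []
        if not HOSTNAME_RE.match(host):
            problems.append(f"{host!r} is not a valid hostname")
        if port and not (port.isdigit() and 0 < int(port) < 65536):
            problems.append(f"{port!r} is not a valid port")
        return problems
    raise ValueError("field must be 'doh' or 'dot'")

if __name__ == "__main__":
    # resolver.example is a placeholder URL, not a real endpoint.
    for field, value in [("dot", "dns1.guardino.ai"),
                         ("dot", "https://resolver.example/dns-query"),
                         ("doh", "dns1.guardino.ai")]:
        print(field, value, "->", check_resolver_field(field, value) or "ok")
```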

Closing Thought

Encrypted DNS at the router is one of those quiet improvements that, once set, mostly disappears into the background — which is the point. It works for every device, it asks nothing of guests, and it sits alongside the screen-time and wellbeing tools you already rely on rather than replacing them. Choose the protocol your hardware supports, enter your resolver, verify once, and let it run.

Frequently asked questions

Is it better to set encrypted DNS on the router or on each device?

The router covers every device on the network with one configuration, including ones you cannot install software on, like smart TVs. Per-device setup gives you control that travels with a phone or laptop off the home network. Many people use both.

What is the difference between DoH and DoT for a router?

DoH (DNS over HTTPS) sends DNS queries over the same encrypted channel as web traffic, on port 443. DoT (DNS over TLS) uses a dedicated encrypted port, 853. Both encrypt your lookups. Routers and firmware differ in which one they support, so use whichever your hardware offers.

Will encrypted DNS at the router slow down my internet?

Encrypted DNS adds a small amount of work compared with plain DNS, but for normal browsing the difference is usually not noticeable. DNS resolution is a tiny fraction of loading a page. We do not publish specific latency figures, because real-world results depend on your network and distance to the resolver.

Does my router need to support encrypted DNS, or can I still use it?

If your router firmware supports DoH or DoT, you can set it there and cover the whole network. If it does not, you can still use encrypted DNS by configuring it on each device individually, or by running a small resolver on the network that the router points to.
