
DNS Protocols Explained: DoH, DoT, and DNSSEC

Every time you open a site, your device runs a DNS lookup to turn the name into an address (how DNS works covers that step by step). For most of the internet’s history that lookup traveled in plain text, readable by anything on the network path. Newer DNS protocols change this – some encrypt the lookup, one proves the answer is genuine. Here is what each one does and when it matters.

Plain DNS: the default

Traditional DNS (sometimes written Do53, after its port number 53) sends queries and answers in plain text, usually as single UDP packets. It is fast and universal – every device supports it – but it has two weak points. Anyone between you and the resolver (your internet provider, a public WiFi operator, or someone sharing the network) can see which names you look up, and can alter or fake the answer before it reaches you. Plain DNS is not broken as a protocol; on its own it simply offers no confidentiality and no way to check that an answer is genuine.

DNS over TLS (DoT)

DNS over TLS wraps the same queries in an encrypted channel, the way TLS protects a banking page. It runs on a dedicated port (853), so a network can easily recognise the traffic as DNS – handy for an administrator who wants to manage it, and a limit if a network chooses to block it. On Android, the built-in “Private DNS” setting is DoT, which is the simplest way for most phone users to switch it on.

What DoT gives you: others on the network path can no longer read or change your lookups. What it does not give you: the resolver you connect to still sees every name you request, so encryption moves the trust to whichever resolver you pick rather than removing it.

DNS over HTTPS (DoH)

DNS over HTTPS also encrypts the lookup, but sends it over the same port as ordinary web traffic (443), so it blends in with everything else your browser does. That makes it harder for a network to single out and block, and it is the method most web browsers now offer in their settings. The trade-off mirrors DoT: because it looks like normal HTTPS, it is harder for an administrator to see and manage – which some home users want and some workplaces specifically do not.

Functionally DoH and DoT protect the same thing: the confidentiality of your lookups in transit. The practical difference is visibility. DoT is openly DNS on its own port; DoH hides inside web traffic. Which is “better” depends on whether you want your DNS easy to manage or hard to distinguish.
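To make the difference concrete, here is an added example (not code from the original page or from the IP Tools / WiFi Tools apps) that builds one plain wire-format query for example.com and shows how each transport carries the very same bytes: Do53 as a bare UDP datagram, DoT with the two-byte length prefix used for DNS over TCP inside a TLS session to port 853 (RFC 7858), and DoH either as a base64url GET parameter or as a POST body (RFC 8484). The resolver host name dns.example is a placeholder; no network traffic is sent.

```python
import base64
import secrets
import struct

QTYPE = {"A": 1, "NS": 2, "MX": 15, "AAAA": 28}


def encode_name(name: str) -> bytes:
    """Encode a host name as wire-format labels: one length byte per label, ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str = "A", txid=None) -> bytes:
    """Build a plain DNS query (RFC 1035): 12-byte header plus one question, class IN."""
    if txid is None:
        txid = secrets.randbelow(0x10000)   # unpredictable ID: a spoofed answer has to guess it
    flags = 0x0100                           # QR=0 (query), opcode 0, RD=1 (ask the resolver to recurse)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def frame_do53(query: bytes) -> bytes:
    """Plain DNS (Do53): the message is the whole UDP datagram to port 53, readable by every hop."""
    return query


def frame_dot(query: bytes) -> bytes:
    """DNS over TLS (RFC 7858): TCP framing, a 2-byte big-endian length prefix, sent inside TLS to port 853."""
    return struct.pack("!H", len(query)) + query


def doh_get(query: bytes, resolver: str = "dns.example") -> str:
    """DNS over HTTPS (RFC 8484) GET form: the same message, base64url without '=' padding, in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={encoded}"   # dns.example is a placeholder resolver


def doh_post(query: bytes, resolver: str = "dns.example") -> dict:
    """DNS over HTTPS POST form: the raw message is the body, typed application/dns-message."""
    return {"method": "POST", "url": f"https://{resolver}/dns-query",
            "headers": {"content-type": "application/dns-message", "accept": "application/dns-message"},
            "body": query}


if __name__ == "__main__":
    q = build_query("example.com", "A")
    print("Do53 datagram:", frame_do53(q).hex())
    print("DoT record:   ", frame_dot(q).hex())
    # RFC 8484 recommends ID 0 for the GET form so identical queries share one HTTP cache entry.
    print("DoH GET:      ", doh_get(build_query("example.com", "A", txid=0)))
    print("DoH POST:     ", doh_post(q)["headers"])
```

Notice that nothing in the DNS message itself changes between the three: the confidentiality comes entirely from the TLS session around it, which is why a DoT and a DoH resolver see exactly the same question and why the choice between them is about what the network can observe, not about what the resolver learns.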

DNSSEC: a different goal

DNSSEC is often mentioned alongside DoH and DoT, but it solves a different problem and encrypts nothing. Instead it adds digital signatures to DNS records, made with keys published in the domain's own zone, so a validating resolver can check that an answer was signed by the zone's key and was not tampered with along the way.

A simple way to picture it: DoH and DoT seal the envelope so no one can read the letter; DNSSEC is the signature that proves the letter is genuine. They are complementary – you can have one, both, or neither. Encrypted transport hides your lookups; DNSSEC vouches for their authenticity. Two limits are worth knowing. DNSSEC only helps for domains whose owners have signed them, and the checking is normally done by the resolver rather than by your device, which simply trusts the resolver's word that an answer validated – one more reason the last hop between you and the resolver benefits from encryption.

Other variants you may see

  • DNS over QUIC (DoQ): similar protection to DoT, built on the faster QUIC transport; support is growing gradually.
  • DNSCrypt: an older independent protocol that also encrypts and authenticates lookups; still used by some tools, though DoH and DoT are now more common.

You rarely need to choose these by hand – they are listed here so the names are familiar when you meet them.

Which one should you use, and how

For most home users the choice is simple:

  • On Android, open the network settings and set “Private DNS” to your chosen provider – that enables DoT system-wide.
  • In a desktop browser, look for a “Secure DNS” or “DNS over HTTPS” option in the security settings.
  • On the router, some models let you set an encrypted resolver for the whole household at once.

Two things to keep in mind. First, encrypted DNS protects the lookup, not your whole connection – it is not a VPN, and the resolver you choose still sees your queries, so pick one you are comfortable trusting. Second, on a managed or workplace network, encrypted DNS may be intentionally disabled; that is a policy choice, not a fault.

Check what your DNS is doing

You can confirm that names resolve, whichever protocol you use:

  1. Open the DNS Lookup tool in IP Tools (Android) or WiFi Tools (iOS).
  2. Enter a domain such as example.com.
  3. Read the returned record – if an address comes back, name resolution is working.

If a site stops loading right after you switch on encrypted DNS, a quick lookup shows whether the new resolver is answering at all. A successful answer shows that names resolve; it does not by itself prove which transport carried the query, so confirm the encrypted-DNS setting on the device separately. For how the lookup itself works step by step, see how DNS works, and the DNS Lookup help page explains each field.

FAQ

Is DoH or DoT better?
They protect the same thing. DoT is easier for a network to recognise and manage; DoH is harder to distinguish from normal web traffic. Choose based on whether you want DNS visible or blended in.

Does encrypted DNS hide everything I do online?
No. It hides which names you look up from others on the network path, but the resolver still sees them, and it does not hide the addresses you then connect to. It is not a replacement for a VPN.

Is DNSSEC the same as encryption?
No. DNSSEC proves an answer is genuine and untampered; it does not make it private. Encryption (DoH and DoT) and DNSSEC solve different problems and can be used together.

How do I turn on encrypted DNS on my phone?
On Android, set “Private DNS” in the network settings to a provider that supports it – that is DoT. On iOS, it is enabled through a configuration profile or an app that sets it.

SSID and BSSID: What They Are and Why They Matter

When you join a WiFi network, you pick it by name – and that name is the SSID. But the device actually talking to your phone is identified by something else, the BSSID. Most of the time you never need the distinction, yet it explains a lot: why a single “network” can be served by several devices, why your phone sometimes clings to a weak signal, and how to tell your network apart from a neighbour’s with the same name.

SSID: the name you see

The SSID (Service Set Identifier) is simply the network’s name – “HomeWiFi”, “TP-Link_2.4G”, or whatever you set on the router. It is a label of up to 32 bytes, nothing more (fewer characters than that if the name uses accented letters or emoji). You choose it, your devices remember it, and they reconnect whenever it is in range. Because it is just text, two completely separate routers can even use the same SSID – which is exactly what larger home setups rely on.

BSSID: the access point behind the name

The BSSID (Basic Service Set Identifier) identifies the specific radio that is broadcasting the SSID – in practice, the hardware address (MAC address) of that access point. If the SSID is the name of the network, the BSSID is the name of the particular device serving it. Your phone is always connected to one BSSID at any moment, even when the SSID makes it look like a single seamless network.

This matters because a dual-band router has a separate BSSID for its 2.4 GHz and 5 GHz radios, and a mesh system or extender gives every node its own BSSID too. They all broadcast the same SSID on purpose, so your devices treat them as one network and move between them automatically.

Why one network has several BSSIDs

If you have a mesh system, an extender, or a modern multi-band router, your single named network is really several access points sharing one SSID. Your device constantly measures the signal of each BSSID it can hear and connects to the strongest, switching as you move around the home. This is what lets you walk from room to room on “the same WiFi” without reconnecting – behind the scenes, your phone is hopping from one BSSID to another.

It also explains a common annoyance: a phone that stays stuck on a distant, weak node instead of switching to a closer one. The name has not changed, but the BSSID it should have moved to is being ignored, so the connection drags even though the network is right there.

Why the difference is useful

Knowing both lets you read your network clearly:

  • See which access point and band you are actually on, rather than guessing from one name.
  • Tell your network apart from a neighbour’s that happens to use the same default name – the BSSID is a hardware address and is meant to be unique, the SSID is not.
  • Notice an access point broadcasting your network’s name that you did not set up: same SSID, unfamiliar BSSID. A BSSID can be faked by whoever controls the radio, so an unfamiliar one next to your name is a reason to look closer, not something to dismiss.
  • Make sense of roaming problems, since they come down to which BSSID your device chooses.

A note on hidden networks

A router can be set to stop broadcasting its name, so the SSID does not appear in the list and you type it in by hand to connect. This can cut down on clutter, but it is worth being clear that it is not a security measure – the access point still sends beacons (with an empty name field), and your own devices send the name in the clear whenever they probe for it or connect, so anyone listening learns it during normal use. Treat a hidden SSID as tidiness, not protection; a strong WPA2 or WPA3 passphrase is what actually keeps the network secure.
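To make the relationship concrete, here is an added example (not the apps' code, nor anything from the original page) that parses the beacon frames access points transmit, which is what a WiFi analyser reads. The frames are constructed for the example, with locally administered 02:… addresses, not captured from real hardware, and the frame check sequence is assumed to be stripped already. It groups the radios it hears by SSID, shows a hidden network as a beacon with an empty name, and flags any BSSID broadcasting your name that is not one of yours.

```python
import struct


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame: bytes) -> dict:
    """Parse an 802.11 beacon (FCS removed): 24-byte MAC header, 12 bytes of fixed fields, then tagged elements."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon")
    if frame[0] != 0x80:                      # frame control: type management (0), subtype beacon (8)
        raise ValueError("not a beacon frame")
    bssid = mac_str(frame[16:22])             # addr3 carries the BSSID in a beacon
    interval, capability = struct.unpack("<HH", frame[32:36])   # fixed fields are little-endian
    ssid, channel = None, None
    pos = 36
    while pos + 2 <= len(frame):              # tagged elements: id, length, body
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) != elen:
            raise ValueError("truncated element")
        if eid == 0:                          # SSID element; empty (or all NUL) means the name is hidden
            ssid = body.rstrip(b"\x00").decode("utf-8", "replace")
        elif eid == 3 and elen == 1:          # DS Parameter Set: the channel this radio is on
            channel = body[0]
        pos += 2 + elen
    return {"bssid": bssid, "ssid": ssid, "hidden": not ssid, "channel": channel,
            "privacy": bool(capability & 0x0010), "beacon_interval": interval}


def make_beacon(bssid: str, ssid: str, channel: int) -> bytes:
    """Build a minimal beacon for the constructed scan below (test input, not a capture)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"  # FC, duration, DA, SA, BSSID, seq
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, 100 TU interval, ESS + privacy + short slot
    elems = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])
    return header + fixed + elems


# Constructed scan: one household network on two bands, a neighbour using the same name, one hidden network.
SCAN = [
    make_beacon("02:00:00:00:00:01", "HomeWiFi", 6),    # our router, 2.4 GHz radio
    make_beacon("02:00:00:00:00:02", "HomeWiFi", 36),   # our router, 5 GHz radio
    make_beacon("02:00:00:00:00:99", "HomeWiFi", 1),    # someone else's radio with the same name
    make_beacon("02:00:00:00:00:03", "", 11),           # hidden SSID: beacon still sent, name field empty
]


def group_by_ssid(frames) -> dict:
    """One name, possibly many radios: map each SSID to the (BSSID, channel) pairs announcing it."""
    groups = {}
    for b in map(parse_beacon, frames):
        groups.setdefault(b["ssid"] or "<hidden>", []).append((b["bssid"], b["channel"]))
    return groups


def unexpected_bssids(frames, ssid: str, known_bssids) -> list:
    """BSSIDs broadcasting our SSID that we did not set up: a neighbour's default name or an impostor AP."""
    known = {k.lower() for k in known_bssids}
    return sorted(b["bssid"] for b in map(parse_beacon, frames)
                  if b["ssid"] == ssid and b["bssid"] not in known)


if __name__ == "__main__":
    for name, radios in group_by_ssid(SCAN).items():
        print(name, radios)
    print("not ours:", unexpected_bssids(SCAN, "HomeWiFi", ["02:00:00:00:00:01", "02:00:00:00:00:02"]))
```

The hidden network appears in the scan like any other radio, which is the whole point of the note above: hiding the name removes it from the list, not from the air.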

See the networks around you

You can look at the SSIDs and BSSIDs in range rather than guessing:

  1. Open the WiFi Analyzer in IP Tools (Android) or WiFi Tools (iOS).
  2. Look at the list of nearby networks, each shown with its SSID and BSSID.
  3. Note where the same SSID appears under more than one BSSID – that is one network served by several access points, each with its own band and signal.

Seeing them side by side makes the relationship concrete: one name, possibly many radios. For what each value means, see the WiFi Analyzer help page; for how channels and bands fit in, see WiFi channels explained.

FAQ

What is the difference between SSID and BSSID?
The SSID is the network name you see and connect to; the BSSID identifies the specific access point – its hardware address – serving that name. One SSID can have many BSSIDs.

Why does my network show several BSSIDs?
Because more than one radio is broadcasting the same name – typically a router’s 2.4 GHz and 5 GHz bands, plus any mesh nodes or extenders. They share the SSID so your devices treat them as one network.

Can two networks have the same SSID?
Yes. The SSID is just a name and is not unique, which is why routers and extenders in one system deliberately share it. The BSSID is what tells them apart.

Is hiding my SSID a good security step?
Not really. A hidden SSID is not announced but is still detectable, so it offers little real protection. A strong WiFi password is what keeps the network secure.

How DNS Works: From Request to Response

DNS, the Domain Name System, turns the website names you type into the numbers computers actually use to find each other. When you enter example.com, your device cannot connect to a name – it needs an IP address like 203.0.113.10. DNS is the lookup that happens in the background, usually in a few milliseconds, every single time you open a site or an app.

What DNS is

DNS is the address book of the internet. People remember names like youtube.com, but the network routes traffic using IP addresses; DNS is the service that maps one to the other. Without it you would have to memorise a string of numbers for every site you visit.

The reason this system exists is that names and addresses change at different rates. A website can move to a new server, and therefore a new IP address, while keeping the same name: its operator updates the DNS record, and once cached copies of the old one expire every resolver hands out the new address, so you never notice. The name stays constant for people; the address underneath can change freely.

How a DNS lookup works, step by step

When you open a site, your device runs a short relay to find the matching address:

  1. It first checks its own memory (cache) for a recent answer.
  2. If there is none, it asks a resolver – usually run by your internet provider or a public service.
  3. The resolver works down a chain: a root server points it to the servers for the ending (such as .com), which point it to the website’s own authoritative server.
  4. That authoritative server returns the IP address, and the resolver passes it back to your device, which finally connects.

This sounds like a lot, but it normally finishes in well under a second. The chain exists because no single machine could hold the address of every site on earth, so the work is split: each step narrows the search until the exact answer is found. Once it is, the answer is cached at several points – your device, the resolver, and often the browser too – for the lifetime (TTL) that the record carries, so the next visit skips most of the journey.
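As an added example (not code from the original page or from the IP Tools / WiFi Tools apps), here is a parser for the reply a resolver sends back at step 4, run over a constructed response for example.com rather than a captured one. It shows what a client has to check before trusting an answer – that the transaction ID matches its own query, that the message really is a response, and that the result code is zero – and it pulls out the TTL that drives the caching just described. It also reads the AD flag, the resolver's claim that it validated the answer with DNSSEC, which the device itself has no way to verify. The transaction ID and the address in the sample are made up.

```python
import ipaddress
import struct

TYPE_NAME = {1: "A", 2: "NS", 15: "MX", 28: "AAAA"}


def decode_name(msg: bytes, offset: int):
    """Decode a wire-format name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appeared in the message)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:             # top two bits set: pointer to a name earlier in the message
            if end is None:
                end = offset + 2              # the name occupies two bytes here, wherever the pointer leads
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 16:                     # refuse pointer loops in a hostile message
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg: bytes, expected_id: int) -> dict:
    """Validate the header, skip the echoed question, and return the answer records."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("response ID does not match our query: ignore it")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qd):                        # question section: name, qtype, qclass
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        if offset + 10 > len(msg):
            raise ValueError("truncated record")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            value = str(ipaddress.IPv6Address(rdata))
        else:
            value = rdata.hex()               # other types left raw for this example
        answers.append({"name": name, "type": TYPE_NAME.get(rtype, str(rtype)), "ttl": ttl, "data": value})
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": answers}


# Constructed response to "example.com A", not captured from a real resolver.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234" "81a0" "0001" "0001" "0000" "0000"          # header: id 0x1234, flags QR RD RA AD, 1 question, 1 answer
    "076578616d706c6503636f6d00" "0001" "0001"         # question: example.com, type A, class IN
    "c00c" "0001" "0001" "00000e10" "0004" "cb00710a"  # answer: pointer to the name, A, IN, TTL 3600, 203.0.113.10
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, 0x1234))
```

The ID check is the one plain DNS offers against a forged reply: an attacker who cannot see the query must guess the ID (and the source port) to get a fake answer accepted, which is why a client should pick it unpredictably and drop anything that does not match.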

Why DNS matters to you

DNS quietly affects your everyday experience in a few ways:

  • Speed. A fast resolver and good caching mean pages start loading sooner; a slow or distant resolver adds a small delay to everything.
  • Reliability. If DNS fails, a site appears “down” even though it is running – your device simply could not look up its address.
  • Troubleshooting. When the internet works but one site will not open, a DNS problem is a common cause, separate from your connection itself.

This is why switching to a different DNS resolver sometimes makes browsing feel snappier or fixes a stubborn site. It changes who answers the lookup, not your actual connection. Understanding that the name-to-address step is separate from the connection helps you tell the two kinds of problem apart. Lookups can also be encrypted so others on the network cannot read them – the secure variants are covered in DNS protocols: DoH, DoT, and DNSSEC.

See DNS in action

You can run a lookup yourself to see exactly what DNS returns:

  1. Open the DNS Lookup tool in IP Tools (Android) or WiFi Tools (iOS).
  2. Enter a domain name such as example.com.
  3. Choose a record type, or leave the default.
  4. Read the result – for an A record you will see the site’s IP address.

A domain has several record types, each answering a different question: an A record gives the IPv4 address, AAAA the IPv6 address, MX the mail servers, and NS the name servers responsible for the domain. Running a lookup is also how you confirm a change has taken effect after moving a site or editing records, bearing in mind that resolvers may keep serving the old record until its TTL runs out. For what each field means, see the DNS Lookup help page, and for the addresses themselves, how to find your IP address.

FAQ

What is DNS in simple terms?
It is the system that turns website names into the IP addresses computers use to connect, like a contacts app that turns a name into a phone number.

What is a DNS resolver?
It is the service that does the lookup for you, usually run by your internet provider or a public DNS service. Your device asks it, and it finds the address.

Does changing my DNS make the internet faster?
It can make name lookups faster or more reliable, which makes browsing feel quicker, but it does not change the actual speed of your connection.

Why does a site fail to load when the internet works?
Often the DNS lookup for that specific site failed, so your device never got its address. A lookup tool helps confirm whether DNS is the cause.