HomeTechOps

Wi-Fi & Network · Beginner explainer

What is DNS, and why does it break Wi-Fi?

When you type a website name into a browser, the browser does not actually know how to find it. It asks DNS — the Domain Name System — to translate that name into the numeric address the site's servers live at. This translation happens before every website loads, every email sends, every app fetches data. When DNS is slow, the whole internet feels slow. When DNS is broken, you get "Wi-Fi connected, no internet."

The mental model

DNS is the phone book of the internet. You know the name of who you want to call; DNS looks up the actual number.

  • Computers do not talk to each other using names like google.com — they use IP addresses like 142.250.80.46. The phone book lookup is what DNS does.
  • Every device on your network has a DNS server set somewhere — usually the one your ISP picked. Every time you visit a website, your device asks that server, "what's the IP for this name?" before it can connect.
  • You can change which phone book your device uses (Cloudflare, Google, Quad9). You can also encrypt the lookup so your ISP and the local coffee shop cannot see which names you are looking up.

Words you will see

DNS
Domain Name System. Translates human-readable website names into the numeric IP addresses computers actually use.
DNS resolver
The server that does the lookup for you. Your device sends every name query to it. Your ISP runs one; Cloudflare, Google, and Quad9 also run public ones anyone can use.
DoH (DNS-over-HTTPS)
Encrypts your DNS lookups so the ISP and any other party on the network cannot see what names you are resolving. Built into Firefox, Chrome, Windows 11, iOS 14+, Android 11+, and macOS.
DoT (DNS-over-TLS)
Same idea as DoH, different transport. DoT uses its own port (853); DoH rides on regular HTTPS traffic. Both encrypt the lookup.
Cloudflare 1.1.1.1
Cloudflare's free public DNS. Independent benchmarks in 2026 consistently rank it among the fastest globally. No-logs privacy posture.
Quad9 (9.9.9.9)
Swiss non-profit DNS. Blocks known malware and phishing domains at the DNS layer by default. Strong privacy posture; supports DoH, DoT, and DoQ in 2026.
Captive portal
The login page on hotel, airport, or coffee-shop Wi-Fi. It works by hijacking your first DNS query and redirecting it to a login page. Custom DNS bypasses this hijack, which is why captive portals never appear when you have custom DNS set.

What DNS does

Computers do not understand names. They understand IP addresses — numbers like 142.250.80.46. Humans understand names. DNS is the layer that translates between the two.

Every time you type a URL, click a link, or open an app, your device sends a DNS query: "what's the IP for this domain?" A DNS server somewhere replies with the address, and only then can your device connect. This happens in 20-100 milliseconds — fast enough that you do not normally notice.

When DNS is slow, everything feels sluggish; when DNS is broken, websites fail to load while raw network connectivity still works.

The 2026 DNS resolver landscape

Every device gets a DNS resolver from somewhere — usually whichever one your router told it to use. The big public options in 2026:

  • **ISP default** — set automatically when you connect. Often the slowest in independent benchmarks, and the ISP logs every query.
  • **Cloudflare 1.1.1.1 / 1.0.0.1** — fastest in 2026 benchmarks; no-logs, 24-hour anonymized telemetry only.
  • **Google 8.8.8.8 / 8.8.4.4** — fast, reliable, but Google sees your queries.
  • **Quad9 9.9.9.9** — Swiss non-profit. Blocks known malware/phishing domains automatically.
  • **NextDNS** — paid (~$2/month). Full ad/tracker blocking, per-device profiles, custom blocklists.
  • **AdGuard DNS** — free tier blocks ads and trackers; family tier adds adult content filtering.
  • **Pi-hole or AdGuard Home** — self-hosted DNS on a Raspberry Pi or NAS inside your house. Network-wide ad blocking, full control.

Encrypted DNS — what changed in 2025-2026

Until recently, DNS queries were sent in plain text. Anyone on the path — your ISP, the coffee-shop Wi-Fi, a malicious hotspot — could see every domain you looked up. DoH and DoT changed that by encrypting the lookup.

iOS 14+ and macOS 11+ support DoH and DoT via configuration profiles. Android 11+ supports DoH; Android 13+ supports DoH3 (faster). Windows 11 has built-in DoH client support. Firefox flipped DoH on by default for US users in 2020; Chrome followed.

What this means: with encrypted DNS, your ISP can still see which IP addresses you connect to, but not the human-readable names. They cannot easily build a list of every website you visited. The coffee shop can see almost nothing.

Why "connected, no internet" is often DNS

When your phone says "connected, no internet," the most common technical cause is that the router can reach the wider internet but cannot resolve names. Apps that talk to known IPs might partially work; web browsers fail completely because every URL needs a DNS lookup first.

The diagnostic is: change your phone's DNS to 1.1.1.1 manually, then try a website. If it suddenly works, the router's DNS forwarder is broken — a router reboot usually clears it. If it still fails, the problem is further out. The wifi-vs-internet explainer has the full layered diagnostic.
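The same comparison as an added example (not part of the original article): a small Python stub resolver that sends one plain-UDP A-record query to a resolver you name, so the router and 1.1.1.1 can be asked separately. The function names, the router address you pass in, and `example.com` are assumptions, and the first `diagnose` branch covers a case the article does not spell out.

```python
import secrets, socket, struct

def build_query(name, qid):
    """Encode an A-record query; the name goes on the wire as readable labels."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)         # RD set, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(pkt, pos):  # step over a name; it may end in a 2-byte compression pointer
    while pkt[pos] and pkt[pos] & 0xC0 != 0xC0:
        pos += 1 + pkt[pos]
    return pos + (2 if pkt[pos] else 1)

def parse_a_records(pkt, qid):
    """Return IPv4 addresses from a response; [] on error, wrong ID or malformed data."""
    try:
        rid, flags, qd, an = struct.unpack("!4H", pkt[:8])
        if rid != qid or not flags & 0x8000 or flags & 0x000F:   # not our reply, or RCODE != 0
            return []
        pos, addrs = 12, []
        for _ in range(qd):
            pos = skip_name(pkt, pos) + 4                        # skip QTYPE + QCLASS
        for _ in range(an):
            pos = skip_name(pkt, pos)
            rtype, _, _, rdlen = struct.unpack("!2HIH", pkt[pos:pos + 10])
            pos += 10
            if rtype == 1 and rdlen == 4:                        # A record
                addrs.append(socket.inet_ntoa(pkt[pos:pos + 4]))
            pos += rdlen
        return addrs
    except (IndexError, struct.error, OSError):
        return []

def resolve_via(server, name, timeout=3.0):  # server: resolver IP you supply (assumption)
    qid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, 53))          # connected UDP: replies from other hosts are dropped
            s.send(build_query(name, qid))
            return parse_a_records(s.recv(4096), qid)
        except OSError:                      # timeout or unreachable
            return []

def diagnose(via_router, via_public):  # first branch is an added case, not from the article
    if via_router:
        return "router DNS answers: DNS is not the cause"
    if via_public:
        return "router DNS forwarder is broken: reboot the router"
    return "problem is further out than DNS"
```

Call `diagnose(resolve_via("192.168.1.1", "example.com"), resolve_via("1.1.1.1", "example.com"))` with your own router's address in place of `192.168.1.1`. The bytes returned by `build_query` contain the name as readable text, which is what anyone on the path sees when the lookup is not encrypted.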

The captive portal trap

Hotel, airport, and coffee-shop Wi-Fi all rely on a trick to show you the login page: they hijack your first DNS query and redirect it to the login URL. If your device uses custom DNS or has encrypted DNS turned on, the hijack does not work — the captive portal never appears, and you stay stuck on "connected, no internet" forever.

Three workarounds: temporarily turn off custom DNS on your phone before connecting (Settings → Wi-Fi → tap the network → Configure DNS → Automatic), open a plain HTTP site like `http://neverssl.com` (the missing `s` is the trick), or wait 10-20 seconds for the OS to pop the login sheet automatically (iOS and Android both attempt this in 2026).
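How an automatic check for a login page can work, as an added example that is not part of the original article: fetch a plain-HTTP URL whose normal reply is known, do not follow redirects, and treat anything else as interception. The probe URL is the public Android connectivity-check endpoint, chosen here as an assumption; the function names are illustrative.

```python
import http.client
from urllib.parse import urlsplit

# Assumption: Android's plain-HTTP check URL, which normally answers 204 with no body.
PROBE_URL = "http://connectivitycheck.gstatic.com/generate_204"
PROBE_HOST = urlsplit(PROBE_URL).hostname

def classify_probe(status, location=None, body=b""):
    """Decide what a plain-HTTP probe response says about the network."""
    if status == 204 and not body:
        return "open"                      # expected empty reply arrived untouched
    if status in (301, 302, 303, 307, 308) and location:
        host = urlsplit(location).hostname
        if host and host != PROBE_HOST:
            return "captive-portal"        # redirected to some other host's login page
    if status == 200 and body:
        return "captive-portal"            # a page was served in place of the 204
    return "unknown"

def probe(timeout=5.0):
    """Fetch the probe URL once; None means no HTTP reply at all (DNS or link failure)."""
    parts = urlsplit(PROBE_URL)
    conn = http.client.HTTPConnection(parts.hostname, timeout=timeout)
    try:
        conn.request("GET", parts.path)    # http.client never follows redirects itself
        resp = conn.getresponse()
        return classify_probe(resp.status, resp.getheader("Location"), resp.read(4096))
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()
```

The probe has to be plain HTTP for the same reason `http://neverssl.com` works: an HTTPS request cannot be rewritten by the network without a certificate error.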

Common misconceptions

Many people think: DNS comes from my ISP and that's it.

Actually: Your ISP sets a default, but you can change it on any device. Set it on the router and every device on the network uses it. Set it on your phone and only that phone uses it. The ISP cannot force you to use theirs.

Many people think: Custom DNS makes my internet faster overall.

Actually: Custom DNS can shave 20-100 ms off the first connection to each domain. After that, the address is cached and the lookup is effectively free. The "10x faster internet" claim is misleading — DNS affects how fast a name resolves, not how fast data flows once the connection is open.

Many people think: Encrypted DNS hides everything from my ISP.

Actually: Encrypted DNS hides the names you look up. The ISP can still see which IP addresses your device connects to, and most big sites' IPs are well-known. Encrypted DNS is a real privacy improvement, not full anonymity.

Many people think: My DNS doesn't affect ad blocking.

Actually: DNS-level ad blocking is one of the most effective ad blockers because it works for every device on the network — phone, smart TV, console, smart speaker — without installing anything on those devices. Pi-hole, AdGuard Home, and NextDNS all work this way.

Many people think: Setting 1.1.1.1 is enough to be private.

Actually: 1.1.1.1 by itself uses unencrypted DNS — your ISP still sees every query. For real privacy you need DoH or DoT on top of 1.1.1.1, which requires either a recent OS or a browser with DoH on. Cloudflare's 1.1.1.1 mobile app configures this automatically; manual IP entry alone does not.

Last reviewed

2026-05-27