How does DuckDuckGo handle DNS queries in its mobile apps vs DuckDuckGo browser extension or desktop browser?
This fact-check may be outdated. Consider refreshing it to get the most current information.
Executive summary
DuckDuckGo’s mobile apps (iOS/Android) can route DNS queries through DuckDuckGo’s own DNS servers when their VPN-like “App Tracking Protection” or VPN feature is active, and those servers apply a regularly updated blocklist called “Scam Blocker” unless the user disables it (Scam Blocker can be turned off under VPN Settings > DNS Server) [1]. In contrast, the DuckDuckGo browser extension and desktop browsers provide tracker-blocking and HTTPS-enforcement at the browser layer rather than operating system DNS redirection, and DuckDuckGo’s public documentation and issue trackers show that built-in encrypted DNS (DoH/DoT) support in the browser has been requested but is not a standard built-in behavior of the extension/desktop browser as of the sources provided [2] [3] [4].
1. How the mobile apps send DNS and apply a blocklist
When the DuckDuckGo VPN is connected on mobile, DNS queries are sent to a DuckDuckGo DNS server that first checks the requested domain against a regularly updated blocklist feed; if a domain is on that blocklist the DNS server does not return an IP address and the browser will show an error (DuckDuckGo’s help page describes this Scam Blocker behavior and notes that other browsers may display different errors when a site is blocked) [1].
2. User controls and observable behavior in the app
DuckDuckGo’s help documentation explicitly says Scam Blocker can be disabled — if disabled, DNS queries still use DuckDuckGo’s DNS server but are not checked against the blocklist — meaning users have an on/off control for the DNS-level blocking behavior inside the mobile VPN settings [1].
3. The browser extension and desktop browser handle DNS differently
The DuckDuckGo browser extension and desktop browser aim to protect privacy by enforcing encrypted connections (HTTPS) and blocking trackers at the browser layer rather than by changing the system’s DNS server; DuckDuckGo presents these protections as extension/browser features focused on tracker blocking and HTTPS enforcement, which is distinct from routing DNS to DuckDuckGo-operated servers [2].
4. Encrypted DNS (DoH/DoT) and gaps in browser-level DNS control
Community and issue-tracker conversations show users asking for built-in “Secure DNS” and DoH/DoT support in DuckDuckGo’s privacy browser, and the project’s issue history indicates that using encrypted DNS on Android historically required additional apps or VPN-style intermediaries — implying that built-in encrypted DNS was not universally available in the browser by default in the sources provided [3] [4].
5. Real-world interactions and user reports that complicate the picture
User discussions and support threads reveal confusion when third-party DNS providers like NextDNS are used alongside DuckDuckGo’s app-tracking protection or VPN-like features, with reports that block counters and blocking behavior can differ depending on which DNS path is active, underscoring that mixing system DNS, third-party DNS services, and DuckDuckGo’s VPN/DNS can produce inconsistent observable blocking metrics [5].
6. What can’t be confirmed from the provided reporting
The provided material documents mobile VPN/DNS behavior and the extension/browser’s tracker and HTTPS protections, and it records user requests for DoH/DoT — the sources do not supply a formal DuckDuckGo engineering statement that enumerates every difference in packet routing between every desktop browser, extension, and mobile OS combination, so definitive claims about how every desktop browser handles DNS when the extension is installed cannot be asserted from these sources alone [1] [2] [3].