How does DuckDuckGo implement DNS privacy—does it default to DoH or DoT and which providers are used?
Executive Summary
DuckDuckGo’s public materials indicate its VPN and related privacy features route DNS queries to DuckDuckGo-operated DNS servers by default, and users can configure custom DNS providers inside the VPN, but the documentation and audit do not explicitly state whether those servers use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) as the default transport. DuckDuckGo’s help pages and security audit emphasize use of in-house DNS to prevent ISP logging and permit user-specified DNS, while broader ecosystem documentation — notably Cloudflare’s DoH guidance — illustrates common DoH deployments that many browsers and services pair with, but there is no definitive DuckDuckGo statement in the provided materials about DoH vs DoT [1] [2] [3] [4].
1. What DuckDuckGo actually claims about DNS — the core company position that matters
DuckDuckGo’s support pages and VPN materials state the VPN is pre-configured to use DuckDuckGo’s DNS servers, with the explicit goal of protecting DNS queries from being logged or monetized by ISPs or third-party DNS providers; the interface also permits choosing a third-party DNS provider within VPN settings if users prefer. The company frames this as a privacy protection designed to keep DNS resolution under DuckDuckGo’s privacy practices rather than the user’s ISP or other resolvers, and it supplements this with features like a Scam Blocker that leverages DNS blocklists. The official help pages and subscription/privacy policy documents focus on this operational stance and user control options, but they do not specify the DNS transport protocol (DoH vs DoT) used by DuckDuckGo’s servers [1] [2] [5].
2. What the security audit reveals and what it leaves out — gaps in the technical record
DuckDuckGo’s 2024 VPN security audit documents vulnerabilities found and mitigations implemented, and it highlights accepted low-impact risks, but the audit does not disclose whether DuckDuckGo’s DNS servers use DoH or DoT, nor does it describe the DNS transport cryptographic choices in detail. The audit focuses on implementation vulnerabilities, inter-process communication, and platform-specific behaviors rather than network protocol selection for DNS encryption. That omission is notable: a rigorous third-party audit would usually call out transport choices for DNS if they are a central privacy claim. The audit therefore confirms active security work but leaves a crucial protocol-level question unresolved in the public materials [3].
3. How the broader ecosystem shapes expectations — DoH is common, and browsers push it
Industry documentation from major resolver operators and browser vendors shows a clear trend: DoH (DNS-over-HTTPS) is widely implemented and supported by browsers and public resolvers, and providers like Cloudflare publish comprehensive DoH guidance and integration steps. This ecosystem context explains why observers often assume DoH when an organization says “encrypted DNS”: DoH runs over port 443 and can blend with web traffic, making deployment and compatibility simpler in many environments. However, the presence of DoH in the ecosystem does not prove DuckDuckGo uses it, and Cloudflare’s documentation is illustrative rather than declarative about DuckDuckGo’s choices [6] [7] [4].
4. Practical takeaways for users — what you can verify and configure today
Users who want to know precisely what transport DuckDuckGo uses should check their device-level or app-level connection during VPN operation and examine traffic or logs, or ask DuckDuckGo directly for a technical statement. The company’s help pages do state that users can select custom DNS under VPN settings, which is a practical workaround if you require a specific resolver or protocol. Because the materials state the VPN uses DuckDuckGo’s DNS by default and supports custom DNS configuration, users can enforce a known provider with a documented protocol if the default is unclear. The absence of explicit DoH/DoT documentation means the safest path for strict protocol requirements is to configure a known resolver yourself [1] [2].
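One way to carry out the traffic check described above, as an added example that is not from DuckDuckGo or the sources cited here: it classifies flow records by DNS transport using the standard ports (53 plaintext, TCP 853 DoT, UDP 853 DoQ) and counts port 443 as DoH only when the TLS server name matches a resolver you already know. The flow records, addresses and the `dns.resolver.example` hostname are constructed placeholders, not DuckDuckGo endpoints.

```python
from collections import Counter

# Constructed flow records: (proto, dst_ip, dst_port, tls_sni).
# Addresses come from documentation ranges; none is a real resolver.
SAMPLE_FLOWS = [
    ("udp", "192.0.2.53", 53, None),                      # classic DNS
    ("tcp", "192.0.2.53", 853, "dns.resolver.example"),   # DNS-over-TLS
    ("tcp", "198.51.100.7", 443, "dns.resolver.example"), # HTTPS to a resolver
    ("tcp", "198.51.100.80", 443, "www.site.example"),    # ordinary web traffic
    ("udp", "192.0.2.53", 853, None),                     # DNS-over-QUIC
]

# Assumption: hostnames you have independently confirmed serve DoH.
KNOWN_DOH_HOSTS = {"dns.resolver.example"}


def classify(proto, dst_ip, dst_port, sni, doh_hosts=KNOWN_DOH_HOSTS):
    """Label one flow by the DNS transport it most likely carries."""
    if dst_port == 53:
        return "plaintext-dns"
    if dst_port == 853:
        return "dot" if proto == "tcp" else "doq"
    # Port 443 alone proves nothing: DoH looks like any other HTTPS flow,
    # so require a server name that matches a known resolver.
    if dst_port == 443 and sni and sni.lower().rstrip(".") in doh_hosts:
        return "doh-candidate"
    return "other"


def summarize(flows):
    """Count flows per transport label."""
    return Counter(classify(*flow) for flow in flows)


def verdict(counts):
    """Reduce the counts to a single statement about the capture."""
    if counts["plaintext-dns"]:
        return "plaintext DNS present"
    if counts["dot"] + counts["doq"] + counts["doh-candidate"]:
        return "encrypted DNS only"
    return "no DNS transport identified"


if __name__ == "__main__":
    counts = summarize(SAMPLE_FLOWS)
    print(dict(counts), "->", verdict(counts))
```

Run it on flows exported from the VPN's tunnel interface: on the physical interface, queries carried inside the tunnel do not appear as separate DNS flows. A flow with no visible server name falls into `other`, so an empty result is not proof that DoH is absent.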
5. Where to look next and why transparency matters — pinging the company and auditing needs
For definitive answers, DuckDuckGo should publish a short technical note or update its VPN/security audit to specify whether its DNS servers accept DoH, DoT, or both, the endpoints and ports used, and any logging or retention practices tied to DNS queries; that level of transparency is standard for privacy-focused services and would settle questions raised by the current documentation gap. In the meantime, third-party audits and ecosystem operator docs provide context but not confirmation; users and auditors should therefore treat DuckDuckGo’s DNS default and custom-DNS options as established facts while regarding the DoH/DoT question as unresolved until the company provides explicit protocol-level details [3] [4].