DNS & Secure DNS

DNS Settings

DNS (Domain Name System) is the internet's address book. It translates human-readable domain names like google.com into the IP addresses that computers use to connect. By default, these lookups are unencrypted, so your ISP (and anyone else on the network path) can see the name of every site you visit, even when the connection to the site itself uses HTTPS.

Stealth's secure DNS features close this gap by encrypting your DNS queries and routing them through trusted resolvers.

Understanding the Risk

Visibility. Your ISP can log every domain you query, building a detailed profile of your online activity. This data is often sold to advertisers or retained for government requests.

Manipulation. Unencrypted DNS can be intercepted and modified. Attackers on your network could redirect you to fake websites, and some ISPs inject ads or redirect failed lookups to their own pages.

DNS Providers

Choose a provider in Settings → Tools → DNS Settings. For most users, Cloudflare offers the best combination of speed and privacy.

  • System Default - restores DHCP / automatic DNS from your network
  • Cloudflare - 1.1.1.1 / 1.0.0.1; fastest performance, no logging
  • Google - 8.8.8.8 / 8.8.4.4; reliable global infrastructure
  • Quad9 - 9.9.9.9; security-focused with built-in malware blocking
  • AdGuard - 94.140.14.14; ad blocking and privacy filtering at the DNS level
  • Custom - unlimited custom entries, each with a name, a primary and an optional secondary IPv4 address, plus an optional color and icon for visual identification

Cloudflare Content Filtering

A feature specific to the Cloudflare provider: choosing a filtering level automatically switches you to the matching Cloudflare resolver pair.

  • None - 1.1.1.1 / 1.0.0.1
  • Malware - 1.1.1.2 / 1.0.0.2; blocks known malicious domains, phishing, and command-and-control servers
  • Malware + Adult Content - 1.1.1.3 / 1.0.0.3; adds adult content blocking, useful for shared or family computers

The DNS window monitors this and warns if your filtering level doesn't match the actual configured resolver. Filtering automatically clears when you switch away from Cloudflare.
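The mismatch check described above, as an added PowerShell example that is not Stealth's own code: it maps the resolvers actually configured on each connected adapter back to a Cloudflare filtering level and returns a warning when that level differs from the one the user selected. The function names and the $SelectedLevel parameter are assumptions for illustration; the resolver pairs are the ones in the table above.

```powershell
# Added example (not Stealth's own code): map configured resolvers back to a
# Cloudflare filtering level and flag a mismatch. Function names are assumed.

# Cloudflare's resolver pairs per filtering level (from the table above).
$CloudflareLevels = @{
    'None'                    = @('1.1.1.1', '1.0.0.1')
    'Malware'                 = @('1.1.1.2', '1.0.0.2')
    'Malware + Adult Content' = @('1.1.1.3', '1.0.0.3')
}

function Get-CloudflareLevelForServers {
    param([string[]]$Servers)
    # Return the level whose pair contains every configured server, or $null when
    # the adapter is not pointed at Cloudflare at all (e.g. 8.8.8.8 or a mixed list).
    foreach ($level in $CloudflareLevels.Keys) {
        $pair = $CloudflareLevels[$level]
        $unmatched = $Servers | Where-Object { $pair -notcontains $_ }
        if ($Servers.Count -gt 0 -and -not $unmatched) { return $level }
    }
    return $null
}

function Test-CloudflareFilterMismatch {
    param(
        [Parameter(Mandatory)][string]$SelectedLevel,
        [string[]]$Servers
    )
    $actual = Get-CloudflareLevelForServers -Servers $Servers
    if ($null -eq $actual) {
        return "Adapter is not using a Cloudflare resolver ($($Servers -join ', ')); filtering level '$SelectedLevel' does not apply."
    }
    if ($actual -ne $SelectedLevel) {
        return "Mismatch: selected '$SelectedLevel' but the adapter resolves via '$actual' ($($Servers -join ', '))."
    }
    return $null   # configuration matches, no warning
}

function Get-ActiveAdapterDnsWarnings {
    param([Parameter(Mandatory)][string]$SelectedLevel)
    # Live check: read the IPv4 resolvers of every adapter that has any configured.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $w = Test-CloudflareFilterMismatch -SelectedLevel $SelectedLevel -Servers $_.ServerAddresses
            if ($w) { "[$($_.InterfaceAlias)] $w" }
        }
}

# Constructed sample: the user chose Malware filtering, but the adapter still
# carries the unfiltered pair, so a mismatch warning is returned.
Test-CloudflareFilterMismatch -SelectedLevel 'Malware' -Servers @('1.1.1.1', '1.0.0.1')
```

Run Get-ActiveAdapterDnsWarnings -SelectedLevel 'Malware' to check the live system; an empty result means every adapter with resolvers configured is on the expected pair. A mixed list such as 1.1.1.2 plus 8.8.8.8 is deliberately reported as "not Cloudflare", since a single unfiltered resolver in the list is enough to bypass the filtering.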

DNS-over-HTTPS (DoH)

DoH is an encryption layer that wraps DNS queries inside HTTPS, so ISPs and network observers can't read them. Stealth ships DoH templates for each supported provider (Cloudflare, Google, Quad9, AdGuard - including the malware and family variants) and applies them through the native Windows Add-DnsClientDohServerAddress cmdlet when DNS Encryption is enabled.
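Registering DoH templates with the cmdlet named above, as an added example that is not Stealth's own code. It requires Windows 11 or Windows Server 2022 and an elevated session. The template URLs are the providers' published DoH endpoints; AdGuard is omitted rather than guessed, and the function names and the choice of -AllowFallbackToUdp $false are this example's assumptions, not the product's documented settings.

```powershell
# Added example (not Stealth's own code): register DoH templates for the
# resolver IPs so Windows knows which HTTPS endpoint belongs to each address.
# Requires Windows 11 / Server 2022 and an elevated PowerShell session.
$DohTemplates = @{
    '1.1.1.1' = 'https://cloudflare-dns.com/dns-query'
    '1.0.0.1' = 'https://cloudflare-dns.com/dns-query'
    '1.1.1.2' = 'https://security.cloudflare-dns.com/dns-query'   # Malware filtering
    '1.0.0.2' = 'https://security.cloudflare-dns.com/dns-query'
    '1.1.1.3' = 'https://family.cloudflare-dns.com/dns-query'     # Malware + Adult Content
    '1.0.0.3' = 'https://family.cloudflare-dns.com/dns-query'
    '8.8.8.8' = 'https://dns.google/dns-query'
    '8.8.4.4' = 'https://dns.google/dns-query'
    '9.9.9.9' = 'https://dns.quad9.net/dns-query'
}

function Register-DohTemplates {
    param([hashtable]$Templates = $DohTemplates)
    foreach ($ip in $Templates.Keys) {
        $args = @{
            ServerAddress      = $ip
            DohTemplate        = $Templates[$ip]
            AutoUpgrade        = $true    # upgrade plain queries to this server to DoH automatically
            AllowFallbackToUdp = $false   # never silently drop back to plaintext if DoH fails
        }
        # Add-DnsClientDohServerAddress fails if an entry for the IP already exists,
        # so re-assert an existing (possibly stale or tampered) mapping with Set- instead.
        if (Get-DnsClientDohServerAddress -ServerAddress $ip -ErrorAction SilentlyContinue) {
            Set-DnsClientDohServerAddress @args
        } else {
            Add-DnsClientDohServerAddress @args
        }
    }
}

function Get-PlaintextFallbackTemplates {
    # Audit: any registered template that may fall back to UDP weakens the
    # "network observers can't read them" guarantee and is worth reviewing.
    Get-DnsClientDohServerAddress | Where-Object { $_.AllowFallbackToUdp }
}

Register-DohTemplates
Get-DnsClientDohServerAddress | Format-Table ServerAddress, DohTemplate, AutoUpgrade, AllowFallbackToUdp
```

A template only tells Windows which endpoint belongs to an IP. Queries are encrypted only for adapters that are actually pointed at one of those IPs and have encryption turned on for them (Settings → Network & internet → DNS server assignment, or the equivalent per-interface DoH settings), which is the part the DNS Encryption toggle handles. Setting AllowFallbackToUdp to $false trades availability for confidentiality: if the DoH endpoint is blocked, resolution fails visibly instead of leaking plaintext queries.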

Recommendation: Keep DNS Encryption enabled at all times. The performance impact is negligible, and it provides meaningful privacy protection.

IPv6 Support

Built-in providers automatically apply matching IPv6 servers (Cloudflare, Google, Quad9, AdGuard). For custom providers, an address is treated as IPv6 when it contains a colon (:).

Cloudflare WARP Awareness

If Cloudflare WARP is installed and connected, Stealth coordinates with it before applying changes - sets WARP to warp+doh mode, skips the WARP adapter when configuring system DNS, and restores your prior WARP mode when you Reset to System.

Operations

  • Apply - writes static DNS to all active adapters via netsh (requires admin)
  • Reset to System - restores DHCP / automatic DNS and clears proxy settings
  • Flush DNS Cache - runs Clear-DnsClientCache and ipconfig /flushdns
  • Renew IP - optional ipconfig /renew after applying
  • Verify - post-apply snapshot of the resolved DNS configuration

Backup & Restore

Stealth keeps a dns-backup.json of your original adapter DNS so changes are fully reversible.

  • Restore original - undo all Stealth-applied DNS
  • DHCP fallback - used when no good backup exists
  • Reset backup to current - manually capture your current configuration as the new baseline
  • Emergency reset - force every adapter back to DHCP if something goes wrong
  • Startup check - warns if any adapter has localhost DNS, a sign of broken or interrupted setup
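The backup → apply → verify → restore cycle described under Operations and Backup & Restore, as an added PowerShell example that is not Stealth's own code. It uses the DnsClient cmdlets (Set-DnsClientServerAddress in place of the netsh call the Operations list mentions), writes its own dns-backup.json, and includes the localhost startup check. The backup path, the per-interface NameServer registry lookup used to tell static from DHCP resolvers, and all function names are this example's assumptions. It changes system DNS and must run from an elevated session.

```powershell
# Added example (not Stealth's own code): reversible DNS changes with a JSON
# backup. $BackupPath and function names are assumed; run elevated.
$BackupPath = Join-Path $env:ProgramData 'dns-backup.json'

function Get-ActiveAdapters {
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
}

function Test-StaticDns {
    param([Parameter(Mandatory)][string]$InterfaceGuid)
    # Static resolvers are stored in the per-interface NameServer value; DHCP-supplied
    # ones live in DhcpNameServer. This lets Restore put a DHCP adapter back to DHCP.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$InterfaceGuid"
    $ns = (Get-ItemProperty -Path $key -Name NameServer -ErrorAction SilentlyContinue).NameServer
    return -not [string]::IsNullOrWhiteSpace($ns)
}

function Backup-AdapterDns {
    param([string]$Path = $BackupPath)
    # Snapshot each connected adapter's IPv4 resolvers and whether they were static.
    $snapshot = foreach ($a in Get-ActiveAdapters) {
        $v4 = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4).ServerAddresses
        [pscustomobject]@{
            InterfaceAlias = $a.Name
            InterfaceIndex = $a.ifIndex
            Static         = Test-StaticDns -InterfaceGuid $a.InterfaceGuid
            IPv4           = @($v4)
        }
    }
    # -InputObject with @() keeps a single adapter serialized as a JSON array.
    ConvertTo-Json -InputObject @($snapshot) -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    return $snapshot
}

function Set-AdapterDns {
    param([Parameter(Mandatory)][string[]]$Servers)
    # Apply: write the chosen resolver pair statically to every connected adapter.
    foreach ($a in Get-ActiveAdapters) {
        Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $Servers
    }
    Clear-DnsClientCache   # Flush DNS Cache, so cached answers do not mask the change
}

function Test-AdapterDns {
    param([Parameter(Mandatory)][string[]]$Expected)
    # Verify: report adapters whose resolvers differ from what was applied, and the
    # startup check for a loopback resolver left behind by an interrupted setup.
    foreach ($a in Get-ActiveAdapters) {
        $actual = @((Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4).ServerAddresses)
        $loopback = $actual | Where-Object { $_ -like '127.*' -or $_ -eq '::1' }
        if ($loopback) {
            "[$($a.Name)] WARNING: localhost resolver $($loopback -join ', ') - setup was likely interrupted"
        } elseif ($actual.Count -eq 0 -or (Compare-Object $Expected $actual)) {
            "[$($a.Name)] MISMATCH: expected $($Expected -join ', '), got $($actual -join ', ')"
        } else {
            "[$($a.Name)] OK: $($actual -join ', ')"
        }
    }
}

function Restore-AdapterDns {
    param([string]$Path = $BackupPath)
    if (-not (Test-Path $Path)) {
        # DHCP fallback / emergency reset: no usable backup, so return every adapter to automatic.
        foreach ($a in Get-ActiveAdapters) {
            Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ResetServerAddresses
        }
        return
    }
    foreach ($entry in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
        if ($entry.Static -and @($entry.IPv4).Count -gt 0) {
            Set-DnsClientServerAddress -InterfaceIndex $entry.InterfaceIndex -ServerAddresses @($entry.IPv4)
        } else {
            Set-DnsClientServerAddress -InterfaceIndex $entry.InterfaceIndex -ResetServerAddresses
        }
    }
    Clear-DnsClientCache
}

# Typical cycle: back up first, apply Cloudflare's unfiltered pair, then verify.
# Restore-AdapterDns later undoes everything from the saved baseline.
Backup-AdapterDns | Out-Null
Set-AdapterDns -Servers @('1.1.1.1', '1.0.0.1')
Test-AdapterDns -Expected @('1.1.1.1', '1.0.0.1')
```

Backing up only the address list is not enough for a faithful restore: an adapter on DHCP also reports the DHCP-supplied resolvers, and re-applying them as static entries would leave it pinned to whatever the last network handed out. That is why the snapshot records the Static flag separately. Calling Backup-AdapterDns again on an already-modified system is the equivalent of "Reset backup to current", so guard it the same way the tool does.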

How DNS Works with VPN

When VPN is active, DNS queries flow through layered protection:

  1. The VPN tunnel hides DNS queries from your local network and ISP
  2. Trusted DNS servers prevent third-party logging
  3. DoH adds another encryption layer for defense in depth

Troubleshooting

If websites fail to load after enabling secure DNS:

  1. Try a different DNS provider - some networks block specific providers
  2. Disable DoH temporarily to test if HTTPS encryption is the issue
  3. Check the Cloudflare content filtering level mismatch warning
  4. Use Reset to System, then reconfigure
  5. Run Flush DNS Cache to clear stale entries
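A diagnostic for step 1 of the list above, as an added PowerShell example that is not Stealth's own code: it queries each built-in provider directly over plain DNS and then asks the system resolver, so a network that blocks one provider can be told apart from a broken adapter or DoH configuration. The function names and the use of example.com as the test name are assumptions.

```powershell
# Added example (not Stealth's own code): separate "this network blocks provider X"
# from "my adapter or DoH configuration is broken". Function names are assumed.
$ProviderProbe = @{ Cloudflare = '1.1.1.1'; Google = '8.8.8.8'; Quad9 = '9.9.9.9'; AdGuard = '94.140.14.14' }

function Test-DnsProvider {
    param([Parameter(Mandatory)][string]$Server, [string]$Name = 'example.com')
    # Query the resolver directly, bypassing the hosts file and the local cache.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $answer = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -NoHostsFile -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        return [pscustomobject]@{ Server = $Server; Reachable = $true;  Ms = $sw.ElapsedMilliseconds; Result = $answer.IPAddress }
    } catch {
        return [pscustomobject]@{ Server = $Server; Reachable = $false; Ms = $sw.ElapsedMilliseconds; Result = $_.Exception.Message }
    }
}

function Test-SecureDnsPath {
    param([string]$Name = 'example.com')
    # 1. Each provider directly: a timeout here points at the network, not at your settings.
    foreach ($p in $ProviderProbe.GetEnumerator()) {
        $r = Test-DnsProvider -Server $p.Value -Name $Name
        '{0,-10} {1,-14} reachable={2,-5} {3,5} ms  {4}' -f $p.Key, $r.Server, $r.Reachable, $r.Ms, $r.Result
    }
    # 2. The system resolver, which is the path DoH applies to. If this fails while the
    #    direct probes succeed, the adapter configuration or the DoH upgrade is the problem
    #    (steps 2 to 4 above); if a provider fails in both places, switch provider (step 1).
    try {
        $sys = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        "System resolver: OK ($($sys.IPAddress))"
    } catch {
        "System resolver: FAILED - $($_.Exception.Message)"
    }
}

Test-SecureDnsPath
```

Because the direct probes are plain UDP/TCP on port 53, a provider that answers here can still be blocked on its DoH endpoint; that case shows up as direct probes succeeding while the system resolver fails after enabling encryption, which is exactly what step 2 tests for.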