How does Google DNS use encryption?


Gmayl

Sep 18, 2017, 3:51:30 PM
to public-dns-discuss
If I change my router DNS to Google DNS, are my DNS requests encrypted? Am I protected from an attacker finding out which websites/domains I'm trying to visit? Can my ISP see my requests? (I ask because I know that HTTPS adds some level of protection/privacy but DNS lookups give away some information, like the domains someone is trying to reach.)

TrongChuong Dao

Sep 23, 2017, 1:24:25 PM
to public-dns-discuss
You can test DNSCrypt. It will encrypt your data on the net. It always protects your privacy from your ISP, man-in-the-middle attacks, and so much more. Please test the Tor project. Thanks, nice post.

Alex Dupuy

Sep 23, 2017, 2:38:11 PM
to public-dns-discuss
Normal DNS requests, of the kind that are typically generated by router DNS resolvers, are not encrypted, and can be seen by your ISP and potentially anyone else with access to the network between your router and your ISP (e.g. other devices connected to a cable internet segment if your router is using one to reach your ISP).

There are several systems that you can use to protect DNS requests between your router and your configured recursive resolver. 
Some client libraries offer support for these, and there are some DNS proxies that can provide gateways to these services from clients on your local network that use classic DNS protocols. One of them (pforemski/dingo) supports Google's DNS over HTTPS and OpenResolve; there are many others that support just one of these systems.
All of these use encrypted communications between the client and the recursive resolver to ensure privacy from your ISP and prevent forged responses. All of them (by necessity) expose your domain lookups to the recursive resolvers, which may or may not have privacy policies (OpenDNS, Yandex, and Google Public DNS do) and/or be subject to search warrants from different governments depending on their operations.

Apart from privacy protections between your clients and a recursive resolver, note that recursive resolvers generally do not encrypt any of your queries that they forward to authoritative name servers, so those may be visible to root and TLD authoritative name servers. Although OpenDNS uses DNSCurve to encrypt queries to the very few domains that support DNSCurve, neither OpenDNS nor any other large public resolver implements QNAME minimization (RFC 7816) so the domain names you query may in some cases be "leaked" to parent domain name servers (e.g. queries for curveprotect.org or subdomains may be sent by recursive resolvers to the Afilias name servers for .ORG or root name servers, even though OpenDNS will use DNSCurve when contacting the authoritative name servers for curveprotect.org).
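
The QNAME minimization point in the post above, as an added example that is not part of the original thread: a simplified Python model of which authoritative tier is asked which name, with and without RFC 7816. It assumes a cold resolver cache; the function names and the delegation chain in `CUTS` are constructed for illustration.

```python
"""Simplified model: what each authoritative tier is asked, with and without
QNAME minimization (RFC 7816). Assumes a cold resolver cache."""

def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def fqdn(lbls):
    return ".".join(lbls) + "." if lbls else "."

def classic_trace(qname, qtype, zone_cuts):
    """Classic recursion: every zone on the delegation path gets the full question."""
    q = labels(qname)
    cuts = {fqdn(labels(z)) for z in zone_cuts} | {"."}
    path = [fqdn(q[-d:]) if d else "." for d in range(len(q) + 1)]
    return [(zone, fqdn(q), qtype) for zone in path if zone in cuts]

def minimised_trace(qname, qtype, zone_cuts):
    """Minimizing resolver: ask each tier only for one more label, as an NS query."""
    q = labels(qname)
    cuts = {fqdn(labels(z)) for z in zone_cuts} | {"."}
    zone, trace = ".", []
    for depth in range(1, len(q) + 1):
        child = fqdn(q[-depth:])
        last = depth == len(q)
        # Only the final step carries the full name and the original type.
        trace.append((zone, child, qtype if last else "NS"))
        if child in cuts:
            zone = child  # delegation found: continue at the child zone's servers
            if last:      # the name is itself a zone apex: follow the referral
                trace.append((zone, child, qtype))
    return trace

def saw_full_name(trace, qname):
    """Zones whose name servers were sent the complete query name."""
    full = fqdn(labels(qname))
    return [zone for zone, name, _ in trace if name == full]

CUTS = [".", "org.", "curveprotect.org."]  # constructed delegation chain
NAME = "www.curveprotect.org"              # domain taken from the post above

if __name__ == "__main__":
    for title, fn in (("classic", classic_trace), ("minimised", minimised_trace)):
        print(title)
        for zone, name, qt in fn(NAME, "A", CUTS):
            print(f"  servers for {zone:<18} asked: {name} {qt}")
```

In this model the root and .ORG servers receive the full name only in the classic trace; with minimization they are asked for `org.` and `curveprotect.org.` respectively.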

TrongChuong Dao

Sep 26, 2017, 9:46:46 AM
to public-dns-discuss
Thanks for your feedback. Why does Google DNS not support DNSCrypt? I really like Google DNS as a product, but Google does not support DNSCrypt. When can Google protect anonymity online?

bobv...@gmx.com

Oct 25, 2017, 9:33:04 AM
to public-dns-discuss
Is there any way for me, using a Chrome browser on a Windows computer, to be able to use Google DNS over HTTP?

Why did nobody write any software to utilise this? It's very strange.