July 16, 2026

A two-minute privacy fix for every Starlink subscriber

DNS over HTTPS and Starlink: What you need to know about the privacy trade-off

Your Internet Service Provider knows where you go online. Even when you’re browsing over HTTPS—the encrypted protocol that protects what you do on a website—Starlink can still see which websites you visit. It’s not a bug in the system; it’s how DNS works by default. And unless you enable DNS over HTTPS (DoH), your Starlink router is logging every single domain you access.

Here’s what you need to know about this privacy gap, whether it matters for your setup, and what you can actually do about it.

What is DNS and why your ISP can see it

Think of DNS like the internet’s phonebook. When you type a website address—say, reddit.com—your device doesn’t know where to find it. It sends a request to a DNS resolver (usually your ISP’s server) asking for the numerical IP address that matches that domain. The resolver sends back the answer, and your browser connects. The whole process takes milliseconds and happens invisibly every time you click a link.

The problem is that this DNS lookup is unencrypted. It’s plaintext. Your ISP—in this case, Starlink—can see the request, log it, and hold onto that data. They see reddit.com. They see bankofamerica.com. They see every domain, regardless of whether the site itself is encrypted.

This is different from HTTPS. HTTPS encrypts what you do on a website. It prevents Starlink from seeing which specific Reddit thread you’re reading or what search terms you’re using at Google. But HTTPS does not hide which websites you visit. The domain name in the URL is visible to your network.

Starlink’s default DNS setup

By default, Starlink routes DNS requests through Cloudflare’s resolver (1.1.1.1) as its standard, not a proprietary Starlink DNS server. This is actually good news from a performance and privacy perspective compared to many other ISPs—Cloudflare is generally regarded as faster and more privacy-respecting than typical ISP DNS servers.

But here’s the catch: the traffic between your network and Cloudflare’s servers is still unencrypted. Starlink can see the requests passing through its network.

Standard DNS vs DNS over HTTPS

Standard DNS (port 53) is what you’re using by default. Unencrypted. Fast. Ubiquitous. But visible.

DNS over HTTPS (DoH) wraps those DNS queries in HTTPS encryption, the same protocol that protects your banking and email. From the outside, Starlink can see that encrypted DNS traffic is happening, but it cannot see what domains you’re querying. The actual lookup requests are encrypted.

There’s also DNS over TLS (DoT), which does the same thing via a different protocol, but DoH is more common and easier to set up for most people.

The trade-off is minimal: DoH adds a tiny bit of latency (usually 10 to 50 milliseconds per query), but browsers cache DNS results aggressively, so the practical impact on browsing speed is negligible. For most Starlink users, you won’t notice it.

The privacy trade-off you need to understand

Here’s where things get philosophically messy. Enabling DoH on your Starlink connection doesn’t make you invisible. It just shifts which party can see your DNS queries.

When you enable DoH, your device sends encrypted DNS requests directly to a third-party resolver—typically Cloudflare, Google, Quad9, or another public DNS provider. Starlink can no longer see your queries. But the DNS provider you choose can still see them.

This is not a net privacy loss if you choose wisely. Cloudflare commits to not logging your IP address and purges all logs within 24 hours, submitting to annual third-party audits of these practices. Google, by contrast, logs your full DNS records temporarily and retains a sampled subset of anonymized data for up to two weeks. Both services are vastly different in privacy terms.

The real point is this: you’re choosing who has access to that metadata. Starlink (your ISP) or a third-party resolver (usually a larger company with different incentives). Many people argue that a company whose primary business is not advertising is a better choice than the ISP sitting at the gateway.

But you should know what you’re trading. You’re not becoming invisible. You’re changing who can see.

Starlink users have options

How you implement DoH depends on your setup. If you’re using Starlink’s router in standard mode, you have two paths: browser-level DoH (the easiest) or router-level DoH configuration (more complex, but covers all devices on your network).

If you’re running your Starlink router in bypass mode with a third-party mesh system, you still have the same options—browser-level DoH is the simplest, and some third-party routers support DoH or DoT natively, though support varies by model.

For most Starlink subscribers, browser-level DoH is the path of least resistance. It requires no router configuration at all.

How to enable DoH in your browser

Firefox: Open Settings, scroll to Privacy and Security, find DNS over HTTPS, and toggle it on. The browser defaults to Cloudflare, but you can select other providers. I highly recommend Cloudflare, though. It’s rock solid.

Chrome and Edge: Go to Settings, Privacy and Security, Security, and look for Use Secure DNS. Toggle it on. Chrome defaults to Cloudflare or Google depending on your region.

Safari: This is trickier. Safari supports DoH but doesn’t expose the setting directly. You can install the Cloudflare 1.1.1.1 app for iOS or macOS, which enforces DoH system-wide.

That’s it. No reboots. No configuration. You’re done.

The caveats

One real-world issue: some networks and firewalls block encrypted DNS traffic. You may see a privacy warning from Apple devices, saying the network is “blocking encrypted DNS traffic.” This is usually a false alarm on Starlink (Starlink doesn’t block it), but it happens if a network doesn’t allow DoH queries to reach external resolvers. It’s not common, but if you see it, try disconnecting and reconnecting to your network.

Another caveat: switching DNS providers won’t hide your browsing from everyone. Your ISP still knows you’re online and roughly how much data you’re using. HTTPS hides what you do on a site. A VPN hides both your IP address and your traffic patterns. DoH hides your DNS queries from your ISP, but not your overall internet behavior.

If you’re running Starlink with a VPN, then DoH and VPN overlap in some ways—the VPN already encrypts your DNS—but it doesn’t hurt, and it adds an extra layer.

Should you enable DoH?

If you care about preventing Starlink from logging which sites you visit, then yes. Enabling DoH at the browser level takes two minutes and has zero downside on a typical home connection.

If you’re indifferent to Starlink’s DNS logging, or if you trust Starlink more than you trust a third-party resolver, then you can skip it. Pro Tip!!! Don’t skip it.

The practical impact on privacy is real but limited. DoH is one layer in a much larger privacy picture. It’s worth doing, but it’s not a substitute for other privacy practices—like not using services that explicitly harvest your data, not clicking suspicious links, and using strong passwords.

What Cloudflare actually does

Since Starlink routes to Cloudflare by default, and since Cloudflare is often the best choice for DoH, it’s worth knowing what they claim. Cloudflare built its public DNS reputation on privacy and does not sell DNS data to advertisers, with core business in network infrastructure rather than advertising. They’ve also been independently audited multiple times.

This doesn’t mean you have to trust them. But it means they have stronger structural incentives around privacy than, say, Google (whose primary business is advertising).

If you want something even more privacy-focused, Quad9 (9.9.9.9) is a non-profit option that also adds malware blocking at the DNS level. It’s slightly slower than Cloudflare but has a stronger privacy and security posture.

Setting it and forgetting it

The good news is that DoH is a set-it-and-forget-it solution. Once you enable it in your browser, it runs continuously. You don’t manage it. You don’t think about it. It just works.

For most Starlink users, the overhead is imperceptible. For those concerned about ISP snooping, it’s a meaningful step. For everyone else, it’s a harmless privacy improvement that costs nothing.

Give it a try. Turn it on in Firefox or Chrome. See if you notice any difference. You won’t. And Starlink won’t be able to see where you’re browsing anymore.

The only password manager you’ll ever need

Leave a Reply

Your email address will not be published. Required fields are marked *