WiFi DNS Security: Can Others See Your Requests?

TL;DR

Yes. Conventional DNS queries travel in plaintext (UDP or TCP port 53), and on a WPA2-Personal network everyone shares the same passphrase, so another user who captures your association handshake can decrypt your frames and read every hostname you look up. Encrypted DNS (DNS over HTTPS or DNS over TLS) hides the lookups themselves; a VPN hides the rest of your traffic from the local network as well. This guide explains how to set each up, and what each one still leaves visible.

Understanding the Problem

When you type a website address into your browser (e.g., google.com), your computer must first resolve that name to an IP address. It does this by sending a DNS query, normally in plaintext over UDP port 53, to a resolver; on a typical home network that resolver is the router, which forwards the query to your ISP or a public resolver. The query carries the full hostname. On a WPA2-Personal network all clients share one passphrase, so another user who has recorded your 4-way handshake can decrypt your Wi-Fi frames with off-the-shelf tools such as Wireshark and read each lookup as it happens; the router operator sees the queries directly without decrypting anything. Either way, the observer learns which sites you visit, when, and how often, even though the page contents themselves are protected by HTTPS.
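To make the exposure concrete, the following added example (not code from the original article) decodes DNS messages in the wire format that a packet capture shows. The three packets are constructed by hand to resemble what Wireshark would display on a network where DNS still runs in the clear; 192.0.2.1 is a documentation address, not example.com's real one.

```python
"""Decode DNS messages in their raw wire format (RFC 1035).

Added example for this article, not code from the original page. The packets
below are constructed by hand to look like what Wireshark would capture on a
Wi-Fi network where DNS still runs in plaintext on UDP port 53.
"""
import struct
from typing import Dict, List, Tuple

QTYPE_NAMES = {1: "A", 5: "CNAME", 28: "AAAA"}

# Constructed query: ID 0x1234, recursion desired, one question: example.com A
QUERY = bytes.fromhex(
    "1234 0100 0001 0000 0000 0000"          # header
    "07 6578616d706c65 03 636f6d 00"         # QNAME example.com
    "0001 0001"                              # QTYPE A, QCLASS IN
)

# Constructed response to QUERY. The answer name is a compression pointer
# (0xC00C) back to the question name; 192.0.2.1 is a documentation address.
RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"
    "07 6578616d706c65 03 636f6d 00 0001 0001"
    "c00c 0001 0001 00000e10 0004 c0000201"  # example.com A TTL 3600 192.0.2.1
)

# Constructed second query: mail.example.org AAAA
QUERY2 = bytes.fromhex(
    "5678 0100 0001 0000 0000 0000"
    "04 6d61696c 07 6578616d706c65 03 6f7267 00"
    "001c 0001"
)


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a domain name at `offset`, following compression pointers.

    Returns (name, offset just past the name as it appears in the record).
    A hop limit guards against pointer loops in malformed packets.
    """
    labels = []
    end = None          # set once we know where the in-record name ends
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if end is None:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_dns(msg: bytes) -> Dict:
    """Return the header ID, direction, questions and answers of one message."""
    ident, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        questions.append((name, QTYPE_NAMES.get(qtype, str(qtype))))
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in rdata)   # dotted IPv4
        else:
            value = rdata.hex()
        answers.append((name, QTYPE_NAMES.get(rtype, str(rtype)), ttl, value))
    return {
        "id": ident,
        "is_response": bool(flags & 0x8000),
        "questions": questions,
        "answers": answers,
    }


def observed_hostnames(packets: List[bytes]) -> List[str]:
    """What a passive observer learns from a capture: every name queried."""
    seen: List[str] = []
    for pkt in packets:
        for name, _qtype in parse_dns(pkt)["questions"]:
            if name not in seen:
                seen.append(name)
    return seen


if __name__ == "__main__":
    for pkt in (QUERY, RESPONSE, QUERY2):
        print(parse_dns(pkt))
    print("observer sees:", observed_hostnames([QUERY, RESPONSE, QUERY2]))
```

Nothing here needs a key or a decoder beyond the protocol definition itself: once the observer holds the frames, the hostnames are simply there. That is the gap encrypted DNS closes.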

Solutions

  1. Use Encrypted DNS (DNS over HTTPS or DNS over TLS)
    • Encrypted DNS wraps your queries in TLS (DoT, TCP port 853) or HTTPS (DoH, TCP port 443), so others on the network see only an encrypted connection to the resolver, not the names you look up.
    • Most modern operating systems and browsers support this natively. Note that simply typing a resolver address such as 1.1.1.1 into the ordinary DNS server field does not turn on encryption; the queries still leave on port 53 in the clear. The DoH or DoT option must be enabled as well.
    • Windows 11: Settings > Network & internet > Wi-Fi (or Ethernet) > your network's properties > DNS server assignment > Edit > Manual. Turn on IPv4, enter a resolver that supports DoH, such as Cloudflare (1.1.1.1 and 1.0.0.1) or Google Public DNS (8.8.8.8 and 8.8.4.4), and set ‘DNS over HTTPS’ to ‘On (automatic template)’ for each address. Windows 10 does not offer this setting; configure DoH in the browser instead (see below).

    • macOS: System Settings > Network > your connection > Details… > DNS (System Preferences > Network > Advanced… > DNS on older releases) lets you add resolver addresses such as Cloudflare (1.1.1.1 and 1.0.0.1) or Google Public DNS (8.8.8.8 and 8.8.4.4), but this only changes where the plaintext queries go. macOS 11 and later support DoH and DoT system-wide only through a configuration profile carrying an encrypted-DNS payload (com.apple.dnsSettings.managed, installed from a .mobileconfig file) or an app that installs one; several resolver operators publish such profiles. Otherwise enable DoH in the browser (see below).

    • Browsers (Chrome, Firefox): enabling DoH in the browser protects that browser's lookups regardless of the operating system setting. Firefox: Settings > Privacy & Security > DNS over HTTPS (older releases: Settings > General > Network Settings > Settings… > Enable DNS over HTTPS); choose ‘Max Protection’ if Firefox should refuse to fall back to plaintext DNS when the encrypted resolver is unreachable. Chrome: Settings > Privacy and security > Security > Use secure DNS, then pick a provider. Lookups made by other applications on the machine are unaffected.
  2. Use a Virtual Private Network (VPN)
    • A VPN tunnels all of your traffic, DNS included, through an encrypted connection to the VPN server. Other users on the Wi-Fi see only encrypted packets to one endpoint, which hides both the DNS queries and the TLS hostnames and destination addresses that encrypted DNS alone leaves visible.
    • It routes your connection through the provider's server, so the sites you visit see the VPN server's IP address rather than yours.
    • The VPN provider replaces the local network as the party that can see where you connect, so choose a reputable one with a clear privacy policy, and make sure the client sends DNS through the tunnel (most call this DNS leak protection) rather than to the Wi-Fi router.
  3. Router Configuration (Advanced)
    • Some routers (and third-party firmware such as OpenWrt) can forward DNS upstream over DoT or DoH on behalf of every device on the network. Check your router’s manual or web interface for options named ‘DNS over TLS’, ‘DoT’ or ‘DNS over HTTPS’.
    • Be clear about what this protects. The encrypted hop runs from the router to the upstream resolver, which hides your lookups from your ISP. The hop from your device to the router is still plaintext DNS over the Wi-Fi, so another user on the same WPA2 network can still read it. Against the threat this article is about, per-device encrypted DNS (options 1 and 2) is what helps; router-side encryption complements it rather than replacing it.
  4. Use a Different Router (Advanced)
    • Some newer routers ship with DoH/DoT forwarding, WPA3 and automatic firmware updates built in. Upgrading can be an easy way to improve your network’s security, with the same caveat as above: router-side encrypted DNS does not hide your lookups from other users on the Wi-Fi.
  5. Monitor Network Traffic (For Detection)
    • Tools like Wireshark (or its command-line sibling tshark) can capture Wi-Fi traffic and, given the WPA2 passphrase and a captured handshake, decrypt it. Filtering the capture on DNS (display filter dns, or udp.port == 53) lists every hostname being looked up in the clear. This is also the direct way to verify your own setup after enabling DoH or DoT: an encrypted configuration shows connections to the resolver on port 853 or 443 and no port-53 queries from your device. Capturing other people's traffic without authorisation is unlawful in most places; run this against your own devices and networks.

Important Considerations

  • WPA3: If your router and devices support WPA3, upgrade to it. WPA3-Personal negotiates a fresh session key with each client (SAE), so another user who knows the passphrase can no longer passively decrypt your traffic as they can on WPA2-Personal. The router itself still sees everything, so encrypted DNS remains worthwhile.
  • What encrypted DNS does not hide: the server's IP address, and for most HTTPS connections the hostname in the TLS Server Name Indication (SNI) field of the ClientHello, still travel in the clear, so an observer on the Wi-Fi can usually recover the site name anyway. Encrypted Client Hello (ECH) closes this gap where both browser and site support it; a VPN hides it from the local network entirely.
  • Router Security: Ensure your router’s firmware is up-to-date, change the default administrator password, and use a strong, unique Wi-Fi passphrase, since on WPA2-Personal anyone who knows the passphrase can read the traffic.
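The SNI caveat above is easy to verify. The following added example (not code from the original article) builds a minimal TLS ClientHello for a hostname and then extracts the server name the way a passive observer would. The hello is constructed with only the fields the parser needs; a real browser sends many more extensions, but the SNI sits in the same place. Passing None builds a hello without SNI, which is what an observer sees when the client connects by IP address or uses ECH.

```python
"""Show what a Wi-Fi observer still learns when DNS is encrypted: the TLS SNI.

Added example for this article, not code from the original page. The
ClientHello is built here with only the fields the parser needs; a real
browser sends many more extensions, but the SNI sits in the same place.
"""
import struct
from typing import Optional

SNI_EXTENSION = 0x0000


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a TLS record carrying a minimal ClientHello.

    Pass None to build a hello with no SNI extension, which is what an
    observer sees when the client connects by IP address or uses ECH.
    """
    body = b"\x03\x03" + bytes(32)        # legacy_version TLS 1.2, 32-byte random (zeros here)
    body += b"\x00"                       # session_id: empty
    body += b"\x00\x02\x13\x01"           # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                   # compression_methods: null
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")          # SNI carries A-labels, never raw Unicode
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION, len(sni_list)) + sni_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                         # not a handshake record / not a ClientHello
    pos = 9                                 # record header (5) + handshake type (1) + length (3)
    pos += 2 + 32                           # version + random
    if pos >= len(record):
        return None
    pos += 1 + record[pos]                  # session_id
    if pos + 2 > len(record):
        return None
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    if pos >= len(record):
        return None
    pos += 1 + record[pos]                  # compression_methods
    if pos + 2 > len(record):
        return None                         # no extensions block at all
    ext_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end = min(pos + ext_len, len(record))
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        pos += 4
        if etype == SNI_EXTENSION and pos + 2 <= end:
            list_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
            p = pos + 2
            while p + 3 <= list_end:
                name_type = record[p]
                name_len = struct.unpack_from("!H", record, p + 1)[0]
                if name_type == 0:
                    return record[p + 3:p + 3 + name_len].decode("ascii", "replace")
                p += 3 + name_len
        pos += elen
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("observer recovers:", extract_sni(hello))               # www.example.com
    print("without SNI:", extract_sni(build_client_hello(None)))  # None
```

The parser never touches a key: the SNI sits in the unencrypted part of the handshake by design, because the server needs it to choose a certificate before encryption starts. That is why DoH or DoT on its own moves the hostname leak from port 53 to port 443 rather than removing it, and why a VPN (which encrypts the ClientHello along with everything else on the local hop) is the stronger option against a Wi-Fi neighbour.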