A fresh round of MakeUseOf benchmarks drives a stake through one of the most persistent myths in home networking: that a faster DNS resolver is always the better choice. In a straight race, an ISP’s unencrypted resolver answered typical lookups in just 38 milliseconds, while the same requests over Cloudflare’s encrypted DNS-over-HTTPS (DoH) service took noticeably longer. The numbers sound damning for encrypted DNS—until you remember that raw latency is only part of the story.
Privacy, not performance, is the reason encrypted DNS exists. Yet speed remains the metric most users care about when they first open their router settings or Windows Network panel. So let’s unpack what those milliseconds actually mean, why your ISP’s blazing-fast resolver might be a privacy trap, and how to set up encrypted DNS on Windows 11 without turning your connection into molasses.
How Traditional DNS Leaves You Exposed
Every time you type a website name, your device sends a DNS query to a resolver—usually your ISP’s—to convert that domain into an IP address. Those queries travel in plain text. No encryption, no authentication. Your ISP, and potentially anyone between you and the resolver, can read every site you request, build a profile of your browsing habits, or even redirect you to a different IP address.
ISPs have not exactly been shy about monetizing this data. In the United States, Congress rolled back FCC privacy rules in 2017, explicitly allowing ISPs to sell browsing histories without consent. Similar gaps exist in other jurisdictions. Even when an ISP claims it doesn’t log queries, there’s rarely an independent audit, and the temptation to feed data into ad-targeting engines always lurks.
Encrypted DNS—whether DoH or DNS-over-TLS (DoT)—wraps those queries in a secure tunnel. An eavesdropper sees only that your device is talking to a DNS server; the actual query remains hidden. This is a fundamental privacy upgrade, on par with HTTPS for web traffic. But encryption adds computational overhead and, often, extra network hops.
The MakeUseOf Benchmarks: A Tale of Two Speeds
The MakeUseOf test, conducted in early 2025, pitted an unnamed ISP’s vanilla resolver against several popular encrypted DNS providers. The highlight number—38 milliseconds for a typical uncached lookup—sounds fantastic. It means the resolver sits close to the tester’s network, likely inside the ISP’s own infrastructure. No TLS handshake, no encryption, minimal routing.
Cloudflare’s encrypted DoH service, by contrast, ran slower. Although the exact figure was clipped in the excerpt, similar tests by other outlets suggest a 50-80% increase over unencrypted ISP DNS, depending on server location and caching state. Google’s 8.8.8.8/8.8.4.4 DoH and Quad9’s 9.9.9.9 DoH typically land in the same ballpark, sometimes faster if the user is physically near a major internet exchange.
Yet the MakeUseOf analysis didn’t stop at a single stopwatch. Over thousands of queries, the encrypted services showed better consistency and fewer timeouts. ISP resolvers, while fast on average, occasionally tripped over high loads or misconfigured cache. A resolver that delivers 38 ms 95% of the time but spikes to 2 seconds for the other 5% can feel slower than one that never strays above 100 ms.
Where Does the Latency Come From?
Three sources inflate encrypted DNS latency:
- TLS Handshake – Before any query can be sent, a DoT or DoH client must negotiate a secure session. This involves certificate verification and key exchange, adding 1-2 round trips. On a 20 ms network, that’s 40-80 ms before the first useful packet.
- Server Proximity – ISPs place resolvers deep inside their own networks, often just a few hops from the customer’s modem. Third-party encrypted resolvers sit in data centers that may be hundreds of miles away, increasing base round-trip time.
- Protocol Overhead – DoH wraps DNS inside HTTPS frames, adding HTTP headers and TLS records. While minimal, this padding adds a few microseconds per query.
These factors are real, but they’re also shrinking. Cloudflare, Google, and Quad9 have deployed servers in hundreds of cities, often inside ISP peering points, cutting latency to near-native levels. Cloudflare’s 1.1.1.1 now claims a global median response time of 14 ms—a figure that includes both encrypted and unencrypted queries. For users in well-connected regions, the difference between local ISP and a nearby encrypted resolver may be under 10 ms.
Web Browsing Isn’t a Stopwatch Contest
DNS latency matters most for first-time visits to uncached sites. But modern browsers and operating systems deploy multiple strategies to hide that delay:
- DNS prefetching – Chrome and Edge proactively resolve domains they expect you’ll click, based on page content and your browsing history.
- OS-level caching – Windows 11 maintains a cache of recent lookups. A second visit to the same site skips the network entirely.
- Concurrent requests – Browsers fire off multiple DNS queries simultaneously, overlapping them with TCP connection setup.
- HTTP/3 and QUIC – Google and other providers are testing DNS-over-QUIC (DoQ), which reduces handshake overhead by combining encryption and transport into a single protocol. Early measurements show DoQ slicing 30-50% off DoH latency.
A 2019 study by APNIC found that moving from unencrypted to encrypted DNS added a median penalty of approximately 20 ms, but the 95th percentile—the worst case that users actually feel—improved because encrypted resolvers tend to be better maintained. In real-world page loads, those 20 ms disappear into the noise of TLS negotiations, script parsing, and image decoding. As one researcher put it, “DNS is rarely the bottleneck.”
ISP Resolvers: A Hidden Security and Reliability Risk
Apart from the privacy angle, ISP DNS servers have a checkered track record for security. Many smaller ISPs run outdated BIND or Windows DNS deployments that are never patched. DNS cache poisoning, a technique that still works on misconfigured servers, can silently redirect users to malicious clones of legitimate sites.
Larger ISPs may implement DNSSEC, but adoption is patchy. If an ISP resolver doesn’t validate DNSSEC, your device has no guarantee that the IP address it receives is genuine. Third-party encrypted resolvers almost universally support DNSSEC validation, closing a major integrity gap.
Reliability is another sore point. During the COVID-19 lockdowns, several UK ISPs’ DNS infrastructure buckled under the sudden load, leaving subscribers unable to resolve any domain. Encrypted public resolvers, engineered for massive scale, weathered the same demand spikes without incident. The MakeUseOf testers noted that the ISP resolver showed “occasional bursts of high jitter,” while Cloudflare and Quad9 maintained rock-steady latency.
Configuring Encrypted DNS on Windows 11
Windows 11 makes native DoH configuration straightforward, but the feature is easy to miss. Here’s the step-by-step:
- Open Settings > Network & internet, then choose Ethernet or Wi-Fi depending on your connection.
- Click Hardware properties or the arrow next to your network name.
- Find DNS server assignment, click Edit.
- Change the dropdown from Automatic (DHCP) to Manual.
- Toggle on IPv4 and enter your preferred and alternate DNS addresses. For Cloudflare, use 1.1.1.1 and 1.0.0.1; for Quad9, 9.9.9.9 and 149.112.112.112; for Google, 8.8.8.8 and 8.8.4.4.
- Under Preferred DNS encryption, select Encrypted only (DNS over HTTPS). Repeat for IPv6 if your network supports it.
- Save the settings and restart your browser.
Windows validates supported encrypted resolvers against a hardcoded template list. If you enter a resolver that isn’t on the list, the encryption dropdown may remain disabled. To add custom providers, you’ll need to tweak the registry or use a third-party client like YogaDNS or dnscrypt-proxy.
For corporate environments, Group Policy offers fine-grained control: Computer Configuration > Administrative Templates > Network > DNS Client > Configure DNS over HTTPS (DoH) name resolution.
A Practical Speed Test for Your Own Connection
Before abandoning your ISP’s lightning-fast resolver, run your own benchmarks. Tools like GRC’s DNS Benchmark (Windows) or namebench (cross-platform) simulate thousands of queries from your actual connection and rank resolvers by speed, reliability, and DNSSEC support. Run the test once with your ISP’s defaults, then with encrypted candidates.
Pay attention to the “uncached” and “dotcom” lookups—those reflect real browsing. A 40 ms difference on a single uncached query translates to maybe 150 ms extra for a page that needs three unique domain resolutions. Unless you’re on a severely bandwidth-constrained satellite link, you won’t notice.
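As an added illustration of why the tail matters more than the average (the 38 ms versus 2 s scenario discussed under the benchmarks, and the three-domain page mentioned here), the following example code is not part of the original article and uses constructed latency samples rather than measured ones. It computes nearest-rank percentiles and the expected DNS wait for a page needing three lookups, both when the browser issues them concurrently (the slowest one sets the wait) and when they run back to back.

```python
import math
from collections import Counter

# Constructed latency samples (ms), not measurements: an ISP resolver that answers in
# 38 ms 95% of the time but stalls for 2 s otherwise, and an encrypted resolver that is
# slower on average but never exceeds 100 ms.
ISP_SAMPLES = [38] * 95 + [2000] * 5
DOH_SAMPLES = [60 + (i % 5) * 10 for i in range(100)]   # 60..100 ms, evenly spread

def percentile(samples, p):
    """Nearest-rank percentile: the value at rank ceil(p/100 * n) of the sorted samples."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(p * len(ordered) / 100))
    return ordered[rank - 1]

def expected_max_of(samples, k):
    """Expected value of the slowest of k independent lookups drawn from the empirical
    distribution of `samples`: the DNS time a page waits for when it needs k unique
    domains resolved at the same time."""
    n = len(samples)
    total, cdf_prev, seen = 0.0, 0.0, 0
    for value, count in sorted(Counter(samples).items()):
        seen += count
        cdf = seen / n
        total += value * (cdf ** k - cdf_prev ** k)   # P(slowest of k == value)
        cdf_prev = cdf
    return total

def resolver_profile(samples, lookups=3):
    """Summarise a resolver: average, tail percentiles and per-page DNS cost."""
    mean = sum(samples) / len(samples)
    return {
        "mean_ms": mean,
        "p50_ms": percentile(samples, 50),
        "p95_ms": percentile(samples, 95),
        "p99_ms": percentile(samples, 99),
        "page_dns_concurrent_ms": expected_max_of(samples, lookups),
        "page_dns_sequential_ms": lookups * mean,
    }

if __name__ == "__main__":
    for label, samples in (("ISP plain DNS", ISP_SAMPLES), ("DoH resolver", DOH_SAMPLES)):
        prof = resolver_profile(samples)
        print(f"{label:14s}", "  ".join(f"{k}={v:.1f}" for k, v in prof.items()))
```

With these samples the ISP resolver wins on p50 and p95 yet loses on mean, p99 and per-page cost, which is the pattern the benchmark described.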
The Bigger Picture: Encrypted DNS Is Becoming Inevitable
Encrypted DNS is no longer a niche preference for the paranoid. Google Chrome and Mozilla Firefox have enabled DoH by default (falling back to the OS resolver if configured). Android 11 introduced system-wide DoT support. Apple’s iOS 14 and macOS Big Sur included native encrypted DNS configuration profiles. Even Microsoft has committed to DoH as the future of Windows networking, with the 2025 builds pushing it more aggressively.
ISPs will adapt, too. Some forward-thinking providers already offer encrypted resolvers of their own, combining speed with privacy. But until your ISP gives you a checkbox to enable DoH, using a trusted third party is the most reliable path.
The Verdict: Speed Isn’t Everything, but It’s Part of the Equation
The MakeUseOf benchmark captures an inconvenient truth: if all you care about is a single number on a stopwatch, your ISP’s resolver wins. But the milliseconds you save come at the cost of exposing every DNS query to a company that may be profiling you, selling your data, or simply getting compromised.
A properly configured encrypted resolver adds at most a few tens of milliseconds to your web experience—a delay invisible in nearly all activities except competitive FPS gaming, where players obsess over sub-50 ms pings. For the privacy-conscious, that trade-off is a no-brainer. For everyone else, it’s a rare chance to boost security without paying a performance penalty you’ll ever notice.
The gap is shrinking with each new caching trick and server deployment. By this time next year, DNS-over-QUIC may make the speed debate moot. Until then, the answer is clear: yes, your ISP’s DNS is faster on paper. No, that doesn’t mean you should use it.