Browser and DNS: The Two Levers That Matter Most

If you change nothing else about your digital life after reading this series, change your browser and your DNS resolver. These two adjustments take fifteen minutes combined, cost nothing, and reduce your surveillance exposure more than any other single action short of leaving a platform entirely. Your browser determines what trackers follow you across the web. Your DNS resolver determines who can see every website you visit. Together, they are the highest-leverage privacy tools available to anyone with an internet connection, and the fact that most people never touch either one is a testament to how well the defaults serve the interests of the companies that set them.

Why This Matters for Sovereignty

The surveillance economy, as Zuboff documented in The Age of Surveillance Capitalism (2019), operates on behavioral surplus — the data generated by your activity that exceeds what is needed to provide you the service you requested. When you visit a website, you need the page to load. You do not need your ISP to log the visit, the website to drop tracking cookies that follow you to the next site, or an advertising network to build a behavioral profile based on your browsing pattern. But all of that happens by default, because the defaults were configured by entities whose revenue depends on that surplus extraction.

Changing your DNS resolver and your browser is not a technical exercise. It is a sovereignty decision — a deliberate choice to replace defaults that serve someone else’s interests with configurations that serve yours. Thoreau did not use the road that led to town because it was the only road. He chose his path because it led where he wanted to go. The analogy is not perfect, but the principle is: the default path through the internet was laid by companies that profit from watching you walk it. You can choose a different path, and the cost of doing so is trivially small.

How It Works

Every time you type a website address into your browser — or click a link, or an app connects to a server — your device needs to translate that human-readable address into a numerical IP address that computers understand. This translation is performed by a DNS resolver. By default, your device uses the DNS resolver provided by your internet service provider. Your ISP’s resolver sees every single DNS request your household makes. Every website, every app connection, every service — all of it logged, all of it visible to your ISP, and in many cases sold to data brokers or used for the ISP’s own advertising purposes.

Changing your DNS resolver means pointing your device (or, better, your home router) at a different resolver that does not log your requests. Cloudflare’s 1.1.1.1 is the most widely recommended option — it is fast, independently audited, and Cloudflare has committed to not logging identifying DNS data. Quad9 (9.9.9.9) adds malware-blocking by refusing to resolve known malicious domains. Mullvad DNS is operated by the same team behind Mullvad VPN and is designed specifically for privacy. Any of these is a significant improvement over your ISP’s default.

The change itself is mechanical. On your router, you replace the default DNS server addresses with the addresses of your chosen resolver. On most routers, this is in the network or internet settings under DNS. If you cannot access your router settings, you can change the DNS on individual devices — every operating system has a DNS setting in its network configuration. At the router level, every device on your network benefits. At the device level, only that device is covered.

DNS over HTTPS (DoH) adds a second layer. Standard DNS queries travel in plain text — anyone monitoring your network traffic can see which domains you are resolving. DoH encrypts those queries so that even your network operator cannot read which names you are looking up. The operator can still see the IP addresses you then connect to, and often the server name in the TLS handshake, so DoH closes the DNS channel rather than hiding your destinations altogether. Firefox, Chrome, and most modern browsers support DoH and can be configured to use it. Firefox is the simplest: in Settings, search for DNS, and enable DNS over HTTPS with your preferred resolver. This takes about two minutes, and the privacy improvement is immediate and meaningful.

The browser itself is the second lever. Your browser is the application through which most of your internet activity flows, and the choice of browser determines how much of that activity is tracked, fingerprinted, and reported back to advertising networks.

Firefox is the strongest general-purpose choice for privacy. It is open-source, maintained by Mozilla (a nonprofit), and includes Enhanced Tracking Protection that blocks known trackers, cryptominers, and fingerprinters by default. Setting Enhanced Tracking Protection to “Strict” mode increases its effectiveness with minimal impact on most websites. Firefox also supports the most important privacy extension available: uBlock Origin, a free, open-source ad and tracker blocker that is the single most impactful browser extension you can install. uBlock Origin does not just block ads — it blocks the tracking infrastructure that ads ride on, the scripts that fingerprint your browser, and the network requests that report your behavior to third parties.

Brave is a Chromium-based alternative that blocks trackers aggressively out of the box. It is a credible privacy choice, though it has attracted some controversy for its cryptocurrency features (the BAT token and Brave Rewards system) that not everyone wants in their browser. Safari, on Apple devices, provides good default privacy protections including Intelligent Tracking Prevention, though its extension ecosystem is more limited than Firefox’s.

Chrome is the browser you should move away from if privacy is a concern. Chrome is made by Google, whose primary business is advertising, and Chrome’s default configuration is optimized for Google’s advertising infrastructure. This is not speculation — it is the business model working as designed. Chrome has been removing support for extensions that block tracking (the Manifest V3 transition has limited the capability of ad blockers like uBlock Origin), and its privacy features consistently trail Firefox’s.

The Proportional Response

Here is the fifteen-minute upgrade, in order.

First, install Firefox if you do not already have it. Import your bookmarks and saved passwords from your current browser — Firefox makes this straightforward during setup. Set Enhanced Tracking Protection to Strict (Settings > Privacy & Security > Enhanced Tracking Protection > Strict). This alone blocks a significant percentage of cross-site tracking.

Second, install uBlock Origin from the Firefox Add-ons store. The default settings are excellent. You do not need to configure it further unless you want to. uBlock Origin will block ads, trackers, and malicious scripts across every website you visit. The web will load faster, because a surprising amount of page load time is consumed by tracking scripts and ad networks loading in the background.

Third, enable DNS over HTTPS in Firefox. Go to Settings, search for “DNS,” and enable DNS over HTTPS. Choose Cloudflare (1.1.1.1) or your preferred resolver from the dropdown. This encrypts your DNS queries so that your ISP cannot read the lookups Firefox makes for the websites you visit.

Fourth — and this step protects your entire network, not just your browser — change the DNS settings on your home router to use 1.1.1.1, 9.9.9.9, or your preferred privacy-respecting resolver. This covers every device on your network: phones, tablets, smart TVs, IoT devices, and anything else that connects to your home Wi-Fi. The router settings interface varies by manufacturer, but the process is typically: log into your router’s admin page (usually 192.168.1.1 or 192.168.0.1), find the DNS settings under WAN or Internet, and replace the existing DNS addresses with your chosen resolver’s addresses.

That is it. Fifteen minutes. The ongoing cost is zero. The impact is years of reduced surveillance exposure across every website you visit and every DNS query your household generates.

What to Watch For

Browser fingerprinting is the tracking method that browser settings and DNS changes do not fully address. Even without cookies, a website can identify your browser by its unique combination of settings, installed fonts, screen resolution, timezone, language preferences, and dozens of other attributes. This combination is often unique enough to track you across sites without any cookies at all. The EFF’s Panopticlick project (now Cover Your Tracks) demonstrated that the vast majority of browsers have a unique fingerprint.

Firefox’s Enhanced Tracking Protection in Strict mode includes some fingerprinting resistance. Firefox also offers a privacy.resistFingerprinting option in about:config that standardizes many of the attributes used for fingerprinting, making your browser look more like every other Firefox browser with the same setting. This can cause some website display issues, so it is a trade-off between privacy and convenience. For most people, Strict mode without resistFingerprinting is the proportional choice. For those with a higher threat model, enabling it is worth the occasional display quirk.
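One way to confirm that the settings from the fifteen-minute upgrade actually took effect is to audit the profile's `prefs.js`, shown here as an added example that is not part of the original article. The preference names are the ones Firefox exposes in about:config; the `SAMPLE` content is constructed, and the function names are illustrative.

```python
import re

# Matches lines such as: user_pref("network.trr.mode", 2);
PREF_LINE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')

def parse_prefs(text: str) -> dict:
    """Parse the text of a Firefox prefs.js / user.js file into a name -> value dict."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line.strip())
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw.strip('"')
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # keep unrecognised values as text
    return prefs

def audit(prefs: dict) -> dict:
    """Report which of the article's recommended settings are present."""
    trr_mode = prefs.get("network.trr.mode")
    return {
        "etp_strict": prefs.get("browser.contentblocking.category") == "strict",
        "doh_enabled": trr_mode in (2, 3),
        # Mode 2 falls back to the system resolver when DoH fails; mode 3 does not.
        "doh_no_fallback": trr_mode == 3,
        "resist_fingerprinting": prefs.get("privacy.resistFingerprinting") is True,
    }

# Constructed sample of what a profile's prefs.js might contain.
SAMPLE = '''\
// Mozilla User Preferences
user_pref("browser.contentblocking.category", "strict");
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
'''

if __name__ == "__main__":
    for check, ok in audit(parse_prefs(SAMPLE)).items():
        print(f"{check:24} {'yes' if ok else 'no'}")
```

To run it against a real profile, pass the contents of the `prefs.js` file from the profile folder listed on about:profiles to `parse_prefs`.
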

What you should skip: installing multiple privacy extensions that conflict with each other. uBlock Origin is sufficient for tracker and ad blocking. Adding Privacy Badger, Ghostery, NoScript, and three other extensions on top of it creates conflicts, can break websites, and does not meaningfully improve on what uBlock Origin already provides. One good tool, configured well, is better than five overlapping tools fighting each other.

You should also skip paid browser add-ons and “privacy browsers” without a track record. The privacy browser market has attracted opportunists selling marginal modifications of open-source browsers at premium prices. Firefox is free, open-source, independently audited, and maintained by a nonprofit. Unless you have a specific technical need that Firefox does not meet, it is the right choice.

The broader context matters too. Browser and DNS changes are the foundation, not the whole building. If you change your browser and DNS but remain logged into Google, Facebook, and Amazon throughout your browsing session, those companies track you by account, not by IP or cookie. The browser and DNS changes protect you from the ambient surveillance infrastructure — the thousands of trackers, ad networks, and data brokers that monitor the open web. They do not protect you from the platforms you are voluntarily logged into. That is a different problem, addressed elsewhere in this series, and it requires a different kind of decision — not a technical configuration, but a choice about which platforms earn your continued participation.

The sovereign posture here is clear: start with the highest-leverage, lowest-cost changes. Browser and DNS are those changes. They are the foundation on which every other privacy decision in this series rests.


This article is part of the Data & Privacy series at SovereignCML.

Related reading: VPNs: What They Actually Do (And Don’t Do), The Privacy Landscape: What’s Real, What’s Theater, Your Privacy Action Plan: The 80/20 in Priority Order