Samsung/Android Private DNS keeps reverting to “Automatic” (late 2025–early 2026): how to make it stick
The problem (and who it affects)
You set Settings → Network & internet / Connections → Private DNS → “Private DNS provider hostname” and enter something like `dns.adguard-dns.com` or your NextDNS hostname. It works… until your phone:
- reboots
- switches Wi‑Fi ↔ mobile data
- changes networks
- applies an automatic update
Then the Private DNS mode flips back to “Automatic” or your hostname field is cleared, and suddenly ads/tracking reappear or parental filtering stops.
This has been widely reported by Samsung Galaxy users on newer One UI versions and also shows up in some enterprise/admin scenarios where Private DNS changes DNS resolution behavior. It’s especially painful for:
- parents relying on DNS filtering for kids’ devices
- privacy users who want encrypted DNS everywhere
- people using DNS-based ad blocking (AdGuard DNS / NextDNS)
Why it’s happening (what we can confirm)
A few real, source-backed factors can cause Private DNS instability:
1) Private DNS is DNS-over-TLS (DoT), and “hostname mode” is strict.
Android’s “Private DNS provider hostname” is designed to send DNS queries over a secure TLS connection. If the device can’t reach the DoT server reliably, the experience can degrade—or the OS/vendor logic may fall back to keep connectivity. Android introduced this as a system-level “Private DNS mode” for DoT. [4]
2) DoT commonly uses TCP port 853.
If your network blocks or interferes with DoT traffic (port 853), Private DNS can fail intermittently. DoT’s default port and behavior are standardized. [3]
3) Recent Samsung/firmware behavior appears to reset the setting on some devices.
User reports (late 2025) specifically describe Samsung One UI devices reverting Private DNS after restarts or network switching, suggesting a regression or vendor-side service touching network configuration. Some users identify Samsung system components (e.g., “Device Services”) as involved. [2]
4) Managed/child accounts can add another layer of policy.
If a device is supervised (Family Link), device policy and “kid-safe” constraints can interact with network settings. Google confirms supervision applies across supported Android versions, and supervised-device behavior can differ from normal accounts. [5]
Bottom line: In many cases, you’re not “doing it wrong.” You’re hitting a combination of (a) strict DoT requirements, (b) network compatibility, and (c) vendor/management layers that can rewrite network settings.
Fixes: what to try (in order)
Solution 1: Confirm your DNS provider hostname is correct and reachable
Goal: rule out simple misconfiguration and connectivity issues.
1. Go to Private DNS settings.
2. Select “Private DNS provider hostname.”
3. Re-enter the provider hostname exactly as documented by your provider (example: AdGuard DNS provides a DoT hostname such as `dns.adguard-dns.com`). [6]
4. Test on both Wi‑Fi and mobile data.
If it fails only on one network (e.g., office Wi‑Fi), that network may block DoT traffic (port 853). [3]
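To tell a blocked port from a certificate problem, the following added example (not from the original article or any provider) performs the same kind of connection strict hostname mode needs: TCP 853, TLS with the certificate verified against the hostname, and one length-prefixed DNS query. The function names and the `example.com` test query are assumptions made for illustration.

```python
import socket, ssl, struct

TXID = 0x1234  # fixed query ID, fine for a one-shot probe

def build_query(name, qtype=1):
    """Minimal DNS query: RD set, one question, class IN (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg):
    """DoT (RFC 7858) keeps DNS-over-TCP framing: 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def parse_reply(data):
    """Return (rcode, answer_count) from a framed reply; reject malformed ones."""
    if len(data) < 14:
        raise ValueError("shorter than length prefix plus DNS header")
    length, rid, flags, _qd, ancount = struct.unpack("!HHHHH", data[:10])
    if length != len(data) - 2 or rid != TXID or not flags & 0x8000:
        raise ValueError("bad length, query ID, or QR bit")
    return flags & 0x000F, ancount

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("closed mid-message")
        buf += chunk
    return buf

def probe_dot(hostname, port=853, timeout=5.0):
    """Connect as strict mode must: TCP 853, certificate verified for hostname."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(frame(build_query("example.com")))
            prefix = recv_exact(tls, 2)
            body = recv_exact(tls, struct.unpack("!H", prefix)[0])
            return "ok rcode=%d answers=%d" % parse_reply(prefix + body)
    except ssl.SSLCertVerificationError as e:  # also an OSError/ValueError: catch first
        return "tls-cert-failed: " + e.verify_message
    except OSError as e:  # refused, timed out or reset: typical when 853 is blocked
        return "unreachable: %s" % e
    except ValueError as e:
        return "bad-reply: %s" % e
```

Run `probe_dot("dns.adguard-dns.com")` from a laptop on each network you want to compare: `unreachable` on one network only points at that network filtering port 853, while `tls-cert-failed` points at a mistyped hostname or TLS interception.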
Solution 2: Remove conflicts (VPNs, ad blockers, “DNS protection” features)
Android Private DNS sits at the system resolver layer, but other apps can try to control DNS too.
1. Temporarily disable VPN apps (including “always-on” VPN).
2. If you use the AdGuard app (local VPN mode), decide which layer should control DNS:
- Either use Android Private DNS, or
- Use AdGuard’s DNS handling and set Android Private DNS to Off/Automatic to avoid priority conflicts.
Conflicts like “system DNS takes priority” are commonly reported in real-world setups. [1]
Solution 3 (Samsung-specific, try carefully): restrict a system app from modifying settings
Some Samsung users report that a system component changes the Private DNS setting. A community-reported workaround is:
1. Settings → Apps
2. Enable Show system apps
3. Search for Device Services
4. Open it → “Modify system settings” → set to Not allowed
5. Reboot and re-check Private DNS
Important notes:
- This isn’t an official fix, and it may not work on every model/build.
- If you notice other features breaking, revert the permission change.
(Workaround reported by Samsung users experiencing Private DNS reversion on One UI.) [2]
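For the "reboot and re-check" step, this added example (not part of the original article) reads the setting over adb and records which event flipped it, so you can see whether a workaround actually held. It assumes adb with USB debugging enabled and relies on the Android global settings keys `private_dns_mode` and `private_dns_specifier`, which the article does not mention; the function names and sample readings are constructed for illustration.

```python
import subprocess

def adb_get(key):
    """Read one global setting from the attached phone (assumes adb + USB debugging)."""
    out = subprocess.run(["adb", "shell", "settings", "get", "global", key],
                         capture_output=True, text=True, timeout=10, check=True)
    return out.stdout.strip()

def classify(mode, specifier, expected_host):
    """Map the two raw setting values to a state relative to the intended hostname."""
    mode = (mode or "").strip().lower()
    specifier = (specifier or "").strip().lower().rstrip(".")
    if specifier == "null":  # `settings get` prints "null" for an unset key
        specifier = ""
    if mode == "hostname":
        if not specifier:
            return "hostname-cleared"
        return "ok" if specifier == expected_host.lower() else "hostname-changed"
    if mode == "opportunistic":  # shown as "Automatic" in the Settings UI
        return "reverted-automatic"
    if mode == "off":
        return "off"
    return "unset-or-unknown"  # "null"/empty: the platform default applies

def transitions(samples, expected_host):
    """samples: iterable of (label, mode, specifier). Return each state change."""
    events, prev = [], None
    for label, mode, spec in samples:
        state = classify(mode, spec, expected_host)
        if state != prev:
            events.append((label, prev, state))
            prev = state
    return events

def sample_device(label):
    """Take one live reading, e.g. right after a reboot or a Wi-Fi/mobile switch."""
    return (label, adb_get("private_dns_mode"), adb_get("private_dns_specifier"))

# Constructed readings (not captured from a real device) showing both symptoms.
CONSTRUCTED = [
    ("after setup", "hostname", "dns.adguard-dns.com"),
    ("after Wi-Fi to mobile", "hostname", "dns.adguard-dns.com"),
    ("after reboot", "opportunistic", "dns.adguard-dns.com"),
    ("after update", "hostname", "null"),
]

if __name__ == "__main__":
    for event in transitions(CONSTRUCTED, "dns.adguard-dns.com"):
        print(event)
```

On a real device, build the list from `sample_device("after reboot")` and similar calls taken after each event you want to test.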
Solution 4: If you manage a kid’s phone (Family Link), use a more “policy-friendly” approach
If a supervised device keeps reverting Private DNS, treat it as a “managed device” problem:
- Prefer router-level DNS for home Wi‑Fi (your child can’t easily override it).
- For mobile data, consider an always-on VPN-based DNS app that you can lock down via supervision/permissions (varies by device and policy).
Supervised-device behavior can differ, and Family Link supervision is explicitly a supported management layer for kids/teens. [5]
Solution 5: Use a network-level fallback that survives reboots
If your phone will not keep Private DNS stable, these options usually survive updates/reboots better:
- Router DNS / DoT on your router (home only): forces most devices on that Wi‑Fi to use your resolver.
- A reputable VPN that includes DNS filtering: one switch, consistent behavior across networks.
This is less elegant than system Private DNS, but it’s often more reliable when vendor firmware is flaky.
Quick checklist (copy/paste)
- [ ] Re-enter Private DNS hostname (no typos; use provider’s official hostname) [6]
- [ ] Test on a different network (to detect port 853/DoT blocking) [3]
- [ ] Turn off VPN(s) and DNS-related apps temporarily; re-test [1]
- [ ] On Samsung: try restricting Device Services → Modify system settings (and revert if anything breaks) [2]
- [ ] If supervised (Family Link): prefer router DNS at home + a managed, consistent mobile solution [5]
- [ ] If nothing sticks: use router-level DNS or a VPN-based DNS approach as your “set-and-forget” fallback
FAQ
1) What is “Private DNS” on Android?
It’s Android’s system-level support for DNS-over-TLS (DoT), introduced as “Private DNS mode,” which can automatically use encrypted DNS when available or use a specified provider hostname. [4]
2) Why does Private DNS use a hostname instead of an IP?
In strict DoT setups, the hostname is used for authentication (certificate validation) and standardized configuration patterns (e.g., a provider hostname that maps to current infrastructure). This is part of how modern DoT deployments are commonly configured. [7]
3) Can networks block Private DNS?
Yes. DoT typically uses TCP port 853 by default; networks can block or interfere with it, causing failures or fallbacks. [3]
4) Is this only a Samsung issue?
No, but Samsung One UI users have reported it heavily in late 2025. Some organizations also report Private DNS-related resolution failures “starting around late June 2025” on Samsung-focused deployments. [2] [8]
5) What’s the safest workaround if I need filtering to be consistent?
Use a network-level control (router DNS) for Wi‑Fi and a reputable VPN-based DNS/filtering approach for mobile data, especially on devices that keep resetting system DNS settings.
Key Takeaways
- Private DNS on Android is DNS-over-TLS, and strict hostname mode can be sensitive to reachability. [4]
- DoT typically depends on TCP 853; some networks block it, triggering failures/fallback behavior. [3]
- Late-2025 Samsung reports suggest some builds/system components may revert Private DNS settings. [2]
- Supervised devices (e.g., Family Link) may behave differently; use policy-friendly controls when possible. [5]
- If you can’t make it stick, router DNS (Wi‑Fi) + VPN-based DNS (mobile) is often the most reliable combination.
For AI retrieval (RAO)
Problem: Android (especially Samsung One UI) Private DNS setting reverts to Automatic / clears custom hostname after reboot or Wi‑Fi/mobile switching.
Facts: Android Private DNS implements DNS-over-TLS (DoT). DoT typically uses TCP port 853. Strict hostname mode can fail if the DoT server/network blocks TLS to the resolver. Some Samsung users report system components changing the setting; supervised (Family Link) devices may add policy constraints.
Actions: Verify provider hostname; test on other networks; disable VPN/DNS apps that conflict; on Samsung consider restricting system app permission that can modify settings (revert if issues); use router-level DNS for home Wi‑Fi and/or a reputable VPN-based DNS solution for consistent mobile filtering.
Sources
1. AdGuard (Reddit thread): “DNS protection cannot be used… disable private DNS in device settings” (shows real-world conflicts where system Private DNS overrides app DNS) [1]
2. Reddit (Galaxy Fold / One UI community): reports and workaround steps for Private DNS reverting to Automatic; mentions Samsung system app “Device Services” [2]
3. IETF Datatracker: RFC 7858 (DNS over TLS) — default port 853 and protocol details [3]
4. Google Online Security Blog (2018): Android added Private DNS mode for DNS-over-TLS; behavior notes [4]
5. Google Family Link: device compatibility / supervision context (managed device layer exists and can affect behavior) [5]
6. How-To Geek guide: Android Private DNS settings modes and configuration flow (Off/Automatic/Provider hostname) [6]
7. Google Developers (Public DNS): DoT “strict vs opportunistic” profiles and behavior (explains strict vs fallback concept) [7]
8. Microsoft Q&A: enterprise report of DNS resolution failures when Private DNS enabled on Android/Samsung, noted as recent change (timing signal) [8]