The federal government has authorized your internet service provider to spy on you. The right was enshrined by a 2017 act of Congress that cancelled anti-spying regulations enacted by the Obama-era Federal Communications Commission. Today, your ISP can log every place you go online and use that data any way it wants, such as building user profiles for its own or other companies’ advertising platforms.

But ISPs’ most powerful spying tool is now easy to block, by encrypting what’s called a DNS request—a bit of data that announces the websites you visit. Mozilla’s Firefox browser already offers DNS encryption as an option, and it’s about to turn it on by default in the coming days or weeks. This protects you not only from a snooping ISP but also from a hacker who wants to watch your surfing or even redirect you to bogus sites containing malware.

Google also plans to make DNS encryption possible in its Chrome web browser and Android operating system, although in a much slower fashion that involves coordinating with the internet service providers. Nevertheless, ISPs recently sent a letter to six House and Senate Committees asking them to stop Google from moving forward. News site Motherboard also unearthed a misleading slide deck that Comcast lobbyists are using to sway politicians.

The skinny on DNS

While the politics play out, you can take simple steps right now to secure your surfing. Here’s a quick explanation of how DNS works, and how to encrypt it.

Typing “Google.com” into your browser means nothing to the internet, which needs a numerical IP address like 172.217.7.196 in order to find Google’s web servers, which host its site. To resolve the problem, your browser first visits a domain name system (DNS) server, which maintains a lookup table of web domains and their corresponding IP addresses. By default, your computer (or phone or tablet) uses the DNS server provided by your ISP, giving the company a handy list of all the sites you visit.

The privacy solution is called DNS over HTTPS, which uses the same encryption that secures your connections to most websites. (You can spot those web addresses because they start with “https” and are designated by a lock icon.) Mozilla is the furthest along, introducing both the encryption technology and an encrypted DNS service provider, run by cloud computing company Cloudflare. The latter has agreed to purge any data it collects and not provide it to any other parties. Mozilla is close to signing on additional DNS providers under the same terms, says Marshall Erwin, senior director of trust and security at Mozilla.

Setting it up

The easiest fix is to use the Firefox browser, as the switchover to DNS over HTTPS is about to start. If you just can’t wait, or you want to use another browser, here’s what to do.