DNS Resolvers

Encrypted DNS with third-party servers should only be used to get around basic DNS blocking when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity.

Learn more about DNS

Recommended Providers

These are our favorite public DNS resolvers based on their privacy and security characteristics, and their worldwide performance. Some of these services offer basic DNS-level blocking of malware or trackers depending on the server you choose, but if you want to be able to see and customize what is blocked you should use a dedicated DNS filtering product instead.

DNS Provider	Protocols	Logging / Privacy Policy	ECS	Filtering	Signed Apple Profile
AdGuard Public DNS	Cleartext DoH/3 DoT DoQ DNSCrypt	Anonymized1	Anonymized	Based on server choice. Filter list being used can be found here.	Yes
Cloudflare	Cleartext DoH/3 DoT	Anonymized2	No	Based on server choice.	No
Control D Free DNS	Cleartext DoH/3 DoT DoQ	No3	No	Based on server choice.	Yes
dns0.eu	Cleartext DoH/3 DoH DoT DoQ	Anonymized4	Anonymized	Based on server choice.	Yes
Mullvad	DoH DoT	No5	No	Based on server choice. Filter list being used can be found here.	Yes
Quad9	Cleartext DoH DoT DNSCrypt	Anonymized6	Optional	Based on server choice, malware blocking by default.	Yes

Self-Hosted DNS Filtering

A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed.

Pi-hole

Pi-hole is an open-source DNS-sinkhole which uses DNS filtering to block unwanted web content, such as advertisements.

Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content.

Homepage

AdGuard Home

AdGuard Home is an open-source DNS-sinkhole which uses DNS filtering to block unwanted web content, such as advertisements.

AdGuard Home features a polished web interface to view insights and manage blocked content.

Homepage

Cloud-Based DNS Filtering

These DNS filtering solutions offer a web dashboard where you can customize the blocklists to your exact needs, similarly to a Pi-hole. These services are usually easier to set up and configure than self-hosted services like the ones above, and can be used more easily across multiple networks (self-hosted solutions are typically restricted to your home/local network unless you set up a more advanced configuration).

Control D

Control D is a customizable DNS service which lets you block security threats, unwanted content, and advertisements on a DNS level. In addition to their paid plans, they offer a number of preconfigured DNS resolvers you can use for free.

Homepage

Downloads

• Windows
• macOS
• Linux
• Google Play
• App Store
• GitHub

NextDNS

NextDNS is a customizable DNS service which lets you block security threats, unwanted content, and advertisements on a DNS level. They offer a fully functional free plan for limited use.

Homepage

Downloads

• Windows
• macOS
• Linux
• App Store
• GitHub

When used with an account, NextDNS will enable insights and logging features by default (as some features require it). You can choose retention time and log storage location for any logs you choose to keep, or disable logs altogether.

NextDNS's free plan is fully functional, but should not be relied upon for security or other critical filtering applications, because after 300,000 DNS queries in a month all filtering, logging, and other account-based functionality is disabled. It can still be used as a regular DNS provider after that point, so your devices will continue to function and make secure queries via DNS-over-HTTPS, just without your filter lists.

NextDNS also offers public DNS-over-HTTPS service at https://dns.nextdns.io and DNS-over-TLS/QUIC at dns.nextdns.io, which are available by default in Firefox and Chromium, and subject to their default no-logging privacy policy.

Encrypted DNS Proxies

Encrypted DNS proxy software provides a local proxy for the unencrypted DNS resolver to forward to. Typically, it is used on platforms that don't natively support encrypted DNS.

RethinkDNS

RethinkDNS is an open-source Android client supporting DNS-over-HTTPS, DNS-over-TLS, DNSCrypt and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.

Homepage

Downloads

• Google Play
• GitHub

dnscrypt-proxy

dnscrypt-proxy is a DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and Anonymized DNS.

Repository

Downloads

• Windows
• macOS
• Linux

Warning

The anonymized DNS feature does not anonymize other network traffic.

Criteria

Please note we are not affiliated with any of the projects we recommend. In addition to our standard criteria, we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.

All DNS products must support:

• DNSSEC.
• QNAME Minimization.
• Anonymize ECS or disable it by default.

Additionally, all public providers:

• Prefer anycast support or geo-steering support.
• Must not log any personal data to disk
  • As noted in our footnotes, some providers collect query information for example, for purposes like security research, but in that case that data must not be associated with any PII such as IP address, etc.

---

1. AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." https://adguard.com/en/privacy/dns.html ↩

2. Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/ ↩

3. Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. https://controld.com/privacy ↩

4. dns0.eu collects some data for their threat intelligence feeds, to monitor for newly registered/observed/active domains and other bulk data. That data is shared with some partners for e.g. security research. They do not collect any Personally Identifiable Information. https://dns0.eu/privacy ↩

5. Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. https://mullvad.net/en/help/no-logging-data-policy/ ↩

6. Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. https://quad9.net/privacy/policy ↩

---

Share this website and spread privacy knowledge

Copy this text to easily share Privacy Guides with your friends and family on any social network!