Our 7 Best DNS Providers for Privacy (and adblocking) 2022


This post was originally published on 29 JAN 2022. It has since been updated and revised.

DNS enables your devices to connect to the internet as we currently know it.

However, what happens if your resolver is either insecure or untrustworthy (and often, both) - such as the resolvers of many, if not all, of the Internet Service Providers (ISPs) out there? What if the DNS resolver completes everything in plaintext - for anyone to view by eavesdropping? What if the resolver logs your DNS queries, tying them back to you and using that data however they see fit?

Unfortunately, for many, this is typically the case with the default option for DNS. So, naturally, this is why we're sharing our top picks for privacy-focused and secure (read: encrypted) DNS server providers in this post.

Lost? If you would like to dig deeper into DNS and how it affects/relates to online privacy, then please visit the main DNS page to catch up.

At a glance

All providers listed here support DoH, DNSSEC, and QName Minimization at a minimum!

Columns: Name | Type | Server locations | Logging | DoT support | DNSCrypt | Domain filtering | Custom configurations | Source code | Infrastructure

Quad9
  Type: Non-profit
  Server locations: Anycast, based in Switzerland
  Domain filtering: Malicious domains on all servers; can use a server without blocking
  Source code: Not public
  Infrastructure: In-house; hosted by Global Secure Layer, Packet Clearing House

NextDNS
  Type: Commercial; offers free tier
  Server locations: Anycast; based in US
  Logging: Optional; dependent on server choice
  Domain filtering: Adblocking and malicious domains; dependent on server choice
  Source code: Not public
  Infrastructure: In-house
  Link: avoidthehack affiliate (more info)

AdGuard
  Type: Commercial
  Server locations: Anycast, based in Cyprus
  Logging: Some
  Domain filtering: Adblocking and malicious domains; dependent on server choice
  Infrastructure: Hosted by Choopa and Serveroid

Mullvad DNS
  Type: Commercial; free
  Server locations: US, UK, Switzerland, Sweden
  Domain filtering: Adblocking and malicious domains (adblock lists only)
  Infrastructure: In-house

DeCloudUs
  Type: Commercial; free
  Server locations: Anycast
  Domain filtering: Adblocking and malicious domains; dependent on user server/subscription choice
  Source code: Not public
  Infrastructure: In-house

Cloudflare
  Type: Commercial; free
  Server locations: Anycast; based in US
  Logging: Some
  Domain filtering: Malicious domains only
  Source code: Not public
  Infrastructure: In-house

DNS.Watch
  Type: Free project
  Server locations: Based in Germany
  Source code: Not public
  Infrastructure: In-house


Quad9

If you follow avoidthehack on Twitter, then you know that we're quite fond of them and all they do!

Quad9 is a non-profit organization that operates high-performing and privacy-respecting public DNS resolvers. Quad9 DNS servers are found around the world. Specifically, their infrastructure spans 150 locations in 90 different nations.

Their DNS servers feature no logging, retaining no personal data about users who utilize their servers. There is no sign-up required to use the service; the IP addresses for their DNS servers are listed and available for all to use at will.

Quad9 is based in Switzerland, having relocated from being primarily based in the US. As of writing, they're still working on being incorporated fully in Switzerland. This relocation is a huge deal because Switzerland has some of the most robust consumer data and online privacy protections around.

Quad9 features threat blocking on all servers. This means that when using Quad9's DNS resolvers, they will automatically deny connections to known malicious domains - ultimately promoting and improving the security of your devices and their connections.

It's worth noting that Quad9 does provide servers without threat blocking; you have the option to choose which to connect with. However, it's highly recommended to use the server that makes use of their threat blocking technology because it's an effortless increase in the levels of your device and/or network security (and also your privacy - by not connecting to known malicious domains).

These known malicious domains are provided by varying threat intelligence entities partnered with Quad9 and are constantly being updated to offer better protection against newer threats.

Quad9 supports the DoH, DoT, and DNSCrypt protocols. Additionally, their infrastructure is a blend of in-house equipment and hosting services provided by Packet Clearing House and Global Secure Layer.



NextDNS

NextDNS prominently aims to be the "new firewall for the modern Internet."

Based out of the US, NextDNS offers both free and paid (but affordable!) DNS resolving services. The free tier is limited to 300,000 queries a month but allows for access to all features, unlimited devices, and unlimited configurations. Their servers use Anycast so reliable service can be provided across multiple locations. NextDNS' DNS resolvers can block ads, trackers, and malicious domains.

Generally speaking, 300,000 queries a month is reasonable for a couple of devices. However, we recommend going for unlimited queries if you have a lot of devices on your network. For reference, the devices on your network include any device that uses your Wi-Fi to connect to the internet; you may have more internet-connected devices than you think!

The service features no logging as long as users don't opt in; NextDNS states that "...some features require some sort of data retention; in that case, our users are given the option, control, and full access to what is logged and for how long." So, ultimately, logging depends on user server/feature choice, which is fair.

NextDNS has a whole host of settings and abilities to really fine-tune the level of blocking and filtering on your connected devices and/or network. For example, you can specify whether you want to block wide-spectrum trackers, "disguised" third-party trackers, affiliate links, or you can block all. Additionally, you can add and change around entire blocklists used - similar to the blocklists function found in Pi-Hole.

NextDNS has security-focused settings available as well. You have the discretion to utilize threat intelligence feeds and/or AI assisted threat detection to minimize security risks. You also can specifically elect to safeguard against the likes of cryptojacking, typosquatting, parked domains, and domains registered for less than 30 days. If needed, you can block entire domains/subdomains/specific URLs as you see fit.

For those with children, it also has a Parental Control tab on the dashboard that allows blocking and unblocking of specific websites or categories of websites.

For payment options, NextDNS does offer payment via cryptocurrency. Additionally, they have made available a beta version of DNS-related support for decentralized Web3 technologies such as IPFS.

Furthermore, it's worth mentioning that they're a trusted partner of Mozilla Firefox to deliver Firefox's DNS-over-HTTPS feature.

avoidthehack Affiliate ( more info )


AdGuard

AdGuard is a company that's perhaps most known for its adblocking services - which, fortunately, also happen to be privacy friendly.

As of writing, they're currently re-launching their DNS service and making it both public and free for all to use.

AdGuard's DNS provides its adblocking services and technology on the network level. AdGuard's DNS resolvers can block ads, trackers, and known malicious domains. In fact, we recommend AdGuard for mobile devices (free or paid) in the Tracker Blocking section of avoidthehack.

AdGuard is based out of Cyprus and uses Anycast for their servers, which helps promote faster DNS resolving speeds from just about anywhere in the world. The infrastructure for their DNS resolver services is hosted by Choopa and Serveroid.

AdGuard's DNS service does feature some amount of logging as detailed in their DNS privacy policy.

They do not collect personal data such as IP addresses, but they do store aggregated performance metrics for their DNS servers. This aggregated information includes data such as completed requests to another particular server, the number of blocked requests, and the speed of processing these requests.

They also keep and store an anonymous database of domains requested within the last 24 hours. The anonymized data collected isn't shared with third parties either.

AdGuard's DNS resolvers support the DoT and DNSCrypt protocols. Additionally, they publish their server source code for review on GitHub!




Mullvad DNS

If you're at all familiar with Mullvad, then you probably know them best for their fantastic Mullvad VPN service. As a whole, Mullvad is a business that stands firmly in its belief that user privacy is important and should be protected; we can see this reflected in their services, policies, and other business practices.

Near the end of 2021, Mullvad opened up their DNS servers for public use. Currently, this public DNS service is still in beta but it is more or less ready for "production," or for users to use for resolving DNS queries. Since it's in beta, users should expect changes that may affect the service. Mullvad DNS service is provided independently of their VPN service. While the VPN service is paid, the DNS service is free.

Mullvad has DNS servers located in the US, UK, Sweden, Switzerland, Australia, Singapore, and Germany. When using this service, the closest DNS server (in terms of hops, not geographical location) will be used for answering queries first.

Mullvad's public DNS service offers a strict no logs policy as detailed in their privacy policy. Mullvad's public DNS comes in two distinct flavors; servers that utilize adblocking lists and those that don't. Naturally, given the nature of this post, we recommend using the ones that have adblocking functionality.

Mullvad uses a variety of adblocking lists for the servers that perform this service, which are detailed on their GitHub repo. Some of these lists include EasyList and the AdGuardDNS. Currently, it doesn't look like users are able to choose which adblock lists to use or to utilize custom ones through the service, so there are no custom DNS capabilities. However, Mullvad appears to welcome adblock list suggestions on their GitHub.




DeCloudUs

DeCloudUs is a service that follows a freemium model similar to NextDNS. However, there are three tiers that have distinctly different features and offers, though they do share some common things.

Broadly speaking, the servers in the free tier encrypt your DNS queries, allow access to some features as provided by DeCloudUs, and grant access to one server location in Germany.

The Premium tier grants access to the "Echo," "Zulu," and "Alpha" servers. These servers feature a choice of global locations, no throttling, and allow you some server choice.

"Echo" provides advanced blocking of ads, trackers, and malware; "Alpha" has a focus on deGoogling where, in addition to blocking ads, trackers, and known malicious domains, it aims to block Google-related domains as well; "Zulu" is a more tame version of "Alpha" where only some Google domains are blocked.

The Premium Plus tier grants access to everything in the premium tier plus enabling custom DNS configurations.

All servers at DeCloudUs, regardless of subscription tier, encrypt DNS queries using either DoH, DoT, or DNSCrypt. Additionally, per their privacy policy, the DeCloudUs servers are configured not to keep logs of user query history.

DeCloudUs is built on open source; the DNS servers at DeCloudUs aren't open source in the "traditional sense," but are instead built with known open source components such as NGINX, Debian OS, acme.sh, and others. In other words, you won't be able to directly clone/view/edit the source code of any of the DeCloudUs DNS servers as they are presently configured.

DeCloudUs allows for payment via cryptocurrency.



Cloudflare

First, you may know Cloudflare as the biggest Content Delivery Network (CDN) provider as of writing.

Now, generally, you'll find that CDNs fall within a bit of a gray area in the privacy community; their nature and function is to act as a third-party middleman in your device's connection to a website or a web service. In doing so, CDNs provide load balancer and reverse proxy services for the websites that employ them.

Cloudflare also provides a public DNS service (located at that is decently privacy friendly. Cloudflare's resolver blocks and filters malicious domains automatically; it doesn't necessarily offer the blocking of trackers or advertisements. Plainly speaking, Cloudflare has and maintains a list of sketchy domains (where they may be known to send massive amounts of spam, host malware, etc) that the server won't resolve when a request for connection matches a domain on this list. This refusal to resolve means that your device doesn't connect with these known malicious domains, promoting a safer browsing experience on your device or network.

Cloudflare's DNS service does engage in some logging, as detailed on their website. Cloudflare anonymizes most of the data collected. The collected data is purged within 25 hours. Cloudflare engages in limited third party sharing (specifically with the organization APNIC) with a sample size of the data collected.

Cloudflare's DNS supports DoT. The infrastructure for this service is in-house.

Additionally, like NextDNS, it's worth mentioning that they're a trusted partner of Mozilla Firefox to deliver Firefox's DNS-over-HTTPS feature.




DNS.Watch

DNS.Watch is a free DNS resolver service that is based out of Germany. They've been around since circa 2014.

They operate a handful of servers, preferring to be a "small" operation. DNS.Watch's servers aim to deliver uncensored records, the project having a large emphasis on freedom.

DNS.Watch's DNS resolvers do not filter or block ads or malicious content; the organization prefers to keep their alternative servers more neutral. Their infrastructure is in-house.

DNS.Watch's DNS resolvers do not log personal data; DNS.Watch does use anonymized data for statistics and security research.

The service offers support for DNSCrypt although it seems to be in a beta-phase at the time of writing.


Final thoughts

DNS is at the core of every internet connection for any internet enabled device.

Because of this, it's important to safeguard your DNS queries as much as possible - and often the first step is to stop using your Internet Service Provider's (ISP) DNS resolvers.

If you're looking for self-hosted options, then please check out the avoidthehack DNS client recommendation list.

As always, stay safe out there!
