
Avoid The Hack: 8 Best DNS Providers for Privacy (and adblocking)
This post was originally published on 29 JAN 2022. It has since been updated and revised.
DNS enables your devices to connect to the internet as we currently know it, translating the human-readable domain name to a machine-readable IP address.
However, what happens if your resolver is insecure and/or untrustworthy? Many, if not all, Internet Service Provider (ISP) resolvers are unencrypted and privacy-unfriendly, passing queries in plaintext or logging information associated with your devices' queries.
Using a DNS with domain filtering capability is also a great way to enjoy adblocking on your device(s) or on your network. While some people will agree ads are annoying, unsightly, and otherwise a waste of time, targeted ads pose both privacy and security risks to end users.
Lost? If you would like to dig deeper into DNS and how it affects/relates to online privacy, then you can learn some more here.
At a glance
Per the avoidthehack criteria, providers listed here support DoH, DNSSEC, and QName Minimization at a minimum.
Name | Type | Server locations | Logging | DoT support | DNSCrypt | Domain filtering | Custom configurations | Source code | Infrastructure
---|---|---|---|---|---|---|---|---|---
Quad9 | Non-profit | Anycast; based in Switzerland | None | Yes | Yes | Malicious domains on all servers; can use a server without blocking | Choice of filtered or unfiltered server only | Not public | In-house; hosted by Global Secure Layer and Packet Clearing House
NextDNS | Commercial; offers free tier | Anycast; based in US | Optional; dependent on server choice | Yes | Yes | Adblocking and malicious domains; dependent on server choice | Yes | Not public | In-house
AdGuard | Commercial | Anycast; based in Cyprus | Some | Yes | Yes | Adblocking and malicious domains; dependent on server choice | Yes (personalized filtering) | Open source | Hosted by Choopa and Serveroid
Control D | Commercial; offers free tier | Anycast; based in Canada | Optional; dependent on user choice | Yes | Not stated | Adblocking and malicious domains; dependent on server choice | Yes (premium tiers) | Not public | In-house
Mullvad DNS | Commercial; free | US, UK, Switzerland, Sweden | None | Yes | Not stated | Adblocking and malicious domains | No | Adblock lists only | In-house
DeCloudUs | Commercial; free | Anycast | None | Yes | Yes | Adblocking and malicious domains; dependent on user server/subscription choice | Premium Plus tier only | Not public | In-house
ReThinkDNS | Free | Anycast; based in US | None | Yes | Not stated | Adblocking and malicious domains; dependent on user choice | Mix-and-match blocklists | Open source | Hosted by Cloudflare and Fly.io
Cloudflare | Commercial; free | Anycast; based in US | Some | Yes | Not stated | Malicious domains only | Not stated | Not public | In-house
Quad9
Quad9 is a non-profit organization that operates high-performing and privacy-respecting public DNS resolvers. Quad9 DNS servers are found around the world. Specifically, their infrastructure spans 150 locations in 90 different nations.
Their DNS servers feature no logging, retaining no personal data about users who utilize their servers. There is no sign-up required to use the service; the IP addresses for their DNS servers are listed and available for all to use at will.
Quad9 is based in Switzerland, having relocated from being primarily based in the US. As of writing, they're still working on being incorporated fully in Switzerland. This relocation is/was a huge deal because Switzerland has some of the most robust consumer data and online privacy protections around.
Quad9 features threat blocking on all servers. This means that when using Quad9's DNS resolvers, they will automatically deny connections to known malicious domains - ultimately promoting and improving the security of your devices and their connections.
It's worth noting that Quad9 does provide servers without threat blocking; you have the option to choose which to connect with. However, it's highly recommended to use the server that makes use of their threat blocking technology because it's an effortless increase in the levels of your device and/or network security (and also your privacy - by not connecting to known malicious domains).
These known malicious domains are provided by varying threat intelligence entities partnered with Quad9 and are constantly being updated to offer better protection against newer threats.
Quad9 supports the DoH, DoT, and DNSCrypt protocols. Additionally, their infrastructure is a blend of in-house equipment and hosting services provided by Packet Clearing House and Global Secure Layer.
NextDNS
NextDNS prominently aims to be the "new firewall for the modern Internet."
Based out of the US, NextDNS offers both free and paid (but affordable!) DNS resolving services. The free tier is limited to 300,000 queries a month but allows for access to all features, unlimited devices, and unlimited configurations. Their servers use Anycast so reliable service can be provided across multiple locations. NextDNS' DNS resolvers can block ads, trackers, and malicious domains.
Generally speaking, 300,000 queries a month is reasonable for a couple of devices. However, it's recommended going for the unlimited queries if you have a lot of devices on your network. For reference, when counting devices on your network, this includes any device that uses your Wi-Fi to connect to the internet; you may have more internet-connected devices making more queries than you think!
Users can opt-in to logging; according to NextDNS "...some features require some sort of data retention; in that case, our users are given the option, control, and full access to what is logged and for how long." Ultimately, logging depends on user server/feature choice.
NextDNS has an extensive control panel for fine-tuning the user blocking/filtering experience. For example, users can specify whether they want to block wide-spectrum trackers, "disguised" third-party trackers, affiliate links, or simply blocking them all.
NextDNS has security-focused settings available as well. Users have discretion when using threat intelligence feeds and/or AI assisted threat detection to minimize security risks. Users can also choose to safeguard against the likes of cryptojacking, typosquatting, parked domains, and domains registered for less than 30 days. Depending on your needs as a user, entire domains/subdomains/specific URLs can be blocked.
For those with children, it also has a Parental Control tab on the dashboard that allows blocking and unblocking of specific websites or categories of websites.
NextDNS has integrations with other tools/providers, such as Tailscale and Twingate (platforms that allow users to deploy zero-trust VPNs easily), as well.
NextDNS supports DoT and DNSCrypt. Users can choose to download the NextDNS app on compatible devices. DNSSEC is supported by default.
For payment options, NextDNS does offer payment via cryptocurrency. Additionally, they have made available a beta version for DNS-related support of decentralized Web3 technologies, such as the InterPlanetary File System (IPFS) and peer-to-peer Handshake.
NextDNS is a trusted partner of Mozilla Firefox to deliver Firefox's DNS-over-HTTPS feature.
AdGuard
AdGuard is a company that's perhaps most known for its adblocking services - which also happen to be privacy friendly. AdGuard is recommended on avoidthehack (free or paid versions) for blocking ads on mobile devices.
However, AdGuard is also respected for its adblocking DNS service. As of July 2022, they have relaunched their DNS service - AdGuard DNS 2.0.
AdGuard's DNS provides its adblocking services and technology on the network level. AdGuard's DNS resolvers can block ads, trackers, and known malicious domains. AdGuard 2.0 supports DoH, DoT, and DNSCrypt protocols; the new infrastructure introduced is open-source. Additionally, with 2.0, AdGuard introduced personalized filtering which allows users to customize their blocklists.
AdGuard is based out of Cyprus and uses Anycast for their servers, which helps promote faster DNS resolving speeds from anywhere in the world. Their DNS server infrastructure is hosted by Choopa and Serveroid.
AdGuard's DNS service does feature some amount of logging as detailed in their DNS privacy policy. However, the AdGuard Server source code is open source, with the code viewable to anyone interested on GitHub.
They do not collect personal data such as IP addresses or log DNS queries, but they do store aggregated performance metrics for their DNS servers. This aggregated information includes data such as:
- completed requests to another particular server
- the number of blocked requests
- the speed of processing these requests
AdGuard also keeps an "anonymous database" of domains requests within the last 24 hours. AdGuard has stated that this collected data is "not shared with any third parties" and is used "solely for internal purposes such as performance analytics."
AdGuard's DNS resolvers support the DoT and DNSCrypt protocols.
Control D
Control D is a DNS service provider aiming to help users "improve privacy and productivity."
Control D offers a free DNS resolution service tier; for users that require/want more control, there are two tiers for the premium, subscription service. In either case, Control D has a “no-logs” policy.
Both premium tiers of Control D give users a high degree of customization over their DNS set ups. Naturally, the “Full Control” tier provides more customization and fine-tuning options than the “Some Control” tier.
Control D has numerous filters curated by the service itself. Filters range from adblocking and malicious domain blocking to “clickbait” and IoT telemetry blocking. It also has support for third-party blocklists, deployable via anycast, that aren’t maintained by Control D - some may look familiar.
Custom Rules allow refined control over specific websites. Generally, websites users add as a custom rule can be blocked, bypassed, or automatically redirected to another domain. The Services feature allows rules to be applied to popular social media or streaming sites and works in conjunction with filters.
In addition to supporting DoH and DoT, Control D supports DNS-over-QUIC and DNS-over-HTTP3. DNSSEC is supported by default, but premium users can opt to disable DNSSEC on their own configurations.
Control D is a sister company to WindScribe, which has been a reputable virtual private network (VPN) provider over the years. Users may be familiar with WindScribe in the context of their data breach, where unencrypted servers were seized by Ukrainian law enforcement; as of writing, WindScribe has taken steps to learn from this security incident.
Control D’s infrastructure operates from RAM-disk nodes, which treat the data passing through them as temporary; upon powering off the servers, theoretically no data would be present. The service’s infrastructure is in-house.
As of writing, Control D is working on global Encrypted Client Hello (ECH) support for browsers that support ECH. This feature would encrypt HTTP and HTTPS traffic entirely, providing similar functionality to a VPN or a secure forward proxy, all via DNS.
Mullvad
If you're at all familiar with Mullvad, then you probably know them best for their privacy-respecting Mullvad VPN service. As a whole, Mullvad is a business that stands firmly in its belief that user privacy is important and should be protected; we can see this reflected in their services, policies, and other business practices.
Near the end of 2021, Mullvad opened up their DNS servers for public use. At the time, this service was in beta; however, it seems to have crossed over to a production-ready status. Unlike Mullvad's VPN service, the DNS service is free; there is no requirement to sign up for the VPN service to take advantage of the DNS service.
Mullvad has DNS servers located in the US, UK, Sweden, Switzerland, Australia, Singapore, and Germany. When using this service, the closest DNS server (in terms of hops, not geographical location) will be used for answering queries first.
Mullvad's public DNS service offers a strict no logs policy as detailed in their privacy policy. Mullvad's public DNS comes in two distinct flavors; servers that use adblocking lists and those that don't. Naturally, given the nature of this post, we recommend using the ones that have adblocking functionality. As of February 2023, Mullvad added support for profiles to easily configure encrypted DNS on Apple devices.
Mullvad uses a variety of adblocking lists for the servers that perform this service, which is detailed on their GitHub repository. Mullvad's blocking lists include popular and well-respected lists like EasyList and AdGuardDNS. As of writing, users are unable to choose which adblock lists to use nor use custom ones through the service, so there is no custom DNS capabilities. However, Mullvad appears to welcome adblock list suggestions on their GitHub.
Mullvad's DNS service offers DoT servers. Users can choose whether to use an adblocking server or an unfiltered server for both DoH and DoT protocols. As of November 2023, Mullvad's Encrypted DNS servers run in RAM, which eliminates traces of data that may be left/written to disks.
DeCloudUs
DeCloudUs is a service that follows a freemium model similar to NextDNS. However, there are three tiers that have distinctly different features and offers, though they do share some common things.
Broadly speaking, the servers in the free tier encrypt your DNS queries, allow access to some features as provided by DeCloudUs, and grant access to one server location in Germany.
The Premium tier grants access to the "Echo," "Zulu," and "Alpha" servers. These servers feature a choice of global locations, no throttling, and allow you some server choice.
"Echo" provides advanced blocking of ads, trackers, and malware; "Alpha" has a focus on deGoogling where, in addition to blocking ads, trackers, and known malicious domains, it aims to block Google-related domains as well; "Zulu" is a more tame version of "Alpha" where only some Google domains are blocked.
The Premium Plus tier grants access to everything in the premium tier plus enabling custom DNS configurations.
All servers at DeCloudUs, regardless of subscription tier, encrypt DNS queries using either DoH, DoT, or DNSCrypt. Additionally, per their privacy policy, the DeCloudUs servers are configured not to keep logs of user query history.
DeCloudUs is built on open-source; the DNS servers at DeCloudUs aren't open source in the "traditional sense," but are instead built with known open-source components such as NGINX, Debian OS, acme.sh, and others. In other words, you won't be able to directly clone/view/edit the source code of any of the DeCloudUs DNS servers as they are presently configured.
DeCloudUs allows for payment via cryptocurrency.
ReThinkDNS
ReThinkDNS is a DNS service provider that has made the DNS resolver itself open-source and open-deployable. The service is maintained primarily by the Celzero team. It is also part of the Mozilla Builders MVP program, which was an incubator program run by Mozilla until some time in 2020.
Users can easily get started with ReThinkDNS service for free and with no registration required.
Users have many blocklists to choose from, which widely range between parental control lists to some of the most well-known ad/tracker/malware lists, such as EasyPrivacy, EasyList, and the Block List Project. Users are free to mix and match these blocking lists according to their needs/wants; all lists are broadly tagged with Privacy, Security or ParentalControl for easier top-level sorting. Custom denylists and allowlists are an item in ReThink’s roadmap.
ReThinkDNS supports DoT. DNSSEC is also supported, depending on user server choice.
ReThinkDNS is transparent about their infrastructure; their DoH servers primarily run on Cloudflare (featuring approximately 250+ locations) and their DoT servers primarily run on Fly.io (featuring approximately 35+ locations). It's important to note the DoH resolver forwards queries to Cloudflare's 1.1.1.1, acting as a proxy between the device and the 1.1.1.1 recursive resolver.
As of writing, ReThinkDNS has begun shifting development focus from a majority focus on their Android app to supporting and rounding out the DNS service as a whole. Paid plans are in the roadmap for this service.
ReThinkDNS does not log queries, operating as an effectively serverless and diskless service. However, the service is transparent in acknowledging infrastructure providers (such as server providers) may log some data.
(For more advanced users, if underlying logging from infrastructure providers is an issue, then it is possible to roll their own because the source code for the DNS resolver is open-source.)
Cloudflare
NOTE: Cloudflare has been accused of filtering domains not typically associated with known malware, ads, trackers, or porn on its 1.1.1.3 "Family-friendly" server. For clarification, this post has always recommended use of the 1.1.1.1 server as opposed to 1.1.1.3.
Users may know Cloudflare as a large Content Delivery Network (CDN) provider.
Now, generally, you'll find that CDNs fall within a bit of a gray area in the privacy community; their nature and function is to act as a third-party middleman between your device and the website or web service it connects to. In doing so, CDNs provide load balancing and reverse proxy services for the websites that employ them.
However, Cloudflare also provides a free and public DNS service (located at 1.1.1.1) that is decently privacy friendly. Cloudflare's resolver blocks and filters malicious domains automatically; it doesn't necessarily offer traditional advertisement or tracker blocking.
Cloudflare maintains its own list of malicious/spammy domains (domains known to send massive amounts of spam, host malware, etc.) that the server won't resolve when a requested domain matches an entry on this list; if the domain does not resolve, then no connection is made, which promotes a safer browsing experience.
Cloudflare's DNS service does engage in some logging, as detailed on their website. Cloudflare claims to anonymize most of the data collected and to purge collected data within 25 hours. Cloudflare also engages in limited third-party sharing of sample sizes of logged data with organizations like the APNIC.
Cloudflare's DNS supports DoT. The infrastructure for this service is in-house.
Additionally, like NextDNS, it's worth mentioning that they're a trusted partner of Mozilla to deliver Firefox's DNS-over-HTTPS feature.
Criteria for filtered/adblocking DNS service providers
At a minimum, to be listed on avoidthehack, DNS providers offering filtering services (domain or adblocking) must:
Provide some level of filtering or blocking
Filtering can include:
- Blocking known malicious/phishing domains
- Blocking ad domains/hosts
- Blocking domains/hosts primarily used for tracking
Ideally, services would allow for some customization of filtering rules. However, customization of filtering (such as adding rules or exceptions) is not a requirement for listing here.
Local resolvers or filtering software that are self-hostable, such as Pi-Hole, do not count.
Provide DoH at a minimum
DoH means DNS queries are encrypted from easy “sniffing” (capture and reading) by third parties such as internet service providers (ISPs), or any other device sitting on a network.
Ideally, a filtered DNS provider would also provide DoT and DNSCrypt enabled servers as well.
Provide QNAME Minimization
QNAME minimization (query name minimization) has the resolver send only as much of the queried name upstream as each step of resolution needs, which minimizes unnecessary data related to queries going upstream and provides enhanced privacy to the device (and user) making the query.
Support DNSSEC
DNS Security Extensions (DNSSEC) help prevent a forged or modified response from a rogue DNS server from hijacking a query and pointing it to an unintended destination.
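A practitioner's check for the DoH and DNSSEC criteria above, added here as an example (not code from avoidthehack or any listed provider): it builds a wire-format DNS query, POSTs it to a DoH endpoint, and reads the AD (authenticated data) flag, which is the resolver's statement that it validated the answer with DNSSEC. The Cloudflare endpoint URL in the usage block is assumed from Cloudflare's public documentation; substitute your own provider's DoH URL. The sample replies at the bottom are constructed so the parsing runs offline.

```python
"""Query a DoH resolver in wire format and tell whether it validated DNSSEC."""
import struct
import urllib.request

# DNS header flag bits (RFC 1035 / RFC 4035): QR=response, RD=recursion desired,
# RA=recursion available, AD=authenticated data, CD=checking disabled.
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a DNS query. RD asks for recursion; AD set in a query asks the
    resolver to report validation status in its reply. txid 0 is the DoH
    convention so that responses are cache-friendly (RFC 8484)."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "ra": bool(flags & RA),
            "ad": bool(flags & AD), "cd": bool(flags & CD),
            "rcode": flags & 0x000F, "ancount": an}


def dnssec_validated(reply: bytes) -> bool:
    """True only for a successful response in which the resolver asserts AD."""
    h = parse_header(reply)
    return h["qr"] and h["rcode"] == 0 and h["ad"]


def doh_query(endpoint: str, name: str, qtype: int = 1) -> bytes:
    """POST a wire-format query to a DoH endpoint (RFC 8484) and return the reply."""
    req = urllib.request.Request(
        endpoint, data=build_query(name, qtype), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError(f"unexpected content type from DoH endpoint: {ctype}")
        return resp.read()


# Constructed sample replies (header only, no records) for offline checks.
VALIDATED_REPLY = struct.pack("!HHHHHH", 0, QR | RD | RA | AD, 1, 1, 0, 0)
UNVALIDATED_REPLY = struct.pack("!HHHHHH", 0, QR | RD | RA, 1, 1, 0, 0)

if __name__ == "__main__":
    # Assumed endpoint from Cloudflare's public docs; swap in your provider's URL.
    reply = doh_query("https://cloudflare-dns.com/dns-query", "example.com")
    print("resolver validated DNSSEC:", dnssec_validated(reply))
```

A resolver that returns AD=0 for a DNSSEC-signed zone either does not validate or was queried with CD set, so a "No" here is a reason to check the provider's documentation, not proof of tampering.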
Minimal or optional logging
Filtered DNS providers should be fully transparent about what is logged and should not automatically log or store queries and personally identifiable information (PII). Logging should be anonymized and not stored for longer than 30 days.
NOTE: "Anonymized" data does not equal anonymity. If enough data points exist, even when "anonymized data" is collected, users can still be identified; if this is a concern, then users should opt for a "no-logs" DNS service provider instead. Ultimately, if anonymity is the goal, users will need to look for tools outside of DNS service providers.
Ideally, providers would not log queries or allow for the user to choose whether to log queries.
Final thoughts
DNS is at the core of every internet connection for any internet enabled device.
Because of this, it's important to safeguard DNS queries as much as possible - and often the first step is to stop using your Internet Service Provider's (ISP) DNS resolvers. ISP DNS resolvers are typically slow(er), send queries over plaintext, and do not provide any filtering capabilities - in some cases, the ISP DNS resolvers may censor queries, prohibiting visiting certain sites or services.
Ideally, users would use a DNS service provider from this list; even in the case of self-hosting a resolver, users are encouraged to use these services as trusted upstreams. Even in the case where adblocking or malicious domain filtering is unwanted or unneeded, users are still highly encouraged to use a resolver that encrypts queries with DoH at a bare minimum.
Remember: encrypt those queries and perhaps enjoy some adblocking across your devices and/or network as a side benefit!
As always, stay safe out there!