Privacy-Focused DNS Providers in 2026

Comparison of privacy DNS providers — logging policies, filtering options, DoH/DoT support, speed, and which to use for different threat models.

DNS is the first lookup your device makes before any connection. By default that query goes to your ISP — unencrypted, logged, potentially sold. Swapping to an encrypted, privacy-respecting resolver costs nothing and takes five minutes. The question is which one.

A maintained reference. Updated when providers change logging policies, pricing, or something significant happens. For setup instructions, see Custom DNS Using NextDNS.


Quick Pick

Pick based on your actual situation, not the longest feature list:

Just want faster, cleaner DNS with no ads → Cloudflare 1.1.1.1
Consistently the fastest DNS resolver globally according to DNSPerf benchmarks. Use 1.1.1.1 for plain, or 1.1.1.2 for malware blocking, or 1.1.1.3 for malware + adult content filtering. No account, no setup beyond changing your DNS server. US company (relevant for jurisdiction), but independently audited.

Privacy-first, no filtering complexity → Quad9
Non-profit, Swiss jurisdiction. No IP address logging, period. Strong malware blocking — independent tests put it at 97% effectiveness. Free. Particularly useful if jurisdiction matters to your threat model — Swiss law provides meaningful protection, and being a non-profit removes the commercial incentive to monetize data.

Custom blocking, multiple devices, want real control → NextDNS
The most configurable option. Choose your own blocklists, set per-device rules, view per-query logs. Free tier covers 300,000 queries/month — after that, filtering stops and it falls back to plain DNS. $1.99/month for unlimited. If you want Pi-hole-style control without self-hosting, this is it.

Ad blocking built in, don't want to configure anything → AdGuard DNS
Ad and tracker blocking out of the box at the DNS level, no configuration needed. Free tier (300k queries/month). Cyprus-registered company — less protective jurisdiction than Switzerland, but privacy policy commits to no personal data logging on public DNS.

Already using Mullvad VPN and want minimal footprint → Mullvad DNS
From the same company as the VPN. No-log by design, blocks ads and trackers, open source blocklists. No account needed, no free tier limitations. Not useful as a standalone service if you're not already in the Mullvad ecosystem.


Quick Comparison

Provider Free Paid Logging Policy Jurisdiction Filtering
Cloudflare 1.1.1.1 1.1.1.1 for Families (free) No IP written to disk; logs deleted within 24 hours USA (Cloudflare Inc.) Optional (1.1.1.2 malware / 1.1.1.3 malware + adult)
Quad9 No IP address logged — ever Switzerland (non-profit foundation) Malware/phishing blocking enabled by default
NextDNS ✅ (300k queries/mo) $1.99/mo or $19.90/yr Configurable — logs available per-device, or disable entirely France (NextDNS Inc.) Fully configurable — choose blocklists
AdGuard DNS ✅ (300k queries/mo) $2.49/mo (Personal) No personal data on public DNS; aggregated metrics only Cyprus (AdGuard Software Ltd.) Ad + tracker blocking by default
Mullvad DNS ✅ (standalone, no account) N/A (included with VPN) No-log by design; no account to tie queries to Sweden (Mullvad VPN AB) Ads, trackers, malware — configurable profiles

Protocol Support

All providers support the encrypted DNS protocols that matter. Plain DNS (UDP 53) sends queries in cleartext — your ISP can read every lookup. DoT and DoH encrypt queries. DoH additionally blends DNS traffic with regular HTTPS, making it harder for networks to block.

Provider Plain DNS DoH DoT DoQ DNSCrypt DNSSEC
Cloudflare 1.1.1.1 ✅ (DoH + DoH/3 via HTTP/3) ✅ (via HTTP/3)
Quad9 ✅ (HTTP/2 — HTTP/1.1 retired Dec 2025) ⚠️ Limited ✅ (default on primary)
NextDNS ⚠️ Partial
AdGuard DNS ✅ (DNSCrypt)
Mullvad DNS

Recommendation: Use DoH or DoT for all devices. Plain DNS is there for compatibility with older routers and devices — don't use it by choice. DoH is easier to configure on most systems and blends in with HTTPS traffic. For more on DNS privacy protocols, see DNS Privacy: What It Is and Why It Matters.


Filtering Options

Provider Malware Blocking Ad Blocking Adult Content Filter Custom Rules Custom Blocklists
Cloudflare 1.1.1.1 ✅ (1.1.1.2 address) ✅ (1.1.1.3 address)
Quad9 ✅ (default on 9.9.9.9)
NextDNS ✅ (community + custom)
AdGuard DNS ✅ (Family profile) ✅ (open source filter lists)
Mullvad DNS ✅ (Base + extras profiles)

Cloudflare's three IPs are the most underused feature in DNS. 1.1.1.1 is unfiltered. 1.1.1.2 adds malware domain blocking. 1.1.1.3 adds malware plus adult content filtering. Swap your DNS server address to change what gets filtered — no account, no configuration interface. Simple.

Quad9 deliberately doesn't block ads. The focus is malware and phishing. That's a principled choice — threat intelligence from IBM X-Force, Recorded Future, and others feeds the block list. If you want ad blocking, NextDNS or AdGuard DNS are the right tools.

NextDNS logging is worth explaining in detail: by default, it logs per-query DNS data to a dashboard you can view. This is useful for diagnosing issues and seeing what your devices are calling home to. If you don't want it, you can disable logging entirely in the settings. It's data collection you control, not forced surveillance.


Privacy Details

| Provider | Query Logs | IP Logging | Log Retention | Privacy Audit | No-log Verification |
|---|---|---|---|---|---|
| Cloudflare 1.1.1.1 | No queries written to disk | No IP written to disk | Aggregated data deleted within 24 hours | KPMG privacy audit (2019 — most recent published) | Annual KPMG audits committed, public reports available |
| Quad9 | No query logs | No IP logs — ever | N/A (nothing retained) | No formal third-party privacy audit | Non-profit structure + public policy statement |
| NextDNS | Optional (disable in settings) | Optionally hashed | User-configured retention period | No public audit | Privacy policy + user control |
| AdGuard DNS | None on public DNS; optional on private DNS | No personal data on public DNS | Aggregated metrics only; 24-hour rolling | No public privacy audit | Privacy policy commitment |
| Mullvad DNS | No logs | No account to tie logs to | N/A | Cure53 DNS server audit (part of broader infrastructure audits) | No-log architecture verified as part of VPN audits |

On Cloudflare's jurisdiction: Cloudflare is a US company. That means it is subject to NSLs (National Security Letters), FISA court orders, and other US government legal demands that may come with mandatory non-disclosure. The KPMG audit verifies that Cloudflare honors its privacy commitments during the audit period — it doesn't certify what happens under a secret court order. For most users this is an acceptable risk. For users in adversarial relationships with US government interests, Quad9's Swiss jurisdiction or Mullvad DNS offers meaningfully stronger protection.

Quad9's Swiss advantage is structural, not just symbolic. Quad9 moved to Switzerland specifically for legal protection. Swiss privacy law protects Quad9's users regardless of their nationality. A legal demand from a foreign government targeting a Swiss non-profit faces substantially higher legal hurdles than the same demand to a US company.


Speed

DNS speed affects every single connection your device makes. The difference between the fastest and slowest providers on this list is typically under 20ms — imperceptible to humans but meaningful for browsing.

Cloudflare consistently tops independent benchmarks. From DNSPerf's May 2025 data, Cloudflare averaged 6.95ms response time globally. Quad9 and NextDNS trail by 10–30ms in most regions, which is not noticeable in daily use.

The practical hierarchy:

  • Fastest: Cloudflare 1.1.1.1
  • Comparable: Quad9, NextDNS, AdGuard DNS — within 10–20ms of Cloudflare in most regions
  • Variable: Mullvad DNS — depends heavily on VPN server location

Speed should not be the deciding factor here. The difference between 7ms and 25ms is unmeasurable in real-world browsing. Choose based on privacy policy and jurisdiction first.


Threat Model Matching

Casual home user who wants something better than their ISP's DNS:
Cloudflare 1.1.1.1 or Quad9. Both free, both fast, both encrypted. Cloudflare is marginally faster; Quad9 is more privacy-protective by jurisdiction. Either is a significant improvement over default ISP DNS.

Family with kids:
Cloudflare 1.1.1.3 (free, malware + adult content filtering, nothing to configure), or NextDNS with a custom family profile. 1.1.1.3 is zero-friction. NextDNS gives you per-device rules if you want different settings for different household members.

Privacy-focused user who wants real control:
NextDNS on the $1.99/month plan. Full query logs you can review, per-device configurations, custom blocklists. Self-hosting AdGuard Home is an alternative if you want zero cloud dependency — see Self-Hosted AdGuard Home DNS Server.

High-threat-model user (journalist, activist, abuse survivor):
Quad9. Swiss jurisdiction, non-profit, no IP logging at all — not even temporarily. When the architecture has nothing to hand over, no legal demand changes that. If you're using Mullvad VPN, their DNS inside the tunnel is a natural extension of the same no-log posture.

VPN user who already uses Mullvad:
Mullvad DNS inside the tunnel. Keeps DNS queries inside the same no-log, no-account architecture you're already using.


What Your ISP Sees Without Encrypted DNS

Without DoH or DoT, every DNS query your devices make is visible to:

  • Your ISP (who can log and sell it in jurisdictions without strong data protection law)
  • Anyone on your network — at a café, hotel, airport
  • Your router's firmware (if you're on a compromised or ISP-managed device)

Encrypted DNS fixes the transport problem. It does not fix the destination problem — the provider you're using still sees your queries; a strict no-log policy like Quad9's limits what is kept, not what the resolver receives. "Encrypted DNS" means encrypted in transit; it does not mean no one can see what you're looking up.

For the next layer — removing even the provider's visibility — self-hosting with AdGuard Home or Pi-hole routes your queries through your own server. See How to Set Up Pi-hole for that path.


Providers Not Included

  • Google 8.8.8.8 — Fast, widely supported, extremely privacy-hostile. Google's business model is built on data; their DNS logs are an asset, not a liability they're minimizing.
  • OpenDNS (Cisco) — Enterprise-focused, configurable. Cisco's ownership and US jurisdiction make it a poor choice for privacy use cases.
  • ControlD — Legitimate highly configurable option. Not included due to less established track record than the five above; may be added in a future update.

Changelog

Date Change
2026-03-27 Initial published version.

Last updated: 27 March 2026. To report a change — logging policy update, new audit, service change — get in touch.
