Every time you type a website address into your browser, your device sends a DNS query to translate that domain name into an IP address. By default, those queries go to your internet service provider — giving your ISP a complete, real-time log of every website you and your household visit. ISPs can use this data to build behavioral profiles, sell it to advertisers, or hand it to data brokers. Switching to a privacy-focused DNS service is one of the simplest and most effective steps you can take to reclaim your browsing privacy.
What DNS Does and Why It Matters for Privacy
The Domain Name System (DNS) is often called the phone book of the internet. When you visit a site like example.com, your device asks a DNS resolver to look up the corresponding IP address so it can connect. Without DNS, you would need to memorize numeric IP addresses for every website.
The problem is that standard DNS queries travel in plaintext. Anyone between your device and the DNS server — your ISP, your network administrator, or an attacker on public WiFi — can see exactly which domains you are requesting. Your ISP's DNS servers log these queries by default, creating a detailed record of your online behavior: the news sites you read, the health conditions you research, the financial services you use, and every other domain your devices contact throughout the day.
Your ISP Sees Every Domain You Request
Even if you use HTTPS on every website, your ISP's DNS server still sees the domain name in every query. HTTPS encrypts the content of your connection, but it does not encrypt the DNS lookup that happens before the connection is made. ISPs in the United States can legally sell this browsing data to advertisers and data brokers without your consent.
Top Privacy-Focused DNS Providers
Several reputable organizations offer free DNS services designed to protect your privacy. Here are the strongest options available today:
Cloudflare DNS (1.1.1.1)
- Primary: 1.1.1.1 / Secondary: 1.0.0.1
- Jurisdiction: United States
- Logging: All logs purged within 24 hours; no IP addresses are ever written to disk
- Extras: Optional malware blocking (1.1.1.2) and malware plus ad blocking (1.1.1.3)
- Best for: Speed and reliability — Cloudflare consistently ranks among the fastest public DNS resolvers
Quad9 (9.9.9.9)
- Primary: 9.9.9.9 / Secondary: 9.9.9.10
- Jurisdiction: Switzerland (nonprofit organization)
- Logging: No IP address logging whatsoever
- Extras: Malware and phishing domain blocking enabled by default
- Best for: Users who want strong privacy under Swiss jurisdiction with built-in threat protection
NextDNS
- Primary/Secondary: Custom addresses assigned per account
- Jurisdiction: Varies (distributed infrastructure)
- Logging: User-controlled, disabled by default
- Extras: Highly customizable — malware blocking, ad blocking, parental controls, per-device settings, and blocklist management
- Best for: Users who want granular control over their DNS filtering and the ability to tailor blocking rules
AdGuard DNS
- Primary: 94.140.14.14 / Secondary: 94.140.15.15
- Jurisdiction: Cyprus
- Logging: Disabled by default
- Extras: Malware and ad blocking included; family protection mode available
- Best for: Users who want aggressive ad and tracker blocking at the DNS level without browser extensions
Mullvad DNS
- Primary: 194.242.2.2
- Jurisdiction: Sweden
- Logging: Absolute zero logs — no query data, no IP addresses, no metadata
- Extras: Optional malware and ad blocking variants available
- Best for: Users who prioritize the strictest possible no-logging policy
Which Provider Should You Choose?
If you want the fastest resolver with strong privacy, start with Cloudflare (1.1.1.1). If Swiss jurisdiction and nonprofit governance matter to you, choose Quad9. If you want maximum customization and filtering control, go with NextDNS. If zero-log absolutism is your priority, Mullvad DNS is the strongest choice. All five are vastly better than your ISP's default DNS.
Encrypt Your DNS With DoH or DoT
Switching to a privacy-focused DNS provider is a good first step, but if you do not also encrypt your DNS traffic, your queries still travel in plaintext. Anyone monitoring your network — including your ISP — can intercept and read them. Two protocols solve this problem:
DNS over TLS (DoT)
DNS over TLS wraps DNS queries in TLS encryption and sends them over a dedicated port (853). Your queries are fully encrypted in transit, preventing eavesdropping. The one limitation is that an observer can see you are making DNS requests because DoT uses its own port — they just cannot see the content of those requests.
DNS over HTTPS (DoH)
DNS over HTTPS sends DNS queries over the same HTTPS port (443) used by regular web traffic. This means your encrypted DNS queries are indistinguishable from normal web browsing — an observer cannot even tell that DNS lookups are occurring. DoH typically adds 12 to 18 milliseconds of latency, which is imperceptible during normal browsing.
For most users, DoH is the better choice because it blends DNS traffic with regular web traffic, making it harder to detect and block. DoT is a solid alternative, especially on Android devices that support it natively as "Private DNS."
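To make concrete what DoH changes and what it does not, here is an added Python example (not from the original article): it builds an ordinary RFC 1035 query for www.example.com and encodes it into the RFC 8484 GET form that a DoH client sends over port 443. The DNS message itself is byte-for-byte the classic plaintext format; only the HTTPS transport wrapped around it is encrypted. Cloudflare's DoH endpoint URL, https://cloudflare-dns.com/dns-query, is not listed on this page and is used here only to form the URL; nothing is sent.

```python
import base64
import struct

# Record type codes used below (RFC 1035 / RFC 3596).
QTYPE_A, QTYPE_AAAA = 1, 28


def encode_name(name: str) -> bytes:
    """Encode a domain as DNS labels: length byte + label, ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Build a wire-format query with the RD (recursion desired) flag set.

    DoH carries exactly these bytes; the privacy gain comes from the HTTPS
    connection around them, not from any change to the DNS message.
    RFC 8484 recommends txid 0 so identical questions give cacheable URLs.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def doh_get_url(resolver_url: str, name: str, qtype: int = QTYPE_A) -> str:
    """Return the RFC 8484 GET form: ?dns=<base64url of the query, no padding>."""
    wire = build_query(name, qtype)
    token = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={token}"


def parse_question(wire: bytes) -> tuple:
    """Decode the question section of a query back into (name, qtype)."""
    pos, labels = 12, []  # the fixed 12-byte header comes first
    while wire[pos] != 0:
        length = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype = struct.unpack("!H", wire[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype


if __name__ == "__main__":
    # Cloudflare's published DoH endpoint (not listed on this page); nothing is sent.
    print(doh_get_url("https://cloudflare-dns.com/dns-query", "www.example.com"))
```

The token in the printed URL is the same one RFC 8484 uses in its own GET example, which is a convenient way to confirm the encoder is right.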
How to Set Up a Privacy-Focused DNS on Every Device
Windows
- Open Settings and navigate to Network & Internet
- Select Wi-Fi or Ethernet depending on your connection type
- Click your network connection, then select DNS server assignment and click Edit
- Change the setting to Manual
- Enable IPv4 and enter your chosen DNS addresses (for example, 1.1.1.1 and 1.0.0.1)
- If your version of Windows supports it, set DNS over HTTPS to On for encrypted queries
- Save your changes
Mac
- Open System Settings and click Network
- Select your active connection (Wi-Fi or Ethernet)
- Click Details
- Select the DNS tab
- Remove any existing DNS servers and add your chosen provider's addresses
- Click OK and then Apply
iPhone and iPad
- Open Settings and tap Wi-Fi
- Tap the (i) icon next to your connected network
- Scroll down and tap Configure DNS
- Select Manual
- Delete the existing DNS servers and add your chosen provider's addresses
- Tap Save
Android
- Open Settings and go to Network & Internet
- Tap Private DNS
- Select Private DNS provider hostname
- Enter the DoT hostname for your chosen provider (for example, 1dot1dot1dot1.cloudflare-dns.com for Cloudflare or dns.quad9.net for Quad9)
- Tap Save
Android's Private DNS feature uses DNS over TLS natively, so your queries are encrypted automatically once configured.
Protect Your Entire Network at the Router Level
For the most comprehensive protection, change the DNS settings on your router rather than on individual devices. This ensures every device on your network — including smart TVs, gaming consoles, voice assistants, and IoT devices that do not have their own DNS settings — uses your chosen privacy-focused DNS provider. Access your router's admin panel and update the DNS server fields under the WAN or Internet settings.
How to Test for DNS Leaks
A DNS leak occurs when your DNS queries bypass your chosen DNS provider and go to your ISP's DNS servers instead. This can happen because of misconfigured network settings, VPN software that fails to redirect DNS traffic, or operating system quirks that override your DNS preferences.
To check for DNS leaks:
- Configure your device or router to use your chosen privacy-focused DNS provider
- Visit ipleak.net or a similar DNS leak test tool
- Look at the DNS server results — you should see only your chosen DNS provider's servers, not your ISP's
- If you see your ISP's DNS servers listed, your DNS queries are leaking
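As an added example (not from the original article), the Python check below compares the resolver addresses a leak-test report lists against your chosen provider's published network ranges. Leak-test pages report the address the resolver used to reach their test server, not the 1.1.1.1 or 9.9.9.9 you typed in, so ranges rather than single addresses are the right thing to compare against. The sample report values and the provider ranges are constructed placeholders from the RFC 5737 and RFC 3849 documentation blocks.

```python
import ipaddress

# Constructed sample of what a leak-test page reported for one device.
# Illustrative values only, not a real test result.
OBSERVED_RESOLVERS = ["203.0.113.53", "203.0.113.54", "198.51.100.7"]

# Constructed egress ranges for the provider this device was configured to use.
# Real providers publish their own lists; use those, not these placeholders.
PROVIDER_NETWORKS = ["203.0.113.0/24", "2001:db8:53::/48"]


def find_leaks(observed, provider_networks):
    """Return the observed resolver addresses outside the provider's networks.

    The test page sees the recursive resolver's outbound address, which is
    normally not the anycast address you configured. Matching on the
    provider's ranges avoids false alarms; anything left over is a resolver
    that should not be handling your queries (typically the ISP's).
    """
    allowed = [ipaddress.ip_network(n) for n in provider_networks]
    leaks = []
    for addr in observed:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in allowed):
            leaks.append(addr)
    return leaks


def summarize(observed, provider_networks):
    """Human-readable verdict for the report, as a string."""
    leaks = find_leaks(observed, provider_networks)
    if not leaks:
        return "OK: every resolver seen belongs to your provider"
    return "LEAK: unexpected resolvers " + ", ".join(leaks)


if __name__ == "__main__":
    print(summarize(OBSERVED_RESOLVERS, PROVIDER_NETWORKS))
```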
VPN Users: Check for DNS Leaks
DNS leaks are especially common when using a VPN. If your VPN tunnel does not properly capture DNS traffic, your queries may slip through to your ISP's DNS servers — revealing the domains you visit even though the rest of your traffic is encrypted. Enable DNS leak protection in your VPN app's settings and test regularly at ipleak.net to confirm your queries are not bypassing the VPN tunnel.
DNS Privacy Is One Layer of Protection
Switching to a privacy-focused DNS service stops your ISP from logging every domain you visit. Encrypting that DNS traffic with DoH or DoT prevents anyone on your network from reading your queries in transit. These are meaningful, impactful steps — and they take just minutes to implement.
But DNS privacy only protects your browsing activity going forward. It does not address the personal information that has already been collected about you — your name, home address, phone number, email, and family details sitting on data broker and people-search sites for anyone to find. ISPs and other companies have already been feeding this data into the broker ecosystem for years.
PrivacyOn works on the other side of the problem. While your new DNS settings cut off one of the data streams that feeds data brokers, PrivacyOn removes the personal information that has already been collected and published across 100+ data broker sites. Plans start at $8.33 per month, with continuous monitoring that catches and removes your data when it inevitably reappears. Combined with a privacy-focused DNS service, you address both sides of the equation — stopping new data collection and cleaning up what is already exposed.