Privacy-Focused DNS Resolver Comparison 2026
Your DNS resolver knows every domain you visit — even over HTTPS. Most ISPs log this data for years. Switching to a privacy-focused resolver with encrypted transport hides your queries from your ISP and limits what the resolver itself can log. This guide compares the leading options on the factors that matter for privacy.
What to Evaluate
Before choosing a resolver, answer these questions:
- Does the resolver log queries? If yes, for how long, and can they be subpoenaed?
- Where is the operator incorporated? Jurisdiction determines which laws apply.
- Has it been independently audited?
- What encryption protocols does it support? (DoH, DoT, DoQ)
- Does it filter anything? Malware? Ads? You need to trust their blocklist.
Comparison Table
| Provider | No Logging | Jurisdiction | Audited | DoH | DoT | DoQ | Filtering |
|---|---|---|---|---|---|---|---|
| Mullvad | Yes | Sweden | Yes (2023) | Yes | Yes | Yes | Optional |
| Quad9 | Yes | Switzerland | Yes | Yes | Yes | Yes | Malware only |
| NextDNS | Configurable | USA | No | Yes | Yes | Yes | Configurable |
| Cloudflare 1.1.1.1 | Partial | USA | Yes | Yes | Yes | No | Optional |
| Control D | Configurable | Canada | No | Yes | Yes | Yes | Configurable |
| AdGuard DNS | Yes | Cyprus | No | Yes | Yes | Yes | Ad-blocking |
| DNS.SB | Yes | Germany | No | Yes | Yes | No | None |
Mullvad DNS
Best for: Users who want maximum privacy with no configuration complexity
Mullvad DNS is operated by the Mullvad VPN company, known for their privacy stance. They underwent an independent audit in 2023 confirming their no-logging claims. The resolver requires no account — you just configure your device to use it.
# DoH
https://dns.mullvad.net/dns-query
# DoT
dns.mullvad.net (port 853)
# DoQ
quic://dns.mullvad.net (port 853)
# Plain DNS (not recommended — unencrypted)
194.242.2.2
194.242.2.3
# Test it
curl -s "https://dns.mullvad.net/dns-query?name=example.com&type=A" \
-H "accept: application/dns-json" | jq '.Answer[0].data'
Optional blocking variants:
dns.mullvad.net— no filteringadblock.dns.mullvad.net— ads and trackers blockedbase.dns.mullvad.net— malware blockedextended.dns.mullvad.net— ads, trackers, malware, social media blocked
Quad9
Best for: Malware protection without user profiling
Quad9 is a nonprofit foundation based in Switzerland (not subject to EU or US data retention laws). It blocks domains known to host malware, ransomware, and phishing — based on threat intelligence from 20+ security partners. It does not block ads.
# DoH
https://dns.quad9.net/dns-query # with malware filtering
https://dns10.quad9.net/dns-query # no filtering
# DoT
tls://dns.quad9.net # with malware filtering
tls://dns10.quad9.net # no filtering
# DoQ
quic://dns.quad9.net
# Test malware blocking
curl -s "https://dns.quad9.net/dns-query?name=malware.testcategory.com&type=A" \
-H "accept: application/dns-json" | jq '.Status'
# Returns NXDOMAIN (0 → resolves, 3 → blocked)
Quad9 is a strong default for servers and networks where you want malware protection but not ad blocking.
NextDNS
Best for: Per-device customizable filtering with detailed query logs (optional)
NextDNS gives you a personal resolver with configurable blocklists, per-device profiles, and a query log dashboard. Logs are optional and can be set to 1 hour or disabled entirely.
# Each account gets a unique ID (e.g., abc123)
# DoH
https://dns.nextdns.io/abc123
# DoT
abc123.dns.nextdns.io
# DoQ
quic://abc123.dns.nextdns.io
# Install the NextDNS CLI for always-on encrypted DNS
curl -L https://nextdns.io/install | sh
nextdns install --config abc123 --report-client-info
The US incorporation is a privacy concern for adversarial threat models. For personal browsing where you mainly want ad blocking and parental controls, it is practical.
Cloudflare 1.1.1.1
Best for: Raw speed; less ideal for strong privacy
1.1.1.1 is the fastest public resolver in most speed benchmarks. Cloudflare commits to not selling your data and to purging logs within 25 hours. However, Cloudflare is a US company subject to FISA and National Security Letters.
# DoH
https://cloudflare-dns.com/dns-query
https://1.1.1.1/dns-query # same resolver
# With malware filtering
https://security.cloudflare-dns.com/dns-query
# With malware + adult content filtering
https://family.cloudflare-dns.com/dns-query
# DoT
1dot1dot1dot1.cloudflare-dns.com
# Test performance
time dig example.com @1.1.1.1
time dig example.com @9.9.9.9
time dig example.com @194.242.2.2 # Mullvad
Cloudflare 1.1.1.1 is not a bad choice for most users. For high-risk individuals, Mullvad or Quad9 (Switzerland) are stronger options.
Setting Up Encrypted DNS on Linux
# Using systemd-resolved (modern Linux)
# /etc/systemd/resolved.conf
[Resolve]
DNS=194.242.2.2#dns.mullvad.net
FallbackDNS=9.9.9.9#dns.quad9.net
DNSOverTLS=yes
DNSSEC=yes
sudo systemctl restart systemd-resolved
# Verify
resolvectl status | grep "DNS Servers"
resolvectl query example.com
# Using stubby (DNS-over-TLS stub resolver)
sudo apt install stubby
# /etc/stubby/stubby.yml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
- GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
- 127.0.0.1@5353
upstream_recursive_servers:
- address_data: 194.242.2.2
tls_auth_name: "dns.mullvad.net"
- address_data: 9.9.9.9
tls_auth_name: "dns.quad9.net"
DNS Leak Test
After switching resolvers, verify your queries are going where you expect:
# Command line
dig +short TXT whoami.ds.akahelp.net
# Should show your resolver's IP or the upstream resolver's IP
# Check what resolver answers your queries
dig +short TXT o-o.myaddr.l.google.com
# Shows the IP Google sees as your DNS resolver
# DNSleaktest.com API equivalent
curl "https://www.dnsleaktest.com/api/v1/leak" 2>/dev/null | jq '.[].isp'
# Should not show your ISP's name if using an external resolver
Performance Benchmark Script
#!/bin/bash
# dns-benchmark.sh — measure resolver latency
RESOLVERS=(
"1.1.1.1 Cloudflare"
"9.9.9.9 Quad9"
"194.242.2.2 Mullvad"
"8.8.8.8 Google"
)
DOMAINS=(example.com github.com wikipedia.org amazon.com cloudflare.com)
for resolver_entry in "${RESOLVERS[@]}"; do
ip=$(echo $resolver_entry | cut -d' ' -f1)
name=$(echo $resolver_entry | cut -d' ' -f2)
total=0
for domain in "${DOMAINS[@]}"; do
ms=$(dig +noall +stats "$domain" @"$ip" 2>&1 | grep "Query time" | awk '{print $4}')
total=$((total + ms))
done
avg=$((total / ${#DOMAINS[@]}))
echo "$name ($ip): avg ${avg}ms"
done
Implementing Resolver Rotation for Redundancy
Power users can implement client-side resolver rotation to combine the benefits of multiple resolvers:
#!/bin/bash
# rotate-dns.sh — rotate between multiple resolvers for redundancy
RESOLVERS=(
"194.242.2.2" # Mullvad
"9.9.9.9" # Quad9
"1.1.1.1" # Cloudflare
)
CURRENT_INDEX=0
# Update DNS resolver every 24 hours
while true; do
resolver=${RESOLVERS[$CURRENT_INDEX]}
# Update systemd-resolved
echo "[Resolve]" | sudo tee /etc/systemd/resolved.conf > /dev/null
echo "DNS=$resolver" | sudo tee -a /etc/systemd/resolved.conf > /dev/null
echo "FallbackDNS=1.1.1.1 9.9.9.9" | sudo tee -a /etc/systemd/resolved.conf > /dev/null
sudo systemctl restart systemd-resolved
# Log the change
echo "$(date): Switched to resolver $resolver"
# Wait 24 hours before rotating
sleep 86400
# Advance to next resolver
CURRENT_INDEX=$(( (CURRENT_INDEX + 1) % ${#RESOLVERS[@]} ))
done
This approach prevents any single resolver operator from building a complete picture of your browsing habits. Even if a resolver is compromised or forced to log data, the logs are fragmented across multiple operators.
Validating Your DNS Configuration
After switching resolvers, verify that your configuration is actually working:
# Test that you're using the correct resolver
nslookup example.com
# Check resolver via TXT record
dig +short TXT whoami.ds.akahelp.net
# Verify encrypted DNS is in use
curl -v https://dns.mullvad.net/dns-query
# Test DNSSEC validation
dig +dnssec google.com | grep -i "ad"
All of these should show your chosen resolver’s IP (or the encrypted DNS endpoint working correctly), not your ISP’s resolver.
Corporate and ISP Considerations
If you’re behind a corporate network or ISP that requires specific DNS settings, you may encounter constraints when switching resolvers:
- Corporate proxies often intercept DNS queries and redirect them to corporate servers
- ISP-level blocking may prevent connecting to external resolvers
- Captive portals sometimes require specific DNS configurations to function
For these scenarios:
# Use DNS over HTTPS with cURL to bypass ISP blocking
curl --doh-url https://dns.quad9.net/dns-query https://example.com
# Or use a VPN to tunnel DNS alongside all other traffic
# The VPN encrypts DNS before it reaches the ISP
# For corporate networks, check if your IT allows exceptions
# Some enterprises whitelist privacy-respecting DNS for compliance
Related Reading
- Privacy-Focused DNS Filtering with AdGuard Home
- Privacy-Focused DNS over QUIC Setup
- How to Configure DNS over HTTPS for Privacy
- Privacy-Focused DNS Providers Comparison 2026: Privacy
- Claude vs ChatGPT for Drafting Gdpr Compliant Privacy
- AI Autocomplete Accuracy Comparison: Copilot vs Codeium Vs