Updated June 2026

Best DNS for Privacy 2026

No-log DNS providers tested. Compare policies, jurisdictions, and encryption options for maximum browsing privacy.

Why DNS Privacy Matters

Every time you type a URL into your browser, a DNS query is fired off to translate that human-readable domain into an IP address. This happens before any connection to the website is established. Most users never see this process, but it carries real privacy consequences.

By default, DNS queries travel in plaintext. Your internet service provider sees every single domain you request. In many countries, ISPs are legally required to retain these logs for months or years. Even without legal mandates, ISPs routinely collect DNS data for targeted advertising and network management, or sell it to third-party data brokers.

Consider what a complete DNS log reveals: the medical websites you visit, your political interests, your financial institutions, every streaming service and social platform you access, and the exact times you access them. A DNS log is a near-complete map of your online life.

Public Wi-Fi networks make this worse. On an open network, anyone positioned between you and the access point can intercept plaintext DNS queries using packet sniffing tools. Your browsing history is exposed to the network operator, other connected users, or anyone running a simple packet capture.

Even on your home network, your ISP's DNS resolver is a single point of failure for privacy. If the resolver is compromised or compelled by a court order, it can return modified results, redirecting you to fake versions of legitimate websites without any visible warning in your browser.

A privacy-focused DNS provider addresses the first layer of this problem: they do not log your queries. But true DNS privacy also requires encryption (to prevent interception) and a trustworthy jurisdiction (to resist legal pressure to start logging). This guide covers all three.

What Makes a DNS Provider Private

Not all DNS providers that claim to be private actually deliver on that promise. A meaningful privacy commitment requires several components working together.

No-Log Policy

A true no-log DNS provider does not record which domains you query, when you queried them, or which IP address sent the request. The distinction matters: some providers claim "no logs" while still retaining aggregated metadata, connection timestamps, or IP addresses. Read the privacy policy carefully. Look for specific language about what is and is not collected, and whether any data is retained after the query is resolved.

The strongest no-log policies are backed by independent third-party audits. A provider that submits to external auditing has skin in the game — if they were secretly logging, the auditor would catch it. Providers like Cloudflare and Quad9 have undergone exactly these kinds of audits.

Jurisdiction

Where a DNS company is legally incorporated determines which laws apply to it. A provider based in a Five Eyes country (US, UK, Canada, Australia, New Zealand) can be compelled to start collecting data under national security orders, sometimes without the provider even being allowed to disclose the order.

Switzerland and Sweden are commonly cited as strong privacy jurisdictions. Switzerland is not part of any intelligence-sharing alliance and has robust data protection laws. Sweden has strong legal protections for digital privacy, though it participates in Nine Eyes intelligence cooperation — a factor worth weighing.

Jurisdiction alone is not a guarantee. A company registered in a privacy-friendly country but operated from a Five Eyes nation may still be subject to pressure. The best providers combine strong jurisdiction with transparent operations and public audit reports.

Encryption Support

A no-log policy only helps if your queries actually reach the resolver without being intercepted first. Unencrypted DNS on a public network can be read and modified by anyone on the path. This is why encryption protocols matter: DNS over HTTPS (DoH), DNS over TLS (DoT), and DNS over QUIC (DoQ) all encrypt your queries, so your ISP and local network can see the IP address you are sending them to but not the domain names inside them.

DoH is the most broadly supported — it works through standard HTTPS on port 443, making DNS queries indistinguishable from regular web traffic. DoT uses port 853 and is easier for network administrators to identify and block. DoQ is the newest option, offering the best performance characteristics through QUIC's connection multiplexing.

Independent Audits

An audit report from a reputable firm (KPMG, Deloitte, PricewaterhouseCoopers) is the gold standard for verifying a no-log claim. Without an audit, a privacy policy is just words on a page. The audit should be recent and cover the full scope of data collection, and its summary should be published so users can verify the claims independently.

Top 5 DNS Servers for Privacy in 2026

These five providers combine strong no-log policies with encryption support and favorable jurisdictions. Each has been evaluated on privacy policy strength, audit status, encryption options, and jurisdiction.

1. Quad9 — 9.9.9.9

Quad9 is a nonprofit security company headquartered in Zurich, Switzerland. It provides DNS resolution with built-in threat blocking and does not log identifying information from user queries. Swiss jurisdiction gives Quad9 strong legal protection against data retention orders.

Quad9 supports DNS over HTTPS, DNS over TLS, and DNS over QUIC. The service is free, operated by the non-profit Quad9 Foundation, and backed by industry partners including IBM and Packet Clearing House. Its Swiss incorporation means it operates outside all intelligence-sharing alliances, including Five Eyes, Nine Eyes, and Fourteen Eyes.

The no-log policy is explicit: Quad9 does not store IP addresses or user-identifiable data. The service has been validated through independent audits, and the nonprofit structure means there is no commercial incentive to monetize user data. For privacy-focused users who also want built-in malware blocking, Quad9 is the strongest overall choice.

2. Cloudflare — 1.1.1.1

Cloudflare's 1.1.1.1 public DNS resolver is one of the fastest in the world and carries a strong privacy commitment. Cloudflare commits to purging all query logs within 24 hours, and the company publishes a transparency report detailing any government requests received.

In 2019, Cloudflare engaged KPMG to audit its 1.1.1.1 privacy practices. The audit confirmed that Cloudflare was deleting query data within 24 hours as promised. Cloudflare supports DoH and DoT, making encrypted resolution straightforward on any modern device.

The main trade-off: Cloudflare is incorporated in the United States, a Five Eyes member. While the company has demonstrated strong privacy practices, US law could theoretically compel it to begin collecting data under a National Security Letter with a gag order. Cloudflare has publicly committed to fighting such orders and has a track record of pushing back on overbroad government requests. For users who prioritize speed alongside privacy, 1.1.1.1 is an excellent choice.

3. Mullvad DNS

Mullvad is a Swedish VPN company known for its commitment to privacy — it does not require an email address to sign up, accepts cash payments, and has a transparent, audited no-log policy. Its DNS resolver extends this philosophy to DNS resolution.

Mullvad DNS does not log queries and supports both DoH and DoT. Sweden has strong data protection laws, though it is a Nine Eyes member. Mullvad's operational practices — anonymous accounts, no personal data collection, regular third-party audits — mitigate the jurisdictional concern.

If you already use Mullvad VPN, using their DNS resolver is a natural fit. Even without the VPN, Mullvad DNS is a strong standalone privacy option. The company publishes regular transparency reports and has undergone security audits by Assured AB and Cure53.

4. NextDNS

NextDNS takes a different approach: it gives you full control over what gets logged. The service is configurable, allowing you to enable or disable logging based on your needs. When logging is off, no query data is stored.

NextDNS supports DoH, DoT, and DoQ. The service includes built-in ad blocking, tracker blocking, and malware protection that you can customize through a web dashboard. It works across all devices and can be configured at the router level.

The free tier limits you to 300,000 queries per month, which is more than enough for most households. The paid plan removes this limit and adds premium features. NextDNS is incorporated in the Netherlands (a Nine Eyes member), but the user-configurable logging gives you direct control over your data footprint.

5. AdGuard DNS

AdGuard DNS is operated by AdGuard, a privacy-focused software company. The service offers both a standard DNS resolver and a family-safe variant that blocks adult content. Neither variant logs your browsing queries.

AdGuard DNS supports DoH, DoT, and DoQ. The service is based in Cyprus, which is not part of any major intelligence alliance. AdGuard publishes a clear privacy policy detailing exactly what is and is not collected, and the company has a strong track record in the privacy tools space with its ad-blocking browser extensions and VPN service.

The free tier provides 300,000 queries per month. The paid plan adds more query capacity and access to dedicated servers. For users who want privacy alongside ad and tracker blocking, AdGuard DNS covers both needs in a single resolver.

Privacy Jurisdictions Explained

The legal jurisdiction of a DNS provider directly affects how much protection your data receives. Intelligence-sharing alliances, data retention laws, and government surveillance programs vary significantly between countries.

Five Eyes

The Five Eyes alliance includes the United States, United Kingdom, Canada, Australia, and New Zealand. These countries share intelligence freely and have extensive surveillance infrastructure. ISPs in Five Eyes countries may be legally required to retain DNS logs, and national security letters or equivalent orders can compel providers to begin data collection without public disclosure.

Cloudflare (US) and Quad9's upstream infrastructure partners operate partially within Five Eyes jurisdictions. This does not automatically disqualify them — operational practices and legal resistance matter — but it is a factor in the overall privacy calculation.

Nine and Fourteen Eyes

The Nine Eyes alliance extends Five Eyes to include Denmark, France, the Netherlands, and Norway. The Fourteen Eyes further adds Germany, Belgium, Italy, Spain, and Sweden. Providers based in these countries are subject to intelligence-sharing agreements that may override local privacy protections in national security cases.

Sweden (Mullvad) and the Netherlands (NextDNS) are Nine Eyes members. This does not mean these providers log data — their policies and practices clearly say otherwise — but it does mean the legal framework could theoretically change under political pressure.

Swiss Privacy

Switzerland stands outside all major intelligence alliances. The country's Federal Act on Data Protection (FADP) provides strong protections for personal data, and Swiss law requires a court order for any targeted surveillance — with narrow exceptions for national security that still require judicial oversight.

Quad9's Swiss incorporation is one of the strongest jurisdictional choices available for a DNS provider. Switzerland also hosts the headquarters of several other privacy-focused companies, benefiting from a well-established legal infrastructure for data protection.

What Jurisdiction Means in Practice

Jurisdiction is one factor among many. A provider with strong operational practices (no-log architecture, encrypted transport, regular audits) in a moderate jurisdiction may offer better real-world privacy than a poorly operated provider in a privacy haven. The strongest approach combines favorable jurisdiction with technical measures and transparent governance.

DNS Encryption Options Compared

Encryption protects your DNS queries from interception by your ISP, network operator, or anyone positioned between you and the DNS resolver. Three main protocols are available, each with different trade-offs.

DNS over HTTPS (DoH)

DoH sends DNS queries as HTTPS requests over port 443 — the same port used for secure web browsing. This makes DNS traffic indistinguishable from regular HTTPS traffic to network observers. Your ISP can see that you are connecting to a specific IP address, but cannot read the domain name in the query.

DoH is supported by all major browsers (Firefox, Chrome, Edge, Safari), all major operating systems, and all five DNS providers in this guide. It is the most broadly supported encryption option and the easiest to set up. The main disadvantage: because it runs over HTTPS, it adds a small amount of overhead compared to DoT.

Example DoH endpoint: https://dns.quad9.net/dns-query

DNS over TLS (DoT)

DoT sends DNS queries over a dedicated TLS connection on port 853. It uses the same encryption as DoH but operates on its own port, which makes it easier for network administrators to identify and prioritize (or block) DNS traffic.

DoT is natively supported on Android 9+ and can be configured on most Linux distributions. It offers slightly better performance than DoH because it avoids the HTTP framing overhead. However, because it uses a dedicated port, it is easier for network operators to block if they choose to restrict encrypted DNS.

DNS over QUIC (DoQ)

DoQ is the newest encryption protocol, built on the QUIC transport layer. It offers the best performance characteristics: lower latency than DoH (due to QUIC's 0-RTT connection establishment), built-in encryption, and resistance to ossification (the tendency for middleboxes to break non-standard protocols).

DoQ is supported by AdGuard DNS, NextDNS, and Quad9. Browser support is still limited, but system-level support is growing. If your device and resolver both support DoQ, it is the best option for both privacy and performance.

Which Encryption Should You Use?

For most users, DoH is the practical choice — it is supported everywhere and works through corporate firewalls without issues. DoT is preferable if you control your network environment and want the cleanest separation of DNS traffic. DoQ is the best technical option but requires both client and server support.

The most important thing is to use one of them. Unencrypted DNS in 2026 is an unnecessary privacy risk when encrypted alternatives are free and widely supported. Learn more about DoH in our DNS over HTTPS guide.

How to Test for DNS Leaks

Switching to a privacy-focused DNS provider is only useful if your device is actually using it. A DNS leak occurs when your system falls back to your ISP's DNS resolver despite your configuration changes, or when your VPN tunnel fails to route DNS queries through its encrypted channel.

Common Causes of DNS Leaks

The most common cause is incomplete configuration. Changing your DNS settings in one place (like your Wi-Fi adapter) does not automatically override settings on other interfaces (like your cellular connection or VPN tunnel). Some operating systems also use "smart" DNS resolution that queries multiple resolvers simultaneously, potentially sending queries to your ISP even when you have configured a private resolver.

VPNs are another frequent source of DNS leaks. If your VPN does not fully capture DNS traffic, queries may leak outside the encrypted tunnel to your ISP's resolver. This defeats the purpose of using a VPN for privacy.

How to Test

Run our DNS leak test to verify which resolver is actually handling your queries. The test queries multiple domains and checks which DNS servers respond. If the responding servers match the privacy-focused resolver you configured, your setup is working correctly. If your ISP's resolver appears in the results, you have a leak that needs to be addressed.

For the most thorough test, run the leak test on both your Wi-Fi and cellular connections, with and without your VPN active. Each configuration path should be tested independently to confirm DNS is routed through your chosen resolver in every scenario.
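
The logic behind such a leak test, as an added example (not this site's own test code): each tested path looks up unique names under a zone the tester controls, and the zone's authoritative server records which resolver asked. The zone name, log format, session token and expected resolver range are all assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: address range the chosen resolver uses when it contacts
# authoritative servers. A documentation prefix stands in for a real range.
EXPECTED_RESOLVER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed log lines from the authoritative server of the hypothetical zone
# leaktest.example. Probe names are <path>-<n>.<session token>.leaktest.example
SAMPLE_LOG = """\
2026-06-01T10:00:01Z query from 198.51.100.7 qname=wifi-novpn-1.a1b2c3.leaktest.example
2026-06-01T10:00:01Z query from 198.51.100.9 qname=wifi-novpn-2.a1b2c3.leaktest.example
2026-06-01T10:00:09Z query from 198.51.100.7 qname=wifi-vpn-1.a1b2c3.leaktest.example
2026-06-01T10:00:10Z query from 203.0.113.53 qname=wifi-vpn-2.a1b2c3.leaktest.example
2026-06-01T10:00:20Z query from 198.51.100.12 qname=cell-novpn-1.a1b2c3.leaktest.example
2026-06-01T10:00:21Z query from 203.0.113.99 qname=wifi-vpn-1.ffffff.leaktest.example
"""

LINE = re.compile(
    r"query from (\S+) qname=([a-z]+-[a-z]+)-\d+\.([0-9a-f]+)\.leaktest\.example"
)

def find_leaks(log_text, token, expected_nets=EXPECTED_RESOLVER_NETS):
    """Map each tested path to the resolver IPs seen outside the expected ranges."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m.group(3) != token:  # skip probes from other test sessions
            continue
        seen[m.group(2)].add(ipaddress.ip_address(m.group(1)))
    return {
        path: sorted(str(ip) for ip in ips
                     if not any(ip in net for net in expected_nets))
        for path, ips in seen.items()
    }

if __name__ == "__main__":
    for path, leaked in find_leaks(SAMPLE_LOG, "a1b2c3").items():
        print(path, "LEAK via " + ", ".join(leaked) if leaked else "ok")
```

An empty list for a path means every probe on that path arrived through the expected resolver; any address listed is a resolver that should not have seen the query.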

Frequently Asked Questions

Does using a private DNS slow down my internet?

Not noticeably. Privacy-focused DNS providers like Quad9 and Cloudflare consistently rank among the fastest resolvers in our speed tests. Cloudflare's 1.1.1.1 is often the fastest public resolver regardless of location. The encryption overhead of DoH or DoT adds less than 1ms of latency in most cases — well below the threshold of human perception.

Can my ISP see that I am using a private DNS?

It depends on the encryption protocol. With DoH, your ISP sees HTTPS traffic to an IP address but cannot distinguish DNS queries from regular web browsing. With DoT (port 853), the dedicated port makes it obvious that encrypted DNS is in use, though the ISP cannot see the actual queries. With DoQ, the situation is similar to DoH — QUIC traffic is difficult to distinguish from standard HTTPS.

Should I use my ISP DNS or a privacy DNS?

For privacy, a no-log DNS provider is almost always better than your ISP's default resolver. ISPs have business incentives to collect and monetize DNS data. Privacy-focused providers have legal, ethical, and reputational incentives not to. The speed difference is negligible, and many private resolvers are actually faster than ISP defaults. See our comparison of DNS providers for more details.

Are free private DNS providers trustworthy?

The five providers in this guide — Quad9, Cloudflare, Mullvad, NextDNS, and AdGuard — all offer free tiers backed by established companies with published privacy policies and, in most cases, independent audit reports. Free does not mean untrustworthy when the provider has a clear business model (paid tiers, hardware sales, or nonprofit funding) that does not depend on selling user data.

What is the difference between DNS privacy and DNS security?

DNS privacy means your queries are not logged or tracked. DNS security means your queries are protected against manipulation, spoofing, and malware. The best providers offer both — encrypted transport prevents interception, no-log policies prevent tracking, and threat blocking prevents connections to known malicious domains. Read our DNS security guide for a deeper comparison.

Test Your DNS Speed

Switching to a privacy-focused DNS does not mean sacrificing speed. Run our benchmark to find the fastest private resolver for your location.
