The best DNS servers for privacy in 2025

The Domain Name System (DNS) forms a key part of the modern internet. It allows users to enter a memorable domain name (bitlaunch.io) and let a remote server handle its conversion into the machine-readable, numerical IP address (172.66.41.25) necessary to fetch the content.

A user's Internet service provider (ISP) typically handles this process silently and almost instantaneously. But while some ISPs are more trustworthy than others, user privacy is rarely their primary objective. Many are bound by law to keep a log of these DNS requests and may provide them to law enforcement or even sell them to advertisers. This matters because a DNS request log records every website you have visited, at what time, and from which IP address (device). Your DNS resolver also has the power to censor websites by refusing to answer for them.

Thankfully, ISPs aren't the only option for resolving DNS requests. Changing DNS servers only takes a few clicks, with several providers that promise greater privacy, security, and performance. We'll round up the best DNS servers for privacy in the guide, covering:

  1. A refresher on DNS server terminology
  2. What does a privacy DNS protect you against?
  3. What is the best DNS server for privacy?
  4. How to host your own DNS services

    A refresher on DNS server terminology

    We'll be mentioning several technologies and terms throughout this article that we won't always be able to explain in-line. To fully understand what these mean for your privacy, it may be a good idea to brush up on the following:

    • DoT, DoH, and DoQ: DNS over TLS, DNS over HTTPS, and DNS over QUIC. Each encrypts queries in transit between your device and the resolver, so an on-path observer such as your ISP cannot read or rewrite them. The resolver itself still sees every query in the clear, which is why its logging policy matters as much as the transport.
    • Public DNS server: A recursive resolver that anyone can use, typically for free. It translates domain names into IP addresses for the general, global internet and is usually chosen as a replacement for the resolver offered by a local internet service provider (ISP).
    • Private DNS server: Usually a resolver set up for a specific organization, network, or user rather than a public service such as Google or Cloudflare. Android's "Private DNS" setting uses the term for something different: DNS over TLS to whichever resolver you name.
    • Authoritative name server: The server that holds the official records for a zone, as configured by the domain's owner. A lookup for bitlaunch.io ultimately ends at its authoritative servers, which return the IP address to connect to.
    • Recursive name server (resolver): The server your device actually asks. It walks the hierarchy (root, TLD, authoritative) on your behalf and caches each answer for its time-to-live (TTL) so repeat queries are answered locally. This is the component a "privacy DNS" provider operates, and the one that sees every name you look up.
    • DNSSEC: Cryptographic signatures on DNS records that let a validating resolver confirm an answer is authentic and unmodified. It defends against spoofed or poisoned responses that would send you to an attacker's IP address; it does not encrypt queries or hide them from anyone.
    • Query name (QNAME) minimization: A privacy technique (RFC 9156) in which the recursive resolver sends each upstream server only as much of the name as that server needs, so the root servers see only the top-level domain rather than the full hostname.
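    To make the terms above concrete, here is an added example, written for this article and not code from any of the providers it reviews, that shows in plain Python with no network access what a DNS-over-HTTPS query looks like on the wire, how a forwarding resolver truncates a client address into an EDNS Client Subnet (ECS) option, which minimised names a resolver sends at each step of a lookup, and how an A-record response is parsed. The resolver URL is Quad9's published DoH endpoint, 203.0.113.77 is a documentation-range address standing in for a client, and the response bytes are constructed for the example.

```python
"""Added example (not from the article): a DoH query, EDNS Client Subnet and QNAME
minimisation on the wire. Standard library only; nothing is sent over the network."""
from __future__ import annotations
import base64
import ipaddress
import struct

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
ECS_OPTION_CODE = 8  # EDNS0 CLIENT-SUBNET, RFC 7871


def encode_name(name: str) -> bytes:
    """'bitlaunch.io' -> b'\\x09bitlaunch\\x02io\\x00'; the root is the empty label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def ecs_option(client_ip: str, v4_prefix: int = 24, v6_prefix: int = 56) -> bytes:
    """CLIENT-SUBNET option as a forwarding resolver builds it: truncate the client
    address to the RFC's recommended /24 or /56, zero the host bits, send only the
    bytes covering the prefix. Even truncated it tells authoritative servers roughly
    where the client is, which is why Quad9 omits it on 9.9.9.9."""
    ip = ipaddress.ip_address(client_ip)
    family, prefix = (1, v4_prefix) if ip.version == 4 else (2, v6_prefix)
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    addr = net.network_address.packed[: (prefix + 7) // 8]
    data = struct.pack("!HBB", family, prefix, 0) + addr  # family, source prefix, scope 0
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(qname: str, qtype: int = TYPE_A, ecs: bytes = b"") -> bytes:
    """Header + question, plus an EDNS0 OPT RR carrying `ecs` when non-empty.
    ID is 0 as RFC 8484 recommends for DoH, so identical queries are cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1 if ecs else 0)  # RD=1
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if ecs:  # OPT RR: root owner, type 41, UDP payload size in CLASS, zero TTL
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(ecs)) + ecs
    return msg


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: ?dns=<base64url(wire query)> with '=' padding removed."""
    return resolver_url + "?dns=" + base64.urlsafe_b64encode(query).decode().rstrip("=")


def qname_minimisation_steps(qname: str) -> list[tuple[str, str]]:
    """(server asked, name sent) per step for an RFC 9156 resolver, assuming a zone
    cut at every label. Without minimisation every server sees the full name."""
    labels = qname.rstrip(".").split(".")
    steps = []
    for i in range(1, len(labels) + 1):
        server = ".".join(labels[len(labels) - i + 1:]) or "."
        steps.append((server, ".".join(labels[len(labels) - i:]) + "."))
    return steps


def parse_a_response(msg: bytes) -> list[tuple[str, int, str]]:
    """(owner, ttl, ipv4) for each A record in the answer section; follows RFC 1035
    compression pointers and raises on a non-zero RCODE."""
    def read_name(pos: int) -> tuple[str, int]:
        labels, end = [], None
        while True:
            length = msg[pos]
            if length & 0xC0 == 0xC0:  # compression pointer; remember where we left off
                end = pos + 2 if end is None else end
                pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            elif length == 0:
                return ".".join(labels) + ".", (pos + 1 if end is None else end)
            else:
                labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
                pos += 1 + length

    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    pos = 12
    for _ in range(qd):
        pos = read_name(pos)[1] + 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        owner, pos = read_name(pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == TYPE_A and rdlen == 4:
            records.append((owner, ttl, str(ipaddress.IPv4Address(msg[pos:pos + 4]))))
        pos += rdlen
    return records


# Constructed response to an A query for bitlaunch.io (not a captured packet): QR|RD|RA
# flags, one question, one answer whose owner is a compression pointer to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("bitlaunch.io") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
    + ipaddress.IPv4Address("172.66.41.25").packed
)
```

    Passing build_query("bitlaunch.io") to doh_get_url("https://dns.quad9.net/dns-query", ...) gives the URL a DoH client would fetch, and qname_minimisation_steps("www.bitlaunch.io") returns three (server, name) pairs showing that the root servers are asked only for "io." while only the bitlaunch.io servers ever see the full hostname. The ECS option is built here purely to show the format and the truncation: ordinary clients do not add it, the recursive resolver does, which is exactly why a resolver's ECS policy matters for privacy.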

    What a privacy DNS protects you against

    A privacy DNS is intended to protect you against your ISP analyzing and misusing DNS requests by sharing the websites you visit with advertisers or government agencies. Encrypted DNS can also help prevent your DNS requests from leaking or being tampered with by attackers. Some DNS providers also filter out malicious or harmful sites.

    DNS servers do not protect you from the following:

    • The website from knowing you visited it.
      Your browser connects directly to a site when it loads it. A DNS, therefore, won't hide your visit from the website owner.
    • Your IP address from being exposed.
      DNS resolution is just one way that your IP address is exposed. To reliably hide your IP address from sites, you need a VPN.
    • Advanced censorship and blocking.
      If your ISP blocks websites at the network level, for example by IP address or by inspecting the server name in TLS handshakes, rather than through its own resolver, changing your DNS won't help.
    • All website trackers.
      Cookies and trackers can still follow you across the web unless you take additional precautions, such as using a privacy browser.

    In short, a privacy DNS hides the names you look up from your ISP, not what happens after the lookup. Two practical caveats follow. First, the hiding only works if the transport is encrypted: pointing your device at a third-party resolver over plain UDP or TCP port 53 still lets your ISP read, and rewrite, every query in transit, so configure DoH or DoT rather than just changing the resolver address. Second, the hostname usually reappears a moment later in the TLS ClientHello (SNI) of the connection you open to the site, unless both the site and your browser support Encrypted Client Hello, so an ISP that wants to know where you went can often still find out.

    What is the best DNS server for privacy?

    Privacy DNS services are public recursive resolvers whose operators promise to log little or nothing and to discard whatever query data they do hold after a short window. The concept is relatively new. Beyond that shared promise, however, providers vary considerably in feature set, reputation, performance, and jurisdiction. We've assessed each of them below so that you can find the best fit for your needs, or, if you're in a hurry, you can skim the summary first:

    At a glance (IPv4 addresses are the providers' default resolvers unless noted; each also publishes DoH/DoT endpoints):

    • AdGuard DNS: 94.140.14.14 / 94.140.15.15
      Privacy: default, family, and non-filtering modes; private DNS with optional logging; no sharing or selling of personal information; DoH, DoT, DoQ, and DNSCrypt.
      Security: ad and tracker blocking, malware and phishing blocking, optional adult-content blocking and safe search.
      Performance: servers in 15+ locations, generally fast and reliable.
      Drawbacks: some logging in certain modes, payment information collected, higher latency in some regions, possible website breakage, mobile apps may need a local VPN profile, device limit on the personal plan.
    • CleanBrowsing: 185.228.168.9 / 185.228.169.9 (security filter)
      Privacy: free filters log neither requests nor IPs; blocked names receive NXDOMAIN with no tracking; optional logging on paid plans; DoH, DoT, and DNSCrypt.
      Security: security, adult, and family filters.
      Performance: anycast network with many data centres, low latency, DNSSEC enforced.
      Drawbacks: no third-party audits, US-based (Five Eyes), long data retention for paid users, no crypto payments, little customization on the free tier.
    • Cloudflare: 1.1.1.1 / 1.0.0.1
      Privacy: no selling of data, logs deleted within 25 hours, DoH, DoT, and ODoH, query name minimization, annual audits.
      Security: optional malware blocking (1.1.1.2) and malware plus adult-content blocking (1.1.1.3).
      Performance: among the fastest globally, extensive network, high uptime.
      Drawbacks: no manual blocking on the basic service, may be blocked by some ISPs, unlinked data retained for research, some app compatibility issues.
    • Control D: 76.76.2.0 / 76.76.10.0
      Privacy: no browsing history or timestamps stored on the free tier, customizable EDNS Client Subnet, DoH, DoT, and DoQ, custom filters, self-hosted analytics.
      Security: ad and tracker blocking, malware and phishing blocking, parental controls, optional proxy routing (paid).
      Performance: anycast network, low latency, many global locations.
      Drawbacks: source IP logged on premium resolvers, Canada-based (Five Eyes), analytics via PostHog, limited customization on the free tier, traffic redirection limited to HTTP(S), not suited to critical anonymity.
    • Google Public DNS: 8.8.8.8 / 8.8.4.4
      Privacy: IP addresses logged temporarily (erased within 24-48 hours), anonymized location data kept longer, no use of personal information for targeted ads, DoH and DoT.
      Security: basic measures only.
      Performance: widely used, reliable, quick resolution, extensive network.
      Drawbacks: data collection, limited support, no content filtering, potential issues with some ISPs and CDNs.
    • Mullvad DNS: 194.242.2.2 (dns.mullvad.net); DoH/DoT only, no plaintext port-53 service
      Privacy: no logging of DNS requests, available to non-subscribers, servers run from RAM, regular audits, DoH and DoT.
      Security: ad, tracker, and malware blocking on its filtered variants.
      Performance: generally fast, especially alongside Mullvad's WireGuard VPN.
      Drawbacks: smaller network, inconsistent speeds on some servers, streaming and filtering limitations, limited customizability, 14 Eyes jurisdiction (Sweden).
    • NextDNS: 45.90.28.0 / 45.90.30.0
      Privacy: logging fully under the user's control, no selling of data, query name minimization, DoH, DoT, and DoQ.
      Security: ad and tracker blocking, threat blocking, parental controls.
      Performance: anycast network, generally reliable.
      Drawbacks: free-tier query limit, setup can be fiddly, limited support, occasional website breakage, mobile apps may conflict with VPNs.
    • OpenDNS: 208.67.222.222 / 208.67.220.220
      Privacy: data may be collected and used for business operations, retention policies vary, DoH/DoT.
      Security: customizable filtering (parental controls), some phishing protection.
      Performance: fast, reliable servers, global infrastructure, large caches.
      Drawbacks: may log browsing activity, weak privacy protections, limited free version, expensive premium plans, filtering limited to the home network, NXDOMAIN redirection in the free version.
    • Quad9: 9.9.9.9 / 149.112.112.112
      Privacy: no logging of querying IPs, GDPR-compliant, mission to keep personal data under user control, DoH, DoT, and DNSCrypt.
      Security: blocks malicious domains using threat intelligence, DNSSEC validation.
      Performance: high-performing servers worldwide, very high uptime.
      Drawbacks: few customization options, slightly slower in some regions, no manual filtering, potential false positives.

    The gold standard of privacy DNSs

    We consider three DNS providers to be sufficiently private for our recommendation. Our criteria include:

    • Support for DoH/DoT or other encryption protocols
    • Query name minimization
    • No clear commercial interests that are opposed to anonymity
    • No logs of DNS requests on their public DNS
    • Minimal or no personally identifiable information (PII) collected or stored, according to their privacy policy

    We have not included performance in these criteria, as it depends heavily on your location. It is rare to find a DNS provider that does not have good latency for at least some users.

    Quad9

    Quad9 (9.9.9.9) is a Swiss non-profit founded in 2016 by Packet Clearing House, IBM, Global Cyber Alliance, and SWITCH. In terms of privacy, it does almost everything right: no obvious commercial interests, strong Swiss privacy law, and a commitment never to log users' IP addresses or other PII. The source address of a query is held only in RAM for as long as it takes to send the reply and is not passed to third parties. Quad9 also states that if a country compelled it to deanonymize users, it would withdraw from that country and serve it from neighbouring ones instead.

    Quad9 also has several useful security features. It blocks domains on a continuously updated list of malicious hostnames drawn from threat-intelligence partners, performs DNSSEC validation, and supports encrypted transports (DoT, DoH, and DNSCrypt). It has high-performance servers in over 200 locations across 90 nations.

    Quad9 downsides

    Quad9 is not highly configurable: there is no way to add your own blocked or allowed domains, and the only choice is between its fixed resolver variants. 9.9.9.9 applies the blocklist, validates DNSSEC, and does not send EDNS Client Subnet (ECS); 9.9.9.10 skips both the blocklist and DNSSEC validation; 9.9.9.11 adds ECS to the standard service. ECS forwards a truncated form of your IP address to authoritative servers so that CDNs can return a nearby edge, which improves latency at a small cost to privacy, so the default 9.9.9.9 is the one to use if privacy is the goal. The lack of an allow list can be a problem if Quad9 blocks a domain you need. There is also no ad or tracker blocking to speak of; DNS request privacy and malware blocking are the focus here.

    Additionally, while Quad9 has good coverage, it is not comparable to giants such as Cloudflare or Google. You may experience higher latency in some regions of Africa, Asia, and Russia due to the limited availability of nearby servers. If you live in Europe or the US, however, Quad9 is fast and clearly one of the best choices of DNS server if privacy is your priority.

    Mullvad DNS

    Mullvad is a well-established VPN provider based in Sweden with a good reputation for privacy. Its public DNS service is intended to enhance the privacy of non-VPN users, with features such as DoH and DoT designed to prevent third-party snooping.

    Mullvad DNS has basic content, ad, tracker, and malware blocking features, with users able to choose which of these features to enable. It also uses QNAME minimization to provide less information to DNS servers in the query process. Its DNS resolution is generally fast.

    Mullvad states clearly that it does not store any activity logs of any kind. This includes traffic, DNS requests, connections, IP addresses, user bandwidth, and account activity. It does not ask for a username, password, or email address to use its DNS or other services. It does not have a paid DNS service and therefore does not collect user payment information. It may collect the payment information of its VPN users as is legally required, but does provide options to pay with cryptocurrency or even cash.

    Mullvad regularly has third-party audits. This includes audits of its security, infrastructure, account and payment services, DNS servers, and log keeping. It states that it is prepared to shut down its service should a government succeed in legally forcing it to spy on its users, and its DNS servers run in RAM. As a result, there should not be traces of DNS requests left on disk.

    Mullvad DNS disadvantages

    Mullvad is located in Sweden, which is part of the 14 Eyes intelligence-sharing arrangement. Mullvad's position is that most Swedish surveillance legislation does not apply to it and does not authorise the government to monitor its users. It may, however, be compelled to hand over whatever information it holds on a person when presented with a valid request from Swedish or foreign authorities, and law enforcement can seize hardware. It's worth noting that Mullvad has been raided by law enforcement in the past and the search turned up no customer data.

    Mullvad DNS performance is likely to be slow in Africa and some parts of Asia due to a lack of infrastructure there. It also does not have advanced customization options, with users unable to manually whitelist or blacklist sites.

    Overall, Mullvad is an excellent choice for a privacy DNS. It is a shame that it's headquartered in a 14 Eyes country, but its record so far shows that when compelled by warrants it has had no user information to hand over.

    DNS0

    DNS0 was founded in 2022 by NextDNS co-founders Romain Cointepas and Olivier Poitrey. Based in France, it is a non-profit with a focus on privacy, data sovereignty, and internet safety.

    DNS0 claims that it does not log any personally identifiable information (PII), as defined by the GDPR. Its infrastructure is located in the EU, and DNS0 promises that its DNS traffic never geographically or legally leaves the EU.

    From a technical perspective, DNS0 rewrites the EDNS Client Subnet so that authoritative name servers do not learn users' IP addresses, and it applies query name minimization. It supports the usual encrypted transports, DoH and DoT, as well as the more modern DNS over QUIC, DNS over HTTP/3, and Discovery of Designated Resolvers (DDR), which lets clients upgrade automatically from plaintext to an encrypted connection. Additionally, we found no trackers on its site. It doesn't get much better than this for public DNS privacy, in our opinion.

    DNS0 downsides

    France is part of the 14 Eyes, so French intelligence agencies could be asked to monitor or raid DNS0 on behalf of partner countries and share what they find. If DNS0 truly collects no PII, as it claims, there would be nothing to pass on. Unfortunately, we cannot verify this: although DNS0 says it welcomes audits, it has not published the results of any.

    Unlike NextDNS, DNS0 does not have a high degree of customizability. You'll get preset blocking lists here, which likely makes it easier to maintain users' privacy. The other major downside, of course, is DNS0's EU focus. You're unlikely to get great performance in regions far from the continent.

    Private enough for some

    These providers did not meet all of our criteria, but they may meet yours. Consider them if you need more advanced filtering, or if Mullvad, Quad9, and DNS0 perform poorly from your location. Typically they keep logs for paid users but not on their public resolvers, or they track visitors on their websites and during payment. You can use them, but with some caution about what you hand over when you interact with them.

    Control D

    Control D is a Canada-based DNS service from the team behind Windscribe VPN. It positions itself as a strong alternative to NextDNS, combining cutting-edge features and broad compatibility with a privacy-conscious design.

    Control D's free offering supports the usual suite of DNS encryption protocols (DoH and DoT), as well as query name minimization and a customized EDNS client subnet that doesn't expose the source IP address to authoritative DNS servers. It also claims not to store any individual browsing history, timestamps, or logs. Further, it states that it will not sell or license any user data it must collect and will do its best to avoid any forced policy changes. This includes moving country if required.

    Control D is the only free DNS we have seen that lets users build a customized DNS filter. Users can choose which categories to block directly on its site, including ads and trackers, adult content, dating, drugs, gambling, government sites, malware, phishing, and social media. It also supports third-party, open-source filter lists.

    The primary motive for paying for Control D is more filter options and custom blocklists, with the ability to further block AI sites, clickbait, crypto, file hosting, and gaming sites. It also allows users to direct all activity through a proxy location of their choice.

    DNSPerf suggests that Control D has very good (~7ms) performance in North America, and good performance in Europe and South America (<15ms). Latency in Oceania, Africa, and Asia is less than 35ms.

    Control D downsides

    Control D is based in Canada, which is a Five-Eyes country. It also keeps logs for its premium resolvers, including the source IP address. It claims that this information is necessary to provide its custom filters and that the threat to user privacy is very limited, as users can use its proxy feature and share IPs with others, and it does not have a way to track which user used which proxy IP.

    Control D says in its FAQ that it does not run any third-party trackers on its site, and this is technically true. However, it does track visitor behaviour with an analytics deployment that it hosts itself and then passes that data to a third party, PostHog, for analysis. The data it collects includes your user agent, language, screen resolution, referring website, and a truncated form of your IP address; PostHog may record page clicks, navigation, and feature usage. Ideally, use a privacy-preserving browser such as Tor Browser when visiting its site.

    AdGuard DNS

    AdGuard DNS wears its priorities on its sleeve: its main purpose is to block ads, trackers, and malicious sites. Its privacy posture is nonetheless reasonable. The company is based in Cyprus, which sits outside the 14 Eyes surveillance agreement.

    It claims that its public DNS does not process any of users' personal data when they use it, though it does collect "general statistics on the use of AdGuard," which it says is anonymized. It also supports secure DNS protocols such as DNSCrypt, DoH, DoT, DoQ, and DNSSEC.

    AdGuard's private DNS is highly customizable, with the ability to use blocking lists or manually block domains, as well as implement parental controls. As with most services, however, enabling these features comes with a hit to privacy.

    AdGuard DNS downsides

    AdGuard's paid, private DNS logs DNS queries to enable filtering and statistics on your dashboard. These logs include the status and content of requests, names of the companies that own the resources, names of connected devices, and dates of requests. IP addresses are also logged when you enable the feature, at the subnet level. Logs are stored for the amount of time you choose in your account settings.

    AdGuard also stores the email address you used to create your account and processes credit card payments via a third party, Paddle. Paddle may collect information such as your postcode, bank card details (including the cardholder name), email, and country of residence. Paddle's privacy policy states that it may combine this with information gathered about you from other sources and share it with third parties for payment processing, legal obligations, and fraud prevention.

    That said, AdGuard allows users to bypass Paddle entirely by paying with cryptocurrency via Cryptomus. This only requires an email address, but Cryptomus may log your IP address, browser and OS details, and device fingerprint for up to five years. From a privacy perspective, users are almost always better off with a tier that needs no account or payment details at all, and AdGuard is no different. With precautions such as Tor Browser and crypto payment, however, AdGuard is less invasive than many.

    Perhaps a bigger issue, however, is AdGuard's limited infrastructure outside Europe and North America. Its Africa coverage is limited to Johannesburg, and South America to Sao Paulo, with no servers at all in South Asia. Our testing through a Mumbai VPN endpoint produced an average query time of around 700ms, which most users would consider unacceptable.

    Overall, AdGuard's public DNS isn't a bad choice for those in Europe or the US if adblocking is a must, though be aware that you will be limited to filtering on 300k queries per month.

    NextDNS

    NextDNS is a modern, security and privacy-based DNS. Its focus is on blocking ads and trackers while protecting users from security threats. It surpasses some other DNS solutions by not only blocking a list of malicious domains but also analyzing DNS queries in near real-time to detect and block malicious behavior. Parents can take this further by enabling parental controls, which allow them to filter search engines, YouTube, and adult sites, as well as deny access to specific online apps and games after a certain time. If you're looking for a DNS that's highly customizable, NextDNS should certainly be on your radar.

    Like many third-party DNS servers, it supports DNSSEC to verify DNS responses, as well as DoH and DoT to protect your DNS requests against snooping from your ISP and other parties.

    NextDNS downsides

    While NextDNS is great at protecting you from other internet sites and services, it's not as good at protecting you from itself. There is some confusion regarding its public and private DNS services:

    • The NextDNS public resolver, which does not require an account, does not keep logs.
    • NextDNS with an account, including free trials, keeps logs by default, requiring you to opt out. You can also reduce the time logs are kept to hours or days.

    From a privacy perspective, we would much rather logging on its private DNS were opt-in rather than opt-out. Visiting its website, you are prompted to try the service via a free trial, which comes with logging enabled. We understand that logs are necessary for some of the advertised features, but the control for disabling them sits, somewhat unintuitively, in the "Settings" section rather than under "Privacy". We'd prefer a prompt at the top of the "Setup" screen asking whether logs should be enabled.

    NextDNS's speed is merely okay according to DNSPerf, with an average worldwide query time of ~25ms. It appears fastest in South America, Europe, and Oceania, with North America and Asia between 30-35ms and Africa around 50ms. Our own tests in Europe were less flattering, with a median query time of 150ms. A reminder that DNS performance can vary wildly depending on the infrastructure around you.

    NextDNS's free tier is limited to 300,000 filtered queries per month; after this limit is reached, the DNS will continue resolving but will not block or log. Some heavy users and families report exceeding this limit. However, it's not a significant issue if privacy is your primary objective, as you will likely disable all logging anyway.

    CleanBrowsing DNS

    CleanBrowsing DNS is aimed at creating a family-friendly browsing environment, but it claims to be privacy-conscious, too. Its free tier does not log requests, IP addresses, or other user activity. Blocked names are answered with NXDOMAIN rather than redirected to a block page that could track you. The company also promises that it does not sell, share, or misuse any of the data it does collect, and says that not logging the data in the first place is how it prevents misuse.

    CleanBrowsing blocks adult content and malware well, and supports DoH, DoT, and DNSCrypt. Its free plan lets users choose between a family, security, and adult filter. The paid plan offers a choice of 19 filter lists and 21 filter categories, as well as manually adding websites to a block list. Like many DNS services, its paid plan includes logging. However, this is configurable, and you can disable logging entirely if you are willing to forgo its activity-monitoring features.

    CleanBrowsing DNS downsides

    We could not find third-party audits of CleanBrowsing, so you must trust that the company is being entirely honest and transparent. CleanBrowsing appears to be located in the US, which places it under the Five Eyes intelligence-sharing agreement. US companies have weak protections against law enforcement requests and could hand over the data they hold on you if compelled. Indeed, its privacy policy states that it will use personally identifiable information (PII) to "comply with legal obligations", as well as to investigate and prevent fraudulent transactions and other illegal activities.

    Additionally, while privacy appears acceptable for free users, paid users are subject to increased data collection and sharing. CleanBrowsing states that information collected about paid users, which may include IP addresses and traffic data, may be shared with resellers and sales partners, in the event of a merger or acquisition, or to aid the prevention of illegal activities. CleanBrowsing says it does not permit its service providers to sell the information shared with them or to use it for their own marketing, but we would be more comfortable if it were not shared at all.

    CleanBrowsing keeps the personal data of website visitors for six months after the last interaction and customer information for the duration of the contract plus seven years. The retention of customer information, in particular, feels very long. This is exacerbated by the fact that CleanBrowsing does not allow users to pay with crypto; it only supports credit card payment via Stripe, so this information may include users' full names and addresses.

    We recommend that privacy-conscious users stick to CleanBrowsing's public DNS and that they use a tracker blocker and/or VPN if they need to visit its site.

    Cloudflare

    Cloudflare was among the first major players to offer privacy DNS, and it has some unique advantages. As well as nabbing the memorable 1.1.1.1 address, Cloudflare is a CDN provider, which means it has spent years building high-speed infrastructure in almost every corner of the world. This typically makes it one of the fastest DNS resolvers for most people, particularly those in the Americas, Europe, and Oceania. Performance is even acceptable in Africa, often a problem region for other DNS providers. This can be particularly useful if latency is a significant concern for you, for example, if you participate in competitive online gaming or trading.

    In terms of privacy, Cloudflare supports DoT, DoH, and ODoH. It also uses query name minimization to gather and transmit as little information as possible in the resolution process. Cloudflare also offers WARP, an optional free VPN-like service that helps to hide traffic from your ISP further. It promises not to sell or share the data of its public resolver users and retains only the source IP address from a random sample of 0.05% of queries for troubleshooting purposes. Other IPs are stored only in volatile storage (likely in memory) and anonymized.

    Lastly, but perhaps most importantly, Cloudflare has regular third-party audits to prove that it is doing everything it says it is.

    Cloudflare DNS downsides

    Though 1.1.1.1 is a good DNS service, there are several reasons you may want to consider other options. Firstly, it does keep logs, which its policy says are deleted within 25 hours. These logs include a range of metadata about your query, and aggregated statistics derived from them may be retained permanently.

    Cloudflare is a U.S. company, which means it falls under the Five Eyes surveillance umbrella. This means it may come under increased pressure from law enforcement and other agencies, which can potentially request logs within the 24-hour period.

    There is also the matter that Cloudflare's role as a certificate issuer, together with its general dominance in web infrastructure and security, gives it more control than some might be comfortable with. That popularity cuts the other way too: 1.1.1.1 is a well-known address and is more likely to be blocked by ISPs or other entities that do not want users changing DNS.

    Finally, Cloudflare has middling performance in Asia, where options such as NextDNS and Google DNS often have lower query times.

    We believe the following DNSs should not be used by any privacy-conscious user, despite often featuring in similar lists.

    Google Public DNS

    Cloudflare may have been one of the first public privacy resolvers, but Google DNS (8.8.8.8) was one of the first good public resolvers, period. As you would expect from a global search and video giant, Google has an excellent infrastructure and resolves DNS requests quickly. Perhaps not quite as quickly as Cloudflare, but close enough that the vast majority of people won't notice a difference. Google DNS is widely used, has excellent uptime, and is entirely free for consumers with no premium tier. Some ISPs even use it as a fallback should their own DNS services go down.

    Google DNS downsides

    Let's talk about the elephant in the room. Google is one of the world's biggest advertising firms and has plenty of reason to want data about users' browsing habits. It promises that any personal information collected through its DNS will not be used to target ads. It does, however, log your IP address and other technical information for 24-48 hours for maintenance and "to identify and mitigate security threats or other activity that we deem abusive or otherwise malicious". With several providers logging for 24 hours or not at all, this makes it hard to recommend.

    Additionally, Google retains some information from these logs beyond the 48-hour window. In this retained data your IP address is replaced with a city- or region-level location, which Google says means it contains no personal information about you. It does, however, keep metadata such as the request type, request size, transport protocol, client autonomous system number, timestamp, and processing time. None of this is classed as personally identifiable on its own, but it could still be powerful when combined with information from other sources.

    Finally, Google complies with legal requests to restrict access to content and, as a US company, sits within Five Eyes jurisdiction. Its DNS offers only basic security features and configuration options. Ultimately, Google DNS may be better than a shady ISP that sells your data, but there are better options.

    OpenDNS

    OpenDNS is a highly configurable DNS service owned by Cisco. It is aimed primarily at enterprises but has a free consumer arm. It was one of the fastest-performing DNS services in our testing and focuses primarily on security, with built-in protection against phishing and the option to implement parental and other content-blocking controls. It also supports DNS over HTTPS, so if you configure your device or browser to use its DoH endpoint rather than the plain port-53 addresses, your requests are encrypted in transit and hidden from snoopers such as your ISP.

    Cisco says it will "stop logging your DNS lookups on a go-forward basis" if you disable the logging option in your control panel. By default, this option is turned off on the free, home network plan.

    OpenDNS downsides

    OpenDNS often makes these kinds of lists, but we include it primarily because we think it should not. It has commercial interests due to being owned by the US-based Cisco, and its privacy policy reflects this, with several concerns and a lack of clarity about exactly what DNS information it keeps.

    According to the service's privacy policy, it collects personal data related to users and may use this information for marketing purposes relating to its other subsidiaries. This includes sharing the data with "Cisco business partners or vendors". Cisco also makes it clear that it's happy to share data with law enforcement on request. While its control panel mentions that it won't log DNS lookups unless you enable the feature, it doesn't mention metadata or other personal information. Its privacy policy states that it may store device identifiers and telemetry (such as IP or MAC address) when such data is linked or tied to a specific individual’s device.

    Overall, OpenDNS is fast and offers some useful security features; however, it should not be considered if privacy is your primary objective due to these issues.

    How to host your own DNS services

    If you don't like relying on third-party DNS services, you can host some parts of the DNS infrastructure yourself. Options include:

    1. Running your own recursive DNS resolver: Software such as Unbound, BIND, and Knot lets you create your own DNS resolver to grant you a large degree of control over your DNS privacy and security.
    2. Hosting your own DoH or DoT resolver: You can add encryption to your DNS while blocking ads and trackers by setting up a resolver that supports DoH/DoT. Options include AdGuard Home, PiHole + Unbound, and Technitium.
    3. Hosting a filtering DNS: PiHole, AdGuard Home, and NextDNS self-host let you perform advanced filtering of DNS requests, similar to what you see in many paid DNS providers, without the third-party logging that typically accompanies it. You can easily pair PiHole with public DNS providers during its setup process.

    Many users do not have a home server or a suitable network setup to run DNS forwarding on. They can instead pay for an anonymous VPS and allow connections to it only from selected networks over a VPN. This can cost less than paying for a premium DNS from AdGuard or OpenDNS and lets you access your filtering from anywhere.

                ┌─────────────────────────────────────────────┐
                │ Do you want to block ads or track your DNS? │
                └─────────────────────────────────────────────┘
                              │
                  ┌───────────┴───────────┐
                  │                       │
                  ▼                       ▼
         "Yes, block ads & see stats"   "No, just private resolution"
                  │                       │
         ┌────────┴────────┐         ┌────┴────┐
         ▼                 ▼         ▼         ▼
     Pi-hole + Unbound  AdGuard   Unbound    Knot Resolver
       (local network)   Home     (fast +     (privacy
                        (easier   modern)     focused)
                         UI)
    
              ┌────────────────────────────┐
              │ Want to access it from     │
              │ anywhere on the internet?  │
              └────────────────────────────┘
                          │
                ┌─────────┴─────────┐
                ▼                   ▼
            Host on VPS         Keep local only
         (BitLaunch, Hetzner,   (best for home
          etc. in safe region)     networks)
    
    

    Regardless of how you host, it is essential to secure your server effectively. Always use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT), do not allow open recursive access, and ensure effective monitoring and maintenance.

    How to set up PiHole + Unbound VPN server

    PiHole is easy to install and intuitive to configure. However, running it on a VPS requires some additional configuration. If your recursive DNS server is open to the internet, attackers will abuse it by sending it large numbers of DNS requests with a spoofed source address, so that the much larger responses are directed at their victim. This is a form of DDoS called a DNS amplification attack, which aims to make the victim's website inaccessible, and it consumes your server's bandwidth in the process.

    To avoid this, you have two options:

    1. Set up your PiHole/Unbound server to be accessible only via a WireGuard VPN or Tailscale. You connect your client devices (phone, laptop, etc.) to the VPN and can then use your VPS server for DNS filtering to block ads, malware, etc. This will also let you use your DNS service when you're away from home.
    2. Allow connections to your server only from your home router or specific devices by specifying their IP addresses in the firewall.

    Option one is typically best, as it means you do not have to deal with the issue of dynamic IPs. We'll show you how to do it step-by-step below.
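Keeping the resolver behind the VPN is the fix; being able to notice abuse in the logs is the check that the fix holds. The script below is an added example, not part of the original article and not Pi-hole's or PiVPN's own tooling. It runs three indicators over Pi-hole's dnsmasq-style query log (the place where real client addresses appear, since Unbound itself only ever sees 127.0.0.1): a client outside the VPN subnet, a query flood, and a high share of ANY/TXT/DNSKEY queries, the record types whose answers are large relative to the query. The log lines, the 10.8.0.0/24 WireGuard subnet and the thresholds are constructed assumptions; adjust them to your deployment.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions for this example: Unbound only ever sees 127.0.0.1, so the real
# client addresses are in the Pi-hole (dnsmasq-style) query log in front of it.
# Replace 10.8.0.0/24 with the WireGuard subnet PiVPN gave you.
ALLOWED_CLIENTS = [ip_network("127.0.0.0/8"), ip_network("10.8.0.0/24")]
# Record types whose answers are large relative to the query.
AMPLIFYING_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_line(line):
    """Return (timestamp, qtype, name, client) for a query line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return ts, m["qtype"].upper(), m["name"], ip_address(m["client"])


def max_in_window(times, window_s):
    """Largest number of events that fall inside any span of window_s seconds."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyse(log_text, window_s=10, rate_limit=100, amp_min=20):
    """Return sorted (client, reason) pairs for the three abuse indicators."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_client[rec[3]].append(rec)
    findings = set()
    for client, recs in per_client.items():
        if not any(client in net for net in ALLOWED_CLIENTS):
            findings.add((str(client), "unexpected client: is the resolver reachable outside the VPN?"))
        if max_in_window([r[0] for r in recs], window_s) > rate_limit:
            findings.add((str(client), f"query flood: more than {rate_limit} queries in {window_s}s"))
        amplifying = sum(1 for r in recs if r[1] in AMPLIFYING_TYPES)
        if len(recs) >= amp_min and amplifying / len(recs) > 0.5:
            findings.add((str(client), "amplification pattern: mostly ANY/TXT/DNSKEY queries"))
    return sorted(findings)


# Constructed sample log: two VPN clients behaving normally, then a burst of
# ANY queries from an address that should never be able to reach the resolver.
NORMAL_LINES = [
    "Jan  5 10:00:01 dnsmasq[812]: query[A] pi-hole.net from 10.8.0.2",
    "Jan  5 10:00:02 dnsmasq[812]: query[AAAA] bitlaunch.io from 10.8.0.2",
    "Jan  5 10:00:03 dnsmasq[812]: query[A] example.org from 10.8.0.3",
    "Jan  5 10:00:03 dnsmasq[812]: reply example.org is 192.0.2.10",  # not a query line; skipped
]
BURST_LINES = [
    f"Jan  5 10:00:{4 + i // 60:02d} dnsmasq[812]: query[ANY] example.net from 198.51.100.9"
    for i in range(150)
]
SAMPLE_LOG = "\n".join(NORMAL_LINES + BURST_LINES)

if __name__ == "__main__":
    for client, reason in analyse(SAMPLE_LOG):
        print(f"{client}: {reason}")
```

Run it against the sample and the two VPN clients produce nothing, while 198.51.100.9 trips all three rules. On a real server, the first rule firing at all is the important one: a non-VPN client in this log means the firewall or WireGuard setup is not doing what the steps above intend, whatever the query rate.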

    Setting up a recursive DNS on a VPS with PiHole, Unbound, and PiVPN

    We'll be using a few different tools today, but together they make the setup of a DNS on a VPS relatively straightforward. The order here is important: we'll first install PiHole, then Unbound, then PiVPN to protect our installation from DNS amplification.

    1. Connect to your VPS and start the PiHole installation by running the following:
    curl -sSL https://install.pi-hole.net | bash

    Follow the installer instructions until it asks you which DNS to use. Choose custom and enter 127.0.0.1#5335. You can decide whether or not you want to enable query logging, but we strongly recommend choosing anonymous mode for your privacy options rather than the other settings. Note down your PiHole login once the installation is complete. You should change this later.

    2. Install unbound with sudo apt install unbound.

    3. Run sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf to configure Unbound to only listen to queries from our local PiHole installation. Paste the following configuration (provided by PiHole):

    server:
        # If no logfile is specified, syslog is used
        # logfile: "/var/log/unbound/unbound.log"
        verbosity: 0
    
        interface: 127.0.0.1
        port: 5335
        do-ip4: yes
        do-udp: yes
        do-tcp: yes
    
        # May be set to no if you don't have IPv6 connectivity
        do-ip6: yes
    
        # You want to leave this to no unless you have *native* IPv6. With 6to4 and
        # Teredo tunnels your web browser should favor IPv4 for the same reasons
        prefer-ip6: no
    
        # Use this only when you downloaded the list of primary root servers!
        # If you use the default dns-root-data package, unbound will find it automatically
        #root-hints: "/var/lib/unbound/root.hints"
    
        # Trust glue only if it is within the server's authority
        harden-glue: yes
    
        # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
        harden-dnssec-stripped: yes
    
        # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
        # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
        use-caps-for-id: no
    
        # Reduce EDNS reassembly buffer size.
        # IP fragmentation is unreliable on the Internet today, and can cause
        # transmission failures when large DNS messages are sent via UDP. Even
        # when fragmentation does work, it may not be secure; it is theoretically
        # possible to spoof parts of a fragmented DNS message, without easy
        # detection at the receiving end. Recently, there was an excellent study
        # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
        # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
        # in collaboration with NLnet Labs explored DNS using real world data from
        # the RIPE Atlas probes and the researchers suggested different values for
        # IPv4 and IPv6 and in different scenarios. They advise that servers should
        # be configured to limit DNS messages sent over UDP to a size that will not
        # trigger fragmentation on typical network links. DNS servers can switch
        # from UDP to TCP when a DNS response is too big to fit in this limited
        # buffer size. This value has also been suggested in DNS Flag Day 2020.
        edns-buffer-size: 1232
    
        # Perform prefetching of close to expired message cache entries
        # This only applies to domains that have been frequently queried
        prefetch: yes
    
        # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
        num-threads: 1
    
        # Ensure kernel buffer is large enough to not lose messages in traffic spikes
        so-rcvbuf: 1m
    
        # Ensure privacy of local IP ranges
        private-address: 192.168.0.0/16
        private-address: 169.254.0.0/16
        private-address: 172.16.0.0/12
        private-address: 10.0.0.0/8
        private-address: fd00::/8
        private-address: fe80::/10
    
        # Ensure no reverse queries to non-public IP ranges (RFC6303 4.2)
        private-address: 192.0.2.0/24
        private-address: 198.51.100.0/24
        private-address: 203.0.113.0/24
        private-address: 255.255.255.255/32
        private-address: 2001:db8::/32

    Press Ctrl + X, then press Y and Enter to save the file.

    4. Make sure Unbound is working correctly by running the following commands:

    sudo service unbound restart
    dig pi-hole.net @127.0.0.1 -p 5335

    5. Install PiVPN using curl -L https://install.pivpn.io | bash.

    6. Follow the installer instructions until it asks you which DNS to use. Choose custom and enter 127.0.0.1#5335. When you reach the "We have detected a Pi-hole installation" screen, choose Yes.

    7. Add a WireGuard client by typing pivpn add. Call the client `pc`.

    8. Run the ifconfig command (or ip addr) and note down your network information.

    9. Modify the client config using sudo nano /home/vpn/configs/pc.conf.

    Replace the AllowedIPs = 0.0.0.0/0, ::0/0 line in your client configuration so that it matches the network settings you noted down earlier. Look at eth0 for your LAN IPs and wg0 for the WireGuard addresses. Your final line should look something like this:

    AllowedIPs = <your-lan-ip/netmask>, <wireguard-ipv4/netmask>, <wireguard-ipv6/netmask>

    Replace the information above with your relevant IP addresses and remove any <>.

    10. That's it! You can now copy and paste this information into a WireGuard config file as covered here, import it into your WireGuard client, and press "Activate". Add a block on a domain in your PiHole portal, which you can now find at http://<dns.ip.from.wireguard>/admin/login, then try navigating to that blocked domain to ensure the blocking is working correctly.
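The procedure above produces two files whose contents decide whether the server is exposed: the Unbound clause (it must listen on loopback only and never grant open recursion) and the WireGuard client's AllowedIPs line (it must no longer contain a default route, and must include the WireGuard subnet so DNS replies come back through the tunnel). The audit script below is an added example, not code from the article, Pi-hole or PiVPN. The config excerpts, the 10.8.0.0/24 WireGuard subnet and the fd11:5ee:bad:c0de::/64 address are constructed placeholders; point it at your real /etc/unbound/unbound.conf.d/pi-hole.conf and client .conf instead.

```python
import re
from ipaddress import ip_address, ip_network


def parse_unbound(text):
    """Collect 'key: value' lines from unbound.conf; repeated keys keep every value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line or line.endswith(":"):       # blank line or a clause header such as "server:"
            continue
        key, _, value = line.partition(":")
        settings.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return settings


def audit_unbound(text):
    """Flag settings that would expose the resolver or weaken its hardening."""
    s = parse_unbound(text)
    problems = []
    for iface in s.get("interface", []):
        if not ip_address(iface.split("@")[0]).is_loopback:   # Unbound accepts addr@port
            problems.append(f"interface {iface} is not loopback: resolver reachable from the network")
    for rule in s.get("access-control", []):
        net, _, action = rule.partition(" ")
        if action.strip().startswith("allow") and ip_network(net, strict=False).prefixlen == 0:
            problems.append(f"access-control '{rule}' permits recursion from anyone (open resolver)")
    if s.get("harden-dnssec-stripped", ["yes"])[-1] != "yes":
        problems.append("harden-dnssec-stripped is disabled")
    if "edns-buffer-size" in s and int(s["edns-buffer-size"][-1]) > 1232:
        problems.append("edns-buffer-size above 1232 invites IP fragmentation")
    if s.get("qname-minimisation", ["no"])[-1] != "yes":
        problems.append("qname-minimisation not explicitly enabled (see the final steps)")
    return problems


def audit_wireguard_client(text, wg_nets):
    """Check the client's AllowedIPs: no default route, and the WireGuard subnet(s) present."""
    m = re.search(r"^\s*AllowedIPs\s*=\s*(.+)$", text, re.M)
    if not m:
        return ["no AllowedIPs line found"]
    allowed = [ip_network(p.strip(), strict=False) for p in m.group(1).split(",") if p.strip()]
    problems = []
    if any(n.prefixlen == 0 for n in allowed):
        problems.append("AllowedIPs still contains a default route: all traffic goes via the VPS")
    for want in wg_nets:
        if not any(want.subnet_of(n) for n in allowed if n.version == want.version):
            problems.append(f"WireGuard subnet {want} missing from AllowedIPs: DNS will not route")
    return problems


# Constructed excerpt of the article's pi-hole.conf, plus the qname-minimisation
# line the final steps recommend.
GOOD_UNBOUND = """
server:
    verbosity: 0
    interface: 127.0.0.1
    port: 5335
    harden-glue: yes
    harden-dnssec-stripped: yes
    edns-buffer-size: 1232
    qname-minimisation: yes
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
"""

# Constructed "before": what an open resolver on a VPS tends to look like.
OPEN_UNBOUND = """
server:
    interface: 0.0.0.0
    port: 53
    access-control: 0.0.0.0/0 allow
    harden-dnssec-stripped: no
    edns-buffer-size: 4096
"""

# Constructed WireGuard [Peer] sections: PiVPN's default line versus the narrowed one.
WG_NETS = [ip_network("10.8.0.0/24"), ip_network("fd11:5ee:bad:c0de::/64")]   # placeholders
DEFAULT_PEER = "[Peer]\nAllowedIPs = 0.0.0.0/0, ::0/0\nEndpoint = <vps-ip>:51820\n"
SPLIT_PEER = "[Peer]\nAllowedIPs = 192.168.1.0/24, 10.8.0.0/24, fd11:5ee:bad:c0de::/64\nEndpoint = <vps-ip>:51820\n"

if __name__ == "__main__":
    for label, problems in [("pi-hole.conf", audit_unbound(GOOD_UNBOUND)),
                            ("open resolver", audit_unbound(OPEN_UNBOUND)),
                            ("default peer", audit_wireguard_client(DEFAULT_PEER, WG_NETS)),
                            ("narrowed peer", audit_wireguard_client(SPLIT_PEER, WG_NETS))]:
        print(label, "->", problems or "OK")
```

The Unbound checks only ever reach Unbound's own clause; Pi-hole's FTL still listens on port 53, so the WireGuard and firewall rules from the steps above remain the control that keeps that port off the public internet. The script deliberately treats a missing qname-minimisation line as a finding even though recent Unbound releases default it on, because an explicit line survives package upgrades and documents intent.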

    Final steps and further reading

    Before you go on your merry way, there are a few closing steps you'll want to consider that were beyond the scope of this article:

    • Change your PiHole password from the default: Do this using pihole setpassword.
    • Enable HTTPS on your PiHole web portal: This is an important step for security and privacy, but requires you to own a domain. You can read how to set it up here.
    • Set up DoH/DoQ for Unbound: You can do this by following the official documentation.
    • Configure Unbound to use query name minimization: You can do this by modifying your unbound.conf as outlined here.
    • Secure your server: A few simple steps will greatly reduce the chance that your server is compromised and used to perform man-in-the-middle attacks on you or others.

    BitLaunch users who need help configuring their server or choosing a suitable server size can reach out to our live chat support. Our expert support agents will be happy to assist you if they can.