Encrypted DNS: Stop Your ISP From Watching You Browse

Why DNS Privacy Matters

Every website you visit starts with a DNS lookup. By default, these requests are sent in plain text to your ISP, who logs them, may sell them to advertisers, and hands them over to law enforcement without a warrant in many jurisdictions.

Encrypted DNS prevents your ISP from seeing your browsing history. It's one of the simplest privacy upgrades you can make.

Quick Comparison

Feature            | Quad9             | NextDNS                         | Cloudflare
Primary Address    | 9.9.9.9           | Custom per account              | 1.1.1.1
Price              | Free              | Free (300K queries) / $1.99/mo  | Free
Jurisdiction       | Switzerland       | USA (Delaware)                  | USA
Logging Policy     | No IP logging     | Configurable (0-2 years)        | 24-hour anonymized
Malware Blocking   | Yes (default)     | Yes (configurable)              | Optional (1.1.1.2)
Ad Blocking        | No                | Yes (configurable)              | No
Customization      | Minimal           | Extensive                       | Minimal
Speed (Global Avg) | 15-22ms           | 12-18ms                         | 10-14ms
Our Rating         | Best for privacy  | Best for customization          | Best for speed

Understanding DNS Encryption

The Problem with Regular DNS

Traditional DNS sends queries in plain text over UDP port 53. Anyone between you and the DNS server can see exactly what domains you're looking up: your ISP, your employer, anyone on the same WiFi network, and network equipment along the way.

Encryption Protocols

  • DNS-over-HTTPS (DoH): Encrypts DNS inside HTTPS traffic on port 443. Looks like normal web traffic, hard to block.
  • DNS-over-TLS (DoT): Encrypts DNS with TLS on port 853. Easier to identify and block than DoH.
  • DNS-over-QUIC (DoQ): Newer protocol using QUIC. Lower latency than DoT, supported by fewer providers.

Protocol        | Quad9 | NextDNS | Cloudflare
DNS-over-HTTPS  | Yes   | Yes     | Yes
DNS-over-TLS    | Yes   | Yes     | Yes
DNS-over-QUIC   | No    | Yes     | No
DNSCrypt        | No    | Yes     | No
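To make concrete what DoH actually carries inside HTTPS, here is an added example (not code from the article or from any of the providers): it builds the plain wire-format DNS query that travels unprotected over UDP/53 in classic DNS, shows the RFC 8484 GET encoding of that same message in the `dns` parameter, and decodes a constructed reply. The `/dns-query` path is the conventional DoH endpoint and the sample reply is constructed, not a real capture.

```python
import base64
import struct
# Added example (not the article's code): DoH carries a wire-format DNS message (RFC 1035)
# inside HTTPS; RFC 8484 defines the GET (base64url) and POST (raw body) encodings.

def build_query(name, qtype=1, txid=0):
    """Encode a query for `name`; RFC 8484 suggests txid 0 so GET requests are cacheable."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)        # class IN

def doh_get_path(wire, endpoint="/dns-query"):
    """GET form of DoH: base64url without padding in the `dns` query parameter."""
    # The POST form instead sends `wire` as the body with Content-Type application/dns-message.
    return endpoint + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()

def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                                    # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off if end is None else end

def parse_answers(msg):
    """Return [(name, type, ttl, rdata)] from the answer section; A rdata as dotted quad."""
    qd, an = struct.unpack_from(">HH", msg, 4)
    off = 12
    for _ in range(qd):                                          # skip the question section
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        answers.append((name, rtype, ttl, ".".join(map(str, rdata)) if rtype == 1 else rdata))
    return answers

# Constructed sample reply (not a capture): example.com A -> 192.0.2.1, TTL 300, compressed name.
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The bytes returned by `build_query` are exactly what a passive observer reads from a classic UDP/53 query; with DoH the same bytes sit inside a TLS session on port 443.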

The Providers Compared

Quad9: Best for Pure Privacy

Quad9 is a Swiss non-profit founded in 2016 by IBM, Packet Clearing House, and Global Cyber Alliance. It's the most privacy-focused option, operating under Swiss privacy laws with a strict no-logging policy.

DNS Addresses

  • 9.9.9.9: Secured with malware blocking
  • 9.9.9.10: No malware blocking (unfiltered)
  • 9.9.9.11: Secured + ECS support
  • 9.9.9.12: Unfiltered + ECS support

Privacy Policy

  • No IP address logging: keeps reply addresses in RAM only
  • Swiss jurisdiction: outside Five Eyes, GDPR-compliant
  • Non-profit status: no commercial incentive to monetize data
  • Public commitment: would withdraw from countries that compel logging
  • Third-party audited: independent verification of policies

Security Features

  • Malware blocking: blocks known malicious domains by default
  • Phishing protection: prevents access to phishing sites
  • Threat intelligence: 19+ threat feeds including IBM X-Force
  • DNSSEC validation: prevents DNS spoofing attacks

Limitations

  • No customization (all-or-nothing filtering)
  • No ad blocking
  • Slower than Cloudflare in some regions
  • No analytics or query logging (good for privacy, bad for troubleshooting)

Best for: Users who want set-and-forget privacy with malware protection. Those concerned about jurisdiction and logging. Privacy advocates who don't need customization.

NextDNS: Best for Power Users

NextDNS is a fully customizable encrypted DNS service. It's like Pi-hole in the cloud: you can configure your own blocklists, see detailed analytics, and apply different settings to different devices.

Pricing

  • Free: 300,000 queries/month; after the limit, it works as unfiltered DNS
  • Pro: $1.99/month or $19.90/year; unlimited queries
  • Business: $19.90/month per 50 employees

Key Features

  • Custom blocklists: choose from dozens of ad, tracker, and malware lists
  • Denylist/Allowlist: manually block or allow specific domains
  • Parental controls: safe search enforcement, content filtering, recreation time limits
  • Per-device settings: different configurations for different devices
  • Real-time analytics: see what's being blocked and why
  • Configurable logging: choose retention from 1 hour to 2 years, or disable entirely
  • Native apps: easy setup on all platforms

Privacy Considerations

  • US jurisdiction: subject to US data laws
  • You control logging: can be fully disabled
  • No selling data: explicitly stated in privacy policy
  • Anonymous account option: can sign up without email

Limitations

  • US-based company
  • Free tier limited to 300K queries
  • Analytics require logging (privacy trade-off)
  • More complex than simple DNS providers

Best for: Power users who want granular control. Families needing parental controls. Anyone who wants Pi-hole functionality without self-hosting.

Cloudflare (1.1.1.1): Best for Speed

Cloudflare DNS is consistently the fastest public DNS resolver globally. It's backed by Cloudflare's massive CDN infrastructure, providing excellent performance everywhere.

DNS Addresses

  • 1.1.1.1: Standard resolver (no filtering)
  • 1.1.1.2: Blocks malware
  • 1.1.1.3: Blocks malware + adult content (family filter)

Privacy Policy

  • No IP logging for advertising: explicit commitment
  • 24-hour log retention: anonymized after 24 hours
  • Third-party audited: KPMG audits privacy claims annually
  • No selling data: never uses data for advertising

Performance

  • Fastest globally: 10-14ms average response time
  • Anycast network: servers in 300+ cities
  • WARP VPN integration: optional VPN service (free tier available)

Limitations

  • US company: subject to US law, including national security letters
  • 24-hour logging: even anonymized, some data is retained
  • Commercial entity: privacy isn't the primary business model
  • No customization: can't add your own blocklists
  • Cloudflare sees significant internet traffic already: concentration concern

Cloudflare's Position

Cloudflare already handles a significant percentage of internet traffic through their CDN. Using their DNS means even more of your internet activity flows through one company. For some users, this concentration is a concern.

Best for: Users prioritizing speed over maximum privacy. Gamers. Those who want a simple, fast upgrade from ISP DNS.

Privacy Comparison

Jurisdiction Matters

Provider   | Location        | Five Eyes | Notable
Quad9      | Switzerland     | No        | Strongest privacy laws
NextDNS    | USA (Delaware)  | Yes       | User controls logging
Cloudflare | USA             | Yes       | Subject to NSLs

What Gets Logged

Provider   | IP Address          | Queries           | Retention
Quad9      | Never stored        | Aggregate only    | None
NextDNS    | Optional            | Optional          | Configurable (0-2yr)
Cloudflare | 24hr, then deleted  | 24hr, anonymized  | 24 hours

Setup Instructions

On Your Router (Protects Entire Network)

  1. Log into your router's admin panel
  2. Find DNS settings (usually under WAN or Internet)
  3. Replace your ISP's DNS with your chosen provider
  4. Save and reboot the router

DNS Addresses to Use

  • Quad9: 9.9.9.9 and 149.112.112.112
  • Cloudflare: 1.1.1.1 and 1.0.0.1
  • NextDNS: Custom addresses from your dashboard

On Individual Devices

Windows 11

  1. Settings → Network & Internet → Wi-Fi (or Ethernet)
  2. Click your network → DNS server assignment → Edit
  3. Switch to Manual, enable IPv4
  4. Enter preferred and alternate DNS

macOS

  1. System Settings → Network → Wi-Fi (or Ethernet)
  2. Click Details → DNS
  3. Add DNS servers with + button

iOS

  1. Settings → Wi-Fi → tap (i) on your network
  2. Configure DNS → Manual
  3. Add DNS servers

Android

  1. Settings → Network & Internet → Private DNS
  2. Select "Private DNS provider hostname"
  3. Enter: dns.quad9.net, dns.nextdns.io, or 1dot1dot1dot1.cloudflare-dns.com

Using DNS-over-HTTPS in Browsers

Firefox

  1. Settings → Privacy & Security → scroll to DNS over HTTPS
  2. Select Max Protection
  3. Choose provider or enter custom URL

Chrome/Edge

  1. Settings → Privacy and Security → Security
  2. Enable "Use secure DNS"
  3. Choose provider

Which Should You Choose?

Choose Quad9 if:

  • Privacy is your top priority
  • You want a non-profit, non-US provider
  • Swiss jurisdiction matters to you
  • You want malware protection without configuration
  • You prefer set-and-forget simplicity

Choose NextDNS if:

  • You want Pi-hole features without self-hosting
  • You need parental controls
  • You want to see analytics of your DNS queries
  • You want ad blocking at the DNS level
  • You have multiple devices with different needs

Choose Cloudflare if:

  • Speed is your priority
  • You want the simplest upgrade from ISP DNS
  • You're gaming and need low latency
  • You're okay with a US company
  • You want WARP VPN integration

Our Recommendation

For Privacy: Quad9

Quad9's Swiss jurisdiction, non-profit status, and strict no-logging policy make it the best choice for privacy-focused users. The built-in malware blocking is a bonus.

For Customization: NextDNS

If you want ad blocking, parental controls, or detailed analytics, NextDNS offers unmatched flexibility. Disable logging for privacy or enable it for troubleshooting: your choice.

For Speed: Cloudflare

If you just want faster DNS with reasonable privacy improvements over your ISP, Cloudflare is the fastest option globally.

Beyond DNS: What Encrypted DNS Doesn't Protect

Encrypted DNS Has Limits

Encrypted DNS prevents your ISP from seeing your DNS queries, but they can still see:

  • IP addresses you connect to: they can't see the domain, but can see the server
  • SNI (Server Name Indication): reveals the domain during TLS handshake (unless using Encrypted Client Hello)
  • Traffic patterns: volume, timing, and destinations

For complete privacy from your ISP, you need a VPN or Tor. Encrypted DNS is one layer of defense, not a complete solution.
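The SNI leak above is easy to see in bytes. As an added example (not code from the article), the following Python builds a minimal, constructed TLS ClientHello and extracts the host_name from its server_name extension, which is exactly the field an observer on the path reads even when DNS is encrypted. With Encrypted Client Hello the outer ClientHello carries only the provider's public name, so this extraction would show that name instead of the real site.

```python
import struct
# Added example (not the article's code): build a minimal TLS ClientHello and pull the
# host_name out of its server_name extension, which is what an on-path observer reads.
SNI_EXT = 0x0000  # TLS extension type for server_name (RFC 6066)

def build_client_hello(host=None):
    """Constructed, minimal ClientHello record; with host=None no SNI extension is sent."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name      # name_type 0 = host_name
        sn_list = struct.pack(">H", len(entry)) + entry
        exts = struct.pack(">HH", SNI_EXT, len(sn_list)) + sn_list
    body = (b"\x03\x03" + bytes(32)                                # legacy version, random
            + b"\x00"                                             # empty session id
            + struct.pack(">H", 2) + b"\x13\x01"                   # one cipher suite
            + b"\x01\x00"                                         # null compression only
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # record type 22

def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if absent/not a hello."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack_from(">H", record, 3)[0]]
    if not hs or hs[0] != 0x01:
        return None
    off = 4 + 2 + 32                                   # handshake header, version, random
    off += 1 + hs[off]                                 # session id
    off += 2 + struct.unpack_from(">H", hs, off)[0]    # cipher suites
    off += 1 + hs[off]                                 # compression methods
    if off + 2 > len(hs):
        return None                                    # no extensions block
    ext_end = off + 2 + struct.unpack_from(">H", hs, off)[0]
    off += 2
    while off + 4 <= ext_end:
        etype, elen = struct.unpack_from(">HH", hs, off)
        off += 4
        if etype == SNI_EXT:
            p = off + 2                                # skip server_name_list length
            while p + 3 <= off + elen:
                ntype, nlen = hs[p], struct.unpack_from(">H", hs, p + 1)[0]
                if ntype == 0:
                    return hs[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        off += elen
    return None
```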

Frequently Asked Questions

Will encrypted DNS slow down my internet?

Usually the opposite: ISP DNS servers are often slow. Cloudflare and Quad9 are faster than most ISP DNS. The encryption overhead is negligible.

Can my ISP still see what I'm doing?

They can't see your DNS queries, but they can see the IP addresses you connect to. For full privacy, combine encrypted DNS with a VPN.

Does encrypted DNS block ads?

Only NextDNS and self-hosted options (Pi-hole, AdGuard Home). Quad9 and Cloudflare don't block ads.

Is encrypted DNS legal?

Yes, in virtually all countries. You're simply choosing a different DNS provider and encrypting the connection.

What if my encrypted DNS provider is blocked?

In censored environments, DoH on port 443 is hardest to block since it looks like regular HTTPS traffic. Some countries block known DoH providers anyway: in that case, consider running your own DNS resolver or using a VPN.


Last updated: 2025-12-13