Why DNS Privacy Matters
Every website you visit starts with a DNS lookup. By default, these requests are sent in plain text to your ISP, who logs them, may sell them to advertisers, and hands them over to law enforcement without a warrant in many jurisdictions.
Encrypted DNS prevents your ISP from seeing your browsing history. It's one of the simplest privacy upgrades you can make.
Quick Comparison
| Feature | Quad9 | NextDNS | Cloudflare |
|---|---|---|---|
| Primary Address | 9.9.9.9 | Custom per account | 1.1.1.1 |
| Price | Free | Free (300K queries) / $1.99/mo | Free |
| Jurisdiction | Switzerland | USA (Delaware) | USA |
| Logging Policy | No IP logging | Configurable (0-2 years) | 24-hour anonymized |
| Malware Blocking | Yes (default) | Yes (configurable) | Optional (1.1.1.2) |
| Ad Blocking | No | Yes (configurable) | No |
| Customization | Minimal | Extensive | Minimal |
| Speed (Global Avg) | 15-22ms | 12-18ms | 10-14ms |
| Our Rating | Best for privacy | Best for customization | Best for speed |
Understanding DNS Encryption
The Problem with Regular DNS
Traditional DNS sends queries in plain text over UDP port 53. Anyone between you and the DNS server can see exactly what domains you're looking up: your ISP, your employer, anyone on the same WiFi network, and network equipment along the way.
Encryption Protocols
- DNS-over-HTTPS (DoH): Encrypts DNS inside HTTPS traffic on port 443. Looks like normal web traffic, hard to block.
- DNS-over-TLS (DoT): Encrypts DNS with TLS on port 853. Easier to identify and block than DoH.
- DNS-over-QUIC (DoQ): Newer protocol using QUIC. Lower latency than DoT, supported by fewer providers.
| Protocol | Quad9 | NextDNS | Cloudflare |
|---|---|---|---|
| DNS-over-HTTPS | Yes | Yes | Yes |
| DNS-over-TLS | Yes | Yes | Yes |
| DNS-over-QUIC | No | Yes | No |
| DNSCrypt | No | Yes | No |
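To make the difference between plaintext DNS, DoT and DoH concrete, here is an added example (not code from the page or from any of the providers) that builds a DNS query in wire format, shows what a passive observer on UDP port 53 can read out of it, and then frames the same message the way DoT (RFC 7858, a 2-byte length prefix inside TLS on port 853) and DoH (RFC 8484, base64url in a GET parameter or a POST body of type application/dns-message) carry it. The transaction ID and the DoH endpoint URL are constructed placeholders; nothing here touches the network.

```python
import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"  # RFC 8484 media type for POST/GET bodies


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a single-question DNS query (QCLASS IN, RD bit set).

    qtype 1 = A record. txid is a constructed value; real clients randomize it.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def observed_qname(packet: bytes) -> str:
    """Recover the queried name from a plaintext packet.

    This is all an on-path observer (ISP, shared Wi-Fi, middlebox) needs to do
    to learn which domain a client is resolving over classic UDP/53.
    """
    pos = 12  # skip the fixed 12-byte header
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def frame_for_dot(packet: bytes) -> bytes:
    """DoT sends the unchanged DNS message inside TLS on port 853, prefixed
    with a 2-byte big-endian length exactly like DNS-over-TCP (RFC 7858)."""
    return struct.pack("!H", len(packet)) + packet


def doh_get_url(packet: bytes, endpoint: str) -> str:
    """DoH GET form: the DNS message is base64url-encoded with padding
    stripped and placed in the 'dns' query parameter (RFC 8484 section 4.1)."""
    b64 = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def decode_doh_param(param: str) -> bytes:
    """Inverse of doh_get_url's encoding: restore padding and decode."""
    padded = param + "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(padded)


if __name__ == "__main__":
    q = build_query("example.com")
    print("plaintext observer sees:", observed_qname(q))
    print("DoT frame (hex):", frame_for_dot(q).hex())
    print("DoH GET:", doh_get_url(q, "https://dns.example/dns-query"))
```

The point of the three framings is that the DNS message itself never changes; what DoT and DoH change is the transport, so an observer sees either a TLS session to port 853 (easy to recognise as DNS) or an HTTPS request indistinguishable from any other web traffic.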
The Providers Compared
Quad9: Best for Pure Privacy
Quad9 is a Swiss non-profit founded in 2016 by IBM, Packet Clearing House, and Global Cyber Alliance. It's the most privacy-focused option, operating under Swiss privacy laws with a strict no-logging policy.
DNS Addresses
- 9.9.9.9: Secured with malware blocking
- 9.9.9.10: No malware blocking (unfiltered)
- 9.9.9.11: Secured + ECS (EDNS Client Subnet) support
- 9.9.9.12: Unfiltered + ECS (EDNS Client Subnet) support
Privacy Policy
- No IP address logging: client addresses stay in RAM only long enough to send the reply
- Swiss jurisdiction: outside Five Eyes, GDPR-compliant
- Non-profit status: no commercial incentive to monetize data
- Public commitment: would withdraw from countries that compel logging
- Third-party audited: independent verification of policies
Security Features
- Malware blocking: blocks known malicious domains by default
- Phishing protection: prevents access to phishing sites
- Threat intelligence: 19+ threat feeds including IBM X-Force
- DNSSEC validation: prevents DNS spoofing attacks
Limitations
- No customization (all-or-nothing filtering)
- No ad blocking
- Slower than Cloudflare in some regions
- No analytics or query logging (good for privacy, bad for troubleshooting)
Best for: Users who want set-and-forget privacy with malware protection. Those concerned about jurisdiction and logging. Privacy advocates who don't need customization.
NextDNS: Best for Power Users
NextDNS is a fully customizable encrypted DNS service. It's like Pi-hole in the cloud: you can configure your own blocklists, see detailed analytics, and apply different settings to different devices.
Pricing
- Free: 300,000 queries/month; after the limit, works as unfiltered DNS
- Pro: $1.99/month or $19.90/year: unlimited queries
- Business: $19.90/month per 50 employees
Key Features
- Custom blocklists: choose from dozens of ad, tracker, and malware lists
- Denylist/Allowlist: manually block or allow specific domains
- Parental controls: safe search enforcement, content filtering, recreation time limits
- Per-device settings: different configurations for different devices
- Real-time analytics: see what's being blocked and why
- Configurable logging: choose retention from 1 hour to 2 years, or disable entirely
- Native apps: easy setup on all platforms
Privacy Considerations
- US jurisdiction: subject to US data laws
- You control logging: can be fully disabled
- No selling data: explicitly stated in privacy policy
- Anonymous account option: can sign up without email
Limitations
- US-based company
- Free tier limited to 300K queries
- Analytics require logging (privacy trade-off)
- More complex than simple DNS providers
Best for: Power users who want granular control. Families needing parental controls. Anyone who wants Pi-hole functionality without self-hosting.
Cloudflare (1.1.1.1): Best for Speed
Cloudflare DNS is consistently the fastest public DNS resolver globally. It's backed by Cloudflare's massive CDN infrastructure, providing excellent performance everywhere.
DNS Addresses
- 1.1.1.1: Standard resolver (no filtering)
- 1.1.1.2: Blocks malware
- 1.1.1.3: Blocks malware + adult content (family filter)
Privacy Policy
- No IP logging for advertising: explicit commitment
- 24-hour log retention: anonymized after 24 hours
- Third-party audited: KPMG audits privacy claims annually
- No selling data: never uses data for advertising
Performance
- Fastest globally: 10-14ms average response time
- Anycast network: servers in 300+ cities
- WARP VPN integration: optional VPN service (free tier available)
Limitations
- US company: subject to US law, including national security letters
- 24-hour logging: even anonymized, some data is retained
- Commercial entity: privacy isn't the primary business model
- No customization: can't add your own blocklists
- Cloudflare sees significant internet traffic already: concentration concern
Cloudflare's Position
Cloudflare already handles a significant percentage of internet traffic through their CDN. Using their DNS means even more of your internet activity flows through one company. For some users, this concentration is a concern.
Best for: Users prioritizing speed over maximum privacy. Gamers. Those who want a simple, fast upgrade from ISP DNS.
Privacy Comparison
Jurisdiction Matters
| Provider | Location | Five Eyes | Notable |
|---|---|---|---|
| Quad9 | Switzerland | No | Strongest privacy laws |
| NextDNS | USA (Delaware) | Yes | User controls logging |
| Cloudflare | USA | Yes | Subject to NSLs |
What Gets Logged
| Provider | IP Address | Queries | Retention |
|---|---|---|---|
| Quad9 | Never stored | Aggregate only | None |
| NextDNS | Optional | Optional | Configurable (0-2yr) |
| Cloudflare | 24hr, then deleted | 24hr, anonymized | 24 hours |
Setup Instructions
On Your Router (Protects Entire Network)
- Log into your router's admin panel
- Find DNS settings (usually under WAN or Internet)
- Replace your ISP's DNS with your chosen provider
- Save and reboot the router
DNS Addresses to Use
- Quad9: 9.9.9.9 and 149.112.112.112
- Cloudflare: 1.1.1.1 and 1.0.0.1
- NextDNS: Custom addresses from your dashboard
On Individual Devices
Windows 11
- Settings → Network & Internet → Wi-Fi (or Ethernet)
- Click your network → DNS server assignment → Edit
- Switch to Manual, enable IPv4
- Enter preferred and alternate DNS
macOS
- System Settings → Network → Wi-Fi (or Ethernet)
- Click Details → DNS
- Add DNS servers with + button
iOS
- Settings → Wi-Fi → tap (i) on your network
- Configure DNS → Manual
- Add DNS servers
Android
- Settings → Network & Internet → Private DNS
- Select "Private DNS provider hostname"
- Enter: dns.quad9.net, dns.nextdns.io, or 1dot1dot1dot1.cloudflare-dns.com
Using DNS-over-HTTPS in Browsers
Firefox
- Settings → Privacy & Security → scroll to DNS over HTTPS
- Select Max Protection
- Choose provider or enter custom URL
Chrome/Edge
- Settings → Privacy and Security → Security
- Enable "Use secure DNS"
- Choose provider
Which Should You Choose?
Choose Quad9 if:
- Privacy is your top priority
- You want a non-profit, non-US provider
- Swiss jurisdiction matters to you
- You want malware protection without configuration
- You prefer set-and-forget simplicity
Choose NextDNS if:
- You want Pi-hole features without self-hosting
- You need parental controls
- You want to see analytics of your DNS queries
- You want ad blocking at the DNS level
- You have multiple devices with different needs
Choose Cloudflare if:
- Speed is your priority
- You want the simplest upgrade from ISP DNS
- You're gaming and need low latency
- You're okay with a US company
- You want WARP VPN integration
Our Recommendation
For Privacy: Quad9
Quad9's Swiss jurisdiction, non-profit status, and strict no-logging policy make it the best choice for privacy-focused users. The built-in malware blocking is a bonus.
For Customization: NextDNS
If you want ad blocking, parental controls, or detailed analytics, NextDNS offers unmatched flexibility. Disable logging for privacy or enable it for troubleshooting: your choice.
For Speed: Cloudflare
If you just want faster DNS with reasonable privacy improvements over your ISP, Cloudflare is the fastest option globally.
Beyond DNS: What Encrypted DNS Doesn't Protect
Encrypted DNS Has Limits
Encrypted DNS prevents your ISP from seeing your DNS queries, but they can still see:
- IP addresses you connect to: they can't see the domain, but can see the server
- SNI (Server Name Indication): reveals the domain during TLS handshake (unless using Encrypted Client Hello)
- Traffic patterns: volume, timing, and destinations
For complete privacy from your ISP, you need a VPN or Tor. Encrypted DNS is one layer of defense, not a complete solution.
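The SNI leak described above is easy to see in the bytes. The following is an added example, not code from the page, that constructs a minimal TLS ClientHello record carrying a server_name extension and then parses the hostname back out of it, the same way an on-path observer would. The ClientHello is deliberately stripped down (one cipher suite, a zeroed client random, a single extension) and is a constructed sample; the builder's include_sni parameter is an assumption used only to show the no-extension case.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # server_name, RFC 6066
HANDSHAKE_RECORD = 0x16       # TLS record content type
CLIENT_HELLO = 0x01           # handshake message type


def build_client_hello(server_name: str, include_sni: bool = True) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record (constructed sample)."""
    host = server_name.encode("ascii")
    if include_sni:
        sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
        sni_ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_body)) + sni_body
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    else:
        extensions = b""  # legacy hello with no extensions block at all
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + bytes(32)                              # client_random (zeros; constructed)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                            # compression methods: null only
        + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None.

    Everything read here is sent in the clear, so encrypting DNS alone does not
    hide the destination hostname; only Encrypted Client Hello (ECH) does.
    """
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    pos = 4 + 2 + 32                                   # handshake header, version, random
    pos += 1 + hs[pos]                                 # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                 # compression_methods
    if pos + 2 > len(hs):
        return None                                    # no extensions present
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == SNI_EXTENSION_TYPE:
            list_len = struct.unpack("!H", hs[pos:pos + 2])[0]
            p, list_end = pos + 2, pos + 2 + list_len
            while p + 3 <= list_end:
                name_type = hs[p]
                nlen = struct.unpack("!H", hs[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return hs[p:p + nlen].decode("ascii")
                p += nlen
        pos += elen
    return None


if __name__ == "__main__":
    hello = build_client_hello("privacy.example")
    print("observer reads SNI:", extract_sni(hello))
    print("without SNI:", extract_sni(build_client_hello("privacy.example", include_sni=False)))
```

The same parser logic is what network monitoring tools use to label HTTPS flows by hostname, which is why the guide pairs encrypted DNS with ECH, a VPN or Tor for anyone who needs the destination hidden as well as the lookup.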
Frequently Asked Questions
Will encrypted DNS slow down my internet?
Usually the opposite: ISP DNS servers are often slow. Cloudflare and Quad9 are faster than most ISP DNS. The encryption overhead is negligible.
Can my ISP still see what I'm doing?
They can't see your DNS queries, but they can see the IP addresses you connect to. For full privacy, combine encrypted DNS with a VPN.
Does encrypted DNS block ads?
Of the three providers compared here, only NextDNS does; self-hosted resolvers (Pi-hole, AdGuard Home) can as well. Quad9 and Cloudflare don't block ads.
Is encrypted DNS legal?
Yes, in virtually all countries. You're simply choosing a different DNS provider and encrypting the connection.
What if my encrypted DNS provider is blocked?
In censored environments, DoH on port 443 is hardest to block since it looks like regular HTTPS traffic. Some countries block known DoH providers anyway: in that case, consider running your own DNS resolver or using a VPN.
Last updated: 2025-12-13