Best DNS for privacy and ad blocking

DNS queries allow for the creation of detailed user profiles, which include browsing habits, preferences, and potentially sensitive data such as records of visits to health-related websites or financial transactions. When intercepted, this data can be used for targeted advertising, spoofing, and man-in-the-middle attacks, which are all serious security concerns. 

You can minimize the risk by using a privacy-focused DNS service that replaces plain-text DNS requests with encrypted ones. This will make your online activity more secure and private. What’s more, some of the DNS servers also allow you to block ads and certain websites. 

Which one should you choose? Here’s our pick of the best DNS providers in 2024.

→ Jump to the last paragraph to view our selection criteria.

In short, the best DNSs for privacy are:

  1. Quad9
  2. NextDNS (once you disable logs in settings)
  3. DeCloudUs
  4. ReThinkDNS 
  5. DNSWatch

Read on to learn more about each one of them.

Best DNS services for privacy and ad blocking – Overview table:

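| DNS service | No-logs policy | Blocks ads | Jurisdiction | DoT encryption | DoH encryption | DNSSEC | Domain filtering | Customization | Free version |
|---|---|---|---|---|---|---|---|---|---|
| Quad9 | YES | NO | Switzerland | YES | YES | YES | YES | YES | YES |
| NextDNS | YES (not by default) | YES | US | YES | YES | YES | YES | YES | YES, up to 300,000 queries |
| AdGuard DNS | Unclear | YES (Paid) | Cyprus | YES | YES | YES | YES | YES | YES (Free version up to 300,000 queries) |
| Control D | YES | YES | Canada | YES | YES | YES | YES | NO | NO |
| Alternate DNS | NO | YES | US | Not mentioned | Not mentioned | Not mentioned | NO | YES | YES |
| DeCloudUs | YES | YES (Paid) | Not mentioned | YES | YES | YES | YES | YES | YES |
| ReThinkDNS | YES | YES | US | YES | YES | NO | YES | YES | YES |
| Cloudflare DNS | NO | NO | US | YES | YES | NO | YES | NO | YES |
| OpenDNS (Cisco Umbrella) | NO | Some | US | YES | YES | YES | YES | YES (Free and Paid Plans) | YES |
| DNSWatch | YES | NO | Not mentioned | YES | YES | YES | YES | YES | YES |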

Quad9

Quad9 is a free, public DNS service based in Zurich, Switzerland. It’s also a not-for-profit organization that relies on grants and partnerships for income. It’s a DNS resolver that doesn’t store DNS query logs, has global reach, and maintains a strict and transparent privacy policy. For these reasons alone, it deserves, hands down, to be at the very top of this list.

This DNS server excels in security features, with robust support for DNSSEC (Domain Name System Security Extensions), which protect against DNS spoofing and tampering. It supports both DNS over HTTPS (DoH) and DNS over TLS (DoT) encryption to thwart eavesdropping and prevent unauthorized access to DNS traffic.

Quad9 offers customization options, allowing users to update DNS filtering rules. However, it’s worth noting that it does not provide any features that specifically block internet ads as part of its DNS filtering.

The service is easy to use and set up, and the website offers video tutorials and a community support forum to help you out. That said, the service does not come with a help center you could contact in case of trouble.

Pros: All the security features with strict privacy rules at no cost.

Cons: No ad block. No support center.

NextDNS

NextDNS, similar to Quad9, is a public DNS service designed to enhance security and privacy for users. Developed with a strong focus on user protection, NextDNS goes beyond being just a DNS resolver by offering a dedicated application called the NextDNS app. The app sets the service apart by making it more straightforward to customize DNS settings.

NextDNS checks all the security boxes, with support for DNSSEC as well as DoH and DoT encryption to bolster user privacy. However, being based in the US, this DNS service stores logs of DNS requests by default. You can decide how long the logs will be recorded or disable them in settings. If you don’t mind NextDNS storing logs, you can determine where they will be stored, choosing from the US, UK, EU, or Switzerland.

Pros: Dedicated app, ad blocking, customer support. Free version up to 300,000 queries.

Cons: Stores logs by default (can be disabled in settings).

AdGuard DNS

As the name suggests, AdGuard DNS is a DNS server that focuses on blocking ads. The company was founded in Moscow and later relocated to Cyprus. Its servers are based in Frankfurt, Germany.

Setting up AdGuard DNS is relatively straightforward, as it can be configured at the network level, eliminating the need for individual device installations. Its security features include blocking of malicious and phishing websites, parental controls, and access to filtering statistics, where some websites can be listed.

AdGuard DNS supports DoH and DoT encryption for enhanced data security. Regarding privacy, their privacy policy states that they do not sell or share any user data (including IP addresses). AdGuard DNS stores DNS requests by default so users can see them on their dashboards. You can turn off DNS logging in settings.

Pricing starts at $2.49 per month, and they offer a free plan for up to 300,000 queries. 

Pros: Parental controls and filtering customization. Free version up to 300,000 queries.

Cons: Ambiguous privacy policy; it’s unclear whether the service logs user queries.

Control D

Control D is a user-configurable DNS service that distinguishes itself through robust features and extensive customizability. The service operates on a global anycast network, deploying transparent proxies with exit locations in over 69 countries.

Two of Control D’s key features are its support for multiple protocols and a very user-friendly UI that allows for good customization and compatibility. The level of customization exceeds that of many competitors, acknowledging nuances in CDNs and allowing users to configure different DNS profiles and set filters at specific time frames (to improve productivity).

Control D offers extensive filtering options, including blocking categories (e.g., ads or explicit content), malicious domains, or specific services (e.g., Facebook or Minecraft). If you encounter issues with any of these, expect their customer service to get back to you within several days.

Privacy-wise, Control D does not keep logs of users’ activity and has a transparent privacy policy.

Pricing starts at $2 per month or $20 per year for the basic plan.

Pros: Good customization options and UI are appreciated by many users.

Cons: Unresponsive customer service.

DeCloudUs

DeCloudUs stands out as a feature-rich ad-blocking DNS server, offering protection against ads, trackers, malware, phishing, and other potentially harmful content. It employs standard encryption protocols to secure DNS queries and enhance user privacy (DoH and DoT).

It’s also highly customizable and includes parental controls, full DNS customization, and custom filtering lists.

The service follows a freemium model with three distinct tiers offering different features. The free version provides encrypted DNS queries, access to some DeCloudUs features, and one server location in Germany. Premium tiers unlock additional server options and advanced blocking capabilities for $0.49 per month (when billed annually). 

In terms of privacy, DeCloudUs states that, by default, its servers are configured to keep no DNS logs. Logs can be enabled in the Premium package by request.

Pros: Highly customizable DNS provider with ad blocking and parental controls. No-logs policy.

Cons: The free version is very limited. 

ReThinkDNS

ReThinkDNS offers an open-source and deployable DNS resolver featuring an app for the Android OS. As part of the Mozilla Builders MVP program, it stands out for its commitment to transparency and user privacy.

The platform offers a variety of block lists, including parental controls and ads, a tracker list, and malware lists like EasyPrivacy, EasyList, and the Block List Project, allowing users to tailor their blocking preferences. It offers support for DoT, with DNSSEC available based on server choice.

ReThinkDNS prioritizes transparency in its infrastructure, with DoH servers primarily running on Cloudflare (250+ locations) and DoT servers on Fly.io (35+ locations). The DoH resolver is a proxy between the user’s device and Cloudflare’s 1.1.1.1 recursive resolver. ReThinkDNS operates as a serverless and diskless service, ensuring user privacy by not logging queries. The fact that infrastructure providers may log some data is transparently communicated.

This app is in Early Access, and you can start using the service for free without the need for registration. 

Pros: Open-source, transparent, and free with a no-logs policy.

Cons: Early access implies potential instability or incomplete features.

Cloudflare DNS

Despite being a popular internet service provider, Cloudflare DNS receives mixed user reviews. This could be due to the fact that Cloudflare DNS lacks anti-phishing measures and content filters. The service has a strong privacy commitment and undergoes yearly audits. That said, according to its privacy policy, it logs DNS queries for 25 hours before deleting them. It also shares data with its partner, APNIC Labs (the regional internet registry for the Asia-Pacific region). Cloudflare claims that the data it shares is minimal and fully anonymized. 

Cloudflare offers a user-friendly interface and a very active community forum. It supports DNS over TLS and DNS over HTTPS encryption and comes with DDoS mitigation and DNSSEC. Additional features include its ability to hide website IPs, provide nameservers, and offer a centralized dashboard for DNS management. Ad blocking is not one of its features. 

Cloudflare is free for up to 100 hostnames. For extra features and access to the help center, it’s $20 per month (when billed annually). 

Pros: Regular third-party audits. User-friendly experience, standard encryption support.

Cons: Lack of content filter features and ad blocking.

OpenDNS

OpenDNS (now part of Cisco Umbrella) was established in 2005 and has been owned by Cisco since 2016. It’s a widely used cloud-based DNS service offering both free and paid plans. It uses anycast routing for faster page load times and connection to the nearest DNS server. Users can enable web filtering, including adult-content blocking and malicious-ad blocking (but not all ad blocking). OpenDNS supports DNS over HTTPS (DoH) encryption.

When it comes to privacy, OpenDNS is very open and not how you’d like it to be. The service records internet activity history by default, although, as per a recent update, you can turn this off in settings. OpenDNS also states that they “may collect data, including personal data, about you as you use our websites and Solutions [sic] and interact with us.”

Regarding pricing, the two free versions include parental controls, some filtering, and email support. Paid options start at $19.95 per year, including domain blocklisting and, surprisingly, access to one year of the web activity log.

Pros: Parental controls and filtering options in the free version.

Cons: Stores information about DNS requests and IP addresses. Limited ad-blocking tools.

DNSWatch

DNSWatch is a widely embraced DNS provider that stands out for its free-of-charge service. In fact, this DNS server provider has no paid options on offer. DNSWatch proudly labels itself as fast, free, and uncensored. Privacy is indeed a key focus for DNSWatch, as it abstains from logging any DNS queries or maintaining user history.

The core benefits of DNSWatch include its accessible free service, a commitment to an open internet without restricted content, and a robust privacy policy that keeps it from logging DNS queries. However, due to its privacy-focused approach and status as a smaller company, it does not provide security intelligence analysis or comprehensive protection against phishing, malware, or cyberattacks.

Pros: Free service. No-logs policy.

Cons: Only DoH encryption. No customer service.

Alternate DNS

Alternate DNS is a popular DNS option, mainly because it’s free. That said, Alternate DNS has several limitations, including few customization options, reliability concerns reported by some users, and the absence of HTTPS traffic filtering.

In terms of privacy, Alternate DNS collects personal information and stores logs. It also asserts that it does not share, rent, trade, or sell personal information with third parties except under specific circumstances, such as user-authorization or service-provision needs.

In addition to “homemade” graphics, there is little more on the page to reassure us that the service is reliable or that we won’t catch malware while using it. The PayPal account, where users are encouraged to transfer money to support the service, is even less reassuring.

Pros: Free.

Cons: No information about encryption. Lack of features. Stores DNS queries and personal information.

The criteria: what we looked at to evaluate the best DNS servers

Here are some key elements we took a closer look at to evaluate the DNS servers on our list.

  • Security features: we checked the security features of each DNS service on the list. The most important is DNSSEC (Domain Name System Security Extensions), which protects against DNS spoofing and tampering.
  • Encryption: we value providers that support DNS over HTTPS (DoH) or DNS over TLS (DoT) to encrypt DNS queries and enhance privacy.
  • Privacy: we read the small print to understand how data is handled and checked whether users’ DNS requests are logged.
  • Customization: can the DNS filtering rules be updated, and is there an ad-blocking option?
  • Price: service cost and how the service is funded if it’s free.
  • Ease of use and set-up.
  • Availability of customer service in case of issues.
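
The encryption and DNSSEC criteria above can be checked from the client side. The Python sketch below is an added example, not part of the original article or any provider's code: it builds the wire-format query a DoH client sends (RFC 8484), shows the hostname an observer reads when the same bytes travel unencrypted, and reads the validation flag from a response header. The endpoint https://resolver.example/dns-query, the name clinic.example and the two response headers are constructed placeholders.

```python
import base64
import struct

def build_query(name, qtype=1):
    """Wire-format DNS query (RFC 1035) asking for DNSSEC data via EDNS0."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)  # ID 0, RD=1, 1 question, 1 OPT
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # class IN
    # OPT pseudo-record: root name, type 41, UDP size 1232, DO flag 0x8000, no options
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def observed_name(message):
    """Hostname anyone on the path reads when this query goes out over plain UDP/53."""
    labels, pos = [], 12                                     # question starts after the header
    while message[pos]:
        length = message[pos]
        labels.append(message[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def doh_get_url(endpoint, query):
    """RFC 8484 GET form: the same bytes, base64url-encoded without padding, inside HTTPS."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def read_header(response):
    """Flags that show whether the resolver validated the answer."""
    _id, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {"is_response": bool(flags & 0x8000),
            "validated": bool(flags & 0x0020),               # AD bit: DNSSEC checks passed
            "rcode": flags & 0x000F,                         # 2 = SERVFAIL, e.g. bad signature
            "answers": answers}

if __name__ == "__main__":
    query = build_query("clinic.example")                    # constructed sample name
    print("plain-text observer sees:", observed_name(query))
    print("DoH request:", doh_get_url("https://resolver.example/dns-query", query))
    signed = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 1)   # constructed header: AD set, NOERROR
    bogus = struct.pack("!HHHHHH", 0, 0x8182, 1, 0, 0, 1)    # constructed header: SERVFAIL
    print(read_header(signed), read_header(bogus))
```

A resolver that validates DNSSEC answers a signed zone with the AD bit set and answers a zone whose signatures fail with SERVFAIL; one that does not validate returns the records with AD clear in both cases.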

FAQ

What is a DNS?

DNS is short for Domain Name System. It’s a fundamental part of the internet, as it translates human queries into numbers computers can understand. Every time you type a URL into your browser, your ISP (Internet Service Provider) sends it to a DNS server, which “translates” it into an IP address. 

What is the main problem with DNS servers?

The main problem with most DNS servers is the fact that they send queries in plain text, meaning everyone with access to the server can see their contents. Privacy-respecting DNSs encrypt these queries, making them useless to anyone who intercepts them.

Which DNS can block ads?

For ad-blocking DNS, consider NextDNS, AdGuard DNS, and DeCloudUs, which offer ad blocking as part of their paid packages. You can also try ReThinkDNS as it blocks ads for free. 

Will DNS block YouTube ads?

DNS itself does not block YouTube ads. This type of ad blocking typically requires specialized tools or browser extensions.
