Privacy DNS guide — Quad9, Mullvad DNS and DNS-over-HTTPS
Your DNS provider sees every website you visit. Switch from Google or your ISP to a privacy-friendly DNS like Quad9 or Mullvad DNS.
Every time you visit a website, a DNS request is made — a translation of domain name to IP address. By default this goes through your ISP or Google (8.8.8.8). Those parties log what you request, when, and how often.
A privacy-friendly DNS resolver solves this: no logging, no sale of your query data, and often protection against malware domains too.
What is DNS and why does it matter?
DNS (Domain Name System) is the phone book of the internet. When you type privacygear.nl, your device asks a DNS server: “What is the IP address of privacygear.nl?”
The problem: Your ISP sees all these queries by default. Even if you use HTTPS for the website’s content, the DNS query is visible — unless you use DNS-over-HTTPS or DNS-over-TLS.
What DNS providers see:
- Which domains you request
- What time
- How often
- From which IP address
In many countries, ISPs can legally sell this data to advertisers.
DNS-over-HTTPS and DNS-over-TLS
Standard DNS travels unencrypted over the network (UDP port 53) — visible to your ISP, router, or anyone monitoring your network.
DNS-over-HTTPS (DoH): DNS queries are sent as HTTPS traffic (port 443). Indistinguishable from normal web traffic. Supported by Firefox, Chrome, Windows 11, Android.
DNS-over-TLS (DoT): DNS queries are encrypted over TLS (port 853). More clearly recognisable as DNS, but also encrypted. Better suited for routers and system-wide configuration.
Which to choose? For browser level: DoH. For system-wide or router: DoT or DoH with system settings.
Quad9 — recommended for most users
Quad9 is a non-profit organisation founded by IBM and the Global Cyber Alliance, based in Switzerland (outside EU and US jurisdiction).
Why Quad9:
- Non-profit — no advertising model
- Based in Switzerland — strong privacy laws
- Blocks malware domains via Threat Intelligence feeds
- No logging of personal data
- Independently audited
Quad9 addresses:
| Type | Address |
|---|---|
| IPv4 | 9.9.9.9 / 149.112.112.112 |
| IPv6 | 2620:fe::fe / 2620:fe::9 |
| DoH | https://dns.quad9.net/dns-query |
| DoT | tls://dns.quad9.net |
Variants:
- 9.9.9.9: with malware blocking (recommended)
- 9.9.9.10: no blocking, privacy only
- 9.9.9.11: with blocking + ECS (slightly faster via geolocation, slightly less private)
Mullvad DNS
Mullvad DNS is the DNS service from Mullvad VPN. It can also be used without Mullvad VPN.
Advantages:
- No logging
- Optional ad and tracker blocking
- Based in Sweden
Addresses:
| Type | Address |
|---|---|
| DoH (no blocking) | https://dns.mullvad.net/dns-query |
| DoH (ad-blocking) | https://adblock.dns.mullvad.net/dns-query |
| DoT | tls://dns.mullvad.net |
DNS provider comparison
| Provider | Privacy | Malware blocking | Ad blocking | Owner | Location |
|---|---|---|---|---|---|
| Quad9 | ✅ Good | ✅ | ❌ | Non-profit | Switzerland |
| Mullvad DNS | ✅ Good | ❌ | Optional | Mullvad VPN | Sweden |
| Cloudflare (1.1.1.1) | Fair | Via 1.1.1.2 | Via 1.1.1.3 | Cloudflare Inc. | US |
| Google (8.8.8.8) | ❌ Poor | ❌ | ❌ | Google | US |
| NextDNS | ✅ Good | ✅ | ✅ | NextDNS Inc. | US |
| AdGuard DNS | ✅ Good | ✅ | ✅ | AdGuard | Cyprus |
Cloudflare 1.1.1.1 is fast and better than Google, but Cloudflare is a US company. They log minimally but retain data for 25 hours. For serious privacy users: choose Quad9 or Mullvad DNS.
Setting up on different devices
Android
System-wide Private DNS (Android 9+):
- Settings → Network → Advanced → Private DNS
- Select “Private DNS provider hostname”
- Enter: dns.quad9.net
This encrypts all DNS on your Android device, including outside apps.
iOS / iPadOS
iOS has no built-in DoH/DoT setting. Use a configuration profile:
- Download the Quad9 profile from quad9.net/service/about
- Open in Safari → Settings → Downloaded Profile → Install
- Settings → General → VPN & Device Management → Activate the profile
Alternative: use a DNS filtering app like AdGuard for iOS.
Windows 11
- Settings → Network & internet → WiFi/Ethernet → Edit
- DNS server assignment → Manual
- IPv4: 9.9.9.9 and 149.112.112.112
- Choose “DNS over HTTPS (automatic template)”
macOS
- System Settings → Network → select connection → Details
- DNS → + → Add 9.9.9.9 and 149.112.112.112
- For DoH/DoT: use a DNS profile or configure via Terminal
Router (OPNsense)
In OPNsense: Services → Unbound DNS → DNS over TLS
Name: Quad9
Server IP: 9.9.9.9
Server Port: 853
Verify CN: dns.quad9.net
Router-wide DNS means all devices on your network are protected, including smart TVs and IoT devices you can’t configure individually.
Firefox
- Settings → Privacy & Security → DNS over HTTPS
- Enable DNS over HTTPS
- Choose “Custom” → https://dns.quad9.net/dns-query
AdGuard Home — self-hosted DNS with blocking
If you have a home server or Raspberry Pi, AdGuard Home is a more powerful option: a local DNS resolver with configurable blocklists.
Advantages over external DNS:
- All logging stays local
- Block lists fully customisable
- Per-device statistics
- Can forward upstream to Quad9 via DoH/DoT
Installation (Docker):
docker run -d \
--name adguardhome \
-p 53:53/tcp -p 53:53/udp \
-p 3000:3000/tcp \
-v /opt/adguardhome/conf:/opt/adguardhome/conf \
-v /opt/adguardhome/work:/opt/adguardhome/work \
adguard/adguardhome
Navigate to http://[server-ip]:3000 for the configuration wizard.
See also the AdGuard Home review for a complete discussion.
Limits of DNS privacy
DNS encryption solves one problem, but not everything:
What DNS privacy does NOT solve:
- SNI (Server Name Indication): When connecting to an HTTPS website, the domain name is visible in the TLS handshake, unless Encrypted Client Hello (ECH) is active
- IP address tracking: Your IP address remains visible to websites you visit
- Tracking via cookies/fingerprinting: DNS says nothing about what happens afterwards on the website
For complete protection:
- DNS privacy: Quad9 or Mullvad DNS
- IP address: VPN (Mullvad, ProtonVPN) or Tor
- Tracking: uBlock Origin, Firefox + strict mode
DNS privacy is one layer — not a complete solution.
Verification — does it work?
Test whether your DNS setting works:
Browser test:
- Visit https://1.1.1.1/help (shows which DNS resolver you’re using)
- Visit https://dns.quad9.net/dns-check (Quad9 verification)
Command line:
# Check which DNS server you're using
nslookup whoami.akamai.net
# Test Quad9 directly
dig @9.9.9.9 example.com
DNS leak test:
Use dnsleaktest.com to verify that your DNS is not leaking through your ISP, including when using a VPN.
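A local check that complements the online tests, as an added example that is not part of the original page: it classifies lines in tcpdump's default one-line text format and reports every query that still leaves the machine unencrypted on port 53. The capture lines are constructed sample data, and the allowed resolver set assumes the Quad9 addresses from the table above.

```python
import re
from collections import Counter

# Resolver addresses taken from the Quad9 table on this page (assumed setup)
ALLOWED_RESOLVERS = {"9.9.9.9", "149.112.112.112"}

# Constructed sample in tcpdump's default one-line IPv4 format
SAMPLE_CAPTURE = """\
12:00:01.100000 IP 192.168.1.20.51234 > 9.9.9.9.853: Flags [P.], seq 1:120, ack 1, win 502, length 119
12:00:01.200000 IP 192.168.1.20.40000 > 192.168.1.1.53: 4660+ A? example.com. (29)
12:00:01.300000 IP 192.168.1.20.51300 > 9.9.9.9.443: Flags [P.], seq 1:300, ack 1, win 502, length 299
12:00:01.400000 IP 192.168.1.20.40001 > 9.9.9.9.53: 4661+ AAAA? example.org. (29)
12:00:01.500000 IP 192.168.1.20.51400 > 203.0.113.7.853: Flags [S], seq 0, win 64240, length 0
"""

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):(?P<rest>.*)"
)
QUERY_RE = re.compile(r"\b[A-Z]+\? (?P<name>\S+)")  # e.g. "A? example.com."


def classify(line):
    """Return (kind, destination, query name or None) for DNS-related lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dst, dport = m["dst"], int(m["dport"])
    if dport == 53:
        # Plaintext even when the destination is a privacy-friendly resolver
        q = QUERY_RE.search(m["rest"])
        return ("plaintext", dst, q["name"] if q else None)
    if dport == 853:
        kind = "dot" if dst in ALLOWED_RESOLVERS else "dot-unexpected"
        return (kind, dst, None)
    if dport == 443 and dst in ALLOWED_RESOLVERS:
        # DoH looks like any other HTTPS flow; only the address hints at it
        return ("doh-likely", dst, None)
    return None


def audit(capture):
    """Count flows per kind and list (resolver, name) for plaintext queries."""
    findings = [f for f in map(classify, capture.splitlines()) if f]
    leaks = [(dst, name) for kind, dst, name in findings if kind == "plaintext"]
    return Counter(kind for kind, _, _ in findings), leaks
```

An empty leak list over a capture taken while browsing indicates that lookups are going out encrypted; any entry names both the resolver that received the query and the domain that was exposed.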
Conclusion
Switch today from Google DNS (8.8.8.8) to Quad9 (9.9.9.9). It takes five minutes and your ISP no longer has direct access to your browsing history. Enable DNS-over-HTTPS for encrypted transport.
For home users with a server or Raspberry Pi: AdGuard Home with Quad9 as upstream gives the most control and statistics.
See also:
- AdGuard Home review — self-hosted DNS blocking
- OPNsense and Protectli Vault review — router-wide DNS filtering
- Tailscale mesh VPN guide — DNS via your own network
- Browser comparison: Firefox, Brave and Tor — browser choice also affects DNS privacy