Privacy DNS guide — Quad9, Mullvad DNS and DNS-over-HTTPS

Every time you visit a website, a DNS request is made — a translation of domain name to IP address. By default this goes through your ISP or Google (8.8.8.8). Those parties log what you request, when, and how often.

A privacy-friendly DNS resolver solves this: no logging, no sale of your query data, and often protection against malware domains too.


Who this is useful for

This guide is mainly useful for readers who:

  • want to give their internet provider less visibility into their browsing behaviour
  • want a small but meaningful privacy improvement without new hardware
  • are looking for a simple network step with little maintenance

For most readers, this is a low-friction baseline measure, not an advanced project.

If you are unsure whether this is a useful improvement or just another technical hobby project, use this rule of thumb: privacy-friendly DNS is usually worth doing; building your own full DNS stack usually comes later.


What you gain, and what it costs

With privacy-friendly DNS, you usually gain:

  • less direct visibility for your internet provider into which domains you look up
  • encrypted DNS traffic if you use DoH or DoT instead of plain default DNS
  • sometimes extra malware or tracker blocking, depending on the provider

But it does not solve everything:

  • websites still see your IP address
  • tracking cookies and browser fingerprinting still exist
  • you move trust from your provider to a different DNS operator

Adoption friction is usually low. Maintenance is also low, as long as you choose a simple provider configuration instead of self-hosted DNS.

For most readers, this is a sensible baseline improvement. It becomes overkill when you turn a simple DNS change into a self-hosted network project before your more important basics are in place.


What the right next step is for most readers

For most PrivacyGear readers, the right route is simple:

  1. choose a reliable provider such as Quad9
  2. set it system-wide on your phone or computer
  3. leave router-wide or self-hosted DNS until you have a concrete reason to manage it

Choose roughly like this:

  • choose Quad9 if you want one solid default setting with very little thought or maintenance
  • choose Mullvad DNS if you deliberately want to compare different blocking variants
  • choose AdGuard Home or router DNS only if you are already actively managing your home network

What is DNS and why does it matter?

DNS (Domain Name System) is the phone book of the internet. When you type privacygear.nl, your device asks a DNS server: “What is the IP address of privacygear.nl?”

The problem: Your internet provider or network administrator sees these queries by default. Even if you use HTTPS for the website’s content, the DNS query is visible — unless you use DNS-over-HTTPS or DNS-over-TLS.

What DNS providers see:

  • Which domains you request
  • What time
  • How often
  • From which IP address

How providers handle this differs by company and country. That is exactly why it makes more sense not to send DNS unencrypted through your default provider unless you have to.


DNS-over-HTTPS and DNS-over-TLS

Standard DNS travels unencrypted over the network (UDP port 53) — visible to your ISP, router, or anyone monitoring your network.

DNS-over-HTTPS (DoH): DNS queries are sent as HTTPS traffic (port 443). Indistinguishable from normal web traffic. Supported by Firefox, Chrome, Windows 11, Android.

DNS-over-TLS (DoT): DNS queries are encrypted over TLS (port 853). More clearly recognisable as DNS, but also encrypted. Better suited for routers and system-wide configuration.

Which to choose? For browser level: DoH. For system-wide or router: DoT or DoH with system settings.


Quad9

Quad9 is the default recommendation for most PrivacyGear readers.

Why Quad9:

  • Non-profit — no advertising model
  • Based in Switzerland
  • Blocks malware domains via Threat Intelligence feeds
  • Positioned as a privacy-friendly resolver with very low maintenance friction

Quad9 addresses:

Type    Address
IPv4    9.9.9.9 / 149.112.112.112
IPv6    2620:fe::fe / 2620:fe::9
DoH     https://dns.quad9.net/dns-query
DoT     tls://dns.quad9.net

Variants:

  • 9.9.9.9 — with malware blocking (recommended)
  • 9.9.9.10 — no blocking, privacy only
  • 9.9.9.11 — with blocking + ECS (slightly faster via geolocation, slightly less private)

Best fit: normal users and privacy-conscious readers who want one good system-wide setting without having to manage filters, dashboards or custom rules.


Mullvad DNS

Mullvad DNS is the DNS service from Mullvad VPN. It is also available without using Mullvad VPN.

Advantages:

  • No logging
  • Optional ad and tracker blocking
  • Based in Sweden

Best fit: readers who already know they want to compare different blocking levels, or who are already looking at Mullvad for VPN as well.

Addresses:

Type                 Address
DoH (no blocking)    https://dns.mullvad.net/dns-query
DoH (ad-blocking)    https://adblock.dns.mullvad.net/dns-query
DoT                  tls://dns.mullvad.net

DNS provider comparison

Provider              Privacy   Malware blocking   Ad blocking    Owner            Location
Quad9                 Good      Yes                No             Non-profit       Switzerland
Mullvad DNS           Good      No                 Optional       Mullvad VPN      Sweden
Cloudflare (1.1.1.1)  Fair      Via 1.1.1.2        Via 1.1.1.3    Cloudflare Inc.  US
Google (8.8.8.8)      Poor      No                 No             Google           US
NextDNS               Good      Yes                Yes            NextDNS Inc.     US
AdGuard DNS           Good      Yes                Yes            AdGuard          Cyprus

Cloudflare 1.1.1.1 is still better for many people than Google or their ISP’s default resolver, but PrivacyGear still prefers Quad9 or Mullvad DNS because they are a better privacy fit for this site.


Setting up on different devices

Android

System-wide Private DNS (Android 9+):

  1. Settings → Network → Advanced → Private DNS
  2. Select “Private DNS provider hostname”
  3. Enter: dns.quad9.net

This encrypts all DNS on your Android device, including queries from apps, not just the browser.

iOS / iPadOS

iOS has no built-in DoH/DoT setting. Use a configuration profile:

  1. Download the Quad9 profile from quad9.net/service/about
  2. Open in Safari → Settings → Downloaded Profile → Install
  3. Settings → General → VPN & Device Management → Activate the profile

Alternative: use a DNS filtering app like AdGuard for iOS if you explicitly want filtering too, not only a different resolver.

Windows 11

  1. Settings → Network & internet → WiFi/Ethernet → Edit
  2. DNS server assignment → Manual
  3. IPv4: 9.9.9.9 and 149.112.112.112
  4. Choose “DNS over HTTPS (automatic template)”

macOS

  1. System Settings → Network → select connection → Details
  2. DNS → + → Add 9.9.9.9 and 149.112.112.112
  3. For DoH/DoT: use a DNS profile or configure it via Terminal

Router (OPNsense)

In OPNsense: Services → Unbound DNS → DNS over TLS

Name: Quad9
Server IP: 9.9.9.9
Server Port: 853
Verify CN: dns.quad9.net

Router-wide DNS means all devices on your network benefit too, including smart TVs and IoT devices you cannot configure individually.

This only becomes the better next step if you are already actively managing your home network. For most readers, per-device or system-wide DNS comes first.

Firefox

  1. Settings → Privacy & Security → DNS over HTTPS
  2. Enable DNS over HTTPS
  3. Choose “Custom” → https://dns.quad9.net/dns-query

AdGuard Home — self-hosted DNS with blocking

If you have a home server or Raspberry Pi, AdGuard Home is a more powerful option: a local DNS resolver with configurable blocklists.

Advantages over external DNS:

  • All logging stays local
  • Block lists fully customisable
  • Per-device statistics
  • Can forward upstream to Quad9 via DoH/DoT

This is not the default recommendation for most readers. It gives you more control, but also more setup work and more maintenance.

Installation (Docker):

docker run -d \
  --name adguardhome \
  -p 53:53/tcp -p 53:53/udp \
  -p 3000:3000/tcp \
  -v /opt/adguardhome/conf:/opt/adguardhome/conf \
  -v /opt/adguardhome/work:/opt/adguardhome/work \
  adguard/adguardhome

Navigate to http://[server-ip]:3000 for the configuration wizard.

See also the AdGuard Home review for a complete discussion.


Limits of DNS privacy

DNS encryption solves one problem, but not everything:

What DNS privacy does NOT solve:

  • SNI (Server Name Indication): When connecting to an HTTPS website, the domain name is visible in the TLS handshake, unless Encrypted Client Hello (ECH) is active
  • IP address tracking: Your IP address remains visible to websites you visit
  • Tracking via cookies/fingerprinting: DNS says nothing about what happens afterwards on the website

For complete protection:

  • DNS privacy: Quad9 or Mullvad DNS
  • IP address: VPN (Mullvad, ProtonVPN) or Tor
  • Tracking: uBlock Origin, Firefox + strict mode

DNS privacy is one layer — not a complete solution.
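To make the SNI limitation concrete, here is an added example that is not part of the PrivacyGear guide: it hand-builds a minimal TLS ClientHello for privacygear.nl and then reads the hostname back out of its server_name extension (RFC 6066), which is exactly what a passive observer between you and the website can do with a plaintext handshake no matter how your DNS is configured. The ClientHello is constructed inline and deliberately stripped down; it is not a capture and not a complete, negotiable handshake.

```python
"""Encrypted DNS does not hide the domain from the network path: the TLS
ClientHello still carries it in the Server Name Indication (SNI) extension,
unless Encrypted Client Hello (ECH) is in use.

Added illustration, not PrivacyGear's code. The ClientHello is constructed
by hand for the example, not captured from real traffic.
"""
import struct
from typing import Optional


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello record with only an SNI extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extension = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # ext type 0 = server_name
    extensions = struct.pack("!H", len(extension)) + extension
    body = (
        b"\x03\x03"                            # client_version TLS 1.2
        + bytes(32)                            # random, zeroed for the constructed sample
        + b"\x00"                              # empty session id
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                          # compression methods: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a TLS ClientHello record, or None if absent.

    A passive observer on the path can do this with any plaintext TLS 1.2/1.3
    handshake, regardless of whether DNS went over DoH or DoT.
    """
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    off = 5
    if record[off] != 0x01:                            # not a ClientHello
        return None
    off += 4                                           # handshake type + 3-byte length
    off += 2 + 32                                      # client_version + random
    sid_len = record[off]
    off += 1 + sid_len
    cs_len = struct.unpack("!H", record[off:off + 2])[0]
    off += 2 + cs_len
    comp_len = record[off]
    off += 1 + comp_len
    if off + 2 > len(record):                          # no extensions block at all
        return None
    ext_total = struct.unpack("!H", record[off:off + 2])[0]
    off += 2
    end = off + ext_total
    while off + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[off:off + 4])
        off += 4
        if ext_type == 0x0000:                         # server_name extension
            list_len = struct.unpack("!H", record[off:off + 2])[0]
            pos, list_end = off + 2, off + 2 + list_len
            while pos + 3 <= list_end:
                name_type = record[pos]
                name_len = struct.unpack("!H", record[pos + 1:pos + 3])[0]
                if name_type == 0:
                    return record[pos + 3:pos + 3 + name_len].decode("ascii")
                pos += 3 + name_len
        off += ext_len
    return None


if __name__ == "__main__":
    hello = build_client_hello("privacygear.nl")
    print("observer on the path sees SNI:", extract_sni(hello))
```

This is why the guide lists ECH as the condition under which the SNI exposure stops: ECH moves the server_name into an encrypted inner ClientHello, leaving only the outer, public name visible on the wire. Until the browser and the site both support it, a VPN or Tor is what actually hides the destination from your ISP, not the DNS change alone.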

Verification — does it work?

Test whether your DNS setting works:

Browser test:

  • Visit https://1.1.1.1/help — shows which DNS resolver you’re using
  • Visit https://dns.quad9.net/dns-check — Quad9 verification

Command line:

# Check which DNS server you’re using
nslookup whoami.akamai.net

# Test Quad9 directly
dig @9.9.9.9 example.com

DNS leak test: Use dnsleaktest.com to verify that your DNS is not leaking through your ISP, including when using a VPN.

