DNS & Network
last updated 2026-06-17 · 6 recommendations
Every site you visit starts with a DNS lookup, and by default those lookups go to
your ISP in plaintext. Switching to an encrypted, filtering resolver is a
ten-minute change that upgrades every device on your network,
blocking ads and malware before a connection is ever made.
before you pick
DNS filtering blocks requests at the name level: strong against trackers and
malware domains, weaker against ads served first-party (YouTube's, for instance).
It complements blocking in the browser;
it doesn't replace it. And any third-party resolver requires trusting that
party with your query log; self-hosting is the only way out of that trade.
what actually matters
encrypted transport
DoH or DoT keeps lookups unreadable on the wire. Every pick here supports both; your OS or router does too.
logging policy
The resolver sees every domain you visit. What it keeps, for how long, and under whose laws is the core question.
filtering control
From fixed lists (zero effort) to fully custom rules per device. More control means more maintenance: pick your tier.
consistency with your tunnel
If you run a VPN, your DNS should match its infrastructure: a mismatched resolver fragments your fingerprint and leaks intent.
recommendations

AdGuard DNS
the default pick
🇨🇾 cyprus · doh/dot/doq · strong blocklists · broad device support · free · ~$3/mo
A practical, reliable encrypted resolver with strong blocking lists and the
broadest device support in the category: the public resolver
(94.140.14.14) blocks ads and trackers with zero setup
and no account. Not fully open source server-side, but the company
has a long, consistent track record in the security space, and its home-server
sibling (AdGuard Home) is fully FOSS. Covers the majority of everyday use
cleanly; the paid tier adds dashboards and custom rules.
good
- Ad and tracker blocking with no account needed
- Supports DoH, DoT, and newer DNS-over-QUIC
- Long-running company with an open-source culture
- Paid tier adds per-device profiles and custom rules
mind the
- Public tier keeps anonymized 24h logs for operations
- Server side isn't fully open source
- Cyprus jurisdiction is less battle-tested than Switzerland
- Founded in Moscow in 2009; later relocated its HQ to Cyprus

Mullvad DNS
the contextual pick
🇸🇪 sweden · doh/dot only · no logs · no account · free
Mullvad's public resolver, free for everyone (not just VPN customers), with
the same no-logs posture as the VPN and optional ad/tracker filtering
endpoints. The headline use is consistency: when you're on
Mullvad's VPN (or Tor), keeping DNS inside the same infrastructure preserves a
uniform fingerprint instead of announcing a third party. It's been growing
into a solid standalone recommendation as well.
good
- Clean no-logs policy from a raid-tested operator
- Filtering variants (ads, trackers, malware) selectable by hostname
- The right answer whenever Mullvad VPN is already in your stack
mind the
- Encrypted transport only: no plain port-53 fallback for dumb devices
- No dashboards, analytics, or per-device control at all
- Fixed lists; can't allowlist a single false positive

Quad9
the neutral pick
🇨🇭 switzerland · doh/dot · malware blocking · no logging · free
Set 9.9.9.9 and you're done: a Swiss nonprofit resolver that blocks
malware domains, keeps no per-user logs, and asks nothing of you. It doesn't
filter ads; it's a security resolver, not an ad blocker,
which is exactly why it's worth knowing: a clean, trustworthy, threat-focused
option when you want neutrality rather than curation.
good
- Nonprofit under Swiss privacy law: no commercial incentive to log
- Malware/phishing blocklist on by default
- Anycast network; fast nearly everywhere
mind the
- No ad/tracker filtering: pair with browser-level blocking
- No customization or per-device control at all
- Occasional false positives are hard to appeal quickly

NextDNS
the power-user pick
🇺🇸 usa · doh/dot · custom blocklists · per-device profiles · free tier · ~$2/mo
A Pi-hole in the cloud: pick your blocklists, see analytics per device, set
parental controls, and carry the config everywhere your devices roam.
The most filtering power you can get without hosting anything,
with good logging-transparency options to match (retention is configurable,
including to zero). More tool than appliance; budget the occasional evening
of allowlisting.
good
- Granular blocklists, allowlists, and per-profile settings
- Works on the go: profiles follow your phone off the home network
- Configurable log retention and storage region, including none
mind the
- US company; logging is opt-out by configuration, not impossible by design
- Past the free quota (300k queries/mo) it stops filtering until you pay
- Easy to over-block and spend evenings whitelisting

Self-host
the self-host pick
self-hosted · open source · any blocklist · lan-wide · free + hardware
Run your own filtering resolver on a Raspberry Pi or any always-on box, and
no third party sees your lookups at all: the only complete
answer to the trust question every entry above carries. AdGuard Home is the
slicker, FOSS, encrypted-out-of-the-box option; Pi-hole is the decade-old
community classic. Pair either with Unbound and you're not even trusting an
upstream resolver.
good
- Your hardware, your rules, your logs (or none)
- Covers smart TVs and IoT junk that can't run blockers
- With Unbound upstream, fully independent recursive resolution
- AdGuard Home speaks DoH/DoT natively, both directions
mind the
- You're now a sysadmin: updates, uptime, and "the internet is broken" complaints are yours
- Only protects you at home unless you route back via WireGuard
- Needs an always-on device (~€40 Pi or an existing server)

ControlD
the customization pick
🇨🇦 canada · doh/dot/doq · per-device profiles · granular block lists · free · paid tiers
The dial-in-everything option: per-device profiles, toggleable block-list
categories (ads, malware, social, gambling, and dozens more), custom rules per
domain, and analytics, all from one dashboard. More granular than
NextDNS in the controls it exposes, at the cost of a steeper setup
curve; this is the pick for someone who wants to tune exactly what's blocked
on exactly which device, not someone who wants to set it once and forget it.
good
- Very granular per-device and per-profile block-list control
- Supports DoH, DoT, and DNS-over-QUIC
- Free tier is genuinely usable, not just a trial
- Custom routing rules (split DNS, redirects) beyond simple blocking
mind the
- The dashboard's depth is a learning curve, not a five-minute setup
- Canada is a Five Eyes jurisdiction, if that's in your model
- Easy to over-configure and spend an evening tuning rules
at a glance
All support encrypted transport (self-hosted via upstream configuration; Mullvad is encrypted-only).
worth knowing
Set it at the router if you can. One change covers every device,
including the ones you can't configure. Phones and laptops that leave the house
should also get the resolver set per-device (iOS/Android both support DoT/DoH
profiles natively).
Match DNS to your VPN. A VPN tunnel
carries its own DNS. On Mullvad, use Mullvad DNS; on Proton, NetShield.
Keeping resolution consistent with the tunnel's infrastructure preserves a
uniform fingerprint; fighting your VPN to use a third party does the opposite.
Expect some breakage, know the fix. A login page that won't load
or an email link that dies is usually one allowlist entry away. Filtering DNS
without knowing how to whitelist is how people end up back on the ISP default.
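How the name-level filtering from "before you pick" actually decides a query, and why the "one allowlist entry" fix above works, as an added example (not code from any resolver listed here): it assumes AdGuard-style rule syntax and uses constructed domain names.

```python
from dataclasses import dataclass, field


@dataclass
class FilterPolicy:
    """Decision logic of a name-level filtering resolver (Pi-hole / AdGuard Home
    style). Rules use the AdGuard syntax: '||domain^' blocks the domain and every
    subdomain, '@@||domain^' is an exception. Lines starting with '!' are comments."""
    block: set = field(default_factory=set)
    allow: set = field(default_factory=set)

    @classmethod
    def from_rules(cls, rules):
        policy = cls()
        for rule in rules:
            rule = rule.strip()
            if not rule or rule.startswith("!"):
                continue
            is_exception = rule.startswith("@@")
            domain = rule.removeprefix("@@").removeprefix("||").removesuffix("^").lower()
            (policy.allow if is_exception else policy.block).add(domain)
        return policy

    @staticmethod
    def _matches(qname, domains):
        # A rule for 'example-ads.com' matches that name and any label below it.
        labels = qname.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in domains for i in range(len(labels)))

    def resolve(self, qname):
        """What the client receives for qname: 'allow' means the query is forwarded
        upstream as normal; '0.0.0.0' is the sink answer a filtering resolver hands
        back, so no connection to the blocked host is ever attempted. Exceptions
        are checked first, which is why a single allowlist entry can repair a
        login page broken by a broad block rule."""
        if self._matches(qname, self.allow):
            return "allow"
        if self._matches(qname, self.block):
            return "0.0.0.0"
        return "allow"


# Constructed sample rule list (not a real blocklist).
RULES = [
    "! third-party tracker: cleanly blockable by name",
    "||example-ads.com^",
    "! broad rule that also catches the CDN host a login page needs",
    "||example-cdn.net^",
    "! the one exception that fixes that login page; tracker.example-cdn.net stays blocked",
    "@@||auth.example-cdn.net^",
    "! what is NOT here: first-party ads (the page cites YouTube) are served from",
    "! the same names as the content, so a name-level rule would block both or neither.",
]
POLICY = FilterPolicy.from_rules(RULES)
```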
Your resolver sees a lot: choose like it matters. Domain
history is a complete map of your interests. "Free" resolvers from ad companies
are free for a reason; everything recommended here has a published, plausible
reason to exist, and self-hosting removes the question entirely.