Avoid The Hack: 8 Best DNS Providers for Privacy (and adblocking)

This post was originally published on 29 JAN 2022. It has since been updated and revised.

DNS enables your devices to connect to the internet as we currently know it, translating the human-readable domain name to a machine-readable IP address.

However, what happens if your resolver is either insecure and/or untrustworthy? Many, if not all, the Internet Service Providers’ (ISPs) resolvers are unencrypted and privacy-unfriendly, passing queries in plaintext or logging information associated with your devices’ queries.

Using a DNS with domain filtering capability is also a great way to enjoy adblocking on your device(s) or on your network. While some people will agree ads are annoying, unsightly, and otherwise a waste of time, targeted ads pose both privacy and security risks to end users.

Lost? If you would like to dig deeper into DNS and how it affects/relates to online privacy, then visit the main DNS page to catch up.

At a glance

Per the avoidthehack criteria, providers listed here support
DoH, DNSSEC, and QName Minimization at a minimum.

Service Logo Name Type Server Locations Logging DoT Support DNSCrypt Domain filtering Custom Configurations Source code Infrastructure Go to service
quad9 logo Quad9 Non-Profit Anycast, based in Switzerland Malicious domains on all servers;
can use a server without blocking
Not public In-house
Hosted by Global Secure Layer, Packet Clearing House
Visit service
nextdns logo blue shield NextDNS Commercial;
offers free tier
Anycast; based in US Optional;
dependent on server choice
Adblocking and malicious domains;
dependent on server choice
Not public In-house avoidthehack Affiliate (
more info
adguard logo green shield AdGuard Commercial Anycast, based in Cyprus Some Adblocking and Malicious domains;
dependent on server choice
Hosted by Choopa and Serveroid avoidthehack Affiliate (
more info
controld logo Control D Commercial; offers free tier Anycast, based in Canada Optional; dependent on user choice Adblocking and Malicious domains;
dependent on server choice
Not public In-house Visit service
mullvad vpn logo Mullvad DNS Commercial; free US, UK, Switzerland, Sweden Adblocking and malicious domains (adblock lists only) In-house Visit Service
decloudus small logo DeCloudUs Commercial; free Anycast Adblocking and malicious domains;
dependent on user server/subscription choice
Not public In-house Visit service
rethink dns logo ReThinkDNS Free Anycast; based in US Adblocking and malicious domains; dependent on user choice (mix+match lists) Hosted by Cloudflare and Visit service
cloudflare logo orange cloud Cloudflare Commercial; free Anycast; based in US Some Malicious domains only Not public In-house Visit service


official quad9 logo

Quad9 is a non-profit organization that operates operates high performing and privacy-respecting public DNS resolvers. Quad9 DNS servers are found around the world. Specifically, their infrastructure spans 150 locations in 90 different nations.

Their DNS servers feature no logging, retaining no personal data about users who utilize their servers. There is no sign-up required to use the service; the IP addresses for their DNS servers are listed and available for all to use at will.

Quad9 is based in Switzerland, having relocated from being primarily based in the US. As of writing, they’re still working on being incorporated fully in Switzerland. This relocation is/was a huge deal because Switzerland has some of the most robust consumer data and online privacy around.

Quad9 features threat blocking on all servers. This means that when using Quad9’s DNS resolvers, they will automatically deny connections to known malicious domains – ultimately promoting and improving the security of your devices and their connections.

It’s worth noting that Quad9 does provide servers without threat blocking; you have the option to choose which to connect with. However, it’s highly recommended to use the server that makes use of their threat blocking technology because it’s an effortless increase in the levels of your device and/or network security (and also your privacy – by not connecting to known malicious domains).

These known malicious domains are provided by varying threat intelligence entities partnered with Quad9 and are constantly being updated to offer better protection against newer threats.

Quad9 supports the DoH, DoT, and DNSCrypt protocols. Additionally, their infrastructure is a blend of in-house equipment and hosting services provided by Packet Clearing House and Global Secure Layer.

Visit service


official nextdns logo

NextDNS prominently aims to be the “new firewall for the modern Internet.”

Based out of the US, NextDNS offers both free and paid (but affordable!) DNS resolving services. The free tier is limited to 300,000 queries a month but allows for access to all features, unlimited devices, and unlimited configurations. Their servers use Anycast so reliable service can be provided across multiple locations.NextDNS’ DNS resolvers can block ads, trackers, and malicious domains.

Generally speaking, 300,000 queries a month is reasonable for a couple of devices. However, it’s recommended going for the unlimited queries if you have a lot of devices on your network. For reference, when counting devices on your network, this includes any device that uses your Wi-Fi to connect to the internet; you may have more internet-connected devices making more queries than you think!

Users can opt-in to logging; according to NextDNS “…some features require some sort of data retention; in that case, our users are given the option, control, and full access to what is logged and for how long.” Ultimately, logging depends on user server/feature choice.

NextDNS has an extensive control panel for fine-tuning the user blocking/filtering experience. For example, users can specify whether they want to block wide-spectrum trackers, “disguised” third-party trackers, affiliate links, or simply blocking them all.

NextDNS has security-focused settings available as well. Users have discretion when using threat intelligence feeds and/or AI assisted threat detection to minimize security risks. Users can also choose to safeguard against the likes of cryptojacking, typosquatting, parked domains, and domains registered for less than 30 days. Depending on your needs as a user, entire domains/subdomains/specific URLs can be blocked.

For those with children, it also has a Parental Control tab on the dashboard that allows blocking and unblocking of specific websites or categories of websites.

NextDNS has integrations with other tools/providers, such as Tailscale and Twingate (platforms that allow users to deploy zero-trust VPNs easily), as well.

NextDNS supports DoT and DNSCrypt. Users can choose to download the NextDNS app on compatible devices. DNSSEC is supported by default.

For payment options, NextDNS does offer payment via cryptocurrency. Additionally, they’re have made available a beta version for DNS-related support of decentralized Web3 technologies, such as InterPlanetary File System (IPFS) and peer-to-peer HandShakes.

NextDNS is a trusted partner of Mozilla Firefox to deliver Firefox’s DNS-over-HTTPS feature.

avoidthehack Affiliate (
more info


official adguard logo

AdGuard is a company that’s perhaps most known for its adblocking services – which also happen to be…

*** This is a Security Bloggers Network syndicated blog from Avoid The Hack! authored by Avoidthehack! RSS. Read the original post at: