Most devices use whatever DNS server their ISP hands them by default, without ever being asked. That default is rarely the fastest option, and it's the one place your ISP doesn't need any special effort to see exactly which domains you're looking up, covered in more depth in our DNS explainer. Switching to a dedicated resolver is one of the easiest privacy changes available, free, and usually a five-minute setup.
Three names come up constantly: Cloudflare, Quad9, and NextDNS. They're not interchangeable.
Each optimizes for something different, and picking based on the wrong priority is the most
common mistake in this decision.
What makes a DNS server "good for privacy"
A few concrete things, not vibes. A published, ideally independently audited, no-logs or minimal-logs policy. Support for encrypted DNS (DoH or DoT, sometimes DoQ) so the query itself isn't sent in plain text. DNSSEC validation, which checks that a response is authentic rather than forged, a separate concern from encryption covered in our DNS explainer. And a clear answer to who operates the resolver and what jurisdiction they're legally based in, since that determines what a government can eventually compel them to hand over or log.
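Encrypted transport and DNSSEC validation are separate properties, and a client can observe both. The Python below is an added example, not code from the original article: it builds the RFC 8484 DoH GET form of a query for Cloudflare's published DoH endpoint (the HTTPS wrapper is what keeps the query out of the ISP's view) and reads the AD flag a validating resolver sets in its reply; the three reply headers are constructed inline, not captured traffic.

```python
import base64
import struct

# Cloudflare's published DoH endpoint for the 1.1.1.1 resolver discussed above.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"

# DNS header flag bits (RFC 1035 / RFC 4035): RD asks for recursion; AD in a
# query asks the resolver to report whether it DNSSEC-validated the answer.
FLAG_RD = 0x0100
FLAG_AD = 0x0020
RCODE_MASK = 0x000F


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query for `name` (qtype 1 = A). Transaction id 0 keeps the
    DoH GET URL identical across requests so HTTP caches can serve it."""
    header = struct.pack("!HHHHHH", 0, FLAG_RD | FLAG_AD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass 1 = IN


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: the whole query travels as ?dns=<base64url, no padding>
    inside an ordinary HTTPS request."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def decode_doh_query(url: str) -> bytes:
    """Inverse of doh_get_url, restoring the base64 padding that was dropped."""
    encoded = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


def validation_status(reply: bytes) -> tuple[int, bool]:
    """(rcode, ad) from a reply header. AD set with NOERROR (0) means the resolver
    validated the DNSSEC chain; a validating resolver answers SERVFAIL (2) when a
    zone's signatures fail; AD clear with NOERROR means the zone is unsigned."""
    flags = struct.unpack("!H", reply[2:4])[0]
    return flags & RCODE_MASK, bool(flags & FLAG_AD)


# Constructed 12-byte reply headers for the three outcomes a client can see.
REPLY_VALIDATED = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)  # QR RD RA AD, NOERROR
REPLY_UNSIGNED = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR RD RA, NOERROR, no AD
REPLY_BOGUS = struct.pack("!HHHHHH", 0, 0x8182, 1, 0, 0, 0)      # QR RD RA, SERVFAIL

if __name__ == "__main__":
    print(doh_get_url(build_query("example.com")))
    for reply in (REPLY_VALIDATED, REPLY_UNSIGNED, REPLY_BOGUS):
        print(validation_status(reply))
```

The same AD check works on any resolver's replies, so it is a quick way to confirm that the provider you picked is actually validating rather than just forwarding.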
Quick picks
Cloudflare 1.1.1.1
Cloudflare launched 1.1.1.1 in 2018 with a KPMG-audited commitment not to retain personal data from DNS queries beyond 24 hours for debugging purposes, and has repeated that audit periodically since. In independent speed benchmarks it's routinely the fastest public resolver available, which matters more than it sounds: DNS lookups happen constantly in the background, and shaving milliseconds off each one adds up across a normal browsing session.
Two variants exist beyond the plain resolver: 1.1.1.2 adds malware blocking, and 1.1.1.3 adds malware plus adult-content blocking, both with zero extra configuration beyond using a different address. Cloudflare also offers WARP, a free, optional WireGuard-based tunnel that extends the same protection to your full connection rather than just DNS, without the full complexity of a traditional VPN client.
Quad9 9.9.9.9
Quad9 is operated by a Swiss nonprofit foundation rather than a commercial advertising or infrastructure company, which removes a common source of conflicting incentive: there's no ad business anywhere nearby that could benefit from your query data. Its default resolver blocks domains known to be associated with malware, phishing, and botnet command-and-control infrastructure, aggregating threat intelligence from more than a dozen security partners rather than relying on a single source.
Quad9 doesn't log IP addresses tied to individual queries and validates DNSSEC by default on every lookup. It's also been on the receiving end of real legal pressure worth knowing about: Sony Music sued Quad9 in Germany over a domain German courts had ordered blocked elsewhere, a genuine example of the kind of content-blocking demand a resolver operator can face regardless of its own privacy policy. It's a security-filtering resolver first, not a general ad or tracker blocker, which is a common point of confusion covered in the FAQ below.
NextDNS
NextDNS trades some of Quad9's simplicity for control. Instead of one fixed address, you get a personal endpoint tied to an account, with a dashboard for custom allow and block lists, per-device profiles (useful for a household where a kid's tablet needs stricter filtering than a parent's laptop), and query analytics you can actually look at, rather than trusting blindly that filtering is happening correctly.
The free tier is capped by monthly query volume, not by features, and a busier multi-device household can realistically hit that cap before the month ends; queries generally fall back to unfiltered resolution rather than breaking outright once you do. It's the right tool when you actually want to see and shape what's being blocked, and more setup than most people want when they just want a faster, quieter default.
Honorable mentions
A few others worth knowing, even if they didn't make the top three for most people.
| Provider | IP | Best for | Worth knowing |
|---|---|---|---|
| Google Public DNS | 8.8.8.8 | Global reliability, ECS-aware CDN routing | Run by an advertising company; strong uptime, weaker "no incentive" story than a nonprofit |
| OpenDNS | 208.67.222.222 | Mature category-based content filtering | Owned by Cisco since 2015; dashboard and feature development have stagnated |
| AdGuard DNS | 94.140.14.14 | Straightforward ad and tracker blocking | No logging by default; smaller server footprint than Cloudflare or NextDNS |
| Mullvad DNS | 194.242.2.2 | Minimal-collection, no-nonsense privacy | Same operator as Mullvad's VPN; works best combined with their own tunnel |
A setup detail that actually matters
Whichever provider you pick, use its encrypted DNS over HTTPS (DoH) or DNS over TLS (DoT) configuration, not the plain, unencrypted address alone. All three main options in this guide support both. On Android this lives under Private DNS in network settings; on iOS and macOS it typically requires a small configuration profile from the provider's own site; most browsers also let you set DoH independently of your system-wide setting, which is worth checking since the two don't always match. Our DNS explainer covers exactly what encrypted DNS does and doesn't protect, including a gap (SNI leakage during the TLS handshake) that catches a lot of people who assume encrypted DNS alone is a complete fix.
One thing worth remembering
Changing your DNS server changes who resolves your lookups and, with encryption enabled, hides the query from your ISP. It does nothing about the sites you actually visit seeing your IP address, and nothing about browser fingerprinting. It's one solid, free layer, not a replacement for the rest of your setup.