Suggested DNS Providers
There are many choices for DNS providers and the normal default, using DNS servers from an ISP, is typically the worst option. The list of DNS providers below is far from complete; it is just those I would feel comfortable using.
Most of these providers offer more than plain vanilla DNS resolution. They offer ad blocking, tracker blocking and/or malware blocking. Many people get some of this by installing a browser extension such as uBlock Origin. DNS offers another solution to the same problem and they can both work concurrently. Also, DNS can work at the OS level, something no browser extension can do.
Old insecure DNS is specified with IP addresses (normally two of them). New Secure DNS is specified with a server name. If you are not familiar with Old vs. new DNS, see the DNS Long Explanation page. Typically a company offers one server for DoH and another for DoT. That said, the two secure DNS flavors use different TCP ports, so it is possible for both to be available on a single server.
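As an added example (not from the original page), the Python sketch below classifies a DNS setting string by the form described above: an IP address means old DNS on port 53, an https:// URL means DoH on port 443, and a tls:// or bare server name means DoT on port 853. It also pulls the profile ID and device name out of the NextDNS formats listed further down; the function names and the sample list are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

NEXTDNS_DOT_SUFFIX = ".dns.nextdns.io"   # DoT / Android Private DNS form
NEXTDNS_DOH_HOST = "dns.nextdns.io"      # DoH form

def classify(setting):
    """Describe one DNS setting string: transport, port, and NextDNS IDs if any."""
    s = setting.strip()
    try:
        ipaddress.ip_address(s)           # an IPv4 or IPv6 literal means old DNS
        return {"transport": "plain", "port": 53, "encrypted": False, "server": s}
    except ValueError:
        pass
    if s.lower().startswith("https://"):  # DoH is given as a URL
        url = urlsplit(s)
        info = {"transport": "DoH", "port": url.port or 443,
                "encrypted": True, "server": url.hostname}
        if url.hostname == NEXTDNS_DOH_HOST:
            parts = [p for p in url.path.split("/") if p]
            info["profile"] = parts[0] if parts else None
            info["device"] = parts[1] if len(parts) > 1 else None
        return info
    host = s[6:] if s.lower().startswith("tls://") else s
    if not host or "/" in host or ":" in host or " " in host:
        raise ValueError(f"not an IP address, https:// URL or DoT name: {setting!r}")
    info = {"transport": "DoT", "port": 853, "encrypted": True, "server": host.lower()}
    if host.lower().endswith(NEXTDNS_DOT_SUFFIX):
        label = host[:-len(NEXTDNS_DOT_SUFFIX)]
        # Assumption: the profile ID contains no hyphen, so split on the last one.
        device, _, profile = label.rpartition("-")
        info["profile"], info["device"] = profile, device or None
    return info

def unencrypted(settings):
    """Return the settings that would send queries as old, unencrypted DNS."""
    return [s for s in settings if not classify(s)["encrypted"]]

# Constructed sample: resolver settings as they might be collected from devices.
SAMPLE = ["9.9.9.9", "https://dns.quad9.net/dns-query", "tls://dns.adguard.com",
          "MichaelsFone-xxxxxx.dns.nextdns.io",
          "https://dns.nextdns.io/xxxxxx/MichaelsLaptop", "1.1.1.2"]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, "->", classify(entry))
    print("unencrypted:", unencrypted(SAMPLE))
```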
- Quad9 has three services. See their Documentation Overview and Service Addresses & Features for all of their services. Not shown below is their unfiltered service.
NOTE: October 9, 2025. DOH HTTP/1.1 Retirement December 15, 2025, a blog post from Quad9.
Quoting: "Quad9 will be discontinuing support within DNS-over-HTTPS (DOH) using HTTP/1.1 on December 15, 2025. This should have no impact on most users, but there are some older or non-compliant devices or software which may be unsupported after that time with DOH and which will have to revert to unencrypted DNS or shift to DNS-over-TLS."
Their main service offers Malware Blocking and DNSSEC validation
IP addresses: 9.9.9.9 and 149.112.112.112
DoH: https://dns.quad9.net/dns-query
DoT: tls://dns.quad9.net
Their Secured w/ECS service offers Malware blocking, DNSSEC Validation, ECS enabled
IP addresses: 9.9.9.11 and 149.112.112.11
DoH: https://dns11.quad9.net/dns-query
DoT: tls://dns11.quad9.net
- Cloudflare offers three different DNS services. The original service does no filtering. In April 2020, Cloudflare introduced two filtering DNS services. See an overview.
Note: In a June 2023 test by Nexxwave (see the "Testing DNS Services" section at the bottom of the page) the malware blocking offered by 1.1.1.2 was very bad.
Block malware:
IPv4: 1.1.1.2 and 1.0.0.2
DoH: https://security.cloudflare-dns.com/dns-query
Block malware and porn:
IPv4: 1.1.1.3 and 1.0.0.3
DoH: https://family.cloudflare-dns.com/dns-query
Block nothing:
IPv4: 1.1.1.1 and 1.0.0.1
DoH: https://cloudflare-dns.com/dns-query
- NextDNS:
My personal preference is NextDNS which blocks ads and trackers. It is a free service, up to a point. You do not need an account to use NextDNS but there are advantages to creating one such as using Secure DNS and configuring block/allow lists. NextDNS allows you to create customized DNS profiles for a group of your devices, for a single device or even just for a single browser on one device. These customized profiles can have their own block/allow lists. NextDNS can also do logging, of both allowed and blocked DNS requests. Setup instructions for all supported operating systems are available on their website after you click on the blue Try it now button on the home page. This generates a free temporary account good for 7 days. The setup instructions will include IPv4 addresses for old insecure DNS. Unlike other DNS providers, these IP addresses seem to vary, but expect them to start with 45.90.
In the examples below, xxxxxx is the NextDNS profile ID. A NextDNS account can have one or more profile IDs. Generic refers to all devices/browsers that share a profile ID. Customized refers to naming a specific device/browser within a given profile. Customization is very useful when logging DNS requests.
DoT Generic: xxxxxx.dns.nextdns.io | Customized: MichaelFirefox-xxxxxx.dns.nextdns.io
DoH Generic: https://dns.nextdns.io/xxxxxx | Customized: https://dns.nextdns.io/xxxxxx/MichaelsLaptop
Chrome browser -> Use Secure DNS with Custom: same as DoH above
Firefox browser -> Enable DNS over HTTPS with Custom: same as DoH above
Android Private DNS Generic: xxxxxx.dns.nextdns.io | Customized: MichaelsFone-xxxxxx.dns.nextdns.io
For the Apple world (iOS and macOS) NextDNS has an Apple Configuration Profile Generator at apple.nextdns.io. On iOS 14 and later, iOS profiles are one way to specify DNS settings at the system level. Blocking things in the iOS Safari browser is a separate thing, supported via Safari extensions. An iOS profile file generated by NextDNS will include a NextDNS profile ID. As of Dec. 2023, the instructions for installing the iOS profile file seem fairly simple: Settings -> Profile Downloaded -> Install in the upper-right corner -> etc. How this works, or does not work, with an active VPN is not explained and I have not tested it.
NextDNS also has an iOS app. I tested app version 2.0.1 (29) on iOS version 17.2 in January 2024. After installing the app, you have to modify System settings at: Settings -> General -> VPN and Device Management -> DNS -> enable NextDNS. If you have a NextDNS account (you should) then you should configure the app to use a custom configuration. Toggle this option on and enter one of your NextDNS Configuration IDs (they are like profiles). If a parent is using DNS to restrict what a child does, then they would want to set an app run passcode to block the use of the NextDNS app. I verified that the app does, in fact, cause the device to use NextDNS - when a VPN is not running. However, with an active VPN connection to Mullvad, the system used the Mullvad DNS, not NextDNS. The Mullvad iOS app does allow for a custom DNS but you can only provide a single IP address, which does not allow for the use of NextDNS profiles.
NextDNS offers many configuration options. You do not need to change anything, but perhaps you should.
These articles/video offer some help in configuring your account.
- NextDNS-Config by Github user yokoffing. Very complete, often cited as a reference.
- A comprehensive guide to setting up NextDNS by Jake Anto Sept 4, 2023
- Privacy Toolkit: NextDNS by Stephen Bolen Sept 23, 2022
- The ULTIMATE Guide to Mastering NextDNS! video by Techlore. July 3, 2023. 42 minutes
- VPN company Mullvad offers free DNS services to the public, in addition to the DNS service they offer their customers. Mullvad is very trustworthy.
Their public DNS service has expanded over the years. When I first came across it, there were only two services: non-blocking (aka unfiltered) and ad blocking. Now (last verified June 2025) there are seven different services that can block combinations of: Ads, Trackers, Malware, Adult, Gambling and Social media. In addition, they still offer an unfiltered service.
This article is their main documentation and they have continually updated it.
DNS over HTTPS and DNS over TLS (last updated: April 22, 2025)
The article has setup instructions for web browsers, iOS, Android, Windows, macOS and Linux. I was very impressed with this Apple warning in their instructions: "Note: If you have enabled iCloud Private Relay then the DNS queries may go to DNS servers provided by Apple even if you use our DNS profile." For Windows, their instructions are for Windows 11 only. The article also links to their tester page where you can verify that their DNS service is actually being used. Two configuration examples are below.
To block ads, trackers and malware:
Server: base.dns.mullvad.net IP address: 194.242.2.4
To block ads, trackers, malware, adult and gambling:
Server: family.dns.mullvad.net IP address: 194.242.2.6
Mullvad customers can also choose from the same six categories of DNS blocking (ads, trackers, malware, gambling, social media, adult content) in the Mullvad VPN app. Customers get a toggle for each individual category so the configuration is more flexible than the free public service. If these categories are insufficient, Mullvad VPN customers can instead provide the IP address(es) of a custom DNS server.
In February 2023, Mullvad added a way to use their encrypted DNS service on macOS, iPadOS and iOS as per this article: Profiles to configure our encrypted DNS on Apple devices. These Apple Operating Systems require you to configure a "profile".
- Control D was released in 2021 by the developers of Windscribe. There are free and paid services and good luck drawing the line between them. There are about six standard configurations plus you can create a custom configuration. Quoting: "CONTROL D is a fully customizable DNS service, similar to Pi-Hole, AdGuard or NextDNS, but with proxy capabilities. This means it not only blocks things (ads, porn, etc), but can also unblock websites and services." More here. Their standard configurations include: no filtering; filtering malware; filtering malware, ads and tracking; filtering malware, ads, tracking and social; filtering malware, ads, tracking, Adult Content and Drugs. See too their blog Why You Should (and Shouldn't) Use Control D (June 2022). This may well be a fine service with many features (I have not used it), but I don't think they can explain it to non-techies.
- OpenDNS offers some malware protection by not resolving/translating known bad website names. They started out as an independent company but they are now owned by Cisco. They offer two free services for home use: Family Shield and Home. The difference between these services is not obvious. It seems that one requires an account, the other does not.
June 2025: Their setup instructions give the impression the service has been abandoned. For example, the instructions for web browsers are old and no longer accurate.
The setup instructions for operating systems include Windows XP, Vista, 7, 8 and 10. Nothing for Windows 11. As for iOS, the setup instructions are for version 10, which as of June 2025, is disgracefully ancient.
- AdGuard offers both free and commercial services and the line between them is confusing to me. They offer three DNS services, the main one blocks ads, tracking and phishing. Their Family Protection service does this too and adds the blocking of adult websites and a Safe search. They also have a non-filtering DNS service. They also offer installable ad-blocking software for Windows, Mac, Android and iOS. Their AdGuard DNS is in beta as of March 2022. For more see Connecting to a public AdGuard DNS server.
Blocks ads, tracking, phishing:
IPv4: 94.140.14.14 and 94.140.15.15
DoH: https://dns.adguard.com/dns-query
DoT: tls://dns.adguard.com
Family Protection:
IPv4: 94.140.14.15 and 94.140.15.16
DoH: https://dns-family.adguard.com/dns-query
DoT: tls://dns-family.adguard.com
- On iOS consider the Privacy DNS app by Disconnect. It is free and blocks trackers and ads. It also does encrypted DNS.
- The Clean Browsing Security Filter did very well at blocking malware according to the June 2023 article by Nexxwave (see it below). The article says they are based in Texas and they offer subscriptions for both families and businesses to provide their filtered DNS service. In addition to paying subscriptions, they also have a free DNS resolver that filters for phishing, spam and malware domain names.
THE EUROPEAN UNION AND DNS
- dns0.eu has shut down. As of October 2025 their website says: "The dns0.eu service has been discontinued. We would have liked to keep it running, but it was not sustainable for us in terms of time and resources. We recommend switching to DNS4EU or NextDNS."
- DNS4EU is billed as the European safe digital space. It is a free service that first went live in June 2025.
Quoting: "Supported by the European Union Agency for Cybersecurity (ENISA), the European Union's DNS4EU secure-infrastructure project provides a protective, privacy-compliant, and resilient DNS service to strengthen digital sovereignty and security for EU citizens, governments, and critical infrastructure."
They offer services for the Public in addition to other target audiences.
Note, however, this article by Jens Link that seems to be valid criticism both of the fact that they are not as EU focused as they claim and that their infrastructure is not as solid as it might be: How much EU is in DNS4EU? June 11, 2025.
And this article, from September 2025, is also critical: DNS4EU – a bit EU, a bit secure, a bit pointless from the Bad Cyber website.
For the general public, they offer five different DNS options/services. Each option supports both DNS over HTTPS (DoH) and DNS over TLS (DoT).
- Protective Resolution: Avoids websites with fraudulent or malicious content
- Protective + Child Protection: Also avoids websites inappropriate to children, such as sexual content, violence or drugs
- Protective + Ad blocking: Also hides advertisements on both websites and applications
- Protective + Child Protection + Ad blocking: Self-explanatory
- Unfiltered Resolution: Blocks nothing
There are detailed setup instructions for routers, browsers and multiple Operating Systems. The instructions are reasonably well done.
OTHER GOVERNMENTS AND DNS
- Governmental agencies in England can use a Protective Domain Name Service (PDNS) developed by their National Cyber Security Centre. It blocks malware, and is mandatory for parts of the UK government. I did not see anything about a Tester for the service.
- In Canada, their Canadian Shield seems very well done (I have not used it, my opinion is based on a review of their excellent documentation). It is a free service, available only in Canada, operated by the non-profit Canadian Internet Registration Authority (CIRA). CIRA works with the Canadian Centre for Cyber Security and all servers are located in Canada. There are three levels of service
- Private: No filtering. It is considered private because they do not keep client IP addresses longer than is needed. They do not attempt to relate a client IP address to a person or location or use it for marketing or resale purposes.
- Protected: on top of Private, this adds malware and phishing protection
- Family: On top of Protected, this adds the blocking of pornographic content. It does not block sites about drugs, gambling, or self-harm.
For more, see their Configuration guide. They even have a Configuration Tester. Good for them.
- For the U.S. Government, CISA started a DNS service in 2022. See CISA Launches its Protective DNS Resolver with General Availability for Federal Agencies September 27, 2022. It is only for FCEB agencies, whatever that means. The service blocks malware and is the exact opposite of the Canadian service in that CISA considers spying on their users a good thing. CISA has a Cyber Resource Hub with some links to PDF files. In January 2024, they warned about these links "These documents have features that may not work in certain web browsers. For best use, please open using Internet Explorer." They should be ashamed.
OTHER LISTS OF DNS PROVIDERS
TESTING DNS SERVICES
URLhaus is in the business of collecting, tracking and sharing malware URLs. Their Statistics page (in the Blocklist Comparison section) compares DNS providers in terms of blocking malware domains (they do not test ad or tracker blocking). Sadly the data is undated. When I checked in January 2025, the best were OpenBLD, Spamhaus DBL, ProtonDNS and dns0.eu DNS. Among the worst were SURBL, AdGuard DNS and Cloudflare DNS.
Nexxwave
Here too, the test is against malware domains, no ad blocking, no tracker blocking.
- September 9, 2024: Public DNS malware filters tested in September 2024 by Kris Lowet. In brief: ControlD was the best. Quad9, DNS0 and CleanBrowsing were excellent. Cloudflare for Families was miserable.
- June 5, 2023: Public DNS malware filters tested by Kris Lowet. The worst was Comodo Secure DNS which blocked nothing. Cloudflare for Families (1.1.1.2) was very bad, blocking only 13%. Quad9 blocked 78%. CleanBrowsing Security Filter blocked 87%. The two best services were dns0.eu and dns0.eu ZERO which both blocked 94%.
Years back there was an issue with the old insecure DNS system that let bad guys intercept an outbound request and forge a response. A fix was created that introduced more randomness in the source port and/or transaction ID of these old insecure DNS requests. Steve Gibson created a DNS spoofability test that evaluates how well a DNS server does in regard to this randomness. The test is a web page with no creation date and no last update date, but the bug/problem/issue first came to light in 2008. The test is not aware of the new secure DNS system, so probably best not to run it from a browser using secure DNS. That said, I tested it with Firefox v114 (June 2023 on Windows) that was using NextDNS for secure DNS. The tester picked up three NextDNS servers and they all tested very well.
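As an added illustration (not Steve Gibson's test and not code from the original page), this Python sketch looks at the two values that the fix randomized: the source port and the transaction ID of a resolver's outbound queries. The sample observations are constructed, and the bit estimate is a rough one based on the observed span of values.

```python
from math import log2

FIELD_SPACE = 2 ** 16   # source port and transaction ID are both 16-bit fields

def is_stepped(values, share=0.8):
    """True when most consecutive differences are one constant, i.e. a counter."""
    deltas = [(b - a) % FIELD_SPACE for a, b in zip(values, values[1:])]
    if not deltas:
        return False
    top = max(set(deltas), key=deltas.count)
    return deltas.count(top) / len(deltas) >= share

def field_report(name, values):
    """Return (finding or None, rough bits of unpredictability) for one field."""
    if len(set(values)) == 1:
        return f"fixed {name}", 0.0
    if is_stepped(values):
        return f"sequential {name}", 0.0
    # Rough estimate: treat the observed span as the range values are drawn from.
    return None, log2(max(values) - min(values) + 1)

def assess(samples):
    """samples: (source_port, transaction_id) pairs from one resolver's queries."""
    findings, bits = [], 0.0
    for name, values in (("source port", [p for p, _ in samples]),
                         ("transaction ID", [t for _, t in samples])):
        finding, field_bits = field_report(name, values)
        if finding:
            findings.append(finding)
        bits += field_bits
    return {"findings": findings, "bits": round(bits, 1)}

# Constructed observations, not captured from any real resolver.
TXIDS = [0x1A2B, 0xF00D, 0x0042, 0x9C31, 0x77E0, 0x3D15, 0xC4A8, 0x5B6F]
PORTS = [50112, 1311, 38977, 61002, 20457, 44790, 9123, 57321]
LEGACY = [(53, 4000 + i) for i in range(8)]   # fixed port, counting ID
FIXED_PORT = [(32768, t) for t in TXIDS]      # random ID, fixed port
RANDOMIZED = list(zip(PORTS, TXIDS))          # both fields vary

if __name__ == "__main__":
    for label, data in (("legacy", LEGACY), ("fixed port", FIXED_PORT),
                        ("randomized", RANDOMIZED)):
        print(label, assess(data))
```

The fewer bits a forger has to guess, the easier a forged response is to land; a resolver that varies both fields roughly doubles the bits compared with one that varies only the transaction ID.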
Page Created: March 13, 2022
Last Updated: December 21, 2025 11PM CT