
Private DNS Setup Guide: Stop Your ISP From Logging Every Domain You Visit

Every time you open a site, your device makes a DNS lookup to turn a domain into an IP address. By default that request goes out in plain text, often to your ISP's resolver. Your ISP can log the domain, the time, and the pattern. Encrypted DNS fixes that with little cost. DNS-over-HTTPS is defined in IETF RFC 8484 and wraps DNS inside HTTPS so your ISP cannot read the lookup.

Key points

• What encrypted DNS does not fix: Websites still see your IP address, and your ISP still sees the IP addresses you connect to and, for most TLS connections, the plaintext server name in the handshake. Encrypted DNS is not a VPN. It hides domain lookups from your ISP's resolver. It does not make you anonymous. For IP privacy, pair it with a no-logs VPN.
• Zero ISP DNS logs once encrypted DNS is configured: DoH/DoT hides domain names from your ISP's resolver.
• Port 53 is the plain DNS port exposed to your ISP by default: UDP/TCP port 53 is unencrypted and easy to log.
• Port 853 is the DNS-over-TLS port (RFC 7858). DoH uses HTTPS on port 443 (RFC 8484).
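A worked example of what the RFC 8484 transport actually carries, added here as an illustration and not code from this guide or from Mullvad: it builds the 29-byte wire-format query for example.com, encodes it into the GET form (base64url without padding in the dns parameter), shows the POST form with the application/dns-message content type, and parses a response. The response bytes are constructed inline so the example runs offline; the live query in the main block goes to Mullvad's published DoH endpoint https://dns.mullvad.net/dns-query and is skipped when there is no network. The 192.0.2.1 answer is a documentation-range placeholder, not a real record.

```python
"""Build and parse DNS-over-HTTPS (RFC 8484) messages with the standard library only."""
import base64
import ipaddress
import struct
import urllib.request

DOH_CONTENT_TYPE = "application/dns-message"
MULLVAD_DOH_URL = "https://dns.mullvad.net/dns-query"  # Mullvad's published DoH endpoint
QTYPE_A, QTYPE_AAAA = 1, 28


def encode_name(name: str) -> bytes:
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """12-byte header (RD set, one question) plus the question section.
    RFC 8484 section 4.1 recommends ID 0 so identical queries share HTTP caches."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(query: bytes, base_url: str = MULLVAD_DOH_URL) -> str:
    """GET form: base64url without '=' padding in the 'dns' parameter (RFC 8484 section 6)."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def doh_post(query: bytes, url: str = MULLVAD_DOH_URL, timeout: float = 5.0) -> bytes:
    """POST form: the raw DNS message is the body. Needs network access."""
    req = urllib.request.Request(
        url, data=query, method="POST",
        headers={"Content-Type": DOH_CONTENT_TYPE, "Accept": DOH_CONTENT_TYPE},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def read_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(data: bytes):
    """Return (rcode, [(name, type, ttl, rdata_as_text), ...]) for the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):                 # skip the echoed question
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        value = str(ipaddress.ip_address(rdata)) if rtype in (QTYPE_A, QTYPE_AAAA) else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return flags & 0xF, answers


# Constructed response (not captured from a resolver): NOERROR, one A record for
# example.com with the documentation address 192.0.2.1, TTL 300, answer name
# compressed as a pointer back to the question at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE_A, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("GET", doh_get_url(q))
    print("offline sample:", parse_response(SAMPLE_RESPONSE))
    try:                                     # live query; skipped quietly when offline
        print("live:", parse_response(doh_post(q)))
    except OSError as exc:
        print("live query skipped:", exc)
```

The base64url string the GET form produces for example.com begins with AAABAAABAAAAAAAA, the same prefix as the example in RFC 8484 section 4.1.1, because the header bytes (ID 0, RD set, one question) are identical. A resolver that only accepts plain port-53 queries will not answer either form; a resolver that supports DoH returns the same message format the parser handles.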

Choosing a DNS Provider

Private DNS provider comparison

Provider | Jurisdiction | Logs | Audit | Notes
Mullvad DNS | Sweden | No logs | Cure53 ✓ | Optional blocking. Best default pick.
Quad9 | Switzerland | No logs | Partial | Non-profit. DNSSEC. Good malware blocking.
NextDNS | US | Optional | No | Strong features. US jurisdiction is the catch.
Self-hosted Unbound | Your hardware | You control | N/A | Most control. More work.

Mullvad DNS is the default answer here: Swedish jurisdiction, outside investors kept at a distance, and a public audit trail. Quad9 is close behind. It is a Swiss non-profit and moved its headquarters to Zürich for better legal protection. NextDNS has the nicest control panel, but it is still a US company. For sensitive traffic, that matters.

Setup: Android (Simplest)

Android 9+ already has Private DNS built in. No extra app needed. It speaks DNS-over-TLS (port 853) to the hostname you enter, so the hostname must be one the provider serves over DoT (both providers below do).

1. Go to Settings → Network & Internet → Private DNS (on some versions it sits under Advanced; the exact path varies by vendor).
2. Select "Private DNS provider hostname" and enter one of:
  • dns.mullvad.net  Mullvad DNS (recommended)
  • dns.quad9.net  Quad9 with malware blocking and DNSSEC validation
  • dns10.quad9.net  Quad9 without malware blocking (and without DNSSEC validation)
  Avoid dns11.quad9.net for this purpose: that endpoint enables EDNS Client Subnet, which passes part of your IP address on to authoritative servers.
3. Verify: Visit dnsleaktest.com → Extended Test. You should see only Mullvad or Quad9. If your carrier's DNS shows up, the setup failed. Android also reports an error under the same setting if it cannot reach the hostname over DoT, which is what a network that blocks port 853 looks like.

Setup: iOS (Requires Configuration Profile)

iOS has no simple built-in Private DNS switch. You need a configuration profile or an app, and either route needs iOS 14 or later.

1. Download Mullvad's iOS DNS profile from mullvad.net/en/help/dns-over-https-and-dns-over-tls. Use the DNS-over-HTTPS profile.
2. Install the profile: Open the file, then go to Settings → General → VPN & Device Management, tap the Mullvad DNS profile, and install it.
3. Alternative: the DNSCloak app gives you a simple interface for DoH without manual profile work. It works with Mullvad and Quad9.

Setup: Windows

Windows 11 supports DoH natively. Windows 10 needs a workaround.

1. Windows 11: Settings → Network & Internet → Wi-Fi (or Ethernet) → Hardware properties → DNS server assignment → Edit → Manual → toggle IPv4 on → enter 194.242.2.2 (Mullvad DNS) → set DNS over HTTPS to "On (manual template)" and enter https://dns.mullvad.net/dns-query as the template. "On (automatic template)" only works for resolvers on Windows' built-in list (Quad9's 9.9.9.9 is on it; Mullvad's address is not). If your network has IPv6, set the IPv6 DNS the same way with the provider's IPv6 address, otherwise IPv6 lookups can still go to the ISP resolver.
2. Windows 10 / alternative method: Install dnscrypt-proxy, point Windows DNS to 127.0.0.1, and let the proxy forward queries to Mullvad or Quad9 over DoH (dnscrypt-proxy speaks DoH and DNSCrypt; it does not do DoT).

Setup: macOS

macOS needs either a profile (macOS 11 or later) or a third-party app. There is no plain GUI toggle for DoH.

1. Use Lockdown Privacy from the App Store if you want the easy route. It can send DNS through Quad9, Cloudflare, or a custom provider.
2. Or install a configuration profile using the same general method as iOS. Mullvad and Quad9 both publish profiles for macOS.

Setup: Router (Protects Every Device at Home)

Router-level encrypted DNS covers every device on your home network, including smart TVs, IoT junk, and anything else that ignores local settings.

1. OpenWrt or DD-WRT routers: Install stubby or unbound as a local DoT resolver that forwards to Quad9 or Mullvad on port 853, then point the router's own DNS service (dnsmasq on OpenWrt) at it so every DHCP client inherits it.
2. Standard consumer routers: Many newer Asus, Netgear, and TP-Link routers now include a DoT or Encrypted DNS setting in the WAN menu. Enter dns.quad9.net with 9.9.9.9 (malware blocking) or dns.mullvad.net with 194.242.2.2.
Router DNS caveat: This only helps when you are on that home network. On mobile data or other WiFi, devices fall back to whatever the network gives them. Set up encrypted DNS on the device too.

The VPN + DNS Interaction

When the VPN is on, DNS usually goes through the VPN provider's resolver and overrides your normal system setting. Here is what that means in practice:

Verifying Your Configuration

# Test 1: DNS leak test (web)
# Visit: dnsleaktest.com → Extended Test
# Should show ONLY your chosen provider (Mullvad, Quad9)
# If your ISP appears: your encrypted DNS config is not in effect

# Test 2: Check what DNS server you're using (Linux/macOS terminal)
resolvectl status         # Linux (systemd-resolved); also check for DNSOverTLS in the Protocols line
scutil --dns | grep nameserver  # macOS

# Test 3: Confirm the transport is actually encrypted (not just a different resolver)
# A leak test only identifies which resolver answered; it cannot tell a plaintext
# query to 9.9.9.9 from a DoT or DoH one. Capture the machine's own traffic while
# you browse: any UDP or TCP packet leaving to port 53 on a non-loopback address
# is plaintext DNS and means you are still leaking. Encrypted lookups show up only
# as TLS to port 853 (DoT) or HTTPS to port 443 (DoH).
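The transport check from Test 3 in script form, added as an example and not part of this guide or of any tool it names: it reads tcpdump -n output and flags every DNS query sent to port 53 on a non-loopback address as plaintext, while port-53 traffic to a local stub on 127.0.0.1 and TLS connections to port 853 pass. The capture lines embedded below are constructed, not real traffic; 203.0.113.53 and 2001:db8:ffff::53 stand in for ISP resolvers, and the script name used in the usage note is an assumption.

```python
"""Flag plaintext DNS in tcpdump -n output; port 53 to a non-loopback host is a leak."""
import ipaddress
import re
import sys

# Address/port pairs of a tcpdump -n line, IPv4 or IPv6, with or without the
# interface and direction columns newer tcpdump prints for -i any.
PACKET_RE = re.compile(r"\bIP6? (\S+)\.(\d+) > (\S+)\.(\d+):")
# Query name as tcpdump renders it: "... 4321+ A? example.com. (29)"
QUERY_RE = re.compile(r"\s(\S+)\? (\S+?)\.? \(\d+\)$")

PLAIN_DNS_PORT = 53
DOT_PORT = 853


def classify(line: str):
    """("leak", dst, qname) for plaintext DNS to a non-loopback resolver,
    ("local", ...) for a stub on loopback, ("dot", ...) for port 853,
    None for responses and unrelated lines."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    dst, dport = m.group(3), int(m.group(4))
    try:
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    q = QUERY_RE.search(line.rstrip("\n"))
    qname = q.group(2) if q else None
    if dport == DOT_PORT:
        return ("dot", dst, qname)
    if dport != PLAIN_DNS_PORT:
        return None            # responses have source port 53, not destination
    if dst_ip.is_loopback:
        return ("local", dst, qname)
    return ("leak", dst, qname)


def find_leaks(capture: str):
    """Batch form: all plaintext leaks in a block of tcpdump output."""
    results = (classify(line) for line in capture.splitlines())
    return [r for r in results if r and r[0] == "leak"]


# Constructed sample (not real traffic), shaped like `tcpdump -n -l -i any 'port 53 or port 853'`.
# Lines 1-2: local stub on loopback. Line 3: DoT handshake to Mullvad. Lines 4-6: leaks.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 127.0.0.1.51234 > 127.0.0.1.53: 1234+ A? example.com. (29)
12:00:01.000002 IP 127.0.0.1.53 > 127.0.0.1.51234: 1234 1/0/0 A 192.0.2.1 (45)
12:00:01.000003 IP 192.168.1.23.45678 > 194.242.2.2.853: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 IP 192.168.1.23.60000 > 203.0.113.53.53: 9999+ A? tracker.example.net. (37)
12:00:02.000005 IP6 2001:db8::10.40000 > 2001:db8:ffff::53.53: 1+ AAAA? example.org. (29)
12:00:03.000006 wlan0 Out IP 192.168.1.23.43210 > 9.9.9.9.53: 4242+ A? example.com. (29)
"""


def main() -> int:
    """Streaming form for a live tcpdump pipe; exit 1 if anything leaked."""
    leaked = False
    for line in sys.stdin:
        r = classify(line)
        if r and r[0] == "leak":
            leaked = True
            print(f"PLAINTEXT DNS to {r[1]}: {r[2] or '(non-query packet)'}", flush=True)
    return 1 if leaked else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it live with sudo tcpdump -n -l -i any 'port 53 or port 853' | python3 dns_leak_watch.py (the -l flag keeps tcpdump line-buffered) and browse for a minute: a clean setup prints nothing. Note that the last sample line, a query straight to 9.9.9.9 on port 53, is exactly the case dnsleaktest.com would report as "Quad9, all good" even though the lookup went out in plaintext.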

Advanced: Self-Hosted DNS with Unbound

If you do not want a public resolver in the path, run Unbound on a VPS outside Five Eyes countries. It acts as a recursive resolver and talks to authoritative DNS servers directly. Be clear about what actually moves: the VPS provider can still observe the queries leaving the box, and each authoritative server sees the VPS's address instead of yours.

# On a VPS (Debian/Ubuntu):
sudo apt install unbound

# /etc/unbound/unbound.conf basic privacy-hardened config.
# Plain DNS is answered on loopback only; your devices reach the box over
# DNS-over-TLS on port 853. The certificate and key paths are placeholders for
# whatever you issue for the VPS hostname (for example with Let's Encrypt).
server:
    interface: 127.0.0.1
    interface: 0.0.0.0@853
    port: 53
    tls-port: 853
    tls-service-key: "/etc/unbound/dot-key.pem"    # placeholder path
    tls-service-pem: "/etc/unbound/dot-cert.pem"   # placeholder path
    access-control: 0.0.0.0/0 allow   # required for remote clients; narrow it to
                                      # your own networks if they have fixed addresses
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    hide-identity: yes    # Don't reveal server identity
    hide-version: yes     # Don't reveal version
    qname-minimisation: yes  # QNAME minimisation (privacy)
    val-log-level: 0
    use-caps-for-id: yes  # DNS 0x20 encoding (spoofing resistance)

# Validate the file before restarting:
sudo unbound-checkconf && sudo systemctl restart unbound

# Point your devices at the VPS hostname over DoT (port 853): Android Private DNS
# takes the hostname directly; elsewhere use a local DoT stub such as stubby.

In this setup, your ISP sees TLS traffic to your VPS on port 853, not DNS lookups. The VPS still sends standard plaintext queries onward to the authoritative servers (QNAME minimisation keeps each of them from seeing more of the name than it needs), but you control the box doing it.


Cunicula receives no funding from DNS providers. Mullvad DNS, Quad9, and NextDNS are all independently operated services. Our recommendation is based on jurisdiction, audit history, and business model.

Follow the Money

DNS data makes money. ISPs can sell query data. Ad-tech giants use it to feed bigger tracking systems. A privacy-first resolver cuts that off.

DNS data monetisation and the case for private resolvers:

• ISP DNS: the default resolver path. The incentive is simple: log what people look up and turn it into another data product.
• Ad-tech DNS: big-name DNS services can feed wider security, analytics, or ad businesses. Free usually means the data pays.
• Privacy alternatives: Mullvad DNS and Quad9 do not need an ad business to justify the service. That changes the incentives.

Frequently Asked Questions

What does encrypted DNS actually protect you from?

Encrypted DNS hides your domain lookups from your ISP. Without it, DNS requests are plain text and your provider can log every domain you query. DoH and DoT encrypt that step. They do not hide your IP from websites, replace a VPN, or stop the DNS provider itself from seeing your queries.

Which private DNS provider is most trustworthy?

Mullvad DNS is the top pick for most people: Swedish jurisdiction, Cure53 audit, and a long no-logs track record from the same company behind Mullvad VPN. Quad9 is a strong second choice with Swiss non-profit status and good malware blocking. NextDNS has strong features, but US jurisdiction makes it a weaker choice for sensitive use.

If I use a VPN, do I still need to configure private DNS?

Usually no while the VPN is connected, because most good VPNs route DNS through their own resolver. You may still want encrypted DNS at the system level for split-tunnel apps or for the moment the VPN drops.

How do I check if my DNS is actually private?

Go to dnsleaktest.com and run the extended test. You should see only your chosen DNS provider. If your ISP shows up, your setup is leaking. ipleak.net is another quick check. Both tests identify the resolver that answered, not how your queries reached it; to confirm the transport is encrypted, check that no port-53 traffic leaves your device to anything but a local stub.