Which public DNS resolvers keep the fewest logs, skip EDNS Client Subnet, and encrypt your lookups end to end — and what DNS privacy can't protect.
Updated ·8 min read
The short answer
The best DNS for privacy is a resolver that publishes a no-logging policy, disables EDNS Client Subnet, and supports encrypted DNS-over-HTTPS or DNS-over-TLS. Among widely used public resolvers, Cloudflare, Quad9, AdGuard DNS, and Control D fit that description — the differences come down to whether they also filter content and which jurisdiction they operate in.
Every claim below is drawn from the resolver's own published privacy policy, linked next to
each entry. Treat "no logging" as a stated policy, not something you can verify independently
from outside the resolver.
What "DNS privacy" actually covers
Every time your device visits a new site, it first asks a DNS resolver to translate the
domain name into an IP address. That lookup happens before the page ever starts loading, and
by default it travels in plain text over port 53 — anyone on the network path, including your
ISP, can see it. DNS privacy is about closing three separate gaps in that process:
Query logging. Does the resolver operator keep a record of which domains
you looked up, tied to your IP address, and for how long?
EDNS Client Subnet (ECS) leakage. Does the resolver forward part of your
IP address to third-party authoritative servers as part of the lookup?
Transport encryption. Is the lookup itself sent in plain text, or wrapped
in DNS-over-HTTPS (DoH) / DNS-over-TLS (DoT) so it can't be read or tampered with in
transit?
A resolver that scores well on all three still cannot make your internet activity invisible —
more on that limitation below. But it meaningfully reduces who can see and retain your
browsing pattern at the DNS layer.
Query logging and retention
Every public resolver operator can, in principle, log every query it receives: the domain
requested, the timestamp, and your source IP address. What differs is policy — whether they
choose to retain that data, for how long, and whether it's tied to your identity or
anonymized. A resolver's privacy policy is the only place this is actually stated; there is no
way to verify logging behavior purely by using the service. Look for resolvers that publish
specifics (a retention window measured in hours, not "as needed"), and prefer ones that have
published independent audits of their claims.
EDNS Client Subnet: the leak most people don't know about
EDNS Client Subnet is a DNS extension that lets a resolver include part of your IP address —
typically a /24 network prefix, not your exact address — when it asks an authoritative
nameserver for an answer. The purpose is legitimate: large CDNs use it to route you to a
geographically closer server, which can shave time off the very first connection to a new
site. The privacy cost is that the authoritative server, which may belong to a company you've
never directly interacted with, now learns a fragment of your network location on every
lookup that uses ECS. Resolvers built around privacy disable ECS by default, trading a
possible sliver of CDN-routing efficiency for not sharing your subnet with third parties.
How DoH and DoT encrypt your lookups
DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) both wrap the same DNS query inside an encrypted
channel — DoH inside a standard HTTPS request, DoT inside a dedicated TLS connection on port
853. Either way, the query is no longer readable in plain text as it crosses your Wi-Fi,
router, or ISP's network. That stops passive eavesdropping and casual tampering along the
path. It does not, on its own, change what the resolver itself does with your query once it
arrives — encryption protects the trip, not the destination's logging policy. That's why
transport encryption and a no-logging policy are two separate boxes to check, not one.
No-log resolvers with ECS disabled
Among the resolvers in our comparison, the following state a no-logging policy and do not use
EDNS Client Subnet by default. Addresses and privacy notes are pulled directly from each
provider's published information — verify against their own privacy policy before switching.
Highly customizable free resolvers — pick unfiltered, malware-blocking, ad-blocking, or family in one click.
Primary
76.76.2.0
Secondary
76.76.10.0
No-log: yes
DNSSEC: yes
Malware blocking: yes
Ad blocking: yes
Family filter: yes
Privacy feature comparison
A quick side-by-side of the properties that matter most for DNS privacy, beyond raw speed.
Privacy feature comparison of no-log DNS resolvers
Resolver
No-log policy
ECS disabled
Encrypted transport
DNSSEC
Cloudflare DNS
Yes
Yes
Yes
Yes
Quad9
Yes
Yes
Yes
Yes
AdGuard DNS
Yes
Yes
Yes
Yes
Control D
Yes
Yes
Yes
Yes
Reading each resolver's privacy note
Cloudflare DNS
No query logging to disk and no client IP retained; anonymized data is purged within 24 hours. Independently audited.
Quad9
Blocks malicious domains using threat intelligence and does not retain source IP addresses. Operated as a Swiss non-profit.
AdGuard DNS
Blocks ads and trackers at the DNS level and stores anonymized statistics only, with no personally identifying logs.
Control D
Offers several free, purpose-built resolvers (unfiltered, malware, ad-blocking, family) with a no-logging free tier.
What DNS privacy cannot do
Even a fully encrypted, no-log, ECS-free resolver leaves gaps. Your internet service provider
still sees the IP address every connection goes to, since that routing information has to be
visible for the connection to work at all. On most sites today, the TLS handshake also sends
the plaintext server name (SNI) — the hostname you're connecting to — before encryption fully
kicks in, so a network observer can often infer which site you visited even without seeing the
DNS lookup. Encrypted Client Hello (ECH) is starting to close that specific gap on supporting
sites, but it isn't universal yet. And a resolver's no-logging policy protects you from that
operator's own retention — it says nothing about your VPN provider, your browser, or apps on
your device, each of which can independently log or share your activity. Switching resolvers
is one layer of a broader privacy setup, not a complete solution by itself.
Verifying speed alongside privacy
Privacy and speed are separate questions, and this page only answers the first one. Once
you've picked a resolver whose policy fits your needs, run the free
DNS speed test from your own connection to confirm it also
answers quickly enough for daily use — the two goals don't have to trade off against each
other with the resolvers listed here.
Privacy DNS — frequently asked questions
What is the most private DNS resolver?
There is no single official ranking — but resolvers that publish a no-logging policy and disable EDNS Client Subnet (Cloudflare, Quad9, AdGuard, and Control D among them) go the furthest. Read each provider's own privacy policy, since wording and audits differ, and pick the one whose policy and feature set — filtering or not, jurisdiction, independent audits — matches what you need.
Does DNS privacy hide what I browse from my ISP?
No. Encrypting the DNS lookup (DoH or DoT) hides the domain name from your ISP and from anyone on the local network, but your ISP can still see the IP address you connect to and, on most sites, the plaintext server name (SNI) during the TLS handshake. A private DNS resolver changes who sees your lookups, not whether your connection itself is visible.
What is a no-log DNS resolver?
A no-log resolver states that it does not retain records tying your queries to your IP address or another identifier. Policies vary in detail — some purge raw logs within 24 hours and keep only anonymized, aggregated data; others go further. Always check the resolver's own privacy policy for specifics, since "no logging" is a claim, not a technical guarantee you can verify from outside.
What is EDNS Client Subnet (ECS) and why does it matter for privacy?
ECS is an optional extension that lets a resolver forward part of your IP address to the website's authoritative DNS server, so that server can route you to a nearby CDN location. It can improve performance for some sites, but it also means a third party learns a piece of your network location. Resolvers built for privacy disable ECS by default.
Is a secure DNS test the same as a speed test?
No. A speed test measures latency; it does not tell you whether a resolver logs your queries or leaks your subnet — that comes from reading the provider's stated policy, which is why this page lists it directly. You can still use the live DNS speed test to check that a privacy-respecting resolver is also fast enough on your connection.