Best DNS for privacy

Which public DNS resolvers keep the fewest logs, skip EDNS Client Subnet, and encrypt your lookups end to end — and what DNS privacy can't protect.

Updated 8 min read

The short answer

The best DNS for privacy is a resolver that publishes a no-logging policy, disables EDNS Client Subnet, and supports encrypted DNS-over-HTTPS or DNS-over-TLS. Among widely used public resolvers, Cloudflare, Quad9, AdGuard DNS, and Control D fit that description — the differences come down to whether they also filter content and which jurisdiction they operate in.

Every claim below is drawn from the resolver's own published privacy policy, linked next to each entry. Treat "no logging" as a stated policy, not something you can verify independently from outside the resolver.

What "DNS privacy" actually covers

Every time your device visits a new site, it first asks a DNS resolver to translate the domain name into an IP address. That lookup happens before the page ever starts loading, and by default it travels in plain text over port 53 — anyone on the network path, including your ISP, can see it. DNS privacy is about closing three separate gaps in that process:

A resolver that scores well on all three still cannot make your internet activity invisible — more on that limitation below. But it meaningfully reduces who can see and retain your browsing pattern at the DNS layer.

Query logging and retention

Every public resolver operator can, in principle, log every query it receives: the domain requested, the timestamp, and your source IP address. What differs is policy — whether they choose to retain that data, for how long, and whether it's tied to your identity or anonymized. A resolver's privacy policy is the only place this is actually stated; there is no way to verify logging behavior purely by using the service. Look for resolvers that publish specifics (a retention window measured in hours, not "as needed"), and prefer ones that have published independent audits of their claims.

EDNS Client Subnet: the leak most people don't know about

EDNS Client Subnet is a DNS extension that lets a resolver include part of your IP address — typically a /24 network prefix, not your exact address — when it asks an authoritative nameserver for an answer. The purpose is legitimate: large CDNs use it to route you to a geographically closer server, which can shave time off the very first connection to a new site. The privacy cost is that the authoritative server, which may belong to a company you've never directly interacted with, now learns a fragment of your network location on every lookup that uses ECS. Resolvers built around privacy disable ECS by default, trading a possible sliver of CDN-routing efficiency for not sharing your subnet with third parties.

How DoH and DoT encrypt your lookups

DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) both wrap the same DNS query inside an encrypted channel — DoH inside a standard HTTPS request, DoT inside a dedicated TLS connection on port 853. Either way, the query is no longer readable in plain text as it crosses your Wi-Fi, router, or ISP's network. That stops passive eavesdropping and casual tampering along the path. It does not, on its own, change what the resolver itself does with your query once it arrives — encryption protects the trip, not the destination's logging policy. That's why transport encryption and a no-logging policy are two separate boxes to check, not one.

No-log resolvers with ECS disabled

Among the resolvers in our comparison, the following state a no-logging policy and do not use EDNS Client Subnet by default. Addresses and privacy notes are pulled directly from each provider's published information — verify against their own privacy policy before switching.

Cloudflare DNS

Cloudflare

The fastest major resolver on most connections, with a strong no-logging privacy stance and no default filtering.

Primary
1.1.1.1
Secondary
1.0.0.1
  • No-log : yes
  • DNSSEC : yes
  • Malware blocking : no
  • Ad blocking : no
  • Family filter : no
Read the full review

Quad9

Quad9 Foundation

A security-first non-profit resolver that blocks known malicious domains and keeps no source-IP logs.

Primary
9.9.9.9
Secondary
149.112.112.112
  • No-log : yes
  • DNSSEC : yes
  • Malware blocking : yes
  • Ad blocking : no
  • Family filter : no
Read the full review

AdGuard DNS

AdGuard

Blocks ads, trackers, and malware for every device on your network without installing anything.

Primary
94.140.14.14
Secondary
94.140.15.15
  • No-log : yes
  • DNSSEC : yes
  • Malware blocking : yes
  • Ad blocking : yes
  • Family filter : no
Read the full review

Control D

Windscribe

Highly customizable free resolvers — pick unfiltered, malware-blocking, ad-blocking, or family in one click.

Primary
76.76.2.0
Secondary
76.76.10.0
  • No-log : yes
  • DNSSEC : yes
  • Malware blocking : yes
  • Ad blocking : yes
  • Family filter : yes

Privacy feature comparison

A quick side-by-side of the properties that matter most for DNS privacy, beyond raw speed.

Privacy feature comparison of no-log DNS resolvers
Resolver No-log policy ECS disabled Encrypted transport DNSSEC
Cloudflare DNS Yes Yes Yes Yes
Quad9 Yes Yes Yes Yes
AdGuard DNS Yes Yes Yes Yes
Control D Yes Yes Yes Yes

Reading each resolver's privacy note

Cloudflare DNS
No query logging to disk and no client IP retained; anonymized data is purged within 24 hours. Independently audited.
Quad9
Blocks malicious domains using threat intelligence and does not retain source IP addresses. Operated as a Swiss non-profit.
AdGuard DNS
Blocks ads and trackers at the DNS level and stores anonymized statistics only, with no personally identifying logs.
Control D
Offers several free, purpose-built resolvers (unfiltered, malware, ad-blocking, family) with a no-logging free tier.

What DNS privacy cannot do

Even a fully encrypted, no-log, ECS-free resolver leaves gaps. Your internet service provider still sees the IP address every connection goes to, since that routing information has to be visible for the connection to work at all. On most sites today, the TLS handshake also sends the plaintext server name (SNI) — the hostname you're connecting to — before encryption fully kicks in, so a network observer can often infer which site you visited even without seeing the DNS lookup. Encrypted Client Hello (ECH) is starting to close that specific gap on supporting sites, but it isn't universal yet. And a resolver's no-logging policy protects you from that operator's own retention — it says nothing about your VPN provider, your browser, or apps on your device, each of which can independently log or share your activity. Switching resolvers is one layer of a broader privacy setup, not a complete solution by itself.

Verifying speed alongside privacy

Privacy and speed are separate questions, and this page only answers the first one. Once you've picked a resolver whose policy fits your needs, run the free DNS speed test from your own connection to confirm it also answers quickly enough for daily use — the two goals don't have to trade off against each other with the resolvers listed here.

Privacy DNS — frequently asked questions

What is the most private DNS resolver?

There is no single official ranking — but resolvers that publish a no-logging policy and disable EDNS Client Subnet (Cloudflare, Quad9, AdGuard, and Control D among them) go the furthest. Read each provider's own privacy policy, since wording and audits differ, and pick the one whose policy and feature set — filtering or not, jurisdiction, independent audits — matches what you need.

Does DNS privacy hide what I browse from my ISP?

No. Encrypting the DNS lookup (DoH or DoT) hides the domain name from your ISP and from anyone on the local network, but your ISP can still see the IP address you connect to and, on most sites, the plaintext server name (SNI) during the TLS handshake. A private DNS resolver changes who sees your lookups, not whether your connection itself is visible.

What is a no-log DNS resolver?

A no-log resolver states that it does not retain records tying your queries to your IP address or another identifier. Policies vary in detail — some purge raw logs within 24 hours and keep only anonymized, aggregated data; others go further. Always check the resolver's own privacy policy for specifics, since "no logging" is a claim, not a technical guarantee you can verify from outside.

What is EDNS Client Subnet (ECS) and why does it matter for privacy?

ECS is an optional extension that lets a resolver forward part of your IP address to the website's authoritative DNS server, so that server can route you to a nearby CDN location. It can improve performance for some sites, but it also means a third party learns a piece of your network location. Resolvers built for privacy disable ECS by default.

Is a secure DNS test the same as a speed test?

No. A speed test measures latency; it does not tell you whether a resolver logs your queries or leaks your subnet — that comes from reading the provider's stated policy, which is why this page lists it directly. You can still use the live DNS speed test to check that a privacy-respecting resolver is also fast enough on your connection.