Best DNS-over-HTTPS Providers in 2026: Privacy DNS Compared
DNS is the layer of the internet most people never think about. Every time you visit a website, your device asks a DNS server “what’s the IP address for example.com?” — and your DNS provider sees every domain you visit. By default, that’s your ISP, which logs and (in many cases) sells that data.
DNS-over-HTTPS (DoH) encrypts your DNS queries and routes them to a provider of your choice. Done right, this single change is one of the highest-ROI privacy upgrades available — bigger than any VPN for most users’ threat models.
We tested 8 DoH providers on speed, privacy, content filtering, and reliability. Here’s the verdict.
TL;DR
| Goal | Best provider |
|---|---|
| Privacy maximalism | Mullvad DNS |
| Best balance privacy + features | NextDNS (mid-paid) |
| Speed-first | Cloudflare 1.1.1.1 |
| Ad/tracker blocking built-in | NextDNS or AdGuard DNS |
| Default that anyone should use | Cloudflare 1.1.1.1 or Quad9 |
The honest verdict: Almost any of the 8 is a dramatic improvement over your ISP’s DNS. Don’t agonize over the choice — pick one and move on.
What DoH actually does
Without DoH:
– Your device asks the configured DNS server for IP addresses
– Default DNS is usually your ISP’s (or whatever your router uses)
– ISP sees every domain you visit
– ISP can log it, sell it (legal in many countries; in the US since 2017), or block specific domains
With DoH:
– Your device sends DNS queries over encrypted HTTPS to your chosen provider
– ISP sees encrypted traffic to (say) 1.1.1.1; can’t decode the queries
– Your chosen DNS provider sees the queries (you trade ISP trust for DoH provider trust)
The threat shifted: Instead of trusting your ISP not to log/sell, you trust your DoH provider. Most DoH providers have privacy policies dramatically better than ISPs.
Why DoH matters beyond ISP privacy
DNS queries can be the easiest place for surveillance/censorship to operate:
- Public Wi-Fi networks (cafe, airport, hotel) can log DNS queries by default. DoH defeats this.
- Some countries mandate ISP-level DNS-based content blocking. DoH bypasses this.
- Workplace networks sometimes inspect DNS for monitoring. DoH bypasses casual monitoring (sophisticated network admins can detect and block DoH if they want).
- Default network DNS leaks when using a VPN (the VPN may not protect DNS by default). Explicit DoH ensures DNS goes where you intend.
The 8 providers we tested
1. Cloudflare 1.1.1.1
Endpoint: 1.1.1.1, 1.0.0.1
Privacy policy: Logs aggregated for 24 hours, then purged
Speed: Very fast (typically <10ms)
Filtering: None by default; 1.1.1.2 blocks malware; 1.1.1.3 blocks malware + adult
Free: Yes
Audited: Yes (KPMG)
Verdict: Industry standard. Fast, free, audit-supported privacy. Default recommendation if you don’t have specific needs.
2. Quad9 (9.9.9.9)
Endpoint: 9.9.9.9
Privacy policy: No personal data logged
Speed: Fast (10-20ms typically)
Filtering: Blocks known malicious domains by default
Free: Yes
Funded by: Swiss non-profit (Global Cyber Alliance + others)
Verdict: Excellent default with built-in malware blocking. Swiss non-profit governance is appealing for privacy-focused users.
3. NextDNS
Endpoint: Personalized (your custom endpoint URL)
Privacy policy: Logs only stored if you opt in
Speed: Fast
Filtering: Extensive customization (block ads, trackers, malware, adult content, etc.)
Free: Yes up to 300K queries/mo; paid above
Audited: No formal audit
Verdict: Best for users who want fine-grained control. The interface for configuring blocking is excellent.
4. AdGuard DNS
Endpoint: dns.adguard-dns.com (DoH endpoint)
Privacy policy: No logging
Speed: Fast
Filtering: Default tier blocks ads/trackers; family tier blocks adult content
Free: Yes
Audited: No formal audit
Verdict: Better than Cloudflare for users specifically wanting ad blocking. AdGuard the company is in Cyprus.
5. Mullvad DNS
Endpoint: dns.mullvad.net
Privacy policy: No logs (Mullvad’s core proposition)
Speed: Fast in Europe, moderate elsewhere
Filtering: Optional tiers for ads, malware, trackers, adult
Free: Yes (separate from Mullvad VPN)
Audited: Yes
Verdict: Best for privacy maximalists. Even free, available to anyone. Swedish jurisdiction. RAM-only servers.
6. ControlD
Endpoint: Personalized
Privacy policy: Logs only with user opt-in
Speed: Fast
Filtering: Extensive — pre-configured profiles or custom rules
Free: Yes (limited); paid ($2-5/mo) for more features
Audited: No
Verdict: Niche but powerful for advanced users.
7. Google Public DNS (8.8.8.8)
Endpoint: 8.8.8.8, 8.8.4.4 (DoH at dns.google)
Privacy policy: Logs for 24-48 hours; full IP and permanent logging of personally identifiable info “may” occur
Speed: Very fast
Filtering: None
Free: Yes
Verdict: Fast and reliable but Google’s DNS has all the privacy concerns of “free service from Google.” Not recommended if privacy matters.
8. OpenDNS (now Cisco Umbrella)
Endpoint: 208.67.222.222, 208.67.220.220
Privacy policy: Mixed
Speed: Fast
Filtering: Family/business tiers with extensive blocking
Free: Yes for personal
Verdict: OK but Cisco ownership reduces the “neutral free DNS” appeal. Better alternatives exist.
Speed test results
Tested from US East with default routing, 100 lookups per provider:
| Provider | Avg latency | P95 latency |
|---|---|---|
| Cloudflare | 8ms | 14ms |
| Quad9 | 12ms | 22ms |
| AdGuard | 13ms | 25ms |
| Google | 9ms | 17ms |
| NextDNS | 15ms | 28ms |
| Mullvad | 18ms | 38ms |
| ControlD | 14ms | 26ms |
| OpenDNS | 16ms | 30ms |
Differences usually imperceptible to users (sub-50ms in all cases). Cloudflare is fastest; Mullvad slightly slower due to European routing.
Filtering capabilities
If you want DNS to also block ads, trackers, malware:
| Provider | Ad blocking | Tracker blocking | Malware | Custom rules |
|---|---|---|---|---|
| Cloudflare 1.1.1.1 | No | No | Tiered (.2 or .3) | No |
| Quad9 | Limited | Limited | Yes | No |
| AdGuard DNS | Yes | Yes | Yes | Yes (paid) |
| NextDNS | Yes (customizable) | Yes | Yes | Yes |
| Mullvad DNS | Optional | Optional | Optional | No |
| ControlD | Yes | Yes | Yes | Yes (paid) |
For ad blocking alone: NextDNS or AdGuard DNS are best.
For privacy + ad blocking: Mullvad DNS or NextDNS.
How to actually enable DoH
macOS / iOS / iPadOS
Method 1: Profile installation (easiest)
– Most providers (NextDNS, Cloudflare, Mullvad) offer downloadable profiles
– Click the profile → System Preferences → install → enable
– Works system-wide
Method 2: Configure in Network settings (macOS)
– System Preferences → Network → your connection → Details → DNS
– Set DNS servers manually (Cloudflare: 1.1.1.1, 1.0.0.1)
– This sets standard DNS, not DoH. For real DoH you need the profile method or app-level config.
Windows 11
Settings → Network & Internet → DNS settings
– Choose Custom
– Set primary and secondary DNS
– Enable “DNS over HTTPS” toggle
– This works system-wide
For Windows 10: requires registry tweak or third-party app.
Android
Method 1: Settings (Android 9+)
– Settings → Network → Private DNS
– Enter the DoH hostname (e.g., “1dot1dot1dot1.cloudflare-dns.com”)
– Save
Method 2: VPN-like app (NextDNS, Cloudflare 1.1.1.1 app)
– Install app
– Toggle on
– Works system-wide
Router-level
Best long-term solution. All devices on your network get DoH automatically.
- OPNsense / pfSense: Native DoH support, configurable
- OpenWRT: DoH via Unbound or stubby package
- Asus AsusWRT-Merlin: DoH supported in recent firmware
- Stock router firmware: Usually no DoH support; consider replacing
Common mistakes
Mistake 1: Configuring DNS settings without enabling DoH. Just setting “1.1.1.1” as your DNS uses unencrypted DNS. You need explicit DoH configuration (profile, app, or DoT in some cases).
Mistake 2: Setting DoH on your VPN-connected device. Some VPNs have their own DNS; configuring DoH separately can cause leaks or conflicts. Test with dnsleaktest.com.
Mistake 3: Using one provider for everything. Many users use Mullvad DNS for their devices AND Cloudflare’s encrypted DNS via NextDNS for filtering. Multi-layer setups work.
Mistake 4: Assuming DoH replaces VPN. It doesn’t. DoH protects DNS only. VPN protects all traffic. They complement each other.
What about DNSCrypt and DNS-over-TLS (DoT)?
Same idea as DoH but different protocols:
- DoH: HTTPS-encapsulated, port 443 (looks like normal web traffic)
- DoT: Dedicated TLS connection, port 853 (identifiable as DNS by port)
- DNSCrypt: Older protocol, less commonly used today
For most users, DoH is the default. DoT works on Android natively. DNSCrypt is niche.
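Mistake 1 and the port split above can be checked against your own traffic. This added example (not from the original article) audits `tcpdump -n` output: names sent to port 53 are readable on the wire, while flows to 853 and 443 expose none. The capture lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output; addresses and names are illustrative.
CAPTURE = """\
12:00:01.000100 IP 192.168.1.10.51234 > 1.1.1.1.53: 4660+ A? example.com. (29)
12:00:01.020300 IP 192.168.1.10.40022 > 1.1.1.1.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
12:00:02.110000 IP 192.168.1.10.40980 > 9.9.9.9.853: Flags [P.], seq 1:240, ack 1, win 502, length 239
12:00:03.500000 IP 192.168.1.10.51235 > 192.168.1.1.53: 4661+ AAAA? intranet.example. (34)
"""

LINE = re.compile(r"IP (?P<src>\S+) > (?P<dst>[\d.]+)\.(?P<port>\d+): (?P<rest>.*)")
QUESTION = re.compile(r"\b(?P<qtype>[A-Z]+)\? (?P<name>\S+)")
TRANSPORT = {53: "plaintext DNS", 853: "DoT", 443: "HTTPS (possibly DoH)"}

def audit(capture: str):
    """Return (per-transport flow counts, names readable by an on-path observer)."""
    counts, leaked = Counter(), []
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        port = int(m["port"])
        counts[TRANSPORT.get(port, "other")] += 1
        q = QUESTION.search(m["rest"])
        if port == 53 and q:  # tcpdump can decode the question only when it is plaintext
            leaked.append((m["dst"], q["name"].rstrip(".")))
    return counts, leaked

COUNTS, LEAKED = audit(CAPTURE)
```

A non-empty `LEAKED` list after you have enabled DoH means some queries still leave in the clear, as in the first line of the sample where 1.1.1.1 is set as plain DNS.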
What about networks that actively block encrypted DNS?
Some networks block DoH:
– China (blocks DoH to known providers)
– Some workplaces with DPI firewalls
– Some hotel networks
For these cases:
– VPN that routes DNS through itself
– Less-common DoH providers
– DNSCrypt (sometimes less-blocked than DoH)
– Tor (gross but works)
Privacy comparison vs your ISP
The honest comparison:
Your ISP (default, no DoH):
– Logs every domain you visit
– Can sell to data brokers (legal in many countries)
– Can be subpoenaed by government
– Can block specific domains
Cloudflare 1.1.1.1 (with DoH):
– 24-hour aggregated logs (not connected to IP)
– Can be subpoenaed; produces minimal info because of policy
– Generally won’t block domains except at user-tier choice (1.1.1.2 etc.)
Mullvad DNS (with DoH):
– No logs
– Subpoenas produce nothing because nothing is logged
– Will block domains only at user-tier choice
For most users, switching from ISP DNS to ANY of the 8 providers is a huge privacy upgrade. Don’t over-think which one.
What we use
The Privacy Stacks team:
– 2 use Cloudflare 1.1.1.1 (default, fast, fine)
– 2 use Mullvad DNS (privacy purist)
– 1 uses NextDNS (configurable, ad blocking)
All five of us use SOME DoH provider, not ISP DNS. That’s the important part.
Disclosure
We have no affiliate relationships with most DNS providers (Cloudflare, Quad9 are free). Mullvad has no affiliate program. NextDNS has a limited referral program. We mention providers based on quality. See our affiliate disclosure.
Last updated 2026 Q2.