Table of Contents
- Why DoH and DoT matter in 2026
- Cloudflare 1.1.1.1 deep-dive
- NextDNS deep-dive
- Quad9 deep-dive
- Self-hosted resolver deep-dive
- Comparison table: 5 options × 10 criteria
- Recommendations by profile
Why DoH and DoT matter in 2026
DNS was designed in 1983 with a single requirement: correctness. Privacy was not on the agenda. Every DNS query you send — the hostname of every site you visit, every API you call, every update your phone checks — travels in plaintext by default. Your ISP can read it. The operator of any public WiFi network can read it. Any nation-state running a middlebox on a transit network can read it.
In 2026, this is not a theoretical threat. Regulatory mandates for DNS-based filtering are active in the EU, UK, Australia, India, and dozens of other jurisdictions. ISPs in multiple countries monetize DNS query logs by selling them to data brokers. DPI-based content injection — where your ISP rewrites DNS responses or injects content into HTTP connections — was documented in at least 14 countries in 2025. Unencrypted DNS is simultaneously the easiest attack surface on your network and the one most frequently left unpatched.
Two protocols address this. DNS-over-TLS (DoT) wraps DNS in a TLS connection on port 853. It encrypts the query, but because port 853 is exclusive to DoT, network operators can identify and block the traffic trivially. DNS-over-HTTPS (DoH) sends DNS queries inside standard HTTPS on port 443, indistinguishable to passive observers from ordinary web browsing. This makes DoH significantly harder to censor and dramatically raises the cost of surveillance.
Beyond these two, DNS-over-QUIC (DoQ) runs DoH-equivalent semantics over the QUIC transport, eliminating TCP handshake overhead and improving latency on mobile networks. Cloudflare and a small number of other providers support DoQ in 2026, but OS-level support is still narrow.
The shift in threat model since 2020 is worth naming explicitly. Three years ago, the main argument for encrypted DNS was ISP logging. That remains true, but three additional vectors have emerged:
GDPR and data protection exposure. In the EU, query logs held by a resolver constitute personal data under Article 4(1). If you route all household DNS through a commercial provider with retention, you are creating a data controller relationship that most users have never consented to in any meaningful sense.
Public WiFi MITM. Cafes, airports, hotels, and conference venues routinely run DNS interception. With unencrypted DNS, they can redirect you silently. DoH eliminates this attack vector because the resolver endpoint is verified by TLS certificate.
Censorship bypass. State-mandated DNS blocks are the first layer of censorship infrastructure in most countries. Encrypting and tunneling DNS through a port-443 endpoint defeats this layer without requiring a full VPN. For users in restricted-access environments, DoH is often the minimum viable privacy tool.
The remaining sections evaluate the four main deployment options available in 2026: Cloudflare 1.1.1.1, NextDNS, Quad9, and self-hosted resolvers. Each section covers protocol support, privacy posture, filtering capabilities, jurisdiction, and relevant audit history.
Cloudflare 1.1.1.1 deep-dive
Cloudflare launched 1.1.1.1 in April 2018 as a privacy-first public resolver. In 2026 it remains the fastest public DNS resolver by global median latency and the most widely deployed DoH endpoint on the internet, integrated by default into Chrome on Android, several router firmwares, and the iOS Private Relay infrastructure.
Protocol support. 1.1.1.1 supports DoH (RFC 8484), DoT (RFC 7858), and DoQ (RFC 9250). The DoH endpoints are https://cloudflare-dns.com/dns-query and https://1.1.1.1/dns-query. The DoT server is one.one.one.one on port 853. For DoQ, clients such as the AdGuard DNS client support the quic://dns.cloudflare.com endpoint.
Privacy posture. Cloudflare publishes an annual privacy report audited by KPMG. Key commitments: no selling of DNS query data to third parties, no use of 1.1.1.1 query data to target ads, and deletion of full IP address logs within 25 hours. Stub resolver metadata (truncated IPs, aggregated query counts) is retained for operational metrics. Cloudflare is incorporated in the United States, subject to NSLs and FISA Section 702 orders. For threat models that include US government legal process, this is a non-trivial limitation.
Filtering variants. Cloudflare operates three distinct resolvers. The base 1.1.1.1 applies no filtering. 1.1.1.2 (Cloudflare Security) blocks known malware and phishing domains using Cloudflare's threat intelligence. 1.1.1.3 (Cloudflare Family) adds adult content filtering on top. The DoH equivalents use subdomains: security.cloudflare-dns.com and family.cloudflare-dns.com.
Latency. Cloudflare's Anycast network spans 300-plus points of presence. Median latency from Western Europe is roughly 5 to 12ms, the lowest of any major public resolver. From Southeast Asia and Latin America, it typically runs 15 to 30ms — still competitive with ISP resolvers.
Audit history. Three KPMG audits have been published (2019, 2021, 2023). All confirmed Cloudflare's compliance with stated data practices. The 2023 audit confirmed no evidence of IP-to-query linkage in retained logs. The next scheduled audit covers 2025 operations.
Verdict. Cloudflare 1.1.1.1 is the right choice for users who prioritize latency and broad platform support, and whose threat model does not specifically include US government legal process. For high-sensitivity use cases, the US jurisdiction is a genuine limitation.
NextDNS deep-dive
NextDNS launched in 2019 as a configurable public resolver. Its core differentiator is per-account customization: blocklists, allowlists, analytics, parental controls, and per-device policies. In 2026, NextDNS has approximately 2 million active users and processes over 200 billion queries per month.
Protocol support. NextDNS supports DoH, DoT, DoQ, and DNSCrypt. Each account gets a unique resolver endpoint (https://dns.nextdns.io/XXXXXX) enabling per-account policy enforcement. This is architecturally different from Cloudflare and Quad9, which apply global policies.
Privacy posture. NextDNS is incorporated in Delaware (US). The privacy model is opt-in analytics: by default, query logging is disabled. If you enable logs, you choose the retention period (one hour, one day, one week, one month, or forever). The dashboard shows real-time query analytics when logging is enabled. NextDNS's privacy policy states that query data is not sold or used for advertising. However, the US jurisdiction means the same NSL/FISA caveat as Cloudflare applies. For users who disable logging entirely, the practical exposure is minimal.
Blocklists and customization. NextDNS ships with 40-plus curated blocklists: ad networks, trackers, malware, phishing, coinminers, adult content, social media, and more. You can combine them, add custom domains, and create per-device allowlists. The analytics dashboard shows which lists blocked the most queries, making tuning straightforward. This level of control has no equivalent in Cloudflare or Quad9.
Pricing. Free tier: 300 000 queries per month, full features. A typical active user generates 50 000 to 150 000 queries per month. Families or network-wide setups easily exceed 300 000. The Pro plan costs $1.99 per month or $19.90 per year, with no query cap. By privacy software standards, it is cheap.
Performance. NextDNS operates data centers in Europe and North America, with a smaller footprint than Cloudflare. Median latency from Western Europe is roughly 15 to 25ms. From regions outside NextDNS's coverage, latency can spike to 60 to 100ms. For users in Central or Eastern Europe, Asia, or Latin America, latency is a real consideration.
Verdict. NextDNS is the best choice for users who want deep filtering control, per-device policies, and real-time analytics. The US jurisdiction and the smaller PoP footprint are the two main limitations versus Quad9.
Quad9 deep-dive
Quad9 launched in November 2017 as a joint project between IBM, Packet Clearing House, and the Global Cyber Alliance. In 2020 it moved its headquarters from San Francisco to Zurich, Switzerland, and restructured as a Swiss non-profit foundation. This move was deliberate: Swiss law provides among the strongest data protection regimes for a resolver, with no mandatory retention for query logs and no bulk surveillance framework equivalent to US FISA Section 702.
Protocol support. Quad9 supports DoH (https://dns.quad9.net/dns-query), DoT (dns.quad9.net on port 853), and DNSCrypt. DoQ support is on the roadmap but not yet available in production as of mid-2026.
Privacy posture. Quad9's core commitment is not logging end-user IP addresses in production. Query content (the queried hostname) is used in aggregate for threat intelligence but not linked to IP addresses. Quad9 publishes an annual transparency report. Being a Swiss foundation, it is not subject to US NSLs or FISA orders. EU GDPR applies through Quad9's European presence. In 2021 the German regional court in Munich initially issued an injunction ordering Quad9 to block a specific piracy domain; Quad9 appealed and won on all counts, establishing that a DNS resolver is not liable for content it resolves.
Malware filtering. Quad9's security feed aggregates threat intelligence from 25-plus partners including F-Secure, Secureworks, Abuse.ch, and several national CERTs. The default endpoint (9.9.9.9, 149.112.112.112) blocks domains associated with malware, ransomware, phishing, and botnet C2 infrastructure. An unfiltered endpoint is available at 9.9.9.10 for users who want encryption without blocking.
Performance. Quad9 operates approximately 200 PoPs, primarily in Europe and North America. Median latency from Western Europe is 8 to 18ms. Coverage in Southeast Asia, Latin America, and Africa is thinner than Cloudflare but expanding. For European users, Quad9 is typically within a few milliseconds of Cloudflare.
Verdict. Quad9 is the strongest public resolver option for users with a serious privacy threat model. Swiss jurisdiction, non-profit structure, no IP logging, and robust malware filtering make it the default recommendation for users who want a managed resolver without self-hosting.
Self-hosted resolver deep-dive
Self-hosting a DNS resolver eliminates the third-party logging problem entirely. No external entity receives your query log. The trade-off is operational complexity: you are responsible for uptime, security patching, and configuration correctness.
The four most practical options in 2026 are:
Unbound. A validating, recursive resolver maintained by NLnet Labs. Unbound performs full DNSSEC validation and supports DoT as an upstream forwarder. It does not natively support DoH server-side but pairs well with a DoH frontend like dnsdist. Unbound is the reference choice for users who want a lean, auditable resolver. Configuration is text-based and well-documented.
AdGuard Home. A full DNS server with an integrated web UI, blocking engine, and per-client policies. AdGuard Home supports DoH, DoT, DoQ, and DNSCrypt on both the upstream and listener sides. Setup takes under 30 minutes on any Linux system. The blocking UI is the most accessible of the self-hosted options. AdGuard Home is open-source (GPL-3.0) and actively maintained.
Pi-hole with a DoH proxy. Pi-hole is the most widely known home DNS blocker, primarily targeting ads and trackers. By default it does not encrypt upstream queries. Adding dnscrypt-proxy or cloudflared as a local DoH proxy provides encryption. This two-component setup is functional but has more moving parts than AdGuard Home.
dnscrypt-proxy. A flexible, low-footprint proxy that supports DoH, DoT, DNSCrypt, and anonymized DNSCrypt (routing queries through a relay to hide the resolver from the source IP). dnscrypt-proxy is the right tool for users who want maximum protocol flexibility or anonymized routing. It runs on Linux, macOS, Windows, and BSD.
Deployment considerations. For home use, a Raspberry Pi 4 running AdGuard Home handles household traffic at under 5% CPU load. For a small team or office, a $6/month VPS is sufficient. The primary operational risk is availability: if your resolver goes down and you have hardcoded it as the only nameserver, DNS resolution fails for all devices on the network. Configuring a fallback upstream — ideally Quad9 or another non-logging resolver — mitigates this.
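An added example of the Unbound forwarding setup described in this section (not configuration from the article or from NLnet Labs): the resolver validates DNSSEC itself and forwards over DoT to Quad9, with Cloudflare listed as a second forwarder so that one provider's outage does not take the network offline. The LAN range, certificate-bundle path and trust-anchor path are assumptions that depend on your network and distribution.

```conf
server:
    interface: 0.0.0.0
    # Assumed LAN range; only these clients may query the resolver
    access-control: 192.168.1.0/24 allow
    # CA bundle used to verify the upstream TLS certificates (Debian/Ubuntu path; adjust)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # Validate DNSSEC locally instead of trusting the upstream's AD bit (path is distribution-dependent)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Send only the labels each upstream needs to see
    qname-minimisation: yes
    # Keep answering from cache if every forwarder is briefly unreachable
    serve-expired: yes

forward-zone:
    name: "."
    # Encrypt every upstream query; the name after # is checked against the certificate
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#one.one.one.one
```

Unbound spreads queries across all listed forwarders and backs off ones that stop answering, so the second provider also sees a share of your queries; if that is unacceptable for your threat model, list only Quad9 and accept the availability risk described above.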
Verdict. Self-hosting is the maximum-privacy option and worth the setup cost for power users, privacy-focused families, and small teams. AdGuard Home is the recommended starting point for most users; Unbound is the choice for users who want a lean, dependency-minimal stack.
Comparison table: 5 options × 10 criteria
| Criterion | Cloudflare 1.1.1.1 | NextDNS | Quad9 | Self-hosted (AdGuard Home) | Self-hosted (Unbound) |
|---|---|---|---|---|---|
| Jurisdiction | US | US | Switzerland | You | You |
| Encryption protocols | DoH, DoT, DoQ | DoH, DoT, DoQ, DNSCrypt | DoH, DoT, DNSCrypt | DoH, DoT, DoQ, DNSCrypt | DoT (upstream), DoH via proxy |
| Malware filter | Optional (1.1.1.2) | Yes (configurable) | Yes (default) | Yes (blocklists) | No (blocklist via RPZ) |
| Custom blocklists | No | Yes (40+ curated + custom) | No | Yes (extensive) | Yes (RPZ/local zones) |
| Query analytics | No | Optional (opt-in) | No | Yes (local only) | No |
| Independent audit | Yes (KPMG annual) | No | Yes (annual transparency) | N/A | N/A |
| Price | Free | Free / $1.99/mo | Free | Free (hardware cost) | Free (hardware cost) |
| Latency Europe/US | ~10ms / ~5ms | ~20ms / ~10ms | ~13ms / ~8ms | <5ms (local) | <5ms (local) |
| Censorship bypass | Good | Good | Good | Excellent | Excellent |
| Self-host possible | No | No | No | Yes | Yes |
Recommendations by profile
Home power user. Deploy AdGuard Home on a Raspberry Pi or mini PC. Configure Quad9 DoH as the upstream resolver. This gives you local control over blocklists, zero external query logging, Swiss-jurisdiction upstream, and malware protection. The setup takes two hours; maintenance is under 30 minutes per month.
Developer with a VPN. Use NextDNS with logging disabled. The per-device policy system lets you toggle blocking on and off per environment. The DoH endpoint integrates cleanly into split-tunnel VPN configurations. If your VPN provider offers its own encrypted resolver, prefer that — it reduces the number of entities that can correlate your queries.
Family with children. NextDNS Pro with the Threat Intelligence + Native Tracking Protection + Parental Controls stacks enabled. The per-device policy system lets you set stricter rules for children's devices without affecting adult devices. Enable query logging for a week to tune the blocklists, then set retention to one hour or disable it.
Paranoid or corporate profile. Self-hosted Unbound on a hardened VPS in a jurisdiction you control, with DNSSEC validation enabled, no forwarder logging, and dnscrypt-proxy anonymized routing for the recursive step. Pair with a network-level firewall that blocks all outbound UDP/53 and TCP/853 except through your controlled stack. This setup maximizes the number of actors you can remove from the query path.
For all profiles: enforce encrypted DNS at the OS or router level rather than relying solely on browser-level DoH. Browser-level DoH creates a split in which the browser uses its own endpoint while every other application on the device keeps using whatever resolver the system hands out. System-level configuration closes this gap.
Internal resources: State of browser privacy 2026 covers fingerprinting, TLS identity, and OS-level hardening that complement DNS encryption. iOS Lockdown Mode and JSC performance examines the trade-offs of maximum-isolation mode on Apple devices.