Follow ZDNET: Add us as a preferred source on Google
ZDNET key takeaways
- Private DNS is a must these days.
- If you’re not already using it, consider one of these options.
- You can use most of these services for free.
You might think the security of your PC, laptop, phone, or tablet ends with an antivirus, malware, and firewall combination. Although those tools are a good start, there’s one area you should seriously consider: DNS.
DNS, or Domain Name System, is responsible for translating human-readable domain names (such as zdnet.com) to machine-readable IP addresses (such as 199.232.194.154). Without DNS, you’d have to memorize IP addresses instead of domain names.
I don’t know about you, but my brain doesn’t have enough room to hold that much information. Ergo, DNS.
Also: How to turn on Private DNS Mode on Android – and why it’s a must for security
Standard DNS sticks to the playbook and makes those translations, with everything out in the open. If you point your browser to zdnet.com, anyone who can sniff out your internet traffic can see what you’re looking at. That’s where secure DNS comes into play.
Secure DNS encrypts the traffic so no one can read it. With secure DNS, even your ISP can’t view your traffic. Even if you’re on your home Wi-Fi network, you should use secure DNS.
In other words, without secure DNS, you’re not nearly as secure or private as you might think.
Also: The best VPN services (and how to choose the right one for you)
An extra layer of security means using secure DNS. But which service should you consider?
Here are my favorites.
1. Google Public DNS
It should come as no surprise that Google offers secure DNS. I’ve used these particular DNS servers for years, without issue. Google Public DNS features automatic mode (in Chrome), DNSSEC validation for authenticity, support for TLS 1.3, cache poisoning protection (via query name case randomization), and performance optimization.
Google’s DNS prevents tampering, eavesdropping, and spoofing. This service’s privacy policy ensures that no data is logged, so you don’t have to worry that Google is retaining your encrypted traffic.
Also: How to upgrade your ‘incompatible’ Windows 10 PC to Windows 11 – for free
The IP addresses for Google’s secure DNS are 8.8.8.8 and 8.8.4.4. You can use the service for free on as many machines as you like.
2. Cloudflare DNS
Cloudflare is another of my favorites. This service uses DNS over HTTPS (DoH) and DNS over TLS (DoT) to encrypt all of your queries.
Cloudflare DNS includes a fast, secure, and reliable authoritative DNS service with guaranteed 100% uptime, leveraging a 310-plus city Anycast network. Some of the key features of Cloudflare DNS include built-in DDoS mitigation, DNSSEC for security, and CNAME flattening for apex domain optimization.
Also: The best VPN services for iPhone and iPad (yes, you need to use one)
The DNS server addresses for Cloudflare are 1.1.1.1 and 1.0.0.1. Those addresses work for desktops and laptops. On the other hand, if you want to use Cloudflare’s secure DNS on your phone, you’ll need to install the 1.1.1.1 + Warp app (Android/iOS).
As for its privacy policy, you can be certain that Cloudflare will not log your IP addresses. The service promises to delete all associated logs within 24 hours.
3. Quad9
Quad9 is another free public DNS service that uses encryption to rebuff would-be hackers. Quad9 goes a bit further than some services by blocking lookups of malicious host names from an up-to-the-minute list of threats. This approach means your device is much more secure from malware, phishing, spyware, and botnets. Quad9 claims to be 97% effective against malicious and phishing domains.
Quad9 is run by a Swiss company that has proven itself to be secure and reliable over the years. The feature set of Quad9 includes malicious domain blocking, real-time intelligence, DNSSEC validation, no personal data logging or user profiling, easy setup, no content filtering, and operates in over 200 locations in 90-plus nations.
Also: 7 apps I use to lock down, encrypt, and store my private files – and most are free
There are three different DNS servers you can use from Quad9, which are:
- 9.9.9.9 – Secure service with malware and phishing blocking, and DNSSEC.
- 9.9.9.10 – Unsecure service with no threat blocking. This DNS is best used for testing and debugging.
- 9.9.9.11 – Secure + ECS. This DNS service includes EDNS Client Subnet (ECS) support.
Quad9 can be used for free.
4. OpenDNS
OpenDNS can protect nearly anything that connects to your network, including PCs, laptops, phones, tablets, and even TVs.
OpenDNS is fast, includes built-in protection for malicious phishing, offers parental controls, has customizable content filtering, and includes ad blocking and tracking protection.
Also: The best VPNs for streaming your favorite shows and sports
As you probably guessed, OpenDNS is also free. The service uses the IP addresses 208.67.222.222 and 208.67.220.220, and all logs are only retained for a short period of time.
For security, OpenDNS provides customizable filtering options and protection against phishing and malware.
5. NextDNS
NextDNS provides secure DNS, content filtering, ad blocking, wide-spectrum tracker blocking, user-configurable log retention, native support for all platforms, unlimited configurations, custom deny and allow lists, a customizable block page, rewrites, DNSSEC, and a peer-to-peer naming session.
There’s a free version of NextDNS, which gives you 300,000 queries per month, unlimited devices, unlimited configurations, access to all features, and community support. There are also paid versions, which you can read about here.
Also: 5 great Chrome browser alternatives that put your privacy first
The NextDNS server addresses are 45.90.28.232 and 45.90.30.232.
6. AdGuard DNS
AdGuard DNS uses an app to configure your device to its secure DNS servers, which means you don’t need to remember the IP addresses.
To use AdGuard DNS, you do have to install an app (for MacOS and Windows), and the only caveat is that the GUI app isn’t available for Linux (although there is a CLI tool).
AdGuard DNS includes extensive security features (such as blocking and tracking protection), user-customizable log retention (even a no-logs option), and anonymized logging for filtering based on user preferences.
Also: Your PC’s critical security certificates may be about to expire – how to check
AdGuard DNS is free (for the Starter plan), and there is a more private option, but you have to sign up for an account. The AdGuard Private account is free, and the web-based UI is quite nice. The Starter plan limits you to 300,000 DNS requests and 20 devices. If you need more, you’ll have to cough up $19 per year, and that plan gives you 10 million requests, 20 devices, five servers, and 1k rules.
The IP addresses for AdGuard DNS are 94.140.14.14 and 94.140.15.15.
