DNS Providers & Privacy DNS 2026 — Cloudflare 1.1.1.1, Route 53, Quad9, NextDNS, ControlD, Mullvad, Pi-hole, AdGuard Home Deep Dive
Author: Youngju Kim (@fjvbn20031)
Prologue — "DNS is just a 50ms piece of infrastructure," and other lies
"DNS just turns domains into IPs." Say that in 2026 and someone raises an eyebrow. The truth is sharper: DNS is where you leak information first. Before TLS, before the VPN tunnel, before your ad blocker, your DNS query is already sitting on the ISP resolver in plaintext. The ISP sees it. They pretend not to. They do.
In 2026 DNS is being pulled in three directions at once. Privacy — DoH/DoT/DoQ encrypt the query, ODoH separates query from client IP. Security — DNSSEC, DNS firewalls, and malware-blocking resolvers strip out bad domains. Performance and cost — Anycast pushes P50 below 10 ms globally, and the new HTTPS/SVCB records (RFC 9460) cut the first handshake to a single round trip.
This post maps the whole terrain. Nine public resolvers (Cloudflare, Quad9, Google, OpenDNS, AdGuard, NextDNS, ControlD, Mullvad, dns0.eu), seven authoritative options (Cloudflare DNS, Route 53, Cloud DNS, Azure DNS, NS1, DNS Made Easy, registrar DNS), six self-hosted choices (PowerDNS, BIND9, CoreDNS, Knot, Unbound, dnsmasq), and five home-privacy resolvers (Pi-hole 6, AdGuard Home, Technitium, Unbound+Stubby, Blocky). It closes with Korean and Japanese ISP DNS, attack scenarios, and a decision checklist.
DNS isn't 50 ms of infrastructure. It's the trust plane of the internet.
1. DNS fundamentals — hierarchy, records, recursive vs authoritative
A bit of terminology first. DNS is a tree. Root (.) → TLD (com., kr.) → second-level zone (example.com.) → host (www.example.com.). Each level is connected by delegation, and each authoritative server is the source of truth for its own zone.
| Role | Meaning | Examples |
|---|---|---|
| Recursive resolver | Walks the tree on behalf of the client and caches answers | Cloudflare 1.1.1.1, Quad9 9.9.9.9, ISP DNS, Unbound |
| Authoritative server | Serves the truth for the zones it owns | Cloudflare DNS, Route 53, BIND9, PowerDNS |
| Stub resolver | Thin client in the OS; hands every query to a configured recursive resolver | systemd-resolved, Windows DNS Client |
| Forwarder | Caches only and forwards everything upstream | dnsmasq, Pi-hole, consumer routers |
Record types you actually meet are a short list.
| Type | Meaning | Example |
|---|---|---|
| A | IPv4 address | example.com. 300 IN A 93.184.216.34 |
| AAAA | IPv6 address | example.com. 300 IN AAAA 2606:2800:220:1::1 |
| CNAME | Alias | www.example.com. 300 IN CNAME example.com. |
| MX | Mail server | example.com. 300 IN MX 10 mail.example.com. |
| TXT | Arbitrary text (SPF, DKIM, verification) | example.com. 300 IN TXT "v=spf1 -all" |
| SRV | Service discovery | _sip._tcp.example.com. 300 IN SRV 0 5 5060 sip.example.com. |
| CAA | Cert issuance control | example.com. 300 IN CAA 0 issue "letsencrypt.org" |
| HTTPS / SVCB | Service binding (RFC 9460) | example.com. 300 IN HTTPS 1 . alpn="h3,h2" ipv4hint=... |
| DNSKEY / RRSIG / DS | DNSSEC keys, signatures, delegation signer | DNSSEC-enabled zones |
TTL (time to live) is how many seconds a resolver may keep the answer cached. Too long and changes propagate slowly; too short and you hammer the authoritative server. General web: 300–3600 s. Games and CDNs: often under 60 s.
2. DNS over HTTPS (DoH, RFC 8484)
DoH wraps DNS queries in HTTPS GET/POST on port 443. Standardised in 2018 (RFC 8484), Firefox switched it on by default for US users in 2020, and Chrome added "Secure DNS" the same year, auto-upgrading to DoH when the OS-configured resolver is one Chrome knows offers it.
The wins are clear. Port 443 is hard to block, and your ISP can't read the query in plaintext. The costs are real too: captive portals break, corporate split-horizon DNS stops working when a browser bypasses the OS resolver, and you have moved trust from the ISP to the DoH operator rather than removed it.
Cloudflare 1.1.1.1 DoH endpoints.
https://cloudflare-dns.com/dns-query
https://1.1.1.1/dns-query
https://1.0.0.1/dns-query
Querying with curl. The JSON form (a Cloudflare extension, not the RFC) needs only an Accept header; the RFC 8484 wire form carries a real DNS packet, base64url-encoded without padding in ?dns= for GET, or raw in the POST body.
# DoH JSON API (Cloudflare extension)
curl -s -H 'accept: application/dns-json' \
  'https://1.1.1.1/dns-query?name=example.com&type=A' | jq .
# DoH wire format (RFC 8484), GET: the string is "example.com A, txid 0" as base64url
curl -s -H 'accept: application/dns-message' \
  'https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE' | xxd
# Same query as POST: the body must be the raw packet, so decode the base64 first
echo -n 'AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE=' | base64 -d | \
  curl -s -H 'accept: application/dns-message' \
  -H 'content-type: application/dns-message' \
  --data-binary @- https://cloudflare-dns.com/dns-query | xxd
Beyond browsers, OS-level DoH exists too. Windows 11 lets you pick a DoH template from Settings → Network → DNS server assignment, and macOS accepts a .mobileconfig profile that pins DoH.
3. DNS over TLS (DoT, RFC 7858)
DoT wraps DNS in TLS on port 853. RFC 7858 (2016) made it the older standard, and it remains the friendlier option on mobile. From Android 9 Pie onward "Private DNS" turns on OS-level DoT.
DoH vs DoT comes down to port and visibility.
| Item | DoH (RFC 8484) | DoT (RFC 7858) |
|---|---|---|
| Port | 443 (same as HTTPS) | 853 |
| Identifiability | Mixed with HTTPS; only blockable by targeting the resolver's IPs or SNI | Port 853 is trivially identified and blocked |
| Client support | Firefox (default in some regions), Chrome auto-upgrade, Windows 11, Apple profiles | Android 9+, systemd-resolved, Unbound, Stubby |
| Overhead | HTTP/2/3 headers | TLS only, lighter |
systemd-resolved gets DoT with a single block in /etc/systemd/resolved.conf, followed by systemctl restart systemd-resolved; resolvectl status should then show +DNSOverTLS for the link. Note that DNSSEC=yes is strict validation and will SERVFAIL on broken zones or captive portals; the default allow-downgrade is the usual compromise on a laptop.
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes
DNSSEC=yes
On Android, Settings → Network and internet → Private DNS → "Private DNS provider hostname", then 1dot1dot1dot1.cloudflare-dns.com or dns.quad9.net — DoT is on.
4. DNS over QUIC (DoQ, RFC 9250)
DoQ is the newest transport, standardised in RFC 9250 (2022). DNS rides on top of QUIC (UDP, 0-RTT) on port 853 (same number, but UDP). Connection migration is smooth on mobile and the initial RTT is short.
| Transport | RFC | Port | Handshake RTT | Notes |
|---|---|---|---|---|
| Do53 (plaintext) | RFC 1035 | 53 UDP/TCP | 0 | Plaintext — fastest and riskiest |
| DoT | RFC 7858 | 853 TCP | 1–2 | Popular on mobile |
| DoH | RFC 8484 | 443 TCP | 1–2 | Strong at evading blocks |
| DoQ | RFC 9250 | 853 UDP | 0–1 (0-RTT resume) | Newest, mobile-first |
AdGuard DNS, NextDNS, and ControlD publish DoQ endpoints; check a provider's docs before assuming it, since DoQ support is narrower than DoH/DoT. Clients include dnsproxy, AdGuard Home, and patched Stubby builds.
Using dnsproxy as a local DoQ client. The bootstrap resolver is used to look up dns.adguard-dns.com itself, so the proxy doesn't depend on the system resolver it is about to replace.
dnsproxy --upstream='quic://dns.adguard-dns.com' \
  --bootstrap='9.9.9.9:53' \
  --listen=127.0.0.1 --port=53
5. Oblivious DoH (ODoH) — hide the IP too
DoH/DoT/DoQ solve "stop the ISP from reading my queries." But the resolver itself (Cloudflare, Quad9) still sees my IP and my query together. ODoH (Cloudflare + Apple + Fastly, 2020; RFC 9230, 2022) breaks that pair.
The structure is simple. Client → Oblivious Proxy → Oblivious Target (the resolver).
- The proxy sees the client IP but not the query (queries are encrypted to the target's public key).
- The target sees the query but not the client IP (the proxy hid it).
Cloudflare runs an ODoH target on 1.1.1.1, and the design only works if the proxy is run by someone else (the launch partners were PCCW, SURF and Equinix; Apple's iCloud Private Relay uses ODoH for its DNS step; dnscrypt-proxy 2.1+ supports it with community relays). A relay operated by the same party as the target would see both halves again.
Configuring dnscrypt-proxy for ODoH. Both a target and a relay are needed; without a route in [anonymized_dns] the target is reached directly and you are back to plain DoH.
# /etc/dnscrypt-proxy/dnscrypt-proxy.toml (ODoH-relevant keys only)
server_names = ['odoh-cloudflare']
odoh_servers = true
[sources.'odoh-servers']
urls = ['https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
cache_file = '/var/cache/dnscrypt-proxy/odoh-servers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
[sources.'odoh-relays']
urls = ['https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
cache_file = '/var/cache/dnscrypt-proxy/odoh-relays.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
# Route the target through a relay. 'odohrelay-placeholder' is not a real relay name;
# pick one from the fetched odoh-relays.md.
[anonymized_dns]
routes = [
  { server_name = 'odoh-cloudflare', via = ['odohrelay-placeholder'] }
]
Adoption is low, but ODoH is one of the only standards that lets you separate IP from query without a VPN.
6. DNSSEC — signed DNS, slow rollout
DNSSEC has authoritative servers sign their zones (an RRSIG over each record set, keys published as DNSKEY) while validating resolvers verify a chain of trust from the root key down: each parent publishes a DS record that hashes the child's key, so root → .com → example.com is one unbroken chain of signatures. It defends against cache poisoning and spoofed answers. Standards: RFC 4033/4034/4035 (2005).
The problem is uptake. Signing rates vary enormously by TLD: registries that give registrars an incentive to sign (.nl, .cz, .se) are above half, while .com and .kr stay in the single digits because registrants have to switch it on themselves.
Checking DNSSEC validation.
# +dnssec flag exposes RRSIG records
dig +dnssec example.com A
# The AD bit = Authenticated Data — the resolver validated for us
dig @1.1.1.1 +dnssec icann.org SOA | grep -E 'flags|RRSIG'
Opinions split. Advocates call DNSSEC the last line of defence against cache poisoning. Sceptics say "DoT/DoH already authenticate the channel — zone signing only adds operational weight." 2026 take: sign your authoritative zones, and let resolvers handle client-side validation.
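Section 2 showed the base64url blob RFC 8484 puts in ?dns=, and the dig checks above rely on the AD bit. The following is an added example, not code from the post, Cloudflare or ISC: pure-Python helpers that build that exact query (including the OPT record with the DO bit needed to get RRSIGs back), decode a response, and report rcode and the AD flag. The sample response is constructed in the block, not captured; doh_get does a live lookup against the page's Cloudflare endpoint and is the only part that needs the network.

```python
import base64
import ipaddress
import struct
import urllib.request

FLAG_RD, FLAG_AD = 0x0100, 0x0020  # Recursion Desired, Authenticated Data

def encode_name(name: str) -> bytes:
    # 'example.com' -> 07 'example' 03 'com' 00 (uncompressed wire-format name)
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0, dnssec: bool = False) -> bytes:
    # Wire-format query. RFC 8484 recommends txid 0 so DoH caches can reuse answers.
    # dnssec=True appends an OPT record with the DO bit set so RRSIGs are returned.
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if dnssec:
        # OPT RR: root owner, type 41, UDP payload 4096, ext-rcode 0, EDNS version 0, DO=0x8000, rdlen 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def to_base64url(wire: bytes) -> str:
    # Padding-free base64url, the form RFC 8484 uses in GET ?dns=
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")

def read_name(msg: bytes, off: int):
    # Decode a possibly compressed name; return (name, offset just past it in the original stream)
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", end

def parse_response(msg: bytes) -> dict:
    # Returns rcode, the AD bit (resolver says the chain validated) and A/AAAA answers.
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1:
            answers.append((name, "A", ttl, str(ipaddress.IPv4Address(rdata))))
        elif rtype == 28:
            answers.append((name, "AAAA", ttl, str(ipaddress.IPv6Address(rdata))))
        else:
            answers.append((name, f"TYPE{rtype}", ttl, rdata.hex()))
    return {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD), "answers": answers}

def sample_response() -> bytes:
    # Constructed (not captured) reply: QR|RD|RA|AD set, NOERROR, one A record whose owner
    # is a compression pointer to the question name at offset 12.
    flags = 0x8000 | FLAG_RD | 0x0080 | FLAG_AD
    header = struct.pack("!HHHHHH", 0, flags, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + answer

def doh_get(name: str, qtype: int = 1, resolver: str = "https://cloudflare-dns.com/dns-query") -> dict:
    # Live RFC 8484 GET against a real resolver (needs network; not used by the offline checks).
    url = f"{resolver}?dns={to_base64url(build_query(name, qtype, dnssec=True))}"
    req = urllib.request.Request(url, headers={"accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())

if __name__ == "__main__":
    print(to_base64url(build_query("example.com")))  # the ?dns= value for a curl GET
    print(parse_response(sample_response()))
```

Two practitioner caveats. The AD bit is only worth anything when the path to the resolver is authenticated (DoT/DoH, or a validator on localhost), because on plaintext UDP it is just a flag anyone on the path can set. And to watch validation actually fail, query a deliberately broken test zone such as dnssec-failed.org with and without the CD (checking disabled) bit: a validating resolver answers SERVFAIL without CD and hands back the bogus record with it.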
7. DNS firewalls — filter malicious domains
A DNS firewall returns NXDOMAIN for known-bad domains right at the resolver. RPZ (Response Policy Zone, originally from BIND9), Cloudflare Gateway, Quad9's default policy, and Cisco Umbrella (formerly OpenDNS) all fit here.
| Provider | Blocked categories | Pricing |
|---|---|---|
| Cloudflare Gateway | Malware, phishing, C2, category filters | Zero Trust free up to 50 users |
| Quad9 9.9.9.9 | Malware, botnets (Swiss, no logs) | Free |
| Cisco Umbrella | Malware, phishing, reputation, DLP | Per-user/month |
| AdGuard DNS Family | Malware + adult + ads | Free / paid |
| NextDNS | Everything, customisable | Free 300k queries/month + paid |
RPZ expresses the policy as a zone file. To NXDOMAIN example.com and all subdomains:
$TTL 60
@ IN SOA rpz.local. admin.local. (1 1h 15m 30d 2h)
@ IN NS rpz.local.
; NXDOMAIN example.com and all subdomains
example.com CNAME .
*.example.com CNAME .
; Walled-garden some-malware.example.org
some-malware.example.org CNAME walled-garden.local.
Load it as an ordinary primary zone, reference it from the options block with response-policy { zone "rpz.local"; }; and reload named. dig @localhost example.com then returns NXDOMAIN, and BIND logs every rewrite under the rpz logging category so you can see which rule fired.
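To see how those triggers resolve before you load the zone into BIND, here is an added example, not from the post or from ISC: a toy evaluator for QNAME-trigger RPZ actions in Python. The zone text is constructed here (the page's three rules plus an rpz-passthru exception and a *.-style NODATA rule); it is not a full RPZ implementation (no IP, NSDNAME or NSIP triggers) and it uses a walk-up-the-tree approximation of DNS wildcard matching.

```python
from dataclasses import dataclass

# Constructed policy zone: the page's rules plus an rpz-passthru exception (an allowlist entry
# that beats the wildcard because it is the more specific name) and a NODATA rule.
SAMPLE_RPZ = """\
$TTL 60
@ IN SOA rpz.local. admin.local. (1 1h 15m 30d 2h)
@ IN NS rpz.local.
example.com              CNAME .                       ; NXDOMAIN
*.example.com            CNAME .                       ; NXDOMAIN for every subdomain
ok.example.com           CNAME rpz-passthru.           ; exception: answer normally
some-malware.example.org CNAME walled-garden.local.    ; redirect to a landing page
ads.example.net          CNAME *.                      ; NODATA: name exists, no records
"""

@dataclass(frozen=True)
class Action:
    kind: str          # NXDOMAIN | NODATA | PASSTHRU | REDIRECT
    target: str = ""   # landing-page name for REDIRECT

def parse_rpz(zone_text: str) -> dict:
    # Toy parser for "<owner> CNAME <target>" QNAME triggers; $TTL, SOA and NS lines are skipped.
    rules = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith(("$", "@")):
            continue
        fields = line.split()
        if len(fields) != 3 or fields[1].upper() != "CNAME":
            continue
        owner, target = fields[0].rstrip(".").lower(), fields[2]
        if target == ".":
            rules[owner] = Action("NXDOMAIN")
        elif target == "*.":
            rules[owner] = Action("NODATA")
        elif target.lower() == "rpz-passthru.":
            rules[owner] = Action("PASSTHRU")
        else:
            rules[owner] = Action("REDIRECT", target)
    return rules

def lookup(rules: dict, qname: str) -> Action:
    # Most specific rule wins: exact owner first, then *.parent, *.grandparent, ...
    # Real RPZ applies DNS wildcard semantics (RFC 4592); this walk-up is the usual approximation.
    name = qname.rstrip(".").lower()
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in rules:
            return rules[wild]
    return Action("PASSTHRU")

def simulate(rules: dict, qname: str) -> str:
    # What the client would observe, in dig terms.
    act = lookup(rules, qname)
    if act.kind == "NXDOMAIN":
        return "status: NXDOMAIN"
    if act.kind == "NODATA":
        return "status: NOERROR, ANSWER: 0"
    if act.kind == "REDIRECT":
        return f"{qname} CNAME {act.target}"
    return "resolved normally"

if __name__ == "__main__":
    policy = parse_rpz(SAMPLE_RPZ)
    for q in ("example.com", "deep.sub.example.com", "ok.example.com",
              "some-malware.example.org", "ads.example.net", "example.org"):
        print(f"{q:28} {simulate(policy, q)}")
```

The passthru line is the part people forget: a wildcard block on a parent domain silently eats every legitimate subdomain too, and an exact rpz-passthru entry is how you carve out the ones you need.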
8. Cloudflare 1.1.1.1 — the most-cited public resolver
Cloudflare 1.1.1.1 launched on April 1, 2018 (April Fools', but real). Cloudflare worked with APNIC to get use of 1.1.1.0/24 and 1.0.0.0/24 and commits to never writing client IPs to disk, deleting transaction logs within 25 hours, and not selling data, with independent audits (the first by KPMG in 2020) to back it up.
Three flavour endpoints.
| IP | Policy | Use |
|---|---|---|
| 1.1.1.1 / 1.0.0.1 | Unfiltered (raw resolver) | General |
| 1.1.1.2 / 1.0.0.2 | Malware blocked | Security-hardened |
| 1.1.1.3 / 1.0.0.3 | Malware + adult blocked | Family / schools |
IPv6 mirrors at 2606:4700:4700::1111, ::1001, ::1112, ::1113.
DoH/DoT/DoQ all supported, and 1.1.1.1 itself runs on Anycast in 300+ PoPs — average P50 is a single-digit millisecond. Korean users typically hit Incheon, Osaka, or Singapore.
The big criticism is centralisation. A huge share of the world's DNS goes through Cloudflare, which is a single point of observation. Even advocates suggest mixing in Quad9 or dns0.eu rather than running Cloudflare alone.
9. Quad9 9.9.9.9 — Swiss, no logging, malware blocking
Quad9 was founded in 2017 by IBM Security X-Force, Packet Clearing House, and the Global Cyber Alliance. It runs as a Swiss non-profit (since 2021) under GDPR and Swiss data-protection law.
Endpoints.
| IP | Policy |
|---|---|
| 9.9.9.9 / 149.112.112.112 | Security block (malware RPZ) + DNSSEC validation + no logs |
| 9.9.9.10 / 149.112.112.10 | No security block, fastest variant |
| 9.9.9.11 / 149.112.112.11 | Security block + ECS (EDNS Client Subnet, location hint for CDNs) |
IPv6: 2620:fe::fe, 2620:fe::9.
Quad9 wins on two fronts. Legal protection: Swiss jurisdiction has no equivalent of the US national security letter, and Swiss privacy law is GDPR-grade. Threat intelligence: a pool of commercial and open feeds (IBM X-Force, Anomali, DomainTools, Proofpoint, and others) merged into the block list.
Performance is slightly behind Cloudflare (P50 15–20 ms from Korea), but malware blocking with near-zero false positives makes it the default recommendation for enterprises and schools.
10. Google 8.8.8.8 — fast, but logs
Google Public DNS (launched 2009) is one of the oldest public resolvers. 8.8.8.8 and 8.8.4.4 are the two IPs every network engineer has memorised.
Pros: massive global coverage, DNS64 support (IPv4 reachability inside IPv6-only networks), and DoH/DoT.
Cons: it logs. Google splits logs into a short-term tier (24–48 hours including IPs) and a permanent tier (anonymised). Not used for ads directly, but the policy is clearly weaker than Cloudflare or Quad9's no-logs stance.
The 2026 take: fast and stable, but not your top pick when privacy is the priority. Often used as a fallback when ISP DNS is unbearably slow.
11. AdGuard DNS — ad blocking as default
AdGuard DNS runs out of Cyprus (AdGuard Software) and blocks ads at the DNS layer. By NXDOMAINing ad domains it strips ads from every app, no browser extension required.
Endpoints.
| IP | Policy |
|---|---|
| 94.140.14.14 / 94.140.15.15 | Ads + trackers blocked (default) |
| 94.140.14.15 / 94.140.15.16 | Family mode (ads + trackers + adult) |
| 94.140.14.140 / 94.140.14.141 | Unfiltered |
DoH: https://dns.adguard-dns.com/dns-query. DoT: dns.adguard-dns.com. DoQ: quic://dns.adguard-dns.com.
The limits are obvious. First-party ads (served from the same domain as the site) can't be blocked, and DOM-level tracking scripts survive. AdGuard recommends pairing DNS blocking with a browser extension.
12. NextDNS — customisable plus analytics
NextDNS is a French startup that launched in 2019. The differentiator is per-profile customisation.
After signing up you get an ID (like abcdef) that becomes part of the endpoint.
https://dns.nextdns.io/abcdef
abcdef.dns.nextdns.io (DoT/DoQ)
The dashboard hands you 100+ block lists (EasyList, OISD, StevenBlack, Hagezi…), category blocking (social media, gambling, adult, malware), log retention (0 / 24h / 3 months / longer), and storage region (EU/US/Switzerland) — every knob is yours.
Pricing: free up to 300k queries/month, $19.90/year above that (family, unlimited devices).
The real value is the analytics dashboard. Which device queried which domain, how often, at what time — all visible. In family mode you can spot every new tracker your kid's tablet has been talking to.
13. ControlD — fast and routable resolver
ControlD comes from the Windscribe VPN team in Canada. Similar concept to NextDNS but leans harder on speed and traffic routing.
What's different:
- Free resolvers at 76.76.2.0 / 76.76.10.0 with pre-defined profiles (p0 unfiltered, p1 malware, p2 malware + ads + trackers, p3 adds social).
- Custom profiles with traffic redirection: "Netflix through a US exit, BBC through a UK exit" is configured per domain, and ControlD implements it by answering the DNS query with the address of one of its own proxies, which then relays the connection. No client-side proxy setting is involved, which also means the DNS answer now decides which third-party box sits in your path; treat that as a trust decision, not a convenience.
- PoPs: 100+ globally, single-digit P50 in most regions.
DoH endpoint https://dns.controld.com/p2 (malware + ads + trackers) is free.
ControlD's weakness is being new. It launched in 2020 and the community list library isn't as deep as NextDNS. The speed-plus-routing combo is unusual, though.
14. Mullvad DNS — a DNS from a VPN company
Mullvad is a Swedish VPN company. In November 2022 they shipped a separate public DNS service, branded as "the strongest privacy DNS you can use without an account."
Endpoints and policies.
| Hostname | Policy |
|---|---|
| dns.mullvad.net | Unfiltered |
| adblock.dns.mullvad.net | Ads blocked |
| base.dns.mullvad.net | Ads + trackers |
| extended.dns.mullvad.net | Ads + trackers + social |
| family.dns.mullvad.net | Ads + trackers + adult |
| all.dns.mullvad.net | Everything blocked |
DoH and DoT supported. Configure the hostname rather than an IP; the hostname is what the documentation pins and what the TLS certificate is issued for.
Mullvad's edge is legal and technical no-logging. Sweden is in the EU but with light data-retention rules, and Mullvad demonstrated the policy in April 2023 when Swedish police raided their offices with a search warrant and left with nothing, because there were no customer logs to seize.
15. dns0.eu — an EU communal resolver (free)
dns0.eu, launched in 2023, is a French non-profit resolver headquartered in Paris, run under GDPR and founded by the NextDNS team as an EU-based alternative.
Endpoints.
| Endpoint | Policy |
|---|---|
| 193.110.81.0 / 185.253.5.0 (DoT dns0.eu, DoH https://dns0.eu) | Default: malware, phishing and cryptojacking domains blocked |
| https://zero.dns0.eu | Stricter security profile for higher-risk environments |
| https://kids.dns0.eu | Family mode |
| https://open.dns0.eu | Unfiltered |
DoH/DoT/DoQ all supported. PoPs are centred in Europe.
dns0.eu is part of the European digital sovereignty trend: an EU-internal resolver not bound to Cloudflare or Google. For Korean/Japanese users PoPs are sparse, but it matters for diversity of choice.
16. Authoritative DNS — Cloudflare DNS vs Route 53 vs Cloud DNS vs Azure DNS vs NS1
The authoritative DNS market (the side that serves your zones) is split.
| Provider | Pricing | Strengths | Weaknesses |
|---|---|---|---|
| Cloudflare DNS | Free with any plan (most sites) | Anycast 300+ PoPs, fast propagation, clean UI | Advanced traffic policies are Enterprise only |
| AWS Route 53 | $0.50/hosted zone/month + $0.40/million queries | AWS-native (alias, weighted, latency, geo), health checks | Clunky UI, costs scale with zones and traffic |
| GCP Cloud DNS | $0.20/zone/month + $0.40/million queries | GCP integration, peering DNS | Smaller feature set than AWS |
| Azure DNS | $0.50/zone/month + similar query pricing | Azure integration, Private DNS as separate SKU | UX divides opinions |
| NS1 (IBM) | Enterprise | Pulsar (real-time RUM-driven routing), Filter Chain | Price, learning curve |
| DNS Made Easy | from $30/year | Strong with short TTLs, 100% uptime SLA | Thinner feature set |
Most startups put their web domains on Cloudflare DNS. Teams deep in a single cloud lifecycle use that cloud's DNS (Route 53, Cloud DNS, Azure DNS). Teams that truly need geo or weighted routing (global SaaS, gaming) pick NS1.
Cloudflare DNS is free but genuinely fast at the authoritative layer. On DNSPerf's public benchmarks Cloudflare typically ranks first or second globally (P50 around 10–12 ms), trading places with NS1.
17. Route 53 — AWS integration end-game
Route 53 bundles authoritative DNS, domain registration, health checks, and traffic policy into one service. Launched 2010.
Pricing is $0.50 per hosted zone per month plus $0.40 per million standard queries; alias queries that point at AWS resources are free.
Routing policies are rich.
| Policy | Meaning |
|---|---|
| Simple | Single response |
| Weighted | Split traffic by weights (A/B, canary) |
| Latency-based | Route to the AWS region with the lowest measured latency |
| Failover | Primary/secondary based on health checks |
| Geolocation | By client country/continent |
| Geoproximity | Traffic Flow with bias |
| Multivalue answer | Up to 8 IPs, only healthy ones returned |
| IP-based | By client CIDR |
Latency-routed alias to an ALB with Terraform (the aws_lb.us_east resource is assumed to exist elsewhere in the configuration).
resource "aws_route53_zone" "main" {
name = "example.com"
}
resource "aws_route53_record" "api" {
zone_id = aws_route53_zone.main.zone_id
name = "api.example.com"
type = "A"
set_identifier = "us-east-1"
latency_routing_policy {
region = "us-east-1"
}
alias {
name = aws_lb.us_east.dns_name
zone_id = aws_lb.us_east.zone_id
evaluate_target_health = true
}
}
Route 53's weaknesses are UI friction and price compounding. Dozens of zones means tens of dollars a month before you do anything. Still the default for AWS-locked teams.
18. Self-hosted DNS — PowerDNS, BIND9, CoreDNS, Knot, Unbound, dnsmasq
Both authoritative and recursive self-hosting options are mature.
| Tool | Role | Language | Notes |
|---|---|---|---|
| BIND9 | Authoritative + recursive | C | Classic, ISC-maintained, original RPZ |
| PowerDNS Authoritative | Authoritative | C++ | DB backends (MySQL/PostgreSQL), API-rich, GeoIP module |
| PowerDNS Recursor | Recursive | C++ | Lua scripting, fast |
| CoreDNS | Authoritative + forwarding (not a full recursor) | Go | Plugin chain, default DNS in Kubernetes |
| Knot DNS | Authoritative | C | CZ.NIC, very fast, great for large zones |
| Knot Resolver | Recursive | C | Same team's recursive resolver, strong DNSSEC |
| Unbound | Recursive | C | NLnet Labs, strong DNSSEC, pairs with Stubby |
| dnsmasq | Forwarder/cache | C | Tiny, ubiquitous on routers and small networks |
CoreDNS' Corefile — the same shape K8s ships.
.:53 {
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . /etc/resolv.conf
cache 30
loop
reload
loadbalance
}
dnsmasq is the core of nearly every home router and of Pi-hole: a few hundred KB of binary that does DHCP, DNS forwarding, and TFTP at once.
19. Pi-hole 6 — the home DNS sinkhole
Pi-hole started as a GitHub project in 2015 — a home DNS blocker famously deployed on a Raspberry Pi. Pi-hole 6 (2025 release; 2024 beta) dropped the PHP web UI and lighttpd: FTL, the C daemon that embeds dnsmasq, now serves the REST API and a brand-new front end itself.
The mechanism is simple. FTL runs as a dnsmasq-based forwarder, answers ad/tracker/malware domains from its gravity list (by default with an unspecified address such as 0.0.0.0 rather than NXDOMAIN), and forwards everything else to an upstream resolver (Cloudflare, Quad9, etc.). Per-household allowlist and blocklist management is centralised.
Docker install in a minute. Pi-hole 6 replaced WEBPASSWORD with FTLCONF_webserver_api_password; the old variable is ignored.
docker run -d \
  --name pihole \
  -p 53:53/tcp -p 53:53/udp \
  -p 80:80/tcp \
  -e TZ=Asia/Seoul \
  -e FTLCONF_webserver_api_password=changeme \
  -v $PWD/etc-pihole:/etc/pihole \
  -v $PWD/etc-dnsmasq.d:/etc/dnsmasq.d \
  --restart=unless-stopped \
  pihole/pihole:latest
Point your router's DHCP DNS at the Pi-hole IP and every device on the network funnels through it. Typical ad-block rate is 30–50%; mobile app ads fall too.
Limits: HTTPS ad slots turn into broken layouts, and clients with their own DoH (Firefox, some Chrome builds) bypass Pi-hole entirely. The fix is either router-level DoH blocking or forcing redirects.
20. AdGuard Home — the modern Pi-hole alternative
AdGuard Home is the same idea as a single Go binary. Where Pi-hole wraps dnsmasq inside FTL plus a separate web front end, AdGuard Home ships resolver, filtering, and UI in one binary.
What's different:
- DoH/DoT/DoQ upstream built in — no cloudflared sidecar needed.
- Encrypted DNS server mode — clients outside the home can hit your AdGuard Home over DoH/DoT.
- Per-client policies — different filter lists by device or IP, schedule-based blocking (no social media after 10pm on the kids' tablet).
- Optional DHCP server.
Docker install. Port map: 53 plain DNS, 80/443 web UI and DoH, 3000 first-run setup wizard, 853/tcp DoT, 853/udp DoQ (784/udp is the pre-RFC DoQ draft port some older clients still use).
docker run --name adguardhome \
  --restart unless-stopped \
  -v $PWD/work:/opt/adguardhome/work \
  -v $PWD/conf:/opt/adguardhome/conf \
  -p 53:53/tcp -p 53:53/udp \
  -p 80:80/tcp -p 443:443/tcp -p 443:443/udp \
  -p 3000:3000/tcp \
  -p 853:853/tcp -p 853:853/udp \
  -p 784:784/udp \
  -d adguard/adguardhome
Pi-hole vs AdGuard Home — both are battle-tested. Pi-hole has the bigger community and docs; AdGuard Home has the more modern UX and features. For fresh 2026 installs, AdGuard Home is the more common pick.
21. Technitium, Unbound + Stubby, Blocky — solid minor options
Beyond Pi-hole and AdGuard Home there are other choices.
- Technitium DNS Server: .NET-based; authoritative + recursive + blocker + cache + DoH/DoT/DoQ server in one, with a very rich UI. Great when you want to run your own internal zone alongside a home blocking resolver; name it under home.arpa (RFC 8375 reserves it for exactly this) rather than .local, which collides with mDNS.
- Unbound + Stubby: classic NLnet Labs stack. Unbound is a true recursive resolver (walks from the root itself, no upstream trust), and Stubby is a DoT client daemon. Together they form "self-host the lot, trust no external resolver". Unbound can also speak DoT upstream on its own (forward-tls-upstream), so Stubby is optional if you only want an encrypted forwarder.
- Blocky: a small Go DNS proxy. Lighter than Pi-hole, with elegant Prometheus/Grafana metrics. People run it inside Kubernetes as an internal blocker.
Minimal Unbound config for self-recursive resolution, /etc/unbound/unbound.conf. Without a trust anchor Unbound still resolves but does not validate, so the auto-trust-anchor-file line is what makes the DNSSEC hardening options mean anything; the path varies by distro and unbound-anchor writes the file.
server:
  interface: 127.0.0.1
  interface: ::1
  access-control: 127.0.0.0/8 allow
  access-control: ::1/128 allow
  do-ip4: yes
  do-ip6: yes
  do-udp: yes
  do-tcp: yes
  hide-identity: yes
  hide-version: yes
  qname-minimisation: yes
  harden-glue: yes
  harden-dnssec-stripped: yes
  use-caps-for-id: yes
  prefetch: yes
  # root trust anchor for DNSSEC validation (Debian/Ubuntu path; adjust for your distro)
  auto-trust-anchor-file: "/var/lib/unbound/root.key"
Run unbound-checkconf before restarting. Now clients don't touch 1.1.1.1 either; your server walks the root itself. The most decentralised option you can run at home, with the trade-off that the root and TLD servers now see your home IP directly and the resolver-to-authoritative hop is plaintext by design.
22. Routers as the privacy front line — OpenWRT, Mikrotik, UniFi
Pinning DNS at the router protects everything on the network at once, OS or device be damned.
- OpenWRT + dnsmasq + https-dns-proxy: keep dnsmasq as the forwarder and install https-dns-proxy for DoH upstreams (1.1.1.1, 9.9.9.9…); luci-app-https-dns-proxy exposes it in the GUI and rewrites dnsmasq's upstream list for you.
- Mikrotik RouterOS 7.x: beyond the legacy /ip dns forwarding mode, RouterOS 7 supports DoH via /ip dns set use-doh-server=https://... verify-doh-cert=yes. The verify flag only works after you import the resolver's CA chain; leaving it off gives you DoH with no server authentication, which defeats the point.
- Ubiquiti UniFi: UDM/UDR Pro provide Threat Management for DNS category blocking, and recent UniFi Network releases add encrypted (DoH/DoT) upstreams.
Force DoH on OpenWRT.
opkg update
opkg install https-dns-proxy luci-app-https-dns-proxy
uci set https-dns-proxy.@https-dns-proxy[0].bootstrap_dns='1.1.1.1,1.0.0.1'
uci set https-dns-proxy.@https-dns-proxy[0].resolver_url='https://cloudflare-dns.com/dns-query'
uci commit https-dns-proxy
service https-dns-proxy restart
Router-level enforcement catches everything that honours DHCP-assigned DNS, but not application-level DoH: if Firefox or Chrome has its own DoH on, the query goes straight out on port 443 and never touches the router's resolver. Two practical countermeasures: answer NXDOMAIN for Firefox's canary domain use-application-dns.net, which makes Firefox fall back to system DNS, and block or redirect the IPs and hostnames of the well-known public DoH endpoints at the firewall. Neither stops a determined user or malware with a hard-coded DoH client; they stop accidental bypass.
23. Dual-stack, IPv6, and HTTPS / SVCB records (RFC 9460)
The 2026 DNS isn't just new transports — record types are evolving. HTTPS records (RFC 9460, 2023) carry IPs, ALPN, ECH, and port hints in a single lookup.
example.com. 3600 IN HTTPS 1 . alpn="h3,h2" ipv4hint=93.184.216.34 ipv6hint=2606:2800:220:1::1
A browser that gets that record can open HTTP/3 on the first connection and use the address hints while the A/AAAA answers are still in flight; the hints are advisory and A/AAAA remain authoritative for the address. The ech parameter carries the ECH configuration, so the ClientHello's SNI can be encrypted instead of travelling in plaintext.
Cloudflare DNS and Route 53 both accept HTTPS/SVCB records. Safari (iOS 14+) and current Chrome query the HTTPS type alongside A/AAAA automatically.
On IPv6 — dual-stack zones publish A and AAAA together, and clients pick the faster path with happy eyeballs (RFC 8305). By most measurements a large and still-growing share of traffic to major sites is now IPv6.
24. Korean and Japanese DNS — KT, SK, LG, IIJ, NTT, Naver, JPDNS
Korean ISP DNS.
| ISP | DNS IPs |
|---|---|
| KT | 168.126.63.1 / 168.126.63.2 |
| SK Broadband | 219.250.36.130 / 210.220.163.82 |
| LG U+ | 164.124.101.2 / 203.248.252.2 |
| Naver Public DNS | (re-launched, hostname-based, own policy) |
KT 168.126.63.1 is the most memorised IP in Korea. But the ISP doesn't officially offer DoH/DoT, and state-level blocks (warning.or.kr) are enforced through SNI inspection and DNS redirects. If you care about privacy, replace it with 1.1.1.1 or 9.9.9.9.
Japanese ISP DNS.
| ISP | DNS IPs |
|---|---|
| NTT DOCOMO mobile | Per-APN auto |
| KDDI / au | Per-APN auto |
| SoftBank | Per-APN auto |
| IIJ (Internet Initiative Japan) | 210.130.0.5 / 210.130.1.5 |
| JPRS (.jp registry) | Authoritative .jp servers, not a public recursive service |
Japan relies less on ISP DNS than Korea, and wholesale ISPs like IIJ run rock-solid public DNS. JPRS (Japan Registry Services), not an ISP, operates the .jp authoritative servers, so .jp resolution does not depend on which recursive resolver you pick.
For both Korean and Japanese users: 1.1.1.1 primary + 9.9.9.9 secondary is the easiest upgrade over ISP defaults. Keep the ISP DNS handy as a fallback for some local services that depend on it.
25. DNS attacks — cache poisoning, tunneling, DGA, rebinding
DNS has a wide attack surface. Four classics.
- Cache poisoning (Dan Kaminsky, 2008): stuff a recursive resolver's cache with fake answers so every downstream client lands on the wrong IP. Defence: source port randomisation, 0x20 encoding, DNSSEC.
- DNS tunneling: encode arbitrary data inside plaintext DNS to slip past firewalls. Common in malware C2 (iodine, dnscat2). Defence: DNS firewall, anomaly detection on query rate/size.
- DGA (domain generation algorithm): malware generates thousands of pseudo-random domains daily and only a few get registered for real C2. Defence: ML-based DGA detection, RPZ.
- DNS rebinding: short TTL flips an answer from a public IP to a private one, defeating same-origin protections. Defence: refuse private-IP answers (--stop-dns-rebind in dnsmasq, which Pi-hole inherits; --rebind-domain-ok whitelists the internal names that legitimately resolve to RFC 1918 space).
DoH/DoT shrink the attack surface but don't erase it. They encrypt only the stub-to-resolver hop; cache poisoning targets the resolver-to-authoritative hop, which stays plaintext UDP 53 however your laptop talks to the resolver, so the answer there is DNSSEC validation plus source-port and 0x20 randomisation, not a new transport. Tunneling and DGA ride inside legitimate-looking queries and work the same over any channel; an encrypted channel actually hides them from the network sensor, which is one reason enterprises terminate DoH at their own resolver.
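The defences above are one-liners; what a detection engineer actually writes is a few functions over the resolver log. The following is an added example, not code from the post or from Pi-hole, Unbound or any vendor named here: a tunneling heuristic (many unique, long subdomains under one parent), a DGA heuristic (long, vowel-poor, high-entropy labels that all come back NXDOMAIN) and a rebinding check (public answer followed by an internal one within a window), run over a constructed log. The log entries, thresholds and the attacker.example / exfil.example names are all made up for the demonstration; the registered-domain helper is a last-two-labels approximation and real code should use the Public Suffix List.

```python
import hashlib
import ipaddress
import math
from collections import defaultdict

# Constructed resolver log: (seconds, client, qname, answer IP or None for NXDOMAIN).
LOG = [
    (0, "10.0.0.5", "www.example.com", "93.184.216.34"),
    (1, "10.0.0.5", "mail.example.com", "93.184.216.34"),
    (3, "10.0.0.5", "typo.example.com", None),
    # tunnelling: six unique, long, hex-looking labels under one parent (generated, not captured)
    *[(5 + i, "10.0.0.7", f"{hashlib.sha256(f'chunk{i}'.encode()).hexdigest()[:48]}.t.exfil.example", None)
      for i in range(6)],
    # DGA-style names that all came back NXDOMAIN, plus one pronounceable near-miss
    (12, "10.0.0.9", "xkqvzjtwpb.com", None),
    (13, "10.0.0.9", "qwrtzpsdfg.net", None),
    (14, "10.0.0.9", "mnbvcxzlkj.org", None),
    (15, "10.0.0.9", "hgfdsapoiu.com", None),
    (16, "10.0.0.9", "microsoft.com", "93.184.216.34"),
    # rebinding: one name answered with a public address, then a private one, inside the window
    (20, "10.0.0.5", "app.attacker.example", "93.184.216.50"),
    (25, "10.0.0.5", "app.attacker.example", "192.168.1.1"),
]

VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def registered_domain(qname: str) -> str:
    # Last two labels. Production code should use the Public Suffix List (co.uk, co.kr, ...).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def detect_tunneling(log, min_unique: int = 5, min_avg_len: int = 25) -> set:
    # Tunnels encode data in the QNAME, so one parent accumulates many unique, long subdomains.
    subs = defaultdict(set)
    for _, _, qname, _ in log:
        q, rd = qname.rstrip(".").lower(), registered_domain(qname)
        if len(q) > len(rd):
            subs[rd].add(q[: -(len(rd) + 1)])
    return {rd for rd, s in subs.items()
            if len(s) >= min_unique and sum(map(len, s)) / len(s) >= min_avg_len}

def looks_dga(qname: str, min_len: int = 8, min_entropy: float = 3.0, max_vowel_ratio: float = 0.25) -> bool:
    # Algorithmic names tend to be long, alphabetic, high-entropy and vowel-poor.
    sld = registered_domain(qname).split(".")[0]
    if len(sld) < min_len or not sld.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in sld) / len(sld)
    return shannon_entropy(sld) >= min_entropy and vowel_ratio <= max_vowel_ratio

def detect_dga(log, min_hits: int = 3) -> dict:
    # A client that burns through several DGA-looking NXDOMAINs is hunting for a live C2 domain.
    hits = defaultdict(list)
    for _, client, qname, answer in log:
        if answer is None and looks_dga(qname):
            hits[client].append(qname)
    return {c: qs for c, qs in hits.items() if len(qs) >= min_hits}

def is_internal(ip) -> bool:
    return ip.is_private or ip.is_loopback or ip.is_link_local

def detect_rebinding(log, window: int = 300) -> list:
    # Same name, public answer followed by an internal answer within `window` seconds.
    last, flagged = {}, []
    for t, _, qname, answer in log:
        if answer is None:
            continue
        ip = ipaddress.ip_address(answer)
        prev = last.get(qname)
        if prev and not is_internal(prev[1]) and is_internal(ip) and t - prev[0] <= window:
            flagged.append((qname, str(prev[1]), str(ip)))
        last[qname] = (t, ip)
    return flagged

if __name__ == "__main__":
    print("tunneling:", detect_tunneling(LOG))
    print("dga:", detect_dga(LOG))
    print("rebinding:", detect_rebinding(LOG))
```

The rebinding check is the one to wire into an alert rather than a report: by the time a browser has followed the flipped answer, the attacker's page is already talking to 192.168.1.1 with the victim's network position, which is exactly what dnsmasq's --stop-dns-rebind prevents at the resolver.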
26. Decision checklist — what should your team / your home pick?
Personal / home
- Single device — flip OS Private DNS to 1dot1dot1dot1.cloudflare-dns.com or dns.quad9.net.
- Whole family + ad blocking — put Pi-hole 6 or AdGuard Home on a Raspberry Pi/Linux box and point the router's DHCP DNS there.
- Don't trust any external resolver — run Unbound for self-recursive resolution, optionally fronted by Stubby for DoT.
- Want analytics — NextDNS or ControlD.
Startups / production authoritative DNS
- Static site / SaaS, zero cost first — Cloudflare DNS.
- AWS-locked — Route 53, leaning on alias records and latency routing.
- Multi-cloud / edge routing — NS1 or Cloudflare DNS Load Balancing.
- Short-TTL health-check failover — Route 53 + health checks or NS1 Filter Chain.
Enterprise
- DNS firewall for every corporate device — Cloudflare Gateway or Cisco Umbrella.
- Own DC, own caches — PowerDNS + Unbound.
- K8s cluster DNS — CoreDNS (EKS/GKE/AKS default anyway).
- Multi-region authoritative with geo routing — NS1.
Rule of thumb: escape your ISP's default DNS as soon as you can. Even 1.1.1.1 + 9.9.9.9 dual is an instant upgrade for the average user.
Epilogue — DNS is the trust plane of the internet
The real 2026 lesson on DNS is that DNS is not infrastructure, it's the trust plane. Who do you trust to turn names into IPs, where is that trust logged, where is it blocked, where is it spoofed — that's all DNS-picking comes down to.
The tools are simple. One line of Cloudflare 1.1.1.1 in your OS DNS settings ends ISP plaintext exposure. A Pi-hole or AdGuard Home behind the router ends most ads. But who you wrote into that one line, and for whose benefit — that part is up to you.
Possible next posts: Cloudflare Workers + DNS — pushing Cloudflare end-to-end, Turning DNSSEC on for real — .com/.io/.kr delegation in practice, HTTPS · SVCB records and ECH — everything about the 2026 handshake.
"Choosing a DNS resolver is choosing where you're willing to leak your first piece of information."
— DNS Providers & Privacy 2026, end.
References
- RFC 8484 — DNS Queries over HTTPS (DoH)
- RFC 7858 — DNS over TLS (DoT)
- RFC 9250 — DNS over QUIC (DoQ)
- RFC 9230 — Oblivious DNS over HTTPS (ODoH)
- RFC 9460 — Service Binding and Parameter Specification (SVCB / HTTPS records)
- RFC 4033 — DNSSEC Introduction and Requirements
- Cloudflare 1.1.1.1
- Cloudflare 1.1.1.1 for Families
- Cloudflare Trust Hub — 1.1.1.1 audits
- Quad9
- Google Public DNS
- OpenDNS / Cisco Umbrella
- AdGuard DNS
- NextDNS
- ControlD
- Mullvad DNS
- dns0.eu
- AWS Route 53 Documentation
- Google Cloud DNS
- Azure DNS
- NS1 (IBM)
- PowerDNS
- BIND9 — ISC
- CoreDNS
- Knot DNS — CZ.NIC
- Unbound — NLnet Labs
- dnsmasq
- Pi-hole
- AdGuard Home
- Technitium DNS Server
- Blocky — DNS proxy
- Stubby — DoT client
- OpenWRT https-dns-proxy
- DNSperf — public DNS benchmarks
- APNIC — 1.1.1.1 history