Secure DNS servers

I was sure this has been already posted on my blog, but I guess I was wrong (or was it my old blog). Anyway, here they are, listed again. Most widely known and used DNS servers that can be used as alternative to the DNS servers provided by your ISP. In general, most users don’t really need to use these, but those who want extra security in a form of blocking websites that are serving malware or host phishing sites along with DNS poisoning defense, these alternative DNS servers can be useful. Some also offer blocking of porn, but you have to visit their webpage for those IP addresses, I’m only listing the antimalware/antiphishing one). Instructions to use each are also provided on their webpages if you don’t know how to set them up.

List Updated: June 2020


Cloudflare DNS (USA) or (DNS only) or (Malware blocking)

SecureDNS (Netherlands)
DNS-over-TLS + Ads/Tracking Blocking:
SPKI key: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=

Neutopia DNS (France)

DNS.Watch (Germany)

FreeDNS (Romania)

LibreDNS (Powered by OpenNIC)

OpenNIC (DNS servers operated by users worldwide)

Open DNS (USA)

Quad 9 (USA)

Neustar UltraDNS (USA)

VeriSign Public DNS (USA)

Comodo Secure DNS (USA)

Adguard DNS (Cyprus)

Yandex.DNS (Russia)

Google DNS (USA)

9 thoughts on “Secure DNS servers

  1. Hello Rejzor,

    Thank you for sharing this list :), but do you plan on testing them (including Yandex DNS and ranking them based on best overall blocking of malicious websites (including grayware/whatever like spam, scam, adware, phishing, potentially unwanted software, browser exploits, et cetera)?

    I think that it would be nice to see how you rank them in terms of malicious website protection. 😉

    Thank you,
    -John Jr


    1. From my experience, Symantec DNS is the most aggressive. The rest doesn’t really block much. Haven’t tried Yandex yet though. I mostly use these for reliability over protection. Antiviruses usually have much better URL blocking anyway…


      1. Hello Rejzor,

        Thank you for responding. 🙂

        You are right about antimalware/antivirus products usually having better URL blocking, but I like to have layers of protection especially layers that do no need to be installed and that can work across different operating systems; and I often use inferior antimalware products like Microsoft Security Essentials/Windows Defender and ClamTK because they are a better fit for the people that I usually help who can not handle having to register their products or buy their products or deal with ads in products et cetera so having extra layers is helpful.

        I use Windows and Ubuntu Linux so having an extra layer of protection for my Ubuntu partition is helpful even though malware has never been a problem on this partition yet but I like to have some protection, most people who I help with computer problems usually have malware infected computers because they do not have functional or updated antimalware products and most of them need automatic layers of protection to help them because they do not know much and are not willing or able to learn, and so every little automatic and free layer of protection like that helps a bit. 😉

        I hope that you and/or someone else will do an annual test of these free DNS services to see how they rank in malicious URL blocking each year, it would nice to have updated tests each year from different people to have a better idea of how well they perform, because most of the tests that I have seen are from years ago and I have seen no test for Yandex DNS because it is the newest.

        Thank you,
        -John Jr


  2. All the official Cisco DNS resolvers log traffic so may not be wanted if privacy is also an issue.
    See here
    You will also notice Cloudflare DNS in the list and that they do not keep logs.

    DNSCrypt adds encryption and validation to your DNS lookups, thus helping to protect against man in the middle attacks.
    It also supports the unique identifier keys used by the Cisco Umbrella DNS, should you want or need to use it.

    From the full list of supported Open DNS (including official Cisco DNS), you can filter by DNSSec, logging and filtering.
    Many of the resolvers also use Quad9, and SimpleDNSCrypt will fallback to regular Quad9 to fetch the resolver list if it cannot use its own.

    You can select your preferred DNS by country or filters
    By default it will automatically use the fastest from the list.
    Disable automatic mode to select as many specific resolvers as you prefer.

    Block lists can be imported into the SimpleDNSCrypt client, and it recognises standard ad-block HOSTS files such as MVPS and hpHosts
    If you prefer to manage your own block lists, you can opt to use this instead of a HOSTS file or a resolver with filters

    Quad9 Note:
    Recent tests showed that the site blocking provided by Quad9 is not good.
    View at
    It clearly shows that DNS filters are no where near as good as AV or manual HOSTS management.


    Having a secure connection between you and your DNS is only half of the picture.
    You may stop a man in the middle between you and the DNS, but is there a MITM between the site and the DNS it uses ?
    If you would like to see if the site you are connected to is using DNSSec, and can actually be properly validated (separate to cert validation) you can use this site

    To add DNSSec/DANE validation to your browser you have to use an extension, but it will make you very unhappy as you browse, because you will quickly see how few sites are configured to use DNSSec or configured properly.

    Liked by 1 person

  3. Hello Rejzor,

    I have been using Adguard DNS for over a year now, having ad-blocking at the DNS level is helpful when we are using the Xbox 360 and whatever else is connected to the network, but I am not sure how good its malicious / greyware website blocking is compared to other services like Norton ConnectSafe or whatever it is called now so I hope that someone will test it one day against other DNS services.

    Have you tried Adguard DNS yet?

    -John Jr


  4. Hello,

    It may be time to remove Norton ConnectSafe DNS now that it is retired.

    Also I was wondering if there was a reason that you have not included Adguard DNS?

    Is there some kind of privacy and / or security issue with it or something or is it just not worth using?

    Thank you,

    -John Jr


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s