
Private DNS and Ad-Blocking on Android Without Root

How to use Android's built-in Private DNS feature with filtering resolvers like NextDNS, AdGuard DNS, and Mullvad to block ads and trackers system-wide on any unrooted Android 9 or later device.

Ads on Android do not just appear in browsers. They are baked into apps, bundled into SDKs, and phoned home via background telemetry - often without any visible indicator to the user. The good news is that Android has shipped a system-wide DNS encryption feature since version 9 that, when pointed at the right resolver, blocks a significant portion of that traffic before it ever leaves your device. No root, no custom ROM, no third-party firewall app required.

This guide covers how Private DNS works, which filtering resolvers are worth using, how to configure everything in under five minutes, and where the limits of DNS-level blocking lie.

How Private DNS Works on Android

Every time an app or browser needs to reach a hostname, it sends a DNS query to translate the name into an IP address. By default, Android forwards these queries to whatever resolver your Wi-Fi router or mobile carrier provides - unencrypted and in plaintext. Anyone on the same network, your ISP, or a malicious hotspot can read or manipulate those queries.

Android 9 introduced DNS-over-TLS (DoT), branded as “Private DNS,” which wraps DNS queries in a TLS connection. The system-wide setting lives at:

Settings > Network & internet > Private DNS

Three modes are available:

  • Off - plaintext DNS, no filtering.
  • Automatic - uses the carrier or DHCP-assigned resolver; attempts DoT opportunistically if the resolver supports it.
  • Private DNS provider hostname - forces DoT to a specific hostname you type in. This is the mode that enables filtering.

When you enter a hostname such as dns.nextdns.io, Android resolves it once, then maintains a persistent TLS connection to that resolver for all subsequent queries from all apps. The resolver can then apply blocklists before returning (or refusing) answers.

A note on DNS-over-HTTPS (DoH): the system-wide Private DNS toggle uses DoT exclusively. Browsers like Firefox and Brave implement their own DoH stacks independently of the operating system, which means browser DNS traffic can be routed differently from system DNS traffic depending on each browser’s individual settings. The two mechanisms coexist but do not share configuration.

For a broader look at Android privacy hardening beyond DNS, see our Android privacy hardening checklist.

Choosing a Filtering DNS Resolver

Not all resolvers are equal. The comparison below covers the most practical options for privacy-focused Android users (DoT hostname, free tier, blocklists, logs policy, notable feature):

  • NextDNS - DoT hostname: [id].dns.nextdns.io. Free tier: 300k queries/mo. Blocklists: fully customizable. Logs policy: no logs (configurable). Notable feature: per-device profiles, analytics dashboard.
  • AdGuard DNS - DoT hostname: dns.adguard-dns.com. Free tier: unlimited. Blocklists: ads + trackers. Logs policy: no logs (default). Notable feature: family filter option, no account needed.
  • Mullvad DNS - DoT hostname: dns.mullvad.net (+ variants). Free tier: unlimited. Blocklists: ads, trackers, malware (variants). Logs policy: no logs. Notable feature: operated by Mullvad VPN, open infrastructure.
  • Cloudflare 1.1.1.1 - DoT hostname: 1dot1dot1dot1.cloudflare-dns.com. Free tier: unlimited. Blocklists: none (1.1.1.1) / malware (1.1.1.2) / malware + adult (1.1.1.3). Logs policy: temporary logs purged within 24h. Notable feature: fastest average latency globally.
  • dns0.eu - DoT hostname: dns0.eu. Free tier: unlimited. Blocklists: phishing, malware. Logs policy: no logs. Notable feature: GDPR-native, EU-operated, threat-intel feeds.

NextDNS is the most flexible option if you want to tune what gets blocked. After creating a free account at nextdns.io, you get a unique ID that becomes part of your DoT hostname. You can enable curated blocklists (EasyList, AdGuard, Steven Black, OISD), whitelist individual domains, and see per-app query logs in real time. The free tier covers 300,000 queries per month - roughly sufficient for a single heavy-use device.

AdGuard DNS is the zero-friction choice. The default DoT hostname (dns.adguard-dns.com) needs no account and blocks ads and trackers using AdGuard’s own curated lists. It is a reasonable default for anyone who does not want to manage a dashboard.

Mullvad DNS offers several hostnames that add incrementally stricter filtering. base.dns.mullvad.net blocks ads and trackers; extended.dns.mullvad.net adds additional tracker lists; all.dns.mullvad.net adds adult content filtering. Because Mullvad’s VPN product is audited and transparent about its no-log infrastructure, their DNS resolver inherits that credibility.

Step-by-Step: Setting Up Private DNS on Android

The exact path varies slightly between manufacturer skins (One UI, MIUI, OxygenOS), but the setting exists on all Android 9+ devices.

On stock Android / Pixel:

  1. Open Settings.
  2. Tap Network & internet (or Connections on Samsung).
  3. Tap Private DNS.
  4. Select Private DNS provider hostname.
  5. Enter the DoT hostname for your chosen resolver.
  6. Tap Save.

Android will immediately test the connection. If the hostname is unreachable or the TLS handshake fails, it will warn you and revert to the previous setting rather than silently falling back to plaintext - which is the correct fail-closed behaviour.

For NextDNS specifically, you need to substitute your account ID into the hostname:

<your-id>.dns.nextdns.io

Your ID is shown on the Setup tab of the NextDNS dashboard after creating a free account.

Verifying it works:

Navigate to https://test.nextdns.io (NextDNS) or https://adguard.com/en/test.html (AdGuard) in any browser. Both pages confirm whether your queries are reaching the resolver and whether filtering is active.

Alternatively, open a browser and try loading a known ad-serving domain such as doubleclick.net directly. A filtering resolver will return NXDOMAIN or a blocked response.
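To run the same check from a laptop instead of a browser, here is an added example (not code from this page or from any of the resolver operators) that performs one DNS-over-TLS query the way Android's Private DNS does, TLS to port 853 with a 2-byte length prefix, and classifies the answer as NXDOMAIN, null-routed (0.0.0.0 or ::) or resolved. The resolver hostnames it is meant to be pointed at are the ones in the table above; dot_query needs network access, while classify works offline on any raw DNS message.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Minimal RFC 1035 query: header with RD set, one question (type A = 1)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(response):
    """'nxdomain', 'null-routed' or 'resolved'; filters block via NXDOMAIN or a 0.0.0.0 / :: answer."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if (flags & 0x000F) == 3:                # RCODE 3 = NXDOMAIN
        return "nxdomain"
    pos = 12
    for _ in range(qd):                      # skip the echoed question section
        while response[pos] != 0:
            pos += response[pos] + 1
        pos += 5                             # root label + qtype + qclass
    addrs = []
    for _ in range(an):
        if (response[pos] & 0xC0) == 0xC0:   # compressed owner name: 2-byte pointer
            pos += 2
        else:
            while response[pos] != 0:
                pos += response[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        rdata, pos = response[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype in (1, 28):                 # A or AAAA record
            addrs.append(socket.inet_ntop(socket.AF_INET if rtype == 1 else socket.AF_INET6, rdata))
    if addrs and all(a in ("0.0.0.0", "::") for a in addrs):
        return "null-routed"
    return "resolved"

def dot_query(resolver, name, port=853, timeout=5):
    """One DNS-over-TLS exchange (RFC 7858): TLS on 853, 2-byte length-prefixed messages, cert verified."""
    ctx = ssl.create_default_context()       # validates the resolver certificate against `resolver`
    with socket.create_connection((resolver, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=resolver) as tls:
        query = build_query(name)
        tls.sendall(struct.pack("!H", len(query)) + query)
        data = b""
        while len(data) < 2 or len(data) < 2 + struct.unpack("!H", data[:2])[0]:
            chunk = tls.recv(4096)
            if not chunk:
                raise ConnectionError("resolver closed the connection early")
            data += chunk
    return classify(data[2:])                # strip the length prefix before parsing
```

For example, dot_query("dns.adguard-dns.com", "doubleclick.net") against a filtering resolver should come back as "nxdomain" or "null-routed", while the same query to 1dot1dot1dot1.cloudflare-dns.com (no filtering) returns "resolved".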

Private DNS on GrapheneOS and Other Custom ROMs

If you are running GrapheneOS or LineageOS, Private DNS configuration is identical to stock Android - the setting is part of AOSP and both ROMs expose it without modification.

GrapheneOS goes further in a few ways relevant here:

  • The Sandboxed Google Play container runs Play Store apps in an isolated profile, so DNS queries from Play apps go through the same system resolver as everything else. There is no privileged escape path.
  • GrapheneOS ships Vanadium as its default browser. Vanadium does not override the system resolver with its own DoH stack, so filtering applies consistently to browser traffic as well.
  • The network permission toggle per app (available in GrapheneOS) lets you revoke internet access entirely for apps that have no legitimate need to phone home, which is stronger than any DNS filter.

LineageOS does not add DNS-specific hardening beyond AOSP defaults, but it does remove most manufacturer and carrier bloatware that would otherwise generate background DNS traffic you cannot easily audit.

Limitations: What DNS Blocking Cannot Stop

DNS-level ad-blocking is genuinely useful but it is not a complete solution. Being clear about the limits helps you layer defences correctly.

Hardcoded IPs and DNS pinning. A growing number of apps and ad SDKs bypass the system resolver entirely by hardcoding IP addresses or using their own DoH endpoint. Some Google apps fall back to known resolver IPs when the system resolver fails. DNS filtering never sees these queries. The only way to intercept them is with a local VPN that redirects all UDP/TCP port 53 traffic and known DoH endpoints - which requires either root or an app that declares itself a VPN (like the full version of AdGuard for Android).

Same-domain ad serving. Publishers increasingly serve ads from their own subdomain (for example, ads.example.com hosted on the same infrastructure as example.com). Blocking the ad subdomain also blocks the site. DNS filters cannot distinguish between them without breaking legitimate content.

In-app SDKs loaded over HTTPS. An app that bundles its own ad rendering code and fetches creative assets over an established HTTPS connection to a CDN will not generate a separate DNS query that looks like ad traffic. It looks like any other HTTPS request to a legitimate CDN hostname.

Encrypted Client Hello (ECH). As TLS 1.3 with ECH rolls out more broadly, even the SNI field in TLS handshakes becomes encrypted. DNS filtering remains effective at the query stage, but auditing the correlation between DNS blocks and actual connection attempts becomes harder.

For content-level blocking in the browser, pair Private DNS with a browser that has a built-in content blocker (Brave, Firefox with uBlock Origin) or use a VPN app that includes DNS filtering.

Combining Private DNS with Other Android Privacy Tools

Private DNS sits at the network layer. A complete Android privacy setup stacks it with controls at other layers:

  • Browser-level: Brave (built-in shields) or Firefox with uBlock Origin blocks first-party ad scripts, CNAME-cloaked trackers, and fingerprinting that DNS cannot see.
  • VPN-level: A no-log VPN hides traffic metadata from your ISP and network operator. Some providers (Mullvad, ProtonVPN) let you use their DNS resolver inside the tunnel, combining encryption and filtering in one connection. See our best Android VPN apps guide for vetted options.
  • App selection: Installing apps from F-Droid rather than the Play Store dramatically reduces exposure to ad SDK telemetry in the first place. FOSS apps on F-Droid typically contain no ad or analytics SDKs by policy.
  • Permission management: Revoking network permissions on apps that have no legitimate need for internet access (on GrapheneOS) or denying unnecessary permissions (all Android versions) reduces the attack surface before DNS ever comes into play.

Private DNS with a filtering resolver is the single highest-leverage, lowest-effort privacy improvement available on an unrooted Android device. Five minutes of configuration gives you system-wide encrypted DNS queries with meaningful ad and tracker blocking across every app on the phone - including apps you never open, running background telemetry you would otherwise never know about.

FAQ

Does Private DNS work on Android without root?

Yes. The Private DNS setting is a built-in feature of Android 9 and later and requires no root access, no custom ROM, and no third-party VPN app. It routes all system DNS queries over an encrypted TLS connection to whatever resolver hostname you enter in Settings > Network & internet > Private DNS.

Which Private DNS resolver blocks the most ads?

NextDNS is the most configurable option, letting you combine multiple curated blocklists (EasyList, AdGuard, OISD, Steven Black) with per-device profiles and query logging. AdGuard DNS is the easiest no-account alternative. The right choice depends on whether you want to tune blocking rules or just set and forget.

Will Private DNS slow down my internet connection?

The latency impact is negligible for most users. The TLS connection to the resolver is established once and reused. Cloudflare's resolver (1dot1dot1dot1.cloudflare-dns.com) consistently ranks fastest in global latency tests; NextDNS and AdGuard DNS are close behind. The filtering lookup itself adds microseconds, not milliseconds.

Does Private DNS block ads inside apps as well as browsers?

It blocks requests to ad-serving domains across all apps, not just browsers, because it operates at the system DNS layer. However, apps that use hardcoded IP addresses or bundle their own DoH client bypass the system resolver entirely, so DNS-level blocking is not guaranteed to catch every ad network.