Privacy Tool Spotlight: DNS (Part 2)

In our last post, "Privacy Tool Spotlight: DNS", we covered the key points about the Domain Name System, or DNS:
- What DNS is: It converts easy-to-remember domain names like "example.com" into the actual network addresses computers use, such as "127.0.0.1".
- Most people never notice DNS until it stops working.
- Your internet service provider can see every DNS request you make.
- Some ISPs collect and use that data for marketing.
- Switching to a better DNS provider can block ads, trackers, and malware.
- Secure DNS options exist that can hide your traffic from prying eyes.
That was a lot to take in!
If you only want to clean things up on your mobile phone, try the Control D app set to their "family" resolver and pair it with the privacy-focused Brave browser. This simple change can remove a tremendous amount of junk from your browsing. Best of all, if anything feels off, you can disable Control D DNS with one tap. Nothing on your phone is permanently changed.
But what if you want similar protection across your entire home network? Or you would like to fully encrypt all your traffic so your ISP cannot snoop? We have some great options worth considering.
DNS Privacy & Security Comparison
As we have seen, there are many DNS choices, from the default "it just works" option provided by your ISP to fully encrypted solutions. Here is a clear comparison of the main options:
| DNS Solution | DNS Provider Tracking | ISP Visibility | DNS Tampering Protection | Encryption | Content Filtering | Notes |
|---|---|---|---|---|---|---|
| ISP DNS | High | Full | None | None | Limited (firewall only) | Least private. |
| Better DNS (ex. NextDNS, AdGuard, etc.) | Medium¹ | Full | Partial² | None | Yes (ads, trackers, malware, etc.) | Queries sent in plaintext. ISP still sees everything. |
| DoH / DoT / DoQ | Medium¹ | None | Partial² | Yes | Provider or firewall | Encrypted to the resolver. You must trust the provider. |
| VPN with Built-in DNS (ex. Proton VPN + NetShield) | Low-Medium⁴ | None | Strong | Full | Yes (NetShield ad/malware block) | All traffic (including DNS) goes through the VPN. No leaks if set up correctly. |
| Unbound | None | Full | Full (DNSSEC) | None³ | None (or via separate network-wide ad blocker) | Validates responses from the root servers. No third party involved. |
| Unbound + VPN | None | None | Full (DNSSEC) | Full | None (or via separate network-wide ad blocker) | Strongest overall privacy and integrity. Filtering needs extra tools. |
Footnotes
¹ Even privacy-friendly providers could log or change queries (even if they promise not to). DNSSEC helps but is not fully under your control.
² Your ISP can tamper with plaintext DNS unless you use encryption (DoH/DoT/DoQ or VPN).
³ You can add DoT/DoH upstream or run it over a VPN for encryption.
⁴ Audited no-logs VPNs like Proton handle DNS internally. You trust the VPN provider instead of your ISP.
Virtual Private Network (VPN)
One of the strongest options is using a reputable VPN from a privacy-focused provider such as Mullvad, Proton, or similar audited services. A VPN encrypts all traffic between your device (or entire home network) and the VPN provider. This includes your DNS requests.
On phones and tablets, it is usually as simple as installing an app and flipping a switch on or off. Many VPN apps also include built-in filtering to block ads, trackers, and malware. Proton VPN, for example, offers its NetShield feature for this purpose.
For your whole home network, it depends on your router. Newer routers often support VPN clients, but setup takes a few extra steps. With Proton VPN, you generate a configuration file on their website and load it into your router (either via QR code or by uploading the file).
This approach gives excellent privacy, especially with a trusted no-logs provider. It does require a bit more effort and usually involves a subscription cost, but many people find it well worth it.
Unbound
Another powerful option is Unbound, a free and open-source recursive DNS resolver that you run on your own local network. Unlike most other solutions, Unbound does not rely on any third-party DNS provider. It starts at the root DNS servers and validates every response itself using DNSSEC (Domain Name System Security Extensions) for maximum integrity and security.
This means no company is logging your queries, and you get strong protection against DNS tampering. On its own, Unbound does not block ads or trackers, but you can easily combine it with a network-wide ad blocker such as Pi-hole or AdGuard Home for that extra layer of protection.
Unbound works especially well on a home server, Raspberry Pi, or router that supports it. Setup is a little more technical than a simple app, but there are excellent guides available. Once running, it delivers fast, private, and trustworthy DNS for your entire home network. Instructions for setting up a Raspberry Pi running Pi-hole and Unbound are available at https://docs.pi-hole.net/guides/dns/unbound/, or you can search for the many tutorials on YouTube.
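As an added example (not from the original post or the Pi-hole guide), here is a minimal Unbound configuration that does what this section describes: listen locally so Pi-hole can use it as its upstream, recurse from the root servers, and validate every answer with DNSSEC. The file paths, port 5335, and the placeholder DoT address are assumptions following common Debian/Pi-hole conventions; adjust them to your system.

```conf
# Assumed path: /etc/unbound/unbound.conf.d/pi-hole.conf (example, not the project's own file)
server:
    # Listen only on localhost, port 5335, so Pi-hole on the same box can use it as upstream.
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no          # set to yes if your network has working IPv6

    # Recurse from the root: no third-party resolver is involved.
    root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC validation. Unbound keeps this trust-anchor file updated automatically (RFC 5011).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Hardening against tampered or DNSSEC-stripped responses.
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1232

    # Refresh popular records before they expire; one thread is plenty for a home LAN.
    prefetch: yes
    num-threads: 1

    # Refuse public answers that point at private addresses (DNS rebinding protection).
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: fd00::/8
    private-address: fe80::/10

    # Only this host may query the resolver; everyone else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Needed only for the optional DoT forwarding below (verifies the forwarder's certificate).
    #tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Optional (footnote 3): forward everything over DNS-over-TLS instead of recursing from the root.
# This trades "no third party involved" for encryption to the forwarder. Uncomment to use.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 203.0.113.53@853#dot.resolver.example   # placeholder: your provider's DoT address and hostname
```

After restarting Unbound, set Pi-hole's custom upstream DNS to 127.0.0.1#5335 and confirm with `dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335` that a deliberately bad DNSSEC signature returns SERVFAIL rather than an answer.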
Unbound + VPN
For the best of both worlds (full privacy plus encryption), you can run Unbound locally on your network and route its traffic through a VPN. This powerful combination gives you complete control over DNS validation with DNSSEC while hiding all your activity from your ISP. It is widely considered one of the strongest setups available for privacy-conscious users.
A great example is using a Firewalla router in router mode. Firewalla devices include built-in tools to block ads, trackers, and malware, plus full VPN client support. They also allow you to run Unbound and easily send all DNS requests over the VPN tunnel. For this setup to work properly, simply disable the "Force DNS over VPN" option in the Firewalla settings.
This combination can take the most effort to set up (or be fairly straightforward depending on your router), but once running it delivers outstanding privacy and protection across your entire home while still blocking unwanted content.
Potential Issues with Streaming Services and Other Platforms
While the privacy setups we have discussed work great for everyday browsing, they can sometimes create challenges with popular streaming services and certain other systems.
Streaming platforms such as Netflix, Paramount+, Amazon Prime Video, Disney+, Hulu, and others use sophisticated detection systems to enforce content licensing agreements and prevent bypassing regional restrictions. When they detect unusual DNS activity (from DoH, DoT, Unbound, or a VPN), they may treat your connection as suspicious. You might see:
- Messages saying you appear to be using a VPN or proxy
- Black screens or endless loading
- Certain titles that will not play
- Slower speeds or random connection drops
This issue shows up most often with full-home solutions like Unbound + VPN or router-level VPNs. Even plain DoH or DoT can occasionally cause trouble on smart TVs, streaming sticks, or game consoles.
Similar problems can appear on Ubuntu (and other Linux systems). Some Ubuntu services, including apt package updates, Snap packages, and Canonical infrastructure tools, expect traditional DNS resolution. Aggressive filtering, encrypted DNS, or certain VPN configurations can cause update failures, connection timeouts, or errors when fetching packages and repositories.
Easy Workarounds
The good news is you do not have to choose between strong privacy and enjoying your favorite shows or keeping your systems updated. Most people solve these issues with a few simple adjustments:
- Temporarily turn off your VPN or custom DNS just for the streaming device or Ubuntu machine
- Use split tunneling or device-specific rules so your TV, streaming box, or Linux computer uses normal ISP DNS while the rest of the house stays protected
- Switch to a VPN server that is known to work well with streaming (many providers offer dedicated streaming-friendly locations)
- Create custom routing rules for specific apps, services, or domains
Continuing with the Firewalla example, you can set up two separate VPN tunnels. One tunnel does not force DNS over the VPN, while the second one does. You can then create rules that send your streaming apps or Ubuntu update traffic through the appropriate tunnel. This way, nearly all of your traffic still goes through a VPN and uses Unbound for DNS, but your streaming services and system updates get the right path to work smoothly.
In the end, the best setup depends on how much protection you want and how often you stream or update systems. Take time to test things on your own network. Most of these solutions are easy to tweak, and you will quickly find a balance that keeps both your privacy and your entertainment (plus system maintenance) intact.
You Have Options
We started by explaining what DNS is and why it matters, then explored better alternatives, and finally looked at ways you can run your own DNS resolver for maximum privacy.
The truth is there are many practical steps you can take to protect your browsing history and online activity. Whether you start small with a simple app on your phone or go all-in with a full-home Unbound + VPN setup, every improvement helps.
We hope this guide has given you a clearer picture of the options available and encouraged you to try at least one or two.
Remember: We may not have anything to hide, but everything to protect.
