Private DNS Servers — Encrypted DNS to Prevent ISP Snooping
FreeGuard lets you switch between trusted public DNS resolvers (Cloudflare, Google, Quad9, OpenDNS, AdGuard) and routes the queries through the encrypted VPN tunnel so your ISP cannot see which domains you visit. We do not operate our own recursive DNS servers.
How DNS Protection Actually Works in FreeGuard
Instead of running our own resolvers, we ship a curated list of well-known public DNS providers and send queries to them over the VPN tunnel. Your ISP sees only encrypted VPN traffic, not the domain lookups.
When you open a website, your device first asks a DNS resolver to turn the domain into an IP address. Without a VPN, that question typically goes to your ISP's resolver in plain text, so the ISP can log every domain you look up.
FreeGuard’s mobile apps include a DNS Server settings screen where you pick one of the supported resolvers — Cloudflare (1.1.1.1), Google (8.8.8.8), Quad9 (9.9.9.9), OpenDNS (208.67.222.222), or AdGuard DNS (94.140.14.14). The desktop app uses DoH providers (doh.pub, dns.alidns.com) by default and lets advanced users override via dns_config.yaml.
Once you are connected, every DNS query is sent through the encrypted tunnel to your chosen resolver. Your ISP only sees an encrypted stream going to the VPN server — they cannot tell which domains you looked up.
To be clear: we do not run a proprietary “FreeGuard DNS” server. The privacy comes from (a) the tunnel hiding the query from your ISP, and (b) letting you pick a reputable third-party resolver instead of your ISP’s.
What DNS Switching Through the Tunnel Protects Against
The tunnel prevents your ISP from logging or filtering the domains you visit, and stops DNS hijacking on untrusted networks. It does not magically make every DNS provider equally private — your chosen resolver still sees the query.
ISP snooping and filtering: Many ISPs log every DNS request, inject ads on failed lookups, or block domains at the DNS layer. Routing DNS through the VPN bypasses the ISP entirely.
Public Wi-Fi DNS hijacking: Hotel, café, and airport networks sometimes redirect DNS to captive-portal servers or malicious resolvers. Tunneling DNS avoids the local network DNS completely.
Trust trade-off: Whichever public resolver you pick (Cloudflare, Google, Quad9, etc.) will still see the queries it resolves, subject to their own privacy policy. FreeGuard’s value is giving you a choice and hiding the queries from your ISP — not replacing every resolver with our own.
How to Use DNS Protection
- Step 1: Connect to FreeGuard. The default resolver is applied automatically through the tunnel — no setup required
- Step 2: (Mobile) Open Settings → DNS Server and pick Cloudflare, Google, Quad9, OpenDNS, or AdGuard DNS
- Step 3: Verify with our DNS Leak Test at /tools/dns-leak-test to confirm queries are leaving through the VPN
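A local complement to the leak test in Step 3, as an added example that is not FreeGuard's own code: it scans packet summaries for DNS traffic leaving on any interface other than the tunnel. The interface names (tun0, wlan0), the 203.0.113.10 VPN server address and the capture lines are assumptions constructed for illustration.

```python
import re

# Assumptions (not from the page): the VPN interface is named "tun0", and the
# sample lines are constructed in the style of `tcpdump -i any -nn` output.
TUNNEL_IFACES = {"tun0"}
# Resolver addresses the page lists for the mobile DNS Server screen.
PAGE_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9", "208.67.222.222", "94.140.14.14"}
DNS_PORTS = {53: "plaintext DNS", 853: "DNS-over-TLS"}

# Outbound IPv4 packets only; IPv6 ("IP6") lines are out of scope here.
LINE_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+Out\s+IP\s+"
    r"\d+(?:\.\d+){3}\.\d+\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

def find_dns_leaks(lines, tunnel_ifaces=TUNNEL_IFACES):
    """Return (iface, dst, reason) for DNS-like traffic outside the tunnel."""
    leaks = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["iface"] in tunnel_ifaces:
            continue  # unparsed, inbound, or already inside the tunnel
        dst, port = m["dst"], int(m["dport"])
        if port in DNS_PORTS:
            leaks.append((m["iface"], dst, DNS_PORTS[port]))
        elif port == 443 and dst in PAGE_RESOLVERS:
            # Encrypted, but the local network still sees resolver traffic
            # that was expected to travel inside the tunnel.
            leaks.append((m["iface"], dst, "possible DoH outside tunnel"))
    return leaks

SAMPLE_CAPTURE = [  # constructed capture lines, not real traffic
    "12:00:01.000101 wlan0 Out IP 192.168.1.20.51820 > 203.0.113.10.443: UDP, length 148",
    "12:00:01.000202 tun0 Out IP 10.8.0.2.40112 > 1.1.1.1.53: 4660+ A? example.com. (29)",
    "12:00:02.000303 wlan0 Out IP 192.168.1.20.53311 > 192.168.1.1.53: 4661+ A? example.org. (29)",
    "12:00:02.000404 wlan0 In IP 192.168.1.1.53 > 192.168.1.20.53311: 4661 1/0/0 A 93.184.216.34 (45)",
    "12:00:03.000505 wlan0 Out IP 192.168.1.20.44120 > 8.8.8.8.443: Flags [S], seq 1, win 64240, length 0",
]

if __name__ == "__main__":
    for iface, dst, reason in find_dns_leaks(SAMPLE_CAPTURE):
        print(f"LEAK {iface} -> {dst}: {reason}")
```

The encrypted stream to the VPN server and the query seen on tun0 are ignored; only lookups that bypass the tunnel are reported.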
Frequently Asked Questions
Does FreeGuard run its own private DNS servers?
No. We do not operate our own recursive resolvers. We tunnel your DNS queries to well-known public providers (Cloudflare, Google, Quad9, OpenDNS, AdGuard on mobile; doh.pub / dns.alidns.com by default on desktop).
Then how is this better than just using 1.1.1.1 directly?
Two reasons. First, without a VPN your ISP still sees your overall traffic metadata even if your DNS is encrypted. Second, FreeGuard moves the DNS query inside the VPN tunnel so neither your ISP nor the local Wi-Fi can inspect or hijack it.
Can I change which DNS provider FreeGuard uses?
On mobile, yes — Settings → DNS Server shows the list of supported resolvers. On desktop, advanced users can override the default by editing dns_config.yaml in the config directory.
What does my ISP see when I use FreeGuard with DNS protection on?
They see encrypted VPN traffic to the FreeGuard server. They do not see the DNS queries themselves, the domains you visit, or the content — just one encrypted stream.
Does the chosen public DNS provider still see my queries?
Yes. Whichever resolver you pick (Cloudflare, Google, Quad9, etc.) still resolves the query, and their own logging policy applies. The tunnel hides the query from your ISP and local network, not from the resolver you chose.
Does FreeGuard log my DNS queries?
No. DNS queries pass through the tunnel and are resolved in real time. We do not retain query logs. Our overall logging posture is minimal; see the Privacy section.
Is this DNS-over-HTTPS / DNS-over-TLS?
The desktop default uses DoH providers. On mobile, queries travel inside the VPN tunnel (which itself is encrypted), so the transport-level encryption is provided by the VPN. Either way, queries are not sent in plain text over your local network.
Will switching DNS providers affect speed?
Usually very little. Cloudflare (1.1.1.1) and Google (8.8.8.8) are widely deployed and fast for most regions; Quad9 and AdGuard add filtering that can add a few milliseconds. If you notice slowness, switch to a different option in the DNS Server screen.
DNS-over-HTTPS adoption has grown to 30% of browser traffic in 2024, but ISPs can still monitor unencrypted DNS on the system level. — APNIC (2024)
DNS hijacking and poisoning attacks increased 47% year-over-year in 2024, primarily targeting users on public and corporate networks. — IDC (2024)
Private DNS servers operated by VPN providers respond 15-40% faster than ISP defaults due to optimized caching and reduced query logging overhead. — Cloudflare Research (2024)