Our public DNS service offers DNS over HTTPS (DoH) and DNS over TLS (DoT), with QNAME minimization and basic ad blocking. It has been audited by the security experts at Assured. You can use this privacy-enhancing service even if you don’t use Mullvad.
What this guide covers
- Two different options
- When to use our DNS service
- How to use our DNS service
- Using Android
- How do I know it’s working?
- IP-addresses, ports and hostnames
- DNS server locations
- How the ad blocking works
- Ad-blocking version – adblock.doh.mullvad.net
- Without ad blocking – doh.mullvad.net
Note that we also have ad-blocking and tracker-blocking in our Mullvad app for iOS and desktops (from version 2021.4). If you use that then it’s not necessary to enable DoH/DoT.
We recommend that you use our encrypted DNS service only when you are not connected to Mullvad. When you are connected to Mullvad the DNS requests will be sent through the encrypted VPN tunnel to the DNS server on the Mullvad VPN server that you are connected to, and that is faster.
Although we have encrypted DNS servers around the world and there may be one in your country, you may still get routed to a server far away on another continent. This would make the DNS requests slow and Android may give up trying to connect to it. It should work best if you are located in Europe.
If you want ad blocking, tracker blocking and malware blocking on Android with Mullvad VPN, you can instead enable "Use custom DNS server" in the Android app and enter 100.64.0.7.
- In a Firefox browser window, click the menu button and choose Options or Preferences.
- In the search box, type “network”, then click on the Settings button in the results.
- At the bottom, check the box next to Enable DNS over HTTPS.
- Next to Use Provider, choose Custom.
- In the text box that appears, enter
- Click OK.
- In the address bar of the browser, type in about:config and hit Enter.
- If a warning pops up, click “Accept the Risk and Continue”.
- In the search box, type
- Change the value to 3 and press Enter (this will disable the unencrypted fallback).
Follow the steps to use DNS over TLS:
- Open your device’s Settings.
- Navigate to Network & internet > Advanced > Private DNS.
- Select Private DNS provider hostname.
- In the textbox, type in
- Click Save.
After you’ve followed the instructions, go to https://mullvad.net/check. You should have no DNS leaks. Click on “No DNS leaks” for details; the server that is listed should have “dns” in its name, for example “se-mma-dns-001.mullvad.net”.
Some manually configured DoH/DoT clients require additional server information.
Note that the hostname is the same for both DoH and DoT, even though the subdomain is “doh”.
DoT only uses port 853, while DoH uses port 443.
Without ad blocking
doh.mullvad.net has address 22.214.171.124
doh.mullvad.net has IPv6 address 2a07:e340::2
With ad blocking
adblock.doh.mullvad.net has address 126.96.36.199
adblock.doh.mullvad.net has IPv6 address 2a07:e340::3
The nearest DNS server will be used. If one server is down, the next-closest will be used and so on.
Keep in mind that "nearest" is measured in network hops, which depends on your ISP and its connectivity to our hosting providers.
Our servers are located in
- United Kingdom
- United States (NYC, DAL and LAX).
The ad blocking DNS uses filter lists which contain domains that serve ads. The DNS server is instructed to not resolve these domains to their IP-addresses and so the ads cannot be loaded.
The lists we use are published at our GitHub. There are many public filter lists available and we may consider adding more lists in the future.
We still recommend that you use the extensions uBlock Origin and Privacy Badger in your web browser. See our guide Privacy tools for your browser.