DNS over HTTPS and DNS over TLS


Last updated: 14 November 2022


Our public DNS service offers DNS over HTTPS (DoH) and DNS over TLS (DoT), with QNAME minimization and basic ad blocking. It has been audited by the security experts at Assured. You can use this privacy-enhancing service even if you don’t use Mullvad.


Two different options

  • Ad-blocking version – adblock.doh.mullvad.net
  • Without ad blocking – doh.mullvad.net

Note that we also have ad blocking and tracker blocking in our Mullvad app for iOS and desktops (from version 2021.4). If you use that, it is not necessary to enable DoH/DoT.

When to use our DNS service

We recommend that you use our encrypted DNS service only when you are not connected to Mullvad. When you are connected to Mullvad, DNS requests are sent through the encrypted VPN tunnel to the DNS server on the Mullvad VPN server that you are connected to, which is faster.

Although we have encrypted DNS servers around the world and there may be one in your country, you can still get routed to a server far away on another continent. This would make the DNS requests slow, and Android may give up trying to connect to it. It should work best if you are located in Europe.

If you want ad blocking, tracker blocking and malware blocking on Android with Mullvad VPN, you can instead enable "Use custom DNS server" in the Android app and enter 100.64.0.7.

How to use our DNS service

Firefox

  1. In a Firefox browser window, click the menu button and choose Options or Preferences.
  2. In the search box, type “network”, then click on the Settings button in the results.
  3. At the bottom, check the box next to Enable DNS over HTTPS.
  4. Next to Use Provider, choose Custom.
  5. In the text box that appears, enter https://doh.mullvad.net/dns-query or https://adblock.doh.mullvad.net/dns-query
  6. Click OK.
  7. In the address bar of the browser, type in about:config and hit Enter.
  8. If a warning pops up, click “Accept the Risk and Continue”.
  9. In the search box, type network.trr.mode
  10. Change the value to 3 and press Enter (this will disable the unencrypted fallback).

Using Android

Follow these steps to use DNS over TLS:

  1. Open your device’s Settings.
  2. Navigate to Network & internet > Advanced > Private DNS.
  3. Select Private DNS provider hostname.
  4. In the textbox, type in doh.mullvad.net or adblock.doh.mullvad.net
  5. Click Save.

How do I know it’s working?

After you’ve followed the instructions, go to https://mullvad.net/check. You should have no DNS leaks. Click on “No DNS leaks” for details; the server that is listed should have “dns” in its name, for example “se-mma-dns-001.mullvad.net”.

IP-addresses, ports and hostnames

Some manually configured DoH/DoT clients require additional server information.

Note that the hostname is the same for both DoH and DoT, even though the subdomain is “doh”.

DoT only uses port 853, while DoH uses port 443.

Without ad blocking

doh.mullvad.net has address 194.242.2.2
doh.mullvad.net has IPv6 address 2a07:e340::2

With ad blocking

adblock.doh.mullvad.net has address 194.242.2.3
adblock.doh.mullvad.net has IPv6 address 2a07:e340::3

DNS server locations

The nearest DNS server will be used. If one server is down, the next-closest will be used, and so on. Keep in mind that "nearest" is measured in network hops, which can differ depending on your ISP and its connectivity to our hosting providers.

Our servers are located in

  • Australia
  • Germany
  • Singapore
  • Sweden
  • Switzerland
  • United Kingdom
  • United States (NYC, DAL and LAX).

How the ad blocking works

The ad blocking DNS uses filter lists which contain domains that serve ads. The DNS server is instructed to not resolve these domains to their IP-addresses and so the ads cannot be loaded.

The lists we use are published at our GitHub. There are many public filter lists available and we may consider adding more lists in the future.

We still recommend that you use the extensions uBlock Origin and Privacy Badger in your web browser. See our guide Privacy tools for your browser.