DNS over HTTPS and DNS over TLS


Last updated: 7 July 2021


Our public DNS service offers DNS over HTTPS (DoH) and DNS over TLS (DoT), with QNAME minimization and basic ad blocking. It has been audited by the security experts at Assured. You can use this privacy-enhancing service even if you don’t use Mullvad.

Two different options

  • Ad-blocking version – adblock.doh.mullvad.net
  • Without ad blocking – doh.mullvad.net

Note that we also have ad-blocking and tracker-blocking in our Mullvad app for iOS and desktops (from version 2021.4). If you use that then it’s not necessary to enable DoH/DoT.

How to use our DNS service

Firefox

  1. In a Firefox browser window, click the menu button and choose Options or Preferences.
  2. In the search box, type “network”, then click on the Settings button in the results.
  3. At the bottom, check the box next to Enable DNS over HTTPS.
  4. Next to Use Provider, choose Custom.
  5. In the text box that appears, enter https://doh.mullvad.net/dns-query or https://adblock.doh.mullvad.net/dns-query
  6. Click OK.
  7. In the address bar of the browser, type in about:config and hit Enter.
  8. If a warning pops up, click “Accept the Risk and Continue”.
  9. In the search box, type network.trr.mode
  10. Change the value to 3 and press Enter (this disables the unencrypted fallback).
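
To confirm the result of the Firefox steps above on disk, the following check reads a profile's prefs.js content and reports anything that would still allow unencrypted DNS. It is an added example, not Mullvad's own tooling; it assumes the resolver URL is stored in the Firefox preference network.trr.uri, and the sample prefs.js content is constructed.

```python
import re

# DoH endpoints listed on this page.
MULLVAD_DOH = {
    "https://doh.mullvad.net/dns-query",
    "https://adblock.doh.mullvad.net/dns-query",
}

# Matches one preference line, e.g. user_pref("network.trr.mode", 3);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
        else:
            prefs[name] = raw  # true/false and anything else kept as text
    return prefs


def audit_doh(text):
    """Return a list of findings; an empty list means the profile matches the steps."""
    prefs = parse_prefs(text)
    findings = []
    mode = prefs.get("network.trr.mode")
    if mode != 3:  # only mode 3 disables the unencrypted fallback
        findings.append(f"network.trr.mode is {mode!r}, not 3: unencrypted DNS may still be used")
    uri = prefs.get("network.trr.uri")  # assumption: effective resolver URL lives here
    if uri not in MULLVAD_DOH:
        findings.append(f"network.trr.uri is {uri!r}, not a Mullvad DoH endpoint")
    return findings


# Constructed sample prefs.js content (not taken from a real profile).
SAMPLE_OK = ('// Mozilla User Preferences\n'
             'user_pref("network.trr.mode", 3);\n'
             'user_pref("network.trr.uri", "https://doh.mullvad.net/dns-query");\n')
SAMPLE_FALLBACK = ('user_pref("network.trr.mode", 2);\n'
                   'user_pref("network.trr.uri", "https://adblock.doh.mullvad.net/dns-query");\n')

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("fallback", SAMPLE_FALLBACK)):
        print(label, audit_doh(sample) or "TRR-only with a Mullvad endpoint")
```

Pass the function the text of prefs.js from the Firefox profile directory; a profile where DoH was never configured yields both findings.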

Android

Follow the steps to use DNS over TLS:

  1. Open your device’s Settings.
  2. Navigate to Network & internet > Advanced > Private DNS.
  3. Select Private DNS provider hostname.
  4. In the textbox, type in doh.mullvad.net or adblock.doh.mullvad.net
  5. Click Save.

How do I know it’s working?

After you’ve followed the instructions, go to https://mullvad.net/check. You should have no DNS leaks. Click on “No DNS leaks” for details; the server that is listed should have “dns” in its name, for example “se-mma-dns-001.mullvad.net”.

IP-addresses, ports and hostnames

Some manually configured DoH/DoT clients require additional server information.

Note that the hostname is the same for both DoH and DoT, even though the subdomain is “doh”.

DoT only uses port 853, while DoH uses port 443.

Without ad blocking

doh.mullvad.net has address 194.242.2.2
doh.mullvad.net has address 193.19.108.2
doh.mullvad.net has IPv6 address 2a07:e340::2

With ad blocking

adblock.doh.mullvad.net has address 194.242.2.3
adblock.doh.mullvad.net has address 193.19.108.3
adblock.doh.mullvad.net has IPv6 address 2a07:e340::3

DNS server locations

The nearest DNS server will be used. If one server is down, the next-closest will be used, and so on. Keep in mind that “nearest” is measured in network hops, which can vary depending on your ISP and its connectivity to our hosting providers.

Our servers are located in

  • Australia
  • Germany
  • Singapore
  • Sweden
  • Switzerland
  • United Kingdom
  • United States (NYC, DAL and LAX).

How the ad blocking works

The ad blocking DNS uses filter lists which contain domains that serve ads. The DNS server is instructed to not resolve these domains to their IP-addresses and so the ads cannot be loaded.

The lists we use are published on our GitHub. There are many public filter lists available and we may consider adding more lists in the future.

We still recommend that you use the extensions uBlock Origin and Privacy Badger in your web browser. See our guide Plugins that block and protect.