메인 콘텐츠로 건너뛰기
 

DNS over HTTPS and DNS over TLS

Privacy Security 

마지막 업데이트:

Our encrypted public DNS service uses DNS over HTTPS (DoH) and DNS over TLS (DoT). This protects your DNS queries from being snooped on by third parties when not connected to our VPN service as your DNS queries are encrypted between your device and our DNS server.

This service is primarily meant to be used when you are disconnected from our VPN service, or on devices where it's not possible or desirable to connect to the VPN. When you are already connected to our VPN service the security benefits of using encrypted DNS is negligible and it will always be slower than using the DNS resolver on the VPN server that you are connected to.

You can use this privacy-enhancing service even if you are not a Mullvad customer.

What this guide covers

Mullvad encrypted DNS service features

This service provides encrypted DNS queries with the following features:

  • Content blocking: We provide basic content blocking options to block ads, trackers, malware, adult content, gambling and social media.
  • QNAME minimization: This enables our DNS servers to resolve your queries while giving it as little information as possible about the queries to other DNS servers involved in the resolving process.
  • Anycasted service: Multiple Mullvad servers in different locations are configured to provide the same DNS service. Your DNS queries are meant to be routed to the geographically closest server, although peering and routing between Internet providers might affect this. Should the server closest to you be completely offline your queries will be routed to the second-closest and so on.

A limited DNS resolver is listening on port UDP/TCP 53 only to aid with resolving hostnames related to this service (dns.mullvad.net, adblock.mullvad.net and so on) so that clients can first resolve the IP of the resolver before querying it over encrypted DNS.

To learn more about the technologies in the service see the links below.

Specifications

Hostnames and content blockers

The table below shows the different hostname options and their content blockers. Refer to this when configuring the DNS with the instructions below.

Hostname Ads Trackers Malware Adult Gambling Social media
dns.mullvad.net            
adblock.dns.mullvad.net        
base.dns.mullvad.net      
extended.dns.mullvad.net    
family.dns.mullvad.net  
all.dns.mullvad.net

IP-addresses and ports

The table below shows the IP-addresses that you need to configure some DNS resolvers.

Hostname IPv4 address IPv6 address DoH port DoT port
dns.mullvad.net 194.242.2.2 2a07:e340::2 443 853
adblock.dns.mullvad.net 194.242.2.3 2a07:e340::3 443 853
base.dns.mullvad.net 194.242.2.4 2a07:e340::4 443 853
extended.dns.mullvad.net 194.242.2.5 2a07:e340::5 443 853
family.dns.mullvad.net 194.242.2.6 2a07:e340::6 443 853
all.dns.mullvad.net 194.242.2.9 2a07:e340::9 443 853

These IPs can only be used with DNS resolvers that support DoH or DoT, not with DNS over UDP/53 or TCP/53.

How to use this service

Web browsers

Below you can find configuration instructions for different web browsers and operating systems.

Mullvad Browser

The Mullvad Browser uses the Mullvad DNS service (without content blockers) by default.
We recommend that you use our encrypted DNS service only when you are not connected to Mullvad VPN. When you are connected to Mullvad VPN the DNS queries will be sent through the encrypted VPN tunnel to the DNS server on the Mullvad VPN server that you are connected to, and that is faster.

Turning off DNS over HTTPS (when using Mullvad VPN)

  1. Click on the menu button in the top right corner and select Settings.
  2. Click on Privacy & Security in the left column.
  3. Scroll down to the bottom.
  4. Under Enable secure DNS using select Off.

Turning on DNS over HTTPS (when not using Mullvad VPN)

The first two DNS options above are included in the browser settings. To change it to one of the other options, follow these instructions:

  1. Click on the menu button in the top right corner and select Settings.
  2. Click on Privacy & Security in the left column.
  3. Scroll down to the bottom.
  4. Under Enable secure DNS using select Max Protection.
  5. Under Choose provider click on the drop down list and select Custom.
  6. In the text field that appears, paste one of the following, then press Enter on your keyboard to set it.
    • https://dns.mullvad.net/dns-query
    • https://adblock.dns.mullvad.net/dns-query
    • https://base.dns.mullvad.net/dns-query
    • https://extended.dns.mullvad.net/dns-query
    • https://family.dns.mullvad.net/dns-query
    • https://all.dns.mullvad.net/dns-query

Firefox (desktop version)

  1. Click on the menu button in the top right corner and select Settings.
  2. Click on Privacy & Security in the left column.
  3. Scroll down to the bottom.
  4. Under Enable secure DNS using select Max Protection.
  5. Under Choose provider click on the drop down list and select Custom.
  6. In the text field that appears, paste one of the following, then press Enter on your keyboard to set it.
    • https://dns.mullvad.net/dns-query
    • https://adblock.dns.mullvad.net/dns-query
    • https://base.dns.mullvad.net/dns-query
    • https://extended.dns.mullvad.net/dns-query
    • https://family.dns.mullvad.net/dns-query
    • https://all.dns.mullvad.net/dns-query

Chrome / Brave / Edge

  1. Open the Settings.
  2. Click on Privacy and security (in Chrome, Brave) or Privacy, search, and services (in Edge).
  3. Click on Security (in Chrome, Brave).
  4. Enable Use secure DNS.
  5. Select With: Custom (in Chrome, Brave) or Choose a service provider (in Edge).
  6. Enter one of the following and press Tab on the keyboard:
    • https://dns.mullvad.net/dns-query
    • https://adblock.dns.mullvad.net/dns-query
    • https://base.dns.mullvad.net/dns-query
    • https://extended.dns.mullvad.net/dns-query
    • https://family.dns.mullvad.net/dns-query
    • https://all.dns.mullvad.net/dns-query
  7. If it says "Please verify that this is a valid provider or try again later" then wait a moment.

Mobile device operating systems

Android 9 and later

Follow these steps to use DNS over TLS:

  1. Open the Android Settings app.
  2. Tap on Network & internet.
  3. Tap on Private DNS.
  4. Select Private DNS provider hostname.
  5. On the input line, enter one of these:
    • dns.mullvad.net
    • adblock.dns.mullvad.net
    • base.dns.mullvad.net
    • extended.dns.mullvad.net
    • all.dns.mullvad.net
  6. Tap on Save.

If Android is unable to connect to the DNS then the DNS server that you are routed to is likely too far away and the latency is prohibitive. In this case it will not work.

iOS / iPadOS

We provide DNS configuration profiles for Apple devices.

  1. Open Safari and go to our GitHub repository.
  2. Tap on View code.
  3. Tap on for example base.
  4. The profiles are available in two versions (DoH and DoT). Tap on either one.
  5. Tap on View raw.
  6. Tap on Allow to download the profile.
  7. Tap on Close.
  8. Open the Settings app.
  9. Scroll to the top and tap on Profile Downloaded.
  10. Tap on Install.
  11. Enter your iPhone/iPad passcode.
  12. Tap on Install.
  13. Tap on Install.
  14. Tap on Done.

You can then view, change and remove installed configuration profiles in the Settings app in General > VPN, DNS & Device Management.

Desktop operating systems

Windows 11

Note: This is not available in Windows 10.

  1. Open the Settings app.
  2. Click on Network & internet in the left side.
  3. Click on Wi-Fi or Ethernet depending on which one you use. You can tell by the icon in the top which says "🌐 Connected".
  4. If you clicked on Wi-Fi then click on Hardware properties and proceed to the next step. If you clicked on Ethernet then just proceed to the next step.
  5. Click on the Edit button next to DNS server assignment.
  6. Select Manual in the drop-down list.
  7. Enable IPv4.
  8. In the Preferred DNS field, enter the IP address for the DNS option that you want to use, for example 194.242.2.4.
    • 194.242.2.2 - https://dns.mullvad.net/dns-query
    • 194.242.2.3 - https://adblock.dns.mullvad.net/dns-query
    • 194.242.2.4 - https://base.dns.mullvad.net/dns-query
    • 194.242.2.5 - https://extended.dns.mullvad.net/dns-query
    • 194.242.2.6 - https://family.dns.mullvad.net/dns-query
    • 194.242.2.9 - https://all.dns.mullvad.net/dns-query
  9. Under DNS over HTTPS, select On (manual template) in the drop-down list.
  10. Under DNS over HTTPS template enter the address next to the IP that you selected before, for example https://base.dns.mullvad.net/dns-query.
  11. Click on Save.
  12. Check in the network details in the same window if you get an IPv6 address from your Internet provider. In that case click on the Edit button next to DNS server assignment again.
  13. Scroll down to the bottom and enable IPv6.
  14. Scroll down again and in the Preferred DNS field, enter the IPv6 address for the DNS option that you want to use, for example 2a07:e340::4.
    • 2a07:e340::2 - https://dns.mullvad.net/dns-query
    • 2a07:e340::3 - https://adblock.dns.mullvad.net/dns-query
    • 2a07:e340::4 - https://base.dns.mullvad.net/dns-query
    • 2a07:e340::5 - https://extended.dns.mullvad.net/dns-query
    • 2a07:e340::6 - https://family.dns.mullvad.net/dns-query
    • 2a07:e340::9 - https://all.dns.mullvad.net/dns-query
  15. Under DNS over HTTPS, select On (manual template) in the drop-down list.
  16. Under DNS over HTTPS template enter the address next to the IP that you selected, for example https://base.dns.mullvad.net/dns-query.
  17. Click on Save.
  18. If you sometimes use Wi-Fi and sometimes use Ethernet then go back to step 1 and add the same settings for the other network. Otherwise make sure that the other network is disconnected completely to prevent Windows from using the DNS from that.

macOS

This applies to macOS 13 Ventura and newer. For older versions, refer to the macOS User Guide.

  1. Open Safari and go to our GitHub repository.
  2. Click on for example base.
  3. The profiles are available in two versions (DoH and DoT). Click on either one.
  4. Click on View raw.
  5. Click on Allow to download the profile.
  6. Open the System Settings app.
  7. In the left column, click on Privacy & Security.
  8. On the right side, scroll to the bottom and click on Profiles.
  9. Double-click on the Mullvad Encrypted DNS profile that you downloaded.
  10. In the bottom left corner, click on Install...
  11. Enter your macOS login password and click on OK.

You can view and remove installed configuration profiles in the System Settings app in Privacy & Security > Profiles.
In macOS 14 Sonoma you can select DNS profiles in the System Settings app in Network > VPN & Filters in the Filters & Proxies section. In earlier versions of macOS it's recommended to only install one profile since having multiple profiles does not work well.

Make sure to turn off Secure DNS in your web browser.

Chrome / Brave / Edge :

The DNS profile works right away in Safari and Firefox, however if you are using Chromium based browsers such as Chrome, Brave or Edge then they will not use the DNS profile unless you disable the built in browser DNS client. Open the Terminal and run the following commands:

defaults write com.google.Chrome BuiltInDnsClientEnabled -bool false

defaults write com.brave.Browser BuiltInDnsClientEnabled -bool false

defaults write com.microsoft.Edge BuiltInDnsClientEnabled -bool false

Linux (Ubuntu and Fedora)

These instructions use systemd-resolved.

  1. Open a Terminal.
  2. Make sure that systemd-resolved is enabled by running this command:
    sudo systemctl enable systemd-resolved
  3. Open the Settings app and go to Network. Click on the settings icon for your connected network. On the IPv4 and IPv6 tabs, turn off Automatic next to DNS, and leave the DNS field blank, then click on Apply.  Disable and enable the network using the on/off button to make sure it takes effect.
  4. Edit the following file with nano or your favorite text editor:
    sudo nano /etc/systemd/resolved.conf
    Add the following lines in the bottom under [Resolve]. Select a DNS option by removing the first # in front of the one you want to use:
    #DNS=194.242.2.2#dns.mullvad.net
    #DNS=194.242.2.3#adblock.dns.mullvad.net
    #DNS=194.242.2.4#base.dns.mullvad.net
    #DNS=194.242.2.5#extended.dns.mullvad.net
    #DNS=194.242.2.9#all.dns.mullvad.net
    DNSSEC=no
    DNSOverTLS=yes
    Domains=~.
  5. Save the file by pressing Ctrl + O and then Enter, and then Ctrl +X on your keyboard.
  6. Create a symbolic link to the file using the following command in the Terminal:
    sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
  7. Restart systemd-resolved by running this command:
    sudo systemctl restart systemd-resolved
  8. Restart NetworkManager with this command:
    sudo systemctl restart NetworkManager
  9. Verify the DNS settings with:
    resolvectl status

In case it doesn't work, change to this setting in/etc/systemd/resolved.conf:

DNSOverTLS=opportunistic

Note that you can enable DNSSEC if you want, however some websites with incorrect DNSSEC information will not be able to load and the web browser will not tell you why.

How do I know it’s working?

After you have followed the instructions above, go to https://mullvad.net/check. You should have no DNS leaks. Click on “No DNS leaks” for details; the server that is listed should have “dns” in its name, for example “se-mma-dns-001.mullvad.net”.

DNS server locations

We use anycast routing which means that ideally the nearest DNS server should be used. If one server is down, the next-closest should be used and so on. Keep in mind that nearest is in terms of networking hops, this can differ between your ISP and their connectivity to our hosting providers. You can check which DNS server you are using by expanding the DNS box in our Connection check.

Using a specific DNS server

If you do not require any DNS content blocker, just an unfiltered DNS, then you can use one of the server names below.

Server Country City
https://de-fra-dns-001.mullvad.net/dns-query Germany Frankfurt
https://gb-lon-dns-001.mullvad.net/dns-query UK London
https://gb-lon-dns-301.mullvad.net/dns-query UK London
https://se-got-dns-001.mullvad.net/dns-query Sweden Göteborg
https://se-mma-dns-001.mullvad.net/dns-query Sweden Malmö
https://se-sto-dns-001.mullvad.net/dns-query Sweden Stockholm
https://sg-sin-dns-101.mullvad.net/dns-query Singapore Singapore
https://us-dal-dns-001.mullvad.net/dns-query USA Dallas
https://us-lax-dns-401.mullvad.net/dns-query USA Los Angeles
https://us-nyc-dns-601.mullvad.net/dns-query USA New York

How the content blocking works

Mullvad curates a collection of "theme" lists whose content is sourced from publicly available block lists.
When the client queries for a hostname that matches an item in the block list our resolver simply lies to the client and says that the hostname does not exist.

This means that whatever content was attempted to be loaded by the browser is not loaded and is therefore not shown on the screen.

For more information on which domains are blocked by which lists and which community lists make up the curated Mullvad lists please see our GitHub.

DNS content blocking can not block all ads and trackers. For example it can not block YouTube ads. To block more ads and trackers in your web browser we recommend using the uBlock Origin extension. This is included in the Mullvad Browser.

Notes

Earlier versions of this guide contained references to doh.mullvad.net and dot.mullvad.net. These hostnames has been replaced with the common dns.mullvad.net hostname and are subject to future deprecation. We urge all users to use the new hostnames that include dns.mullvad.net.

The following IPs are not used anymore: 193.19.108.2 and 193.19.108.3.

SOCKS5 proxy

If you enable the use of our SOCKS5 proxy in Firefox and enable the setting Proxy DNS when using SOCKS v5 then the DNS queries will not use the public encrypted DNS service and the DNS content blockers won't work. Our SOCKS5 proxy only works when you are connected to Mullvad, and we recommend that you don't use the the public DNS service when you are connected to Mullvad, for reasons stated above. Instead you can enable the DNS content blockers in the Mullvad app settings.