Mullvad DNS review: a privacy company's free, no-log, encrypted-only resolver
An honest look at Mullvad's free public DNS — what 'no-log' and 'runs in RAM' actually mean, its four filtering endpoints, why it is encrypted by design, and where it falls short.
What is Mullvad DNS?
Mullvad DNS is a free public resolver from the Swedish VPN company Mullvad. Its base address, 194.242.2.2, resolves names with no filtering while keeping no logs, running its servers in RAM, and sending no EDNS Client Subnet. It is built around encrypted transport (DoH and DoT).
Addresses and endpoints
Mullvad doesn't ship one resolver with settings; it ships four separate endpoints, each with its own address and its own encrypted hostname. You choose your filtering level by which address you point at — there is nothing to configure afterwards. The base endpoint is the plain, unfiltered resolver; the others layer on progressively more blocking.
Default — no filtering
The plain resolver: no ad, tracker, malware, or content blocking.
194.242.2.2 2a07:e340::2 Ad blocking
Blocks ads and trackers (adblock.dns.mullvad.net).
194.242.2.3 Base (ads + trackers + malware)
base.dns.mullvad.net.
194.242.2.4 Family
Adds adult and gambling blocking (family.dns.mullvad.net).
194.242.2.6
Note the shape of this list: each endpoint has a single IPv4 address, and only the base publishes
an IPv6 address in this registry. There is no separate secondary IPv4 the way most resolvers give
you a two-address pair. If your setup expects a primary and a secondary, use the base IPv6
(2a07:e340::2) as the second address, or pair Mullvad with a different
resolver as a fallback.
For encrypted transport, the base resolver's DNS-over-TLS hostname is dns.mullvad.net
and its DNS-over-HTTPS endpoint is https://dns.mullvad.net/dns-query. Each filtering profile has
its own hostname — adblock.dns.mullvad.net, base.dns.mullvad.net, and
family.dns.mullvad.net — and Mullvad also documents DNS-over-QUIC for clients that
support it.
The no-log, RAM-only stance
The privacy claim most people care about here has two parts. First, Mullvad states it keeps no logs of your queries. Second — and this is the detail that sets it apart from a generic "we don't log" promise — its resolvers are described as running in RAM rather than writing to disk. If nothing is persisted to storage in the first place, there is no historical query database sitting on a server waiting to be seized, subpoenaed, or exposed in a breach. It is the same design reasoning Mullvad applies to its VPN infrastructure.
Mullvad also strips EDNS Client Subnet. ECS is the mechanism that would otherwise hand a truncated version of your network address to the authoritative servers a query touches, so that content delivery networks can route you to a nearby edge. Turning it off means your rough location isn't leaked for routing purposes — the classic privacy-versus-CDN-locality trade-off, and Mullvad picks privacy. None of this makes a stated policy automatically true, but it removes the commercial reason a resolver would want your data: Mullvad sells privacy, not advertising. You can read the details on Mullvad's own DNS page.
Encrypted transport, by design
Mullvad treats encrypted DNS as the point rather than an add-on. Plain, unencrypted DNS on
port 53 is the fallback nobody should rely on if they care about privacy, because it lets anyone
on the path read and tamper with your lookups. Mullvad's service is built for DNS-over-HTTPS and
DNS-over-TLS, with DNS-over-QUIC also documented, and it validates responses with DNSSEC so
forged records are rejected. On a modern operating system or browser that supports encrypted DNS
natively, you point it at dns.mullvad.net (or the profile hostname you want) and
your lookups are encrypted end to end without any extra software.
Who Mullvad DNS suits
Mullvad is a strong fit if your priority is a private, encrypted resolver from an operator with a credible track record on not retaining data, and you are comfortable choosing your filtering level up front. It suits people who already trust Mullvad's approach — existing VPN customers, or anyone who wants a no-log resolver without running their own — and who value the RAM-only, no-ECS design. It is a weaker fit if you want a dashboard, per-device profiles, custom blocklists, or query analytics; for that, a configurable service like NextDNS or Control D gives you far more control. And if malware blocking is your main goal, remember the base address does none — you would pick the base or ad-blocking endpoint, or compare against a security-first option like Quad9.
Pros and cons
Pros
- Comes from Mullvad, a VPN company whose entire reputation is built on not knowing who its users are — the same no-log philosophy is applied to the free DNS service, and there is no advertising business that would benefit from your query history.
- The resolvers run in RAM rather than writing to disk, so there is no persistent local store of query data to seize, subpoena, or leak in a breach.
- Sends no EDNS Client Subnet, so the rough location of your network is never passed along to the authoritative servers your queries reach.
- Encrypted transport is the whole design: DNS-over-HTTPS and DNS-over-TLS are supported (with DNS-over-QUIC documented too), so lookups never travel in plaintext.
- Four ready-made endpoints — unfiltered, ad-and-tracker blocking, ads+trackers+malware, and a family profile — let you pick your filtering level with a single address change and no account.
- Validates responses with DNSSEC, rejecting DNS records that have been tampered with in transit.
Cons
- There is nothing to tune: no account, no dashboard, no query analytics, and no custom blocklists — you get the four fixed endpoints and that is the whole product.
- Its DoH endpoint doesn't send the permissive CORS headers a browser needs to time it directly, so Mullvad can't appear in this site's in-browser speed test — it is measurable only from the server-side edge test.
- Each endpoint publishes a single IPv4 address (plus one IPv6 on the base), so there is no built-in secondary IPv4 for the classic two-address fallback — you either use IPv6 as the backup or pair it with another resolver.
- The default base address does no filtering at all, so on its own it won't block malicious or ad-serving domains — you have to deliberately choose the ad-blocking or base endpoint for that protection.
How to set up Mullvad DNS
Setting Mullvad means entering one of its addresses in your device's or router's network settings, replacing whatever your ISP hands out automatically. For the plain resolver, use 194.242.2.2 as the IPv4 address and 2a07:e340::2 for IPv6; swap in 194.242.2.3, 194.242.2.4, or 194.242.2.6 instead if you want ad blocking, ads-plus-malware blocking, or the family profile. Because there is no secondary IPv4, use the IPv6 address as your backup where the OS asks for two. Step-by-step instructions for each platform:
- Change DNS on Windows
- Change DNS on macOS
- Change DNS on Android
- Change DNS on iPhone
- Change DNS on Linux
- Change DNS on your router
To get the full benefit of Mullvad's design, prefer an encrypted setup: configure DNS-over-TLS or
DNS-over-HTTPS with the dns.mullvad.net hostname rather than the plain IP where
your device supports it, so your lookups are actually encrypted rather than just pointed at a
private resolver.
Mullvad DNS — questions
What is Mullvad DNS?
Mullvad DNS is a free public DNS resolver operated by Mullvad, the Swedish VPN company. Its default address, 194.242.2.2, resolves domain names without any filtering, while stating that it keeps no logs, runs its servers in RAM, and sends no EDNS Client Subnet. It is encrypted-first, built around DNS-over-HTTPS and DNS-over-TLS.
Do I need a Mullvad VPN subscription to use it?
No. Mullvad's public DNS is free and open to anyone — you do not need a Mullvad VPN account or subscription to point your device or router at it. The VPN and the public resolver are separate offerings from the same company.
Is Mullvad DNS really no-log and private?
Mullvad states that it does not log queries, that its resolvers run in RAM rather than persisting data to disk, and that it strips EDNS Client Subnet. As with any resolver you are ultimately trusting the operator's stated policy, but Mullvad's business is selling privacy, so it has no advertising incentive to retain or monetise your query history.
What are the four Mullvad DNS endpoints?
194.242.2.2 is the base, unfiltered resolver. 194.242.2.3 adds ad and tracker blocking. 194.242.2.4 blocks ads, trackers, and malware. 194.242.2.6 is the family profile, which also blocks adult and gambling content. Each one has a matching encrypted hostname under dns.mullvad.net.
Why can't I test Mullvad in the browser speed test?
Mullvad's DNS-over-HTTPS endpoint doesn't return the cross-origin (CORS) headers a browser needs to time a request from client-side JavaScript, so it can't be measured in the browser. It can still be timed from a server-side edge test, which isn't bound by browser CORS rules — see the edge comparison on the speed test page.
Does Mullvad DNS block ads or malware by default?
The default base address (194.242.2.2) does no blocking of any kind. If you want ad and tracker filtering use 194.242.2.3, and for ads, trackers, and malware together use 194.242.2.4. You choose your protection level by which address you configure — there is no toggle after the fact.