Already set up DNS filtering on your router? Great. If you dropped in 1.1.1.3 and moved on, here’s the thing: in 2026, picking a DNS server isn’t just “fast vs slow.” It’s a decision about who gets to see every question your household asks the internet.

DNS is the first step of every connection — your phone asks “where is youtube.com?” before anything loads. Whoever answers those questions sees a complete behavioral profile: which sites, at what time, from which device. DNS operators can log that, sell it, share it with governments, or throw it away in real time. Each of the 11 options below handles this differently.

What we’re grading on

For a parent with kids, five things matter — and you usually can’t have all of them at once:

  1. Adult content filtering — does the resolver block porn/gambling/drugs by default, or do you have to configure it?
  2. Malware and phishing blocking — first line of defense before your antivirus wakes up.
  3. Privacy — does the operator log queries and who do they share them with?
  4. Jurisdiction — which country’s law has power over those logs. Five Eyes (US, UK, Canada, Australia, NZ) share intelligence without warrants.
  5. Speed and setup simplicity — because a router that doesn’t work gets reverted fast.

🇺🇸 Big Tech / US (Five Eyes)

Cloudflare 1.1.1.3 (Family)

The most popular “family” pick and my default in the internet safety guide. Blocks adult content and malware. Cloudflare commits to no data sale and has a KPMG audit confirming the 25-hour log retention policy.

  • Plus: Fastest in the world (per DNSPerf), Family mode out-of-the-box, zero config.
  • Minus: US, Five Eyes, CLOUD Act — US government can demand data without notifying users.
  • For whom: You want something that just works, and you treat DNS as one tool among many, not the foundation of your privacy.

Google 8.8.8.8 / 8.8.4.4

The oldest public DNS. Does not block adult content or malware — it’s a pure resolver. Logs kept 24-48h in full form, permanent in anonymized form.

  • Plus: Fast, always works, easy to remember.
  • Minus: Google already knows a lot about you — handing over DNS voluntarily widens that profile. Zero family filtering.
  • For whom: Not for a family with kids. A fallback or debug tool at best.

OpenDNS Family Shield (208.67.222.123)

DNS filtering pioneer, now owned by Cisco. Family Shield preset has adult/gambling/proxy categories blocked out of the gate.

  • Plus: Proven, stable, free for home use.
  • Minus: Cisco is a US corporation under Five Eyes. Logs exist, policy less transparent than Cloudflare’s.
  • For whom: Reasonable pick if you don’t trust Cloudflare (too big) or Google (knows too much).

🇨🇭🇸🇪 Neutral / Privacy-first

Quad9 9.9.9.9

Swiss non-profit foundation backed by IBM and Global Cyber Alliance among others. Blocks malware and phishing via threat intelligence from ~20 sources. Logs anonymized, Swiss jurisdiction — a country known for strong data protection.

  • Plus: Best privacy + malware compromise. Non-profit, audited, outside Five Eyes.
  • Minus: Does not block adult content. If you need a kids’ filter, you have to combine this with something else.
  • For whom: Parents who want privacy and malware protection, and solve kids’ content filtering via device (Family Link, Screen Time) or a second DNS layer.

Mullvad DNS (194.242.2.2)

Swedish VPN operator known for radical privacy (no email required at signup). Declares zero logs.

  • Plus: Strongest privacy declaration in the lineup. Variants that block ads/malware.
  • Minus: No adult content blocking. Sweden joined NATO in 2024 — less jurisdictionally neutral than it used to be.
  • For whom: If DNS is part of a bigger privacy stack (VPN, Signal, Proton).

🇪🇺 Europe / GDPR-first

This category exploded in the last two years — and for European parents it’s the most interesting one.

DNS4EU

Funded by the European Commission as part of the EU cybersecurity strategy. Launched publicly in June 2025. Servers exclusively in the EU, query IPs anonymized, full GDPR compliance.

Offers several profiles for different needs:

  • Protective (86.54.11.1 / 86.54.11.201) — malware and phishing only, no content filtering.
  • Child Protection (86.54.11.10 / 86.54.11.210) — malware + adult content + gambling.
  • Child Protection + Ad Blocking (86.54.11.11 / 86.54.11.211) — the above plus ad and tracker blocking. For a parent with kids, the most complete preset from a single resolver.

⚠️ Note from the official DNS4EU docs: the ad-blocking variant can cause issues on sites that detect adblockers (some media portals, certain VOD services). If something stops working — the culprit is ad blocking, not child filtering. Switch to a profile without Ad Blocking or add the specific site to exceptions.

  • Plus: European jurisdiction at institutional level (not a single company — a consortium of telecom operators under EC oversight). GDPR here is law, not a promise.
  • Minus: New, less battle-tested than Cloudflare. Documentation is rough in places.
  • For whom: The parent for whom “where does my kids’ data end up” is a serious question, and who wants the answer to be “in Europe, under GDPR.”

dns0.eu

French non-profit. The kids.dns0.eu subdomain is a dedicated kids’ filter (adult content, gambling, malware). A separate zero.dns0.eu aggressively blocks trackers.

  • Plus: Simpler and older than DNS4EU, proven. Non-profit, EU-based servers.
  • Minus: Smaller scale than Cloudflare — in edge cases, slightly slower responses.
  • For whom: If DNS4EU feels too new/bureaucratic and Cloudflare too American — this is the middle ground.

DNS.SB (185.222.222.222)

Run by a private individual, servers in Germany, zero logs, open source. No content filtering — pure privacy resolver.

  • For whom: Geeks who love code transparency. Not suitable as the only DNS in a house with kids.

Foundation for Applied Privacy (146.255.56.98)

Austrian non-profit, servers in Austria and Germany. Zero filtering, zero logs, tight European legal framing.

  • For whom: Very niche — activists, journalists, people with professionally justified paranoia.

🛠️ Advanced / Paid

NextDNS

The most configurable DNS on the market. Free tier gives 300k queries/month (enough for a 2-3 person family), paid $2/month removes the limit. Custom dashboard, per-device profiles, blocklists (over 100 categories), logs can be switched off with one toggle.

  • Plus: Level of control nobody else offers. You can block TikTok for kids but keep it for yourself. French jurisdiction.
  • Minus: Setup takes an hour to get going. Overkill for “set and forget” users.
  • For whom: A technical parent who treats DNS as the central tool of household digital policy.

Control D

Similar to NextDNS, owned by Windscribe (Canada). Rich profile set, but Five Eyes jurisdiction is a disqualifier for a tool like this, in my view.

AdGuard DNS

Free Family Protection tier blocks ads + adult content + malware. Cyprus-based company, Russian origins — worth a conscious decision.

  • For whom: If your priority is ad blocking (because family uses YouTube/mobile heavily) and you accept the company’s origin.

Recommendation — what to pick

After all that, the question is: which one. My answer depends on what matters more to you.

If you want it to just work (90% of families):1.1.1.3 Cloudflare Family. Fastest, family filter by default, zero config — the internet safety guide shows how to set it up in a few minutes.

If you care about data not leaving Europe:DNS4EU (Child Protection profile). Closest thing to “GDPR-first + kids’ filter + institutional credibility” we have in 2026. If DNS4EU documentation puts you off — pick kids.dns0.eu as a simpler European alternative.

If you’re tech-aware and want control:NextDNS. Per-device profiles, togglable logs, $2/month for full control over what kids see and zero privacy compromises.

If you and your kids have different needs: → Two-layer: Quad9 on the router (malware + privacy for everyone), plus Family Link / Screen Time with per-device filtering on the kids’ phones. Adult router doesn’t filter, kids’ devices filter themselves.

The process — how to actually set it up

Whichever DNS you pick, the process boils down to the same thing: open your router settings and swap two addresses. The gap between “done in 10 minutes” and “I gave up” is rarely technical knowledge — it’s familiarity with your specific router’s UI.

The classic path — browser:

  1. Type 192.168.1.1 or 192.168.0.1 into your address bar. Login and password are on the sticker underneath the router.
  2. Find the DNS section — usually under “Network,” “WAN,” “Internet,” or “Advanced.”
  3. Enter the two addresses of your chosen resolver (primary + secondary).
  4. Save and restart the router.

Concrete example — ASUS:

  1. 192.168.1.1WANWAN DNS Setting.
  2. Click Assign (manual mode) — or disable auto-DNS in the WAN section.
  3. Enter your chosen DNS addresses, e.g. DNS4EU Child+Ads: 86.54.11.11 and 86.54.11.211.
  4. Apply → router restarts.

The modern path — ISP app:

Most ISPs now ship mobile apps where you can set DNS without a cable, without typing 192.168.1.1, without logging into the router admin panel. Look for a “Network” or “Advanced” tab. Usually faster than the classic path, especially when your router sits in a cabinet and your laptop isn’t handy.

The minimal path — DNS in your browser:

If your router is locked down (rented apartment, ISP-locked panel, you don’t know the password), you can set DNS directly in your browser. This won’t protect other devices or other apps — only this one browser on this one computer. But it’s 30 seconds and zero risk of breaking anything.

  • Chrome / Edge / Brave / Comet: Settings → Privacy and security → Security → “Use secure DNS” → pick from the list (Cloudflare, Google, OpenDNS, DNS4EU Protective, CleanBrowsing Family Filter) or add a custom provider.
  • Firefox: Settings → Privacy & Security → DNS over HTTPS → enable + pick a provider.
  • Safari: no per-browser setting — uses system DNS (macOS/iOS), so change it in Wi-Fi settings instead.

The upside here: the browser list is a ready-made dropdown — no retyping 1.1.1.3 from a sticky note. It’s also telling that DNS4EU and OpenDNS now sit as presets next to Cloudflare and Google — a signal that European alternatives are going mainstream.

Limitation: this only protects one browser. Your kid’s tablet, Xbox, smart TV, mobile apps, Spotify, YouTube app — all bypass the filter. So it’s a good first layer or emergency fallback, but not a substitute for router-level DNS. If you control your router — do it there.

When you get stuck — ask an AI.

Router UIs are notoriously unintuitive and ISP documentation is often outdated. Instead of fighting the manual:

  • Check the router model on the sticker (TP-Link Archer C6, Asus RT-AX58U, your ISP’s branded box, etc.).
  • Ask ChatGPT/Gemini/Claude: “How do I change DNS servers on a [model] router? I need step-by-step instructions.”
  • You’ll get a guide tailored to your exact hardware, often with explanations of where to click and what the English labels mean.

This is one of those tasks where an LLM beats Google — because a synthesis for your specific router model usually doesn’t exist as a ready article, but the AI will build one from fragments.

How to verify DNS is actually working

After changing settings, don’t take it on faith — test it. Three levels of verification, fastest first:

1. Operator-specific test (the best).

  • DNS4EU: go to test.joindns4.eu — the page instantly shows whether your queries really go through DNS4EU servers, and which profile is active (Protective / Child / Child+Ads).
  • Cloudflare: 1.1.1.1/help — shows if you’re using Cloudflare and whether DoH/DoT is on.
  • Quad9: on.quad9.net — a clean yes/no answer.

2. Content filter test (did blocking kick in).

Open a browser on a device in your home network and try visiting:

3. System-level test (what the system actually sees).

  • Windows: PowerShell → Resolve-DnsName tatai.pl — the bottom of the output shows which server answered.
  • macOS/Linux: Terminal → dig tatai.pl or nslookup tatai.pl — check the “Server” field.
  • If you see your router’s address (192.168.x.x) — that means the router forwards DNS, but to see where, check the router panel or use test #1.

Troubleshooting — test says DNS is not active

Classic scenario: you configured DNS4EU on the router, but test.joindns4.eu still says “not active.” Walk through these in order:

  1. Check the settings actually saved in the router. Go back to 192.168.1.1 → WAN → make sure the DNS fields hold the addresses for your chosen DNS4EU profile (Protective: 86.54.11.1 / 86.54.11.201; Child Protection: 86.54.11.10 / 86.54.11.210; Child + Ad Blocking: 86.54.11.11 / 86.54.11.211), not still auto-DNS from your ISP.
  2. Flush the DNS cache on your computer. The OS keeps DNS answers locally and may serve stale ones before asking the router.
    • macOS: sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
    • Windows: ipconfig /flushdns
    • Linux (systemd-resolved): sudo resolvectl flush-caches
  3. Disconnect and reconnect Wi-Fi. Your computer needs to grab fresh DHCP config from the router — otherwise it still uses what it got at session start.
  4. Disable DoH in your browser. This is the most common false-negative culprit. Chrome and Firefox have their own Secure DNS / DNS over HTTPS which bypasses router settings — the browser asks Cloudflare/Google directly, regardless of what you configured. In Chrome: chrome://settings/security → “Use secure DNS” → set to “Automatic” or off. In Firefox: Settings → Privacy → DNS over HTTPS → disable. After this the browser falls back to system DNS (i.e. the router).
  5. Restart the router. Some routers (especially ISP-branded ones) need a full power cycle for DNS changes to take effect. Unplug for 30 seconds.

Re-run test.joindns4.eu after each step — usually the problem clears on step 2 or 4.

Bonus check: a device may have DNS manually configured (Windows: Control Panel → Network → Adapter Properties) that overrides router settings. Set to “automatic” or enter the same addresses.

Terminal investigation — when the test still lies

You’ve done all 5 steps and test.joindns4.eu still says “not active.” Before giving up — the terminal gives an unambiguous answer that bypasses middlemen.

Step 1 — see what the system actually uses as DNS:

# macOS
scutil --dns | grep nameserver

# Linux
resolvectl status | grep "DNS Servers"

# Windows (PowerShell)
Get-DnsClientServerAddress

If you see your router’s address (192.168.x.x, e.g. 192.168.1.1 or 192.168.0.1) — this is fine. The router forwards queries: the system asks the router, the router asks DNS4EU. That’s the expected setup.

Step 2 — check whether DNS4EU itself responds (bypass the router):

# macOS / Linux
nslookup google.com 86.54.11.11

# Linux — native alternative (cleaner output)
dig @86.54.11.11 google.com

# Windows (PowerShell)
Resolve-DnsName google.com -Server 86.54.11.11
# or cmd:
nslookup google.com 86.54.11.11

If you get a response and see forcesafesearch.google.com in the output — DNS4EU Child Protection is working. That’s the signature baked into this profile: DNS4EU forces Google SafeSearch by rewriting answers for google.com to the restricted version. If you see this signal — the server is answering correctly.

Step 3 — check that the router actually forwards to DNS4EU:

# macOS / Linux
nslookup google.com

# Linux
dig google.com

# Windows (PowerShell)
Resolve-DnsName google.com

Without the second argument the query takes the default path — through the router. If the answer again contains forcesafesearch.google.com and Server: (or the SERVER: field in dig) is your router’s IP (192.168.x.x) — it works. The router is correctly forwarding to DNS4EU.

Why test.joindns4.eu may still say “not active”:

The DNS4EU test checks the IP that queries arrive from. When your computer asks the router, the router asks DNS4EU, DNS4EU sees the router’s IP (your public IP) — and that IP isn’t on their “DNS4EU resolvers” list. The test returns “not active” because it looks for traffic from itself, not traffic through itself.

The real proof that Child Protection works: forcesafesearch.google.com in the output of nslookup google.com. If you see that — the filter is active, regardless of what the test page says.

The practical test — visit pornhub.com

The fastest no-terminal check: open a browser on a device on your home network and type pornhub.com (or any other adult content site). What should happen:

With DNS4EU (Child Protection): the browser tries to redirect to warning.joindns4.eu — a dedicated block domain. That domain itself doesn’t resolve publicly, so the browser shows the native error page:

This site can’t be reached Check if there is a typo in warning.joindns4.eu. Error code: DNS_PROBE_FINISHED_NXDOMAIN

This message — with warning.joindns4.eu in the address bar and the NXDOMAIN code — is the DNS4EU signature. The filter kicked in, the blocked domain was redirected to the block signaller, and the browser failed to load it. That’s exactly what “working” looks like.

Other operators show their own variants:

  • Cloudflare Family (1.1.1.3): a dedicated Cloudflare block page saying the content was blocked.
  • OpenDNS Family Shield: an OpenDNS page with the block category.
  • NextDNS: configurable — from a custom page to a silent refusal.

If the page loads normally — DNS isn’t filtering. Go back to the troubleshooting steps; the most common culprit is browser DoH (step 4).

This test is brutally unambiguous — if it works, you know in 5 seconds. If it doesn’t — you have a concrete symptom to debug.

What no DNS can change

DNS blocks at the name level — pornhub.com stops resolving. It doesn’t block:

  • Content on YouTube, TikTok, Discord (because the domain itself is “fine”)
  • Google Images search
  • Content in mobile apps that use their own DNS over DNS-over-HTTPS
  • A VPN your kid installs

A separate issue: VPN bypasses DNS entirely

VPN is the biggest gap in the “DNS as foundation” strategy, and it’s worth understanding the mechanism before you trust the router.

When your kid enables a VPN on their device, all traffic (including DNS queries) tunnels encrypted to a VPN server — say, in the Netherlands. That server resolves pornhub.com using its own DNS, and your router only sees a single encrypted stream to a single IP. DNS4EU, Cloudflare Family, NextDNS — all bypassed, because queries never reach them.

The barrier to entry is low:

  • ProtonVPN, Windscribe, TunnelBear have free tiers sufficient to unblock content.
  • App Store / Google Play install: 2 minutes, one click.
  • Opera and Brave have a built-in VPN requiring no install.
  • Chrome “Free VPN” extensions — even simpler.

What you can actually do about it:

  1. Block VPNs at the router — ASUS (AiProtection), MikroTik, and pfSense can block known VPN ports and server IPs. Effective for a few days, then the arms race with new servers kicks in.
  2. MDM / Family Link / Screen Time — block installation of VPN apps on the kid’s device. This is the only truly effective layer — no app, no VPN. Family Link lets you require your approval for every install.
  3. Traffic monitoring — NextDNS and similar show you when DNS traffic from a device suddenly stops (because it all moved to a VPN). Doesn’t block, but signals.
  4. Conversation and trust — for kids 13+ this is the only scalable strategy. A kid who wants to bypass the filter will bypass any; DNS protects against accidental exposure, not deliberate circumvention.

Practical takeaway: DNS effectively blocks “along-the-way” content — ads, phishing, malware, auto-served suspicious links. Against deliberate circumvention by an older kid, DNS alone won’t protect you. You need layers: DNS (foundation) + MDM on the device (app installs) + conversation (why).

Bottom line

DNS is foundation, not a complete strategy. On top of it you need conversations, rules, and per-device tools. But as foundation — one router entry genuinely changes what reaches your home.

If you don’t yet have DNS filtering on your router, start with the internet safety guide. If you want to think through a specific choice for your situation — subscribe to the newsletter, I write weekly about these privacy-vs-convenience tradeoffs.