If you follow the Privacy Cookbook or decentralize.today regularly, you will probably have figured out by now that I am a big fan of DNS.

What many people, even some of those in my circle of close friends,  don't understand is how Google, Apple and many of the metadata and advertisement collection agencies are harvesting your data. Worst still, many of the apps you currently have on your phone do the same thing. So even if you deGoogle as much as you believe you can, you still have apps that do exactly that, ones that profile you.

Yet, even though I have mentioned (and explained) DNS many times before, there are still many who can't even be bothered to protect their privacy by just entering a DNS address into settings on Android, or download and install a profile on iOS. So let me try again!

The easy approach

The first approach is so easy that anyone, even the person who only knows how to make a phone call, can adopt it. Well maybe not, but it is dead simple.


On iOS, select a DNS provider you trust, perhaps AdGuard, dismail or dnsforge, click install profile and install it. After you've installed the profile jump over to:

Settings → General → VPN and Network → DNS

and select the newly installed profile as your DNS.

Wasn't that simple? You have now not only an encrypted DNS, but also an ad and malware blocker (depending on the DNS provider you've selected).


On Android, jump to:

Settings → Network & Internet → Private DNS → Private DNS provider hostname

Again, you can use any of the DNS providers you trust. Some good choices could include:


For Android, DeCloudUs is also an excellent solution to block nearly all Google domains. It's a really hard core solution with a simple execution.

This easy solution is a great fit for most people, you would regain a hell of a lot of your privacy and can even run some VPN services next to this setup if you'd like to. This only works on Android, as with iOS you would override the DNS by switching on a VPN service!

Middle ground approach

This is not super complicated, but gives you more options to block ads and malware. Here I would look at NextDNS, with an account attached. This means, sign up on NextDNS, select the servers and services you want to block and enter the domain or download the profile as you would have done with the easy approach.

The beauty of this setup is that you can block, deny and whitelist domains as you go. You have a login on NextDNS and can statistics on what you have blocked etc.

I am a big fan of NextDNS and think this approach is perfect for most users. You can achieve an almost perfect setup with this way of DNS.

The app approach

This is where you combine a firewall and DNS in one app.

Remember, this not about firewalls, but about DNS combined with firewalls. So, I am not putting up the usual suspects when it comes to great firewalls here.


On iOS, you have many great ad blockers, but only one that makes it easy to use and gives you a great user experience. Combined with DNS control, chose AdGuard Pro, here you can add a DNS and select block lists on the device. You can also select ads or objects on websites (within Safari) and block them permanently for your next visits. AdGuard Pro also allows blocking ads on YouTube as long you use the Safari browser and not the YouTube app. This is, however, a paid app!

AdGuard Pro also allows combining the VPN service they are offering with the AdGuard DNS and blocklist app. Note that both of those services are paid services. However, when it comes to iOS, it is probably your very best option, when you like to combine VPN and blocklists.

Of course, some VPN providers like iVPN, ProtonVPN and Mullvad now have these blocking services in their VPN apps.

AdGuard Pro — Adblock for iOS | Overview | AdGuard
AdGuard Pro offers a lot on top of ad blocking in Safari. By providing access to custom DNS settings, it can protect children from harmful websites and conserve data usage.

You have other options on iOS like DNSCloak, but it takes way more effort and a steep learning curve to get it as good as AdGuard Pro is.


Once again, you have better and easier options in Android. RethinkDNS, for example, can combine your favorite DNS service with a full-blown firewall. Here you can block total internet access also to System apps, but always download a local version of block lists.

AdGuard has the same functions as RethinkDNS and allows you to block and add domains to your local blocklist with just one click.

Both of those firewall apps let you add a DNS provider, so you really can combine a firewall and a DNS and a local blocklist in one app.

Even though this sounds like the best approach, it does have one drawback. Both of those apps will take a VPN slot away, this means you can't combine a VPN with your DNS firewall. A great way around this is  using Tor which has a built-in option on RethinkDNS and guides you on how to make that happen. On AdGuard, you can combine the VPN from AdGuard itself, but it's another paid service.

I'd also like to note that if you'd like to use the system-wide protection AdGuard, it lets you download a trust certificate. Not an approach I am a fan of, yet, you either trust AdGuard or you don't.

Just as with iOS you could use iVPN, ProtonVPN or Mullvad which all have blocklists in their apps. However, today's Privacy Cookbook was about DNS and DNS options to make you more private. On a VPN approach, you also assign trust to a 'middle man', which can log your DNS. Then again, so could every DNS provider! The chances here are way slimmer, so I would recommend everyone to use DNS protection.

Regardless of what you do, if you are a GrapheneOS user, or just a simple user of a Samsung or iPhone, there is hope when it comes to privacy, and so consider any of these 3 options that I've mentioned today would get you back to an excellent privacy setup.

You don't need to be totally paranoid and make your selection on a phone just to be private. You should and that's surely the best approach, because every little step counts...

Stay safe!

The Privacy Advocate

We publish a daily dose of decentralization here every day (UTC+8), for additional daily updates follow us on Mastodon, Twitter, Telegram or Element(Matrix). Please like & share all our output. We rely on User-Generated Content so why not write for us and since we try to avoid ads and sponsorship, why not donate to help us continue our work - all major cryptos accepted. You can contact us at decentralize.today and at blog@decentralize.today
Share this post