Best VPNs with Encrypted DNS

Most VPN providers advertise some form of DNS Leak Protection, but a select few go the extra mile to provide fully encrypted DNS servers and DNS requests. If you aren’t sure what these terms mean yet, don’t worry. We’ll teach you (and it’s not that complicated).

The bottom line is this: many VPN providers route your DNS lookups (website lookup requests) insecurely. We’ll show you which VPN providers offer DNS encryption to keep your web history completely private.

Below is a quick list of our recommended VPN services that use private, self-hosted DNS servers. Next up we’ll go in-depth into DNS privacy and why it matters.

Rank | Company | DNS Type | Best Offer
---- | ------- | -------- | ----------
1 | VPN.ac | Zero-knowledge DNS w/ DNS randomization & obfuscation | $4.83/m
2 | ExpressVPN | Private DNS on each server. No logs. | $8.32/m
3 | VyprVPN (VyprDNS) | Private DNS on each server. No logs. | $4.08/m
4 | PIA | Private DNS shared w/ all servers. No logs. | $3.33/m
5 | PureVPN | Private DNS on each server. | $4.99/m

What is a DNS Request/DNS Leak?

Every time you type a domain name (like google.com) into your web browser, your computer sends a request to a DNS server.

DNS is short for Domain Name System, and the sole purpose of a DNS server is to translate domain names (google.com) into a numerical Internet Protocol address (IP address).

This IP address tells your computer the unique location of the website you’re requesting in the internet’s IP address space, so it knows which server to request the web page from.

Most internet users’ DNS requests are actually sent to their ISP’s (Internet Service Provider) DNS servers. This is fine if you’re not using an encrypted connection, but if you use a VPN for privacy, it’s an issue if your ISP can still see your entire web history.

What is a DNS Leak?

A DNS leak occurs anytime a DNS request is sent on your behalf to a DNS server other than the one you or your VPN provider intended.

This happens most often when your DNS requests are routed outside of the encrypted VPN tunnel (due to a security flaw in the way operating systems handle DNS requests). These unencrypted requests will then be forwarded to your ISP’s DNS servers, allowing them to monitor and log your complete web-browsing history, despite the fact that you’re using a VPN.

Fortunately, there are several ways VPNs prevent DNS leaks, including:

  • Building DNS leak protection technology into their software
  • Using private DNS servers (controlled by your VPN) instead of 3rd-party (OpenDNS, FreeDNS)

You can also specify your own preferred DNS servers on your PC or router as an added layer of protection in case your VPN’s DNS leak protection method fails.

See this stackexchange thread for more details on how DNS requests are processed when using a VPN.

Private & Encrypted DNS vs. DNS Leak Protection

Most major VPN providers have integrated DNS leak protection into their VPN client software, but just because your ISP’s servers aren’t handling your DNS lookups doesn’t mean your web history is secure.

Many VPNs still use 3rd-party DNS servers like OpenDNS, FreeDNS, and ComodoDNS.

This means your private web-browsing history is still visible to someone besides just you and your VPN provider.

The solution is simple. Use a VPN provider that hosts their own private DNS servers that will keep your web history completely private. The entire goal of this article is to show you which VPN companies take this extra step toward complete privacy.

Advantages of Private DNS (Hosted by your VPN)

Choosing a VPN that hosts their own DNS servers has several advantages:

  • DNS requests can be encrypted (inside the VPN tunnel)
  • No 3rd-party has access to your web history
  • Prevents DNS hijacking and spoofing attacks
  • Additional privacy technology like DNS mixing/randomization is possible

Any VPN that uses 3rd-party DNS servers is forced to send your DNS requests in unencrypted form (the VPN tunnel ends at your provider’s server, so there is no VPN between your provider and the DNS server), which means an active attacker can monitor and record your DNS request history. They could even theoretically spoof responses from the DNS server and redirect you to malicious websites designed to steal your data or de-anonymize you (a major security risk).

A VPN provider that hosts their own DNS servers, however, is able to keep all DNS requests in-network which means they can remain encrypted when sent to/from the DNS server. This is a MAJOR privacy/security benefit.

Some VPN providers choose to have a few dedicated DNS servers hosted in net-neutral countries (Canada, the Netherlands, etc). Others (like ExpressVPN) have a unique DNS server in every single VPN server location. Both these options provide the benefit of encrypted DNS requests, however ExpressVPN’s method has the added advantage of improved geo-location spoofing (websites you visit will think you’re in the exact location where the VPN server is located since the DNS server has the same IP-address block as you do).

The Best VPNs with Private, Encrypted DNS (intro)

In the rest of this article, we’re going to look at our top recommended VPN providers who take your DNS privacy to the next level. This includes self-hosted DNS servers, fully encrypted DNS requests, and DNS leak prevention.

Some of these providers even have intelligent geo-location spoofing (made possible by self-hosted DNS servers) as well as cool security technologies like DNS randomization (mixing your DNS queries with millions of other randomly generated requests) for maximum privacy and anonymity when browsing the web.

Also make sure to check out our full reviews of each of these VPN providers for an in-depth look at the advantages of each.

#1 – VPN.AC (Editor’s Choice)

[Image: VPN.AC’s DNS Privacy Technology]

VPN.ac really impressed us with their attention to detail when it comes to security and privacy. Their self-hosted DNS servers are no exception, and they offer true zero-knowledge DNS with no logging. All DNS requests on their network are encrypted with 128-bit encryption in addition to your VPN tunnel encryption.

The coolest feature is the randomization/mixing of DNS queries that combines your unique DNS requests with millions of spoofed DNS requests to make it virtually impossible for anyone (even an active attacker with server access) to identify your web history. They are the only VPN provider we’re aware of with this level of technology, which is why they ranked #1 on our list.

You’ll also find VPN.ac’s software extremely powerful and easy to use, and they have a highly-rated VPN app in the Android play store as well.

Check out our full VPN.ac review for a complete walkthrough of their software and features, along with speed tests, analysis, and recommended uses.

VPN.ac is net-neutral, torrent friendly, and does not monitor or log any VPN activity. Prices start under $5/month (1 year subscription) and include unlimited bandwidth/speeds and up to 6 simultaneous connections.

#2 – ExpressVPN (Private DNS on every server)

ExpressVPN is a premium VPN service that takes DNS privacy seriously. They listened to their customers’ concern about DNS leakage, and in response rolled out private DNS servers on every single ExpressVPN server location.

[Image: ExpressVPN zero-knowledge DNS]

This means that not only are all of ExpressVPN’s DNS requests fully encrypted, but your DNS requests will also originate from the same country geo-location as your IP address, which makes it much harder for services like Netflix, Hulu, BBC iPlayer, and Spotify to block you based on your real location (or VPN usage).

The DNS servers are zero-knowledge and non-logging, meaning even ExpressVPN doesn’t know what you’re searching for online.

ExpressVPN has some of the best software in the industry (we love the ‘favorite servers’ feature). Their speeds are fast, and they are torrent-friendly. Check out our complete ExpressVPN Review for full details.

The one caveat is that ExpressVPN is a premium service with premium pricing. Their annual plans start at $8.32/month (which is about 40% higher than the industry average) but you get unlimited bandwidth and excellent speeds. And don’t forget their legendary 30-day refund policy.

#3 VyprVPN w/ VyprDNS (Private, every server)

Much like ExpressVPN, VyprVPN (owned by GoldenFrog) has their own private DNS service known as ‘VyprDNS’.

VyprDNS is a self-hosted, private DNS service with a unique DNS server in every VPN server location (to prevent VPN detection and geo-location errors).

To better visualize the advantages of private DNS servers vs. public 3rd-party servers, Vypr has built a handy comparison chart on their website:

[Figure: VyprDNS comparison chart, Private DNS vs. Public DNS. Source: https://www.goldenfrog.com/vyprvpn/features/vyprdns]

And best of all, VyprDNS is a Zero-knowledge, zero-log DNS service, meaning your web history will stay safe and private. All DNS requests will be encrypted inside your VPN tunnel, and should be difficult or impossible for 3rd-parties to monitor.

Beyond their private DNS, VyprVPN has a number of extremely impressive features, our favorite of which is their outstanding desktop and mobile VPN software (Mac, Windows, iOS, Android). Their VPN client is far and away the best we’ve tested, and includes ‘smart’ features like the ability to auto-connect to the VPN on untrusted wifi networks. It also has a phenomenal ‘Favorite Servers’ feature and truly intuitive server selection.

Read our VyprVPN review for a closer look.

We also have an exclusive offer through VyprVPN that will save you 50% on your 1st month of service (just use the link below).

Private DNS vs. 3rd-party Public DNS

Let’s take a quick look at how invasive 3rd-party DNS servers can really be (and this isn’t even counting your ISP, who likely logs everything).

Google’s public DNS service publicly discloses their full list of records kept, which includes things like:

  • Website you visited
  • Your ISP’s name
  • Geo-location data, including city & country.

Your ISP’s DNS servers will likely add additional data points, including:

  • full URL of page visited
  • records of all assets and files downloaded
  • your IP address
  • Timestamp of request

And most Internet providers keep these logs for 3-6 months (at least here in the USA). It’s no wonder so many people have turned to non-logging VPN services to take back their privacy.

Summary

Rank | Company | DNS Type | Best Offer
---- | ------- | -------- | ----------
1 | VPN.ac | Zero-knowledge DNS w/ DNS randomization & obfuscation | $4.83/m
2 | ExpressVPN | Private DNS on each server. No logs. | $8.32/m
3 | VyprVPN (VyprDNS) | Private DNS on each server. No logs. | $4.08/m
4 | PIA | Private DNS shared w/ all servers. No logs. | $3.33/m
5 | PureVPN | Private DNS on each server. | $4.99/m
