The Case for Privacy

The Log Is The Problem

Every domain you query is a word in a sentence about your life. DNS logs read those sentences. The only honest answer isn't shorter retention — it's never writing them at all.

What They See

A Day in Your ISP's DNS Logs

When you use your ISP's default DNS — or any resolver that logs — every website you visit leaves a record. Not the page, just the domain. That's enough to know your doctor, your bank, your politics, your relationships, your mental health, what you watch at night. Below is a realistic sample of what those logs look like. This is not hypothetical — this is the file that exists on a server somewhere.

isp-dns-query.log — readable by your ISP, data brokers, courts, hackers
Timestamp            Client IP      Domain Queried                 Type
2025-03-14 06:43:12  192.168.1.105  accounts.google.com            A
2025-03-14 06:44:01  192.168.1.105  plannedparenthood.org          A
2025-03-14 07:12:38  192.168.1.105  chase.com                      A
2025-03-14 07:13:02  192.168.1.105  debtconsolidation.com          A
2025-03-14 08:55:44  192.168.1.105  psychiatrist-finder.com        A
2025-03-14 09:17:19  192.168.1.105  xvideos.com                    A
2025-03-14 09:17:22  192.168.1.105  pornhub.com                    A
2025-03-14 11:30:05  192.168.1.105  mayoclinic.org                 A
2025-03-14 11:31:14  192.168.1.105  cancer.gov                     A
2025-03-14 12:08:50  192.168.1.105  divorcelawyer-nyc.com          A
2025-03-14 13:22:31  192.168.1.105  claude.ai                      A
2025-03-14 13:45:09  192.168.1.105  chatgpt.com                    A
2025-03-14 14:10:22  192.168.1.105  aa.org                         A
2025-03-14 15:33:47  192.168.1.105  protonmail.com                 A
2025-03-14 16:02:15  192.168.1.105  gunbroker.com                  A
2025-03-14 17:48:00  192.168.1.105  immigrationlawyer.com          A
2025-03-14 20:14:33  192.168.1.105  xvideos.com                    A
2025-03-14 21:09:18  192.168.1.105  onlyfans.com                   A
2025-03-14 22:55:04  192.168.1.105  suicidepreventionlifeline.org  A
Highlighted in red — domains your ISP, data brokers, or a subpoena could expose. One day. One person. Nineteen entries. A life laid bare.

That's a single day. Multiply it by 365. By every device in your household. This is the file that exists. Right now. On servers you don't control, operated by companies whose business model is your data.

The Retention Fiction

"We Only Keep Logs for 24 Hours"

You've seen the policies. "Anonymized after 24 hours." "Deleted within 48 hours." "Aggregated, not personal." Here's the thing they don't say out loud:

The moment a log exists, it can be read. It can be copied. It can be subpoenaed. It can be breached. It can be sold. A promise to delete it later is not a promise that it was never seen. There is no such thing as a log that's simultaneously kept and private.

"Anonymized" data is routinely de-anonymized — researchers have done it repeatedly with far less information than a DNS log provides. Your ISP seeing you hit cancer.gov, then mayoclinic.org, then an oncologist's patient portal on the same IP address at the same timestamp is not anonymous. It is a diagnosis.

Our position is simpler: we don't log. Not for 24 hours. Not for one second. There is no file to subpoena. No database to breach. No record to sell. You can't delete what was never written.

The Second Problem

Encryption Matters — But It's Not Enough Alone

Encrypting your DNS requests is important. Without it, anyone on your network path — your router, a coffee shop's Wi-Fi, your ISP's infrastructure — can see exactly what domains you're querying in plain text. DoH, DoT, and DoQ close that gap. But encryption only protects the transit. Once your query arrives at the resolver, if that resolver logs, you're right back where you started — just with better transport security.

Plain DNS (Port 53)

Queries travel unencrypted
Visible to anyone on the network path
ISP can read and log every query
Anyone doing a packet capture sees all
Default on most devices and routers

DoH / DoT / DoQ + No Logs

Queries encrypted in transit
Network path cannot see what you're querying
Resolver never writes to disk
Nothing to subpoena, breach, or sell
The only complete answer

This is why we offer DoH, DoT, and DoQ — and only those. We don't offer plain DNS on port 53. If you're going to use our resolver, you should get the full protection. Encrypted transit, zero logs. Both. Always.

The Interested Parties

Who Wants This Data — and Why

DNS logs are not abstract surveillance. They are commercially, legally, and politically valuable to a long list of parties who would rather you didn't think about this:

Advertisers — your queries build a behavioral profile worth money.
Data brokers — who buy ISP data and resell it.
Law enforcement — subpoenas for DNS records are routine.
Employers — some ISPs sell data that eventually reaches background check companies.
Governments — mass surveillance programs operate at the DNS level.
Hackers — breaches of DNS providers expose historical query data.
Insurance companies — health-related queries are actuarially interesting.

None of these parties need to break in anywhere. They just need the log to exist. Once it does, the question is only who gets access and when — not whether it's safe.

Common Questions

Frequently Asked

Answers to what people ask most about private DNS.

What is DNS and why does it matter for privacy?
DNS — the Domain Name System — translates human-readable domain names like "google.com" into IP addresses your device can connect to. Every website visit, every app request, every software update starts with a DNS query. By default, those queries go to your ISP's servers unencrypted, creating a complete record of your online activity. Private DNS resolvers like ours handle those queries without logging them.

Is DNS over HTTPS (DoH) the same as a VPN?
No. DoH encrypts only your DNS queries — the part where your device asks "what's the IP for this domain?" A VPN encrypts your entire connection, including the actual data you send and receive. They solve different problems. DoH specifically prevents your ISP from logging which sites you look up. A VPN hides the actual traffic. For most people, private encrypted DNS is the simpler, lower-friction first step.

Why not just use Google (8.8.8.8) or Cloudflare (1.1.1.1)?
Google and Cloudflare are better than your ISP in some ways — but they are large corporations with business interests in your data. Google's entire revenue model is built on knowing what you do online. Cloudflare retains logs for up to 25 hours. Both are subject to US law enforcement requests and national security letters. A small, community-run resolver with a genuine no-log policy is a fundamentally different trust model.

What is DNS over QUIC (DoQ) and should I use it?
DoQ is the newest encrypted DNS protocol, built on QUIC — the same transport layer that powers HTTP/3. It offers lower latency than DoT, better performance on unreliable connections, and built-in encryption. If your client supports it (AdGuard Home, some mobile apps, and newer resolvers do), DoQ is the best option available today. Otherwise, DoH is the most universally supported.

How do I know you actually don't log?
Honestly — you're extending trust, same as you do with any resolver. What we can tell you is: our resolver runs on Unbound, a well-audited open-source DNS resolver with no logging enabled. We have no business model that benefits from your data. We are not subject to commercial pressures to retain logs. And we will never lie to you about what we do. That's a different kind of assurance than a privacy policy written by a legal team — it's a commitment from people who built this because they believe in it.

Can my ISP still see my traffic if I use private DNS?
Your ISP can no longer read your DNS queries when you use DoH, DoT, or DoQ — those are encrypted. However, your ISP can still see the IP addresses you connect to after DNS resolution. They can also see SNI (Server Name Indication) in unencrypted TLS handshakes, though Encrypted Client Hello (ECH) is increasingly available to close that gap. Private DNS is a critical layer — not the only layer.
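
For readers who run their own Unbound instance, the "no logging enabled" state mentioned in the answer about how you know the resolver doesn't log can be checked against the configuration file. This is an added example, not this service's code or configuration: the sample config and function names are constructed, the directive names come from unbound.conf(5), and the check does not follow `include:` files.

```python
# Directives that make Unbound emit per-query data when set to "yes"
# (names from unbound.conf(5); dnstap-enable lives in the dnstap: clause).
QUERY_LOGGING = ("log-queries", "log-replies", "log-local-actions",
                 "log-servfail", "dnstap-enable")
MAX_SAFE_VERBOSITY = 1  # verbosity 2 and above includes per-query information

# Constructed sample: a resolver that encrypts transport but still logs.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0@853
    verbosity: 2
    log-queries: yes      # one line per query: client IP, name, type
    log-replies: no
    use-syslog: no
dnstap:
    dnstap-enable: yes
"""

def parse_directives(conf_text):
    """Yield (line_no, key, value) for each 'key: value' line, ignoring comments."""
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.strip().strip('"')
        if value:  # clause headers such as 'server:' carry no value
            yield line_no, key.strip(), value

def audit(conf_text):
    """Return the directives that would cause query data to be written."""
    findings = []
    for line_no, key, value in parse_directives(conf_text):
        if key in QUERY_LOGGING and value.lower() == "yes":
            findings.append((line_no, key, value))
        elif key == "verbosity" and value.isdigit() and int(value) > MAX_SAFE_VERBOSITY:
            findings.append((line_no, key, value))
    return findings

if __name__ == "__main__":
    for line_no, key, value in audit(SAMPLE_CONF):
        print(f"line {line_no}: {key}: {value} writes per-query data")
```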

Ready to Disappear from the Log?

Set up encrypted, zero-log DNS in under two minutes.
