Android has a built-in setting that blocks ads across every app, browser, and game on your phone, system-wide, without root access and without installing a single third-party app. You just swap your DNS server to dns.adguard.com via the Private DNS option in your network settings, and the blocking starts immediately. The whole setup takes about 30 seconds.
This trick went viral on X with over 319,000 views because most people assume ad blocking on Android requires rooting the device or installing something like AdGuard or Blokada. It does not. Android 9 (Pie) added Private DNS support natively, and every phone released since 2018 has it, including every Samsung Galaxy, Google Pixel, OnePlus, Xiaomi, and Motorola device. The feature was designed for privacy and security, but it doubles as a surprisingly effective ad filter when pointed at the right DNS resolver.
Here is exactly how to set it up, what it blocks, where it falls short, and how to go further if the basic setup is not enough.
What Private DNS Actually Does (and Why It Blocks Ads)
Every time you open an app or load a website, your phone sends a DNS query to look up IP addresses for the domains being contacted. Most phones use your carrier’s DNS by default, which resolves everything without filtering anything.
Private DNS on Android routes all those queries through a DNS-over-TLS (DoT) resolver instead. When you point it at dns.adguard.com, AdGuard’s DNS resolver checks each domain query against its blocklist. If the domain is known to serve ads, trackers, or malware, the resolver returns NXDOMAIN (a non-existent domain response) instead of the real IP address. The app or browser receives no valid address, so the ad request fails silently. No ad loads.
Because this happens at the DNS layer, it works across your entire phone. Browser-based ad blockers only cover the browser. DNS-level blocking covers every app that makes network requests, including games, streaming apps, utility apps, and system-level ad SDKs. If you have ever wondered how to fix DNS errors when a site stops loading, you already understand the mechanism in reverse: DNS failure means the content never arrives.
The connection between your phone and the DNS resolver is encrypted via TLS, which also prevents your carrier or network operator from seeing what domains you are looking up. That is the privacy angle the feature was built for. The ad blocking is a side effect of choosing a resolver that filters by domain.
Step-by-Step Setup on Any Android Phone
The path to Private DNS settings varies slightly by manufacturer, but the option exists on every Android 9 or newer device. Here is how to find it on the most common phones.
Samsung Galaxy (Android 9+)
- Open Settings
- Tap Connections
- Tap More connection settings
- Tap Private DNS
- Select Private DNS provider hostname
- Enter:
dns.adguard.com - Tap Save
Google Pixel (Stock Android)
- Open Settings
- Tap Network & internet
- Tap Private DNS
- Select Private DNS provider hostname
- Enter:
dns.adguard.com - Tap Save
OnePlus / OxygenOS
- Open Settings
- Tap Wi-Fi & network
- Tap Private DNS
- Select Private DNS provider hostname
- Enter:
dns.adguard.com - Tap Save
Xiaomi / MIUI or HyperOS
- Open Settings
- Tap Connection & sharing (or More connection settings on older MIUI)
- Tap Private DNS
- Select Private DNS provider hostname
- Enter:
dns.adguard.com - Tap Save
After saving, Android tests the connection immediately. If it succeeds, you will see a confirmation that Private DNS is active. No reboot is needed. Open any app with ads to test it.
One thing worth knowing: Private DNS applies to both Wi-Fi and mobile data simultaneously. You do not need to configure it separately for each network. The setting is phone-wide.
Which DNS Providers Actually Work for Ad Blocking
AdGuard DNS is the most widely tested option and a reasonable default, but it is not the only choice. Here are the four providers worth considering, with honest notes on each.
AdGuard DNS
Hostname: dns.adguard.com
AdGuard DNS maintains one of the larger public ad-blocking DNS blocklists. The default blocklist targets ad networks, tracking domains, and some malware. A secondary mode at family.adguard.com adds adult content filtering. The free tier imposes no device limit and no query cap. For most users, this is the correct starting point. The full service overview is at adguard.com/adguard-dns.
NextDNS
Hostname: varies by account (format: xxxxx.dns.nextdns.io)
NextDNS is the most configurable of the free options. You create an account, get a unique hostname, and then manage your blocklists through a web dashboard. You can add specific blocklist sources (EasyList, Steven Black, OISD, uBlock filters), whitelist domains your apps need, and see query logs to identify exactly what your phone is contacting. The free tier allows 300,000 queries per month, which is roughly 2 to 3 months of normal usage for a single device. After that, blocking continues but logging stops until the next billing period.
NextDNS is the better choice if the basic AdGuard setup breaks apps you rely on, because the dashboard lets you whitelist specific domains without disabling blocking entirely.
Mullvad DNS
Hostname: dns.mullvad.net (ad blocking variant: adblock.dns.mullvad.net)
Mullvad DNS operates a no-logging DNS resolver out of Sweden. The ad-blocking hostname filters ads and trackers while Mullvad retains a strong privacy-first stance: no accounts, no usage data, no analytics. If you already use Mullvad VPN, the DNS is already integrated. As a standalone Public DNS, it is a credible alternative if you prefer a provider that has undergone independent privacy audits. Mullvad does not offer the query dashboard or custom blocklist configuration that NextDNS does.
Cloudflare 1.1.1.1 for Families
Hostname: family.cloudflare-dns.com
Cloudflare offers a filtered DNS resolver that blocks malware and adult content but is not specifically an ad blocker. It is listed here because many guides recommend it, but it will not block most ad networks. Do not use it if ad blocking is your primary goal. Use it if you want Cloudflare’s reliability with basic malware domain filtering.
What This Method Blocks and What It Misses
DNS-level blocking is effective for a large category of ads, but it has structural limits worth understanding before you rely on it as your only defense.
What it blocks reliably: standard display ads served from third-party ad networks (Google Ads domains, Meta Audience Network, ironSource, AppLovin), most pre-roll video ads in apps that call out to external ad servers, tracker SDKs that ping analytics domains in the background, and banner ads in free mobile games that load from external ad platforms.
What it does not block: ads served from the same domain as the content. YouTube’s ads are the clearest example. YouTube serves ads from Google’s own infrastructure (youtube.com, googlevideo.com), which are the same domains the actual video content comes from. Blocking those domains at DNS level would break the whole app, not just the ads. Spotify’s in-app ads work similarly: they come from Spotify’s own servers. DNS blocking cannot distinguish between the audio stream and the ad audio.
Some social media apps that serve first-party ads (Facebook, Instagram, TikTok) are partially affected. The social feed itself loads, but third-party tracking pixels and analytics calls from ad partners get blocked. The experience improves but ads do not disappear entirely.
HTTPS ads in certain apps may also bypass DNS filtering if the app implements DNS-over-HTTPS (DoH) directly in its networking stack, bypassing the system DNS setting. This is rare on consumer apps but is theoretically possible. Standard Private DNS (DoT at the OS level) controls DNS for all apps that use the system resolver, which is the vast majority.
If you rely on Android System Intelligence features or other Google services, those will continue working normally since their domains are not on ad-blocking blocklists.
Troubleshooting When Apps Break
The most common complaint after enabling Private DNS with an ad-blocking resolver is that a specific app stops working correctly. Here is how to diagnose and fix it without turning off blocking entirely.
If an app fails to load content, crashes on launch, or shows error messages after you switch DNS: the resolver is probably blocking a domain the app legitimately needs. This happens most often with banking apps, government apps, and some regional streaming services that use third-party CDNs or authentication services that share infrastructure with known ad networks.
The fastest fix is to temporarily switch Private DNS back to Automatic in your settings. If the app works again immediately, DNS was the cause. To fix it properly without disabling blocking, use NextDNS instead of AdGuard DNS, sign into the NextDNS dashboard, check your query log to find the blocked domain, and whitelist it. AdGuard DNS does not offer this granular control on its free tier.
If the app you are using has a built-in report or feedback option and you are confident the blocked domain is legitimate (not an ad), AdGuard maintains a public GitHub issues tracker for false positives on its DNS filter list. Reporting it there gets the whitelist updated for all users.
Some VPN apps conflict with Private DNS because VPNs typically override the phone’s DNS configuration entirely. If you use a VPN regularly, check whether it has its own ad blocking or DNS filtering built in. Many audited free VPNs with no-log policies now include DNS-based tracker blocking, which means you may not need Private DNS configured separately at all when the VPN is active.
Going Further: NextDNS Custom Lists and Advanced Blocking
NextDNS is the meaningful upgrade path from basic AdGuard DNS. The setup takes five extra minutes and gives you a level of control that the static AdGuard hostname cannot match.
After creating a NextDNS account, you get a unique hostname to paste into the Private DNS field. Then, in the NextDNS dashboard, you can stack multiple blocklists simultaneously. The most effective combination for Android is: AdGuard DNS filter (covers mobile ad networks), OISD Full (broad coverage, low false positives), and 1Hosts Lite (aggressive but stable). Together these block significantly more than AdGuard’s default DNS resolver, while the whitelist feature means you can recover any app that breaks without disabling everything.
NextDNS also shows you query logs in real time. Spend five minutes watching what your phone calls home to on a typical evening and the result is genuinely surprising. Background ad SDKs in apps you have not opened in weeks keep pinging analytics servers. DNS-level blocking terminates all of those calls silently. The phone does not slow down, the app still functions, and the data leaves your device without a destination.
For per-device control across multiple phones, NextDNS lets you create separate configurations for each device under the same account, each with its own blocklist profile and logs. That is useful for households where one device needs more permissive settings (a child’s tablet running specific educational apps) while others run the full blocking stack.
Private DNS vs Dedicated Ad Blocker Apps
The question that comes up immediately is whether this approach beats installing an actual ad blocker. The honest comparison:
AdGuard app (the full application, not just the DNS): installs a local VPN on your device and inspects HTTPS traffic, which means it can block ads inside YouTube, Spotify, and apps that serve first-party ads. It catches significantly more than DNS-level blocking. The downside is that running a local VPN drains battery faster, the app requires periodic updates, and it cannot run simultaneously with another VPN. The paid version costs $2.99/month or $17.99/year.
Blokada: similar local VPN approach to AdGuard. The free version has limitations on which blocklists you can use. The paid tier at around $4/month gives full list access and cloud-based filtering. Performance is comparable to AdGuard’s local filtering but requires the same local VPN infrastructure.
Private DNS (this method): no battery impact beyond slightly faster DNS resolution (encrypted DoT queries are marginally faster than unencrypted DNS because they often use persistent connections). No app to maintain. Works instantly after setup. Cannot block first-party ads (YouTube, Spotify). No HTTPS traffic inspection. Free with no account for AdGuard DNS; free up to 300,000 queries/month for NextDNS.
The practical recommendation: start with Private DNS. It handles the majority of mobile ads with zero maintenance and zero battery cost. If YouTube ads are a priority, you are looking at either the full AdGuard app, a YouTube Vanced successor like ReVanced, or a YouTube Premium subscription. Those are separate decisions with separate tradeoffs. Private DNS alone solves the problem for everything outside of Google and Spotify’s walled gardens.
Frequently Asked Questions
Does Private DNS block ads on mobile data, not just Wi-Fi?
Yes. Android’s Private DNS setting applies across all network connections, including mobile data (4G and 5G), Wi-Fi, and even USB tethering. You configure it once and it works everywhere. You do not need to set it up separately per network.
Will this slow down my internet connection?
No, and it can actually make DNS resolution slightly faster. AdGuard DNS and NextDNS both operate global server networks with points of presence across Europe, North America, and Asia. Their DNS-over-TLS resolvers use persistent connections that often respond faster than a carrier’s default DNS, which may be a single regional server. Real-world speed impact on browsing or streaming is negligible either way.
Does this work on Android tablets, not just phones?
Yes. The Private DNS setting is present on any Android device running Android 9 or later, including tablets, foldables, Android TV boxes that expose network settings, and Chromebooks running Android. The setup path is identical to a phone: Settings, network or connection settings, Private DNS, hostname.
What happens if the DNS provider has an outage?
If the Private DNS resolver goes down, Android falls back to the mode you had selected. If you set it to Private DNS provider hostname, a resolver outage will prevent DNS resolution entirely until the provider recovers, which means you lose internet access on affected apps. This is a real risk. NextDNS and AdGuard DNS both publish uptime histories and run redundant infrastructure, but if you are in an environment where internet reliability is critical, switching Private DNS back to Automatic during the outage is the correct response. NextDNS also offers a configuration option to specify a fallback DNS, which reduces this risk.
