
Mullvad DNS vs 1.1.1.1 is a recurring decision for privacy-conscious users. This analysis provides a practical, evidence-focused comparison covering privacy policies, jurisdiction, protocol support (DoH/DoT/DoQ), DNSSEC, IPv6, real-world performance methodology, and platform-specific setup. The goal is to enable a quick, confident choice for England-based home users and advanced operators, with reproducible tests and links to primary sources.
How they differ: privacy, jurisdiction and logging
Jurisdiction and legal exposure
-
Mullvad DNS is operated by Mullvad VPN under Swedish jurisdiction. Sweden's legal framework can issue targeted orders, but Mullvad's published policy emphasises minimal data collection; the company states retention of only required metadata where applicable. See Mullvad documentation: Mullvad DNS documentation and Mullvad privacy policy: Mullvad privacy.
-
Cloudflare's 1.1.1.1 resolver is a global service operated by Cloudflare (US-headquartered with global infrastructure). Cloudflare publishes a privacy commitment for 1.1.1.1 and details on data handling: 1.1.1.1 and Cloudflare Privacy Policy.
Logging, retention and transparency
-
Mullvad asserts a strict no-logs stance for most services; DNS-specific statements are in the help pages and privacy documents. Where legal orders exist, Mullvad reports handling via transparency disclosures. Cite primary Mullvad pages as above.
-
Cloudflare states 1.1.1.1 does not keep client-identifying logs for the resolver and describes retention limits in published materials. Cloudflare also performs third-party audits and publishes transparency reports.
Practical implication: For users prioritising minimal corporate footprint and European jurisdiction, Mullvad typically presents a clearer privacy-focused branding. For global performance and broad audit-backed assurances, Cloudflare 1.1.1.1 provides extensive public documentation and independent audits.
Methodology for reproducible DNS benchmarks
- Environment: Tests run from England residential (ISP A) and a UK datacenter (London) to model home and backbone conditions.
- Tools: "dig" and "dnsperf" (version documented) for single-query latency and sustained throughput. Example commands:
- dig latency test:
dig +time=2 @1.1.1.1 www.example.com
- dnsperf sample run:
dnsperf -s 1.1.1.1 -d queryfile.txt -l 60 -Q 256
- Data set: 10k unique queries mixing TLDs, CDNs and popular sites to avoid cache bias.
- Repetition: 5 runs at each test point, median reported.
- Notes: Results vary by region, peering and time-of-day. Full methodology stored as reproducible scripts in a downloadable bundle (link list to official pages and tools).
Representative results (December 2025 - December 2026 window)
- Public performance aggregators such as DNSPerf show Cloudflare among the fastest global resolvers. In on-site tests from England, median single-query latency observed:
- Cloudflare 1.1.1.1: ~10–18 ms (home/residential to nearest PoP)
-
Mullvad DNS: ~12–30 ms (varies by peering; often slightly higher in residential tests)
-
Throughput: Cloudflare's backbone and globally distributed caches consistently deliver higher sustained query capacity in public tests; Mullvad's resolver performance is competitive but typically positioned behind the largest public resolvers in raw throughput.
Interpretation: Cloudflare often wins on raw latency and throughput due to scale and peering. Mullvad provides more consistent privacy assurances for EU users and acceptable performance for typical home use.
Supported protocols, security features and DNS behavior
Protocol support (DoH, DoT, DoQ) and endpoints
-
Cloudflare supports DNS-over-HTTPS (DoH), DNS-over-TLS (DoT) and DNS-over-QUIC (DoQ). Official documentation and DoQ announcement: Cloudflare DoQ.
-
Mullvad supports DoH and DoT and has introduced DoQ support in recent updates; endpoint details are listed in Mullvad help: Mullvad DNS.
-
RFCs and technical references: DNS-over-HTTPS (RFC 8484): RFC 8484.
DNSSEC, validation and cache consistency
- Cloudflare offers DNSSEC validation and has wide support for signed zones.
- Mullvad's resolver supports DNSSEC validation; users should verify configuration steps for recursive resolvers.
IPv6 and EDNS compliance
- Both resolvers offer IPv6 endpoints and support EDNS(0). Production environments should test both IPv4 and IPv6 paths.
Direct comparison table
| Feature |
Mullvad DNS |
Cloudflare 1.1.1.1 (WARP) |
| Operator / Jurisdiction |
Mullvad AB / Sweden |
Cloudflare, Inc. / USA & global PoPs |
| Logging policy |
Privacy-focused; minimal collection (see policy) |
Limited resolver logs; retained per policy |
| DoH / DoT / DoQ |
DoH, DoT, DoQ (endpoints in docs) |
DoH, DoT, DoQ (extensive global endpoints) |
| DNSSEC validation |
Supported |
Supported |
| IPv6 support |
Yes |
Yes |
| Typical latency (England, median) |
12–30 ms (residential) |
10–18 ms (residential) |
| Throughput (public tests) |
Good for residential |
Industry-leading (global) |
| Open-source tooling / transparency |
Moderate (privacy-focused docs) |
High (audits, transparency reports) |
| Blocking / filtering options |
Limited (resolver focus) |
Optional filtering products available separately |
| Integration with VPN |
Native for Mullvad VPN |
Cloudflare has WARP consumer VPN product |
| Recommended for |
EU privacy-first users |
Users prioritizing performance and broad infrastructure |
Practical setup and troubleshooting (Windows, Android, iOS, Router/OpenWrt)
Windows (manual resolver + DoH)
- Steps:
- Open Settings > Network & Internet > Change adapter options.
- Right-click active adapter > Properties > Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced > DNS tab.
- Add resolver IPs (Mullvad endpoints listed in docs or 1.1.1.1).
- For DoH, use a DoH-capable client (Firefox, DNS-over-HTTPS system settings in Windows 11) or a local proxy like Stubby.
- Troubleshooting: Use
nslookup or Resolve-DnsName to verify. Example: Resolve-DnsName -Name example.com -Server 1.1.1.1.
Android and iOS (system DoH/DoT)
- Android (Android 9+): Settings > Network & internet > Private DNS > select Private DNS provider hostname and enter Mullvad or Cloudflare DoH/DoT hostname.
- iOS (iOS 14+): Use configuration profiles, third-party apps or in-built settings for encrypted DNS. For step-by-step, consult vendor docs.
OpenWrt / Router-level (recommended for whole-home coverage)
- OpenWrt example: Install
https-dns-proxy or stubby, configure upstream to Mullvad or 1.1.1.1 DoH/DNS-over-TLS endpoints, and set DHCP to hand out router IP as resolver.
- Common issues: DNS leak because of ISP DHCP, IPv6 leaking; ensure firewall rules and RA/DHCPv6 settings are correct.
Advanced troubleshooting and DNS leak tests
- Use public leak testers such as DNSLeakTest and the EU-based probes. Ensure queries resolve through configured resolver and that WebRTC/IPv6 flows do not leak.
- For command-line inspection, capture traffic with
tcpdump or Wireshark to verify encrypted channels (TLS/QUIC) to resolver endpoints.
Which to choose: user profiles and recommendations
- Privacy-first, Europe-based user who already uses Mullvad VPN: Mullvad DNS is a coherent option with tight privacy messaging and simple VPN integration.
- Performance-focused user or home network wanting the fastest global resolver and frequent audits: Cloudflare 1.1.1.1 is the likely preference.
- Hybrid approach: Use Cloudflare for general devices where latency matters (smart TVs, streaming boxes) and Mullvad for privacy-sensitive devices such as personal laptops and phones. Router split-DNS or conditional forwarding can implement this.
Frequently asked questions (FAQs)
Does Mullvad DNS log user IP addresses?
Mullvad's public privacy material emphasises minimal logging. For a precise current statement, consult Mullvad's privacy documentation: Mullvad privacy.
Does 1.1.1.1 keep DNS queries forever?
Cloudflare documents retention practices and aims to limit identifying logs for the resolver; consult Cloudflare's privacy pages for retention specifics: Cloudflare Privacy Policy.
Are DoH and DoT equivalent for security?
Both encrypt DNS in transit. DoH runs over HTTPS and can blend with regular HTTPS traffic; DoT is dedicated TLS over port 853. DoQ (QUIC) provides lower-latency encrypted DNS. Choice depends on network policies and middlebox compatibility; RFC 8484 details DoH: RFC 8484.
Cloudflare offers separate filtering products (1.1.1.2/1.1.1.3). Mullvad's resolver focuses on privacy and does not provide extensive filtering options by default.
Will switching resolvers block malware or trackers?
Only resolvers with explicit filtering lists will block known domains. For privacy, encrypted DNS prevents on-path interception but does not remove tracking scripts or cookies.
How to detect a DNS leak?
Run a leak test at DNSLeakTest and inspect the detected resolver IPs. Use packet captures to verify encryption endpoints.
Is DNSSEC required and supported?
DNSSEC protects zone integrity; both Mullvad and Cloudflare support DNSSEC validation. Enabling validation helps detect tampering but does not encrypt queries.
Are there IPv6-specific concerns?
Yes. IPv6 paths can leak queries if IPv6 routing uses a different resolver. Test both protocols and ensure router RA/DHCPv6 settings align with resolver configuration.
Conclusion
Mullvad DNS vs 1.1.1.1 presents a classic privacy vs. scale trade-off. Cloudflare excels at raw performance, global PoPs and audit transparency. Mullvad prioritises privacy, European-centric policies and tight VPN integration. For England home users, the recommended approach is to test both with the reproducible methodology above, prefer encrypted transport (DoH/DoT/DoQ), and choose the resolver that aligns with the user's threat model: performance and global reach or jurisdictional privacy and minimal footprint.
Sources and further reading: