Local DNS filters on Android to stop trackers in email and other apps

  • Local DNS filters on Android allow you to block tracking domains, advertising, and malware at the system level without needing root access.
  • Services such as AdGuard DNS, NextDNS, RethinkDNS, or Mullvad combine encryption (DoH/DoT/DoQ) with customizable blocklists and detailed statistics.
  • DNS blocking reduces trackers in emails and websites, but it is very well complemented by specific anti-tracking extensions in the browser and email client.
  • Setting up a local DNS with Pi-hole, AdGuard Home or Technitium offers maximum control and centralizes filtering for mobiles, PCs, Smart TVs and more.
Joaquin Romero

17 minutes

DNS filters

Have you ever had the feeling that They spy on you even when you check your email on your mobile phone.It's not your imagination: a large portion of marketing emails and many Android apps carry invisible trackers that record what you open, when, from where, and with what device. The good news is that you can block much of that tracking. blocking tracking domains from within the system itself, without root and without setting up a circus of weird apps.

In this article we'll see how to use Local DNS filters on Android to block trackers in emails, apps, and web browsingWhich services are more interesting (AdGuard, NextDNS, RethinkDNS, Mullvad, etc.), how this combines with anti-tracking extensions in email, and what options you have if you want to set it up at home with your own DNS like Pi-hole, AdGuard Home or Technitium.

What is DNS and why does it help stop trackers and ads?

DNS is the system that It translates domain names like "example.com" into IP addresses.Every time an app, website, or your email client needs to load something (including email images, tracking pixels, or advertising scripts), it sends a DNS query to find out which server to connect to.

A normal DNS resolver responds with the correct IP address, and that's it. However, a DNS with content filtering first checks lists of domains marked as ads, trackers, or malware.If the domain is on those lists, the server may return a fake IP address, an empty internal address, or simply fail to resolve the request. The result: the tracking resource or the advertising banner. They never get downloaded.

This affects both browsing and many emails and apps because Email tracking pixels are typically loaded as external images from tracking domains.If your DNS blocks those domains, the pixel won't download, the sender won't receive the open notification, and much of the profiling they do about you will be cut off.

Create a secure hotspot with custom DNS
Related article:
How to create a secure hotspot with custom DNS on your mobile phone

In addition to filtering, many modern resolvers support encrypted protocols such as DoH (DNS-over-HTTPS), DoT (DNS-over-TLS) or DoQ (DNS-over-QUIC)With them, your Internet provider can no longer easily see all the websites and services you query via DNS, nor manipulate the responses to insert their own advertising or crudely block content.

Private DNS on Android: Block at the system level without root or unusual VPNs

Since Android 9 there is a setting called "Private DNS" that allows you to define an encrypted DNS server for the entire systemIt's the cleanest way to activate a local DNS filter: you don't need root access, you don't have to install a permanent VPN, and you don't have to rely exclusively on the browser.

When you enable private DNS, All Android apps stop using your carrier's or router's DNS They then begin resolving domains through the server you've configured (for example, AdGuard DNS or NextDNS). Whenever an email app, your Gmail client, or an ad-supported app tries to connect to an ad or tracking domain, the DNS provider cross-references it with its lists and blocks it if necessary.

This type of filtering is especially useful in modest or advertising-saturated mobile phoneswhere every extra banner noticeably impacts data consumption, battery life, and performance. By cutting ads and trackers at the network level, many free apps and games become much more manageable, and some web and email tracking is neutralized at once.

How to choose a DNS server for Android: AdGuard, Rethink, Mullvad, NextDNS and others

Many users wonder if it really matters whether they use AdGuard, RethinkDNS, Mullvad, Cloudflare, Quad9, or another provider, or if in the end They all block more or less the same thing.The answer is no: although they all resolve domains, they differ considerably in privacy, filtering, statistics, and customization capabilities.

Among the best-known providers for Android, the following services stand out: Public DNS with or without filtering:

  • AdGuard Public DNSIt resolves to plain text and supports DoH/3, DoT, DoQ, and DNSCrypt. It offers ad-blocking and tracker-blocking modes, as well as a family profile that adds an adult content filter. They claim anonymous registration.
  • Cloudflare (1.1.1.1)Focused on speed and privacy, with DoH/3 and DoT. It offers basic filtering options based on the chosen server (malware, adult content), but its strength lies not in granular control over ads in apps.
  • Control D FreeDNS with plaintext, DoH/3, DoT, and DoQ, with selectable filtering profiles. It focuses on offering different levels of blocking depending on the server you choose, with good overall performance.
  • Mullvad DNSDesigned to work seamlessly with your VPN, it supports DoH and DoT. It allows you to activate tracker and ad filters directly from Mullvad's settings, with documented public lists.
  • Quad9Public DNS with plaintext, DoH, DoT, and DNSCrypt. It offers built-in malware blocking and, depending on the server, additional filters. Its focus is more on security than on systematically blocking all advertising.

In parallel, there are services for Cloud DNS filtering with control paneldesigned to customize what is blocked, create profiles per device, and view statistics:

  • NextDNSIt acts as a Pi-hole in the cloud. It allows you to activate anti-ad and anti-tracking lists, block entire categories (social networks, gambling, etc.), apply safe mode to search engines, and restrict YouTube. It supports DoH, DoT, and DoQ, logs queries (with configurable retention), and offers a free plan with approximately 300.000 DNS requests per month per account.
  • Control D (payment): advanced version with web console, highly detailed profiles, scheduling and very fine filtering possibilities for homes and businesses.

If you're coming from using AdGuard as an app or DNS on Android and are unsure whether to choose RethinkDNS, Mullvad, or stick with AdGuard, the key is to see What do you prioritize: strict privacy, statistics, VPN integration, or granular controlMullvad, for example, shines if You already use their VPNAdGuard has an ecosystem focused on ad blocking; RethinkDNS stands out as an encrypted DNS proxy on Android that coexists with other configured VPNs (WireGuard, Orbot, etc.).

How to set up an ad-blocking DNS on Android step by step

DNS filters

To take advantage of local DNS filtering on Android 9 or higher, you can use the option to Private DNS with a provider that includes ad and tracker blockingThe exact steps may vary slightly depending on the brand and customization layer, but the general idea is:

    • OPEN Settings of the System.
    • Enter the section Connections o Network and Internet.
    • Find the option Private DNS (Use the internal search engine if you don't see it at first).
    • Choose "Private DNS provider hostname".
    • Enter the host of the DNS service you want to use.

>

  • Save the changes and test the connection.

A commonly used example for Android is AdGuard DNS. For standard ad filtering and tracking, the host is used. dns.adguard-dns.comIf you also want adult content filters and some child protection, you can use the host family.dns.adguard.com, which adds blocking of categories related to adult content.

In the case of NextDNS or Control D, the web panel generates a specific hostname linked to your configurationCopy that name (it usually ends in "dns.nextdns.io" or something similar) and paste it into the Android private DNS settings. From that moment on, your phone will use your custom rules for all system traffic, including email apps, browsers, and third-party applications.

If a public WiFi network with a captive portal (airports, hotels, cafes…) doesn't let you open the login page, it may be because the Encrypted private DNS prevents the redirects used by the portal.In those cases, the most practical thing to do is to temporarily disable private DNS, authenticate, and then re-enable it.

Use secure DNS only in the browser: Chrome and DoH

You might want to DNS filtering only affects web browsing and not all appsIn that scenario, Chrome for Android allows you to configure a secure DNS (DoH) directly in the browser, without touching the system's private DNS setting.

The typical procedure in Chrome is:

  1. open the menu Configuration.
  2. Ir a Privacy & Security.
  3. Enter the option Use secure DNS.
  4. Choose "Select another provider" or an equivalent field.
  5. Enter the DoH URL of the filtering service (for example, the AdGuard or NextDNS HTTPS endpoint).

In the case of AdGuard, Chrome requires a DoH-compliant specific URL (The hostname you use for DoT is not enough.) If you make a mistake in a character, the browser may ignore the configuration or give intermittent errors when resolving domains.

It's worth noting that when Chrome has its own secure DNS configured, That configuration takes precedence over the system configuration for requests made by the browser.For example, if on Android you use a DNS that also blocks adult content, but in Chrome you select one that only filters ads, you may be able to access adult content from the browser while other apps remain filtered.

Block email trackers: DNS + specific extensions

DNS filtering helps a lot in stopping email trackers, but on its own It doesn't always stop all tracking pixels and scripts embedded in webmail platformsThat's why it's highly recommended to combine it with dedicated browser extensions when accessing email from a PC or Android device using compatible browsers.

Among the most useful extensions for block email trackers include:

  • uBlock Origin / uBlock Origin LiteAdGuard is a well-known ad blocker that also filters out many of the trackers found in webmail. You can enhance its effectiveness by enabling lists like AdGuard Tracking Protection. It's available for Chrome, Firefox, and derivative browsers; the Lite version is compatible with the new extension restrictions (Manifest V3).
  • Trocker: a free and open-source extension that works with Gmail, Outlook, Yahoo and other web services. It detects tracking pixels, blocks them, and tells you how many were in each email., marking with a "T" the messages that include trackers.
  • Ugly EmailDesigned for Gmail users in a browser, this tool flags messages containing trackers with an eye icon and reveals which tracking tool is being used. Everything is processed locally, and its code is hosted on GitHub, ensuring transparency.
  • PixelBlockDesigned for Gmail on Chromium-based browsers (Chrome, Edge, Brave, etc.). It blocks tracking pixels and displays a red eye icon when it interferes. It requires no configuration but is limited to that specific environment.

In addition to extensions, it is advisable to adopt certain Basic habits to minimize mail trackingDo not open messages from suspicious senders, avoid clicking on suspicious links, use previews that do not load external images, regularly clean up unnecessary newsletters, and, when possible, resort to Temporary emails for registrations and specific promotions.

If you share devices or accounts with family members, it's also important explain what has been configured and why.so that no one accidentally disables protections or forwards suspicious emails that may contain malicious trackers and links.

DNS filtering apps on Android: personalDNSfilter, AdGuard, RethinkDNS

In addition to the system's private DNS, many people prefer to use dedicated Android apps that act as a local DNS filterOne of the most interesting is personalDNSfilter, which works as a lightweight DNS firewall with support for encrypted servers.

personalDNSfilter integrates into the device's DNS resolution and blocks access to domains included in filter lists (malware, phishing, trackers, ads, etc.). It's a completely local solution: the filtering is done on your own mobile device and, according to its developers, No data or statistics are sent to the app author, which reduces the exposed surface area.

How to configure DNS on Android
Related article:
Configure DNS on Android step by step: complete guide

Among its most outstanding features are:

  • Works like DNS filter on Android without root access in versions 4.2 and higher.
  • Allows you to choose any trusted DNS server as upstream, including resolvers encrypted using DoH (DNS-over-HTTPS) and DoT (DNS-over-TLS).
  • It can be executed in a local on the phone or as a central DNS server for a home network.
  • It includes a real-time logging of all DNS requests, very useful for seeing which domains your apps touch "behind the scenes".
  • It has a active community on Telegram for support and filtering lists (channel t.me/pDNSf).

There are some nuances to consider: personalDNSfilter It's not a real VPNTherefore, it doesn't hide your public IP address or location. The app whitelist only works in VPN-like filtering mode, not in root mode, and, as with most DNS filters, It cannot block ads served from the same domain as the main content., like many on YouTube or Facebook.

Apps like AdGuard for Androidwhich combine DNS blocking with deeper filtering (HTTP/HTTPS) and a firewall. The recent version, AdGuard v4.4, for example, improves the firewall options for Silence annoying connection notifications by app and adds support for real-time DoH connection filtering, so it can intercept and filter encrypted DNS used by the browser without degrading security.

RethinkDNS, for its part, acts as Encrypted DNS proxy taking up Android VPN spaceEven so, it allows you to continue using a VPN like WireGuard or tools like Orbot by configuring them as a proxy or through specific settings. It's a good option for those who want a highly flexible DNS filter compatible with multiple cloud services.

Set up your own local DNS: Pi-hole, AdGuard Home and Technitium

If you want maximum control and not to depend on third parties, you can always Set up a filtering DNS server on your own networkWith a miniPC, a NAS, or a Raspberry Pi (when your budget allows), you can build a central system that blocks ads, trackers, and malware for all your devices: Android phones, computers, Smart TVs, consoles, etc.

The most popular options in this field are:

  • Pi-hole: pioneer of network-level ad blocking in home environments. It acts as a recursive DNS that, before resolving, It applies blocklists to millions of advertising and tracking domains.Any device that uses Pi-hole as its DNS is protected without installing anything on it.
  • AdGuard HomeAn open-source solution focused on blocking ads, trackers, and inappropriate content, with a simple web interface and family-friendly profiles. It's very convenient for homes and small networks.
  • Technitium DNS ServerIt goes a step further by offering recursive and authoritative functions It also allows you to block ads and trackers, create internal domains for your LAN, supports DoH, DoT and DoQ, integrates DNSSEC and displays detailed real-time statistics.

In the case of Technitium, it's particularly convenient to deploy it via Docker, exposing the classic DNS ports (53 TCP/UDP) and the web console ports. From there you can Activate different blocklists, adjust which networks can use the server, enable DNS encryption, and review statistics for each device.

The great advantage of having your own DNS is that You centralize the filteringYou configure the router to use your local DNS server, and all devices on the network will then route their DNS through it. If you ever want to fine-tune rules, unblock a specific domain, or add a filter for email crawlers, you do it once, and it affects the entire house.

Recursive vs. authoritative DNS: why it matters when building your own filter

When discussing setting up a local DNS, it's important to understand the difference between recursive and authoritative serverssince many modern solutions, such as Technitium, combine both functions.

A recursive DNS server acts as intermediary who seeks the answer wherever it is neededIf your mobile phone asks for "email.example.com" and it doesn't have the IP address cached, it will query other servers (root, TLD, authoritative domain server) until it finds the correct answer, which it then returns and saves.

An authoritative server, on the other hand, is one that has the "official truth" about a specific domainIt maintains the records for that domain (A, MX, CNAME, etc.) and responds to queries from other resolvers that want to know where that service is located.

Pi-hole and AdGuard Home, in a domestic context, behave primarily as recursive filtersThey receive the request from your device, check if the domain is on their block lists, and if it isn't, they proceed recursively. If it is, they modify or deny the response to prevent the connection.

Technitium DNS combines both roles, so it can be recursive to the Internet for external domains and authoritative for internal names within your network (for example, nas.home, server.lan). This allows you to use the same software to manage self-hosted services while simultaneously filtering trackers, ads, and malware for your entire environment.

Other DNS filtering solutions geared towards businesses and families

In addition to the services already mentioned, there is a whole ecosystem of DNS filtering platforms more geared towards businesses, educational institutions, or public networksalthough many can also be adapted to homes that want very fine control.

Some examples are:

  • TitanHQ (WebTitan): cloud-based solution with predefined categories, anti-malware protection, Active Directory integration and real-time reporting dashboard, ideally suited for SMEs.
  • Clean BrowsingIt offers filters tailored for families, schools, and small organizations, with native support for DoH, DoT, and DNSCrypt, and the option to not log data or limit its retention.
  • Cloudflare Gateway: Cloudflare's enterprise version of DNS with advanced policies, HTTP(S) filtering, SAML/OIDC support, and highly granular controls based on geolocation, device, or user groups.
  • Perimeter81: Cybersecurity package with DNS filtering as part of a broader solution (corporate VPN, private tunnels, data loss prevention, etc.).
  • SafeDNSIt offers 66 filtering categories, anti-phishing and anti-malware protection, DoH/DoT support, and flexible licensing models for home, business, public WiFi, and education.
  • OpenDNS (Cisco)Cisco offers a classic, free service for personal use, with profiles like Family Shield (adult blocking by default) and Home (more configurable). For businesses, Cisco offers Umbrella, which includes many more layers of security.
  • DNSFilter: platform with a global network of servers, real-time AI-powered malware and phishing detection, Active Directory integration, and clients for Windows, macOS, iOS, Android, and Chrome.

Although these solutions may seem overkill for a single Android phone, This makes a lot of sense if you want the same filtering to be applied to PCs, Smart TVs, and other devices. without going one by one. By configuring the router with one of these services, all DNS traffic on your network will pass through its policies.

Advantages and limitations of DNS blocking on Android

Enabling a local DNS filter on Android offers several clear advantages. First, It significantly reduces intrusive advertising and trackers. on websites, emails, and apps that rely on external domains to serve ads and pixels. It also provides an additional layer of security against malicious sites, phishing, and malware that many specialized resolvers block by default.

Secondly, it is a solution very light and transparentIt doesn't require root access, doesn't drain the battery like some persistent VPNs, and is configured once to affect the entire system. In terms of privacy, using DoH, DoT, or DoQ prevents anyone controlling the network from seeing all your DNS queries in plain text.

However, DNS blocking has its limits. Ads and trackers served from the same domain as the main content (as part of many closed apps, social networks, or video platforms) cannot always be filtered without breaking functionality. In these cases, it remains essential to use browser-level blockers or dedicated apps like AdGuard for Android, along with anti-tracking extensions in email.

The ethical aspect should also be taken into account: Many free services are funded by advertising.Your decision to block it is perfectly legitimate, but if there are sites or creators you truly value, it might be worth supporting paid, ad-free versions or at least adding exceptions for them to your block lists.

DNS filters
Related article:
How to change your DNS to block ads without installing apps

With all of the above, it's clear that playing with the DNS settings of Android and your network is one of the most effective and simple ways to Cut email trackers, reduce ads in apps, improve security, and gain control over what goes in and out of your devicesWhether you use a cloud service or decide to set up your own local DNS filter with custom statistics and rules. Share this information and help other users learn about the topic.