Ads are not a minor annoyance sitting on top of your data plan; research from Enders Analysis found ad content accounted for 18% to 79% of the mobile data a web page transferred, depending on the site, with advertising responsible for roughly half of all data loaded by publisher pages on mobile networks. The cost is not only measured in megabytes either.

A widely cited Purdue University and Microsoft Research study found that 65% to 75% of a free app's energy use goes toward advertising-related functions, not the app itself. In the Angry Birds case the researchers examined, only about 18% to 25% of power actually went to running the game. Rooting a phone used to be the only real fix for this, but it is not anymore.

Three no-root methods now handle most of it: Android's built-in Private DNS setting pointed at an ad-blocking resolver, a local-VPN filter app running entirely on the device, or a browser with ad blocking built in. Each works differently and blocks a different slice of the problem, which is exactly what trips people up when they pick one, get partial results, and assume ad blocking on Android does not really work without root. It does, once you know which method covers which type of ad.

The Real Challenges With No-Root Ad Blocking

  • DNS blocking cannot reach first-party ads. Ads served from the same domain as the app's own content, such as YouTube or Instagram's in-feed ads, share the same servers as the content itself, so blocking that domain would break the app.
  • Android only supports one Private DNS hostname at a time. You cannot layer two DNS resolvers, so switching providers means replacing the setting, not adding to it.
  • Local-VPN apps occupy Android's single VPN slot. Since Android only allows one active VPN connection, a local-VPN ad blocker cannot run alongside a real VPN app unless one supports being layered through the other.
  • Free tiers cap out. Cloud DNS filtering services like NextDNS meter usage, and exceeding the free quota quietly turns off filtering instead of blocking your connection.
  • Browser-based blocking only protects that one browser. Installing Brave or adding uBlock Origin to Firefox does nothing for ads inside other apps or a different browser on the same phone.

Quick Comparison

Here is how the three no-root methods stack up before the step-by-step instructions for each.

MethodBlocks In-App Ads?Setup DifficultyFree?Battery/Speed Impact
Private DNS (NextDNS, AdGuard DNS, ControlD)Partial: third-party ad networks only, not first-party adsEasy: one native Android setting, no app installYes: public resolvers and free tiers availableMinimal to positive: no local process, less data to render
Local-VPN filter apps (RethinkDNS, AdGuard, Blokada, personalDNSfilter)Partial to good: some add HTTPS filtering for deeper blockingModerate: install app, grant VPN permissionYes: RethinkDNS and personalDNSfilter are fully free and open sourceSmall: a background VPN service runs, though blocked ad scripts often offset it
Ad-blocking browsers (Brave, Firefox + uBlock Origin)No: only filters within that one browserEasy: install app or add-onYes: both are freePositive within the browser: pages load faster with fewer scripts running

Method 1: Private DNS With an Ad-Blocking Resolver

Android has shipped a native Private DNS setting since Android 9, letting the whole device route DNS-over-TLS queries through a resolver you choose, ad-blocking or not. Google's own Android Help documentation covers the setting under Network & internet > Private DNS, and Android currently only supports the DNS-over-TLS protocol for this field. Pointing it at a resolver that filters ad and tracker domains blocks most third-party ad requests device-wide, across every app and browser, before they ever load.

Setting it up

  1. Open Settings, go to Network & internet, then Advanced (some phones skip straight to the setting).
  2. Tap Private DNS.
  3. Select “Private DNS provider hostname.”
  4. Enter the resolver hostname (see below) and tap Save.

AdGuard DNS

AdGuard DNS's own setup documentation lists a free public hostname, dns.adguard.com, that needs no account and starts filtering ads and trackers immediately. Users who want per-device stats and custom rules can instead create a free account and use a personal hostname in the format {device-id}.d.adguard-dns.com, found on their AdGuard DNS dashboard.

NextDNS

NextDNS requires a free account first. Sign up at my.nextdns.io, and per NextDNS's own help center instructions, your Private DNS hostname will be your Configuration ID followed by .dns.nextdns.io, for example abcd1234.dns.nextdns.io. Enable one of NextDNS's ad-blocking blocklists (such as OISD or AdGuard's list) from the dashboard before saving the hostname. The free tier covers 300,000 DNS queries per month; going over that limit does not cut off your connection, it just stops filtering until the next month.

ControlD

Per ControlD's own Android documentation, the recommended route is the same native Private DNS field: open Settings, find Private DNS, choose the hostname option, and paste in your unique DNS-over-TLS hostname from the ControlD dashboard. ControlD also publishes free public resolvers you can enter directly with no account for basic filtering, though custom blocklists and per-device profiles sit behind its paid plans starting around $3 a month with a 14-day free trial. For devices too old to expose the Private DNS setting, ControlD's Quick Setup app routes only DNS traffic through a local VPN instead.

If Private DNS Won't Connect

The Private DNS provider hostname option forces strict DNS-over-TLS, and Google's own DNS-over-TLS documentation notes that a failed secure connection is treated as a hard error in strict mode, unlike Android's default opportunistic behavior with a carrier or Wi-Fi network's own DNS server. Corporate networks, school Wi-Fi, and some hotel or airport captive portals block the port DoT needs, port 853, which can show up as “no internet” even while Wi-Fi shows connected. The Internet Society's writeup on Android 9's DNS privacy rollout flagged this port-blocking tradeoff as a known limitation from launch. On a network like that, switch Private DNS back to Automatic temporarily, or fall back to a local-VPN filter app from Method 2, since those do not depend on port 853 being open.

Method 2: Local-VPN DNS Filter Apps

These apps use Android's VPN API to intercept only DNS traffic (and in some cases HTTPS content) locally on the device, without sending your general browsing through a remote server the way a real VPN does. Because they run as an app rather than a system setting, they can add features Private DNS alone cannot, like a firewall or selective HTTPS filtering.

RethinkDNS

RethinkDNS is a free, open-source DNS-plus-firewall app available on F-Droid and Google Play. It lets you route DNS through any DNS-over-HTTPS, DNS-over-TLS, or DNSCrypt resolver of your choice, including ad-blocking ones, and its firewall mode can additionally block specific apps from reaching the internet at all, on top of DNS-level filtering.

AdGuard for Android

Rather than only filtering DNS, AdGuard's Android app runs a local VPN and can optionally install a local root certificate to filter HTTPS traffic on the device itself, catching ad content that pure DNS filtering would miss inside a single connection. AdGuard notes this local VPN does not turn on automatically after a reboot, a restriction set by Android, and it cannot run at the same time as a separate VPN app.

Blokada

Blokada combines a DNS-based ad and tracker blocker with an optional no-log VPN. The version distributed on Google Play carries fewer features due to Play Store policy restrictions; the full-featured build is available directly from Blokada's own site.

personalDNSfilter

personalDNSfilter is a fully open-source DNS filter proxy, hosted on GitHub and licensed under the GPL, that has worked without root since Android 4.2. It filters entirely on-device using a hosts-style blocklist and supports DNS-over-HTTPS and DNS-over-TLS upstreams, making it a lightweight option for older or lower-spec phones.

Method 3: Ad-Blocking Browsers

Browser-level blocking only protects pages loaded in that specific browser, but it goes further than DNS methods within that scope, since it can strip individual ad elements out of a page rather than just blocking the domain the request came from.

Brave

Brave's built-in Shields feature runs the browser's own Rust-based ad-blocking engine on every page by default, parsing the same EasyList and EasyPrivacy filter lists that dedicated extensions like uBlock Origin use, plus filter lists Brave maintains itself. No setup is required beyond installing the browser.

Firefox + uBlock Origin

Firefox for Android is one of the few mobile browsers that still supports full browser extensions. Installing uBlock Origin from the official Mozilla Add-ons site adds the same wide-spectrum content blocker used on desktop, filtering ads, trackers, and pop-ups using EasyList, EasyPrivacy, and other lists, and it stays free and open source.

Combining Methods for the Most Complete Coverage

Private DNS and a local-VPN filter both claim Android's DNS resolution, but a browser ad blocker works at a different layer. It strips ad elements and scripts out of a page after the page has already loaded, inside that one browser, rather than blocking a request before it leaves the device. That means whichever DNS-level method you pick and a browser blocker like Brave or Firefox with uBlock Origin can run at the same time without conflict, each catching content the other misses.

What does not combine is two DNS-level methods at once, or a local-VPN filter app running alongside a separate VPN app, since Android exposes only one Private DNS setting and one active VPN connection at a time. If you already rely on a different VPN app for other reasons, expect to choose between that VPN and a local-VPN ad blocker rather than running both, unless the VPN app itself offers a built-in ad-blocking DNS option.

The Verdict: Best No-Root Method

For most people, Private DNS with a public ad-blocking resolver is the best starting point. It takes under a minute to set up, needs no app, costs nothing, and filters every app on the device rather than just one browser. Layer a local-VPN app like RethinkDNS or AdGuard on top only if you need HTTPS-level filtering or a firewall, and add Brave or Firefox with uBlock Origin for the extra blocking a browser alone can do that DNS cannot.

Wins:

  • Device-wide coverage from a single native setting, no app required for the DNS method
  • Free public resolvers and free tiers exist for every option covered here
  • Lower data use and CPU load rather than a battery cost, since blocked ad scripts never load
  • Layering methods (Private DNS plus a browser blocker) closes more gaps than any single method alone

Watch-outs:

  • First-party ads inside apps like YouTube or Instagram will still get through any of these methods
  • Android allows only one Private DNS hostname and one active VPN slot at a time
  • Cloud DNS free tiers meter usage and silently stop filtering once you exceed the monthly quota
  • Local-VPN apps cannot run alongside a separate VPN app on the same device

DNS-level blocking is one piece of a broader privacy setup. Pair it with our real-world private-messaging test if you also want a messaging app that does not leak metadata, and if you plan on sideloading any of the apps mentioned here, see our guide to sideloading privacy tools safely first.

Blocking the ads is only half of keeping a phone safe. If you are also sideloading APKs from outside Google Play, our guide to installing APKs safely on Android covers the hash-verification and scanning steps worth doing before you tap install.