
What Is Zero-Log DNS and Why Does It Actually Matter?

Every website you visit starts with a DNS query. 'Zero-log' means that query is never written down. Here's why that's quietly one of the most important privacy choices you'll make.

Hakan Kaynak
Founder, Guardino Technologies
19 April 2026, 8 min read

TL;DR: Zero-log DNS means the server that resolves your domain names never writes those queries to disk. It answers your question in memory, forgets it, and moves on. The alternative, a standard logging ISP resolver, quietly records a diary of everywhere you and your family have been online, kept for as long as the operator's retention policy says.

The diary you didn't know you were writing

Imagine if every time you opened a door in your house, someone wrote it down. Bedroom at 7:04. Bathroom at 7:11. Kitchen at 7:22. Front door at 7:58 with a bag.

Now imagine that diary is sitting on a server in a data center owned by a company that sells advertising — and that it's been running for the entire time you've owned the house.

That's what standard DNS is. Every google.com, every pornhub.com, every alcoholics-anonymous.org, every whattoexpect.com your family's phones and laptops ever looked up is written down somewhere. Usually by your ISP. Sometimes by "free" DNS providers who monetize the stream.

Zero-log DNS is the opposite promise. The resolver sees the question, answers it, and immediately forgets it. There is no diary. There is nothing to subpoena, sell, leak, or re-identify.

This post explains what a DNS log actually contains, why it's more revealing than people realize, and how a zero-log architecture works in practice.

What is zero-log DNS?

Zero-log DNS is a DNS resolver architecture in which queries are processed entirely in volatile memory and never written to persistent storage. No query log, no client IP log, no access log tied to individual lookups. When the CPU is done answering your question, the memory holding it is reused for someone else's question — and your question is gone forever.

Contrast that with a "privacy-friendly" DNS service that aggregates or anonymizes logs. Those services still write the data to disk first and then try to scrub it afterward. Scrubbing is fallible. Aggregation can be reversed with cross-referencing. A breach of the raw logs exposes everyone who used the service before the scrub ran.

Zero-log is stronger because the weakest link — the disk — is never involved.

What a DNS log actually contains

A standard DNS log entry looks roughly like this:

2026-04-19T14:22:17Z  203.0.113.42  A  pornhub.com   NOERROR
2026-04-19T14:22:19Z  203.0.113.42  A  instagram.com NOERROR
2026-04-19T14:23:01Z  203.0.113.42  A  bankofamerica.com NOERROR

Five fields: timestamp, your client IP address, the record type, the queried domain, and the response code.

String enough of these together and you have:

  • Every news site someone in the house reads
  • Every brand they shop
  • Every medical symptom they Googled
  • Every dating app, porn site, or religious organization they visit
  • The exact time each family member wakes up, leaves for school, and comes home (because phones start resolving)

This is not theoretical. This is what's in your ISP's logs right now, for the past 6 to 24 months depending on your country's retention law. And it's what's in the logs of "free" DNS services that haven't published a clear no-retention policy.

DNS logs are, pound for pound, one of the most revealing surveillance datasets that exist. More revealing than location history, in many ways — because location tells you where, but DNS tells you what you were thinking about when you got there.
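To make that concrete, here is an added example (not code from this post or from Guardino) that parses log lines in the five-field layout shown above and groups them by client IP. It shows how little work it takes to turn raw entries into a household profile: activity window, category mix, and the specific sensitive names. Every log line and domain is constructed for illustration (reserved ".example" names), and CATEGORIES is a hypothetical lookup table standing in for the far larger classifiers that real profilers use.

```python
"""Reconstruct a household profile from DNS log lines.

Added example, not code from the original post or from Guardino. Parses the
five-field layout (timestamp, client IP, record type, qname, rcode), groups
by client IP and derives what a plain query log reveals. SAMPLE_LOG and
CATEGORIES are constructed for illustration; the domains are not real.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample: two client IPs over one morning, plus one garbage line.
SAMPLE_LOG = """\
2026-04-19T06:58:02Z  203.0.113.42  A     push.phone-vendor.example   NOERROR
2026-04-19T06:58:05Z  203.0.113.42  AAAA  news.example                NOERROR
2026-04-19T07:41:10Z  203.0.113.42  A     symptom-checker.example     NOERROR
2026-04-19T07:41:12Z  203.0.113.42  A     recovery-helpline.example   NOERROR
2026-04-19T08:02:44Z  203.0.113.42  A     bank.example                NOERROR
2026-04-19T07:30:00Z  203.0.113.77  A     news.example                NOERROR
2026-04-19T07:30:09Z  203.0.113.77  A     doesnotexist.example        NXDOMAIN
this line is garbage and must be skipped
"""

# Hypothetical suffix -> category table. A real profiler has millions of
# entries; the mechanics are identical.
CATEGORIES = {
    "symptom-checker.example": "health",
    "recovery-helpline.example": "health",
    "bank.example": "finance",
    "news.example": "news",
}
SENSITIVE = {"health"}


def parse_log(text):
    """Parse five-field log lines. Malformed lines are skipped, never guessed."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qtype, qname, rcode = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        records.append({"when": when, "client": client, "qtype": qtype,
                        "qname": qname.rstrip(".").lower(), "rcode": rcode})
    return records


def categorize(qname):
    """Longest-suffix match against CATEGORIES so www.bank.example is 'finance'."""
    labels = qname.split(".")
    for i in range(len(labels)):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return "other"


def profile(records):
    """Per client IP: activity window, category counts and sensitive names."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    out = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["when"])
        out[client] = {
            "first_seen": recs[0]["when"],   # first resolution of the day ~ device woke up
            "last_seen": recs[-1]["when"],
            "queries": len(recs),
            "categories": Counter(categorize(r["qname"]) for r in recs),
            "sensitive": sorted({r["qname"] for r in recs
                                 if categorize(r["qname"]) in SENSITIVE}),
        }
    return out


if __name__ == "__main__":
    for client, p in profile(parse_log(SAMPLE_LOG)).items():
        print(client, p["first_seen"].strftime("%H:%M"), dict(p["categories"]), p["sensitive"])
```

Note that nothing here needs the response code or the record type; the timestamp and the name alone are enough to recover a wake-up time and a health-related visit. Truncating the client IP in an "anonymized" log does not change this picture much when the remaining fields still cluster per household.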

How zero-log actually works (briefly)

A zero-log resolver is engineered so that:

  1. Queries arrive over DoH/DoT (encrypted transport) and are decrypted into RAM.
  2. The blocklist lookup and cache check happen in RAM.
  3. The upstream query (if needed) and response happen in RAM.
  4. The answer is sent back.
  5. The buffer is returned to the pool and overwritten by the next query; nothing is retained.
  6. No write to disk, S3, Kinesis, Kafka, Splunk, Datadog, or anywhere else. Swap files and core dumps count as disk too, so a zero-log host runs without swap (or with swap encrypted under an ephemeral key) and with core dumps disabled.

Metrics can still be collected — but only as aggregate counters (total queries per second, cache hit rate, error rate). No per-query data ever leaves the process.
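The pipeline above, as an added example that is not Guardino's code and not a real DNS server: it models the steps (decoded query in, blocklist check, cache check, upstream fetch, answer out, nothing retained) with plain Python objects and a fake upstream table, leaving the encrypted transport out of scope. BLOCKLIST and FAKE_UPSTREAM are constructed for illustration. What it makes concrete is the design constraint: the only state that outlives a query is a name-keyed answer cache and aggregate counters, and a small audit check confirms that no client address survives a request.

```python
"""Minimal model of a zero-log resolver pipeline.

Added example, not Guardino's code and not a network server. The upstream
is a callable qname -> (answer, ttl) or None; BLOCKLIST and FAKE_UPSTREAM
are constructed for illustration. The class holds a client-agnostic answer
cache and aggregate counters, and nothing else, between requests.
"""
import time
from collections import Counter

BLOCKLIST = {"tracker.example", "adult.example"}                   # constructed
FAKE_UPSTREAM = {"news.example": ("192.0.2.10", 300),              # name -> (A record, TTL seconds)
                 "bank.example": ("192.0.2.20", 60)}


class ZeroLogResolver:
    def __init__(self, upstream, blocklist, clock=time.monotonic):
        self._upstream = upstream      # callable: qname -> (answer, ttl) or None
        self._blocklist = blocklist
        self._clock = clock            # injectable so cache expiry can be tested offline
        self._cache = {}               # qname -> (answer, expires_at); shared, never keyed by client
        self.counters = Counter()      # aggregate outcomes: blocked / cache_hit / cache_miss / nxdomain
        self.rate = Counter()          # per-domain hits in the current window, for abuse detection
        # Deliberately absent: any list, deque, file or socket receiving (client, qname, time).

    def _blocked(self, qname):
        """Suffix match, so www.adult.example is caught by the adult.example entry."""
        labels = qname.split(".")
        return any(".".join(labels[i:]) in self._blocklist for i in range(len(labels)))

    def resolve(self, client_ip, qname):
        """Answer one query. client_ip is needed to address the reply and for nothing else."""
        qname = qname.rstrip(".").lower()
        now = self._clock()
        self.rate[qname] += 1
        if self._blocked(qname):
            self.counters["blocked"] += 1
            return {"rcode": "NXDOMAIN", "answer": None}   # policy choice; answering 0.0.0.0 is the other common one
        hit = self._cache.get(qname)
        if hit is not None and hit[1] > now:
            self.counters["cache_hit"] += 1
            return {"rcode": "NOERROR", "answer": hit[0]}
        self.counters["cache_miss"] += 1
        result = self._upstream(qname)
        if result is None:
            self.counters["nxdomain"] += 1
            return {"rcode": "NXDOMAIN", "answer": None}
        answer, ttl = result
        self._cache[qname] = (answer, now + ttl)
        return {"rcode": "NOERROR", "answer": answer}
        # client_ip and the raw qname go out of scope here; nothing stored them.

    def metrics(self):
        """What an exporter may ship: outcome counters and per-domain rates, no client field."""
        return {"counters": dict(self.counters), "top_domains": self.rate.most_common(3)}

    def flush_rate_window(self):
        """Close the abuse-detection window: report and reset, so even domain rates are short-lived."""
        top = self.rate.most_common(3)
        self.rate.clear()
        return top

    def retained_state(self):
        """Audit helper: a dump of everything the resolver holds between requests."""
        return repr(vars(self))


if __name__ == "__main__":
    r = ZeroLogResolver(FAKE_UPSTREAM.get, BLOCKLIST)
    for client, name in [("203.0.113.42", "tracker.example"), ("203.0.113.42", "news.example"),
                         ("203.0.113.77", "news.example")]:
        print(client, name, r.resolve(client, name))
    print(r.metrics())
    assert "203.0.113" not in r.retained_state()   # no client address survived the requests
```

Two caveats a practitioner would raise. The answer cache necessarily holds query names (with no client attached), which is inherent in any caching resolver and is not a log. And retained_state() is a behavioural test of this process only: a TLS terminator, load balancer or kernel in front of it can keep its own access log, so "zero-log" has to hold across the whole request path, not just the resolver code.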

That's the engineering. The harder part is cultural: you have to resist every product manager who wants "just a tiny sample log for debugging." Once you start logging, you are no longer zero-log.

Why it matters for families

Most parents think of DNS as a technical detail. It is — right up until the moment it's not.

Your teenager researched something they're scared to ask you about. Maybe it's sexual health. Maybe it's an eating disorder helpline. Maybe it's a support group for kids of immigrants. That search — the specific domain they visited — is in a log somewhere, tied to your home IP. How long does it stay? Who has access?

Your spouse is going through something private. Grief, addiction recovery, a medical diagnosis, job hunting in secret. Every one of those is a trail of DNS queries. If those logs are kept, they're part of your household's permanent record.

You're using parental controls to protect your kids. It would be deeply ironic if the tool that blocks adult content also kept a forever-log of every site your kids tried to visit. That log becomes a liability the moment it exists — a breach, a subpoena, or a curious employee is all it takes.

Zero-log solves all three problems the same way: by not having the data in the first place.

Common misconceptions

Myth 1: "If you have nothing to hide, logs don't matter." Privacy is not about hiding — it's about proportionality. Your family does not owe a tech company a minute-by-minute record of their inner life in exchange for DNS service.

Myth 2: "Logs are needed for security." They help detect attacks, yes. But aggregate counters (how many queries per second to a suspicious domain) are enough to see that a DDoS or a resolution storm is happening, and per-source rate limiting can run on in-memory counters that expire within seconds. Neither requires a durable per-user log.

Myth 3: "Zero-log is just a marketing term." It can be — which is why the gold standard is a SOC 2 Type II audit that examines actual data retention practices, plus a jurisdiction (Wyoming, Switzerland, Iceland) with strong data protection law.

Myth 4: "My ISP doesn't keep logs." Ask, and read the privacy policy. Retention rules differ by country: the UK's Investigatory Powers Act lets the government require ISPs to retain connection records for up to 12 months, Turkey mandates retention, and many EU member states kept national retention laws even after the EU-wide directive was struck down in 2014. The US has no general retention mandate, but US ISPs routinely keep and use this data for their own business purposes anyway. Either way, "not keeping logs" is rarely on the menu.

Myth 5: "Filtering requires logging." No. A blocklist decision is made in microseconds from RAM. Logging the decision afterward is a separate choice — one zero-log providers explicitly refuse to make.

How Guardino does it

Guardino AI is built on a zero-log DNS architecture from the kernel up. Our resolvers run in 32 regions on an anycast network that answers in under 15 milliseconds. Queries arrive encrypted via DoH (dns.guardino.ai/dns-query/{token}), the blocklist lookup happens in RAM, and the response goes out the door — no write to disk, no sampling, no "diagnostic sample" log. Each family gets a per-user token so filtering rules follow the device onto cellular data, and QR-code setup covers iPhone, Android, Windows, macOS, and routers in about sixty seconds. Guardino is registered in Wyoming, USA — a jurisdiction chosen specifically for its privacy law — and is GDPR and COPPA compliant, with SOC 2 Type II in progress. Free tier covers 300,000 queries per month. Pro is $6.99/month with a 7-day trial.

Frequently asked questions

What is a DNS log? A DNS log records every domain name your devices asked about, along with a timestamp, your IP address and, on services that hand out per-device tokens, a device identifier. Over time it reveals where you live, what you buy, what you read, what you believe.

Does my ISP log my DNS queries? Almost certainly yes. In many countries ISPs are required to retain connection metadata for months, and resolver logs are routinely kept for operational reasons even where no law demands it.

Can a DNS filter block content without logging? Yes. Filtering is a microsecond decision made in memory and does not require storing anything afterward.

How is zero-log different from anonymized logs? Anonymized logs still exist on disk — they just have your IP truncated. Zero-log means the record is never persisted in the first place.

How can I verify a provider is really zero-log? Public privacy policy, independent audits (SOC 2 Type II, ISO 27701), a privacy-friendly jurisdiction, and transparency reports.


Ready for a DNS that forgets?

The best diary is the one that was never written. Start Guardino free — scan one QR code, pick your protections, and let your family's queries be answered and forgotten, one after another, forever.

Start Free — Zero Logs, Ever →

#privacy #dns #zero-log #security
