iPGaze

Choosing a Public DNS Resolver: 1.1.1.1 vs 8.8.8.8 vs Quad9

Compare Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9, OpenDNS and AdGuard on privacy, security filtering, speed and encryption, then learn how to switch and test.

Every time you open a website, send an email, or load an app, your device first asks a DNS resolver to translate a name like example.com into the numeric IP address machines actually route to. By default that resolver belongs to your internet provider. It works, but it is rarely the fastest option, it usually logs your browsing, and it offers little security filtering. A public DNS resolver is a free, internet-wide alternative you can switch to in a couple of minutes, and the right one can make your connection feel snappier while quietly blocking malware and ads.

This guide compares the five most popular public resolvers, Cloudflare's 1.1.1.1, Google's 8.8.8.8, Quad9, OpenDNS and AdGuard DNS, on privacy policy, security filtering, speed, and features like encrypted DNS and family-safe variants, then covers how to change your DNS on Windows, macOS, and your router and confirm it took effect.

What a Public Resolver Is and Why Use One

A public DNS resolver is a recursive resolver operated by a third party and made freely available to anyone on the internet. Instead of your ISP's resolver answering your lookups, you point your device or router at a well-known set of IP addresses and that provider answers instead. The address never changes, the service is global, and it is almost always free for personal use.

People switch for four main reasons. Speed: large providers run servers in hundreds of cities and use anycast routing, so your query reaches a nearby cache faster than a congested ISP resolver might manage. Privacy: the major public resolvers publish clear policies promising not to sell your browsing data or build advertising profiles, both of which many ISPs do. Filtering: some resolvers refuse to answer for domains known to host malware, phishing, or adult content, a security layer with no software to install. Reliability: a global provider with redundant infrastructure tends to stay up when a single ISP resolver has a bad day.

You can confirm which IP your traffic appears to come from with the What Is My IP tool, and inspect what answers a name resolves to with the DNS Lookup tool before and after you switch.

Cloudflare 1.1.1.1: Privacy and Speed

Cloudflare's resolver, reachable at 1.1.1.1 and 1.0.0.1 (IPv6: 2606:4700:4700::1111 and 2606:4700:4700::1001), is built around speed and a privacy-first stance. Cloudflare has stated it does not write the querying IP address to disk and purges logs within 24 hours, backed by independent audits, and it consistently ranks at or near the top of global latency benchmarks.

By default 1.1.1.1 does no content filtering; it simply resolves names quickly. If you want filtering, Cloudflare offers two alternate sets: 1.1.1.2 / 1.0.0.2 blocks malware, and 1.1.1.3 / 1.0.0.3 blocks malware plus adult content. It supports DNS over HTTPS (DoH) and DNS over TLS (DoT), and validates DNSSEC. It is an excellent default for anyone who wants fast, unfiltered, privacy-respecting resolution.

Google 8.8.8.8 and Quad9 9.9.9.9

Google Public DNS, at 8.8.8.8 and 8.8.4.4 (IPv6: 2001:4860:4860::8888 and 2001:4860:4860::8844), is the most widely used public resolver and a reliability baseline for network engineers. It is fast almost everywhere, fully supports DoH, DoT, and DNSSEC validation, and keeps only temporary logs for abuse prevention while permanent logs are anonymized. Its privacy policy is solid, though as a Google service some users prefer not to route all their lookups through it. It does no content filtering by design.

Quad9, at 9.9.9.9 and 149.112.112.112 (IPv6: 2620:fe::fe and 2620:fe::9), is run by a Swiss non-profit and leads on security. Its signature feature is built-in threat blocking: it cross-references queries against multiple threat-intelligence feeds and refuses to resolve domains tied to malware, phishing, and botnet command-and-control. It does not store the source IP of queries, supports DoH and DoT, and validates DNSSEC. If you want a single setting that protects every device from known-bad domains, Quad9 is the strongest pick, with a 9.9.9.10 endpoint available without blocking.

OpenDNS and AdGuard DNS

OpenDNS, now part of Cisco, lives at 208.67.222.222 and 208.67.220.220. Its strength is configurable filtering and parental controls. With a free account you can choose category-based filtering, force SafeSearch, and view query statistics, which makes it popular with families and small offices that want a dashboard rather than a fixed policy. It also offers FamilyShield endpoints (208.67.222.123 / 208.67.220.123) that block adult content with no setup. OpenDNS supports DNSSEC and DoH.

AdGuard DNS blocks ads and trackers at the DNS layer, filtering before requests leave your network and helping on devices where you cannot install an ad blocker. Its default servers are 94.140.14.14 and 94.140.15.15, with a family-protection set (94.140.14.15 / 94.140.15.16) that also blocks adult content, plus a non-filtering set. It has strong DoH and DoT support and a clear no-logging policy. The trade-off with any ad-blocking resolver is occasional over-blocking, where a legitimate site breaks because a needed domain sits on a filter list.

How to Pick the Right One

Start from what you want the resolver to do. For raw speed and clean, unfiltered resolution, choose Cloudflare 1.1.1.1 or Google 8.8.8.8. For a security net that blocks malicious domains on every device with zero configuration, choose Quad9. For a home network with kids that needs category filtering and a usage dashboard, OpenDNS is purpose-built. For fewer ads and trackers across phones, TVs, and consoles, AdGuard DNS is the natural fit.

Two practical notes. First, use a single provider's two addresses rather than mixing providers across the primary and secondary slots, since your device may fall back to the secondary at any time and you want consistent filtering. Second, none of these resolvers can protect traffic that bypasses them, so if a device uses its own hardcoded DNS or a VPN, the filter is skipped. For network-wide policy, configure DNS at the router and, where possible, block outbound DNS to other servers.

DoH, DoT, and DNSSEC Encryption

Plain DNS travels in cleartext over UDP port 53, so anyone between you and the resolver, including your ISP or someone on public Wi-Fi, can see and even tamper with your lookups. Encrypted DNS fixes the eavesdropping problem. DNS over HTTPS (DoH) wraps queries inside ordinary HTTPS on port 443 so they blend in with web traffic, while DNS over TLS (DoT) uses a dedicated encrypted channel on port 853. All five resolvers above support both, and modern browsers and operating systems can enable DoH directly, so you get encryption even without changing the system resolver.

Encryption and authentication are separate concerns, though. DNSSEC does not hide your queries. Instead, it cryptographically signs DNS records so a validating resolver can detect a forged or tampered answer. The major public resolvers validate DNSSEC for you, protecting you from cache-poisoning attacks on signed zones. If you manage your own domain, confirm its signatures and chain of trust are valid with the DNSSEC Check tool. For everyday browsing, the ideal combination is an encrypted transport (DoH or DoT) carrying DNSSEC-validated answers.

Changing DNS on Windows, macOS, and Your Router

On Windows 11, open Settings, go to Network and internet, select your active connection, click Edit next to DNS server assignment, switch it to Manual, enable IPv4, and enter your preferred and alternate addresses (for example 1.1.1.1 and 1.0.0.1). Newer builds let you set DNS over HTTPS in the same dialog by choosing Encrypted (DoH) per server. Repeat for IPv6 if you use it.

On macOS, open System Settings, go to Network, select your connection, click Details, choose DNS, and use the plus button to add resolver addresses, removing the ISP-supplied ones so yours take priority, then click OK and Apply. For network-wide coverage, the best place to change DNS is your router: log into its admin page, find the DHCP or WAN DNS settings, and enter your chosen addresses there so every device inherits the new resolver automatically.

After any change, devices and the OS cache DNS answers, so flush the local cache or reconnect to the network to be sure you are using the new resolver rather than stale entries from before the switch.

How to Test and Measure Your Resolver

Once you have switched, verify it worked. The simplest confirmation is to run a lookup and check the answer comes back correctly. The DNS Lookup tool lets you query A, AAAA, MX, TXT, and other record types and inspect the TTL on each answer. If you changed records on a domain you control, the DNS Propagation tool queries many public resolvers worldwide at once so you can see which providers, including the ones in this guide, have picked up the new value.

To judge speed, compare resolvers rather than trusting a single test. Time how long lookups take from each candidate, ideally for names you have not queried recently so you measure real recursive resolution rather than a warm cache, and test from your actual location, since anycast performance is highly geographic: the fastest resolver in one country may not be fastest in another. Finally, confirm any filtering you expect is active with a known test domain, and check your public IP and network with the What Is My IP tool if you route through a VPN, since the VPN's own resolver can quietly override the one you configured.
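The comparison described above, and the DNSSEC-validation signal from the encryption section, can be scripted with nothing but the Python standard library. This is an added example, not a tool from this guide: the function names are hypothetical, it sends plain UDP queries to the primary addresses listed earlier, and it reads the reply's RCODE and AD ("authenticated data") flag.

```python
import random, socket, struct, time

# Primary addresses as listed in this guide; all names below are illustrative.
RESOLVERS = {"Cloudflare": "1.1.1.1", "Google": "8.8.8.8", "Quad9": "9.9.9.9",
             "OpenDNS": "208.67.222.222", "AdGuard": "94.140.14.14"}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
SAMPLE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)  # constructed: QR|RD|RA|AD

def build_query(name, txid, qtype=1):
    """Wire-format query; RD asks for recursion, AD asks the resolver to report validation."""
    header = struct.pack("!HHHHHH", txid, 0x0120, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg, txid):
    """Return rcode, AD (DNSSEC-validated) flag and answer count from a reply."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a reply to this query")
    return {"rcode": RCODES.get(flags & 0xF, "OTHER"), "ad": bool(flags & 0x20), "answers": answers}

def timed_lookup(server, name, timeout=2.0):
    """One UDP lookup: (milliseconds, parsed header), or (None, error text) on failure."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((server, 53))  # connected socket ignores replies from other hosts
        start = time.perf_counter()
        try:
            sock.send(build_query(name, txid))
            info = parse_header(sock.recv(4096), txid)
        except (OSError, ValueError) as exc:
            return None, str(exc)
        return (time.perf_counter() - start) * 1000, info

def compare(name, rounds=3):
    """Per resolver: (first lookup ms, best ms, header of the first reply)."""
    table = {}
    for label, ip in RESOLVERS.items():
        runs = [timed_lookup(ip, name) for _ in range(rounds)]
        times = [ms for ms, _ in runs if ms is not None]
        table[label] = (runs[0][0], min(times, default=None), runs[0][1])
    return table

if __name__ == "__main__":
    print("offline sample:", parse_header(SAMPLE_REPLY, 0x1234))
    for label, row in compare("example.com").items():
        print(label, row)
```

The first timing is the closest to a cold lookup if the name has not been queried recently; the best timing mostly reflects network distance to a warm cache. Run it from the network you actually use, and pass a DNSSEC-signed name if you want the `ad` field to be meaningful.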
