Why Use a Public DNS Resolver?
Your ISP assigns a DNS resolver automatically when you connect, but that default resolver is rarely the best option. ISP resolvers are often slow, poorly maintained, and in many jurisdictions ISPs are legally permitted — or even required — to log DNS queries, block certain domains, or redirect failed lookups to monetized search pages. Switching to a public resolver can improve lookup speed, protect your query privacy, and add security features your ISP does not offer.
The most common reasons to switch are speed, privacy, and filtering. Speed matters because every uncached DNS lookup adds latency before a page can load. Privacy matters because DNS queries reveal every domain you visit to whoever operates your resolver. Filtering matters for households with children or for users who want automatic protection against malware domains without installing additional software.
Cloudflare 1.1.1.1: Fastest Globally
Cloudflare launched 1.1.1.1 in 2018 with a focus on speed and privacy. In global benchmarks from DNSPerf, it consistently ranks as the fastest public resolver worldwide, with average query times around 11 ms for uncached lookups. Cloudflare's anycast network spans over 300 cities, which minimizes the geographic distance between your device and the nearest resolver node.
On privacy, Cloudflare commits to never writing querier IP addresses to disk and purging all logs within 24 hours. This policy has been independently audited by KPMG, making it one of the few DNS providers with third-party verification of its no-log claims. Cloudflare also supports both DNS over HTTPS and DNS over TLS for encrypted transport.
Cloudflare offers two filtering variants: 1.1.1.2 / 1.0.0.2 blocks known malware domains, and 1.1.1.3 / 1.0.0.3 additionally blocks adult content. These filtering addresses use the same infrastructure as 1.1.1.1, so performance is identical. Use the standard 1.1.1.1 / 1.0.0.1 addresses if you want unfiltered resolution.
Google 8.8.8.8: Reliable and Widely Supported
Google Public DNS at 8.8.8.8 and 8.8.4.4 was the first major public resolver, launched in 2009. It benefits from Google's global network infrastructure and is highly reliable, with effectively 100% uptime across its history. Average query latency is slightly higher than Cloudflare — typically 20–30 ms globally — but still far faster than many ISP resolvers.
Google anonymizes query logs by removing the last octet of the client IP address and rotating identifiers, but it does retain some anonymized log data for security and performance analysis. If query privacy is your top priority, Cloudflare or Quad9 have stronger commitments. Google DNS supports both DoH and DoT and handles DNSSEC validation.
Quad9 9.9.9.9: Threat-Blocking Non-Profit
Quad9 is operated by the Quad9 Foundation, a Swiss non-profit organization, and uses threat intelligence from more than 20 cybersecurity partners including IBM X-Force, Proofpoint, and Abuse.ch. When a query matches a known malicious domain, Quad9 returns no answer — blocking the connection before it starts. This protection is free, automatic, and requires no software installation.
Quad9 has a strict no-logging policy and is based in Switzerland, which has strong privacy laws. It does not sell user data or use queries for advertising. The primary address 9.9.9.9 / 149.112.112.112 includes threat blocking. An unfiltered variant is available at 9.9.9.10 / 149.112.112.10 for users who want Quad9's infrastructure without the filtering. Quad9 supports both DoH and DoT.
OpenDNS: Cisco's Customizable Resolver
OpenDNS, now owned by Cisco, was one of the first public DNS services and focuses on content filtering and parental controls. The free tier allows basic category-based filtering. Cisco Umbrella (the paid enterprise product) adds threat intelligence and security policies. OpenDNS Home (208.67.222.222 / 208.67.220.220) is suitable for households that want simple, browser-configurable content filtering.
OpenDNS Family Shield (208.67.222.123 / 208.67.220.123) is a pre-configured variant that automatically blocks adult content without any account setup. One limitation of OpenDNS is that logging is on by default, and the free tier requires creating an account to customize filtering settings. OpenDNS does not support DoH or DoT on its free tier.
NextDNS: Fully Customizable Filtering
NextDNS is a newer entrant that offers the most granular control of any public DNS service. Users can select from dozens of pre-built blocklists covering ads, trackers, malware, adult content, and social media, and create custom allow/deny rules for individual domains. The dashboard provides per-device query analytics, making it easy to see what every device on your network is querying.
The free tier allows 300,000 queries per month — sufficient for a single user but tight for a household. The paid plan at approximately $20 per year removes the cap and adds per-device profiles. NextDNS fully supports DoH and DoT and provides unique resolver hostnames per account so that your filtering configuration is applied even when using encrypted DNS. It is the best choice for technically inclined users who want maximum control.
AdGuard DNS: Ad Blocking at the DNS Layer
AdGuard DNS (94.140.14.14 / 94.140.14.15) focuses specifically on blocking advertising and tracking domains at the DNS level. It maintains its own curated blocklists and integrates with the AdGuard filtering ecosystem. The default servers block ads and trackers; family protection servers also block adult content. A non-filtering variant at 94.140.15.15 / 94.140.15.16 provides AdGuard's infrastructure without any blocking.
AdGuard DNS is free, supports DoH and DoT, and does not require an account for the basic service. AdGuard DNS-over-HTTPS can be configured directly in browsers. For users who want DNS-level ad blocking without the complexity of NextDNS, AdGuard DNS is the simplest option.
How to Benchmark DNS for Your Location
Global averages do not tell the full story. The fastest resolver for a user in Tokyo differs from the fastest for a user in São Paulo or Frankfurt. To find the best resolver for your network, benchmark locally using the dig command or the nslookup utility. Run multiple queries to the same domain against different resolvers and compare response times. Tools like DNS Benchmark (Windows) and dnsperf (Linux) automate this process across dozens of resolvers simultaneously.
A simple test: run dig @1.1.1.1 example.com and compare the query time in the response to dig @8.8.8.8 example.com and dig @9.9.9.9 example.com. Repeat for several domains to average out caching effects.
Public DNS Provider Comparison
| Provider | Primary IP | Secondary IP | Avg Latency | Logging Policy | Threat Blocking | Ad Blocking | DoH / DoT | Cost |
|---|---|---|---|---|---|---|---|---|
| Cloudflare | 1.1.1.1 | 1.0.0.1 | ~11 ms | No logs (KPMG audited) | Optional (1.1.1.2) | No | Yes / Yes | Free |
| 8.8.8.8 | 8.8.4.4 | ~20 ms | Anonymized logs | No | No | Yes / Yes | Free | |
| Quad9 | 9.9.9.9 | 149.112.112.112 | ~19 ms | No logs | Yes (default) | No | Yes / Yes | Free |
| OpenDNS | 208.67.222.222 | 208.67.220.220 | ~25 ms | Logs with account | Optional | No | No (free) | Free / Paid |
| NextDNS | Varies per account | Varies per account | ~15 ms | Optional analytics | Yes (configurable) | Yes (configurable) | Yes / Yes | Free / $20/yr |
| AdGuard DNS | 94.140.14.14 | 94.140.14.15 | ~22 ms | No logs | Yes | Yes (default) | Yes / Yes | Free |
| ISP DNS | Assigned automatically | Assigned automatically | Varies widely | Typically logged | Rarely | No | Rarely | Free |
Frequently Asked Questions
Which public DNS server is fastest?
Cloudflare 1.1.1.1 consistently ranks as the fastest public DNS resolver in global benchmarks, averaging around 11 ms for uncached queries worldwide. However, the fastest resolver for you depends on your geographic location and your ISP's network topology. You should benchmark locally using tools like DNS Benchmark or the command-line dig utility to find the fastest resolver from your specific connection.
Does Quad9 block malicious websites?
Yes. Quad9 (9.9.9.9) uses threat intelligence feeds from over 20 cybersecurity partners to block domains associated with malware, phishing, and botnets at the DNS layer. When your device queries a known malicious domain, Quad9 returns no answer instead of the real IP, preventing the connection. Quad9 is operated by a Swiss non-profit and does not log or sell user query data.
Can DNS servers block ads?
Yes, DNS-level ad blocking works by returning empty or blocked responses for domains that serve advertisements. AdGuard DNS (94.140.14.14) and NextDNS are purpose-built for this. They maintain lists of advertising and tracking domains and refuse to resolve them. Unlike browser extensions, DNS-based ad blocking applies to all apps and devices on your network, including smart TVs and mobile apps that do not support browser extensions.
Is NextDNS worth paying for?
NextDNS is worth considering if you want customizable DNS-level filtering. The free tier allows up to 300,000 queries per month, which is enough for light use. The paid plan (around $20/year) removes the query cap and adds detailed analytics, per-device profiles, and more granular blocklist control. For families or small offices that want network-wide content filtering without a dedicated appliance, NextDNS offers exceptional value.
Does using a public DNS server improve privacy?
Using a public DNS server with a strong no-logging policy — like Cloudflare 1.1.1.1 or Quad9 — prevents your ISP from seeing your DNS queries, which ISPs sometimes use for traffic analysis and ad targeting. However, the DNS resolver you choose can still see all your queries. Cloudflare has had its no-log policy independently audited by KPMG. Combining a privacy-focused resolver with DNS over HTTPS or DNS over TLS provides the strongest DNS privacy posture.
What DNS server should I use for gaming?
For gaming, prioritize the lowest latency resolver from your location rather than one with filtering features, since filtering adds a small lookup overhead. Run a local benchmark first. Cloudflare 1.1.1.1 and Google 8.8.8.8 are the most common choices because of their large anycast networks, which minimize distance to the nearest resolver node. Avoid resolvers with aggressive blocking lists, as they occasionally block game update CDN domains.