Switching your DNS server is one of the fastest, free performance upgrades you can make to your home network. Your default ISP-assigned DNS resolvers are often slow, unencrypted, and log your browsing data. This guide ranks every major free public DNS resolver by speed, privacy, and security — with exact IP addresses, IPv6 support, DoH/DoT endpoints, and step-by-step setup instructions for routers, Windows, macOS, Android, and iOS.
| Provider | Primary IPv4 | Secondary IPv4 | Avg Speed | Best For |
|---|---|---|---|---|
| Cloudflare DNS | 1.1.1.1 | 1.0.0.1 | 11ms | Fastest + Privacy |
| Google Public DNS | 8.8.8.8 | 8.8.4.4 | 20ms | Most Reliable |
| Quad9 | 9.9.9.9 | 149.112.112.112 | 15ms | Best Security |
| OpenDNS | 208.67.222.222 | 208.67.220.220 | 25ms | Best Filtering |
| CleanBrowsing | 185.228.168.9 | 185.228.169.9 | 30ms | Best for Families |
| AdGuard DNS | 94.140.14.14 | 94.140.15.15 | 18ms | Blocks Ads at DNS |
Speed benchmarks based on global averages from DNSPerf. Individual performance varies by location and ISP.
Each resolver below includes exact IPv4/IPv6 addresses, DoH and DoT endpoints for encrypted DNS, speed data, privacy policy summary, and recommended use cases.
Operated by Cloudflare, Inc. (USA)
Cloudflare launched 1.1.1.1 on April 1, 2018 and rapidly became the world's fastest public DNS resolver. Its Anycast network spans 300+ data centers across every continent, routing each query to the nearest edge node. Cloudflare's privacy policy is market-leading: all transaction logs are purged within 24 hours and independently audited annually by KPMG. For families, Cloudflare also offers 1.1.1.2 (blocks malware) and 1.1.1.3 (blocks malware and adult content).
Operated by Google LLC (USA)
Google Public DNS, launched in December 2009, is the most widely used DNS resolver in the world by query volume. It maintains a massive global cache, giving it extremely high cache hit rates for popular domains. Google DNS supports EDNS Client Subnet (ECS), which shares a portion of your IP with content delivery networks (CDNs) to route media streams from Netflix, YouTube, and Spotify to the nearest caching nodes — improving streaming quality. Logs are anonymized within 48 hours.
Operated by Quad9 Foundation (Switzerland)
Quad9 is operated by the Quad9 Foundation, a Swiss non-profit cybersecurity organization. It automatically blocks DNS queries to known malicious domains using threat intelligence aggregated from over 20 cybersecurity partners including IBM X-Force, Proofpoint, and Secureworks. If your device attempts to resolve a phishing site or malware distribution domain, Quad9 blocks the resolution before any connection is made — providing a transparent security layer with no software installation required. Swiss jurisdiction provides GDPR compliance by default.
Operated by Cisco Systems (USA)
OpenDNS, now owned by Cisco, was one of the first public DNS providers and pioneered customizable content filtering. By creating a free OpenDNS account and linking it to your home IP address, you can configure category-based filtering (blocking adult content, gambling, social media, etc.) across your entire network. This makes OpenDNS particularly popular for family home networks and schools. Cisco Umbrella (enterprise version) offers advanced threat intelligence used by Fortune 500 companies.
Operated by CleanBrowsing (USA)
CleanBrowsing specializes in family-safe DNS filtering with three free tiers: Security Filter (blocks malware and phishing), Adult Filter (blocks adult content), and Family Filter (blocks adult content, mixed content, and proxies). Unlike OpenDNS, CleanBrowsing's basic filtering tiers require no account — just point your router to their DNS IPs and content filtering is immediately active. Particularly popular for schools, libraries, and homes with children.
Operated by AdGuard Software Ltd. (Cyprus)
AdGuard DNS is the only major free public DNS resolver that blocks advertising networks and tracking domains at the DNS level — network-wide, without any browser extension required. By resolving ad server and tracker domains to null responses, it removes ads from websites, apps, and Smart TVs across every device on your network. AdGuard DNS does not log any personal data and is GDPR compliant. The free default servers block ads and trackers; a paid plan allows custom allowlists and block lists.
Use these settings with any public DNS provider above. Replace the IPs with your chosen resolver's addresses.
Encrypts DNS queries inside standard HTTPS traffic. ISPs and attackers cannot see which domains you query. Supported by Chrome, Firefox, Edge, and Windows 11 natively.
Wraps DNS queries in TLS encryption on a dedicated port. Easier to block than DoH but provides stronger privacy when allowed. Used by Android Private DNS and router firmware.
Cryptographically signs DNS records so clients can verify the response came from the legitimate authoritative server. Prevents DNS cache poisoning and man-in-the-middle attacks on DNS.
Default ISP-assigned DNS servers are often congested and slow, adding unnecessary latency to every website lookup.
Standard ISP DNS uses unencrypted UDP port 53, exposing browsing queries to third-party monitoring and hijacking.
ISP DNS resolvers do not block queries to known malicious or phishing domains, leaving devices vulnerable.
Many ISPs log DNS queries for advertising profiling and data monetization, compromising user privacy.
Before switching, know which DNS you are currently using. On Windows, open Command Prompt and run ipconfig /all — look for 'DNS Servers' under your active network adapter. On macOS or Linux run: cat /etc/resolv.conf. If you see your router's IP (like 192.168.1.1), you're using your router's default DNS forwarding.
Different DNS resolvers are optimized for different priorities. Cloudflare 1.1.1.1 is the fastest globally. Google 8.8.8.8 has the widest cache. Quad9 9.9.9.9 blocks malware. OpenDNS offers parental controls. AdGuard DNS blocks ads. CleanBrowsing filters adult content. Match the resolver to your needs.
You can change DNS at two levels: individual device (affects only that device) or router (affects your entire network). Router-level configuration is recommended for households with many devices. Log in to your router admin panel (e.g. 192.168.1.1), find the DNS settings under WAN or DHCP, and enter the primary and secondary addresses.
After changing DNS settings, flush your OS DNS cache and verify the change. On Windows: ipconfig /flushdns then nslookup google.com. On macOS: sudo killall -HUP mDNSResponder then dig google.com. The response server should now match your new DNS provider's IP.
Cloudflare DNS (1.1.1.1) is consistently the fastest public DNS resolver globally, with an average query response time of 11–13ms according to DNSPerf benchmarks. Google DNS (8.8.8.8) is a close second at around 20ms. Both are significantly faster than most ISP-provided DNS servers, which average 50–100ms.
Yes, changing your DNS server to a reputable public resolver is completely safe. Companies like Cloudflare, Google, and Quad9 operate DNS infrastructure with enterprise-grade security. In fact, it is often safer than using your ISP's DNS, which may log your queries and lack protection against DNS hijacking.
Changing DNS does not increase your download bandwidth, but it reduces DNS lookup latency — the time your browser takes to resolve a domain before loading it. On sites that pull resources from many domains, this can make browsing noticeably snappier. Cloudflare (1.1.1.1) can reduce lookup times by 50–80% compared to slow ISP DNS.
Cloudflare (1.1.1.1) is the top privacy-focused public resolver. It deletes all transaction logs within 24 hours and supports DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) by default. Quad9 (9.9.9.9) is operated by a Swiss non-profit and never logs personal data. AdGuard DNS and CleanBrowsing also have strict no-logs policies.
The primary DNS server is queried first for every lookup. The secondary DNS is only queried if the primary fails to respond within the timeout period. Having both configured provides automatic failover, ensuring DNS resolution continues even if one server experiences an outage. Always configure both.
Yes. You can configure DNS per-device in network adapter settings (Windows, macOS, Linux, Android, iOS) or configure DNS at the router level to apply to all devices on your home network. Router-level DNS settings override per-device settings unless the device has its own DNS configured.
DNS-over-HTTPS (DoH) encrypts your DNS queries by wrapping them inside standard HTTPS traffic on port 443. This prevents ISPs, network admins, and attackers from seeing which websites you are looking up. Most modern browsers (Chrome, Firefox, Edge) support DoH. All major public DNS providers support DoH endpoints.
Changing DNS at the router level is more efficient — it applies to every device on your home network without individual configuration. This is the recommended approach for families. However, if your ISP's router restricts DNS changes, configure DNS on each device individually. Mobile devices benefit from per-device DNS when on cellular networks.