Public DNS Comparison: Google, Cloudflare, Quad9
Compare the major public DNS resolvers on speed, privacy, security features, and DNSSEC validation.
Why Use a Public DNS Resolver?
Your ISP provides a DNS resolver by default, but public DNS resolvers often offer better performance, privacy, and security features. Switching to a public resolver is one of the simplest network improvements you can make.
The Major Public DNS Resolvers
| Provider | Primary | Secondary | DoH | DoT | DNSSEC | Filtering |
|---|---|---|---|---|---|---|
| Cloudflare | 1.1.1.1 | 1.0.0.1 | Yes | Yes | Yes | Optional (1.1.1.2, 1.1.1.3) |
| Google | 8.8.8.8 | 8.8.4.4 | Yes | Yes | Yes | No |
| Quad9 | 9.9.9.9 | 149.112.112.112 | Yes | Yes | Yes | Malware blocking (default) |
| OpenDNS | 208.67.222.222 | 208.67.220.220 | Yes | No | Yes | Customizable categories |
| AdGuard | 94.140.14.14 | 94.140.15.15 | Yes | Yes | Yes | Ads + trackers blocked |
| NextDNS | Custom | Custom | Yes | Yes | Yes | Highly customizable |
Speed Comparison
DNS resolver speed depends on your geographic location, but independent benchmarks consistently show:
- Cloudflare 1.1.1.1 -- Fastest globally, with the most extensive anycast network.
- Google 8.8.8.8 -- Fast and reliable, strong caching infrastructure.
- Quad9 9.9.9.9 -- Slightly slower due to threat intelligence processing.
```bash
# Benchmark DNS resolvers from your location
# Using dig (measure query time)
dig @1.1.1.1 example.com | grep "Query time"
dig @8.8.8.8 example.com | grep "Query time"
dig @9.9.9.9 example.com | grep "Query time"

# Using DNS benchmark tools
# dnsperf, namebench, or GRC DNS Benchmark
```
Privacy Policies
| Provider | Logs IP | Data Retention | Third-Party Sharing |
|---|---|---|---|
| Cloudflare | No (purged in 24h) | Anonymized logs only | Independent audit (KPMG) |
| Google | Yes (temporary) | 24-48 hours for full logs | Used for service improvement |
| Quad9 | No | No PII stored | Swiss jurisdiction, audited |
| OpenDNS | Yes | Used for product features | Owned by Cisco |
Security Features
DNSSEC Validation
All major public resolvers validate DNSSEC signatures, protecting against DNS cache poisoning. If a domain's DNSSEC signatures are invalid, the resolver returns an error rather than a potentially poisoned result.
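One way to observe this behaviour with `dig`, as an added example that is not part of the original article: it reads `dig +dnssec` output and separates a DNSSEC rejection from other failures. The helper names `dnssec_verdict`, `diagnose` and `check_resolver` are hypothetical, and the sample header lines are constructed rather than captured from a real resolver.

```shell
#!/usr/bin/env bash
# Classify how a resolver handled DNSSEC, from `dig +dnssec` output on stdin:
#   validated    NOERROR with the AD (Authenticated Data) flag set
#   rejected     SERVFAIL, the error a validating resolver returns for bad signatures
#   unvalidated  NOERROR without AD (unsigned zone, or validation not performed)
dnssec_verdict() {
  awk '
    /->>HEADER<<-/ {
      for (i = 1; i < NF; i++)
        if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
    }
    /^;; flags:/ {
      sub(/^;; flags:/, ""); sub(/;.*/, "")   # keep only the flag words
      n = split($0, f, " ")
      for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
    }
    END {
      if (status == "")              print "no-response"
      else if (status == "SERVFAIL") print "rejected"
      else if (status == "NOERROR")  print (ad ? "validated" : "unvalidated")
      else                           print "other:" status
    }'
}

# SERVFAIL has other causes too. If the same query succeeds with validation
# switched off (dig +cd, "checking disabled"), the failure was DNSSEC.
diagnose() {  # $1 = verdict of the normal query, $2 = verdict of the +cd query
  case "$1/$2" in
    rejected/unvalidated) echo "dnssec-failure" ;;
    rejected/*)           echo "servfail-other-cause" ;;
    *)                    echo "$1" ;;
  esac
}

# Live check; needs network access and dig. Defined here but not called.
check_resolver() {  # usage: check_resolver 9.9.9.9 <name-to-test>
  diagnose "$(dig +dnssec +time=3 +tries=1 "@$1" "$2" A | dnssec_verdict)" \
           "$(dig +dnssec +cd +time=3 +tries=1 "@$1" "$2" A | dnssec_verdict)"
}

# Constructed dig header lines (assumed samples, not real resolver output).
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
# Demo on the constructed samples (no network needed).
diagnose "$(printf '%s\n' "$SAMPLE_BOGUS" | dnssec_verdict)" \
         "$(printf '%s\n' "$SAMPLE_BOGUS_CD" | dnssec_verdict)"
```

The AD flag is only as trustworthy as the path to the resolver: over plain UDP it can be altered in transit, so pair this check with DoT or DoH where the answer matters.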
Threat Blocking
- Quad9 blocks known malicious domains by default using threat intelligence from 40+ security vendors.
- Cloudflare 1.1.1.2 (Malware) and 1.1.1.3 (Malware + Adult Content) offer optional filtering.
- NextDNS provides the most granular control with custom blocklists.
How to Switch DNS
```bash
# Linux (systemd-resolved)
sudo nano /etc/systemd/resolved.conf
# Under the [Resolve] section, add: DNS=1.1.1.1 1.0.0.1
sudo systemctl restart systemd-resolved

# macOS
# System Settings -> Network -> Wi-Fi -> Details -> DNS
# Add 1.1.1.1 and 1.0.0.1

# Windows
# Settings -> Network -> Change adapter options
# -> IPv4 Properties -> Use the following DNS servers
# 1.1.1.1 and 1.0.0.1
```
Choosing the Right Resolver
- Maximum speed -- Cloudflare 1.1.1.1.
- Security focus -- Quad9 9.9.9.9 (blocks malware by default).
- Customizable filtering -- NextDNS (per-device profiles, analytics).
- Privacy with audits -- Cloudflare (KPMG-audited) or Quad9 (Swiss non-profit).