The Best Public DNS Servers You Should Be Using
Your DNS resolver is the first step in every internet connection. It translates domain names into IP addresses, and the resolver you use affects page load speed, privacy, security, and even whether certain domains resolve at all. Most users default to the DNS servers assigned by their ISP, which are often slow, unencrypted, and subject to logging. Switching to a reputable public DNS resolver is one of the simplest upgrades you can make to your network.
This guide compares the four most widely used public DNS services and breaks down where each one excels.
Why Your DNS Server Matters
Every time your browser, mail client, or application connects to a domain, it issues a DNS query. If that query is slow, every connection feels sluggish. If the resolver is unreliable, lookups fail and connections time out. If the resolver logs your queries without safeguards, your browsing history is exposed to a third party.
For email administrators specifically, DNS is the backbone of every authentication check. SPF records, DKIM public keys, DMARC policies, and MX records all live in DNS. A fast, reliable resolver ensures that your diagnostics and monitoring tools return accurate, timely results. Test your DNS resolution with the InboxTooling DNS lookup tool.
The Top Public DNS Servers
Google Public DNS (8.8.8.8 / 8.8.4.4)
Google launched its public DNS service in 2009, and it remains the most widely used resolver globally.
Speed. Google operates one of the largest anycast networks in the world. DNS queries are routed to the nearest point of presence, resulting in consistently low latency from most locations. Google's infrastructure is built for scale, so performance remains stable even under heavy load.
Privacy. Google logs full IP addresses for 24-48 hours for diagnostic purposes, then replaces them with anonymized city/region-level location data. Permanent logs retain no personally identifiable information. Google does not correlate DNS queries with other Google services, per their published privacy policy.
DNSSEC. Fully supported. Google validates DNSSEC-signed domains and returns SERVFAIL for domains with invalid signatures, protecting against DNS cache poisoning.
DNS over HTTPS/TLS. Supported on dns.google (DoH) and port 853 (DoT).
Best for: General-purpose use, reliability at scale, organizations already in the Google ecosystem.
Cloudflare DNS (1.1.1.1 / 1.0.0.1)
Cloudflare launched its public resolver in 2018 with a focus on speed and privacy.
Speed. Cloudflare consistently ranks as one of the fastest public DNS resolvers in independent benchmarks. Their extensive CDN edge network means most queries are answered from a server geographically close to the user.
Privacy. Cloudflare commits to never selling user data and never logging the querying IP address to disk. Logs are purged within 24 hours. Cloudflare has engaged independent auditors (KPMG) to verify these commitments annually.
DNSSEC. Fully supported with automatic validation.
DNS over HTTPS/TLS. Fully supported. Cloudflare was an early proponent of encrypted DNS and provides configuration guides for all major platforms.
Filtering variants:
- 1.1.1.2 / 1.0.0.2 -- Blocks malware domains.
- 1.1.1.3 / 1.0.0.3 -- Blocks malware and adult content.
Best for: Users who prioritize speed and privacy, families (with filtering), and privacy-conscious organizations.
OpenDNS (208.67.222.222 / 208.67.220.220)
Now owned by Cisco, OpenDNS has been operating since 2006 and is one of the longest-running public DNS services.
Speed. Performance is solid, though typically slightly behind Google and Cloudflare in global benchmarks. OpenDNS uses a large anycast network operated by Cisco's Umbrella infrastructure.
Privacy. OpenDNS logs query data to power its security analytics platform. Users with free accounts can review their own query logs. For privacy-focused users, this is a trade-off worth considering.
DNSSEC. Supported.
DNS over HTTPS/TLS. Supported through the Cisco Umbrella platform.
Content filtering. OpenDNS has the most mature content filtering system of the four providers. The free OpenDNS Home tier provides customizable category-based filtering. The FamilyShield preset (208.67.222.123 / 208.67.220.123) blocks adult content without requiring an account.
Best for: Networks that need customizable content filtering, schools, libraries, and small businesses that want DNS-level security without deploying dedicated appliances.
Quad9 (9.9.9.9 / 149.112.112.112)
Quad9 is a nonprofit resolver launched in 2017 in partnership with IBM, Packet Clearing House, and the Global Cyber Alliance.
Speed. Quad9 operates over 200 points of presence worldwide. Latency is competitive, though it may be slightly higher than Cloudflare or Google in certain regions with fewer nodes.
Privacy. As a nonprofit based in Switzerland, Quad9 is subject to Swiss privacy law. They do not log source IP addresses and have published detailed privacy policies reviewed by Swiss data protection authorities.
DNSSEC. Fully supported and validated by default.
Threat blocking. Quad9's primary differentiator is built-in threat intelligence. The resolver blocks queries to known malicious domains using feeds from over 20 threat intelligence providers. An unfiltered variant is available at 9.9.9.10 for users who want Quad9's infrastructure without the blocking.
DNS over HTTPS/TLS. Fully supported.
Best for: Security-conscious users and organizations, European users who want a resolver under strong privacy jurisdiction, and networks that want passive malware protection at the DNS layer.
Comparison Table
| Feature | Cloudflare | OpenDNS | Quad9 | |
|---|---|---|---|---|
| Primary IPv4 | 8.8.8.8 | 1.1.1.1 | 208.67.222.222 | 9.9.9.9 |
| Typical latency | Very low | Lowest | Low | Low |
| DNSSEC validation | Yes | Yes | Yes | Yes |
| DoH / DoT | Yes | Yes | Yes | Yes |
| Malware blocking | No | Optional | Yes | Yes (default) |
| Content filtering | No | Optional | Yes (customizable) | No |
| IP logging | Temporary | No (audited) | Yes | No |
| Jurisdiction | USA | USA | USA | Switzerland |
How to Choose
If raw speed is the priority, start with Cloudflare 1.1.1.1. If you need maximum reliability and global reach, Google 8.8.8.8 is a proven choice. If built-in threat blocking matters, Quad9 provides it at the resolver level without requiring endpoint software. If you need customizable content filtering for a network, OpenDNS remains the most flexible option.
For email infrastructure work, any of these four resolvers will handle DNS lookups for MX, SPF, DKIM, and DMARC records reliably. You can verify your records resolve correctly from any of these resolvers using the InboxTooling DNS lookup tool.
Configuring Your Resolver
Switching DNS servers takes less than a minute on most devices. You can configure it at the device level (computer, phone) or at the router level to apply it to your entire network. See our detailed walkthrough on how to change DNS settings on any device.
Stay on top of your email infrastructure. Sign up for the InboxTooling newsletter for deliverability tips, tool updates, and best practices.