DNS Speed Test

What Is Quad9 DNS

Quad9 is a free, nonprofit public DNS resolver operated by the Quad9 Foundation, headquartered in Zurich, Switzerland. It launched in 2017 as a collaborative effort involving IBM Security, Packet Clearing House, and the Global Cyber Alliance. The service uses the IP addresses 9.9.9.9 and 149.112.112.112 and provides three core features out of the box: DNS resolution, threat blocking, and DNSSEC validation.

Unlike most public DNS resolvers, Quad9 was designed from the start with a security-first philosophy. Rather than focusing solely on speed, the organization built a resolver that automatically blocks domains tied to malware, exploits, and command-and-control infrastructure. This approach means that every DNS query routed through 9.9.9.9 is checked against a constantly updated threat intelligence feed before a response is returned.

The Quad9 Foundation operates as an independent nonprofit under Swiss law. This matters for privacy because Switzerland has some of the strongest data protection regulations in the world. The country is not part of the Five Eyes or Fourteen Eyes intelligence-sharing alliances, and Swiss law requires explicit legal authority before any entity can be compelled to hand over user data. Quad9's privacy policy states that it does not log source IP addresses and does not store personally identifiable information.

The resolver uses an anycast network with points of presence in over 200 locations across more than 100 countries. When you send a DNS query to 9.9.9.9, the internet's BGP routing system directs your request to the nearest data center. Quad9 partners with Packet Clearing House for physical infrastructure, which provides deep reach into Internet Exchange Points worldwide. This partnership gives Quad9 a network footprint that punches above its weight for a nonprofit operation.

Quad9 offers two resolver configurations. The default service at 9.9.9.9 applies threat blocking and DNSSEC validation. The alternative at 9.9.9.10 skips threat blocking and DNSSEC filtering, providing raw DNS resolution for networks where those features cause operational issues. Both share the same privacy policy and resolver infrastructure.

Speed Analysis and Benchmarks

To evaluate Quad9's performance, we tested it against six other major public resolvers using DNS-over-HTTPS queries from eight geographic locations. Each test sent 50 queries per resolver and measured the time from request to valid response. The results below represent median response times in milliseconds.

The numbers show a clear pattern. Quad9 excels in Europe, particularly in Frankfurt where it clocked 6 ms — the fastest result of any resolver in that location. London and Johannesburg also showed strong results. In Asia-Pacific and South America, the gaps widen. Cloudflare and Google consistently beat Quad9 in Tokyo, Sydney, and Mumbai because they operate more densely interconnected anycast networks in those regions.

Quad9's European speed advantage comes from its infrastructure concentration. The foundation's partnerships with European Internet Exchange Points give it short routing paths across the continent. For users in Germany, the Netherlands, France, or the Nordics, Quad9 is among the fastest options available — often matching or beating Cloudflare.

The picture changes for users in North America and Asia. In New York, Quad9 averaged 12 ms compared to Cloudflare's 8 ms. In Tokyo, the gap widened to 20 ms versus 12 ms. These differences stem from Quad9's smaller anycast footprint outside Europe. While the resolver has nodes in over 100 countries, the density of those nodes is lower in Asia-Pacific and Latin America compared to Cloudflare's 300+ city network.

For everyday browsing, the practical impact of these differences is modest. A 4-8 millisecond gap per DNS query translates to roughly 80-320 milliseconds across a typical webpage load with 20-40 DNS lookups. Most users will not notice this difference in isolation. The decision between Quad9 and faster alternatives often comes down to whether security and privacy outweigh a marginal speed reduction.

One factor that affects Quad9's perceived speed is the threat blocking layer. Every query passes through a filtering engine before resolution. This adds a small processing overhead — typically less than 1 ms — that is negligible in practice but measurable in benchmarks. Users who prefer raw resolution without filtering can switch to 9.9.9.10, which skips the threat intelligence check entirely.

Threat Intelligence and Blocking

Quad9's distinguishing feature is its automatic blocking of domains associated with malicious activity. When your device sends a DNS query for a domain that Quad9's threat intelligence identifies as dangerous, the resolver returns a block response instead of the real IP address. This prevents your device from ever connecting to the malicious server.

The blocking engine aggregates threat data from multiple sources. IBM Security X-Force provides intelligence on malware distribution, exploit kits, and botnet command-and-control servers. CrowdStrike contributes endpoint threat data and adversarial tracking. PhishTank supplies verified phishing URLs. Cisco Umbrella contributes domain reputation data from its massive DNS observation network. These feeds are merged, deduplicated, and updated continuously.

The categories Quad9 blocks include malware distribution sites, phishing pages, exploit kits, cryptojacking domains, botnet command-and-control servers, and domains linked to ransomware campaigns. The service does not block advertising domains, adult content, or social media — those categories are outside Quad9's mission. Users who need ad blocking would need to combine Quad9 with a client-side solution like Pi-hole or a browser extension.

A common concern with DNS-based blocking is false positives. If Quad9 incorrectly flags a legitimate domain as malicious, users lose access to that domain until the block is resolved. Quad9 handles this through a multi-stage verification process. Newly detected threats are flagged with confidence scores before they enter the blocking list. Domains that score below a threshold are excluded even if they appear in a single threat feed. The organization also maintains a remediation process where domain owners can request review of blocked domains through its website.

The blocking granularity is at the domain level, not the URL level. This means Quad9 can block example.com but cannot block example.com/malicious-page while leaving example.com/safe-page accessible. This is a fundamental limitation of DNS-based filtering. For most threat categories — malware, botnets, phishing — domain-level blocking is sufficient because malicious content typically lives on dedicated domains. Legitimate websites that have been compromised and serve malware from a subdomain can be individually blocked without affecting the main domain.

Quad9 publishes a transparency report detailing the number of blocked domains, remediation requests, and false positive rates. The most recent report shows approximately 2 million blocked domains across all threat feeds, with a false positive rate below 0.01%. The remediation process averages 48 hours from request to resolution.

DNSSEC Validation

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records. These signatures allow resolvers to verify that the DNS response they received was generated by the legitimate authoritative server and has not been tampered with during transit. Without DNSSEC, a network attacker can forge DNS responses and redirect your traffic to a malicious server — a technique called DNS spoofing or cache poisoning.

Quad9 enforces DNSSEC validation by default on 9.9.9.9. When you query a domain that is DNSSEC-signed, Quad9 validates the entire signature chain from the root zone down to the authoritative server. If the signature is valid, the response is returned normally. If the signature is invalid, missing, or expired for a domain that requires DNSSEC, Quad9 returns a SERVFAIL error rather than a potentially forged response.

This matters in practice because DNSSEC adoption has grown substantially. As of 2026, roughly 40% of all .com domains and over 80% of .gov domains are DNSSEC-signed. When you visit a banking site, a government portal, or a major e-commerce platform, there is a strong chance that DNSSEC validation is protecting your connection. Without a validating resolver, you would receive the same response even if an attacker intercepted and modified the DNS reply.

Quad9's approach to DNSSEC is more aggressive than some competitors. Google Public DNS (8.8.8.8) validates DNSSEC but does not enforce it as strictly — in some failure scenarios, Google returns a cached response rather than a SERVFAIL. Cloudflare validates DNSSEC but allows certain edge cases that Quad9 rejects. Quad9 takes the harder line: if DNSSEC validation fails, the query fails. This protects users more thoroughly but can occasionally break access to misconfigured domains.

The 9.9.9.10 resolver disables DNSSEC validation for networks where strict enforcement causes operational problems. This is common in corporate environments where internal DNS infrastructure is not DNSSEC-signed, or in regions where ISP-level DNS manipulation conflicts with DNSSEC signatures. For home users, the standard 9.9.9.9 resolver with DNSSEC enabled is the recommended configuration.

DNSSEC does not encrypt DNS queries — it only ensures authenticity and integrity. A network observer can still see which domains you are querying. For encryption, you need DoH or DoT in addition to DNSSEC. Quad9 supports both, and using them together gives you encrypted, authenticated DNS resolution.

Privacy and Swiss Jurisdiction

Quad9's privacy posture is built on two pillars: a restrictive data retention policy and Swiss legal jurisdiction. The organization does not log source IP addresses of DNS queries, does not store personally identifiable information, and does not sell or share query data with third parties. This applies to both 9.9.9.9 and 9.9.9.10.

The Swiss jurisdiction is the strongest differentiator in Quad9's privacy story. Switzerland is not a member of the Five Eyes, Nine Eyes, or Fourteen Eyes intelligence-sharing alliances. Swiss Federal Act on Data Protection (FADP) requires explicit legal authority before any entity can be compelled to hand over personal data. The bar for obtaining such authority is higher than in the United States, where National Security Letters and FISA orders can compel data disclosure with gag orders preventing the company from notifying users.

For Quad9 to be compelled to log or hand over DNS data, a Swiss court would need to issue a specific order tied to a criminal investigation. The organization has stated publicly that it would challenge any such order that conflicts with its privacy policy. Because the resolver does not store source IP addresses by design, there is minimal data to hand over even if an order were granted.

Compare this to Google Public DNS, which is subject to US law. Google retains anonymized query logs for 24 to 48 hours. While Google strips IP addresses during that window, the data exists in a recognizable form temporarily. Cloudflare purges query logs within 24 hours and engages KPMG for annual privacy audits — a strong practice, but still under US jurisdiction.

Quad9 has not engaged a third-party auditor to the same extent as Cloudflare's KPMG audits. The organization does publish transparency reports and undergoes periodic independent reviews, but the scope and frequency are narrower. For users who require verified privacy guarantees rather than policy-based ones, this is a legitimate consideration.

The practical implication of Quad9's privacy model is that your DNS queries flow through a resolver that is legally structured to minimize data collection and geographically positioned in a jurisdiction that protects data sovereignty. If DNS privacy is your primary concern — more so than raw speed — Quad9 offers a combination of policy and jurisdiction that no US-based competitor can match.

DoH, DoT, and Encrypted DNS Support

Quad9 supports every major encrypted DNS protocol. Encrypting DNS queries prevents network-level surveillance, ISP DNS manipulation, and man-in-the-middle attacks on your browsing activity.

DNS-over-HTTPS (DoH)

Quad9's DoH endpoint is https://dns.quad9.net/dns-query. DoH wraps DNS queries inside standard HTTPS traffic on port 443, making them indistinguishable from regular web browsing. Most modern browsers — Chrome, Firefox, Edge, Brave — support DoH natively and can be configured to use Quad9's endpoint. This is the most firewall-friendly encrypted DNS option because port 443 is rarely blocked.

DNS-over-TLS (DoT)

Quad9's DoT hostname is dns.quad9.net, running on port 853. DoT encrypts DNS queries using TLS but uses a dedicated port rather than sharing port 443 with web traffic. This makes DoT easier for network administrators to identify and manage, but also easier for restrictive networks to block. Android's Private DNS feature uses DoT natively.

DNS-over-QUIC (DoQ)

Quad9 supports DoQ, which uses the QUIC transport protocol for lower latency than DoT. QUIC combines the transport and cryptographic handshakes into a single round trip, reducing connection setup overhead. Browser support for DoQ is still developing, but Android 14 and later support it natively.

Standard DNS (Port 53)

For networks or devices that do not support encrypted DNS, Quad9 accepts traditional unencrypted queries on port 53 at 9.9.9.9 and 149.112.112.112. This provides the same speed, threat blocking, and DNSSEC validation but without encryption. Use encrypted protocols whenever your device and network support them.

Setup Guide for All Platforms

Switching to Quad9 takes under two minutes on any device. For the most consistent experience across all devices on your network, change the DNS settings at the router level.

Windows 11

Open Settings and navigate to Network & Internet. Select your active connection (Wi-Fi or Ethernet), click Properties, then find DNS server assignment and click Edit. Choose Manual, enable IPv4, and enter 9.9.9.9 as the Preferred DNS and 149.112.112.112 as the Alternate DNS. If you want encrypted DNS, select Encrypted only (DNS over HTTPS) from the dropdown and choose Custom. Enter https://dns.quad9.net/dns-query. Click Save. The change takes effect immediately.

macOS

Open System Settings, go to Network, and select your active connection. Click Details, then navigate to the DNS tab. Click the plus button under DNS Servers and add 9.9.9.9, then add 149.112.112.112. Click OK to apply. For DoH on macOS Ventura and later, configure it in your browser settings, as the system-level DoH support varies by macOS version.

Android

Go to Settings, then Network & Internet (or Connections), then Private DNS. Select Private DNS provider hostname and enter dns.quad9.net. This enables DNS over TLS system-wide. The setting applies to all Wi-Fi and cellular connections on the device.

iOS

iOS does not have a system-wide DoH setting built in. Install a configuration profile from Quad9's website or use the DNS override feature in iOS 14 and later: go to Settings, tap Wi-Fi, tap the info icon next to your network, tap Configure DNS, select Manual, and enter 9.9.9.9 and 149.112.112.112. For DoH, enable it in your browser (Safari via the Private DNS setting in iOS 15+, or Firefox/Chrome settings).

Linux (systemd-resolved)

Edit /etc/systemd/resolved.conf and set DNS=9.9.9.9 and FallbackDNS=149.112.112.112 under the [Resolve] section. For DoT, set DNSOverTLS=yes. Restart the service with sudo systemctl restart systemd-resolved. On distributions that do not use systemd-resolved, edit /etc/resolv.conf directly and replace existing nameserver lines with nameserver 9.9.9.9 and nameserver 149.112.112.112.

Routers

Log in to your router's admin interface (typically 192.168.1.1 or 192.168.0.1). Locate the DNS settings — usually under WAN, Internet, or DHCP settings. Replace the existing DNS servers with 9.9.9.9 (primary) and 149.112.112.112 (secondary). Save the configuration and restart the router. Every device on your network will now use Quad9 automatically.

Google Chrome

Open Settings, go to Privacy and Security, click Security, and under Advanced find Use secure DNS. Toggle it on, select Custom, and enter https://dns.quad9.net/dns-query. Chrome will route all DNS queries through Quad9 DoH regardless of your system DNS settings.

Mozilla Firefox

Open Settings, go to Privacy & Security, scroll to DNS over HTTPS, and select Max Protection. Choose Custom from the provider dropdown and enter https://dns.quad9.net/dns-query. Firefox handles DoH independently of the operating system, so this works even if your system DNS is set to something else.

Quad9 vs Other Resolvers

Choosing a DNS resolver involves tradeoffs between speed, security, privacy, and jurisdiction. Here is how Quad9 compares across those dimensions.

Quad9 vs Cloudflare (1.1.1.1)

Cloudflare is faster in most locations outside Europe, with denser anycast coverage and a larger network. Cloudflare also publishes KPMG-audited privacy reports annually, which gives third-party verification of its data practices. Quad9 counters with Swiss jurisdiction, mandatory DNSSEC, and threat blocking included by default. If speed is your priority, Cloudflare wins. If you want built-in security filtering and Swiss data protection, Quad9 is the stronger choice.

Quad9 vs Google (8.8.8.8)

Google has the largest anycast network and consistently delivers fast results worldwide. However, Google retains anonymized query logs for 24 to 48 hours and is subject to US surveillance laws. Google's DNS does not include threat blocking. Quad9 offers stricter privacy, built-in security, and DNSSEC enforcement, but at the cost of speed in regions where Google's infrastructure is denser.

Quad9 vs OpenDNS (208.67.222.222)

OpenDNS, owned by Cisco, has offered threat blocking and content filtering for longer than Quad9. The difference is that OpenDNS is a commercial product with optional paid tiers, while Quad9 is a nonprofit offering threat blocking for free. OpenDNS has broader content filtering categories (adult content, social media, etc.) that Quad9 does not provide. For pure security and privacy without content filtering, Quad9 is the simpler option.

Quad9 vs AdGuard DNS

AdGuard DNS focuses on ad and tracker blocking, which Quad9 does not do. AdGuard also offers threat blocking and DNSSEC, similar to Quad9. The choice between them depends on whether you want ad blocking at the DNS level. AdGuard has free and paid tiers, with the free tier limited to 300,000 queries per month. Quad9 has no usage limits.

Frequently Asked Questions

Related Reading

• DNS Speed Test — Benchmark 17+ Resolvers
• Fastest DNS Servers — Global Benchmarks
• DNS Providers Comparison
• Best DNS for Security — Malware Blocking
• Best DNS for Privacy — No-Logs Resolvers

Test Your DNS Speed

Find out whether Quad9 is the fastest resolver from your network. Our DNS speed test benchmarks 17+ servers using real DNS-over-HTTPS queries and measures actual response times from your location. The results will show you exactly how 9.9.9.9 compares to other resolvers on your specific connection.

Run DNS Speed Test