What actually matters in a resolver
Almost every "fastest DNS server" ranking online is measuring something that barely matters day to day. The gap between resolvers is typically a handful of milliseconds, invisible in normal browsing, and mostly a function of which provider happens to run a server physically closer to you rather than anything about the service itself. Your browser and OS also cache lookups aggressively, so most page loads don't even trigger a fresh query.
What's actually worth comparing is the logging policy (does the resolver keep a record tying queries to your IP, and for how long), whether it blocks known-malicious domains automatically, whether it supports encrypted DNS transport, and — for anyone outside the handful of well-known names — whether the company behind it is one you'd trust with a real-time list of every domain you visit. We cover the underlying mechanics of how DNS and encrypted DNS actually work in our DNS explained guide; this one is specifically about choosing who to send those queries to.
The comparison
| Provider | Primary address | Logs tied to IP | Blocks malware by default | DNSSEC | DoH / DoT / DoQ |
|---|---|---|---|---|---|
| Cloudflare | 1.1.1.1 | No | No (separate 1.1.1.2 endpoint does) | Yes | All three |
| Google Public DNS | 8.8.8.8 | Temporarily, anonymized after 24–48h | No | Yes | DoH, DoT |
| Quad9 | 9.9.9.9 | No | Yes | Yes | All three |
| NextDNS | Custom per account | Optional, on by default in dashboard | Yes, configurable | Yes | All three |
| OpenDNS (Cisco) | 208.67.222.222 | Used for security telemetry | Yes | Yes | DoH only |
| AdGuard DNS | 94.140.14.14 | No, per published policy | Yes, plus ad/tracker blocking | Yes | All three |
| Control D | Custom per account | Optional, configurable per profile | Yes, configurable | Yes | All three |
The providers, one by one
Cloudflare (1.1.1.1)
Cloudflare built 1.1.1.1 specifically to make a public, no-logging resolver the default rather than the exception, and backs the no-logging claim with a recurring third-party audit rather than just a policy statement. It's also usually one of the fastest resolvers to reach for most people, simply because Cloudflare's network footprint is one of the largest in the world. The one caveat worth knowing: malware blocking isn't on by default on 1.1.1.1 itself; it lives on a separate address, 1.1.1.2, that has to be entered manually if that's something you want.
Google Public DNS (8.8.8.8)
The most recognized resolver by address alone, backed by arguably the largest anycast network of any option here. Google's own documentation states that personally identifiable log data is deleted or anonymized within 24 to 48 hours rather than kept indefinitely, which is a real, published commitment. But it's a shorter retention window, not a true no-logging policy, which is the meaningful distinction from Cloudflare or Quad9 for anyone specifically trying to avoid adding to the amount of data a company like Google already has about them.
Quad9 (9.9.9.9)
Run by a Swiss nonprofit rather than an advertising or cloud company, which changes the incentive structure entirely: there's no ad business a query log could ever feed into. Quad9 automatically blocks domains matched against multiple threat-intelligence feeds without needing any configuration, and it's one of the resolvers that doesn't forward the EDNS Client Subnet data, which matters specifically if you're trying to avoid leaking your approximate location even through encrypted DNS.
NextDNS
The most configurable option in the well-known tier: per-device profiles, granular block lists, and a live analytics dashboard showing exactly what's being queried and blocked in real time. That dashboard is also the trade-off worth knowing about — showing your own query history back to you means NextDNS is storing it somewhere by default, even though logging can be turned off in settings. It's the right pick for anyone who wants to actively tune their own blocking rather than accept one provider's defaults, less so for someone who wants an install-and-forget option with no dashboard to think about.
OpenDNS (Cisco)
The oldest name on this list, now owned by Cisco and positioned more as a security and family-filtering product than a privacy-first resolver. Its content filtering, blocking specific site categories like adult content, is genuinely more mature than most competitors here, since it's been iterating on exactly that for close to two decades. Query data feeds into Cisco's broader threat-intelligence and security telemetry, which is a reasonable trade if you're choosing it specifically for its filtering, less so if minimizing what any one company logs is the priority.
AdGuard DNS
Functionally closer to a network-wide ad and tracker blocker than a plain resolver: domains known to serve ads or trackers get blocked at the DNS level before your device even requests them, which works across every app on a device, not just your browser. That's a meaningfully different value proposition from the others on this list, since it's solving a different problem than logging or malware. The trade-off is that aggressive ad blocking at the DNS level occasionally breaks a site that depends on an ad script to function, which some users find worth troubleshooting and others find annoying enough to disable.
Control D
A newer entrant built around the same configurable, per-profile idea as NextDNS, with a particularly strong free tier and granular controls down to individual domain rules. It's a reasonable alternative if NextDNS's free-tier query limits are the specific thing pushing you elsewhere, though it has a shorter public track record than the providers above it, which is worth factoring in if a long history of scrutiny matters to you.
Running your own resolver instead
Every option above involves trusting a third party with your query log, however good their stated policy is. The alternative most "best DNS" comparisons skip entirely is running the resolver yourself. Tools like Pi-hole and AdGuard Home run on a Raspberry Pi or any always-on machine on your home network, acting as your DNS server for every device on that network, blocking ad and tracker domains at the network level, and keeping the query log exactly where you can see it and nowhere else — because there is no third party in this version of the setup at all.
The trade-off is real: you're now the one responsible for keeping the software updated, and your self-hosted resolver still needs to forward unresolved queries somewhere upstream, typically to one of the public resolvers above, so you haven't fully removed a third party from the picture, just moved where in the chain it sits. It's the right choice for anyone comfortable maintaining a small always-on device in exchange for the most direct control over their own DNS traffic available; it's overkill for someone who just wants a reasonable default without any ongoing maintenance.
Red flags on lesser-known providers
New DNS providers show up regularly, often marketed hard on speed or a specific niche feature, and not all of them deserve the same trust as the names above. A few things worth checking before switching to one you haven't heard of elsewhere:
- No published privacy policy, or one that's vague about retention. A resolver that won't say clearly how long it keeps logs and what's in them is asking for a level of trust it hasn't earned.
- Revenue model that isn't obvious. Running global DNS infrastructure costs real money. If a free service doesn't explain how it's funded, query log monetization is a reasonable thing to suspect.
- No independent audit or transparency report, on a service that's asking to be your default for every device. This isn't disqualifying on its own, since plenty of legitimate smaller providers haven't gone through a formal audit, but it does mean their no-logging claims are unverified rather than confirmed.
- Ownership that's hard to trace. Reasonable to be more cautious with a resolver whose parent company or jurisdiction isn't disclosed anywhere in their own documentation.
Which one to actually pick
- Minimizing logging is the only priority — Cloudflare or Quad9 are the cleanest picks, since neither ties queries to your IP at all.
- Malware blocking on by default, zero configuration — Quad9 does that out of the box where Cloudflare requires switching to its second address.
- Network-wide ad and tracker blocking without maintaining hardware — AdGuard DNS is built specifically for that.
- Actively managing what gets blocked per device — NextDNS or Control D, with the trade-off of a dashboard that stores query history unless it's turned off.
- Content filtering for a household rather than personal privacy — OpenDNS's filtering categories are still the most developed of the group.
- Not trusting any third party at all — self-hosting with Pi-hole or AdGuard Home is the only option here that removes that requirement entirely.
Verifying a provider's claims yourself
Every logging and blocking claim in the table above comes from each provider's own published policy, which is the honest limit of what a comparison article can tell you — none of it is independently re-verified by us on an ongoing basis, and you shouldn't take any provider's no-logging claim purely on faith either. A few things you can actually check yourself: run our DNS leak test with each candidate resolver configured, to confirm queries are actually going where you configured them to go rather than falling back to your ISP's default — worth repeating with our IPv6 leak test too, since that's the gap covered in the setup section below. Use a DNSSEC validation checker to confirm a resolver that claims DNSSEC support is actually validating signed responses rather than just passing them through. And where a provider claims an independent audit, look for the actual published audit report rather than just the claim — a specific, dated, named third-party report is a materially different level of evidence than a page that says "we don't log."
Setting it up
The actual configuration steps depend on whether you're setting it system-wide on a router, per-device, or per-browser, and whether you want the connection to the resolver itself encrypted rather than just choosing a different address. We cover exactly how to do that correctly on each major platform, including the IPv6 gap that catches most people who think they've switched resolvers but haven't fully, in our DNS explained guide.
Frequently asked questions
Is a faster DNS resolver actually noticeable in daily use?
Rarely. DNS lookups are cached aggressively by your device and browser, so most page loads don't trigger a fresh lookup at all. The difference matters more for people running a lot of first-time lookups quickly, like network administrators or automated tools, than for everyday browsing.
Does using a "no-log" DNS resolver mean my ISP can't see what sites I visit?
Only if the connection to that resolver is encrypted. Switching your DNS server address alone doesn't encrypt the query — your ISP can still see plain-text DNS traffic in transit unless you've specifically configured DNS over HTTPS or DNS over TLS to the resolver you chose.
Can I use more than one resolver at once?
Most setups let you configure a primary and a secondary resolver, used as a fallback if the primary doesn't respond. Worth knowing: mixing providers with different logging or filtering policies means your queries are subject to whichever one actually answers a given request, not a blend of both policies.
Is self-hosting with Pi-hole actually more private than just picking Cloudflare or Quad9?
It depends what you're protecting against. Self-hosting keeps your query log entirely on hardware you control, which no public resolver can offer. But your self-hosted setup still forwards unresolved queries somewhere upstream, so you're trusting a public resolver at that layer regardless — self-hosting mainly removes the third party from seeing your device-level query patterns and local network activity, not from the internet-facing DNS ecosystem entirely.
How much should I actually trust a smaller DNS provider I haven't heard of?
Treat it the way you'd treat any service asking to see every domain you visit. Worth checking before switching:
- Is there a specific, dated privacy policy, not just a general statement
- Has the no-logging or minimal-logging claim been independently audited, and can you find the actual report
- Is the company's ownership and revenue model disclosed anywhere
None of these guarantee good behavior on their own, but a provider missing all three is a meaningfully different risk than one that's transparent on all of them.
Does my VPN's own DNS override whatever resolver I've configured?
Usually, yes. Most VPN clients route DNS through their own resolver by default once connected, overriding your system or router-level DNS settings for the duration of the session. If you specifically want your chosen resolver active even through a VPN, check whether your VPN client has a setting to use custom DNS, since not all of them expose one.
Sources
- Cloudflare — 1.1.1.1 public resolver privacy policy
- Google — Public DNS privacy practices
- Quad9 — Privacy policy
- NextDNS — Privacy policy
- AdGuard DNS — Privacy policy
- Pi-hole — project documentation
Written by PrivacyTestLab
The comparison above reflects each provider's own currently published privacy policy and documentation rather than a benchmark we ran ourselves. Speed and uptime claims are excluded for that reason and are better verified against your own network directly.