Most people touch DNS only when something breaks. A site will not load, a smart TV refuses to connect, or a browser sits there half-awake while the page around it waits for a name lookup to finish. That narrow view hides what DNS has become. Your resolver is now part speed layer, part privacy decision, part security control, and sometimes part content filter. The choice between your ISP’s default DNS and a public resolver like Google, Cloudflare, Quad9, AdGuard, or Control D is not cosmetic. It changes who sees your queries, how your answers are cached, whether malware domains get blocked, and whether your browser quietly ignores the DNS settings you thought you had configured.
Table of Contents
A useful DNS guide has to do two jobs at once. It has to explain the old plumbing clearly, because the core DNS model still comes from RFCs written in the 1980s, and it has to show how that old model now sits under modern expectations around encrypted traffic, logging, parental controls, malware blocking, and anycast performance. The result is a system that looks simple from the outside and gets nuanced very quickly once you care about speed, privacy, or control.
DNS still runs on old ideas and new expectations
At the protocol level, DNS is a distributed naming system. A client asks for data about a name. A resolver finds the answer or fetches it from the right authority. That sounds plain enough, yet the chain behind one lookup has multiple roles: the stub resolver on your device, the recursive resolver that does the searching and caching, and the authoritative name server that holds the zone’s published records. Those terms matter because people often mix them together and then end up choosing a provider for the wrong reason. Google Public DNS, Cloudflare 1.1.1.1, Quad9, AdGuard DNS, and Control D are public recursive resolvers. They are not the servers that “host a domain” for the site you visit.
A cold lookup still follows the classic path. If the recursive resolver does not already have the answer cached, it may start at the root, move to the top-level domain, and then query the authoritative server for the domain you want. IANA describes the root as 13 named authorities implemented by hundreds of server instances in many countries, which is a good reminder that DNS looks centralized on diagrams and distributed in real operation. That distributed design is one reason DNS has stayed standing for so long. It scales because answers can be cached all over the network, and the resolver does not need to rebuild the whole world from scratch for every request.
Caching is where daily experience changes. Every DNS record carries a TTL, the time a cached answer may be kept before it needs fresh validation. That single field shapes both speed and weirdness. A long TTL can make repeated visits feel instant. A stale or incorrect cached answer can make a problem linger after the origin has already fixed it. The standards also describe negative caching, which lets resolvers remember that something did not exist, reducing needless repeat traffic for the same failed name. Later work on “serving stale” recognized another reality: when an authoritative server is briefly unreachable, a resolver may improve resilience by answering from expired cache under controlled conditions rather than failing hard.
That older design was never built around privacy. DNS queries were traditionally sent in clear text over UDP or TCP. A network operator, access provider, or anyone sitting on the path could often see the names being requested even if the site itself later loaded over HTTPS. The privacy RFCs are blunt about this: DNS traffic exposes a lot about user behavior. That is one reason modern DNS discussions now mix protocol mechanics with policy questions. Once you understand that a resolver sees every domain request from your device or network, “Which DNS should I use?” stops sounding like a niche hobby question and starts sounding like a normal part of choosing infrastructure you trust.
The resolver in front of you matters more than most people think
Resolvers are not interchangeable. Two services can answer the same domain correctly and still feel different in real use because the work around the answer differs. Some run very large anycast networks, which steer you to a nearby site and reduce round-trip time. Some keep hot caches for popular names. Some support EDNS Client Subnet, which can help a CDN return a server closer to the user rather than closer to the resolver. Some refuse ECS by default because the privacy cost is not worth it for their model. Some focus on a clean, unfiltered answer path. Others treat DNS as a control layer and intentionally block or redirect categories of domains.
The easiest mistake is to treat “fast DNS” as a single number. Resolver speed has a few moving parts. There is network distance between you and the resolver. There is cache hit rate inside the resolver. There is the quality of the resolver’s outbound behavior toward authoritative servers. There is the geographic logic behind CDN-related answers. Google explicitly describes performance benefits from large-scale caching and ECS support for location-sensitive responses. Control D’s free DNS documentation highlights global anycast and periodic blocklist refreshes for its public endpoints. Those are different levers, but they all touch what people casually call “speed.”
There is another reason resolver choice feels bigger than it used to: the recursive resolver is now where many people first apply policy. Malware blocking, family filtering, tracker blocking, restricted YouTube modes, safe search enforcement, analytics, and per-device profiles all ride on the same basic mechanism. The resolver receives a domain lookup, checks local policy, and either resolves it, blocks it, or redirects it. That is powerful because it works across many devices with little effort. It is also blunt, because DNS mostly operates at the domain level. A resolver can stop your device from reaching a known ad or malware host. It cannot surgically edit page content the way a browser extension can. That last point is an inference from the way resolver-based blocking works in AdGuard and Control D’s own documentation, which revolves around handling or refusing domain requests rather than rewriting page elements.
Negative caching and stale serving add a final wrinkle. A good resolver is not just fast when everything is healthy. It is also graceful under failure. Negative caching cuts repeated waste for nonexistent names. Serving stale data can keep a domain reachable during short authoritative outages. Those features rarely appear in consumer marketing, yet they shape whether a resolver feels calm or brittle when the Internet has a bad day. Many users blame “the DNS” for every delay, but the deeper truth is that resolver behavior during edge cases often matters more than the baseline answer time you see in a benchmark screenshot.
Privacy, authenticity, and blocking are separate jobs
DNS conversations go sideways when three separate features get mashed together. Encrypted DNS, DNSSEC, and DNS filtering solve different problems. You need that distinction clear before comparing providers.
DNS over TLS and DNS over HTTPS encrypt the path between your device and the recursive resolver. RFC 7858 defines DoT. RFC 8484 defines DoH. Cloudflare’s docs describe DoH as DNS wrapped inside HTTPS on port 443, while Google’s secure transport docs describe both DoH and DoT as ways to reduce tampering, eavesdropping, and spoofing between client and resolver. That is privacy on the first hop. It is not a promise that nobody sees anything. The resolver still sees the query, and the resolver’s own upstream traffic toward authoritative servers may still reveal parts of the lookup path depending on the architecture and the destination.
DNSSEC is different. It is about authenticity and integrity, not confidentiality. RFC 4033 and RFC 4035 define the security extensions that let validating resolvers check signed DNS data and detect forged or modified answers. A DNSSEC-validating resolver can catch a bad signature chain. It cannot hide your lookup from the resolver operator or from a passive observer on an unencrypted client-to-resolver path. That is why Google’s own docs present encrypted transport and DNSSEC as complementary rather than interchangeable. One proves the answer is authentic for signed zones. The other hides the transport from local observers.
Filtering is different again. Quad9 blocks known malicious domains on its standard 9.9.9.9 service. AdGuard’s default public resolver blocks ads and trackers. Control D exposes multiple public endpoints, including unfiltered, malware, ads-and-tracking, social, and family presets. Google Public DNS is not sold as a filtering resolver and says it does not perform blocking as a general service aside from narrow security or legal cases. These are policy decisions layered on top of resolution, not protocol properties. A resolver can support DoH and still be unfiltered. A resolver can block malware and still not offer the privacy stance you want. A resolver can validate DNSSEC and still keep logs that make you uncomfortable.
EDNS Client Subnet sits in a gray zone because it touches both performance and privacy. RFC 7871 defines ECS as a way for a resolver to include a truncated part of the client network so authoritative servers, especially CDN infrastructure, can return a better-localized answer. Google supports ECS and publishes guidelines for authoritative operators. Quad9 separates the trade-off by offering its main malware-blocking service without ECS and a separate ECS-enabled secured variant. Privacy guidance later pointed out the obvious downside: sharing part of the client network leaks more about the user than a fully resolver-based lookup would. If you want the shortest path to a streaming CDN node, ECS may help. If you want the cleanest privacy posture, you may prefer a resolver that keeps it off by default.
Public resolver options at a glance
The public DNS field looks crowded until you separate general-purpose resolvers from filtering-first resolvers. The first group tries to answer cleanly, quickly, and with a defined privacy posture. The second group uses DNS as a control layer for ads, trackers, malware, or family rules. The tables below use current official addresses and provider documentation, and they also correct two common copy-paste mistakes that show up in roundups: AdGuard’s 94.140.14.140 / 94.140.14.141 pair is non-filtering, not its default blocking service, and Control D’s 76.76.2.0 / 76.76.10.0 pair is unfiltered, while its malware preset is 76.76.2.1 / 76.76.10.1.
General-purpose public resolvers
| Provider | Primary DNS | Secondary DNS | What stands out |
|---|---|---|---|
| Google Public DNS | 8.8.8.8 | 8.8.4.4 | Global resolver with strong caching, DNSSEC validation, DoH/DoT support, and ECS support for location-sensitive answers |
| Cloudflare 1.1.1.1 | 1.1.1.1 | 1.0.0.1 | Privacy-focused positioning, encrypted DNS support, and optional family-filtering variants |
| Quad9 | 9.9.9.9 | 149.112.112.112 | Malware blocking by default, DNSSEC validation, and a strong privacy stance with no IP logging in normal use |
These three are often mentioned in the same breath, but they are not chasing the exact same outcome. Google is the cleanest “fast public resolver” choice, Cloudflare has built its public brand around privacy and encrypted transport, and Quad9 starts from security blocking. If all you want is a reliable, unfiltered answer path, Google and Cloudflare are the natural first comparison. If you want malicious domains refused without having to manage your own lists, Quad9 belongs in the conversation immediately.
Google, Cloudflare, and Quad9 through a practical lens
Google Public DNS still makes sense for people who want a straightforward, highly available resolver and do not need built-in content filtering. Google presents it as a free, global recursive resolver and publishes extensive documentation on performance, troubleshooting, privacy, ECS, DNS64, DoT, and DoH. That breadth matters. It tells you the service is mature, and it also tells you what kind of user it expects: someone who wants solid public DNS and enough documentation to understand the corner cases. Google’s privacy page is also more explicit than many consumer-facing services. It says temporary logs may include the full IP address and are deleted within 24 to 48 hours, while permanent logs store aggregated and anonymized data. For some users, that transparency is reassuring. For others, it is exactly why they choose a different resolver.
Cloudflare’s 1.1.1.1 became famous partly because the address is memorable and partly because the company pushed a privacy-first story around it from the start. The official docs frame 1.1.1.1 as a fast public resolver with encrypted service through DoH and DoT, and Cloudflare maintains a dedicated privacy page for the public resolver. It also published the results of a privacy examination of its commitments. If you care about audited public claims and you want a resolver that strongly signals “privacy” as part of the product identity, Cloudflare is hard to ignore. It also offers 1.1.1.1 for Families for users who want malware or adult-content filtering without leaving the Cloudflare ecosystem.
Quad9 occupies a different lane. Its standard service at 9.9.9.9 pairs recursive resolution with threat blocking, and the service-address documentation is unusually clear about feature variants. The recommended configuration includes malware blocking and DNSSEC validation. Quad9 also documents a separate ECS-enabled secured variant, which is useful because it shows the service understands the privacy-versus-localization trade-off rather than pretending it does not exist. On privacy, Quad9 states that under normal use no data containing your IP address is logged, and its privacy policy applies that principle to the DNS service itself. If your priority is to reduce exposure to known malicious domains with almost no maintenance, Quad9 remains one of the easiest answers.
None of these three is “best” in a vacuum. Google is a strong fit for users who want plain resolution, broad protocol support, and little friction. Cloudflare is compelling for users who care about encrypted DNS and a public privacy posture backed by external review. Quad9 is the obvious pick for people who want DNS-level malware blocking with a serious privacy story. The trick is not to pick a winner in the abstract. The trick is to match the resolver to the problem you are actually trying to solve.
AdGuard and Control D when filtering is the point
Filtering-first resolvers deserve their own lane because they answer a different need. You are not choosing them just to resolve names quickly. You are choosing them because you want DNS to block something, simplify policy, or clean up a home or office network without installing software everywhere.
Filtering-focused public resolvers
| Provider | Primary DNS | Secondary DNS | What stands out |
|---|---|---|---|
| AdGuard DNS default | 94.140.14.14 | 94.140.15.15 | Blocks ads and trackers by default |
| AdGuard DNS non-filtering | 94.140.14.140 | 94.140.14.141 | Same provider, no ad or tracker blocking |
| Control D unfiltered | 76.76.2.0 | 76.76.10.0 | Clean public resolver with secure DNS support |
| Control D malware | 76.76.2.1 | 76.76.10.1 | Malware-focused preset |
| Control D ads and tracking | 76.76.2.2 | 76.76.10.2 | Blocks ad and tracking domains |
This is where bad comparison charts often fall apart. AdGuard and Control D are not single-endpoint products. They expose multiple modes, and the address you copy determines what kind of DNS you are actually using. AdGuard’s public documentation lists the default blocking pair at 94.140.14.14 and 94.140.15.15, the family pair at 94.140.14.15 and 94.140.15.16, and the non-filtering pair at 94.140.14.140 and 94.140.14.141. Control D’s free resolver documentation goes even further by publishing separate endpoints for unfiltered, malware, ads and tracking, social, family, uncensored, and many third-party blocklist variants.
AdGuard is the simpler of the two to explain. Its default public resolver blocks ads and trackers, its family mode adds adult-content restrictions and safe-search behavior where possible, and its non-filtering mode gives you plain resolution. The Knowledge Base describes AdGuard DNS as a privacy-oriented DNS service that supports DoH, DoT, and DoQ, and it can either work as a normal resolver or provide DNS-level content blocking. That dual identity matters. AdGuard is not just a public pair of IP addresses; it is a bigger DNS platform with profiles, private DNS features, and dashboard-style visibility in managed setups.
Control D is more configurable and, for some users, more confusing at first glance. The docs describe it as a customizable DNS filtering and traffic-redirection platform. Its free public resolvers are backed by anycast, support encrypted DNS, and the free-DNS page says they do not store logs such as individual browsing history, timestamps, or query logs. Separate documentation and blog material also make clear that in managed account-based setups, analytics and more detailed data storage are optional features you can enable. That distinction matters. The public free resolver story and the account-based analytics story are not the same thing. If you want fine-grained DNS policy, Control D offers much more headroom than a basic public resolver. If you just want a clean, low-maintenance public DNS choice, you need to pick the right preset and leave the rest alone.
Filtering DNS is useful, but it has hard limits. It sees domain lookups, not full page logic. A DNS filter can block ads.example.net. It cannot peel a sponsored tile out of a page served from the same main host unless that host is blocked entirely. That is why DNS filtering and browser-based content blocking are complements, not substitutes. DNS is excellent at broad network-wide control and first-pass blocking. It is not a precision instrument for everything a browser renders. That conclusion follows directly from the domain-based blocking model in AdGuard and Control D’s own resolver documentation.
Setup choices that decide whether DNS works as planned
A good resolver can still give you a bad result if you place it at the wrong layer. Router-level DNS changes are neat because they affect many devices at once. They are also easy to overestimate. A browser that uses its own DoH provider may ignore the network DNS you set on the router. Mozilla’s support documentation says this plainly: when Firefox enables DoH, it can bypass the local DNS resolver and defeat local policies such as malware blocking or parental controls. Control D’s own troubleshooting docs say the same thing in blunt terms and suggest disabling browser DoH if you want the browser to use the secure DNS already configured at the operating system or network level.
That does not make browser-level DoH bad. It just changes the trust boundary. If you set Cloudflare or Google directly inside a browser, you get encrypted DNS for that browser even on a network you do not trust. The trade-off is that the browser may stop respecting local filtering or network policy. For a personal laptop on hotel Wi-Fi, that may be exactly what you want. For a family network or a managed office environment, it can be the reason your carefully chosen DNS policy appears to “stop working.”
The cleanest mental model is this: device DNS controls the device, browser DNS controls the browser, and router DNS controls the network only until a device or app decides otherwise. Once you understand that, configuration stops feeling mysterious. If your goal is broad family filtering across TVs, tablets, game consoles, and laptops, router-level DNS or encrypted DNS profiles at the OS level make sense. If your goal is private lookups from one browser and you do not care about shared policy, browser-level DoH is perfectly reasonable. If your goal is per-device analytics, category rules, or named clients, a service like Control D with account-based profiles starts to earn its complexity.
Encryption choices matter too. Traditional port-53 DNS is still everywhere because it is simple and widely supported. DoT uses port 853. DoH rides over HTTPS on 443 and tends to blend into normal web traffic more easily. AdGuard’s KB adds DoQ to its menu as well. You do not need to chase every protocol acronym. You do need to recognize the basic rule: if privacy against the local network matters, use an encrypted transport to a resolver you trust. If all you change is the IP address of a port-53 resolver, you may improve speed or filtering, but your DNS requests are still exposed on the local path.
DNS problems that get blamed on the wrong thing
A surprising amount of “DNS trouble” is not a resolver failure at all. The site itself may be down. The browser may have stale connection state. A captive portal may intercept traffic before normal DNS behavior resumes. A CDN may return an odd edge node because of geolocation logic. A family filter may block a shared domain and break something adjacent to it. And when DNSSEC is involved, a broken signature or delegation issue can produce a hard SERVFAIL that looks to a normal user like the site vanished off the earth. Google’s domain troubleshooting documentation explicitly points users toward DNSSEC-validation problems, delegation errors, and oversized responses as common causes of failure.
The worst habit is to change three things at once. People switch resolver, browser, router, and VPN, then run one test page and try to guess which layer won. Work in a straight line instead. Confirm which resolver you are actually using. Control D’s status tooling is one example of a resolver-specific check. Google’s dns.google interface is another practical diagnostic surface for raw lookup results. Once you know the active resolver, test a plain domain, a blocked domain if you expect filtering, and a DNSSEC-signed domain if validation is part of the goal. You want evidence, not vibes.
Caching also fools people. A resolver change does not erase every DNS answer already sitting in operating-system caches, browser caches, applications, or upstream devices. TTL exists for a reason, and stale-serving behavior exists for a reason too. If you switch resolvers and a site still behaves strangely for ten minutes, you may be looking at the old answer hanging around, not proof that the new resolver is broken. The same goes for negative answers. A domain that was absent a moment ago can stay absent briefly because the miss was cached.
Privacy testing has its own traps. A DNS leak test that shows your browser using Cloudflare may be working exactly as designed because the browser itself is using DoH. A network policy that seems inconsistent may be getting bypassed by Firefox or Chrome secure DNS settings. A VPN may change the effective DNS path again. DNS is simple at the protocol layer and messy at the user layer because modern stacks have many places where a lookup can be intercepted, encrypted, redirected, or overridden. The fix is not more guesswork. The fix is knowing which layer owns the lookup.
A resolver choice that fits the network you actually have
The best DNS choice is not the one with the loudest brand. It is the one that solves the right problem with the fewest surprises.
If you want a plain, dependable, unfiltered public resolver, Google Public DNS and Cloudflare 1.1.1.1 are the obvious starting points. Google gives you deep documentation, DNSSEC validation, encrypted transport, and a very mature public resolver. Cloudflare gives you an equally strong public presence around encrypted DNS and privacy, with a memorable setup path and optional family variants. Your own location and network conditions may decide which one feels quicker, but the bigger difference usually sits in trust posture and feature emphasis, not in a magical universal speed crown.
If you want malware blocking without fiddling, Quad9 is still one of the clearest recommendations. That is its core identity, not an afterthought bolted onto a generic resolver. If you want ad and tracker blocking at the DNS layer for a household, AdGuard’s default public resolver is easy to recommend, provided you use the correct addresses rather than the commonly miscopied non-filtering pair. If you want more knobs than most people need—multiple presets, per-device policy, analytics choices, traffic redirection, named clients, secure endpoints, and a clean path from free resolver to managed service—Control D is the most flexible name in this group.
There is also a broader perspective worth keeping. DNS is important, but it is not the whole security or privacy story. DNS filtering will not replace endpoint protection. Encrypted DNS will not hide the rest of your traffic from every observer. DNSSEC will not fix a malicious application on your laptop. A resolver is one layer, and it is a useful one, because it touches everything early. That is exactly why it deserves a deliberate choice rather than the ISP default you never examined. Pick the resolver that fits your network, set it at the right layer, verify that the layer is actually in use, and DNS stops being mysterious. It becomes what it should be: quiet infrastructure you can trust.
FAQ
DNS maps names to resource data such as IP addresses so devices can find services by name rather than by memorized numeric addresses. Recursive resolvers do the lookup work and cache the result, while authoritative servers publish the records for a domain.
A recursive resolver is the server that receives your device’s DNS request, checks cache, and if needed queries other DNS servers until it can return an answer or an error. Public DNS services such as Google Public DNS, Cloudflare 1.1.1.1, Quad9, AdGuard DNS, and Control D operate in this role.
Sometimes, yes. A closer anycast site, better cache hit rate, or better CDN localization can reduce lookup delay. The effect is usually modest but real, and it is most noticeable when the old resolver was slow or inconsistent.
No. DoH encrypts traffic between your device and the resolver. DNSSEC validates signed DNS data so forged or altered answers can be detected. They solve different problems and work well together.
No. Encrypted DNS hides the client-to-resolver hop from local observers, but the resolver itself still sees your queries and its privacy policy still matters.
There is no single universal answer, but Cloudflare and Quad9 are the two names most strongly associated with privacy-first positioning in this group, while Google publishes a more explicit logging description that some users appreciate and others avoid. Your choice depends on whose data practices you trust.
Quad9 is the cleanest default choice if malware blocking is the main goal. Control D also offers malware-focused endpoints, and AdGuard offers threat-related filtering within its broader blocking model.
AdGuard’s default public DNS is designed for ad and tracker blocking, while Control D also offers public ads-and-tracking endpoints. DNS-based ad blocking is broad and convenient, though it is not as precise as browser-level content blocking.
No. Those are AdGuard’s non-filtering public servers. AdGuard’s default blocking pair is 94.140.14.14 and 94.140.15.15.
No. Those addresses are the unfiltered Control D public resolver. The malware preset is 76.76.2.1 and 76.76.10.1.
Yes. Mozilla and Control D documentation both note that browser-level DoH can bypass local resolver settings and local filtering policies.
Router-level DNS is simpler for whole-network coverage. Device or browser-level DNS gives more control to that one device or app. The right layer depends on whether you want shared policy or per-device privacy.
ECS is a DNS extension that lets a resolver include part of the client network so authoritative servers can return more location-aware answers. It may improve CDN routing, but it also carries privacy trade-offs.
Its recommended default service does not use ECS. Quad9 documents a separate secured ECS-enabled variant for users who want that trade-off.
Because cached answers can linger according to TTL rules in operating systems, browsers, devices, and resolvers. Negative answers may also be cached.
If signatures, DS records, or delegation details are wrong, a validating resolver may return SERVFAIL rather than accept bad data. Google’s troubleshooting docs call out DNSSEC and delegation issues as common causes.
No. It is a useful first layer because it can stop access to known malicious or unwanted domains early, but it does not replace endpoint security, browser protections, or safe operating practices.
If you want the least maintenance with real security value, Quad9 is a strong starting point. If ads and trackers are the bigger annoyance, AdGuard default is a strong household choice. If you want granular filtering and profiles, Control D is the better fit.
Author:
Jan Bielik
CEO & Founder of Webiano Digital & Marketing Agency
This article is an original analysis supported by the sources cited below
RFC 1034 Domain names concepts and facilities
Foundational DNS standard describing the overall naming model, delegation, and caching concepts.
RFC 1035 Domain names implementation and specification
Core protocol specification for DNS message formats, records, and server behavior.
RFC 8499 DNS terminology
Current terminology reference for common DNS roles and concepts.
RFC 2308 Negative caching of DNS queries
Explains how resolvers cache negative answers and why that matters.
RFC 8767 Serving stale data to improve DNS resiliency
Describes controlled use of expired cache data to keep resolution working during outages.
RFC 4033 DNS Security Introduction and Requirements
Introduces DNSSEC and its security goals.
RFC 4035 Protocol modifications for the DNS Security Extensions
Technical specification for DNSSEC validation behavior.
RFC 9076 DNS Privacy Considerations
Current privacy analysis of DNS data exposure and related trade-offs.
RFC 7858 Specification for DNS over Transport Layer Security
Defines DNS over TLS and its privacy properties.
RFC 8484 DNS Queries over HTTPS
Defines DNS over HTTPS and how DNS is carried over HTTPS exchanges.
RFC 7871 Client Subnet in DNS Queries
Specification for EDNS Client Subnet and its operational trade-offs.
Root Servers
IANA reference for the root server system and its global deployment model.
DNSSEC Trust Anchors and Rollovers
IANA resource for root trust anchors used by DNSSEC-validating software.
Introduction to Google Public DNS
Google’s overview of its public recursive resolver and feature set.
Get Started with Google Public DNS
Official Google setup page with current public resolver addresses.
Secure transports for DNS
Google documentation for DoH and DoT support.
Your Privacy
Google Public DNS logging and retention details.
EDNS Client Subnet Guidelines
Google guidance on ECS behavior and authoritative-server support.
Performance Benefits
Google explanation of caching and location-sensitive response behavior.
Frequently Asked Questions
Official answers on filtering, service scope, and common Public DNS questions.
Troubleshooting
Google guidance for diagnosing resolver and reachability problems.
Domain Troubleshooting
Google documentation on DNSSEC failures, delegation errors, and other domain-level issues.
1.1.1.1 DNS Resolver
Cloudflare overview of its public resolver and family-filtering variants.
DNS over HTTPS
Cloudflare documentation describing DoH transport behavior for 1.1.1.1.
IP addresses
Cloudflare reference page for current 1.1.1.1 public resolver addresses.
1.1.1.1 Public DNS Resolver
Cloudflare’s privacy commitments for the public resolver.
Announcing the results of the 1.1.1.1 public DNS resolver privacy examination
Cloudflare post on external review of its resolver privacy commitments.
Service Addresses and Features
Quad9 reference for public resolver addresses, blocking modes, DNSSEC, and ECS variants.
Data and Privacy Policy
Quad9’s DNS-service privacy policy.
Quad9 home page
Quad9’s public summary of service behavior and privacy stance.
Connect to public AdGuard DNS server
AdGuard’s official public DNS setup page with current addresses and modes.
The official release of AdGuard DNS
AdGuard article documenting default, family, and non-filtering server pairs.
Overview
AdGuard DNS Knowledge Base overview of encryption support and DNS-level blocking.
Statistics and Query log
AdGuard documentation showing the visibility and logging features in managed DNS setups.
AdGuard DNS Privacy Policy
AdGuard’s privacy-policy page for its DNS service.
Free DNS Resolvers
Control D documentation for public resolver endpoints, filtering presets, and free-resolver logging posture.
Introduction
Control D overview describing its customizable DNS filtering model.
Malware Filter Modes
Control D documentation on its malware-focused filtering behavior.
Privacy
Control D’s current privacy policy page.
Does Control D Collect or Store Your Data
Control D explanation of analytics-related data storage in managed setups.
Browser not using OS DNS
Control D troubleshooting guide on browser DoH bypassing local DNS settings.
Firefox DNS over HTTPS
Mozilla support page explaining Firefox DoH behavior and its effect on local policies.
Check if DNS is working
Control D documentation for verifying whether a configured resolver is actually in use.
