For users who want a free public DNS resolver and do not need configurable filtering, two products dominate: Cloudflare’s 1.1.1.1 and Quad9’s 9.9.9.9. Both are encrypted (DoH and DoT supported), both are fast, both have reasonable privacy stories. They differ in some specific ways that matter for some users.
What each one is
Cloudflare’s 1.1.1.1 is operated by Cloudflare Inc., the US-based CDN and edge infrastructure company. Launched in 2018 with the explicit pitch of “fast and private.” Cloudflare publishes a privacy policy specifically for the DNS service stating queries are not retained beyond 24 hours and are not used for advertising. The service is audited annually by KPMG.
Quad9 is operated by the Quad9 Foundation, a nonprofit organization based in Switzerland (since 2022). Originally launched in 2017 as a project of IBM, PCH, and the Global Cyber Alliance. The service includes optional malware-domain blocking by default; queries to known-malicious domains return as if the domain does not exist.
Both services run distributed Anycast networks with hundreds of points of presence globally. Both are free and require no signup.
What each one does well
Cloudflare 1.1.1.1:
- Excellent latency in most regions (Cloudflare’s network is genuinely vast)
- Multiple variants: 1.1.1.1 (standard), 1.1.1.2 (malware blocking), 1.1.1.3 (malware + adult content blocking)
- Browser DoH support requires no setup beyond enabling
- Audit history is solid (KPMG)
- Brand stability extremely high
Quad9:
- Nonprofit, mission-aligned with privacy and security
- Swiss jurisdiction with GDPR-style protections
- Default malware blocking that does not require choosing a specific variant
- IBM, PCH, Global Cyber Alliance origins lend technical credibility
- DNSSEC validation enabled by default
What each one does less well
Cloudflare 1.1.1.1:
- Cloudflare’s broader corporate position (US company with significant US-government interactions, increasingly concentrated edge infrastructure) makes some users uncomfortable
- The “we will not log” promise depends on Cloudflare continuing to honor it; corporate continuity over decades is uncertain
- The malware blocking variants (1.1.1.2 and 1.1.1.3) are less granular than dedicated services
- No options for adding custom blocklists
Quad9:
- The latency is generally good but not always as good as Cloudflare in all regions
- The default malware blocking can occasionally false-positive on legitimate sites
- The brand recognition is lower than Cloudflare; some non-technical users do not recognize 9.9.9.9 as a legitimate service
- The IBM/PCH historical involvement gives some users pause about who is involved
Side by side
| Feature | Cloudflare 1.1.1.1 | Quad9 |
|---|---|---|
| Cost | Free | Free |
| Account required | No | No |
| Encrypted (DoH/DoT) | Yes | Yes |
| Latency | Excellent globally | Good globally |
| Malware blocking | Optional (1.1.1.2 / 1.1.1.3) | Yes (default) |
| Adult content blocking | Optional (1.1.1.3) | Optional (9.9.9.10) |
| DNSSEC | Yes | Yes (enforced) |
| Audit history | Annual by KPMG | Periodic |
| Jurisdiction | US (Cloudflare HQ) | Switzerland (Foundation) |
| Corporate structure | For-profit corporation | Nonprofit foundation |
| Logging policy | 24-hour retention, not for advertising | Minimal logging |
For users who specifically want a nonprofit-operated DNS service: Quad9.
For users who want maximum performance and the largest corporate-stability backing: Cloudflare 1.1.1.1.
For users with no specific preference: either is a reasonable default.
Specific use cases
For default DNS on personal devices where you trust whoever is operating: either works.
For DNS at a company or school where malware blocking is desired by default: Quad9 (default malware blocking) or Cloudflare 1.1.1.2 (explicit choice).
For DNS in a household where parental controls matter: Cloudflare 1.1.1.3 (malware + adult content) or Quad9 (malware) plus a separate parental control DNS service.
For users who specifically need configurable blocking, custom lists, per-device profiles, query logs: neither. Pay for NextDNS, ControlD, or AdGuard DNS Premium.
A specific recommendation
For most users wanting free encrypted DNS without configuration: Cloudflare 1.1.1.1. The latency is excellent and the setup is one IP address.
For users who want the nonprofit-aligned alternative: Quad9 9.9.9.9. Same simplicity, different corporate model.
For users who want anything more configurable: pay for NextDNS or ControlD ($20/year). The functionality gap from free public DNS to configurable hosted DNS is meaningful.
For users who want to self-host DNS: Pi-hole or AdGuard Home on a Raspberry Pi.
Related: Encrypted DNS friendly guide, NextDNS deep review after a year