I’ve been in conversations where people assume privacy starts with apps, browsers, or VPNs, and I wonder why DNS is not thrown into these conversations.
It’s a system that constantly runs in the background to translate web addresses into IP addresses, and changing it is my first suggestion when it comes to privacy. By changing it, especially to a privacy-focused option like Quad9, you change a major default behavior, altering what the network can expose even before other components load.
DNS is the invisible layer shaping everything you do online
Why every website you open starts with a request you don’t see
When you open a website, one of the first things your device does is query a DNS server to determine the site’s IP address. This seemingly routine task has one of the most consistent metadata trails. But it’s different from most other forms of tracking because it happens even before a page loads.
Intent is an element people don’t always bother to protect. Even though you rely on HTTPS for content protection, ISPs and default DNS providers may be able to build a picture of your searches, website visits, and what you read. This still holds even if the page is encrypted. This isn’t an exotic surveillance scheme; it’s just the default structure of the internet.
Visibility typically sits on these three layers:
| Layer | What is exposed |
|---|---|
| HTTPS | Page content is encrypted and hidden from third parties |
| DNS query | The domain name (e.g., mentalhealth.org) is visible to your DNS resolver |
| IP connection | The destination server address remains visible to your ISP |
While DNS doesn’t expose everything, it consistently reveals the destination even though it never sees the actual content. This becomes more significant on public Wi-Fi, where DNS requests may not be encrypted and are passed through the network’s default resolvers. This gives the network provider visibility into the domain lookups you make in real time. Quad9 helps mitigate this default behavior.
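To make the DNS row of the table concrete, here is an added example (not part of the original article) that encodes a standard unencrypted DNS query for the article's sample domain and then reads the name back out of the raw bytes, as any device on the network path could. The function names and the transaction ID are illustrative choices.

```python
import struct

def build_query(domain: str, txid: int = 0x1A2B) -> bytes:
    """Encode a standard DNS A-record query as sent in plaintext over UDP port 53."""
    # Header: ID, flags (recursion desired), 1 question, 0 answer/authority/additional
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in domain.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def observed_names(payload: bytes) -> list[str]:
    """Return the domain names readable from a plaintext DNS query payload."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    _, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:
        raise ValueError("this is a response, not a query")
    names, pos = [], 12
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(payload):
                raise ValueError("truncated question")
            length = payload[pos]
            pos += 1
            if length == 0:  # root label terminates the name
                break
            if length > 63 or pos + length > len(payload):
                raise ValueError("invalid or truncated label")
            labels.append(payload[pos:pos + length].decode("ascii", "replace"))
            pos += length
        if pos + 4 > len(payload):
            raise ValueError("missing QTYPE/QCLASS")
        pos += 4  # skip QTYPE and QCLASS
        names.append(".".join(labels))
    return names

# Constructed sample: the query a device would send for the article's example domain.
SAMPLE = build_query("mentalhealth.org")

if __name__ == "__main__":
    print(SAMPLE.hex())            # the label bytes appear unencrypted in the payload
    print(observed_names(SAMPLE))  # what a passive observer recovers
```

Nothing in the payload is encrypted, which is why the choice of resolver, and whether the query travels over DNS-over-TLS or DNS-over-HTTPS, determines who can read these names.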
Quad9 replaces your default DNS with a security-first resolver
A nonprofit structure built so there’s nothing to monetize
The main idea of Quad9 is to stop your DNS traffic from being used for profiling or commercial gain. It’s different from Google and Cloudflare in the sense that it’s not affiliated with any advertising business or adjacent businesses that may benefit from knowing your browsing habits.
Quad9’s privacy policy is also more tangible than most of the competition. Quad9 does not log IP addresses for DNS queries. Architecturally, this information is dropped at the network edge. However, it retains city-level aggregate geographic information for network capacity planning. Quad9 DNS is stripped of any mechanism that can store or collect personally identifiable DNS data.
Functionally, it operates differently from standard resolvers: it ensures that a connection to a flagged domain is never completed. It does this by working with security partners to block domains that host malware, phishing pages, or botnet infrastructure. This is an important security point because many phishing attacks succeed after an accidental click.
But it runs deeper. In 2021, when Sony Music tried to use a Hamburg court injunction to compel Quad9 to block domains globally, Quad9 fought back and won the case. The fact that a DNS company was willing to go to court and defend its operational neutrality is a significant credibility signal. The core of Quad9 is to change the defaults of what internet connections allow through.
Switching to Quad9 takes minutes and covers your entire network
Router-level setup is the only step most people actually need
The primary addresses are:
- 9.9.9.9 – secure, malware-blocking (recommended default)
- 149.112.112.112 – secondary
For best results, set up Quad9 on your router. This ensures devices connected to that network automatically use Quad9 without needing individual tweaks. However, you will have to fall back to a device-level setup if you need to use devices outside your home network. This could be Windows’ manual DNS, macOS’ network settings, Android’s Private DNS mode, or iOS’ per-network Wi-Fi DNS settings.
With Quad9, you may choose between three distinct service options:
| Address | What it does | When to use it |
|---|---|---|
| 9.9.9.9 | Secure DNS with malware and phishing blocking | Default choice for most users |
| 9.9.9.10 | Unfiltered DNS, no blocking of any kind | Use for debugging or when you want pure DNS resolution |
| 9.9.9.11 | Secure DNS with ECS enabled for CDN optimization | If you notice slower loading on major streaming or CDN-heavy sites |
Some routers require HTTP/2 to use DNS-over-HTTPS with Quad9; if your router only supports HTTP/1.1, the connection may fail without any error message. If this happens, switching to DNS-over-TLS will fix it. Confirm the fix by running a leak test and checking for Quad9 IP addresses.
Quad9 compared to mainstream DNS providers
Google Public DNS and Cloudflare 1.1.1.1 are the more common alternatives to Quad9. These are core differences I noticed when using them:
| | Quad9 | Cloudflare 1.1.1.1 | Google 8.8.8.8 |
|---|---|---|---|
| Organization type | Nonprofit foundation | Commercial CDN company | Commercial advertising company |
| Malware blocking | Yes, on by default | Optional — requires switching to 1.1.1.2 | No |
| IP address logging | Never stored | Deleted within 24 hours, KPMG-audited | Anonymized after two weeks |
| Legal jurisdiction | Switzerland | United States | United States |
| Primary purpose | Security and privacy | Speed and reliability | Ecosystem performance |
There are structural differences between these options. Cloudflare is also a good privacy option and a favorite for anyone who prioritizes raw speed. However, the position of Quad9 is narrower. It resolves DNS, blocks known threats, and has no commercial incentive to monetize DNS data.
Even though it doesn’t anonymize browsing or encrypt your full traffic, it can significantly reduce phishing and malware exposure.
