Public Resolvers
The major public DNS resolvers, how they compare, and why they matter
Your ISP is probably not the best option
Every device connected to the internet uses a recursive DNS resolver — the server that does the work of chasing referrals from root to TLD to authoritative server and returning the final answer. By default, your device uses whatever resolver your ISP assigns. That resolver is often slow, sometimes unreliable, and almost never encrypts your queries.
Public DNS resolvers changed that equation. Starting with Google Public DNS in 2009 and accelerating with Cloudflare’s 1.1.1.1 in 2018, anyone can point their device at a fast, well-maintained resolver operated by a major technology company — for free. Today, public resolvers collectively handle approximately 60% of all recursive DNS traffic globally, and ISP resolvers’ share continues to decline.
The major public resolvers
| Provider | Primary IP | Secondary IP | Avg Latency | Daily Queries |
|---|---|---|---|---|
| Cloudflare | 1.1.1.1 | 1.0.0.1 | 10.36 ms | ~1.9 trillion |
| Google | 8.8.8.8 | 8.8.4.4 | 19.16 ms | ~1+ trillion |
| Quad9 | 9.9.9.9 | 149.112.112.112 | 22 ms | Billions (est.) |
| OpenDNS (Cisco) | 208.67.222.222 | 208.67.220.220 | 25–35 ms | ~620 billion |
Cloudflare (1.1.1.1)
Launched on April 1, 2018 — a date chosen for the memorable 1.1.1.1 address — Cloudflare’s resolver immediately became the fastest public DNS service globally. It operates from 330+ cities worldwide and consistently ranks #1 in DNSPerf benchmarks with an average response time of 10.36 ms.
Cloudflare’s resolver is built on Knot Resolver, developed by CZ.NIC (the Czech domain registry). It supports DNS over HTTPS (DoH), DNS over TLS (DoT), and DNS over QUIC. Cloudflare committed to not logging querier IP addresses and engaged an independent auditor (KPMG) to verify compliance.
The 1.1.1.1 address was previously unused and had accumulated years of junk traffic from misconfigured networks. Cloudflare spent months working with APNIC (the address holder) to clean up the address space before launching the service.
Google Public DNS (8.8.8.8)
Google launched its public DNS on December 3, 2009, making it the oldest major public resolver. It runs on custom-built DNS software — not BIND or any other open-source implementation — across Google’s Core data centers and Edge PoPs globally.
Google Public DNS handles over 1 trillion queries per day (a figure from 2018; the actual number in 2025 is likely significantly higher) and accounts for roughly 30% of all public DNS traffic — the largest share of any single provider. It supports DoH and DoT.
Google’s resolver was originally built with a focus on speed and correctness. It pioneered several resolver optimizations including aggressive prefetching of popular records before they expire.
Quad9 (9.9.9.9)
Quad9 launched in November 2017 as a security-focused, non-profit resolver. It operates 259 server clusters in 106 countries across six continents, built on the global infrastructure of Packet Clearing House (PCH).
What sets Quad9 apart is threat blocking. It integrates threat intelligence feeds and blocks resolution of known malicious domains — currently stopping over 100 million malware and phishing attacks per day. This happens transparently; queries for malicious domains simply return NXDOMAIN.
Quad9’s performance varies dramatically by region. In Europe, it is exceptionally fast — 4.35 ms average — often faster than Cloudflare and Google. In North America, it averages 7.21 ms. In regions with less infrastructure coverage, latency increases.
OpenDNS / Cisco Umbrella (208.67.222.222)
The oldest public resolver on this list, OpenDNS launched in 2006 and was acquired by Cisco in 2015. It serves 620 billion queries per day to 85+ million end users and 30,000+ enterprise customers across 190+ countries.
OpenDNS pioneered the concept of DNS-based content filtering and security for consumers. Under Cisco’s ownership, it evolved into Cisco Umbrella, an enterprise security product that uses DNS as the first line of defense against threats.
Regional performance
Global average latency tells only part of the story. Resolver performance varies significantly by region because it depends on the proximity of resolver instances to the user:
| Region | Cloudflare | Google | Quad9 |
|---|---|---|---|
| Europe | ~8–12 ms | ~7 ms | 4.35 ms |
| North America | ~8–12 ms | ~8.5 ms | 7.21 ms |
| Asia-Pacific | ~15–25 ms | ~20–30 ms | ~25–40 ms |
| South America | ~20–30 ms | ~15–25 ms | ~25–40 ms |
| Africa | ~30–50 ms | ~40–60 ms | ~40–60 ms |
At the city level, performance can be dramatically better. Quad9 achieves 1.14 ms in Frankfurt and 1.50 ms in New York — latencies so low that DNS resolution adds virtually nothing to connection time.
Cloudflare outperforms Google DNS by 20–40% on average globally. Both outperform typical ISP resolvers by 300–500%.
Performance tiers
| Response Time | Rating | Context |
|---|---|---|
| Under 10 ms | Excellent | Local/regional, well-peered resolvers |
| 10–20 ms | Very Good | Most public DNS services |
| 20–50 ms | Good | Typical for most users worldwide |
| 50–100 ms | Acceptable | Remote regions, congested networks |
| Over 100 ms | Poor | Significant user-perceivable delay |
What to consider when choosing
Speed is the most measurable differentiator, but it is not the only one.
Privacy varies considerably. Cloudflare and Quad9 commit to minimal logging and independent audits. Google logs query data and retains it for 24–48 hours in full, then stores anonymized data longer. OpenDNS/Cisco Umbrella retains data for enterprise security features.
Security features differ too. Quad9 blocks malicious domains by default. Cloudflare offers optional malware blocking through its 1.1.1.2 and 1.1.1.3 addresses. Google does not block anything. OpenDNS offers configurable filtering.
Encrypted DNS support is now table stakes. All four major resolvers support DoH and DoT. Cloudflare also supports DNS over QUIC. Encrypted DNS prevents your ISP or anyone else on the network path from seeing your queries — a significant privacy improvement over traditional plaintext DNS.
EDNS Client Subnet (ECS) is a protocol extension that helps CDNs serve geographically optimal content. Google and OpenDNS support ECS; Cloudflare and Quad9 do not, citing privacy concerns. If you use a CDN-heavy service and care about content delivery optimization, a resolver that supports ECS may route you to closer CDN nodes.
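To make the ECS privacy trade-off concrete, the following added example (not code from this page or from any resolver operator) builds the upstream query an ECS-enabled resolver would send and then parses it to show exactly which client subnet is disclosed to the authoritative server. The 24-bit IPv4 and 56-bit IPv6 prefix lengths, the client addresses (documentation ranges) and the function names are assumptions made for the illustration.

```python
import ipaddress
import struct

ECS_OPTION, OPT_TYPE = 8, 41  # RFC 7871 option code, RFC 6891 OPT record type


def encode_name(name):
    """Encode a hostname as uncompressed DNS labels."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"


def build_query(name, client_ip=None, prefix_len=24):
    """Build the A query a resolver sends upstream; with client_ip set, attach
    the ECS option carrying the client's address truncated to prefix_len bits."""
    options = b""
    if client_ip is not None:
        net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
        addr = net.network_address.packed[: (prefix_len + 7) // 8]
        ecs = struct.pack("!HBB", 1 if net.version == 4 else 2, prefix_len, 0) + addr
        options = struct.pack("!2H", ECS_OPTION, len(ecs)) + ecs
    header = struct.pack("!6H", 0x1234, 0, 1, 0, 0, 1)       # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(options)) + options
    return header + question + opt


def skip_name(msg, pos):
    """Advance past an uncompressed name and return the next offset."""
    while msg[pos]:
        pos += msg[pos] + 1
    return pos + 1


def disclosed_subnet(msg):
    """Return the client subnet a query discloses via ECS, or None."""
    qdcount, _an, _ns, arcount = struct.unpack("!4H", msg[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4                        # QTYPE + QCLASS
    for _ in range(arcount):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        while rtype == OPT_TYPE and len(rdata) >= 4:         # walk EDNS options
            code, olen = struct.unpack("!2H", rdata[:4])
            body, rdata = rdata[4:4 + olen], rdata[4 + olen:]
            if code == ECS_OPTION and olen >= 4:
                family, src_len, _scope = struct.unpack("!HBB", body[:4])
                addr = body[4:].ljust(4 if family == 1 else 16, b"\x00")
                return str(ipaddress.ip_network(
                    f"{ipaddress.ip_address(addr)}/{src_len}", strict=False))
    return None
```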
Market share trends
| Provider | Estimated Share of Public DNS |
|---|---|
| Google (8.8.8.8) | ~30% |
| AWS (Route 53 Resolver) | ~16% |
| Cloudflare (1.1.1.1) | ~14–15% |
| ISP Resolvers (combined) | ~40% |
| Quad9 | ~2–4% |
| OpenDNS / Cisco Umbrella | ~2–3% |
The trend is clear: traffic is consolidating toward a handful of large public resolvers. A 2020 study found increasing concentration of recursive DNS traffic, raising concerns about centralizing a system that was designed to be distributed. If Google’s resolver experienced a prolonged outage, roughly 30% of the internet’s DNS lookups would fail — a concentration of risk that the original DNS architecture was explicitly designed to prevent.