Quad9: more security and privacy in the DNS

It is thanks to the Domain Name System (DNS) that we don’t have to know IP addresses by heart in order to browse the web. Instead, we simply enter the website address into a browser. In other words, the DNS is responsible for what’s known as “name resolution” – using a name server, it converts the URL into the correct IP address.

Most people use the DNS service of their network provider. However, it is possible to access a different DNS server. In recent years, more and more providers have been publishing public servers that are free to use for anybody. The best-known has to be Google’s DNS resolver, but if you’re worried about the security of your data in the hands of the internet giant, you can use a smaller service like Quad9. Rather than a commercial company, Quad9 is a non-profit organization.

What is Quad9?

The organization behind the Quad9 service also goes by the same name and is a consortium that includes IBM, Packet Clearing House (PCH) and the Global Cyber Alliance (GCA). Both, PCH and GCA are advocates for online security and privacy. They share the same aim, namely, to provide a DNS resolver that is both independent from commercial interests and available to users free of charge.

As well as being free to access, Quad9 is specifically focused on security and privacy. The team behind the DNS resolver promises that no user data is collected. Indeed, Quad9’s pioneering role is largely down to its emphasis on security. The service supports both DNS over TLS (DoT) and DNS over HTTPS (DoH). In recent years, it has become increasingly clear that traditional DNS has big security gaps due to a lack of encryption. This makes it more vulnerable to DNS hijacking. The new technologies effectively protect users from cyber criminals and also from government censorship.

Furthermore, Quad9 uses DNSSEC, which ensures that the delivered results are accurate. It also uses blacklists supplied by various security providers to filter out websites that have been classified as harmful. To avoid becoming censorship bodies themselves – after all, in theory, anyone could simply blacklist a website they didn’t like – the different organizations in the consortium check each other’s lists. This prevents any single party from pursuing its own individual interests. Censorship requests from local prosecutors are only applied after a definitive decision has been made in court, and even then, the censorship is only local.

Where can you find Quad9?

The name itself is a giveaway – the IP address is 9.9.9.9. Perhaps it’s also a nod to Google’s service, which you can reach via 8.8.8.8. However, the Quad9 DNS service can also be accessed via other IP addresses (both IPv4 and IPv6):

IP version Address DNSSEC Security filters EDNS
IPv4 9.9.9.9      
IPv4 149.112.112.112      
IPv4 9.9.9.10      
IPv4 149.112.112.10      
IPv4 9.9.9.11      
IPv6 2620:fe::fe      
IPv6 2620:fe::9      
IPv6 2620:fe::10      
IPv6 2620:fe::fe:10      
IPv6 2620:fe::11      

As you can see, Quad9 provides both secure and non-secure access. Of course, the provider recommends using secure connections, which apply DNSSEC and blacklist filters. However, if you’re looking for an entirely unfiltered browsing experience (along with the danger of exposing yourself to risks), you can access the non-secure IP addresses. Quad9 provides two IP addresses, both of which can be entered in your operating system settings. In the event that one of the communication channels is temporarily unavailable, the system can, therefore, switch directly to the other address.

Quad9 also provides an EDNS Client Subnet. This is primarily designed for Content Delivery Networks (CDNs). This type of network is used to make media files available on websites without overloading the central server. The EDNS performs load balancing and can answer CDN requests more rapidly. IoT providers are also involved in order to ensure secure DNS access for smart objects.

If you want to use one of the two encrypted connections, you have to use specific ports. For DoT, you need to use Port 853 and for DoH you need to use the standard HTTP port 443.

Quad9 doesn’t use just one DNS server. If you choose to use the service, your request will be forwarded by Anycast to one of more than 100 servers located all around the globe. With Anycast, multiple servers have the same address, but the system always selects the shortest path.

Note

Fancy giving Quad9 a go? Check out our tutorial to find out how to change your DNS server. Switching to a different provider can be a good option if you often get the “DNS server not responding” message.

Quad9 at a glance

What advantages does switching to Quad9 DNS provide?

  • Available free of charge
  • User data is not recorded
  • Secure connections
  • No government censorship
  • DNS over TLS and DNS over HTTPS
  • DNSSEC
  • Blacklist filters
  • Over 100 servers
  • Run by a non-profit organization

Wait! We’ve got something for you!
Have a look at our great prices for different domain extensions.


Enter the web address of your choice in the search bar to check its availability.
.club
$1/1st year
then $15/year
.com
$1/1st year
then $15/year
.info
$1/1st year
then $20/year
.me
$1/1st year
then $20/year