Comparison Table of Public DNS Providers
| DNS Provider | Primary DNS IPs | Filters | DNSSEC | DNS over TLS (DoT) | DNS over HTTPS (DoH) | DNSCrypt |
|---|---|---|---|---|---|---|
| Google Public DNS | 8.8.8.8, 8.8.4.4 | No filtering | Yes | Yes | Yes | No |
| Cloudflare (1.1.1.1) | 1.1.1.1, 1.0.0.1 | Optional (malware/adult via 1.1.1.2, 1.1.1.3) | Yes | Yes | Yes | No |
| OpenDNS (Cisco) | 208.67.222.222, 208.67.220.220 | Yes (customizable, parental controls) | Yes | Yes | Yes | Yes |
| AdGuard DNS | 94.140.14.14, 94.140.15.15 | Yes (ads, trackers, malware) | Yes | Yes | Yes | Yes |
| Quad9 | 9.9.9.9, 149.112.112.112 | Yes (malware, phishing) | Yes | Yes | Yes | Yes |
| CleanBrowsing | 185.228.168.168, 185.228.169.168 | Yes (security, adult, family tiers) | Yes | Yes | Yes | Yes |
| NextDNS | Custom (via account) | Yes (customizable filters) | Yes | Yes | Yes | Yes |
| Verisign DNS | 64.6.64.6, 64.6.65.6 | No filtering | Yes | No | No | No |
What is DNS Filtering?
DNS filtering is a feature that blocks unwanted content—like ads, malware, phishing sites, or adult material—before it reaches your device. Providers like AdGuard DNS (94.140.14.14) and Quad9 (9.9.9.9) excel here, offering built-in protection against trackers and threats. OpenDNS (208.67.222.222) and CleanBrowsing (185.228.168.168) let you customize filters for family safety or workplace compliance, while Cloudflare (1.1.1.1) offers optional malware and adult content blocking via alternate IPs (1.1.1.2, 1.1.1.3). If you just want fast, unfiltered DNS, Google Public DNS (8.8.8.8) or Verisign DNS (64.6.64.6) skips filtering entirely. Choosing a DNS with filtering depends on your needs—security, ad-free browsing, or parental controls.
What is DNSSEC (Domain Name System Security Extensions)?
DNSSEC adds a layer of security to DNS by verifying that the website you’re visiting is legitimate, preventing “man-in-the-middle” attacks where hackers redirect you to fake sites. It uses digital signatures to ensure the DNS data hasn’t been tampered with. Good news: all providers in this table—Google Public DNS (8.8.8.8), Cloudflare (1.1.1.1), NextDNS, and more—support DNSSEC. This makes them reliable for secure browsing, whether you’re shopping online or accessing sensitive data. If you’re comparing DNS providers, DNSSEC support is a must-have for modern internet safety.
What is DNS over TLS (DoT)?
DNS over TLS (DoT) encrypts your DNS queries using the TLS protocol, keeping your browsing private from ISPs, hackers, or anyone snooping on public Wi-Fi. It runs on a dedicated port (853), making it easy for devices to prioritize security. Most providers here, like Quad9 (9.9.9.9), AdGuard DNS (94.140.14.14), and Cloudflare (1.1.1.1), support DoT, ensuring your data stays confidential. Verisign DNS (64.6.64.6) is the exception, lacking encrypted options. For privacy-focused users, picking a DNS with DoT—like NextDNS or CleanBrowsing (185.228.168.168)—is a smart move.
What is DNS over HTTPS (DoH)?
DNS over HTTPS (DoH) also encrypts DNS queries but wraps them in HTTPS traffic (port 443), blending them with regular web activity for extra stealth. This makes it harder for ISPs or firewalls to block DNS traffic. Providers like Google Public DNS (8.8.8.8), Cloudflare (1.1.1.1), and OpenDNS (208.67.222.222) support DoH, as do AdGuard DNS (94.140.14.14) and Quad9 (9.9.9.9). Again, Verisign DNS (64.6.64.6) skips this feature. DoH is ideal if you want privacy without changing your browser settings—many modern browsers (e.g., Chrome, Firefox) natively support it with these providers.
What is DNSCrypt?
DNSCrypt is an older encryption protocol that secures DNS queries between your device and the resolver, preventing eavesdropping or spoofing. While it’s less common today (replaced by DoT and DoH in many cases), it’s still supported by OpenDNS (208.67.222.222), AdGuard DNS (94.140.14.14), Quad9 (9.9.9.9), CleanBrowsing (185.228.168.168), and NextDNS. Big names like Google Public DNS (8.8.8.8) and Cloudflare (1.1.1.1) don’t use it, favoring newer standards. DNSCrypt is a solid choice if you’re using older software or need a lightweight encryption option, though DoT and DoH are more future-proof.