Choosing a Public DNS Resolver

Original link: https://evilbit.de/dns-resolver-guide.html

Choosing a public DNS resolver means trading off speed, privacy, security and features. This guide provides an interactive tool that compares 29 global resolvers against your own priorities (such as jurisdiction, parental controls or malware blocking). The main findings highlight several trade-offs:

* **Performance:** plain DNS is the fastest, but the encrypted transports (DoH, DoT and the newer, efficient DoQ) add only a small latency cost while protecting the query in transit.
* **Privacy:** encryption prevents eavesdropping but does not hide your activity from the resolver itself. For stronger privacy, consider no-logging operators or an "oblivious" design (ODoH) that decouples your identity from your queries.
* **Security:** prioritise providers that perform DNSSEC validation, to guard against forged records.
* **Nuances:** features such as EDNS Client Subnet (ECS) improve CDN performance at the cost of privacy. Operator quality also varies widely; choose well-maintained, transparent operators rather than relying on legacy or unverified services.

Ultimately there is no one-size-fits-all answer. Users must weigh the data against their own needs to choose a resolver that balances reliability with the degree of control they want.

Original text

Choosing a Public DNS Resolver
Independent reference

Pick what matters to you, such as privacy, malware blocking, parental controls, speed, IPv6, or a specific jurisdiction, and the finder narrows 29 global public resolvers to the ones that fit. A full comparison table and research-backed decision notes follow.

Step 1 · Interactive finder

Find a resolver for your requirements

Check what matters to you. Transport, DNSSEC, IPv6, jurisdiction and operator type are hard filters. The priorities are scored and ranked.

Step 2 · Full comparison

All 29 global public resolvers

Click a column header to sort. Search by name, operator, jurisdiction, or feature. Filter-variant addresses (malware, family, unfiltered) are listed in the Filtering cell.

Evidence

How to decide: what the research says

Findings from peer-reviewed DNS measurement studies that should shape the trade-offs above.

Speed: plain DNS has the lowest latency, but encrypted keeps up

Encrypted transports (DoH and DoT) add latency per query, yet whole-page load times are often close to plain DNS, and DoH's overhead is small in practice. On lossy or high-latency links, plain Do53 (unencrypted DNS on port 53) still wins. Performance also varies by provider and region, so the fastest resolver depends on where you are.

Hounsel et al., WWW 2020; Böttger et al., IMC 2019; Chhabra et al., IMC 2021.

Encrypted DNS resists tampering, not just snooping

The largest end-to-end study of encrypted DNS found queries are far less likely to be intercepted or altered in transit than plain DNS, with only minor overhead. Operator quality varies, though: about 25% of DoT providers in that study served invalid TLS certificates, so favour well-run providers.

Lu et al., IMC 2019.

Encryption hides queries from the network, not from the resolver

Whichever provider you choose still sees every domain you look up. If that worries you, prefer no-logging operators, or an oblivious design (ODoH) where a proxy separates your identity from your queries so no single party sees both, provided the proxy and the target resolver do not collude. Cloudflare and Apple have deployed ODoH.

Schmitt, Edmundson & Feamster, PoPETS 2019; Singanamalla et al., 2021.

DNSSEC validation is what stops forged answers

Only a validating resolver protects you from spoofed records, and only for zones that are actually signed. Google, Cloudflare and Quad9 all validate, and they handled the first root-key (KSK) rollover without breaking users. If integrity matters, treat DNSSEC validation as a must, and keep in mind that validation at the resolver covers the resolver's own lookups: the answer still travels to you unverified unless the transport is encrypted or you validate locally. A validating resolver signals its work by setting the AD (Authentic Data) flag on answers for signed names.

Müller et al., IMC 2019.

ECS trades speed for privacy

EDNS Client Subnet forwards a truncated prefix of your IP address (commonly /24 for IPv4 and /56 for IPv6) to authoritative servers so that CDNs can geo-route you more precisely. Google and OpenDNS send it for sharper CDN mapping; Cloudflare and standard Quad9 leave it off for privacy. Pick based on which you value more.

"A Look at the ECS Behavior of DNS Resolvers", IMC 2019.
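As a worked check for the two points above (whether a resolver validates DNSSEC, and how much of your address an ECS option discloses), and for the invalid-certificate caveat under Lu et al., here is an added example in Python using only the standard library. It is not code from this page or from any resolver operator. It builds a query with the EDNS DO bit, optionally attaches an RFC 7871 ECS option truncated to a chosen prefix, sends it over DNS-over-TLS with full chain and hostname verification, and reads the AD flag and RCODE back. The resolver address and name used in main() (Quad9, 9.9.9.9 / dns.quad9.net) and the two test names are assumptions for illustration; confirm current addresses on the operator's own site.

```python
"""Check a resolver's DNSSEC validation over DoT and build the ECS option it may forward.

Added example for this page, not code from evilbit.de or any resolver operator.
Assumed for illustration: the resolver address/name in main() and the test names.
"""
import ipaddress
import socket
import ssl
import struct

OPT_ECS = 8          # EDNS Client Subnet option code (RFC 7871)
DO_FLAG = 0x8000     # DNSSEC OK bit in the OPT TTL field (RFC 6891)
RCODE_SERVFAIL = 2


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus root terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ecs_option(addr: str, prefix_len: int) -> bytes:
    """RFC 7871 ECS option. Only the first prefix_len bits of the address are
    sent (the rest are zeroed), which is exactly how much of you a CDN learns."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    nbytes = (prefix_len + 7) // 8
    data = struct.pack("!HBB", 1 if ip.version == 4 else 2, prefix_len, 0)
    data += net.network_address.packed[:nbytes]
    return struct.pack("!HH", OPT_ECS, len(data)) + data


def build_query(qname: str, qtype: int = 1, qid: int = 0x1234,
                ecs: bytes = b"", do: bool = True) -> bytes:
    """Query with RD=1, CD=0 and an OPT RR; CD=0 is what makes AD in the reply meaningful."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)      # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode|version|DO+Z
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, DO_FLAG if do else 0, len(ecs)) + ecs
    return header + question + opt


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte header; AD (Authentic Data) means the resolver validated."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "rcode": flags & 0x000F, "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "tc": bool(flags & 0x0200), "answers": an}


def validation_verdict(signed_ok: dict, signed_bogus: dict) -> str:
    """signed_ok: header for a correctly signed name; signed_bogus: header for a
    name whose signature is deliberately broken. A validating resolver sets AD
    on the first and answers SERVFAIL on the second."""
    if signed_ok["ad"] and signed_bogus["rcode"] == RCODE_SERVFAIL:
        return "validating"
    if not signed_ok["ad"] and signed_bogus["rcode"] == 0:
        return "not validating"
    return "inconclusive"


def recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def query_dot(server_ip: str, server_name: str, msg: bytes, timeout: float = 5.0) -> bytes:
    """DNS-over-TLS (RFC 7858): 2-byte length prefix over TLS on port 853.
    The default context verifies chain and hostname, so a resolver serving an
    invalid certificate raises ssl.SSLError instead of being silently trusted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=server_name) as tls:
        tls.sendall(struct.pack("!H", len(msg)) + msg)
        (length,) = struct.unpack("!H", recv_exact(tls, 2))
        return recv_exact(tls, length)


if __name__ == "__main__":
    # Assumed endpoint; cloudflare.com is a signed zone, dnssec-failed.org a deliberately broken one.
    ip, name = "9.9.9.9", "dns.quad9.net"
    ok = parse_header(query_dot(ip, name, build_query("cloudflare.com", qid=1)))
    bogus = parse_header(query_dot(ip, name, build_query("dnssec-failed.org", qid=2)))
    print(f"{name}: {validation_verdict(ok, bogus)} (AD={ok['ad']}, bogus RCODE={bogus['rcode']})")
    print("ECS option for 192.0.2.77 at /24:", ecs_option("192.0.2.77", 24).hex())
```

A validating resolver answers the signed name with AD set and the deliberately broken one with SERVFAIL; if AD comes back clear and the broken name resolves, the resolver is not validating. Sending CD=0 matters: a query with CD=1 tells the resolver to skip validation, so AD would never be set. In the ECS option only the first prefix_len bits of the client address survive, which is the whole of the privacy trade-off described above.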

Jurisdiction and centralization matter too

The operator's legal home governs what can be compelled or logged, and a handful of providers now carry a large share of the world's recursive traffic. The U.S. NSA has also warned that external resolvers bypass internal DNS filtering and inspection, so weigh control against convenience.

Moura et al., IMC 2020; NSA guidance, 2021.

DNS-over-QUIC measured as the fastest encrypted transport

A 2022 measurement of DoQ found it already beat both DoT and DoH on response time, though about 40% of handshakes were slowed by QUIC's address-validation (anti-amplification) limit. Where your client and resolver both support it (Quad9, AdGuard, NextDNS, Control D, Mullvad, UncensoredDNS, and the Chinese majors in the comparison table), DoQ is the encrypted option to prefer.

Kosek et al., PAM 2022.

DNSCrypt: the oldest encrypted option, and the hardest to measure

DNSCrypt predates DoH, DoT, and DoQ (version 2 dates to 2013). It encrypts from the first packet using a resolver's pre-shared public key, so there is no plaintext hostname lookup and no dependency on certificate authorities, and its Anonymized DNS mode (2019) also hides client IPs. Among the resolvers here it is offered by Quad9, OpenDNS, AdGuard, NextDNS, Control D, and Yandex. Reliable usage numbers are scarce, though: population-scale measurements such as APNIC Labs track DoH and DoT but not DNSCrypt, so there is no trustworthy public figure for how many people use it.

DNSCrypt Project; APNIC Labs encrypted-DNS measurement.

Encryption does not hide which sites you visit

Even over DoH, traffic analysis can identify the domains you visit with high accuracy, and the standard EDNS padding does not fully prevent it. If that threat model applies to you, pair encrypted DNS with Tor or an oblivious design rather than relying on padding.

Siby et al., NDSS 2020.

Public resolvers do not behave the same way

A 2023 study of Extended DNS Errors across major resolvers found they disagreed on diagnostic error reporting in 94% of test cases, with Cloudflare the most precise. Implementation quality and standards compliance differ between providers, which affects troubleshooting and reliability.

Nosyk, Korczyński & Duda, IMC 2023.
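Because resolvers disagree on how they report Extended DNS Errors, the practical troubleshooting aid is a client that surfaces whatever EDE a resolver does return, so a bare SERVFAIL can be told apart from "DNSSEC Bogus", "Blocked" or "No Reachable Authority". The following is an added example in Python (standard library only), not code from this page or from any resolver. It walks a DNS response to its OPT record and decodes RFC 8914 options; the sample response it parses is hand-constructed here, not captured from a real resolver.

```python
"""Extract Extended DNS Errors (RFC 8914) from a DNS response so a SERVFAIL
says why the resolver failed.

Added example for this page, not code from evilbit.de or any resolver.
The sample message below is constructed, not captured.
"""
import struct

TYPE_OPT = 41
OPT_EDE = 15  # Extended DNS Error option code
EDE_CODES = {
    0: "Other", 1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    3: "Stale Answer", 4: "Forged Answer", 5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus",
    7: "Signature Expired", 8: "Signature Not Yet Valid", 9: "DNSKEY Missing",
    10: "RRSIGs Missing", 11: "No Zone Key Bit Set", 12: "NSEC Missing", 13: "Cached Error",
    14: "Not Ready", 15: "Blocked", 16: "Censored", 17: "Filtered", 18: "Prohibited",
    19: "Stale NXDOMAIN Answer", 20: "Not Authoritative", 21: "Not Supported",
    22: "No Reachable Authority", 23: "Network Error", 24: "Invalid Data",
}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (compression pointers included)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_edes(msg: bytes) -> list[tuple[int, str, str]]:
    """Return [(info-code, name, extra-text), ...] from every OPT RR in msg."""
    _qid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # skip QTYPE + QCLASS
    found = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != TYPE_OPT:
            continue
        pos = 0
        while pos + 4 <= len(rdata):   # walk the EDNS option list
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            data = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == OPT_EDE and len(data) >= 2:
                (info,) = struct.unpack("!H", data[:2])
                text = data[2:].decode("utf-8", errors="replace")
                found.append((info, EDE_CODES.get(info, "Unassigned"), text))
    return found


def explain(msg: bytes) -> str:
    """One-line summary: RCODE plus any EDE detail, for troubleshooting output."""
    rcode = struct.unpack("!H", msg[2:4])[0] & 0x000F
    parts = [f"EDE {c} {n}" + (f" ({t})" if t else "") for c, n, t in parse_edes(msg)]
    return f"{RCODES.get(rcode, str(rcode))}: {'; '.join(parts) or 'no EDE'}"


def build_sample_response(with_ede: bool = True) -> bytes:
    """Constructed SERVFAIL for dnssec-failed.org/A, optionally carrying EDE 6."""
    header = struct.pack("!HHHHHH", 0xBEEF, 0x8182, 1, 0, 0, 1)   # QR RD RA, RCODE 2
    question = b"\x0ddnssec-failed\x03org\x00" + struct.pack("!HH", 1, 1)
    rdata = b""
    if with_ede:
        ede = struct.pack("!H", 6) + b"validation failure"
        rdata = struct.pack("!HH", OPT_EDE, len(ede)) + ede
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 1232, 0, 0, 0x8000, len(rdata)) + rdata
    return header + question + opt


if __name__ == "__main__":
    print(explain(build_sample_response()))        # SERVFAIL: EDE 6 DNSSEC Bogus (validation failure)
    print(explain(build_sample_response(False)))   # SERVFAIL: no EDE
```

Feed the raw bytes returned by any resolver (UDP, DoT or DoH wire format all carry the same message) to explain(); a resolver that returns no EDE at all is itself a data point about its standards compliance.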

References
  • A. Hounsel et al., "Comparing the Effects of DNS, DoT, and DoH on Web Performance", WWW 2020 (arXiv:1907.08089).
  • T. Böttger et al., "An Empirical Study of the Cost of DNS-over-HTTPS", ACM IMC 2019.
  • R. Chhabra, P. Murley, D. Kumar, M. Bailey, G. Wang, "Measuring DNS-over-HTTPS Performance Around the World", ACM IMC 2021.
  • C. Lu et al., "An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?", ACM IMC 2019.
  • M. Kosek et al., "One to Rule Them All? A First Look at DNS over QUIC", PAM 2022 (arXiv:2202.02987).
  • S. Siby et al., "Encrypted DNS => Privacy? A Traffic Analysis Perspective", NDSS 2020 (arXiv:1906.09682).
  • P. Schmitt, A. Edmundson, N. Feamster, "Oblivious DNS: Practical Privacy for DNS Queries", PoPETS 2019 (arXiv:1806.00276).
  • S. Singanamalla et al., "Oblivious DNS over HTTPS (ODoH)", arXiv:2011.10121.
  • M. Müller et al., "Roll, Roll, Roll your Root: Analysis of the First Ever DNSSEC Root KSK Rollover", ACM IMC 2019.
  • "A Look at the ECS Behavior of DNS Resolvers", ACM IMC 2019.
  • G. Moura, S. Castro, W. Hardaker, M. Wullink, C. Hesselman, "Clouding up the Internet: how centralized is DNS traffic becoming?", ACM IMC 2020.
  • Y. Nosyk, M. Korczyński, A. Duda, "Extended DNS Errors: Unlocking the Full Potential of DNS Troubleshooting", ACM IMC 2023.
Operational and community data

Not peer-reviewed, but authoritative and continuously updated. Useful for checking the live state of the resolver ecosystem.

Smaller and community-run resolvers

Niche, hobby, or single-operator services that are not in the comparison above. Worth knowing about, but check their current status and policies before relying on them.

  • DNS4all (194.0.5.3): European resolver focused on neutrality and performance; unfiltered.
  • BlahDNS: open-source hobby ad-blocking project with DoH, DoT, and DoQ, run on small regional servers.
  • LibreDNS: community resolver by LibreOps with ad-blocking and a no-logging policy; DoH and DoT.
  • Dismail.de: privacy-focused German community resolver with no logging; DoH and DoT.
  • Legacy or discontinued services to avoid: Oracle Dyn, Level3 (4.2.2.x), Freenom World, dns0.eu (use DNS4EU or NextDNS instead) and Norton ConnectSafe still appear in older lists but are legacy, unofficial, or discontinued.
Data sources and caveats. Resolver characteristics come from the live Wikipedia "Public recursive name server" feature matrix and provider documentation (including CIRA, Cloudflare, Google, Quad9, AliDNS, DNS.WATCH and UncensoredDNS), cross-checked June 2026. Providers change IPs and features, so confirm current addresses on the operator's own site before deploying.