The best DNS for security is Quad9, which blocks malicious domains automatically using threat intelligence from over 25 partners. If you want network-wide protection without installing software on every device, switching to a filtered DNS provider is the fastest single change you can make.
What Is DNS Filtering and Why Does It Matter
DNS filtering works by checking every domain your devices request against a real-time database of known threats. When you type a URL or an app connects to a server, your DNS resolver looks up the address. A filtered DNS provider intercepts requests to domains flagged for phishing, malware, or command-and-control activity and returns a block page instead of the real IP address.
This happens before any connection is established, so the threat never reaches your device. It covers every device on your network, including IoT gadgets and guest phones that you cannot install security software on. If you have already secured your home WiFi at the router level, adding filtered DNS is the logical next step. For a deeper look at how this blocking mechanism works under the hood, read our guide on how DNS filtering blocks malware before it reaches your network.
Best DNS for Security: Ranked Comparison
| Provider | Primary DNS | Secondary DNS | Threat Blocking | Privacy Policy | Best For |
|---|---|---|---|---|---|
| Quad9 | 9.9.9.9 | 149.112.112.112 | Malware, phishing, exploits | No logging, Swiss jurisdiction | Overall security |
| Cloudflare for Families | 1.1.1.2 | 1.0.0.2 | Malware (1.1.1.2) or malware + adult (1.1.1.3) | No logging, audited | Speed + filtering |
| OpenDNS Home | 208.67.222.222 | 208.67.220.220 | Malware, phishing, custom categories | Cisco-owned, some logging | Custom filtering |
| CleanBrowsing Security | 185.228.168.9 | 185.228.169.9 | Malware, phishing, mixed content | No logging | Family networks |
| AdGuard DNS | 94.140.14.14 | 94.140.15.15 | Malware, phishing, ads, trackers | No logging | Ad blocking + security |
How to Set Up Filtered DNS on Your Network
Router-Level Configuration
Log into your router admin panel and navigate to DNS settings under WAN or Internet configuration. Replace the existing DNS addresses with your chosen provider. For Quad9, enter 9.9.9.9 as primary and 149.112.112.112 as secondary. Save and reboot. Every device using DHCP picks up the new settings within minutes.
Device-Level Configuration
On Windows, open Network settings and edit DNS assignment to manual. On macOS, go to System Settings, Network, then DNS. On Android and iOS, look for Private DNS under connection settings and enter the DNS-over-TLS hostname. Quad9 uses dns.quad9.net.
Pi-hole vs AdGuard Home: Self-Hosted DNS Filtering
If you want full control, you can run a self-hosted DNS filter on your own hardware. Pi-hole and AdGuard Home are the two leading options. Pi-hole uses blocklists and works well on a Raspberry Pi or Docker container. AdGuard Home offers a modern interface, built-in DNS-over-HTTPS support, and per-client filtering without additional setup.
Both let you add custom blocklists, whitelist domains, and monitor every query through a web dashboard. For most home users, a cloud provider like Quad9 is simpler. For power users who want granular control over every DNS query, self-hosted filtering is worth the extra configuration time.
Testing Your DNS Security Configuration
After switching providers, verify it is working. Visit the provider’s test page, such as on.quad9.net for Quad9 or 1.1.1.1/help for Cloudflare. You can also test threat blocking by visiting the EICAR test domain, which triggers blocks without delivering real malware. Check that DNS-over-HTTPS or DNS-over-TLS is active to prevent your ISP from intercepting queries.
Frequently Asked Questions
Does changing DNS slow down my internet connection?
Filtered DNS providers like Quad9 and Cloudflare operate global anycast networks with response times under 10 milliseconds from most UK locations. They often resolve queries faster than your ISP’s default servers. You will not notice any speed difference during normal browsing.
Can filtered DNS replace antivirus software?
No. Filtered DNS blocks connections to known malicious domains, but it cannot scan files, detect malware already on your device, or stop threats delivered through encrypted channels. Use it as one layer alongside endpoint protection and a properly configured firewall.
What happens if the filtered DNS provider goes down?
Always configure both a primary and secondary DNS server. If the primary fails, your device automatically queries the secondary. You can also set your router to fall back to a second provider, such as Cloudflare as backup for Quad9, to ensure uninterrupted resolution.