Quad9 DNS Reviewed

Encrypted, filtered, nonprofit-operated DNS. What it fixes and what it doesn't.

Quad9 routes your DNS queries to the nearest of 200+ nodes globally

Quad9 is a free, Swiss-based DNS resolver that encrypts your queries, blocks malicious domains, and doesn't log your IP. It's a meaningful upgrade over your ISP's default. It's not a privacy solution on its own.

Quad9 is a free DNS resolver operated by the Quad9 Foundation, a nonprofit based in Zürich, Switzerland, reachable at 9.9.9.9. Development began in 2016 with backing from IBM, Packet Clearing House, and the Global Cyber Alliance, with a public launch in November 2017. IBM's role has since narrowed to threat intelligence contribution, with full operational independence established under the Swiss foundation structure. The Swiss jurisdiction matters because Swiss privacy law is among the stricter frameworks globally, and the foundation is not subject to US surveillance demands or EU data retention directives.

DNS is the system that translates domain names into IP addresses. Every time you visit a website, your device asks a DNS resolver where that domain lives. Your ISP handles this by default, which means your ISP sees every domain you query. Switching to Quad9 moves that visibility away from your ISP and toward Quad9 instead. That is a meaningful change for some threat models and essentially irrelevant for others.

What Quad9 Actually Does

Quad9 runs on anycast routing, meaning the 9.9.9.9 address doesn't point to a single server. Your query automatically routes to the nearest node across more than 200 locations globally. The secondary resolver sits at 149.112.112.112 for redundancy. For DoH the endpoint is dns.quad9.net/dns-query, and for DoT the hostname is dns.quad9.net. Both encrypt your DNS queries in transit so they can't be read by anyone monitoring your network connection. Without one of those protocols enabled, DNS queries travel in plaintext and anyone between you and the resolver can see them.
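An added example, not code from Quad9 or from this article: a minimal DoT client for the resolver described above. It connects to 9.9.9.9 and has TLS verify the certificate against dns.quad9.net, so a resolver that cannot prove that name is rejected. Port 853 and the 2-byte length framing come from RFC 7858, and all function names are illustrative.

```python
import secrets
import socket
import ssl
import struct

DOT_IP, DOT_HOSTNAME = "9.9.9.9", "dns.quad9.net"  # both named in the article
DOT_PORT = 853                                     # assumption: standard DoT port (RFC 7858)

def build_query(name, qtype=1, msg_id=None):
    """Build a DNS wire-format query (default type A, class IN, RD bit set)."""
    if msg_id is None:
        msg_id = secrets.randbits(16)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(message):
    """DoT reuses DNS-over-TCP framing: 2-byte big-endian length, then the message."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large to frame")
    return struct.pack("!H", len(message)) + message

def read_exact(stream, n):
    """Read exactly n bytes; TLS records may deliver fewer per recv() call."""
    buf = b""
    while len(buf) < n:
        chunk = stream.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def unframe(stream):
    """Read one length-prefixed DNS message from the stream."""
    (length,) = struct.unpack("!H", read_exact(stream, 2))
    return read_exact(stream, length)

def query_dot(name, timeout=5.0):
    """Send one query over TLS and return the raw DNS response bytes."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((DOT_IP, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=DOT_HOSTNAME) as tls:
            tls.sendall(frame(build_query(name)))
            return unframe(tls)

if __name__ == "__main__":
    # Offline demonstration: the framed bytes that would be sent inside TLS.
    print(frame(build_query("example.com", msg_id=0)).hex())
```

Calling query_dot("example.com") needs network access to 9.9.9.9 on port 853; on a network that intercepts or blocks DoT it raises an exception rather than falling back to plaintext.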

Quad9 validates responses using DNSSEC, which cryptographically verifies that DNS answers haven't been tampered with between the authoritative nameserver and the resolver. It also deliberately strips EDNS Client Subnet data from queries it forwards upstream. ECS is a mechanism that passes a truncated version of your IP address to authoritative nameservers so CDNs can serve you geographically optimal content. Quad9 removes it, which improves privacy but can occasionally result in slightly suboptimal CDN routing.

The other main feature is domain blocking. Quad9 pulls threat intelligence from dozens of partners including IBM X-Force and Abuse.ch, and uses that data to block domains associated with malware, phishing, and exploit delivery. When your device queries a blocked domain, Quad9 returns NXDOMAIN instead of an IP address and the connection fails before it starts. There is an unfiltered version available at 9.9.9.10 for users who want the privacy features without the blocking, and a third variant at 9.9.9.11 that adds ECS back in for users who want better CDN performance and are willing to trade some subnet privacy for it.

Quad9 states it does not log user IP addresses. Aggregate query data is used for threat analysis but is not tied to individual users. That claim is not independently audited in the way some VPN providers have pursued third-party audits, so it rests on trust in the foundation and Swiss legal constraints.

Where It Falls Short

The blocking is only as good as the threat intelligence feeds behind it. Legitimate domains get caught occasionally, and when they do there is no user-facing explanation; the connection just fails. The blocklist sources are not fully public, so you cannot inspect exactly what criteria get a domain flagged. For most users the blocking is a net positive. For researchers, security professionals, or people running their own infrastructure, it can create problems that are annoying to diagnose. The unfiltered endpoint at 9.9.9.10 exists for exactly that reason.
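An added example, not part of the original article or any Quad9 tooling: one way to diagnose a suspected false positive is to ask the filtered resolver (9.9.9.9) and the unfiltered one (9.9.9.10) for the same name and compare response codes. The function names and the sample responses are constructed for illustration.

```python
import secrets
import socket
import struct

FILTERED, UNFILTERED = "9.9.9.9", "9.9.9.10"  # resolver addresses from the article
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def rcode(response):
    """Name of the RCODE carried in the low 4 bits of the DNS header flags."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    return RCODE_NAMES.get(flags & 0x000F, f"RCODE{flags & 0x000F}")

def classify(filtered, unfiltered):
    """Compare the two resolvers' responses for the same name."""
    f, u = rcode(filtered), rcode(unfiltered)
    if f == "NXDOMAIN" and u == "NOERROR":
        return "likely blocked by filter"
    if f == u == "NXDOMAIN":
        return "domain does not exist"
    if f == u == "NOERROR":
        return "resolves on both"
    return f"inconclusive: filtered={f} unfiltered={u}"

def ask(server, name, timeout=3.0):
    """One plaintext UDP A query; fine for diagnosis, but visible on the wire."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    query = (struct.pack("!HHHHHH", secrets.randbits(16), 0x0100, 1, 0, 0, 0)
             + qname + struct.pack("!HH", 1, 1))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((server, 53))  # kernel drops datagrams from other sources
        sock.send(query)
        response = sock.recv(4096)
    if response[:2] != query[:2]:
        raise ValueError("response ID does not match the query")
    return response

def diagnose(name):
    """Live check; needs network access to both resolvers."""
    return classify(ask(FILTERED, name), ask(UNFILTERED, name))

# Constructed header-only responses (not captured traffic):
# flags 0x8183 = response with RCODE 3, flags 0x8180 = response with RCODE 0.
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x2A2A, 0x8183, 1, 0, 0, 0)
SAMPLE_NOERROR = struct.pack("!HHHHHH", 0x2A2A, 0x8180, 1, 1, 0, 0)
```

Run diagnose() from the affected host: "likely blocked by filter" means the name exists according to the unfiltered resolver but the filtered one returned NXDOMAIN, which is the behaviour the article describes for blocked domains.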

The more fundamental limitation is that Quad9 is still a centralised resolver. You are moving trust away from your ISP and toward a Swiss nonprofit, which is a reasonable trade for most people. It does not make your DNS queries invisible. Quad9 can see what domains you are querying even if it does not log them against your IP. Encrypted DNS also does not hide your traffic at the IP level. Once you connect to a server, that connection is visible regardless of how your DNS query was handled.

Quad9 is a solid default choice for anyone who wants encrypted DNS with malware blocking and does not want to run their own resolver. It is not a complete privacy solution on its own. Pair it with a VPN and you shift the DNS query handling to the VPN provider entirely, which removes Quad9 from the picture and consolidates that trust into one place instead of two.

FAQ

What IP address does Quad9 use?

The primary address is 9.9.9.9, with a secondary at 149.112.112.112. An unfiltered variant runs at 9.9.9.10, and a version with ECS re-enabled runs at 9.9.9.11.

Does Quad9 log your DNS queries?

Quad9 states it does not log user IP addresses. Aggregate query data is collected for threat analysis but is not tied to individual users. This has not been independently audited.

What is EDNS Client Subnet and why does Quad9 strip it?

ECS passes a truncated version of your IP address to authoritative nameservers for CDN optimisation. Quad9 removes it by default to prevent your approximate location from being shared upstream.

Can Quad9 block legitimate websites?

Yes. False positives occur and the blocklist sources are not fully public. Users who need unfiltered DNS can use 9.9.9.10 instead.

Does using Quad9 replace a VPN?

No. Quad9 only handles DNS queries. Your actual network traffic, IP address, and connection metadata remain visible to your ISP and any server you connect to.