Introduction
Quad9 is a public, and more importantly free, recursive DNS service that adds a layer of security. It uses threat-intelligence feeds to block domains used for malware, phishing, and C2 traffic, while also supporting encrypted DNS protocols and a privacy-first logging policy [1], [2].
Here we will cover:
- what Quad9 actually is;
- which addresses and hostnames you care about;
- how to use it on Android, iOS, and Linux;
- how to check that it is really working.
What is Quad9
Quad9 operates a global anycast recursive resolver network, with servers in hundreds of locations worldwide [2]. The name comes from its primary IP address, 9.9.9.9. When you point your DNS at Quad9, your queries go to the nearest live node.
It then provides an extra security layer in your network stack:
- threat blocking for malware, phishing, and botnet domains;
- DNSSEC validation;
- no logging of your source IP address;
- encrypted transports such as DoT and DoH [1], [2].
The key secure-with-threat-blocking addresses are:
- IPv4: 9.9.9.9 and 149.112.112.112
- IPv6: 2620:fe::9 and 2620:fe::fe
- DoT: dns.quad9.net on port 853
- DoH: https://dns.quad9.net/dns-query [1], [2], [3]
There are also variants with EDNS Client Subnet and with no filtering at all, but for most end-user devices, the default secure profile is the right starting point [1], [3].
So why bother changing
Changing to Quad9 will not magically make everything safe. However, it does give you:
- a first line of defence against known-bad domains;
- some privacy against ISPs selling your DNS data;
- a single policy you can apply across devices, if you are managing devices.
It is cheap defence-in-depth: one control at the network layer that quietly blocks entire classes of mistakes.
So how do we set it up
Let us go through each device type: Android, iOS, Windows, and Linux. I am afraid I do not have much experience with macOS, but there are other resources covering that use case.
Android
On Android 9 and later, you get system-wide DNS-over-TLS via the Private DNS feature. Quad9 publishes the DoT hostname dns.quad9.net, which maps to the secure resolver profile [3], [4].
The exact menu names vary slightly between vendors, but the flow is usually:
1. Open Settings.
2. Tap Network & Internet.
3. Tap Advanced.
4. Tap Private DNS.
5. Choose Private DNS provider hostname.
6. Enter: dns.quad9.net
7. Save and back out.
If you mistype the hostname, Android will silently fall back to whatever DNS the network provides. To check that you are really using Quad9, install a terminal, for example Termux, and run:
dig +short txt proto.on.quad9.net.
Quad9 will return a short string describing how your query arrived, such as plain UDP, DoT, or DoH [5]. If you see a DoT or DoH result and the resolver is reported as Quad9, you are in business.
iOS 14 and later
From iOS 14 onwards, Apple added a system-level Encrypted DNS feature. Instead of a toggle in Settings, it is controlled via configuration profiles (.mobileconfig files) which declare DoT or DoH settings [4], [6].
Quad9 provides profiles for iOS and macOS that:
- use Quad9 resolvers;
- request DoT or DoH to dns.quad9.net;
- apply system-wide, including to apps that know nothing about encrypted DNS [4], [6].
The setup flow is:
1. On the device, in Safari, download the Quad9 encrypted DNS profile, for example their DoH or DoT profile for iOS 14 and later.
2. After download, open Settings.
3. At the top, you should see Profile Downloaded.
4. Tap it, then tap the Quad9 profile.
5. Review the contents, then tap Install.
6. Enter your device passcode and confirm.
Once installed, the Encrypted DNS setting is enforced by the profile. To remove it, delete the profile again from Settings > General > VPN & Device Management.
Linux (desktop and server)
Linux gives you more ways to hang yourself, so we will pick three common patterns:
- simple resolv.conf or NetworkManager pointing at Quad9;
- systemd-resolved with Quad9 upstreams;
- optional encrypted DNS stubs if you want DoT or DoH.
Simple resolver settings
On a minimal server without NetworkManager or systemd-resolved, you can point /etc/resolv.conf straight at Quad9:
nameserver 9.9.9.9
nameserver 149.112.112.112
This assumes that resolv.conf is not being overwritten by another tool, such as a DHCP client. If it is, configure the DHCP client or your network stack to hand out Quad9 instead.
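The overwrite problem is easy to miss because a rewritten resolv.conf still resolves names, just not through Quad9. The following audit script is an added example for this post (not Quad9's tooling and not from the original text): it parses resolv.conf text, classifies each nameserver as Quad9, a local stub, or something else, and treats a non-Quad9 address or a "Generated by" header as the sign that another tool owns the file. The sample file contents are constructed, and treating any non-127.0.0.53 loopback address as a local stub daemon is an assumption of the script.

```python
"""Audit a resolv.conf for Quad9 usage (added example, not Quad9's own tooling).

Parses resolv.conf text, classifies each nameserver, and flags anything that is
not Quad9 or a local stub, which is the symptom described above: another tool,
typically a DHCP client or NetworkManager, rewriting the file.
"""
import ipaddress
import re

# Quad9 secure-with-threat-blocking addresses, as listed on the page.
QUAD9_SECURE = {
    ipaddress.ip_address("9.9.9.9"),
    ipaddress.ip_address("149.112.112.112"),
    ipaddress.ip_address("2620:fe::9"),
    ipaddress.ip_address("2620:fe::fe"),
}
# 127.0.0.53 is the systemd-resolved stub listener; any other loopback address
# is assumed (our assumption) to be a local stub daemon such as stubby.
RESOLVED_STUB = ipaddress.ip_address("127.0.0.53")


def parse_nameservers(text):
    """Return nameserver entries in order; '#' and ';' start comments in resolv.conf."""
    servers = []
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                servers.append(parts[1])  # keep malformed entries so they are reported
    return servers


def classify(server):
    """Label a parsed nameserver entry."""
    if isinstance(server, str):
        return "malformed"
    if server in QUAD9_SECURE:
        return "quad9"
    if server == RESOLVED_STUB:
        return "systemd-resolved"
    if server.is_loopback:
        return "local-stub"
    return "other"


def audit_resolv_conf(text):
    """Return (ok, findings). ok is True only when every nameserver is Quad9 or a
    local stub (whose own upstreams must then be checked separately)."""
    findings = []
    servers = parse_nameservers(text)
    if not servers:
        return False, ["no nameserver lines found"]
    managed = re.search(r"^#\s*Generated by (\S+)", text, re.M)
    if managed:
        findings.append(f"file is managed by {managed.group(1)}; configure that tool, not the file")
    ok = True
    for s in servers:
        kind = classify(s)
        if kind == "quad9":
            findings.append(f"{s}: Quad9 secure resolver")
        elif kind in ("systemd-resolved", "local-stub"):
            findings.append(f"{s}: local stub ({kind}); check its upstreams point at Quad9")
        else:
            ok = False
            findings.append(f"{s}: NOT Quad9 ({kind}); something else is writing resolv.conf")
    return ok, findings


# Constructed samples: a hand-edited file and one rewritten with a router address.
SAMPLE_GOOD = "nameserver 9.9.9.9\nnameserver 149.112.112.112\n"
SAMPLE_OVERWRITTEN = "# Generated by NetworkManager\nnameserver 192.168.1.1\n"

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("overwritten", SAMPLE_OVERWRITTEN)):
        ok, findings = audit_resolv_conf(text)
        print(f"{name}: {'OK' if ok else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

To run it against a real machine, read /etc/resolv.conf and pass its contents to audit_resolv_conf; a loopback result means the verdict lives in whatever daemon listens there, so follow up with resolvectl status or the stub's own configuration rather than trusting the file.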
On a NetworkManager-managed desktop:
- open your connection editor, for example nm-connection-editor;
- edit your active connection, wired or Wi-Fi;
- in the IPv4 tab, set Automatic (DHCP) addresses only;
- set DNS servers to 9.9.9.9, 149.112.112.112;
- repeat in the IPv6 tab with 2620:fe::9, 2620:fe::fe;
- save and reconnect.
You can then run:
dig +short txt test.quad9.net.
dig +short txt proto.on.quad9.net.
to confirm that Quad9 is answering, and which protocol it sees for your queries [5].
systemd-resolved
On modern distributions, systemd-resolved is often the real resolver, with /etc/resolv.conf pointing at 127.0.0.53.
In that case, configure Quad9 as an upstream in /etc/systemd/resolved.conf (a single DNS= line carrying both the IPv4 and IPv6 addresses is the safest form across systemd versions):
[Resolve]
DNS=9.9.9.9 149.112.112.112 2620:fe::9 2620:fe::fe
DNSSEC=yes
Then run:
systemctl restart systemd-resolved
You can check with:
resolvectl status
to ensure that Quad9 is listed as the current DNS server, and again confirm via:
dig +short txt proto.on.quad9.net.
If you want DoT with systemd-resolved, newer versions support DNSOverTLS=yes and DNS= pointing at DoT-capable servers. Quad9 publishes dns.quad9.net as its DoT endpoint [1], [3], but mapping that cleanly into systemd-resolved still depends on your distro and version, so testing is mandatory.
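Because the DoT mapping is version-dependent, it is worth checking the file you end up with rather than assuming. The script below is an added example for this post (not from the original text, not part of systemd): it parses the [Resolve] section and reports whether every DNS= entry is a Quad9 secure address, whether each carries the dns.quad9.net server name in the address#name form that newer systemd-resolved versions use for SNI and certificate validation, and whether DNSOverTLS is the strict "yes" rather than "opportunistic", which can fall back to plaintext. It assumes your systemd is new enough for the address#name syntax (check man resolved.conf on your distribution); the two sample configurations are constructed.

```python
"""Audit /etc/systemd/resolved.conf for strict Quad9 DoT (added example, not part of
the post or of systemd).

Checks three things a misconfiguration would break: every DNS= server is a
Quad9 secure address, every server carries the dns.quad9.net name in the
address#name form (used by newer resolved versions for SNI and certificate
validation; an assumption about your systemd version), and DNSOverTLS is 'yes'
rather than 'opportunistic'.
"""

QUAD9_SECURE = {"9.9.9.9", "149.112.112.112", "2620:fe::9", "2620:fe::fe"}
QUAD9_TLS_NAME = "dns.quad9.net"


def parse_resolve_section(text):
    """Return {key: [values]} from the [Resolve] section; repeated keys accumulate."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Resolve" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        settings.setdefault(key, []).append(value)
    return settings


def split_server(entry):
    """Split 'addr[:port]#name' or '[v6]:port#name' into (address, name or None)."""
    addr, _, name = entry.partition("#")
    if addr.startswith("["):            # bracketed IPv6 with port
        addr = addr[1:addr.index("]")]
    elif addr.count(":") == 1:          # IPv4 with port
        addr = addr.split(":", 1)[0]
    return addr, (name or None)


def audit_resolved_conf(text):
    """Return (ok, findings); ok means strict DoT to Quad9 with the TLS name on every server."""
    settings = parse_resolve_section(text)
    servers = [e for value in settings.get("DNS", []) for e in value.split()]
    if not servers:
        return False, ["no DNS= servers configured in [Resolve]"]
    ok, findings = True, []
    for entry in servers:
        addr, name = split_server(entry)
        if addr not in QUAD9_SECURE:
            ok = False
            findings.append(f"{addr}: not a Quad9 secure address")
        elif name != QUAD9_TLS_NAME:
            ok = False
            findings.append(f"{addr}: missing #{QUAD9_TLS_NAME}; certificate cannot be matched to the Quad9 name")
        else:
            findings.append(f"{addr}: Quad9 with TLS name {name}")
    dot = settings.get("DNSOverTLS", ["no"])[-1].lower()   # resolved's default is no
    if dot != "yes":
        ok = False
        findings.append(f"DNSOverTLS={dot}: not strict; 'opportunistic' silently falls back to plaintext")
    dnssec = settings.get("DNSSEC", ["<unset>"])[-1].lower()
    if dnssec != "yes":
        findings.append(f"DNSSEC={dnssec}: validation not strict (warning only)")
    return ok, findings


# Constructed samples: a strict configuration and a downgradeable one.
SAMPLE_STRICT = """\
[Resolve]
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::9#dns.quad9.net 2620:fe::fe#dns.quad9.net
DNSOverTLS=yes
DNSSEC=yes
"""
SAMPLE_WEAK = """\
[Resolve]
DNS=9.9.9.9 149.112.112.112
DNSOverTLS=opportunistic
"""

if __name__ == "__main__":
    for label, text in (("strict", SAMPLE_STRICT), ("weak", SAMPLE_WEAK)):
        ok, findings = audit_resolved_conf(text)
        print(f"{label}: {'OK' if ok else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

The file is only half the story: after systemctl restart systemd-resolved, confirm with resolvectl status that the servers and the DNS-over-TLS setting resolved actually loaded match what the audit approved, then query proto.on.quad9.net as described above.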
Encrypted stubs (DoT / DoH)
If you prefer explicit stubs for encrypted DNS, tools like stubby or dnscrypt-proxy can speak DoT or DoH directly to Quad9 [2], [7]. The high-level steps look like this:
1. Install a stub resolver, for example stubby.
2. Configure it with:
```yaml
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 149.112.112.112
    tls_auth_name: "dns.quad9.net"
```
3. Point your system resolver at 127.0.0.1.
The details differ per stub implementation, but the principle is always the same: a local daemon on 127.0.0.1 speaks DoT or DoH to Quad9 using the documented hostnames and URLs [1], [3], [7].
Overview
Remember that Quad9 is one control in a stack. It will not block everything, but it will quietly stop a whole class of “clicked the wrong thing” incidents, and it costs you almost nothing to deploy.
References
[1] Quad9, "Recursive DNS Server Addresses and Features," Quad9, online documentation. [Online]. Available: https://quad9.net/service/service-addresses-and-features/ [Accessed: 05-Dec-2025].
[2] "Quad9," Wikipedia, the free encyclopedia. [Online]. Available: https://en.wikipedia.org/wiki/Quad9 [Accessed: 05-Dec-2025].
[3] Quad9, "9.9.9.9 (Secure with Threat Blocking)," Quad9 Documentation Services. [Online]. Available: https://quad9dns.github.io/documentation/services/ [Accessed: 05-Dec-2025].
[4] Quad9, "Android 9+ (Encrypted)," Setup Guides Android, Sep. 2018. [Online]. Available: https://quad9dns.github.io/documentation/Setup_Guides/Android/Android_9%2B_%28Encrypted%29/ [Accessed: 05-Dec-2025].
[5] Quad9, "FAQs Protocol Test," Quad9 Documentation. [Online]. Available: https://quad9dns.github.io/documentation/FAQs/ [Accessed: 05-Dec-2025].
[6] Quad9, "iOS and MacOS Mobile Provisioning Profiles Are Here!," Quad9 Blog, Mar. 2022. [Online]. Available: https://quad9.net/news/blog/ios-mobile-provisioning-profiles/ [Accessed: 05-Dec-2025].
[7] DNS Privacy Project, "Public Resolvers," dnsprivacy.org. [Online]. Available: https://dnsprivacy.org/public_resolvers/ [Accessed: 05-Dec-2025].