Quad9 DNS
Secure Upstream
Quad9 is a public DNS resolver focused on security and privacy. It can block access to known malicious domains and can validate DNSSEC, depending on which Quad9 service address you use.
Important Clarification & Service Endpoints
Official website: https://quad9.net/
Not every Quad9 IP address has the same function.
Recommended Secure Service
For normal secure use, use the recommended Quad9 service with malware blocking and DNSSEC validation:
9.9.9.9
149.112.112.112
IPv6:
2620:fe::fe
2620:fe::9
DNS-over-HTTPS:
https://dns.quad9.net/dns-query
DNS-over-TLS:
tls://dns.quad9.net
Unfiltered / Unsecured Service
The following Quad9 addresses are the unfiltered / unsecured family and should not be confused with the recommended secure service:
9.9.9.10
149.112.112.10
IPv6:
2620:fe::10
2620:fe::fe:10
DNS-over-HTTPS:
https://dns10.quad9.net/dns-query
DNS-over-TLS:
tls://dns10.quad9.net
Recommended Setup & Bootstrap DNS
Recommended Quad9 configuration
For a normal home network, router, NAS, AdGuard Home, Linux server or workstation, the recommended Quad9 DNS addresses are:
149.112.112.112
2620:fe::fe
2620:fe::9
If you use encrypted DNS, prefer:
https://dns.quad9.net/dns-query
DNS-over-TLS:
tls://dns.quad9.net
Do not mix the secure Quad9 endpoint and the unsecured Quad9 endpoint in the same DNS configuration. If you mix them, some DNS queries may bypass malware blocking.
What is bootstrap DNS?
Bootstrap DNS is used when your DNS upstream server is written as a hostname instead of a plain IP address.
Example:
Before AdGuard Home or another DNS client can connect to dns.quad9.net, it must first resolve the hostname dns.quad9.net to an IP address. Bootstrap DNS is used for this initial lookup.
In short:
Upstream DNS resolves normal client DNS queries.
If your upstream DNS server is already configured directly as an IP address, bootstrap DNS is usually not important.
AdGuard Home & Alternative Setups
Quad9 as bootstrap DNS for AdGuard Home
Quad9 can be used as bootstrap DNS in AdGuard Home. For secure Quad9 upstreams, a practical bootstrap configuration is:
149.112.112.112
2620:fe::fe
2620:fe::9
Then use Quad9 as encrypted upstream DNS:
# or:
tls://dns.quad9.net
This is a cleaner configuration than using the unfiltered 9.9.9.10 family as the main resolver when your goal is security filtering.
Example AdGuard Home setup
Upstream DNS servers:
Bootstrap DNS servers:
149.112.112.112
2620:fe::fe
2620:fe::9
This means AdGuard Home uses Quad9 to resolve the Quad9 upstream hostname and then sends normal DNS queries through the secure Quad9 DoH endpoint.
Alternative: plain DNS without DoH / DoT
If you do not want encrypted DNS upstreams and only want normal DNS over port 53, use:
149.112.112.112
2620:fe::fe
2620:fe::9
This still gives you Quad9 threat blocking and DNSSEC validation, but the DNS traffic between your device and Quad9 is not encrypted unless another encrypted transport is used.
Why use Quad9 & Testing Commands
Why use Quad9?
- Malware domain blocking
- Phishing domain blocking
- DNSSEC validation
- Privacy-focused policy
- Anycast global DNS infrastructure
- IPv4 and IPv6 support
- DNS-over-HTTPS support
- DNS-over-TLS support
- Useful for routers, servers, NAS, AdGuard Home and workstations
Security benefits
Quad9 can block known malicious domains before your device connects to them. This can help reduce the risk from malware, phishing links, infected advertising chains and known command-and-control domains.
This does not replace antivirus software, browser security, firewall rules, system updates or safe user behavior. DNS filtering is one layer of protection.
Privacy notes
DNS queries can reveal a lot about user activity because every domain lookup shows which domains a device is trying to reach.
Quad9 is designed as a privacy-focused DNS resolver. However, encrypted DNS such as DoH or DoT protects the path between you and the DNS resolver; the resolver itself still has to process the DNS query.
For better privacy against local network observers or ISP-level DNS interception, use:
https://dns.quad9.net/dns-query
DNS-over-TLS:
tls://dns.quad9.net
Testing Quad9
To test whether your system is using Quad9, open: https://on.quad9.net/
You can also test DNS from Linux terminal:
Test DNSSEC validation behavior:
Check which DNS server your system is using:
# or:
cat /etc/resolv.conf
Router / LAN Usage & Practical Setup
For whole-network use, set Quad9 or your local AdGuard Home server as DNS in the router DHCP settings.
Example 1: router sends Quad9 directly to clients:
Secondary DNS: 149.112.112.112
Example 2: router sends local AdGuard Home to clients:
Router DHCP DNS: 192.168.1.10
AdGuard upstream: https://dns.quad9.net/dns-query
AdGuard bootstrap: 9.9.9.9, 149.112.112.112
The second option is usually better for home networks because AdGuard Home can provide local filtering, logs, client identification and custom rules, while Quad9 works as the secure upstream resolver.
Common mistake
Do not configure this combination when you expect full Quad9 malware blocking:
9.9.9.10
The first address is the secure malware-blocking endpoint. The second address is the no-threat-blocking endpoint. Mixing them can produce inconsistent behavior.
Recommended practical setup
+
AdGuard Home as LAN DNS filter
+
Quad9 secure DoH/DoT as upstream
+
Quad9 secure IPs as bootstrap
+
regular OS and router updates
Quick Commands & Final Summary
Quick summary
9.9.9.9
149.112.112.112
Recommended secure Quad9 IPv6:
2620:fe::fe
2620:fe::9
Recommended Quad9 DoH:
https://dns.quad9.net/dns-query
Recommended Quad9 DoT:
tls://dns.quad9.net
Unfiltered Quad9 IPv4:
9.9.9.10
149.112.112.10
Unfiltered Quad9 IPv6:
2620:fe::10
2620:fe::fe:10
Final summary
Quad9 is a good choice when you want a privacy-focused DNS resolver with security filtering. For normal protection, use the 9.9.9.9 service family, not the 9.9.9.10 family.
As bootstrap DNS, Quad9 is useful for resolving encrypted upstream hostnames such as dns.quad9.net. As upstream DNS, Quad9 can provide malware-domain blocking and DNSSEC validation.
For AdGuard Home, a clean setup is:
https://dns.quad9.net/dns-query
Bootstrap:
9.9.9.9
149.112.112.112
2620:fe::fe
2620:fe::9