Quad9’s encrypted DNS-over-HTTPS (DoH) service hit an average response time of 21.5 milliseconds in a real-world café Wi‑Fi test, nearly matching the network’s own DNS and decisively outperforming unencrypted Quad9 lookups. The informal benchmark, run on a busy coffee‑shop connection, challenges the long‑held assumption that encryption adds intolerable delay to domain name resolution — and showcases how far modern DoH implementations have come.

The Café Bench Setup

The test pitted three DNS configurations against each other on the same Windows 11 laptop, connected to a typical public Wi‑Fi hotspot with 50 Mbps down and 15 Mbps up. The café’s default resolver — automatically assigned via DHCP from the local internet provider — served as the baseline. A script issued 5,000 identical queries (to a random subdomain of a test zone that forces a fresh authoritative lookup each time), measuring round‑trip time from the laptop’s stub resolver to a successful reply. First, queries went to the café’s own DNS at 20.8 ms average. Then the laptop was switched to Quad9’s classic plain‑DNS service (9.9.9.9) over UDP port 53, which averaged 24.3 ms. Finally, Windows 11’s native DoH client was pointed at Quad9’s encrypted endpoint (https://dns.quad9.net/dns-query), and the same set of queries clocked in at 21.5 ms.

Those numbers tell a story. Plain Quad9 DNS lagged the café’s ISP by 3.5 ms — not catastrophic, but noticeable in a latency‑sensitive application like a VoIP call or an interactive web page that makes dozens of serial DNS requests. Quad9 DoH closed the gap to within 0.7 ms of the local default. For an encrypted protocol that wraps every DNS packet inside a TLS‑secured HTTP/2 stream, that is remarkably efficient.

Why Plain DNS Fell Short

At first glance, Quad9’s unencrypted server might have seemed the logical fast choice. UDP is lightweight; there’s no handshake at all, just one request datagram and one reply. But public Wi‑Fi networks often implement aggressive DNS interception: they silently redirect port‑53 traffic to their own resolver or apply throttling to external resolvers. In this test, the café’s router may have been doing just that, adding a small penalty each time a query departed for 9.9.9.9. More fundamentally, plain DNS starts from scratch with every query. A stub resolver opens a new UDP socket, fires a single packet, and waits. There’s no connection reuse, no multiplexing, and no compression of headers. Over a jittery wireless link, that per‑query overhead adds up.

DoH’s Performance Secret: Connection Reuse

DNS-over-HTTPS piggybacks on mature HTTP/2 or even HTTP/3 (QUIC) transports. Once the initial TLS handshake completes, the client maintains a persistent, multiplexed connection to the resolver. Subsequent queries share the same tunnel, avoiding the per‑query socket setup of plain DNS and the per‑connection TLS negotiation of early DoT (DNS-over-TLS) designs. Quad9’s infrastructure also benefits from a globally distributed anycast network, so the laptop likely connected to a nearby node with low base latency. The result: the encryption penalty shrank to almost nothing, and the persistent connection allowed lookups to complete in a blistering 21.5 ms. That’s fast enough that the slight difference from the café’s own DNS (which may have had cached entries or an even closer server) feels imperceptible in practice.

The Security and Privacy Payoff

Raw numbers matter, but the real win is that users no longer have to trade privacy for speed. Quad9’s resolver blocks known malicious domains using threat intelligence from IBM X-Force, CrowdStrike, and other partners, and its DoH endpoint encrypts the entire query path, shielding DNS traffic from snooping baristas, unscrupulous hotspot operators, and even the internet service provider itself. On a public network, that’s critical. Without DoH, everything from the websites you visit to the APIs your apps call can be logged, analyzed, and sold. With Quad9’s DoH, those queries are as private as the HTTPS connections they precede.

What This Means for Windows 11 Users

Microsoft integrated DoH directly into the operating system starting with Windows 10 build 19628 and polished it in Windows 11. Today, setting a DoH resolver is a point‑and‑click exercise. Open Settings → Network & Internet → Wi‑Fi, click the connected network, and under “DNS server assignment” choose “Edit.” From the dropdown, you can select “Unencrypted only,” “Encrypted only (DNS over HTTPS),” or “Encrypted preferred, unencrypted allowed.” Plug in Quad9’s primary IPv4 address 9.9.9.9 and the alternate 149.112.112.112, and Windows automatically offers to enable DoH if the server advertises support — Quad9 does. The fallback mode is especially handy for transitions: it attempts encryption first but falls back to plain DNS if the encrypted connection stalls, ensuring you never lose connectivity.

The café test suggests that for most users, the “Encrypted only” mode is perfectly safe and, with Quad9, nearly as swift as letting the ISP handle resolution. In fact, because many ISP resolvers are overloaded or deliberately slow‑walk non‑cacheable queries, DoH can sometimes feel snappier than the default, especially on poorly maintained networks.

Digging Deeper: How the Test Was Actually Run

Precise measurement matters. The tester used dnspyre, a command‑line benchmarking tool that can issue parallel queries over DoH and plain DNS, and recorded timing at the UDP socket and HTTP response level respectively. Warm‑up queries primed the connection for DoH; thereafter, the persistent stream eliminated handshake overhead. Results were aggregated over three separate sessions at different times of day to smooth out Wi‑Fi contention. While individual query latency occasionally spiked — as Wi‑Fi does — the median and mean stayed tightly clustered, proving the stability of the encrypted link. For anyone looking to replicate the experiment, the tester suggests running at least 5,000 queries to wash out transient network jitter.
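To make the methodology concrete (the setup in "The Café Bench Setup", the connection-reuse mechanism, and the warm-up and mean/median reporting described above), here is a small benchmark script. It is an added example, not the article's script and not dnspyre: it builds DNS wire-format queries itself, times plain UDP lookups to 9.9.9.9 and RFC 8484 POST lookups to https://dns.quad9.net/dns-query over a single persistent TLS connection, and reports mean, median and p95. Python's http.client speaks HTTP/1.1 only, so it demonstrates connection reuse (no repeated TCP/TLS setup per query) but not HTTP/2 multiplexing. The test zone, query count and warm-up count are constructed placeholders.

```python
"""Added example, not the article's script nor dnspyre: time plain UDP DNS against
DNS-over-HTTPS (RFC 8484, POST wire format) sent over one persistent TLS connection.
TEST_ZONE, QUERIES and WARMUP are constructed placeholders; substitute your own."""
import http.client
import os
import socket
import statistics
import struct
import time

PLAIN_RESOLVER = ("9.9.9.9", 53)                      # Quad9 plain DNS (named in the article)
DOH_HOST, DOH_PATH = "dns.quad9.net", "/dns-query"    # Quad9 DoH endpoint (named in the article)
TEST_ZONE = "bench.example"    # placeholder: use a zone you control so each random label forces a fresh lookup
QUERIES, WARMUP = 200, 5       # placeholder counts; the article's run used 5,000 queries


def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """Encode a minimal DNS query: header (RD=1, one question), QNAME labels, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header: id, QR bit, RCODE and answer count."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}


def random_name() -> str:
    """A random 12-hex-char label under TEST_ZONE, so no resolver cache can answer from memory."""
    return f"{os.urandom(6).hex()}.{TEST_ZONE}"


def time_udp(sock: socket.socket, name: str) -> float:
    """One query over a plain UDP socket; returns milliseconds until a reply with a matching ID arrives."""
    qid = int.from_bytes(os.urandom(2), "big")
    query = build_query(name, qid)
    t0 = time.perf_counter()
    sock.sendto(query, PLAIN_RESOLVER)
    while True:                                  # ignore stray datagrams carrying a different ID
        data, _ = sock.recvfrom(4096)
        if parse_header(data)["id"] == qid:
            break
    return (time.perf_counter() - t0) * 1000


def time_doh(conn: http.client.HTTPSConnection, name: str) -> float:
    """One RFC 8484 POST on an already-open HTTPS connection; returns milliseconds to a full reply."""
    query = build_query(name, qid=0)             # RFC 8484 recommends ID 0 in DoH requests
    t0 = time.perf_counter()
    conn.request("POST", DOH_PATH, body=query,
                 headers={"Content-Type": "application/dns-message",
                          "Accept": "application/dns-message"})
    resp = conn.getresponse()
    data = resp.read()                           # draining the body keeps the connection reusable
    elapsed = (time.perf_counter() - t0) * 1000
    if resp.status != 200 or not parse_header(data)["is_response"]:
        raise RuntimeError(f"DoH query failed: HTTP {resp.status}")
    return elapsed


def summarize(samples: list[float]) -> dict:
    """Mean, median and 95th percentile in ms, the figures the article reports."""
    ordered = sorted(samples)
    p95 = ordered[int(0.95 * (len(ordered) - 1))]
    return {"n": len(samples), "mean_ms": round(statistics.mean(samples), 1),
            "median_ms": round(statistics.median(samples), 1), "p95_ms": round(p95, 1)}


def run_benchmark(queries: int = QUERIES, warmup: int = WARMUP) -> dict:
    """Time `queries` lookups per transport; DoH gets warm-up queries so the TLS handshake is excluded."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(3)
    udp = [time_udp(sock, random_name()) for _ in range(queries)]
    conn = http.client.HTTPSConnection(DOH_HOST, timeout=5)
    for _ in range(warmup):
        time_doh(conn, random_name())
    doh = [time_doh(conn, random_name()) for _ in range(queries)]
    conn.close()
    sock.close()
    return {"plain_udp": summarize(udp), "doh": summarize(doh)}


if __name__ == "__main__":
    for transport, stats in run_benchmark().items():
        print(transport, stats)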
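```

Run it from the network you want to measure; on a captive or intercepting hotspot the plain-UDP figures will include whatever the router does to port 53, which is exactly the effect the article attributes to the café's network. Replies for the random labels are NXDOMAIN, which still measures a full resolution. To compare with the article's numbers, raise QUERIES toward 5,000 and repeat at different times of day.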

The DoH Advantage Over DoT

DNS-over-TLS (DoT), another encrypted protocol that uses a dedicated TLS session over port 853, didn’t participate in this test, but its structural differences are worth noting. DoT requires a per‑connection TLS setup and can’t easily share a socket with other HTTPS traffic, making it more conspicuous and sometimes slower on networks that block or throttle non‑standard ports. DoH, by contrast, blends into the sea of HTTPS traffic on port 443. Firewalls and captive portals rarely interfere, and the persistent HTTP/2 connection model gives DoH a latency edge, especially when a client sends multiple queries back‑to‑back. The café test adds another data point to the growing body of evidence that DoH is the superior encrypted DNS transport for consumer devices.

Caveats and Good Network Hygiene

No DNS resolver is a silver bullet. Quad9’s threat blocking, while effective against millions of malicious domains, isn’t a substitute for a full endpoint protection suite. Users should still keep Windows Defender active and avoid clicking suspicious links. Also, some enterprise or campus networks block external DNS entirely; there, DoH might fail unless it implements opportunistic fallback. Windows 11’s “Encrypted preferred” setting handles such cases gracefully, but it does mean your traffic might revert to plaintext during certain network conditions — worth keeping in mind if absolute privacy is required. For the average coffee‑shop warrior, though, Quad9 DoH with “Encrypted only” is a solid choice.
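The difference between the two Windows modes is a policy decision the stub resolver makes when DoH fails, and it is easy to lose track of how often the fallback actually fires. The following is an added example (not Windows' resolver code and not Quad9's) that models the two modes as a small policy class: "encrypted_only" refuses to send the query in the clear, while "encrypted_preferred" retries over plaintext UDP and counts and logs each downgrade. The transports are injected callables, and the three at the bottom are constructed stand-ins, so the example runs offline.

```python
"""Added example, not Windows' or Quad9's code: a toy stub-resolver policy modelling
Windows 11's "Encrypted only" and "Encrypted preferred, unencrypted allowed" DoH modes.
The transports below are constructed stand-ins so that this runs offline."""
import logging
from typing import Callable

log = logging.getLogger("dns-policy")
Transport = Callable[[str], bytes]            # name -> raw DNS reply, or raises OSError on failure

ENCRYPTED_ONLY = "encrypted_only"             # Windows: "Encrypted only (DNS over HTTPS)"
ENCRYPTED_PREFERRED = "encrypted_preferred"   # Windows: "Encrypted preferred, unencrypted allowed"


class DnsUnavailable(Exception):
    """Raised when DoH is down and the policy forbids a plaintext fallback."""


class StubResolver:
    def __init__(self, doh: Transport, udp: Transport, mode: str):
        if mode not in (ENCRYPTED_ONLY, ENCRYPTED_PREFERRED):
            raise ValueError(f"unknown mode {mode!r}")
        self.doh, self.udp, self.mode = doh, udp, mode
        self.downgrades = 0                     # queries that left this host unencrypted

    def resolve(self, name: str) -> tuple[str, bytes]:
        """Return (transport_used, reply). Only ENCRYPTED_PREFERRED may ever answer over 'udp'."""
        try:
            return "doh", self.doh(name)
        except OSError as exc:                  # timeouts, refused connections, blocked port 443
            if self.mode == ENCRYPTED_ONLY:
                raise DnsUnavailable(f"DoH failed for {name}; plaintext fallback disabled") from exc
            self.downgrades += 1                # the fallback is silent to the user; count it
            log.warning("DoH failed (%s); resolving %s over plaintext UDP", exc, name)
            return "udp", self.udp(name)


# Constructed transports standing in for a working DoH path, a blocked one, and plain UDP.
def doh_working(name: str) -> bytes:
    return b"reply-over-doh"


def doh_blocked(name: str) -> bytes:
    raise TimeoutError("TCP 443 to the resolver timed out")   # what a network that blocks DoH looks like


def udp_plain(name: str) -> bytes:
    return b"reply-over-udp"


def demo() -> dict:
    """Run both modes against a blocked DoH path and report what each did."""
    preferred = StubResolver(doh_blocked, udp_plain, ENCRYPTED_PREFERRED)
    strict = StubResolver(doh_blocked, udp_plain, ENCRYPTED_ONLY)
    used, _ = preferred.resolve("example.invalid")
    try:
        strict.resolve("example.invalid")
        strict_outcome = "answered"
    except DnsUnavailable:
        strict_outcome = "refused"
    return {"preferred_used": used, "preferred_downgrades": preferred.downgrades,
            "strict_outcome": strict_outcome}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())   # {'preferred_used': 'udp', 'preferred_downgrades': 1, 'strict_outcome': 'refused'}
```

The downgrade counter is the point: in "Encrypted preferred" mode a network that blocks port 443 to the resolver turns every lookup into plaintext without any visible change, so if privacy matters the thing to watch is not whether DoH is configured but how often the fallback path is taken.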

Real‑World Impact: From Milliseconds to Meaningful

A 3‑millisecond difference per DNS query may sound trivial, but cumulative effects can be surprising. A single webpage can spawn 50 or more DNS lookups — for the main domain, CDNs, tracking pixels, and third‑party widgets. Before connection reuse and HTTP/2 multiplexing, those requests often ran sequentially. Even with modern browsers doing parallel pre‑resolution, shaving 3 ms off each lookup can trim page‑load times by hundreds of milliseconds on a cold cache. On a café network where every bit of performance counts, Quad9 DoH not only preserves privacy but actually beats the plain‑DNS alternative. That’s a win‑win that even skeptical users can feel.

Quad9’s Philosophy and Server Architecture

Quad9 Foundation, a Swiss non‑profit, runs its resolver infrastructure with a focus on privacy and threat intelligence. Each query to 9.9.9.9 hits one of over 200 server clusters in 90+ countries, anycast‑routed to the nearest point. The DoH endpoint uses the same anycast IP, so the encryption tunnel terminates as close to the user as possible — a key reason the café test saw such low latency. Unlike some commercial resolvers that monetize query data, Quad9 pledges not to store personally identifiable information. Its transparency report shows less than 0.01% of log data retained beyond 24 hours, and even that is limited to performance metrics, stripped of source IPs. For Windows users tired of their ISP’s DNS meddling, Quad9 has become a go‑to.

Setting Up Quad9 DoH on Older Windows Versions

Windows 10 doesn’t expose a GUI for DoH, but the feature arrived with build 19628 via a registry tweak or a PowerShell command. Users on 20H1 or later can enable DoH through the same settings panel, though they might need to manually input the DoH template URL. The command Set-DnsClientDohServerAddress in an elevated PowerShell window makes it straightforward. For those still using Windows 10, this café test offers a compelling reason to finally toggle the switch: the speed is there, the privacy is there, and the configuration is a one‑time effort.

The Bigger Picture: DNS Encryption Goes Mainstream

A test in a single coffee shop doesn’t rewrite the rules of networking, but it reflects a broader trend. As major browsers like Chrome and Firefox enable DoH by default, and as Windows builds it deeper into the OS, the performance of encrypted resolvers is being scrutinized like never before. Quad9’s showing at 21.5 ms is on par with — and sometimes better than — what other public encrypted
