There are many choices for DNS providers and the default, using DNS servers from an ISP, is the worst option. Some options are below, the list is far from complete. DNS can be a great way to get ad blocking, tracker blocking and/or malware blocking without having to install software.

Old insecure DNS is specified with IP addresses (normally two of them). New Secure DNS is specified with a server name. Typically a company offers one server for DoH and another for DoT. That said, the two secure DNS flavors use different TCP ports, so they could both be available on a single server.

To test which DNS system/servers your computer is using, see the many available tester pages on the Test Your DNS page.

• The main Quad9 service offers malware protection. More here.
  IP addresses: 9.9.9.9 and 149.112.112.112 | DoH: https://dns.quad9.net/dns-query | DoT: tls://dns.quad9.net
  
  
• Cloudflare offers three different DNS services. The original service does no filtering. In April 2020, Cloudflare introduced two filtering DNS services. See an overview.
  No filtering:     1.1.1.1 and 1.0.0.1 | DoH: https://cloudflare-dns.com/dns-query
  Block malware: 1.1.1.2 and 1.0.0.2 | DoH: https://security.cloudflare-dns.com/dns-query
  Block malware and porn: 1.1.1.3 and 1.0.0.3 | DoH: https://family.cloudflare-dns.com/dns-query
  Note: In a June 2023 test by Nexxwave (see article below) the malware blocking offered by 1.1.1.2 was very bad.
  
  
• My personal preference is NextDNS which blocks ads and trackers. It is a free service, up to a point. You do not need an account to use NextDNS but there are advantages to creating one such as using Secure DNS and configuring block/allow lists. NextDNS allows you to create customized DNS profiles for a group of your devices, for a single device or even just for a single browser on one device. These customized profiles can have their own block/allow lists. NextDNS can also do logging, of both allowed and blocked DNS requests. Setup instructions for all supported operating systems are available on their website after you click on the blue Try it now button on the home page. This generates a free temporary account good for 7 days. The setup instructions will include IP v4 addresses for old insecure DNS. Unlike other DNS providers, these IP addresses seem to vary, but expect them to start with 45.90.
  
  In the below, xxxxxx is the NextDNS profile ID. A NextDNS account can have one or more profile IDs. Generic refers to all devices/browsers that share a profile ID. Customized refers to naming a specific device/browser within a given profile. Customization is very useful when logging DNS requests.
  
  DoT Generic:  xxxxxx.dns.nextdns.io  |  Customized: MichaelFirefox-xxxxxx.dns.nextdns.io
  DoH Generic: https://dns.nextdns.io/xxxxxx | Customized: https://dns.nextdns.io/xxxxxx/MichaelsLaptop
  Chrome browser -> Use Secure DNS with Custom: same as DoH above
  Firefox browser -> Enable DNS over HTTPS with Custom: same as DoH above
  Android Private DNS Generic: xxxxxx.dns.nextdns.io | Customized: MichaelsFone-xxxxxx.dns.nextdns.io
  
  
• VPN company Mullvad offers two free DNS services to the public, as well as to their customers. One service is unfiltered, the other blocks ads. Each service is offered three ways: by IP address, DoH or DoT. Note that their Secure DNS server names are the same for both DoH and DoT (despite "doh" being in the name). This is possible because DoT uses port 853, while DoH uses port 443. This article of theirs has setup instructions for Firefox and Android DNS over HTTPS and DNS over TLS (last updated Feb 15, 2023). The article also explains how to test that their DNS system is actually being used. Mullvad customers can add tracker blocking and malware blocking to the normal ad blocking on Android with the custom DNS option of their app and specifying IP address 100.64.0.7. In February 2023, they added a way to use their encrypted DNS service on macOS, iPadOS and iOS as per this article of theirs: Profiles to configure our encrypted DNS on Apple devices. On these systems, you have to configure a "profile". Mullvad offers the text of the profile file, but no setup instructions. Everything to do with DNS is a pain in the neck on Apple devices.
  
  No filtering: 194.242.2.2 and 193.19.108.2 | DoH and DoT: https://doh.mullvad.net/dns-query
  Block ads:   194.242.2.3 and 193.19.108.3 | DoH and DoT: https://adblock.doh.mullvad.net/dns-query
  Android Private DNS: specify without "HTTPS ://" in front and without "/dns-query" at the end.
  
  
• OpenDNS offers some malware protection by not resolving/translating known bad website names. Their standard service IP addresses are: 208.67.222.222 and 208.67.220.220
  
  
• AdGuard offers both free and commercial services and the line between them is confusing to me. They offer three DNS services, the main one blocks ads, tracking and phishing. Their Family Protection service does this too and adds the blocking of adult websites and a Safe search. They also have a non-filtering DNS service. They also offer installable ad-blocking software for Windows, Mac, Android and iOS. Their AdGuard DNS is in beta as of March 2022. For more see Connecting to a public AdGuard DNS server.
  
  Blocks ads, tracking, phishing:
    IPv4: 94.140.14.14 and 94.140.15.15
    DoH: https://dns.adguard.com/dns-query
    DoT: tls://dns.adguard.com
  
  Family Protection
    IPv4: 94.140.14.15 and 94.140.15.16
    DoH: https://dns-family.adguard.com/dns-query
    DoT: tls://dns-family.adguard.com
  
  
• Control D is a new service (released in 2021) from the developers of Windscribe. There are free and paid services and good luck drawing the line between them. There are about six standard configurations plus you can create a custom configuration. Quoting: "CONTROL D is a fully customizable DNS service, similar to Pi-Hole, AdGuard or NextDNS, but with proxy capabilities. This means it not only blocks things (ads, porn, etc), but can also unblock websites and services." More here. Their standard configurations include: no filtering, filtering malware, filtering malware, ads and tracking, filtering malware, ads, tracking and social, filtering malware, ads, tracking, Adult Content and Drugs. See too their blog Why You Should (and Shouldn't) Use Control D (June 2022). This may well be a fine service with many features (I have not used it), but I don't think they can explain it to non techies.
  
  
• The CleanBrowsing Security Filter did very well at blocking malware according to the June 2023 article by Nexxwave (see it below). The article says they are based in Texas and they offer subscriptions for both families and businesses to provide their filtered DNS service. In addition to paying subscriptions, they also have a free DNS resolver that filters for phishing, spam and malware domain names.
  
  
• The same June 2023 tests by Nexxwave (see article below) gave the highest score to dns0.eu which blocked 94% of the tested malware domains. They are a free European public DNS service. They focus on security to protect the citizens of the European Union. dns0.eu is a non-profit organization founded in 2022 by co-founders of NextDNS. All their DNS servers are in European countries. They offer two levels of service, the one with hardened security for highly sensitive environments is called ZERO. It too, is free. Quoting about ZERO: "Massively increase the catch rate for malicious domains - especially in their brutal early hours - by combining human-vetted threat intelligence with advanced heuristics that automatically identify high-risk patterns."
  
  
• On iOS consider the Privacy DNS app by Disconnect. It is free and blocks trackers and ads. It also does encrypted DNS.
  
  
• For a longer list of DNS providers, see Known DNS Providers from AdGuard

TESTING DNS SERVICES

URLhaus is in the business of collecting, tracking and sharing malware URLs. Their Statistics page (in the Blocklist Comparison section) compares DNS providers. Sadly the data is undated. They compare AdGuard, Quad9, Cloudflare, dns0.eu, ProtonDNS and others.

June 5, 2023: Public DNS malware filters tested by Kris Lowet of Nexxwave. Tests of a handful of DNS providers that claim to block malware domains. The worst was Comodo Secure DNS which blocked nothing. Cloudflare for Families (1.1.1.2) was very bad, blocking only 13%. Quad9 blocked 78%. CleanBrowsing Security Filter blocked 87%. The two best services were dns0.eu and dns0.eu ZERO which both blocked 94%.

Years back there was an issue with the old insecure DNS system that let bad guys intercept an outbound request and forge a response. A fix was created that introduced more randomness in the source port and/or transaction ID of these old insecure DNS requests. Steve Gibson created a DNS spoofability test that evaluates how well a DNS server does in regard to this randomness. The test is a web page with no creation date and no last update date, but the bug/problem/issue first came to light in 2008. The test is not aware of the new secure DNS system, so probably best not to run it from a browser using secure DNS. That said, I tested it with Firefox v114 (June 2023 on Windows) that was using NextDNS for secure DNS. The tester picked up three NextDNS servers and they all tested very well.