
Wait, is 9.9.9.10 the secondary? That's in the same allocation as 9.9.9.9. What's the point in having a secondary if there's no real separation or redundancy?

8.8.8.8 and 8.8.4.4 are separate allocations - both /24.



The most useful reason to have two addresses is for client resolvers that often demand them. Assuming the whole configuration is running anycast with multiple PoPs, the extra "redundancy" provided by Google DNS is essentially meaningless thanks to BGP route aggregation; a /24 is too small to be treated uniquely for internetwork routing in the general case, and in any case, both of Google's subnets are announced by the same AS 15169. The most likely use for Google's subnet is to make the backup address more memorable.

In both networks, those IP addresses are almost certainly treated identically, virtualized to all hell with multiple physical termination points leading to the same pools of machines. One extra /24 isn't going to help reliability much if at all, especially considering it is part of the same AS.

Perhaps I'm wrong and Google use the /24 somehow for the purposes of internal routing. If that's true, in the same scenario IBM may be content to have just these two /32s in their internal tables where route aggregation could be made to not apply.


Having the backup in a separate /24 allows the option of steering BGP announcements differently at different peering points (even if they aren't announced differently in the everything-is-working case).


Is there a service that Quad9 offers that does not have the blocklist or other security?

The primary IP address for Quad9 is 9.9.9.9, which includes the blocklist, DNSSEC, and other security features. However, there are alternate IP addresses that the service operates which do not have these security features. These might be useful for testing validation, or to determine if there are false positives in the Quad9 system.

Secure IP: 9.9.9.9 Blocklist, DNSSEC, No EDNS Client-Subnet

Unsecure IP: 9.9.9.10 No blocklist, no DNSSEC, send EDNS Client-Subnet

Note: Use only one of these two addresses. Some networking software may include terminology such as “Secondary DNS Server” in configuration windows; this can be left blank. Putting both 9.9.9.9 and 9.9.9.10 into “primary” and “secondary” fields may result in unsecure results in rare circumstances.


Hey guys sorry for lag in response, a bit slammed right now on our side.

9.9.9.10 does not have blocking; it also has EDNS enabled (so assume less privacy than 9.9.9.9, given EDNS will be transmitted on 9.9.9.10).

We will make sure to push out some documentation on the different services on each IP. For the launch we focused on 9.9.9.9. There will be a blocking + EDNS IP soon; we just didn't get it done in time. :(


It's not the secondary, it's a different kind of service. The faq explicitly says to not mix the two in the same configuration.
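
An added example (not part of any comment in this thread, and not Quad9's code): a check of resolv.conf-style text for the 9.9.9.9 / 9.9.9.10 mix that the quoted FAQ warns against. The function names and sample input are constructed for illustration, and the extra check for other resolvers listed next to 9.9.9.9 generalizes beyond the FAQ text.

```python
import ipaddress

# Service profiles as described in the Quad9 FAQ text quoted in this thread.
QUAD9_PROFILES = {
    ipaddress.ip_address("9.9.9.9"): "secure",     # blocklist, DNSSEC, no EDNS Client-Subnet
    ipaddress.ip_address("9.9.9.10"): "unsecure",  # no blocklist, no DNSSEC, sends EDNS Client-Subnet
}

# Constructed sample input: the primary/secondary setup the FAQ says to avoid.
SAMPLE_RESOLV_CONF = """\
# constructed example
nameserver 9.9.9.9
nameserver 9.9.9.10   ; filled in as "secondary"
"""

def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        # Drop '#' and ';' comments, whether whole-line or trailing.
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue  # skip malformed addresses rather than guess
    return servers

def audit(resolv_conf_text):
    """Return findings about how the Quad9 addresses are combined."""
    servers = parse_nameservers(resolv_conf_text)
    profiles = {QUAD9_PROFILES[s] for s in servers if s in QUAD9_PROFILES}
    others = [str(s) for s in servers if s not in QUAD9_PROFILES]
    findings = []
    if profiles == {"secure", "unsecure"}:
        findings.append("mixed: 9.9.9.9 and 9.9.9.10 are both configured; "
                        "answers from 9.9.9.10 skip the blocklist and DNSSEC")
    elif profiles == {"unsecure"}:
        findings.append("unfiltered: only 9.9.9.10 is configured")
    if "secure" in profiles and others:
        # Assumption beyond the FAQ: any other resolver lacks Quad9's blocklist.
        findings.append("other-resolver: listed next to 9.9.9.9 without its "
                        "blocklist: " + ", ".join(others))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESOLV_CONF):
        print(finding)
```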



