Quad9 9.9.9.9 might be a good Google Public DNS 8.8.8.8 alternative, claims better privacy and features DNSSEC, DNS Benchmark indicates better speeds

Posted by Paul Braren on Nov 17 2017 (updated on Dec 8 2017) in
  • HowTo
  • Networking
  • "How DNS Works" published at "Quad9 DNS" on Nov 15, 2017.

    There's a new DNS on this planet's interwebs, see the big announcement made yesterday over at IBM:


    While I cannot seem to find a definitive list or map of locations quite yet, it does appear they have geared-up to serve the globe pretty well, with over 70 POPs already.

    • Quad9 Internet Security & Privacy In a Few Easy Steps


      How Quad9 works
      Quad9 routes your DNS queries through a secure network of servers around the globe. The system uses threat intelligence from more than a dozen of the industry's leading cyber security companies to give a real-time perspective on what websites are safe and what sites are known to include malware or other threats. If the system detects that the site you want to reach is known to be infected, you'll automatically be blocked from entry - keeping your data and computer safe.

      Quad9 Infographic courtesy of Quad9.
    • Quad9 FAQ

      Will Quad9 filter content?
      No. Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains.
      What does Quad9 log/store about the DNS queries?
      We store details of the DNS records queried, timestamp, and the city, state, and country from where the query came. We do not store source IP information of end user queries.

    and I've decided to give it a try, and will let you know how it goes.

    Disclosure: I used to work at IBM from 1995-2016, but I had nothing to do with this Quad9 team that has apparently been in beta since 2016, and I don't even know who they are. I also have no financial interest in IBM.

    Read many more Quad9 reviews and announcements on the internets here.

    Why try a new DNS?

    Privacy

    Well, my ISP is Cox Communications, but they tend to give me some strange Cox customized search page of theirs when I type a URL wrong, and they're apparently now free to do whatever they want with my browsing data.

    I've been using Google DNS 8.8.8.8 and 8.8.4.4 for years, and it has served me well, and has been pretty fast. But Google does hold on to some of that rich DNS data, see Google Public DNS's Privacy page. Perhaps Quad9 holds on a little less, see Quad9 Your Privacy Is Paramount page, and FAQ.

    [Image: DSLReports speed test result on the TinkerTry network, 2017-11-17]

    Stay tuned, as it may be possible to use DNSSEC with the Ubiquiti EdgeRouter's dnsmasq that I'm now using, as explained in detail above. For now, much more investigation and testing is needed, especially pertaining to reliable NTP sync after reboots (DNSSEC signature validation depends on the router having the correct time). You can read more about Quad9 DNSSEC, and their full IPv6 support, in their FAQ. To be fair, Google Public DNS also validates DNSSEC and supports IPv6. Also worth noting that it's doubtful consumer routers and Wi-Fi routers will be offering DNSSEC anytime soon.

    While this article applies to any network router, I'll just note that Ubiquiti continues to exceed my expectations for an approximately $100 USD device, along with solid peer support in the forums. And wow, just look at those speeds! Seen pictured at right, above, using this speed test tool on my 300Mbps down/30Mbps up Cox Communications Internet Ultimate connection.

    How to test your speeds, at your location, on your internet connection?

    Turns out Quad9 DNS is maybe a tiny bit faster, at least for me. Any such test is very ISP and location dependent. Read onward for two simple ways I tested this from my home.

    Option 1 of 3: Use DNS Benchmark to measure speed, here's how

    [Image: DNS Benchmark results for zip code 06109 on Cox Communications, 2017-11-16]

    I measured my DNS performance for my home's network here in zip code 06109 by running Steve Gibson's ancient DNS Benchmark a few times. I'm not claiming it's a great idea to trust just anybody's executables; clearly it's not. But if you decide you trust Steve Gibson of Security Now fame, it's a portable, completely free application that needs no installation. Just download DNSBench.exe and run it to get started. If you don't fully trust the code, how about running it in a disposable VM like I did?

    Here's how to use DNS Benchmark:

    1. Let the initial calibration finish, which takes a few seconds
    2. Click on the Nameservers tab
    3. Click on the Add/Remove button
    4. Type in 9.9.9.9, then click the Add button
    5. Right-click, then select Remove 8 Dead Nameservers
    6. Click on Close
    7. Click on Run Benchmark
    8. Right-click on the graph and choose Set Graph Scale as needed
      A few minutes later, the list was auto-sorted with the fastest DNS servers at the top. I get pretty much the same list each time, pictured here.

    Option 2 of 3: Use Windows Command Prompt and ping to measure speed, here's how

    [Image: ping tests, TinkerTry]
    Imperfect but easy speed test from the Windows command line: compare the average round-trip times (the "time=18ms" values) for `9.9.9.9` versus `8.8.8.8`.

    Option 3 of 3: Use Linux dnsdiag to measure speed, here's how

    Obtain dnsdiag from DNSDiag.org

    Ever been wondering if your ISP is hijacking your DNS traffic? Ever observed any misbehavior with your DNS responses? Ever been redirected to a wrong address and suspected something is wrong with your DNS? Here we have a set of tools to perform basic audits on your DNS requests and responses to make sure your DNS is working as you expect.

    Specific usage example with complete syntax is detailed in the tweet below.

    [Tweet by Johannes Weber (@webernetz), Frankfurt, Germany]

    C'mon, change DNS once on your router, not on all your PCs and client devices!

    Remember, as described earlier in this article, I use locally resolved names for my home network's systems. This means my EdgeRouter Lite's Google DNS of 8.8.8.8 and 8.8.4.4 is only used for resolving external systems that aren't found in the local DNS. I'm now changing that to 9.9.9.9, as in quad nines. Certainly easy to remember.

    Up at the top, Quad9's DNS how-to guides tell you to change DNS on the client device, maybe just because explaining how to do this on a router is considerably tougher, especially in this day and age where many are stuck with the Wi-Fi router their ISP provides. Such hard-coding is not always a great idea, especially for portable devices like laptops that travel, even if they have a VPN for some protection. When that device is away from home, captive portals may require that the client use the local DNS server handed out by DHCP before you'll be able to surf the web at all. If you hard-coded your DNS server IP as Quad9 suggests, you'll be out of luck getting online.

    For this reason, along with the fact that I like the local computer names I've given DHCP reservations to have their DNS names fed to all my local Windows, Linux, and VMware VMs, I'd much prefer having my home's DHCP server/router dole out IP address leases. In Windows Command Prompt, issuing ipconfig /all will show the lease pointing to the DHCP server/router itself for routing and DNS. The forwarding settings configured in the router cause a seamless hand-off of non-local DNS lookups: those lookups go to the DNS forwarding target you configure, which for me is now set to 9.9.9.9 at Quad9. Further down their page, Quad9 goes on to say:

    • Who Should Set Up Quad9?

      Setting up DNS filtering requires just a simple configuration change. Most organizations or home users can update in minutes by changing the DNS settings in the central DHCP server which will update all clients in a few minutes with no action needed at end devices at all. The service is and will remain freely available to anyone wishing to use it.

    How to change your router's DNS configuration

    The DNS IP you set up here will be automatically doled out to all DHCP-connected devices on your home's network, or your router tells connected clients to use the router's own IP address as their DNS server, forwarding to 9.9.9.9 when needed. Either way, the advantage of this one change is that the DNS change is instantly in effect for all connected devices, and it's relatively easy to do. It only works if you can log in to your home network's router, however.

    While I cannot possibly support folks who try and fail to get into their routers and change their WAN connection's DNS setting, for any number of reasons, Quad9 apparently somehow does! I can also get folks pointed in the right direction with this vendor-by-vendor list of how-to guides that I just created:

    • D-Link
    • Netgear
    • Linksys
    • TP-Link
    • Ubiquiti

    I wrote this step-by-step guide on configuring DNS forwarding on EdgeRouter EdgeOS:

    edge-router-lite-update#how-to-change-your-edgerouter-dns-forwarding

    Not having a GUI to do DNS Forwarding address change is no doubt a weakness here, as I openly lamented here. I sure hope this changes, some day.


    Nov 18 2017 Update

    Addendum/clarifications.

    1) DNS sinkholes, DNS hijacking, and NXDOMAIN

    Read up on DNS sinkholes, DNS hijacking, and NXDOMAIN, terms that eluded me when I originally published the article above. When a subscriber (ISP customer) types an invalid URL into their browser, which results in an ERR_NAME_NOT_RESOLVED, their browser may be steered to a landing page by their ISP's DNS, rather than doing what you'd expect the browser to do: display an error like Chrome's "This site can’t be reached" and "server DNS address could not be found."

    Here's how the Google Public DNS FAQ describes their proper non-existent domain handling:

    How does Google Public DNS handle non-existent domains?

    If you issue a query for a domain name that does not exist, Google Public DNS always returns an NXDOMAIN record, as per the DNS protocol standards. The browser should show this response as a DNS error. If, instead, you receive any response other than an error message (for example, you are redirected to another page), this could be the result of the following:

    • A client-side application such as a browser plug-in is displaying an alternate page for a non-existent domain.
    • Some ISPs may intercept and replace all NXDOMAIN responses with responses that lead to their own servers. If you are concerned that your ISP is intercepting Google Public DNS requests or responses, you should contact your ISP.

    Here's how Quad9, as reported by arstechnica, handles non-existent domains:

    If a domain name is in the block list, the service simply responds to the query with an "NXDOMAIN" (non-existent domain) message. "It will break DNS queries," Rettinger said, "but it tends to work better than sinkholing"—the practice of forwarding bad domains to a host controlled by the service, as has been done with some seized botnet domains in the past—"because if you sinkhole, you can break other things."

    So both Google Public DNS and Quad9 handle NXDOMAIN properly.

    Here's a simple test to see for yourself, using an invalid, non-existent (sub)domain that nobody has apparently registered:
    [REMOVED - 11:42am Nov 18 2017]
    Potentially a bad idea, explained below.

    In a test VM only, one that you can delete when done testing, you can try hard-coding a system or VM to an ISP's DNS versus 8.8.8.8 and 9.9.9.9, to compare and contrast browser behavior for each, depending upon the test sites you choose to visit, at your own risk. You may need to issue an ipconfig /flushdns at the Windows command prompt between DNS changes to avoid caching effects. Your router may also have a DNS cache; the easiest fix is to power cycle it, but only if necessary.
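    As an added example (my own code, not from the original post and not from Quad9, Google, or the dnsdiag project), here is a small Python 3 script that serves both the speed-test options above and this NXDOMAIN discussion: it builds a raw DNS query with nothing but the standard library, times the reply from a resolver, and classifies whether a name that cannot exist came back as an honest NXDOMAIN or as a rewritten answer, which is the landing-page behavior described above. The resolver addresses 9.9.9.9 and 8.8.8.8 come from the post; the lookup names example.com and ibm.com, the random label under the reserved .invalid TLD, and the fake_response() helper that fabricates sample replies for offline testing are my own assumptions and constructed inputs, not captured traffic.

```python
import os
import socket
import struct
import time

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=None):
    """Return (txid, wire bytes) for a standard recursive query per RFC 1035."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")  # random id, checked on reply
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack(">HH", qtype, 1)  # class IN

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg, expected_txid=None):
    """Parse the header and answer section of a DNS reply into a dict."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply?)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
            rdata = socket.inet_ntoa(rdata)
        answers.append((rtype, rdata))
    return {"txid": txid, "rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, str(rcode)), "answers": answers}

def classify_nxdomain_response(parsed):
    """Say how a resolver handled a name that cannot exist."""
    if parsed["rcode"] == 3 and not parsed["answers"]:
        return "honest NXDOMAIN"
    if parsed["rcode"] == 0 and any(t == 1 for t, _ in parsed["answers"]):
        return "rewritten: A record returned for a non-existent name (landing page?)"
    return "unexpected rcode %s" % parsed["rcode_name"]

def query(server, name, qtype=1, timeout=2.0):
    """Send one UDP query to server:53 and return (elapsed_ms, parsed reply)."""
    txid, wire = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        s.sendto(wire, (server, 53))
        data, _ = s.recvfrom(4096)
        elapsed_ms = (time.perf_counter() - start) * 1000
    return elapsed_ms, parse_response(data, txid)

def time_resolver(server, names, rounds=3):
    """Median query time in ms over `names`, each asked `rounds` times."""
    samples = sorted(query(server, n)[0] for _ in range(rounds) for n in names)
    return samples[len(samples) // 2]

def nonexistent_test_name():
    """Random label under .invalid (RFC 2606): it can never be registered."""
    return "nx-%s.invalid" % os.urandom(4).hex()

def fake_response(query_wire, rcode, a_record=None):
    """Constructed sample reply (not captured traffic) for offline testing:
    echoes the question, sets QR/RD/RA plus rcode, optionally adds one A record."""
    txid = struct.unpack(">H", query_wire[:2])[0]
    answer = b""
    if a_record:  # name field is a compression pointer to the question at offset 12
        answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(a_record)
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, 1 if a_record else 0, 0, 0)
    return header + query_wire[12:] + answer

if __name__ == "__main__":
    # Resolver addresses are from the post; the lookup names are my own choice.
    for server in ("9.9.9.9", "8.8.8.8"):
        try:
            print(server, "median ms:", round(time_resolver(server, ["example.com", "ibm.com"]), 1))
            _, reply = query(server, nonexistent_test_name())
            print(server, classify_nxdomain_response(reply))
        except (socket.timeout, OSError, ValueError) as exc:
            print(server, "error:", exc)
```

    Run it on a machine with network access to see median query times per resolver and the NXDOMAIN verdict; the fake_response() helper exists only so the parser and classifier can be exercised without sending anything. Two design points: the transaction id is checked on every reply as a minimal guard against stale or spoofed answers, and the test name lives under .invalid, which a resolver may answer locally rather than via the full resolution path, but which can never be bought by anyone, the problem noted with the removed live link in the 11:42am update. A random label under a domain you control exercises the full path instead.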

    2) Government funding?

    Let's be watchful over time of ongoing sources of funding that keep Quad9 going, and note what Ars Technica says:

    The Quad9 service is free, but it does need to be continually funded. GCA is a non-profit—so the long-term growth of the service is based largely on government and industry continuing to fund it. GCA itself was funded initially with $25 million in criminal asset forfeiture directed to the organization by Manhattan District Attorney Cyrus Vance Jr.

    3) Class A Network

    Knowing first-hand that IBM owns an early Class A network that starts with 9, it's no surprise that they were able to capitalize on this when creating such an easy-to-remember service. Never really thought I'd see a 9 address in public. Well played!


    Nov 18 2017 Update 11:42am ET

    In response to this tweet, the non-existent domain example has also been completely removed, to avoid the chance anybody visits an unscrupulous future buyer of this domain name. My link example shouldn't have ever been a live link, my apologies for this brief lapse in good judgment. Spelling and awkward grammar errors also corrected, as well as clarification on DNS sinkhole and DNS hijacking added.

    Next up, working on a simple and secure visit-this-URL way to confirm that 9.9.9.9 is your active DNS provider, and testing NTP setting-by-IP so it functions correctly during boot up, prepping for DNSSEC testing. Stay tuned!


    Nov 22 2017 Update

    Detailed discussion about Quad9 now available here:

    • SECURITY NOW 638: QUAD NINE
      Nov 21 2017 by Steve Gibson on Security Now 638 "Quad 9 is the New DNS Hotness":

      And thanks to the Packet Clearing House (PCH) which maintains a globe-spanning infrastructure, the service is screamingly fast:
      Using “Anycast” routing to automatically use the nearest DNS server, at this launch the service offers 70 points of presence in 40 countries… growing to 160 during 2018.
      Quad9 is a free, recursive, anycast DNS platform that provides end users robust security protections, high-performance, and privacy.

    Here's the exact spot where Steve talks about Quad9, and detailed shownotes.


    Nov 29 2017 Update


    Have a listen to Steve Gibson's updates on Quad9 in his Security Now podcast 639, with things seemingly going well overall so far. Full shownotes here.


    It sure matters where you live, in relation to the nearest Quad9 POP. But with a rapid roll-out of new POPs coming soon, reports of odd tracert-confirmed hops at some geographical locations (like Seattle WA re-routed through Palo Alto CA) seem likely to subside in 2018.


    Dec 06 2017 Update

    Tenta DNS


    I've received word of open source Tenta DNS, passing it along:

    I read your article on Quad9 and think you'll be interested in Tenta DNS with DNS over TLS and DNSSEC. It's open source, written in Golang and already gained over 1200 followers on github within the first week. We support OpenNIC root servers, so users can load special TLDs based on the bitcoin protocol such as .bit. Source: github.com/tenta-browser/tenta-dns

    One of the most popular questions we get is how DNS over TLS compares to DNSCrypt, so we just published a post explaining the key differences that I think you'll also appreciate: tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt.

    Quad 9 Secondary DNS?

    As mentioned on Security Now Episode 640 at around 1 hour 44 minutes, it turns out there is a secondary DNS server for Quad9 as well:

        149.112.112.112

    I have not tested it, and since I've had no outages since configuring my router to use Quad9 for all my home's systems, I might not bother.

    Quad9 also now has a video for Windows 10 users wishing to change just that one PC. Note that they don't mention the secondary DNS:

    Quad9 How To Setup Quad9 with Windows

    Dec 07 2017

    As found on page 24 of the just-published Security Now 640 shownotes:

    I wanted to tell people that there is now a points-of-presence map for the service. It's at pch.net/about/pops, P-O-P-S, which is short for Points of Presences. So www.pch.net/about/pops, which people can look at and also follow over time because these guys will be more than doubling their points of presences over 2018, which means for people who are not currently near a Quad 9 DNS server, there's a good hope that'll change in the future.

    [Image: PCH points-of-presence map as of 2017-12-07]

    Dec 08 2017


    I really appreciate that PCH has informed me that some clarification on the POP map seen above is needed, here's the tweet:

    This is very specifically a map of @PCHglobal anycast nodes.

    @Quad9DNS is available at a subset of these nodes and has plans to publish their own PoPs map very soon.


    See also at TinkerTry

    replaced-linksys-with-eero-after-also-testing-luma

    dslreports-speedtest

    See also

    • Google search
      for "Quad9" reviews between Nov 15 and Nov 17, 2017.
      Screenshot of Google Search results made early on Nov 18 2017.

    • Free and Public DNS Servers
      Updated list of the best publicly available and completely free DNS servers

      Nov 17 2017 by Tim Fisher at Lifewire. Excerpt:

      Quad9 uses real time information about what websites are malicious and blocks them completely. No content is filtered - only domains that are phishing, contain malware, and exploit kit domains will be blocked. No personal data is stored. An unsecure public DNS is also available from Quad9 at 9.9.9.10 but they do not recommend using that as a secondary domain in your router or computer setup. See more in the Quad9 FAQ.

    • Is Your ISP Hijacking Your DNS Traffic?
      Jul 06 2016 by Babak Farrokhi at RIPE NETWORK COORDINATION CENTRE. Excerpt:

      You might not have noticed, but there are chances that your ISP is playing nasty tricks with your DNS traffic.