Quad9 is a good Google Public DNS alternative with DNSSEC, better privacy, and faster DNS Benchmark speeds

Posted by Paul Braren on Nov 17 2017 (updated on May 17 2018) in
  • HowTo
  • Network
  • Review
  • "How DNS Works" published at "Quad9 DNS" on Nov 15, 2017.

    There's a new DNS on this planet's interwebs, see the big announcement made yesterday over at IBM.

    While I cannot seem to find a definitive list or map of locations quite yet, it does appear they have geared-up to serve the globe pretty well, with over 70 POPs already.

    • Quad9 Internet Security & Privacy In a Few Easy Steps


      How Quad9 works
      Quad9 routes your DNS queries through a secure network of servers around the globe. The system uses threat intelligence from more than a dozen of the industry's leading cyber security companies to give a real-time perspective on what websites are safe and what sites are known to include malware or other threats. If the system detects that the site you want to reach is known to be infected, you'll automatically be blocked from entry - keeping your data and computer safe.

      [Images: "In Collaboration With" partner logos and the Quad9 infographic, courtesy of Quad9.]
    • Quad9 FAQ

      Will Quad9 filter content?
      No. Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains.
      What does Quad9 log/store about the DNS queries?
      We store details of the DNS records queried, timestamp, and the city, state, and country from where the query came. We do not store source IP information of end user queries.

    and I've decided to give it a try, and will let you know how it goes.

    Disclosure: I used to work at IBM from 1995-2016, but I had nothing to do with this Quad9 team that apparently have been in beta since 2016, and I don't even know who they are. I also have no financial interest in IBM.

    Read many more Quad9 reviews and announcements on the internets here.

    Why try a new DNS?

    Privacy

    Well, my ISP is Cox Communications, but they tend to give me some strange Cox customized search page of theirs when I type a URL wrong, and they're apparently now free to do whatever they want with my browsing data.

    I've been using Google DNS 8.8.8.8 and 8.8.4.4 for years, and it has served me well, and has been pretty fast. But Google does hold on to some of that rich DNS data, see Google Public DNS's Privacy page. Perhaps Quad9 holds on a little less, see Quad9 Your Privacy Is Paramount page, and FAQ.

    [Image: DSLReports speed test on the TinkerTry network, 2017-11-17]

    Stay tuned, as it may be possible to use DNSSEC with the Ubiquiti EdgeRouter's dnsmasq that I'm now using, as explained in detail above. For now, much more investigation and testing is needed, especially pertaining to reliable NTP sync after reboots (DNSSEC signature checks depend on a correct clock). You can read more about Quad9 DNSSEC, and their full IPv6 support, in their FAQ. To be fair, Google Public DNS also validates DNSSEC and supports IPv6. Also worth noting that it's doubtful consumer routers and Wi-Fi routers will be offering DNSSEC anytime soon.

    While this article applies to any network router, I'll just note that Ubiquiti continues to exceed my expectations for an approximately $100 USD device, along with solid peer support in the forums. And wow, just look at those speeds! Seen pictured at right, above, using this speed test tool on my 300Mbps down/30Mbps up Cox Communications Cox Internet Ultimate connection.

    How to test your speeds, at your location, on your internet connection?

    Turns out Quad9 DNS is maybe a tiny bit faster, at least for me. Any such test is very ISP and location dependent. Read onward for two simple ways I tested this from my home.

    Option 1 of 3: Use DNS Benchmark to measure speed, here's how

    [Image: DNS Benchmark results, zip code 06109 on Cox Communications, 2017-11-16]

    I measured my DNS performance for my home's network here in zip code 06109 by running Steve Gibson's ancient DNS Benchmark a few times. I'm not claiming it's a great idea to trust just anybody's executables; clearly it's not. But if you decide you trust Steve Gibson of Security Now fame, it's a portable, completely free application that needs no installation. Just download DNSBench.exe and run it to get started. If you don't fully trust the code, how about running it in a disposable VM like I did?

    Here's how to use DNS Benchmark:

    1. Let the initial calibration finish (a few seconds)
    2. Click on the Nameservers tab
    3. Click on the Add/Remove button
    4. Type in 9.9.9.9, then click the Add button
    5. Right-click, select Remove 8 Dead Nameservers
    6. Click on Close
    7. Click on Run Benchmark
    8. Right-click on the graph and choose Set Graph Scale as needed
      A few minutes later, the list was auto-sorted with the fastest DNS servers at the top. I get pretty much the same list each time, pictured here.

    Option 2 of 3: Use Windows Command Prompt and ping to measure speed, here's how

    [Image: ping tests]
    Imperfect-but-easy speed test, from the Windows command line. Compare the average "time=18ms" style results for `9.9.9.9` versus `8.8.8.8` DNS server round-trips.

    Option 3 of 3: Use Linux dnsdiag to measure speed, here's how

    Obtain dnsdiag from DNSDiag.org

    Ever wondered if your ISP is hijacking your DNS traffic? Ever observed any misbehavior with your DNS responses? Ever been redirected to the wrong address and suspected something is wrong with your DNS? Here we have a set of tools to perform basic audits on your DNS requests and responses to make sure your DNS is working as you expect.

    Specific usage example with complete syntax is detailed in the tweet below.

    Tweet by Johannes Weber @webernetz in Frankfurt, Germany.

    C'mon, change DNS once on your router, not on all your PCs and client devices!

    Remember, as described earlier in this article, I use locally resolved names for my home network's systems. This means my EdgeRouter Lite's Google DNS of 8.8.8.8 and 8.8.4.4 is only used for resolving external systems that aren't found in the local DNS. I'm now changing that to 9.9.9.9, as in quad nines. Certainly easy to remember.

    Up at the top, Quad9's DNS how-to guides tell you to change DNS on the client device, maybe just because explaining how to do this on a router is considerably tougher, especially in this day and age where many are stuck with the Wi-Fi router their ISP provides. Such hard-coding is not always a great idea, especially for portable devices like laptops that travel, even if they have a VPN for some protection. When that device is away from home, captive portals may require that you use the local DNS server handed to you by DHCP before you'll be able to surf the web at all. If you hard-coded your DNS server IP as Quad9 suggests, you'll be out of luck getting online.

    For this reason, along with the fact that I like the local computer names I've given DHCP reservations to have their DNS names resolvable from all my local Windows, Linux, and VMware VMs, I'd much prefer having my home's DHCP server/router dole out IP address leases. In Windows Command Prompt, issuing ipconfig /all will show the lease pointing to the DHCP server/router itself as both default gateway and DNS server. The settings configured in the router handle the forwarding magic: a seamless hand-off of non-local DNS lookups to the DNS forwarding target you configure, which for me is now set to 9.9.9.9 at Quad9. Further down their page, Quad9 goes on to say:

    • Who Should Set Up Quad9?

      Setting up DNS filtering requires just a simple configuration change. Most organizations or home users can update in minutes by changing the DNS settings in the central DHCP server which will update all clients in a few minutes with no action needed at end devices at all. The service is and will remain freely available to anyone wishing to use it.

    How to change your router's DNS configuration

    The DNS IP you set up here will be automatically doled out to all DHCP-connected devices on your home's network, or your router tells connected clients to use the router's own IP address, forwarding to 9.9.9.9 when needed. Either way, the advantage of this one change is that the DNS change is instantly in effect for all connected devices, and relatively easy to do. It only works if you have access to log in to your home network's router, however.

    While I cannot possibly support folks who try and fail to get into their routers and change their WAN connection's DNS setting for any number of reasons, Quad9 apparently somehow does! I can also get folks pointed in the right direction with this vendor list of how-to guides that I created here.

    Ubiquiti

    I wrote this step-by-step guide on configuring DNS forwarding on EdgeRouter EdgeOS:

    edge-router-lite-update#how-to-change-your-edgerouter-dns-forwarding

    Nov 18 2017 Update

    Addendum/clarifications.

    1) DNS sinkholes, DNS hijacking, and NXDOMAIN

    Read up on DNS sinkholes, DNS hijacking, and NXDOMAIN, terms that eluded me when I originally published the article above. When a subscriber (ISP customer) types an invalid URL into their browser, which results in an ERR_NAME_NOT_RESOLVED, their browser may be steered to a landing page by their ISP's DNS, rather than what you'd expect the browser to do: display an error warning like Chrome's "This site can't be reached" and "server DNS address could not be found."

    Here's how the Google Public DNS FAQ describes their proper non-existent domain handling:

    How does Google Public DNS handle non-existent domains?

    If you issue a query for a domain name that does not exist, Google Public DNS always returns an NXDOMAIN record, as per the DNS protocol standards. The browser should show this response as a DNS error. If, instead, you receive any response other than an error message (for example, you are redirected to another page), this could be the result of the following:

    • A client-side application such as a browser plug-in is displaying an alternate page for a non-existent domain.
    • Some ISPs may intercept and replace all NXDOMAIN responses with responses that lead to their own servers. If you are concerned that your ISP is intercepting Google Public DNS requests or responses, you should contact your ISP.

    Here's how Quad9, as reported by arstechnica, handles non-existent domains:

    If a domain name is in the block list, the service simply responds to the query with an "NXDOMAIN" (non-existent domain) message. "It will break DNS queries," Rettinger said, "but it tends to work better than sinkholing"—the practice of forwarding bad domains to a host controlled by the service, as has been done with some seized botnet domains in the past—"because if you sinkhole, you can break other things."

    So both Google Public DNS and Quad9 handle NXDOMAIN properly.

    Here's a simple test to see for yourself, using an invalid, non-existent (sub)domain that nobody has apparently registered:
    [REMOVED - 11:42am Nov 18 2017]
    Potentially a bad idea, explained below.

    In a test VM only, one that you can delete when done testing, you can try hard-coding a system or a VM to an ISP's DNS versus 8.8.8.8 and 9.9.9.9, to compare/contrast browser behavior for each, depending upon the test sites that you choose to visit, at your own risk. You may need to issue ipconfig /flushdns at the Windows command prompt between DNS changes, to avoid caching effects. Your router may also have a DNS cache; the easiest way to clear it is to power cycle the router, but only if necessary.
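    The following is an added example, not code from the original post or from Quad9 or Google: a small Python script (standard library only) that does the same comparison from the command line without ever putting an unregistered hostname into a browser. It builds a raw DNS query, times the UDP round trip to a resolver (the Option 2 ping comparison above, but timing an actual lookup), and checks the reply: NXDOMAIN means the resolver passed the error through untouched, while a NOERROR reply carrying an A record for a name that cannot exist means something along the way rewrote it. The test name lives under the reserved .invalid top-level domain (RFC 2606), which can never be bought, so it avoids the problem that led to the original example being removed. The same query builder also sends the CHAOS-class id.server TXT query, which reports which anycast node answered. The resolver IPs 9.9.9.9 and 8.8.8.8 come from the article; the function names and the example.com / nxdomain-test.invalid names are chosen for this example.

```python
"""Minimal DNS probe on the standard library: build a query, time the UDP round
trip, classify the reply. Added example for this article, not Quad9's or Google's
own tooling; 'nxdomain-test.invalid' is a constructed name under the reserved
.invalid TLD (RFC 2606), which can never be registered."""
import os, socket, struct, time

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES, QCLASSES = {"A": 1, "TXT": 16}, {"IN": 1, "CH": 3}

def build_query(name, qtype="A", qclass="IN", txid=None):
    """Return (txid, wire bytes) for a one-question query with only RD set."""
    txid = int.from_bytes(os.urandom(2), "big") if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", QTYPES[qtype], QCLASSES[qclass])

def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            end = offset + 2 if end is None else end   # resume after first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_response(msg, expected_txid=None):
    """Return rcode name, AD flag and answers as (name, type, ttl, value) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):                           # skip the echoed question
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        rdata = msg[offset + 10:offset + 10 + rdlen]
        offset += 10 + rdlen
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        elif rtype == 16:                         # TXT: <len><chars> ...
            parts, i = [], 0
            while i < rdlen:
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
                i += 1 + rdata[i]
            value = "".join(parts)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    rcode = flags & 0x000F
    return {"rcode": RCODES.get(rcode, "RCODE%d" % rcode),
            "ad": bool(flags & 0x0020), "answers": answers}

def nxdomain_verdict(resp):
    """For a name that must not exist: did NXDOMAIN come back untouched?"""
    if resp["rcode"] == "NXDOMAIN":
        return "ok: NXDOMAIN passed through"
    addrs = [a[3] for a in resp["answers"] if a[1] == 1]
    if resp["rcode"] == "NOERROR" and addrs:
        return "warning: NXDOMAIN rewritten to " + ", ".join(addrs)
    return "unexpected: " + resp["rcode"]

def time_query(server, name, qtype="A", qclass="IN", timeout=2.0):
    """Send one UDP query to server:53; return (parsed reply, round trip in ms)."""
    txid, wire = build_query(name, qtype, qclass)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(wire, (server, 53))
        data, _ = sock.recvfrom(4096)
        elapsed = (time.perf_counter() - start) * 1000
    return parse_response(data, txid), elapsed

if __name__ == "__main__":
    for server in ("9.9.9.9", "8.8.8.8"):
        resp, ms = time_query(server, "example.com")
        print(server, "example.com", resp["rcode"], "AD" if resp["ad"] else "-", "%.1f ms" % ms)
        resp, ms = time_query(server, "nxdomain-test.invalid")
        print(server, "nxdomain-test.invalid", nxdomain_verdict(resp), "%.1f ms" % ms)
        resp, _ = time_query(server, "id.server", "TXT", "CH")   # which anycast node answered
        print(server, "id.server", [a[3] for a in resp["answers"]])
```

    Run it a few times and compare the ms column per resolver; the AD marker on the example.com line shows whether the resolver reported DNSSEC validation for that answer. The probe checks the transaction id of each reply so a stray or spoofed datagram is rejected rather than timed, and it reads a single UDP reply only, so truncated (TC) answers to large queries are not retried over TCP.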

    2) Government funding?

    Let's be watchful over time of ongoing sources of funding that keep Quad9 going, and note what Ars Technica says:

    The Quad9 service is free, but it does need to be continually funded. GCA is a non-profit—so the long-term growth of the service is based largely on government and industry continuing to fund it. GCA itself was funded initially with $25 million in criminal asset forfeiture directed to the organization by Manhattan District Attorney Cyrus Vance Jr.

    3) Class A Network

    Knowing first-hand that IBM owns an early Class A network that starts with 9, it's no surprise that they were able to capitalize on this when creating such an easy-to-remember service. Never really thought I'd see a 9 address in public. Well played!


    Nov 18 2017 Update 11:42am ET

    In response to this tweet, the non-existent domain example has also been completely removed, to avoid the chance anybody visits an unscrupulous future buyer of this domain name. My link example shouldn't have ever been a live link, my apologies for this brief lapse in good judgment. Spelling and awkward grammar errors also corrected, as well as clarification on DNS sinkhole and DNS hijacking added.

    Next up, working on a simple and secure visit-this-URL way to confirm that 9.9.9.9 is your active DNS provider, and testing NTP setting-by-IP so it functions correctly during boot up, prepping for DNSSEC testing. Stay tuned!


    Nov 22 2017 Update

    Detailed discussion about Quad9 now available here:

    • SECURITY NOW 638: QUAD NINE
      Nov 21 2017 by Steve Gibson on Security Now 638 "Quad 9 is the New DNS Hotness":
      [Image: Security Now 638]
      Click the image to jump to the right spot in the podcast audio.

      And thanks to the Packet Clearing House (PCH) which maintains a globe-spanning infrastructure, the service is screamingly fast:
      Using “Anycast” routing to automatically use the nearest DNS server, at this launch the service offers 70 points of presence in 40 countries… growing to 160 during 2018.
      Quad9 is a free, recursive, anycast DNS platform that provides end users robust security protections, high-performance, and privacy.

    Here's the exact spot where Steve talks about Quad9, and detailed shownotes.


    Nov 29 2017 Update

    [Image: Security Now 639. Click the image to jump to the right spot in the podcast audio.]

    Have a listen to Steve Gibson's updates on Quad9 in his Security Now podcast 639, with things seemingly going well overall so far. Full shownotes here.


    It sure matters where you live, in relation to the nearest Quad9 POP. But with a rapid roll-out of new POPs coming soon, reports of odd tracert-confirmed hops at some geographical locations (like Seattle WA re-routed through Palo Alto CA) seem likely to subside in 2018.


    Dec 06 2017 Update

    Tenta DNS

    [Image: DNS over TLS vs DNSCrypt. Click to visit Tenta]

    I've received word of open source Tenta DNS, passing it along:

    I read your article on Quad9 and think you'll be interested in Tenta DNS with DNS over TLS and DNSSEC. It's open source, written in Golang and already gained over 1200 followers on github within the first week. We support OpenNIC root servers, so users can load special TLDs based on the bitcoin protocol such as .bit. Source: github.com/tenta-browser/tenta-dns

    One of the most popular questions we get is how DNS over TLS compares to DNSCrypt, so we just published a post explaining the key differences that I think you'll also appreciate: tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt.

    Quad 9 Secondary DNS?

    As mentioned on Security Now Episode 640 at around 1 hour 44 minutes, turns out there is a secondary DNS for Quad9 as well, it's:

        149.112.112.112

    I have not tested it, and since I've had no outages since configuring my router to use Quad9 for all my home's systems, I might not bother.

    Quad9 also now has a video for Windows 10 users wishing to change just that one PC. Note that they don't mention the secondary DNS:

    Quad9 How To Setup Quad9 with Windows

    Dec 07 2017 Update

    As found on page 24 of the just-published Security Now 640 shownotes:

    I wanted to tell people that there is now a points-of-presence map for the service. It's at pch.net/about/pops, P-O-P-S, which is short for Points of Presences. So www.pch.net/about/pops, which people can look at and also follow over time because these guys will be more than doubling their points of presences over 2018, which means for people who are not currently near a Quad 9 DNS server, there's a good hope that'll change in the future.

    [Image: PCH points of presence map as of 2017-12-07]

    Dec 08 2017 Update


    I really appreciate that PCH has informed me that some clarification on the POP map seen above is needed, here's the tweet:

    This is very specifically a map of @PCHglobal anycast nodes.

    @Quad9DNS is available at a subset of these nodes and has plans to publish their own PoPs map very soon.


    Jan 22 2018 Update

    It sure is nice to have Bill Woodcock, Executive Director at Packet Clearing House, clarify a few fundamentals about the way Quad9/PCH operates. His feedback appeared in the comments below this article:

    Bill at PCH (Packet Clearing House):


    Howdy. I'm on Quad9's board of directors, and I'm PCH's executive director, so, happy to answer questions about Quad9.

    GCA's donors don't really have any bearing on this... There's no relationship between Quad9 and any of Quad9's donors' donors... And in any event, GCA is less than 1% of Quad9's funding. IBM and NTT are something like 40%, and there are hundreds of other donors in-between. So that's tinfoil-hat grasping at straws. Fundamentally, Quad9 is funded by the portion of the Internet industry that agrees that personal privacy is worthy of protection, and that it's both technically and economically feasible to be in complete compliance with the General Data Protection Regulation.

    So, in so far as there's alignment between Quad9 and some sector of government, it's with privacy regulators, rather than law enforcement.

    Though law enforcement was generally pretty pleased with the 30,000,000 malware events that were prevented during the pilot, and that rate has increased dramatically as we've gone into full public use.

    Paul at TinkerTry:

    I really appreciate you leaving this clarification here, thank you!

    Bill at PCH:

    Sure, happy to answer any questions people may have.

    One other note: I'd say that the most useful "secondary" IP address for Quad9 is 2620:FE:FE*, rather than 149.112.112.112, in the sense that the 149.112.112.112 address doesn't really get you anything very different than the 9.9.9.9 address in terms of network reachability, whereas the IPv6 path may be quite different than the IPv4 path.

    * Note that there is a typo above: the suggested IPv6 secondary address is actually 2620:fe::fe, as explained in Quad9's FAQ. Thanks to Steve for noticing and then reporting this to me!

    Another update

    Based on 2+ months of experience, and feedback that my original title was way too long and confusing, I have changed this article's title from:
    Quad9 9.9.9.9 might be a good Google Public DNS 8.8.8.8 alternative, claims better privacy and features DNSSEC, DNS Benchmark indicates better speeds
    to:
    Quad9 is a good Google Public DNS alternative with DNSSEC, better privacy, and faster DNS Benchmark speeds


    Jan 31 2018 Update


    If you simply want to search a domain to see if Quad9 is blocking it, easy, the checker is right on the home page!


    Apr 01 2018 Update

    There's a new DNS that arrived today, see details at TinkerTry at:

    cloudflare-dns-service-1-1-1-1-slug
    • Cloudflare launches 1.1.1.1 DNS service that will speed up your internet
      Apr 01 2018 by Tom Warren at The Verge

      ...
      The service is using https://1.1.1.1, and it’s not a joke but an actual DNS resolver that anyone can use. Cloudflare claims it will be “the Internet’s fastest, privacy-first consumer DNS service.” While OpenDNS and Google DNS both exist, Cloudflare is focusing heavily on the privacy aspect of its own DNS service with a promise to wipe all logs of DNS queries within 24 hours.
      ...


    Apr 04 2018 Update

    A closely-related new article has just been published at TinkerTry.

    how-to-use-new-grc-dns-benchmark-released-apr-04-2018

    Apr 08 2018 Update


    I seem to be having some intermittent Quad9 performance issues these last couple of days, and I've reached out to @Quad9 for comment, and left a comment here. I'll have around 6 minutes of excellent performance, followed by 3 minutes of poor performance. The duration and frequency of this happening varies widely.

    This has been happening for the past 2 to 3 days, and I first reported it yesterday.

    [Image: tracert output, 2018-04-08]
    My `tracert` from my Cox Communications connection in zip code 06109 to Quad9's IP.

    Apr 09 2018 Update

    @Quad9 has responded with a request for details, and one other person chiming in with a similar anecdotal report. Given I don't see any widespread chatter on Twitter or elsewhere about any ongoing issues, it's likely just something unique to my geography, with a lot more testing we can do to narrow this down. I also did some tracert and ping tests, nothing. I did a more interesting dig test shown in my Ubuntu screenshot below, and it doesn't seem to be revealing anything obvious either, even when left running for hours.

    In hindsight, it appears that instead of the web form at quad9.net/contact, I probably should have just emailed support@quad9.net instead.

    I plan to update this post with whatever troubleshooting steps I try, and whether a path to resolution of this issue is found. Based on the anti-malware protection of Quad9, I'm motivated personally to fix this anyway, even with the recent announcement of a newcomer to public DNS, with my related look at DNS Benchmark here.

    [Image: dig loop on Ubuntu, 2018-04-09]
    I've disabled IPv6, and hard-coded the DNS IP to 9.9.9.9, to ensure this Ubuntu system is doing all DNS lookups through Quad9's 9.9.9.9 IP address. Most results are 0 ms, and even the outliers aren't that long, such as the 36 ms shown here.

    Apr 14 2018 Update

    Quad9 support did reach out to me via email, asking me to issue the two commands shown below.

    Microsoft Windows [Version 10.0.16299.371]
    (c) 2017 Microsoft Corporation. All rights reserved.
    
    C:\Users\pbraren>nslookup -q=txt -class=chaos id.server 9.9.9.9
    Server:  dns.quad9.net
    Address:  9.9.9.9
    
    Non-authoritative answer:
    id.server       text =
    
            "res200.lga.rrdns.pch.net"
    
    C:\Users\pbraren>tracert 9.9.9.9
    
    Tracing route to dns.quad9.net [9.9.9.9]
    over a maximum of 30 hops:
    
      1     6 ms     5 ms     6 ms  ubnt.lab.local [10.10.1.1]
      2     9 ms    12 ms    11 ms  10.4.144.1
      3    29 ms    13 ms    26 ms  100.120.244.56
      4    22 ms    19 ms    19 ms  100.120.244.218
      5    19 ms    21 ms    22 ms  dllsdsrc01-gex03010999.rd.dl.cox.net [68.1.1.73]
      6    21 ms    21 ms    20 ms  ae-15.a01.nycmny01.us.bb.gin.ntt.net [129.250.194.153]
      7    21 ms    21 ms    36 ms  xe-0-0-6-3.a01.nycmny01.us.ce.gin.ntt.net [129.250.198.150]
      8    22 ms    22 ms    22 ms  dns.quad9.net [9.9.9.9]
    
    Trace complete.

    C:\Users\pbraren>
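    As an added example (not part of the original post and not a Quad9 or Microsoft tool), here is a Python parser for Windows tracert output like the listing above. It turns each hop into structured data, handles probes that timed out (*) and sub-millisecond (<1 ms) replies, and summarizes where along the path the round-trip time builds up, using the minimum of the three probes per hop so a single slow probe (hop 3's 29 ms above) doesn't skew the picture. That makes two traces taken days apart, or from two locations, directly comparable. The first sample is the article's own tracert; the second is constructed to exercise the timeout and <1 ms cases.

```python
"""Parse Windows tracert output into hops and summarise where round-trip time
builds up along the path. Added example for this article, not a Quad9 or Microsoft
tool. SAMPLE_FROM_ARTICLE is the listing shown in the Apr 14 2018 update;
SAMPLE_CONSTRUCTED is made up to exercise '<1 ms' and 'Request timed out.' rows."""
import re

HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?P<t1>\*|<?\d+ ms)\s+(?P<t2>\*|<?\d+ ms)\s+"
    r"(?P<t3>\*|<?\d+ ms)\s+(?P<target>.+?)\s*$")
TARGET_RE = re.compile(r"(?:(?P<host>\S+)\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?$")

SAMPLE_FROM_ARTICLE = """\
Tracing route to dns.quad9.net [9.9.9.9]
over a maximum of 30 hops:

  1     6 ms     5 ms     6 ms  ubnt.lab.local [10.10.1.1]
  2     9 ms    12 ms    11 ms  10.4.144.1
  3    29 ms    13 ms    26 ms  100.120.244.56
  4    22 ms    19 ms    19 ms  100.120.244.218
  5    19 ms    21 ms    22 ms  dllsdsrc01-gex03010999.rd.dl.cox.net [68.1.1.73]
  6    21 ms    21 ms    20 ms  ae-15.a01.nycmny01.us.bb.gin.ntt.net [129.250.194.153]
  7    21 ms    21 ms    36 ms  xe-0-0-6-3.a01.nycmny01.us.ce.gin.ntt.net [129.250.198.150]
  8    22 ms    22 ms    22 ms  dns.quad9.net [9.9.9.9]

Trace complete.
"""

SAMPLE_CONSTRUCTED = """\
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3    12 ms     *       11 ms  10.0.0.1
"""

def _rtt(token):
    """'*' -> None (no reply), '<1 ms' -> 0, '22 ms' -> 22."""
    if token == "*":
        return None
    if token.startswith("<"):
        return 0
    return int(token.split()[0])

def parse_tracert(text):
    """Return one dict per hop: number, the three RTT probes, hostname and IP."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                     # banner, blank and 'Trace complete.' lines
        host = ip = None
        t = TARGET_RE.match(m.group("target"))
        if t:                            # 'Request timed out.' has neither
            host, ip = t.group("host"), t.group("ip")
        hops.append({"hop": int(m.group("hop")),
                     "rtts": [_rtt(m.group(k)) for k in ("t1", "t2", "t3")],
                     "host": host, "ip": ip})
    return hops

def summarize(hops):
    """Minimum RTT per hop (min discards one-off spikes), the hop with the largest
    step up from the previous answering hop, and the responder at the end of the path."""
    mins, prev, worst_hop, worst_jump = [], 0, None, 0
    for h in hops:
        replies = [r for r in h["rtts"] if r is not None]
        if not replies:
            mins.append(None)
            continue
        best = min(replies)
        mins.append(best)
        if best - prev > worst_jump:
            worst_hop, worst_jump = h["hop"], best - prev
        prev = best
    last = hops[-1] if hops else None
    return {"hop_count": len(hops), "min_rtts": mins,
            "largest_jump_at_hop": worst_hop, "largest_jump_ms": worst_jump,
            "destination": (last["host"], last["ip"]) if last else None}

if __name__ == "__main__":
    for label, text in (("article", SAMPLE_FROM_ARTICLE), ("constructed", SAMPLE_CONSTRUCTED)):
        print(label, summarize(parse_tracert(text)))
```

    On the article's trace the largest step is the 6 ms added at hop 4, still inside the Cox network, and the destination resolves to dns.quad9.net via NTT, one of the transit providers named later as a major Quad9 funder; pasting in a trace from a different day or city gives the same summary shape for side-by-side comparison.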


    Apr 16 2018

    I've been working with Quad9 technical support over email lately, and this quickly led to a conversation I had earlier today with none other than John Todd, Executive Director of Quad9. In summary, here are the points he made during our conversation, paraphrased:

    • Quad9 plans for a public status page
    • In addition to the 116 POPs globally so far, getting more POPs online this year is a priority, with a dynamic map showing those POPs as part of the status page plan
    • Quad9 plans for DNS over HTTPS support, which is in Mozilla already but is not standards-based yet
    • DNS over TLS is already supported (Android probably first, maybe IoT too)
    • DNSSEC is already supported, and offers protection against domain spoofing; learn more at the FAQ
    • Malware protection and not-for-profit status are the big differentiators Quad9 has over all the others

    Rather than bailing and going over to something with less malware protection, I decided to give troubleshooting a go, and I'm sure glad I took the time to write up a detailed report (and demonstration) of the problem. I'm glad that Quad9 is apparently finding my efforts to be helpful in narrowing down this geo-specific problem.


    May 17 2018 Update

    Whatever the transient issue with DNS that affected Quad9 for about a week last month appears to be entirely over. I've experienced an entire month now of zero incidences of recurrence. This is good!

    I also did some more DNS Benchmark testing. Here's 2 tests, 6 weeks apart.

    [Image: DNS Benchmark results for Cloudflare, Google, Quad9, OpenDNS and Norton ConnectSafe, 2018-04-01]
    Apr 01 2018 - DNS Benchmarks at zip code 06109 on Cox Communications Internet testing Cloudflare, Google, Quad9, OpenDNS, and Norton ConnectSafe.
    [Image: DNS Benchmark results for Cloudflare, Google, Quad9, OpenDNS and Norton ConnectSafe, 2018-05-17]
    May 17 2018 - DNS Benchmarks at zip code 06109 on Cox Communications Internet testing Cloudflare, Google, Quad9, OpenDNS, and Norton ConnectSafe.

    See also at TinkerTry

    how-to-use-new-grc-dns-benchmark-released-apr-04-2018

    cloudflare-1-1-1-1-may-be-a-google-public-dns-alternative-to-try-for-more-speed

    edge-router-lite-update

    replaced-linksys-with-eero-after-also-testing-luma

    dslreports-speedtest

    See also

    • Free and Public DNS Servers
      Updated list of the best publicly available and completely free DNS servers
      free-and-public-dns-servers-2626062

      Nov 17 2017 by Tim Fisher at Lifewire. Excerpt:

      Quad9 uses real time information about what websites are malicious and blocks them completely. No content is filtered - only domains that are phishing, contain malware, and exploit kit domains will be blocked. No personal data is stored. An unsecure public DNS is also available from Quad9 at 9.9.9.10 but they do not recommend using that as a secondary domain in your router or computer setup. See more in the Quad9 FAQ.

    is-your-isp-hijacking-your-dns-traffic
    • Is Your ISP Hijacking Your DNS Traffic?
      Jul 06 2016 by Babak Farrokhi at RIPE NETWORK COORDINATION CENTRE. Excerpt:

      You might not have noticed, but there are chances that your ISP is playing nasty tricks with your DNS traffic.