Quad9 is a good Google Public DNS alternative with DNSSEC, better privacy, and faster DNS Benchmark speeds
There's a new DNS on this planet's interwebs, see the big announcement made yesterday over at IBM:
- IBM, Packet Clearing House and Global Cyber Alliance Collaborate to Protect Businesses and Consumers from Internet Threats
New Quad9 DNS Privacy and Security Service Designed to Protect Users from Millions of Malicious Websites
Quad9 has points of presence in over 70 locations across 40 countries at launch. Over the next 18 months, Quad9 points of presence are expected to double, further improving the speed, performance, privacy and security for users globally. Telemetry data on blocked domains from Quad9 will be shared with threat intelligence partners for the improvement of their threat intelligence responses for their customers and Quad9.
While I cannot seem to find a definitive list or map of locations quite yet, it does appear they have geared-up to serve the globe pretty well, with over 70 POPs already.
Quad9 Internet Security & Privacy In a Few Easy Steps
How Quad9 works
Quad9 routes your DNS queries through a secure network of servers around the globe. The system uses threat intelligence from more than a dozen of the industry's leading cyber security companies to give a real-time perspective on what websites are safe and what sites are known to include malware or other threats. If the system detects that the site you want to reach is known to be infected, you'll automatically be blocked from entry - keeping your data and computer safe. - Quad9 FAQ
Will Quad9 filter content?
No. Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains.
What does Quad9 log/store about the DNS queries?
We store details of the DNS records queried, timestamp, and the city, state, and country from where the query came. We do not store source IP information of end user queries.
I've decided to give it a try, and will let you know how it goes.
Disclosure: I used to work at IBM from 1995-2016, but I had nothing to do with this Quad9 team that has apparently been in beta since 2016, and I don't even know who they are. I also have no financial interest in IBM.
Read many more Quad9 reviews and announcements on the internets here.
Why try a new DNS?
Privacy
Well, my ISP is Cox Communications, but they tend to give me some strange Cox customized search page of theirs when I type a URL wrong, and they're apparently now free to do whatever they want with my browsing data.
I've been using Google DNS 8.8.8.8 and 8.8.4.4 for years, and it has served me well, and has been pretty fast. But Google does hold on to some of that rich DNS data, see Google Public DNS's Privacy page. Perhaps Quad9 holds on to a little less, see Quad9's Your Privacy Is Paramount page, and FAQ.
Stay tuned, as it may be possible to use DNSSEC with the Ubiquiti EdgeRouter's dnsmasq that I'm now using, as explained in detail above. For now, much more investigation and testing is needed, especially around reliable NTP sync after reboots: DNSSEC signatures carry validity windows, so a router whose clock is wrong after a reboot will reject perfectly good signatures as expired or not yet valid, and if NTP is configured by hostname it can't even look up the time server until DNS works. You can read more about Quad9 DNSSEC, and their full IPv6 support, in their FAQ. To be fair, Google Public DNS also validates DNSSEC and supports IPv6. Also worth noting that it's doubtful consumer routers and Wi-Fi routers will be offering DNSSEC validation anytime soon.
While this article applies to any network router, I'll just note that Ubiquiti continues to exceed my expectations for an approximately $100 USD device, along with solid peer support in the forums. And wow, just look at those speeds! Seen pictured at right, above, using this speed test tool on my 300Mbps down/30Mbps up Cox Communications Cox Internet Ultimate connection.
How to test your speeds, at your location, on your internet connection?
Turns out Quad9 DNS is maybe a tiny bit faster, at least for me. Any such test is very ISP and location dependent. Read onward for three simple ways I tested this from my home.
Option 1 of 3: Use DNS Benchmark to measure speed, here's how
I measured DNS performance for my home network here in zip code 06109 by running Steve Gibson's ancient DNS Benchmark a few times. I'm not claiming it's a great idea to trust just anybody's executables, clearly it's not. But if you decide you trust Steve Gibson of Security Now fame, it's a portable, completely free application that needs no installation. Just download DNSBench.exe and run it to get started. If you don't fully trust the code, how about running it in a disposable VM like I did?
Here's how to use DNS Benchmark:
- Let the initial calibration finish, it takes a few seconds
- click on the Nameservers tab
- click on the Add/Remove button
- type in 9.9.9.9 then click the Add button
- right-click, select Remove 8 Dead Nameservers
- click on Close
- click on Run Benchmark
- right-click on the graph, choose Set Graph Scale as needed
A few minutes later, the list was auto-sorted with the fastest DNS servers at the top. I get pretty much the same list each time, pictured here.
Option 2 of 3: Use Windows Command Prompt and ping to measure speed, here's how
Option 3 of 3: Use Linux dnsdiag to measure speed, here's how
Obtain dnsdiag from DNSDiag.org
Ever been wondering if your ISP is hijacking your DNS traffic? Ever observed any misbehavior with your DNS responses? Ever been redirected to wrong address and suspected something is wrong with your DNS? Here we have a set of tools to perform basic audits on your DNS requests and responses to make sure your DNS is working as you expect.
Specific usage example with complete syntax is detailed in the tweet below.
C'mon, change DNS once on your router, not on all your PCs and client devices!
Remember, as described earlier in this article, I use locally resolved names for my home network's systems. This means my EdgeRouter Lite's Google DNS of 8.8.8.8 and 8.8.4.4 is only used for resolving external systems that aren't found in the local DNS. I'm now changing that to 9.9.9.9, as in quad nines. Certainly easy to remember.
Up at the top, Quad9's DNS how-to guides tell you to change DNS on the client device. Maybe just because explaining how to do this on a router is considerably tougher, especially in this day and age where many are stuck with the Wi-Fi router their ISP provides them with. Such hard-coding is not always a great idea, especially for portable devices like laptops that travel, even if they have a VPN for some protection. When that device is away from home, captive portals may require that you use the local DNS server handed to you by DHCP before you'll be able to surf the web at all. If you hard-coded your DNS server IP as Quad9 suggests, you'll be out of luck getting online. For this reason, along with the fact that I like the local computer names that I've given DHCP reservations to have their DNS names served to all my local Windows, Linux, and VMware VMs, I'd much prefer having my home's DHCP server/router dole out IP address leases. In Windows Command Prompt, issuing ipconfig /all will show the lease is pointing to the DHCP server/router itself for routing and DNS. The configured-in-the-router settings that handle the forwarding magic cause a seamless hand-off of non-local DNS lookups. Those lookups go to the DNS forwarding target you configure, which for me is now set to 9.9.9.9 at Quad9. Further down their page, Quad9 goes on to say:
- Who Should Set Up Quad9?
Setting up DNS filtering requires just a simple configuration change. Most organizations or home users can update in minutes by changing the DNS settings in the central DHCP server which will update all clients in a few minutes with no action needed at end devices at all. The service is and will remain freely available to anyone wishing to use it.
How to change your router's DNS configuration
The DNS IP you set up here will be automatically doled out to all DHCP-connected devices on your home's network, or, your router tells connected clients to use the router's own IP address, forwarding to 9.9.9.9 when needed. Either way, the advantage of this one change is that the new DNS setting takes effect for every connected device as soon as it renews its DHCP lease, and it's relatively easy to do. It only works if you can log in to your home network's router, however.
While I cannot possibly support folks who try and fail to get into their routers and change their WAN connection's DNS setting for any number of reasons, Quad9 apparently somehow does! I can also get folks pointed in the right direction with this vendor list of how-to guides that I created here.
Ubiquiti
I wrote this step-by-step guide on configuring DNS forwarding on EdgeRouter EdgeOS:
- Ubiquiti EdgeRouter Lite (UBNT ERLite-3) Update - still works great for my family, and for my VMware vSphere, Windows, and Linux home lab
Nov 16 2017
Not having a GUI to do DNS Forwarding address change is no doubt a weakness with Ubiquiti, as I openly lamented here. I sure hope this changes, some day.
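For the record, here is what that change looks like from the EdgeOS CLI, as an added illustration rather than the article's own step-by-step guide: the router hands out its own LAN address as the DNS server via DHCP, and forwards anything it can't answer from its local names to Quad9. The interface name eth1, the 10.10.1.0/24 subnet and the cache size are assumptions for illustration; 10.10.1.1 matches the router address that shows up in the tracert later on this page, and 149.112.112.112 is the Quad9 secondary covered in the Dec 06 2017 update.

```text
configure
set service dns forwarding name-server 9.9.9.9
set service dns forwarding name-server 149.112.112.112
set service dns forwarding listen-on eth1
set service dns forwarding cache-size 500
set service dhcp-server shared-network-name LAN subnet 10.10.1.0/24 dns-server 10.10.1.1
commit
save
exit
```

The listen-on line matters for more than tidiness: it restricts dnsmasq to the LAN interface, so the forwarder never answers queries arriving on the WAN side and the router doesn't become an open resolver. After the commit, show dns forwarding nameservers in operational mode lists the two Quad9 addresses, and ipconfig /all on a Windows client that has renewed its lease shows 10.10.1.1 as its only DNS server.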
Nov 18 2017 Update
Addendum/clarifications.
1) DNS sinkholes, DNS hijacking, and NXDOMAIN
Read up on DNS sinkholes, DNS hijacking, and NXDOMAIN, terms that eluded me when I originally published the article above. When a subscriber (ISP customer) types an invalid URL into their browser, which should result in ERR_NAME_NOT_RESOLVED, their browser may instead be steered to a landing page by their ISP's DNS, rather than what you'd expect the browser to do, display an error like Chrome's "This site can’t be reached" and "server DNS address could not be found."
Here's how the Google Public DNS FAQ describes their proper non-existent domain handling:
How does Google Public DNS handle non-existent domains?
If you issue a query for a domain name that does not exist, Google Public DNS always returns an NXDOMAIN record, as per the DNS protocol standards. The browser should show this response as a DNS error. If, instead, you receive any response other than an error message (for example, you are redirected to another page), this could be the result of the following:
A client-side application such as a browser plug-in is displaying an alternate page for a non-existent domain.
Some ISPs may intercept and replace all NXDOMAIN responses with responses that lead to their own servers. If you are concerned that your ISP is intercepting Google Public DNS requests or responses, you should contact your ISP.
Here's how Quad9, as reported by arstechnica, handles non-existent domains:
If a domain name is in the block list, the service simply responds to the query with an "NXDOMAIN" (non-existent domain) message. "It will break DNS queries," Rettinger said, "but it tends to work better than sinkholing"—the practice of forwarding bad domains to a host controlled by the service, as has been done with some seized botnet domains in the past—"because if you sinkhole, you can break other things."
So both Google Public DNS and Quad9 handle NXDOMAIN properly.
Here's a simple test to see for yourself, using an invalid, non-existent (sub)domain that nobody has apparently registered:
[REMOVED - 11:42am Nov 18 2017]
Potentially a bad idea, explained below.
In a test VM only, one that you can delete when done testing, you can try hard-coding a system or a VM to your ISP's DNS versus 8.8.8.8 and 9.9.9.9, to compare/contrast browser behavior for each, depending upon the test sites that you choose to visit, at your own risk. You may need to issue ipconfig /flushdns at the Windows command prompt between DNS changes, to avoid the possibility of caching effects. Your router may also have DNS caching, easiest to power cycle it, only if necessary.
2) Government funding?
Let's be watchful over time of ongoing sources of funding that keep Quad9 going, and note what Ars Technica says:
The Quad9 service is free, but it does need to be continually funded. GCA is a non-profit—so the long-term growth of the service is based largely on government and industry continuing to fund it. GCA itself was funded initially with $25 million in criminal asset forfeiture directed to the organization by Manhattan District Attorney Cyrus Vance Jr.
3) Class A Network
Knowing first-hand that IBM owns an early, Class A network that starts in 9, it's no surprise that they were able to capitalize on this when creating such an easy to remember service. Never really thought I'd see a 9 address in public. Well played!
Nov 18 2017 Update 11:42am ET
In response to this tweet, the non-existent domain example has also been completely removed, to avoid the chance anybody visits an unscrupulous future buyer of this domain name. My link example shouldn't have ever been a live link, my apologies for this brief lapse in good judgment. Spelling and awkward grammar errors also corrected, as well as clarification on DNS sinkhole and DNS hijacking added.
Next up, working on a simple and secure visit-this-URL way to confirm that 9.9.9.9 is your active DNS provider, and testing NTP setting-by-IP so it functions correctly during boot up, prepping for DNSSEC testing. Stay tuned!
Nov 22 2017 Update
Detailed discussion about Quad9 now available here:
- SECURITY NOW 638: QUAD NINE
Nov 21 2017 by Steve Gibson on Security Now 638 "Quad 9 is the New DNS Hotness":
And thanks to the Packet Clearing House (PCH) which maintains a globe-spanning infrastructure, the service is screamingly fast:
Using “Anycast” routing to automatically use the nearest DNS server, at this launch the service offers 70 points of presence in 40 countries… growing to 160 during 2018.
Quad9 is a free, recursive, anycast DNS platform that provides end users robust security protections, high-performance, and privacy.
Here's the exact spot where Steve talks about Quad9, and detailed shownotes.
Nov 29 2017 Update
Have a listen to Steve Gibson's updates on Quad9 in his Security Now podcast 639, with things seemingly going well overall so far. Full shownotes here.
It sure matters where you live, in relation to the nearest Quad9 POP. But with a rapid roll-out of new POPs coming soon, reports of odd tracert-confirmed hops at some geographical locations (like Seattle WA re-routed through Palo Alto CA) seem likely to subside in 2018.
Dec 06 2017 Update
Tenta DNS
I've received word of open source Tenta DNS, passing it along:
I read your article on Quad9 and think you'll be interested in Tenta DNS with DNS over TLS and DNSSEC. It's open source, written in Golang and already gained over 1200 followers on github within the first week. We support OpenNIC root servers, so users can load special TLDs based on the bitcoin protocol such as .bit. Source: github.com/tenta-browser/tenta-dns
One of the most popular questions we get is how DNS over TLS compares to DNSCrypt, so we just published a post explaining the key differences that I think you'll also appreciate: tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt.
Quad 9 Secondary DNS?
As mentioned on Security Now Episode 640 at around 1 hour 44 minutes, turns out there is a secondary DNS for Quad9 as well, it's 149.112.112.112
I have not tested it, and since I've had no outages since configuring my router to use Quad9 for all my home's systems, I might not bother.
Quad9 also now has a video for Windows 10 users wishing to change just that one PC. Note that they don't mention the secondary DNS:
Dec 07 2017 Update
As found on page 24 of the just-published Security Now 640 shownotes:
I wanted to tell people that there is now a points-of-presence map for the service. It's at pch.net/about/pops, P-O-P-S, which is short for Points of Presences. So www.pch.net/about/pops, which people can look at and also follow over time because these guys will be more than doubling their points of presences over 2018, which means for people who are not currently near a Quad 9 DNS server, there's a good hope that'll change in the future.
Dec 08 2017 Update
I really appreciate that PCH has informed me that some clarification on the POP map seen above is needed, here's the tweet:
This is very specifically a map of @PCHglobal anycast nodes.
@Quad9DNS is available at a subset of these nodes and has plans to publish their own PoPs map very soon.
Jan 22 2018 Update
It sure is nice to have Bill Woodcock, Executive Director at Packet Clearing House, clarify a few fundamentals about the way Quad9/PCH operates. His feedback appeared in the comments below this article:
Bill at PCH (Packet Clearing House):
Howdy. I'm on Quad9's board of directors, and I'm PCH's executive director, so, happy to answer questions about Quad9.
GCA's donors don't really have any bearing on this... There's no relationship between Quad9 and any of Quad9's donors' donors... And in any event, GCA is less than 1% of Quad9's funding. IBM and NTT are something like 40%, and there are hundreds of other donors in-between. So that's tinfoil-hat grasping at straws. Fundamentally, Quad9 is funded by the portion of the Internet industry that agrees that personal privacy is worthy of protection, and that it's both technically and economically feasible to be in complete compliance with the General Data Protection Regulation.
So, in so far as there's alignment between Quad9 and some sector of government, it's with privacy regulators, rather than law enforcement.
Though law enforcement was generally pretty pleased with the 30,000,000 malware events that were prevented during the pilot, and that rate has increased dramatically as we've gone into full public use.
Paul at TinkerTry:
I really appreciate you leaving this clarification here, thank you!
Bill at PCH:
Sure, happy to answer any questions people may have.
One other note: I'd say that the most useful "secondary" IP address for Quad9 is 2620:FE:FE*, rather than 149.112.112.112, in the sense that the 149.112.112.112 address doesn't really get you anything very different than the 9.9.9.9 address in terms of network reachability, whereas the IPv6 path may be quite different than the IPv4 path.
* Note that there is a typo above, the suggested IPv6 secondary address is actually 2620:fe::fe as explained in Quad9's FAQ. Thanks to Steve for noticing then reporting this to me!
Another update
Based on 2+ months of experience, and feedback that my original title was way too long and confusing, I have changed this article's title from:
Quad9 9.9.9.9 might be a good Google Public DNS 8.8.8.8 alternative, claims better privacy and features DNSSEC, DNS Benchmark indicates better speeds
to:
Quad9 is a good Google Public DNS alternative with DNSSEC, better privacy, and faster DNS Benchmark speeds
Jan 31 2018 Update
If you simply want to search a domain to see if Quad9 is blocking it, easy, the checker is right on the home page!
Apr 01 2018 Update
There's a new DNS that arrived today, see details at TinkerTry at:
- Cloudflare launches 1.1.1.1 DNS service that will speed up your internet
Apr 01 2018 by Tom Warren at The Verge...
The service is using https://1.1.1.1, and it’s not a joke but an actual DNS resolver that anyone can use. Cloudflare claims it will be “the Internet’s fastest, privacy-first consumer DNS service.” While OpenDNS and Google DNS both exist, Cloudflare is focusing heavily on the privacy aspect of its own DNS service with a promise to wipe all logs of DNS queries within 24 hours.
...
Apr 04 2018 Update
A closely-related new article has just been published at TinkerTry.
Apr 08 2018 Update
I seem to be having some intermittent Quad9 performance issues these last couple of days, and I've reached out to @Quad9 for comment, and left a comment here. I'll have around 6 minutes of excellent performance, followed by 3 minutes of poor performance. The duration and frequency of this happening varies widely.
This has been happening for the past 2 to 3 days, and I first reported it yesterday.
Apr 09 2018 Update
@Quad9 has responded with a request for details, and one other person chimed in with a similar anecdotal report. Given I don't see any widespread chatter on Twitter or elsewhere about any ongoing issues, it's likely just something unique to my geography, with a lot more testing we can do to narrow this down. I also did some tracert and ping tests, nothing. I did a more interesting dig test shown in my Ubuntu screenshot below, and it doesn't seem to be revealing anything obvious either, even when left running for hours.
In hindsight, it appears that instead of the web form at quad9.net/contact, I probably should have just emailed support@quad9.net instead.
I plan to update this post with whatever troubleshooting steps I try, and whether a path to resolution of this issue is found. Based on the anti-malware protection of Quad9, I'm motivated personally to fix this anyway, even with the recent announcement of a newcomer to public DNS, with my related look at DNS Benchmark here.
Apr 14 2018 Update
Quad9 support did reach out to me via email, asking me to issue the two commands shown below.
Microsoft Windows [Version 10.0.16299.371]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Users\pbraren>nslookup -q=txt -class=chaos id.server 9.9.9.9
Server: dns.quad9.net
Address: 9.9.9.9
Non-authoritative answer:
id.server text =
"res200.lga.rrdns.pch.net"
C:\Users\pbraren>tracert 9.9.9.9
Tracing route to dns.quad9.net [9.9.9.9]
over a maximum of 30 hops:
1 6 ms 5 ms 6 ms ubnt.lab.local [10.10.1.1]
2 9 ms 12 ms 11 ms 10.4.144.1
3 29 ms 13 ms 26 ms 100.120.244.56
4 22 ms 19 ms 19 ms 100.120.244.218
5 19 ms 21 ms 22 ms dllsdsrc01-gex03010999.rd.dl.cox.net [68.1.1.73]
6 21 ms 21 ms 20 ms ae-15.a01.nycmny01.us.bb.gin.ntt.net [129.250.194.153]
7 21 ms 21 ms 36 ms xe-0-0-6-3.a01.nycmny01.us.ce.gin.ntt.net [129.250.198.150]
8 22 ms 22 ms 22 ms dns.quad9.net [9.9.9.9]
Trace complete.
C:\Users\pbraren>
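The two checks above, the nslookup CHAOS-class id.server query that tells you which anycast node answered, and the NXDOMAIN test taken down on Nov 18, can both be scripted without depending on any throwaway domain name. The following Python is an added example, not code from this article, from Quad9 or from dnsdiag. It builds the raw DNS query, times the UDP round trip, and parses the reply itself: which_anycast_node() asks the same question as the nslookup command, and random_nonexistent_name() generates a random label under .invalid, a TLD reserved by RFC 2606 that can never be registered, so an honest resolver has to answer NXDOMAIN with no answer records. The server address, the timeout and the two sample replies embedded for an offline check of the parser are constructed for illustration; the TXT value in the first sample simply mirrors the nslookup output above.

```python
"""Raw DNS helpers: time a lookup, identify the anycast node answering,
and check NXDOMAIN handling. Added example, not the article's own code."""
import random
import socket
import struct
import time

QTYPE_A, QTYPE_TXT, QCLASS_IN, QCLASS_CH, RCODE_NXDOMAIN = 1, 16, 1, 3, 3

def encode_name(name):
    """Dotted name -> DNS labels (length byte + text, ending in a zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype, qclass=QCLASS_IN, txid=None):
    """One-question query with RD=1; random ID so stray replies are rejected."""
    if txid is None:
        txid = random.randrange(0x10000)
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, qclass))

def read_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset past it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                       # 2-byte compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped, hops = ptr, True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
        elif ln == 0:
            return ".".join(labels), end if jumped else off + 1
        else:
            labels.append(data[off + 1:off + 1 + ln].decode("ascii"))
            off += 1 + ln

def parse_response(data):
    """Return {id, rcode, answers}; TXT rdata decoded, anything else left as hex."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, answers = 12, []
    for _ in range(qd):                              # skip the echoed question
        off = read_name(data, off)[1] + 4
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        rdata, off = data[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == QTYPE_TXT:                       # sequence of <len><chars>
            parts, p = [], 0
            while p < len(rdata):
                parts.append(rdata[p + 1:p + 1 + rdata[p]].decode("ascii", "replace"))
                p += 1 + rdata[p]
            value = "".join(parts)
        else:
            value = rdata.hex()
        answers.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl, "data": value})
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}

def query(server, name, qtype, qclass=QCLASS_IN, timeout=2.0):
    """Send one UDP query; return (parsed reply, round-trip ms). Needs network."""
    pkt = build_query(name, qtype, qclass)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        s.sendto(pkt, (server, 53))
        data = s.recvfrom(4096)[0]
        rtt_ms = (time.perf_counter() - t0) * 1000
    resp = parse_response(data)
    if resp["id"] != struct.unpack("!H", pkt[:2])[0]:
        raise ValueError("transaction ID mismatch: stray or spoofed reply")
    return resp, rtt_ms

def which_anycast_node(server="9.9.9.9"):
    """Same question as: nslookup -q=txt -class=chaos id.server 9.9.9.9"""
    resp, rtt_ms = query(server, "id.server", QTYPE_TXT, QCLASS_CH)
    return [a["data"] for a in resp["answers"] if a["type"] == QTYPE_TXT], rtt_ms

def random_nonexistent_name():
    """Random label under .invalid (reserved by RFC 2606, so never registrable)."""
    return "".join(random.choice("abcdefghijklmnopqrstuvwxyz0123456789")
                   for _ in range(16)) + ".invalid."

def nxdomain_is_honest(resp):
    """An un-hijacked resolver answers RCODE 3 with no answer records at all."""
    return resp["rcode"] == RCODE_NXDOMAIN and not resp["answers"]

# Constructed sample replies (not captured from Quad9) for an offline check of
# the parser; the TXT value mirrors the nslookup output shown above.
SAMPLE_ID_SERVER_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("id.server") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, 25)
    + b"\x18res200.lga.rrdns.pch.net")
SAMPLE_NXDOMAIN_REPLY = (                            # flags: QR, RD, RA, RCODE=3
    struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
    + encode_name("abc123.invalid") + struct.pack("!HH", QTYPE_A, QCLASS_IN))
```

From the LAN, which_anycast_node() should hand back a node name in the same res200.lga.rrdns.pch.net style as the nslookup above, and query("9.9.9.9", random_nonexistent_name(), QTYPE_A) should come back with nxdomain_is_honest() True. Point the same two calls at your ISP's resolver to compare: if the .invalid query returns NOERROR with an A record, something between you and the root is rewriting NXDOMAIN, which is exactly the landing-page behavior described in the Nov 18 addendum. Note that the round-trip figure is a single UDP exchange with the resolver, the same thing ping measures, except that for an uncached name it also includes the resolver's own recursion time, which ping cannot show. The transaction-ID comparison is the bare minimum sanity check on the reply; a real stub resolver also randomizes its source port.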
Apr 16 2018
I've been working with Quad9 technical support over email lately, and this quickly led to a conversation I had earlier today with none other than John Todd, Executive Director of Quad9. In summary, here are the points he made during our conversation, paraphrased:
- Quad9 plans for a public status page
- In addition to the 116 POPs globally so far, getting more POPs online this year is a priority, with a dynamic map showing those POPs as part of the status page plan
- Quad9 plans for DNS over HTTPS support, which is in Mozilla already but is not standards-based yet
- DNS over TLS is already supported (Android probably first, maybe IoT too)
- DNSSEC is already supported, and offers protection against domain spoofing, learn more at the FAQ
- Malware protection and not-for-profit status are the big differentiators Quad9 has over all the others
Rather than bailing and going over to something with less malware protection, I decided to give troubleshooting a go, and I'm sure glad I took the time to write up a detailed report (and demonstration) of the problem. I'm glad that Quad9 is apparently finding my efforts to be helpful in narrowing down this geo-specific problem.
May 17 2018 Update
Whatever the transient issue with DNS that affected Quad9 for about a week last month was, it appears to be entirely over. I've now gone an entire month with zero recurrences. This is good!
I also did some more DNS Benchmark testing. Here's 2 tests, 6 weeks apart.
See also at TinkerTry
- All Networking articles at TinkerTry.
See also
- Google search for "Quad9" reviews between Nov 15 and Nov 17, 2017.
- Free and Public DNS Servers
Updated list of the best publicly available and completely free DNS servers
Nov 17 2017 by Tim Fisher at Lifewire. Excerpt:
Quad9 uses real time information about what websites are malicious and blocks them completely. No content is filtered - only domains that are phishing, contain malware, and exploit kit domains will be blocked. No personal data is stored. An unsecured public DNS is also available from Quad9 at 9.9.9.10 but they do not recommend using that as a secondary domain in your router or computer setup. See more in the Quad9 FAQ.
- Is Your ISP Hijacking Your DNS Traffic?
Jul 06 2016 by Babak Farrokhi at RIPE NETWORK COORDINATION CENTRE. Excerpt:
You might not have noticed, but there are chances that your ISP is playing nasty tricks with your DNS traffic.