Quad9 is a good Google Public DNS alternative with DNSSEC, better privacy, and faster DNS Benchmark speeds
There's a new DNS on this planet's interwebs, see the big announcement made yesterday over at IBM:
- IBM, Packet Clearing House and Global Cyber Alliance Collaborate to Protect Businesses and Consumers from Internet Threats
New Quad9 DNS Privacy and Security Service Designed to Protect Users from Millions of Malicious Websites
Quad9 has points of presence in over 70 locations across 40 countries at launch. Over the next 18 months, Quad9 points of presence are expected to double, further improving the speed, performance, privacy and security for users globally. Telemetry data on blocked domains from Quad9 will be shared with threat intelligence partners for the improvement of their threat intelligence responses for their customers and Quad9.
While I cannot seem to find a definitive list or map of locations quite yet, it does appear they have geared up to serve the globe pretty well, with over 70 POPs already.
How Quad9 works
Quad9 routes your DNS queries through a secure network of servers around the globe. The system uses threat intelligence from more than a dozen of the industry's leading cyber security companies to give a real-time perspective on what websites are safe and what sites are known to include malware or other threats. If the system detects that the site you want to reach is known to be infected, you'll automatically be blocked from entry - keeping your data and computer safe.
- Quad9 FAQ
Will Quad9 filter content?
No. Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains.
What does Quad9 log/store about the DNS queries?
We store details of the DNS records queried, timestamp, and the city, state, and country from where the query came. We do not store source IP information of end user queries.
and I've decided to give it a try, and will let you know how it goes.
Disclosure: I used to work at IBM from 1995-2016, but I had nothing to do with this Quad9 team that has apparently been in beta since 2016, and I don't even know who they are. I also have no financial interest in IBM.
Read many more Quad9 reviews and announcements on the internets here.
Why try a new DNS?
Well, my ISP is Cox Communications, but they tend to give me some strange Cox customized search page of theirs when I type a URL wrong, and they're apparently now free to do whatever they want with my browsing data.
I've been using Google DNS 8.8.8.8 for years, and it has served me well, and has been pretty fast. But Google does hold on to some of that rich DNS data, see Google Public DNS's Privacy page. Perhaps Quad9 holds on a little less, see Quad9's Your Privacy Is Paramount page, and FAQ.
Stay tuned, as it may be possible to use DNSSEC with the Ubiquiti EdgeRouter's dnsmasq that I'm now using, as explained in detail above. For now, much more investigation and testing is needed, especially pertaining to reliable NTP sync after reboots. You can read more about Quad9 DNSSEC, and their full IPv6, in their FAQ. To be fair, Google Public DNS is validating DNSSEC and IPv6. Also worth noting that it's doubtful consumer routers and Wi-Fi routers will be offering DNSSEC anytime too soon.
While this article applies to any network router, I'll just note that Ubiquiti continues to exceed my expectations for an approximately $100 USD device, along with solid peer support in the forums. And wow, just look at those speeds! Seen pictured at right, above, using this speed test tool on my 300Mbps down/30Mbps up Cox Communications Cox Internet Ultimate connection.
How to test your speeds, at your location, on your internet connection?
Turns out Quad9 DNS is maybe a tiny bit faster, at least for me. Any such test is very ISP and location dependent. Read onward for two simple ways I tested this from my home.
Option 1 of 3: Use DNS Benchmark to measure speed, here's how
I measured my DNS performance for my home's network here in zip code 06109 by running Steve Gibson's ancient DNS Benchmark a few times. I'm not claiming it's a great idea to trust just anybody's executables, clearly it's not. But if you decide you trust Steve Gibson of Security Now fame, it's a portable, completely free application that needs no installation. Just download DNSBench.exe and run it to get started. If you don't fully trust the code, how about running it in a disposable VM like I did?
Here's how to use DNS Benchmark:
- Let the initial calibration finish in a few seconds
- click on the Nameservers tab
- click on the Add/Remove button
- type in 9.9.9.9, then click the Add button
- right-click, select Remove 8 Dead Nameservers
- click on Close
- click on Run Benchmark
- right-click on the graph, choose Set Graph Scale as needed
A few minutes later, the list was auto-sorted with the fastest DNS servers at the top. I get pretty much the same list each time, pictured here.
Option 2 of 3: Use Windows Command Prompt and ping to measure speed, here's how
Option 3 of 3: Use Linux dnsdiag to measure speed, here's how
dnsdiag from DNSDiag.org
Ever wondered if your ISP is hijacking your DNS traffic? Ever observed any misbehavior with your DNS responses? Ever been redirected to the wrong address and suspected something is wrong with your DNS? Here we have a set of tools to perform basic audits on your DNS requests and responses to make sure your DNS is working as you expect.
Specific usage example with complete syntax is detailed in the tweet below.
C'mon, change DNS once on your router, not on all your PCs and client devices!
Remember, as described earlier in this article, I use locally resolved names for my home network's systems. This means my EdgeRouter Lite's Google DNS of 8.8.8.8 is only used for resolving external systems that aren't found in the local DNS. I'm now changing that to 9.9.9.9, as in quad nines. Certainly easy to remember.
Up at the top, Quad9's DNS how-to guides tell you to change DNS on the client device. Maybe that's just because explaining how to do this on a router is considerably tougher, especially in this day and age where many are stuck with the Wi-Fi router their ISP provides them with. Such hard-coding is not always a great idea, especially for portable devices like laptops that travel, even if they have a VPN for some protection. When that device is away from home, captive portals may require that the local DNS server be handed to you by DHCP before you'll be able to surf the web at all. If you hard-coded your DNS IP as Quad9 suggests, you'll be out of luck getting online. For this reason, along with the fact that I like the local computer names I've given DHCP reservations to have their DNS names fed to all my local Windows, Linux, and VMware VMs, I'd much prefer having my home's DHCP server/router dole out IP address leases. In Windows Command Prompt, issuing ipconfig /all will show the lease is pointing to the DHCP server/router itself for routing and DNS. The configured-in-the-router settings that handle the forwarding magic cause a seamless hand-off of non-local DNS lookups. Those lookups go to the DNS forwarding target you configure, which for me is now set to 9.9.9.9 at Quad9. Further down their page, Quad9 goes on to say:
- Who Should Set Up Quad9?
Setting up DNS filtering requires just a simple configuration change. Most organizations or home users can update in minutes by changing the DNS settings in the central DHCP server which will update all clients in a few minutes with no action needed at end devices at all. The service is and will remain freely available to anyone wishing to use it.
The DNS IP you set up here will be automatically doled out to all DHCP-connected devices on your home's network, or, your router tells connected clients to use the router's own IP address, forwarding to 9.9.9.9 when needed. Either way, the advantage of this one change is that the DNS change is instantly in effect for all connected devices, and it's relatively easy to do. It only works if you have access to log in to your home network's router, however.
While I cannot possibly support folks who try and fail to get into their routers and change their WAN connection's DNS setting for any number of reasons, Quad9 apparently somehow does! I can also get folks pointed in the right direction with this vendor-by-vendor list of how-to guides that I just created:
- D-Link Router Configuration
- Configuring LAN IP Settings
- Linksys Router Configuration: General
- How to set up Smart DNS on TP-Link Router
I wrote this step-by-step guide on configuring DNS forwarding on EdgeRouter EdgeOS:
- Ubiquiti EdgeRouter Lite (UBNT ERLite-3) Update - still works great for my family, and for my VMware vSphere, Windows, and Linux home lab
Nov 16 2017
Not having a GUI to change the DNS forwarding address is no doubt a weakness here, as I openly lamented here. I sure hope this changes, some day.
1) DNS sinkholes, DNS hijacking, and NXDOMAIN
Read up on DNS sinkholes, DNS hijacking, and NXDOMAIN, terms that eluded me when I originally published the article above. When a subscriber (ISP customer) types an invalid URL into their browser, which results in an ERR_NAME_NOT_RESOLVED, their browser may be steered to a landing page by their ISP's DNS, rather than what you'd expect the browser to do: display an error warning like Chrome's "This site can’t be reached" and "server DNS address could not be found."
Here's how the Google Public DNS FAQ describes their proper non-existent domain handling:
How does Google Public DNS handle non-existent domains?
If you issue a query for a domain name that does not exist, Google Public DNS always returns an NXDOMAIN record, as per the DNS protocol standards. The browser should show this response as a DNS error. If, instead, you receive any response other than an error message (for example, you are redirected to another page), this could be the result of the following:
A client-side application such as a browser plug-in is displaying an alternate page for a non-existent domain.
Some ISPs may intercept and replace all NXDOMAIN responses with responses that lead to their own servers. If you are concerned that your ISP is intercepting Google Public DNS requests or responses, you should contact your ISP.
Here's how Quad9, as reported by arstechnica, handles non-existent domains:
If a domain name is in the block list, the service simply responds to the query with an "NXDOMAIN" (non-existent domain) message. "It will break DNS queries," Rettinger said, "but it tends to work better than sinkholing"—the practice of forwarding bad domains to a host controlled by the service, as has been done with some seized botnet domains in the past—"because if you sinkhole, you can break other things."
So both Google Public DNS and Quad9 handle NXDOMAIN properly.
Here's a simple test to see for yourself, using an invalid, non-existent (sub)domain that nobody has apparently registered:
[REMOVED - 11:42am Nov 18 2017]
Potentially a bad idea, explained below.
In a test VM only, one that you can delete when done testing, you can try hard-coding a system or a VM to an ISP's DNS versus 184.108.40.206, to compare/contrast browser behavior for each, depending upon the test sites that you choose to visit, at your own risk. You may need to issue an ipconfig /flushdns at the Windows command prompt between DNS changes, to avoid the possibility of caching effects. Your router may also have DNS caching; it's easiest to power cycle it, but only if necessary.
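The NXDOMAIN check described above, plus the round-trip timing from the speed-test section, as a self-contained script. This is an added example, not code from the original article or from Quad9: it uses only the Python standard library, and the probed name is a constructed label under the reserved .invalid TLD (RFC 2606), which no registrar can ever sell, so the test can stay a live one. It assumes the resolvers 9.9.9.9 and 8.8.8.8 are reachable over UDP port 53 from where you run it.

```python
"""Classify how a resolver answers a name that must not exist.

An honest resolver returns RCODE 3 (NXDOMAIN). A resolver that hands back
an A record for a nonexistent name is steering you to a landing page.
"""
import socket
import struct
import time

NXDOMAIN = 3  # RCODE value for "Name Error" in the DNS header


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Standard recursive query (RD=1) with one question: type A, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def classify(response: bytes) -> str:
    """Read only the 12-byte header: low 4 flag bits are RCODE, ANCOUNT the answers."""
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:
        return "nxdomain"       # correct behaviour: the name does not exist
    if rcode == 0 and ancount > 0:
        return "hijacked"       # nonexistent name got an address: landing page?
    return f"rcode {rcode}"     # SERVFAIL (2), REFUSED (5), ...


def probe(resolver: str, name: str, timeout: float = 2.0) -> tuple[str, float]:
    """Send one UDP query and return (classification, round-trip time in ms)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(512)
        elapsed_ms = (time.perf_counter() - start) * 1000
    return classify(data), round(elapsed_ms, 1)


if __name__ == "__main__":
    # Constructed label; .invalid is reserved and never resolves anywhere.
    for server in ("9.9.9.9", "8.8.8.8"):
        try:
            print(server, *probe(server, "tinkertry-dns-check.invalid"))
        except socket.timeout:
            print(server, "timed out")
```

Point it at your ISP's resolver as well and compare: a "hijacked" result there, alongside "nxdomain" from Quad9 or Google, is the redirect behaviour this section describes.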
2) Government funding?
Let's be watchful over time of ongoing sources of funding that keep Quad9 going, and note what Ars Technica says:
The Quad9 service is free, but it does need to be continually funded. GCA is a non-profit—so the long-term growth of the service is based largely on government and industry continuing to fund it. GCA itself was funded initially with $25 million in criminal asset forfeiture directed to the organization by Manhattan District Attorney Cyrus Vance Jr.
3) Class A Network
Knowing first-hand that IBM owns an early Class A network that starts with 9, it's no surprise that they were able to capitalize on this when creating such an easy-to-remember service. Never really thought I'd see a 9 address in public. Well played!
In response to this tweet, the non-existent domain example has also been completely removed, to avoid the chance anybody visits an unscrupulous future buyer of this domain name. My link example shouldn't have ever been a live link, my apologies for this brief lapse in good judgment. Spelling and awkward grammar errors also corrected, as well as clarification on DNS sinkhole and DNS hijacking added.
Next up, working on a simple and secure visit-this-URL way to confirm that 220.127.116.11 is your active DNS provider, and testing NTP setting-by-IP so it functions correctly during boot up, prepping for DNSSEC testing. Stay tuned!
Detailed discussion about Quad9 now available here:
- SECURITY NOW 638: QUAD NINE
Nov 21 2017 by Steve Gibson on Security Now 638 "Quad 9 is the New DNS Hotness":
And thanks to the Packet Clearing House (PCH) which maintains a globe-spanning infrastructure, the service is screamingly fast:
Using “Anycast” routing to automatically use the nearest DNS server, at this launch the service offers 70 points of presence in 40 countries… growing to 160 during 2018.
Quad9 is a free, recursive, anycast DNS platform that provides end users robust security protections, high-performance, and privacy.
Have a listen to Steve Gibson's updates on Quad9 in his Security Now podcast 639, with things seemingly going well overall so far. Full shownotes here.
It sure matters where you live, in relation to the nearest Quad9 POP. But with a rapid roll-out of new POPs coming soon, reports of odd tracert-confirmed hops at some geographical locations (like Seattle WA re-routed through Palo Alto CA) seem likely to subside in 2018.
I've received word of open source Tenta DNS, passing it along:
I read your article on Quad9 and think you'll be interested in Tenta DNS with DNS over TLS and DNSSEC. It's open source, written in Golang and already gained over 1200 followers on github within the first week. We support OpenNIC root servers, so users can load special TLDs based on the bitcoin protocol such as .bit. Source: github.com/tenta-browser/tenta-dns
One of the most popular questions we get is how DNS over TLS compares to DNSCrypt, so we just published a post explaining the key differences that I think you'll also appreciate: tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt.
Quad 9 Secondary DNS?
I have not tested it, and since I've had no outages since configuring my router to use Quad9 for all my home's systems, I might not bother.
Quad9 also now has a video for Windows 10 users wishing to change just that one PC. Note that they don't mention the secondary DNS:
As found on page 24 of the just-published Security Now 640 shownotes:
I wanted to tell people that there is now a points-of-presence map for the service. It's at pch.net/about/pops, P-O-P-S, which is short for Points of Presences. So www.pch.net/about/pops, which people can look at and also follow over time because these guys will be more than doubling their points of presences over 2018, which means for people who are not currently near a Quad 9 DNS server, there's a good hope that'll change in the future.
I really appreciate that PCH has informed me that some clarification on the POP map seen above is needed, here's the tweet:
This is very specifically a map of @PCHglobal anycast nodes.
@Quad9DNS is available at a subset of these nodes and has plans to publish their own PoPs map very soon.
It sure is nice to have Bill Woodcock, Executive Director at Packet Clearing House, clarify a few fundamentals about the way Quad9/PCH operates. His feedback appeared in the comments below this article:
Bill at PCH (Packet Clearing House):
Howdy. I'm on Quad9's board of directors, and I'm PCH's executive director, so, happy to answer questions about Quad9.
GCA's donors don't really have any bearing on this... There's no relationship between Quad9 and any of Quad9's donors' donors... And in any event, GCA is less than 1% of Quad9's funding. IBM and NTT are something like 40%, and there are hundreds of other donors in-between. So that's tinfoil-hat grasping at straws. Fundamentally, Quad9 is funded by the portion of the Internet industry that agrees that personal privacy is worthy of protection, and that it's both technically and economically feasible to be in complete compliance with the General Data Protection Regulation.
So, in so far as there's alignment between Quad9 and some sector of government, it's with privacy regulators, rather than law enforcement.
Though law enforcement was generally pretty pleased with the 30,000,000 malware events that were prevented during the pilot, and that rate has increased dramatically as we've gone into full public use.
Paul at TinkerTry:
I really appreciate you leaving this clarification here, thank you!
Bill at PCH:
Sure, happy to answer any questions people may have.
One other note: I'd say that the most useful "secondary" IP address for Quad9 is 2620:fe::fe, rather than 149.112.112.112, in the sense that the 149.112.112.112 address doesn't really get you anything very different than the 9.9.9.9 address in terms of network reachability, whereas the IPv6 path may be quite different than the IPv4 path.
Based on 2+ months of experience, and feedback that my original title was way too long and confusing, I have changed this article's title from:
Quad9 9.9.9.9 might be a good Google Public DNS 8.8.8.8 alternative, claims better privacy and features DNSSEC, DNS Benchmark indicates better speeds
to:
Quad9 is a good Google Public DNS alternative with DNSSEC, better privacy, and faster DNS Benchmark speeds
- Replaced my Linksys router with an eero 3 pack after also testing Luma mesh surround Wi-Fi, faster wireless in every room has arrived!
Aug 21 2016
- Google search
for "Quad9" reviews between Nov 15 and Nov 17, 2017.
- Free and Public DNS Servers
Updated list of the best publicly available and completely free DNS servers
Nov 17 2017 by Tim Fisher at Lifewire. Excerpt:
Quad9 uses real-time information about what websites are malicious and blocks them completely. No content is filtered - only domains that are phishing, contain malware, and exploit kit domains will be blocked. No personal data is stored. An unsecured public DNS is also available from Quad9 at 9.9.9.10, but they do not recommend using that as a secondary DNS in your router or computer setup. See more in the Quad9 FAQ.
- Is Your ISP Hijacking Your DNS Traffic?
Jul 06 2016 by Babak Farrokhi at RIPE NETWORK COORDINATION CENTRE. Excerpt:
You might not have noticed, but there are chances that your ISP is playing nasty tricks with your DNS traffic.