DNS Malware Filtering Compared: Quad9 VS Cloudflare VS DNS Filter VS OpenDNS / Cisco Umbrella

Not to be a conspiracy theorist – but isn’t there some connection between Quad9 and the NSA or other government (usually 3 letter) agencies?

1 Like

Hi! Just saw the video. Thanks for the review! I’m the Executive Director of Quad9. I’ve got a few answers and comments based on the video.

First: We’re a very small 501(c)3 non-profit, but we punch well above our weight in a lot of ways despite having only a fraction the capitalized size of any of the other services you put in the list. We’re always looking for sponsors, both individual and corporate - see our webpage for the big friendly “donate” button.

Second: We’re a really great security service, but we also aren’t selling personal data, nor do we have some hidden plan by giving away our service for free. We’re not upselling you to a paid plan, nor are we promoting our other hosting or DNS or marketing, nor are we selling or digesting your private data. In fact, we never even transmit your IP address out of the cluster of systems in each city where we receive it, nor do we ever write it to any sort of storage. Furthermore, we have no accounts, no signup, and no way of tracking who our users are - it’s entirely free, and we really don’t even want to know who our users are. The downside of that is that there isn’t any customization or reporting, because that would imply tracking information and storage. We’re explicitly designed not to be able to retain personal data from the ground up. This is actually a very appealing part of our project for schools, public networks, and of course everyone in the areas covered by GDPR regulations, and I think we’re the only service in the world operated by a non-profit with these goals.
To the person who references rumors that we are part of a vast government conspiracy: No. Our staff, and board, and sponsors are all working towards making Quad9 the most private service available. Specifically, everyone working here would depart if anything nefarious like that were the case, and I’m sorry that our reputations for privacy fanaticism can’t easily be represented in a clickable format. We find that some of our goals may align with certain law enforcement organizations who focus on financial crimes (stopping cyber-crime is fundamental to both of our missions) but that’s the only place where the Venn diagrams cross. We are currently funded only by private donations, mostly by cyber-security companies who value our work, individuals, and quite a bit of in-kind donations from other non-profits and service providers for network capacity.

Third: Our security coverage is pretty great, and I’m pleased to see your numbers bear that out. The reason we’re so awesome is because of our threat intelligence partners. We don’t actually evaluate threats and figure out who is doing what - we ingest lists from around 19 different companies, and some open lists, and then our job is to relay/apply that data via our DNS servers. This is very different than everyone else, who may be building the lists themselves, or who have only a limited number of providers. The companies give us these lists of malicious/phishing/command&control/etc. hosts because we give them some insights as to the volumes of “hits” happening on the domains they give us. We don’t tell them anything about your personal data (no IP addresses) but they find the volume data to be super-useful with our many millions of end users giving immediate validation to growing or falling trends in malicious domains. Also, you can find out who provided us with any domain that is blocked by going to our web page - there’s a search bar right on the front. We don’t have any “hidden” suppliers of threat data - everything is public about individual domains, though we don’t publish the list itself.
I suspect the SANS list is being ingested by one or more of our TI providers and analyzed for false positives, and then re-bundled and sent to us in part. We don’t (yet) take that list directly. This is actually quite common - finding false positives is a science all to itself, and we are extremely sensitive to FP entries. Many of the public lists are more prone to FP data, so we constantly are looking for issues in the data and working with both open and closed list providers to keep false positives low or nonexistent.

Fourth: We’re in more than 150 cities and 90 countries now, and still growing, so there’s probably a server close to you, and you get routed there automatically. Anycast is fantastic.

Fifth: We support DNS-over-TLS, DNS-over-HTTPS, and DNSCrypt protocols for extra interception-proofing. The newest Chrome being rolled out & Android >= Pie will auto-upgrade to encrypt DNS connections to Quad9, and the very early beta versions of Windows as well. Encryption is good!

Sixth: We have multiple “flavors” of the service. There is 9.9.9.10, which provides “vanilla” DNS with no blocklist similar to CF and Google’s service, and in fact there is even no DNSSEC on that address to make it even more able to resolve everything, even things it shouldn’t (user beware!) There’s also 9.9.9.11, which has blocking + ECS, which is a whole different story but the summary is that some CDNs will work better to get you to the closest server at the cost of some privacy leakage (the ECS protocol sends some parts of your IP address to the remote DNS server during the lookup.) Also, we try to encourage everyone to set up their “secondary” server as well as the backups to minimize effects of routing issues or maintenance windows.

9.9.9.9
149.112.112.112
2620:fe::fe

Thanks again for the review - I’ll try to keep my eye on this thread to answer any questions.

16 Likes

No. But once a rumor like that gets started, it’s hard to kill. But no, absolutely not. For SO many reasons. We’re privacy fanatics.

7 Likes

I’m in Thailand. Latency on 9.9.9.9 is 188 ms whereas latency on 1.1.1.1 is 32 ms. On your website it indicates that where you do not have a server, the DNS request will be forwarded to your nearest server. Geographically Cambodia seems to be that, but Singapore is closest latency-wise. What is the basis of calculating the nearest server, and should things improve?

2 Likes

Thank you very much @quad9dns for taking the time to post in the forums and also thank you for such a great service!

8 Likes

There were quite a few YouTube comments asking about NextDNS. I setup an account and then I ran the query against their services. While they did better than DNS Filter, Umbrella, and Cloudflare Filtered, Quad9 is still by far the winner in this test.

4 Likes

@Deku In the pfSense menu under System / General Setup, clear the checkbox ‘Allow DNS server list to be overridden by DHCP/PPP on WAN’ in the ‘DNS Server Settings’ section.

1 Like

Don’t need to wait to switch over to QUAD9 methinks

1 Like

Put a screenshot up of your System / General Setup.

1 Like

Thank you for taking time to address the issue. It’s nice to hear information from the company directly.

2 Likes

LTS_Tom Yeoman’s work on this, thanks. Used OpenDNS but switched when they were acquired by Cisco; primary 9999 with the secondary set to 1111, and now, as of moments ago, all Quad9. Was surprised at the results of OpenDNS; seems Cisco isn’t putting much except marketing into Umbrella.
You got some attention with this video including Quad9. The response from them was the kind of response we in the biz like.
SANS has some great free data sources but their course offerings are a bit expensive.

2 Likes

I had been using Quad9, but switched to 1.1.1.2 because of the lower ping times from Cloudflare, but after this video I’m switching back. A slight speed difference isn’t enough to give up effective filtering.

2 Likes

Most DNS providers do have two IP’s for their service so you can use them as primary and secondary. Quad9’s other IP is 149.112.112.112

2 Likes

Really interesting, thanks for the comparison.

I went ahead and ran the script against pfBlockerNG. Slightly better than Quad9, but still let a few through.

pfBlockerNG

2 Likes

That box was already unchecked but I still wasn’t able to see Quad9 or OpenDNS when running a DNS leak test. Though I was able to fix it by going to Services / DNS Resolver / General Settings and checking the DNS Query Forwarding box, and then it immediately grabbed the DNS I set back in system settings. Not sure if it’s the right way but it is what worked.

1 Like

Is there some way to monitor what Quad9 is filtering? I am using OpenDNS with an account and I can see stats and what is going on. Does Quad9 offer this too? (or am I missing this feature because my google skills failed) sips coffee

I ran your script with just 10 hosts, column E always returns 45.32.196.109 Why is that?

Domainname,1.1.1.1,9.9.9.9,1.1.1.2,103.247.36.36,208.67.222.222
hmora.fred-build.tk,195.20.46.190,,0.0.0.0,45.32.196.109,195.20.46.190
borat.elticket.com.ar,,,,45.32.196.109,
pave.elisecries.com,35.235.101.253,,35.235.101.253,45.32.196.109,35.235.101.253
lay.elticket.com.ar,,,,45.32.196.109,
peeg.fronterarq.cl,,,,45.32.196.109,
lexu.goggendorf.at,127.0.0.2,,127.0.0.2,45.32.196.109,127.0.0.2
malibu.websitewelcome.com,192.185.179.134,192.185.179.134,192.185.179.134,45.32.196.109,192.185.179.134
msw67.cafe24.com,116.120.57.94,,116.120.57.94,45.32.196.109,116.120.57.94
ktechi.com,176.9.166.34,176.9.166.34,176.9.166.34,45.32.196.109,176.9.166.34
walfab.com,198.185.159.145,198.49.23.144,198.185.159.145,45.32.196.109,198.49.23.144
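The constant value in column E is the kind of answer a filtering resolver gives when it substitutes its own block-page address for the real record, and it can be told apart from a real record precisely because the same IP comes back for many unrelated domains. As an added illustration, not the thread's own script, here is a small Python analysis of the ten rows above that detects such a per-resolver "sinkhole" answer and then counts blocks per resolver, treating a blank cell as no answer (NXDOMAIN/SERVFAIL), 0.0.0.0 as a null answer, and counting a domain as "live" only if at least one resolver returned a real address. The resolver in column E (103.247.36.36) is assumed to be the DNS Filter service from the comparison in the video; the threshold for calling an address a sinkhole (returned for at least half the domains, minimum three) is my own choice.

```python
import csv
import io
from collections import Counter

# Constructed sample: the ten-row CSV posted in this thread, verbatim.
SAMPLE_CSV = """Domainname,1.1.1.1,9.9.9.9,1.1.1.2,103.247.36.36,208.67.222.222
hmora.fred-build.tk,195.20.46.190,,0.0.0.0,45.32.196.109,195.20.46.190
borat.elticket.com.ar,,,,45.32.196.109,
pave.elisecries.com,35.235.101.253,,35.235.101.253,45.32.196.109,35.235.101.253
lay.elticket.com.ar,,,,45.32.196.109,
peeg.fronterarq.cl,,,,45.32.196.109,
lexu.goggendorf.at,127.0.0.2,,127.0.0.2,45.32.196.109,127.0.0.2
malibu.websitewelcome.com,192.185.179.134,192.185.179.134,192.185.179.134,45.32.196.109,192.185.179.134
msw67.cafe24.com,116.120.57.94,,116.120.57.94,45.32.196.109,116.120.57.94
ktechi.com,176.9.166.34,176.9.166.34,176.9.166.34,45.32.196.109,176.9.166.34
walfab.com,198.185.159.145,198.49.23.144,198.185.159.145,45.32.196.109,198.49.23.144
"""


def load_rows(csv_text):
    """Return the rows as dicts plus the list of resolver columns (everything but Domainname)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    resolvers = [col for col in rows[0] if col != "Domainname"]
    return rows, resolvers


def detect_sinkholes(rows, resolvers):
    """Map resolver -> address it returns for many *different* domains.

    A real record differs per domain; an address that a single resolver hands back
    for at least half of the domains (minimum three) is its block page. Threshold is
    an assumption chosen for this example, not something the thread specifies.
    """
    threshold = max(3, len(rows) // 2)
    sinkholes = {}
    for resolver in resolvers:
        counts = Counter(row[resolver] for row in rows
                         if row[resolver] and row[resolver] != "0.0.0.0")
        for ip, n in counts.items():
            if n >= threshold:
                sinkholes[resolver] = ip
    return sinkholes


def answer_kind(ip, sinkhole):
    """Classify one cell of the CSV."""
    if ip == "":
        return "no-answer"     # script left the cell blank: NXDOMAIN, SERVFAIL or refused
    if ip == "0.0.0.0":
        return "null-answer"   # explicit null address, as 1.1.1.2 returns for blocked names
    if ip == sinkhole:
        return "block-page"    # the resolver's own substitute address
    return "resolved"          # a genuine record (127.0.0.2 counts: other resolvers agree on it)


def summarize(csv_text):
    """Per-resolver block counts over the domains that resolve somewhere."""
    rows, resolvers = load_rows(csv_text)
    sinkholes = detect_sinkholes(rows, resolvers)
    kinds = {
        row["Domainname"]: {r: answer_kind(row[r], sinkholes.get(r)) for r in resolvers}
        for row in rows
    }
    # A domain nobody resolves to a real address is dead, not blocked; leave it out.
    live = [name for name, k in kinds.items() if any(v == "resolved" for v in k.values())]
    blocked = {r: sum(1 for name in live if kinds[name][r] != "resolved") for r in resolvers}
    return {"sinkholes": sinkholes, "live_domains": live, "blocked": blocked}


if __name__ == "__main__":
    result = summarize(SAMPLE_CSV)
    print("sinkhole addresses:", result["sinkholes"])
    print("live domains:", len(result["live_domains"]))
    for resolver, n in result["blocked"].items():
        print(f"{resolver:>16}: {n} of {len(result['live_domains'])} live domains blocked")
```

On these ten rows the only sinkhole found is 45.32.196.109 for 103.247.36.36, which answers the question: that resolver is not resolving the names at all, it is returning its block page for every one of them. Three of the ten domains are dead everywhere (only the sinkhole answers), and of the remaining seven, 9.9.9.9 blocks four while 1.1.1.1 and 208.67.222.222 block none; a larger list, as in the video, is needed before those counts mean much.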

Hi - you had asked about a management interface for Quad9. There is no way to monitor Quad9’s filtering via a web interface at Quad9, since we do not have the concept of an “account” due to privacy and data collection issues. However, if you are willing to do a bit of hackery, then it is possible to see which queries are being blocked by our filter versus which queries are being naturally given an NXDOMAIN. We flag our blocked queries with the RD bit in the reply. If you’re using Quad9 as a forwarder, Pi-Hole automatically recognizes this and will flag the blocks appropriately, but it’s possible to just capture the packets manually as well.

If you’re a user of tshark (the command-line version of wireshark for Linux) then you could run a command like this constantly to get a list of blocked hosts. Of course, change the ethernet interface for your local installation, and that interface would need to be able to “see” all the query replies coming from Quad9 towards your host(s). This loops to prevent disk exhaustion since tshark keeps temp files. Use "dig @9.9.9.9 +short A blocked.test.on.quad9.net" to trigger a block result.

while true; do tshark -np -i ens32 -q -c 100000 -E separator=, -E quote=d -T fields -e frame.time_epoch -e dns.qry.name -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -Y "dns.flags.rcode eq 3 && dns.flags.recavail eq 0" "src net 9.9.9.0/24 or src net 149.112.112.0/24 or src net 149.112.149.0/24 or src net 2620:fe::0/48" 2>/dev/null; done

3 Likes
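The tshark display filter above is doing two checks on each reply from a Quad9 address: the response code is 3 (NXDOMAIN) and the "recursion available" (RA) flag in the header is cleared, which is what separates a filtered name from a name that simply does not exist. The following is an added Python example, not Quad9's code or anything from the thread, that applies the same two checks directly to DNS response packets so the rule can be reproduced in a log pipeline without tshark. It parses only the 12-byte header and the question name; the reply packets it runs on are constructed inline (the block-test name is the one quoted in the post, the "nonexistent.example" and "example.com" names are placeholders), and the list of Quad9 source prefixes is the IPv4 part of the capture filter above.

```python
import struct

# IPv4 source prefixes from the thread's capture filter; replies from anything else
# are ignored, since only Quad9 is documented to signal blocks this way.
QUAD9_PREFIXES = ("9.9.9.", "149.112.112.", "149.112.149.")

QR, RD, RA = 0x8000, 0x0100, 0x0080   # header flag bits
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, offset):
    """Read a name at offset, following a compression pointer if present."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_reply(qname, rcode, ra, txid=0x1234):
    """Constructed reply: header + one question, no answer records."""
    flags = QR | RD | (RA if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)   # type A, class IN


def parse_reply(msg):
    """Header fields the tshark filter looks at, plus the queried name."""
    txid, flags, *_ = struct.unpack("!HHHHHH", msg[:12])
    qname, _ = decode_name(msg, 12)
    return {"id": txid, "qr": bool(flags & QR), "ra": bool(flags & RA),
            "rcode": flags & 0xF, "qname": qname}


def classify(src_ip, msg):
    """Mirror of 'dns.flags.rcode eq 3 && dns.flags.recavail eq 0' from Quad9 sources."""
    info = parse_reply(msg)
    if not info["qr"]:
        return "query"                     # not a response at all
    if not src_ip.startswith(QUAD9_PREFIXES):
        return "other-resolver"
    if info["rcode"] == RCODE_NXDOMAIN and not info["ra"]:
        return "blocked"                   # NXDOMAIN with RA cleared: filtered by Quad9
    if info["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"                  # ordinary "no such name"
    return "answered"


def blocked_names(packets):
    """Names Quad9 filtered, from (source_ip, reply_bytes) pairs."""
    return [parse_reply(m)["qname"] for src, m in packets if classify(src, m) == "blocked"]


# Constructed sample traffic: one Quad9 block, one natural NXDOMAIN, one normal
# answer, and the same block-shaped reply from a non-Quad9 address.
SAMPLE_PACKETS = [
    ("9.9.9.9", build_reply("blocked.test.on.quad9.net", RCODE_NXDOMAIN, ra=False)),
    ("9.9.9.9", build_reply("nonexistent.example", RCODE_NXDOMAIN, ra=True)),
    ("149.112.112.112", build_reply("example.com", 0, ra=True)),
    ("1.1.1.1", build_reply("blocked.test.on.quad9.net", RCODE_NXDOMAIN, ra=False)),
]

if __name__ == "__main__":
    for src, pkt in SAMPLE_PACKETS:
        print(f"{src:>16}  {parse_reply(pkt)['qname']:<28} {classify(src, pkt)}")
    print("blocked:", blocked_names(SAMPLE_PACKETS))
```

Feeding real captures into `classify` means extracting the UDP payload (or the length-prefixed TCP/DoT record) first; the header check is identical either way. Keep the source-address test: plenty of resolvers return NXDOMAIN with RA cleared for reasons unrelated to filtering, so the signal is only meaningful for replies that actually came from Quad9.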

Hi BangkokBob - We actually have a system in Bangkok at a local IX (Inter-eXchange) called BKNIX (https://www.peeringdb.com/ix/1025) in our Packet Clearing House space (they’re another non-profit that is the primary way we get distributed worldwide.) If your provider doesn’t peer (exchange packets) with us there, then they take the packets wherever they see fit. PCH has an open interconnect policy, meaning they’ll interconnect with any network at no cost as long as they’re on the IX. However, many telcos (they always seem to be telcos) have a somewhat antiquated view of the world and think that interconnecting for better performance is a negative (that is a much longer myth than can be explained here) so they may decide that taking your traffic to an entirely different nation or even continent is the “best” thing to do. Apply pressure locally for your ISP/telco to connect to open exchanges and your performance will improve, not just to Quad9 but to everything. Other organizations may choose to pay or otherwise compensate the ISP/telco to interconnect, but we feel that is a bad precedent for an open and robust Internet, and rewards poor architectural decisions.

2 Likes