Quad9 DNS promises better privacy and security

Martin Brinkmann
Nov 19, 2017
Updated • Jun 28, 2019

Quad9 is a new endpoint DNS service by IBM, Packet Clearing House (PCH) and Global Cyber Alliance (GCA) that improves privacy and data protection.

While there are quite a few public DNS services out there, most Internet users probably don't use any of them but rely on their Internet Service Provider for all things DNS. That's comfortable as it works out of the box, but it is neither really secure nor beneficial to data privacy.

The provider sees every domain name to IP lookup made on the computer, and knows exactly what users do on the Internet. Even VPN solutions may not protect against this, depending on whether the VPN protects against DNS leaks or not.

Third-party services may improve security, privacy and the performance of DNS. Not all services do, and some services may use the accumulated traffic information internally or may sell it to marketing companies.

Quad9 DNS

Quad9 by IBM, PCH and GCA promises fast speeds, and improved security and privacy. The operators of Quad9 promise that the service does not "store, correlate or otherwise employ any personally identifiable information", and that data will never be shared with marketers or used for demographic analysis.

Security checks are performed on all DNS requests to identify malicious networks and sites prior to the loading of content from these sites and services.

Quad9 uses PCH's worldwide network of servers. IBM states that the service is available in over 160 locations around the world, and that access and performance should be quite good regardless of location.

Setting up Quad9 is quite easy as well. All you need to do is set the DNS servers of the network adapter to 9.9.9.9 and 149.112.112.112. You find instructions on how to set this up for Windows and Mac devices on the Quad9 website.

Webmasters find options on the site to check whether domains are blocked by the service, and an option to request the unblocking if it is a false positive.
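
The same check can be scripted by comparing the answer from the filtering address 9.9.9.9 with the answer from 9.9.9.10, the address a commenter below notes is offered without blocking. This is an added example, not code from Quad9 or from the article; it assumes a blocked name is answered with NXDOMAIN by the filtering address, and the function names and sample replies are constructed for illustration.

```python
import secrets
import socket
import struct

FILTERED = "9.9.9.9"      # blocklist-enabled address from the article
UNFILTERED = "9.9.9.10"   # address without blocking, cited in the comments
NXDOMAIN = 3              # DNS RCODE "name does not exist"

def build_query(name, qid):
    """Encode a minimal recursive DNS query for an A record, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(resp, qid):
    """Return (rcode, answer_count); reject truncated or mismatched replies."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F, an

def classify(filtered, unfiltered):
    """Compare the (rcode, answer_count) pairs returned by both resolvers."""
    (f_rc, f_an), (u_rc, u_an) = filtered, unfiltered
    if f_rc == NXDOMAIN and u_rc == 0 and u_an > 0:
        return "blocked-by-filter"      # exists, but only the filter hides it
    if f_rc == NXDOMAIN and u_rc == NXDOMAIN:
        return "does-not-exist"         # genuinely unregistered name
    if f_rc == 0 and f_an > 0:
        return "resolves"
    return "inconclusive"

def check(name, timeout=3.0):
    """Query both addresses over UDP port 53 (needs network access)."""
    results = []
    for server in (FILTERED, UNFILTERED):
        qid = secrets.randbelow(1 << 16)  # unpredictable ID per query
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qid), (server, 53))
            resp, _ = s.recvfrom(4096)
        results.append(parse_header(resp, qid))
    return classify(*results)

# Constructed reply headers (not captured traffic) for offline use.
SAMPLE_BLOCKED = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
SAMPLE_OK = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
```

Calling `check()` on a name you operate shows whether a resolution failure comes from the blocklist or from the domain itself, which is the first thing to establish before filing a false-positive request.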

I ran Quad9 through a series of DNS benchmarks and the service did not disappoint.

While it is not the fastest service out there, it finished in the top 3 before popular services such as Google DNS, OpenDNS and many others.

Here is a video that highlights the basics of Quad9 and DNS

Closing words

It is always good to have more choice, and Quad9 is a promising new DNS service that is free, secure, not invasive to privacy, and quite fast.

Now You: Which DNS service do you use, and why?

Comments

  1. Tom Hawack said on June 30, 2019 at 4:58 pm
    20 months after this article was published I’m keeping ‘Quad9 DNS’ but through DNScrypt-Proxy again with: server_names = ['quad9-dnscrypt-ip4-filter-pri'] which corresponds to 9.9.9.9. Quad9 offers a secondary DNS (‘quad9-dnscrypt-ip4-filter-alt’ tied to 149.112.112.112) but I’ve noted that it doesn’t change anything to Quad9 servers actually called when testing with ‘Perfect Privacy – DNS Leak Test’ at https://www.perfect-privacy.com/en/tests/dns-leaktest.

    I use DNScrypt-proxy with the DNScrypt protocol but ‘Quad9 DNS’ as several others is accessible via other protocols. DNScrypt public resolvers’ list available at https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md

  2. chesscanoe said on December 10, 2017 at 5:48 pm
    The Quad9 FAQ has not been updated recently, but https://twitter.com/Quad9DNS is a good source of current information.

    If I read my DNS Benchmark results correctly, Quad9 DNS resolvers 9.9.9.9 and secondary 149.112.112.112 are the fastest public resolvers available for me (100 miles north of Boston MA US) out of 4849 resolvers tested.

  3. Andrew said on November 22, 2017 at 3:59 pm
    What is better – Norton public DNS – Security option (malware, phishing sites and scam sites) or Quad9 DNS?

  4. leanon said on November 21, 2017 at 12:59 pm
    I’ve been using DNSCrypt with fairly good results. However will put this in the router’s primary. As always thanks for the info.

  5. dark said on November 21, 2017 at 1:45 am
    What we need is decentralized DNS.

  6. Ninveh said on November 21, 2017 at 12:56 am
    Note that they also provide 9.9.9.10 without the blocking of malicious sites. See their FAQ for details.

  7. Zombo Rinn said on November 21, 2017 at 12:08 am
    Excellent article and very helpful to me! Cordial thank you, Martin!

    One weird (or logical, is it?!) thing I’ve just noticed and I am wondering…- is it again an intentional trick by the failing Google.

    What I mean:
    When I search via google for “quad9 dns” (or even “quad9 dns homepage” –> I do not get a result (not a single one for pages on…) to point me to their homepage (www.quad9.net). I get only links to news articles (or reddit, etc.) announcing the launch of this dns service. Don’t you think this is bizarre?

    That reminded me of the time when Google intentionally downgraded in their search results ProtonMail.
    If that’s the sad case, – Oh, Quad9 DNS must be really good and mighty competitor to Google public DNS.
    What do you think?

    (see https://www.theguardian.com/technology/2016/nov/07/google-burying-webmail-service-search-results-protonmail; or https://protonmail.com/blog/search-risk-google/)

    1. Martin Brinkmann said on November 21, 2017 at 7:11 am
      This should not happen, but search engines are not very good at these things. They put a lot of value on a domain’s authority, so, anything that is posted to Reddit has a headstart when it comes to exposure over sites that don’t have it (for instance because they are new, or not popular).

  8. XenoSilvano said on November 20, 2017 at 10:36 pm
    @Tom Hawack

    I need to keep that in mind for the next time I want to set a DNS client because Windows 10 keeps making things harder

  9. Arcionquad said on November 20, 2017 at 10:31 pm
    Quad9 has added a secondary DNS address: 149.112.112.112. This was on Quad9’s Twitter feed and also Hacker News.

    1. Tom Hawack said on November 20, 2017 at 10:46 pm
      Thanks for the info, Arcionquad. Not as sexy as 9.9.9.9 but that’s far from being the point.

  10. chesscanoe said on November 20, 2017 at 4:40 pm
    Those concerned about Quad9 log practice may be reassured by their statement at
    https://www.quad9.net/#/policy . It makes sense to me.

  11. The Dude said on November 20, 2017 at 4:08 pm
    Thanks Martin. Very nice article!

  12. XenoSilvano said on November 20, 2017 at 12:53 pm
    Thank you for bringing this to our attention Martin

    Secure IPv6: 2620:fe::fe Blocklist, DNSSEC, No EDNS Client-Subnet

    Gosh, the Metro interface is such a pain, I wanted to gain access to ‘Network Connection’ settings of the Control Panel by right-clicking the Windows Start Button and selecting ‘Network Connections’ from the list, rather than sending me the settings option found in the Control Panel it took me to the convoluted one located in the Metro interface, I could not even figure out how to change the DNS settings from there. Aside from that, Microsoft also took away the ‘Control Panel’ selection from the Windows Start Button right-click drop-down menu, now I have to scroll all the way down the Start Menu to the Windows System folder just to get to the Control Panel.

    argh, what are they doing(!?)

    1. Arcionquad said on November 20, 2017 at 3:33 pm
      “Nirsoft’s QuickSetDNS is a free portable application for all recent versions of the Microsoft Windows operating system that enables you to switch between the default DNS provider and alternate providers with two clicks.”

      From Martin, four years ago.

      It works.

      https://www.ghacks.net/2013/10/29/use-quicksetdns-change-dns-configurations-heartbeat/

    2. Tom Hawack said on November 20, 2017 at 1:13 pm
      Changing the system’s DNS resolver is a breeze with the ‘Dns Jumper’ application:
      [http://www.sordum.org/7952/dns-jumper-v2-1/]
      “Supported operating systems: Windows 10 , Windows 8.1 , Windows 8 , Windows 7 , Windows Vista , Windows Xp – (x86 & x64)”

      1. chesscanoe said on November 20, 2017 at 2:29 pm
        Thanks for the tip; it worked for me under Windows 10 x64 Home FCU current and Belarc correctly shows the DNS change which is 2 ms faster than OpenDNS which I have used for years.
        I was unable to make this change with the Quad9 directions, using either control panel or settings.
        3 cheers for http://www.sordum.org/7952/dns-jumper-v2-1/

  13. Asr said on November 20, 2017 at 9:53 am
    Here is a quote from their privacy policy page: “We share anonymized data on specific domains (such as domain, timestamp, geolocation, number of hits, first seen, last seen) with our threat intelligence partners.” This means that some info is logged…

    Quad9 looks ok, but I prefer using UncensoredDNS or other no logs dns: https://www.how-to-hide-ip.net/no-logs-dns-server-free-public/

  14. Rick said on November 20, 2017 at 5:48 am
    Global Cyber Alliance (GCA)—an organization founded by law enforcement and research organizations to help reduce cyber-crime.

  15. Ray said on November 20, 2017 at 4:10 am
    I’d rather Quad9 release the list of domains they block, so we can use them with any blocking solution and not just via DNS.

    1. Kit said on November 22, 2017 at 7:35 pm
      You can probably look them up yourself from their sources. They use a bunch of real-time threat feeds, most of which can be accessed by you, the end-user. IBM’s X-Force can be accessed for free if you sign up. Besides, the list would be so massive that you would never be able to read it all.

      https://arstechnica.com/information-technology/2017/11/new-quad9-dns-service-blocks-malicious-domains-for-everyone/

  16. Stefan said on November 19, 2017 at 10:30 pm
    Google, OpenDNS and more censor content. This too I assume. Would never trust any American corp to handle my internet in any way!

    1. Tom Hawack said on November 20, 2017 at 11:32 am
      Because you believe the World is black & white, good & bad, big corporations (non-profit ones included) all crooks and small ones all angels, America a devil and Europe a saint, Russia led by intelligence services and the USA by the medias, etc etc etc?

      Things are far more complex but nowadays maybe more than in the past people are invaded by tracking, by naughty entities and at the same time have never been as excited and tempted by what is offered to them simultaneously with the awareness that bad guys do exist. Consequence? The need of references and, should those lack, we tend to build our own with basic certitudes tied most often to our sociological, cultural and political environment. From there on for some the Good is on the West, for others it’s on the East, and for the remaining it’s where they live.

      I don’t know if Quad9 is worth confidence, I don’t know if I should not trust their assertions of privacy on the ground America is big and powerful and trust a small Danish or German DNS provider because it’d be small, home-made, friendly-like because of its modest dimension compared to those big bad guys on the other side of the Atlantic, right?

      When you have no evidence either you avoid either you try. You can miss the best by avoiding and hurt yourself by trying. It’s called a risk. Calculate the risk, advance slowly, experience with method, avoid precipitation and quick conclusions, in other words remain yourself in a conflicting state of mind or abandon yourself to the laziness of certitudes remains everyone’s choice.

      1. Richard Allen said on November 20, 2017 at 1:12 pm
        “Don’t confuse me with facts, I’ve already made up my mind!” ;)

  17. George said on November 19, 2017 at 9:08 pm
    Nice article. It’s slower than my ISP’s DNS (58 vs. 22ms) but worth a try.

  18. Kul said on November 19, 2017 at 8:26 pm
    If it does not support alternate DNS port then it’s useless. My country uses DNS poisoning to prevent changing the DNS.

  19. AhmedR said on November 19, 2017 at 7:58 pm
    I use my own local DNS tracking/ads blocker
    using Acrylic DNS
    http://mayakron.altervista.org/wikibase/show.php?id=AcrylicHome

    and configure it to use hosts file
    http://someonewhocares.org/hosts/

  20. Thomas said on November 19, 2017 at 6:34 pm
    IBM is a big corporation and corporations always want money or your data. I’ll stick with DNS-Crypt servers.

  21. Richard Allen said on November 19, 2017 at 6:10 pm
    I’m going to guess that Quad9 is based in Europe. Here in the “Wild West” of the U.S. of A Quad9 came in 28 out of 30 when using DNS Benchmark. I currently use Qwest and Internap, mostly because of the speed and because they are not Comcast which is my ISP. The two I use came in #1 and #3 with Comcast coming in #2. Average latency of 11ms.

  22. Anonymous said on November 19, 2017 at 4:20 pm
    DNSSEC support? DNSCrypt? No? Then thanks, but no thanks.

    1. Tom Hawack said on November 19, 2017 at 4:45 pm
      DNSSEC is supported by Quad9, which seems to bother you?! It’s a fundamental point! Otherwise nothing to do with DNSCrypt which I mentioned to illustrate my experience but not as a comparison in terms of functionality. This said, ‘DNSCrypt’ is not a bad word, I’ve used it for years (DNSCrypt-Proxy that is) and it is flawless, in my experience anyway.

  23. Tom Hawack said on November 19, 2017 at 3:39 pm
    It seems interesting enough for me to have switched from DNSCrypt-Proxy to this new endpoint DNS.
    I’ve also read (translated) on Heise Online (heise.de) that “Quad9 is the first major resolver network ever to allow users to encrypt their DNS requests over TLS” : that, together with the fact it filters the accesses also with the help of “Threat Intelligence Partners” such as abuse.ch (which provides lists I previously had to download once a day to include them in my DNSCrypt-Proxy blacklists) led me to opt for Quad9.

    Funny words : dnSQUAD9 :) and “Quad9” pronounced in French as “Quoi de neuf” which means “What’s up” [?]. What’s up, doc? Quad9!

    Thanks for the article, Martin. No flattery but besides knowledge you definitely have the journalistic talent of exposing facts clearly and objectively. We all know that.
