Quad9 DNS promises better privacy and security
Quad9 is a new endpoint DNS service by IBM, Packet Clearing House (PCH) and Global Cyber Alliance (GCA) that improves privacy and data protection.
While there are quite a few public DNS services out there, most Internet users probably don't use any of them and rely on their Internet provider for all things DNS. That's convenient because it works out of the box, but it is neither particularly secure nor good for data privacy.
The provider sees every domain-name-to-IP lookup made on the computer, and knows exactly what users do on the Internet. Even VPN solutions may not protect against this, depending on whether the VPN protects against DNS leaks or not.
Third-party services may improve security, privacy and the performance of DNS. Not all services do, and some services may use the accumulated traffic information internally or may sell it to marketing companies.
Quad9 DNS
Quad9 by IBM, PCH and GCA promises fast speeds, and improved security and privacy. The operators of Quad9 promise that the service does not "store, correlate or otherwise employ any personally identifiable information", and that data will never be shared with marketers or used for demographic analysis.
Security checks are performed on all DNS requests to identify malicious networks and sites prior to the loading of content from these sites and services.
Quad9 uses PCH's worldwide network of servers; IBM states that the service is available in over 160 locations around the world, and that access and performance should be quite good regardless of location.
Setting up Quad9 is quite easy as well. All you need to do is set the DNS servers of the network adapter to 9.9.9.9 and 149.112.112.112. You find instructions on how to set this up for Windows and Mac devices on the Quad9 website.
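The same change can be scripted on Windows instead of clicking through the adapter dialogs. The following is an added example, not taken from the article or from Quad9's instructions; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the built-in NetAdapter and DnsClient cmdlets are available. It records the previous resolvers, applies the two Quad9 addresses, and checks that each one answers.

```powershell
# Added example: point every connected physical adapter at Quad9 and verify.
# Assumption: run from an elevated PowerShell session.
$quad9 = '9.9.9.9', '149.112.112.112'   # addresses given in the article

# Physical adapters that currently have a link
$adapters = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'

foreach ($nic in $adapters) {
    # Record the current IPv4 resolvers so the change can be rolled back
    $before = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex `
                   -AddressFamily IPv4).ServerAddresses
    Write-Host "$($nic.Name): previous DNS = $($before -join ', ')"

    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $quad9

    # Read the setting back instead of trusting that the call succeeded
    $after = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex `
                  -AddressFamily IPv4).ServerAddresses
    if (($after -join ',') -ne ($quad9 -join ',')) {
        Write-Warning "$($nic.Name): DNS is '$($after -join ', ')', expected Quad9"
    }
}

# Drop answers cached from the previous resolver
Clear-DnsClientCache

# Query each Quad9 address directly to confirm it is reachable and answering
foreach ($server in $quad9) {
    try {
        $answer = Resolve-DnsName -Name 'www.quad9.net' -Server $server `
                      -Type A -DnsOnly -ErrorAction Stop
        $ips = ($answer | Where-Object Type -eq 'A').IPAddress -join ', '
        Write-Host "$server answered: www.quad9.net -> $ips"
    }
    catch {
        Write-Warning "$server did not answer: $($_.Exception.Message)"
    }
}

# Roll back to the DHCP-assigned resolvers for one adapter:
#   Set-DnsClientServerAddress -InterfaceIndex <ifIndex> -ResetServerAddresses
```

A direct query to 9.9.9.9 on port 53 can still be intercepted or redirected on the network path, so a successful answer here confirms the setting, not that the traffic is private.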
Webmasters find options on the site to check whether domains are blocked by the service, and an option to request the unblocking if it is a false positive.
I ran Quad9 through a series of DNS benchmarks and the service did not disappoint.
While it is not the fastest service out there, it finished in the top 3 before popular services such as Google DNS, OpenDNS and many others.
Closing words
It is always good to have more choice, and Quad9 is a promising new DNS service that is free, secure, not invasive to privacy, and quite fast.
Now You: Which DNS service do you use, and why?
20 months after this article was published I’m keeping ‘Quad9 DNS’ but through DNScrypt-Proxy again with: server_names = [‘quad9-dnscrypt-ip4-filter-pri’] which corresponds to 9.9.9.9. Quad9 offers a secondary DNS (‘quad9-dnscrypt-ip4-filter-alt’ tied to 149.112.112.112) but I’ve noted that it doesn’t change anything to Quad9 servers actually called when testing with ‘Perfect Privacy – DNS Leak Test’ at https://www.perfect-privacy.com/en/tests/dns-leaktest.
I use DNScrypt-proxy with the DNScrypt protocol but ‘Quad9 DNS’, like several others, is accessible via other protocols. DNScrypt public resolvers’ list available at https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
The Quad9 FAQ has not been updated recently, but https://twitter.com/Quad9DNS is a good source of current information.
If I read my DNS Benchmark results correctly, Quad9 DNS resolvers 9.9.9.9 and secondary 149.112.112.112 are the fastest public resolvers available for me (100 miles north of Boston MA US) out of 4849 resolvers tested.
What is better – Norton public DNS – Security option (malware, phishing sites and scam sites) or Quad9 DNS?
I’ve been using DNSCrypt with fairly good results. However, I will put this in the router’s primary. As always, thanks for the info.
What we need is decentralized DNS.
Note that they also provide 9.9.9.10 without the blocking of malicious sites. See their FAQ for details.
Excellent article and very helpful to me! Cordial thank you, Martin!
One weird (or logical, is it?!) thing I’ve just noticed and I am wondering…- is it again an intentional trick by the failing Google.
What I mean:
When I search via google for “quad9 dns” (or even “quad9 dns homepage”) I do not get a result (not a single one for pages on…) to point me to their homepage (www.quad9.net). I get only links to news articles (or reddit, etc.) announcing the launch of this dns service. Don’t you think this is bizarre?
That reminded me of the time when Google intentionally downgraded in their search results ProtonMail.
If that’s the sad case – oh, Quad9 DNS must be a really good and mighty competitor to Google public DNS.
What do you think?
(see https://www.theguardian.com/technology/2016/nov/07/google-burying-webmail-service-search-results-protonmail or https://protonmail.com/blog/search-risk-google/)
This should not happen, but search engines are not very good at these things. They put a lot of value on a domain’s authority, so anything that is posted to Reddit has a head start when it comes to exposure over sites that don’t have it (for instance because they are new, or not popular).
@Tom Hawack
I need to keep that in mind for the next time I want to set a DNS client because Windows 10 keeps making things harder
Quad9 has added a secondary DNS address: 149.112.112.112. This was on Quad9’s Twitter feed and also Hacker News.
Thanks for the info, Arcionquad. Not as sexy as 9.9.9.9 but that’s far from being the point.
Those concerned about Quad9 log practice may be reassured by their statement at https://www.quad9.net/#/policy. It makes sense to me.
Thanks Martin. Very nice article!
Thank you for bringing this to our attention Martin
Secure IPv6: 2620:fe::fe Blocklist, DNSSEC, No EDNS Client-Subnet
Gosh, the Metro interface is such a pain, I wanted to gain access to ‘Network Connection’ settings of the Control Panel by right-clicking the Windows Start Button and selecting ‘Network Connections’ from the list, rather than sending me the settings option found in the Control Panel it took me to the convoluted one located in the Metro interface, I could not even figure out how to change the DNS settings from there. Aside from that, Microsoft also took away the ‘Control Panel’ selection from the Windows Start Button right-click drop-down menu, now I have to scroll all the way down the Start Menu to the Windows System folder just to get to the Control Panel.
argh, what are they doing(!?)
“Nirsoft’s QuickSetDNS is a free portable application for all recent versions of the Microsoft Windows operating system that enables you to switch between the default DNS provider and alternate providers with two clicks.”
From Martin, four years ago.
It works.
https://www.ghacks.net/2013/10/29/use-quicksetdns-change-dns-configurations-heartbeat/
Changing the system’s DNS resolver is a breeze with the ‘Dns Jumper’ application:
[http://www.sordum.org/7952/dns-jumper-v2-1/]
“Supported operating systems: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows Xp – (x86 & x64)”
Thanks for the tip; it worked for me under Windows 10 x64 Home FCU current and Belarc correctly shows the DNS change which is 2 ms faster than OpenDNS which I have used for years.
I was unable to make this change with the Quad9 directions, using either control panel or settings.
3 cheers for http://www.sordum.org/7952/dns-jumper-v2-1/
Here is a quote from their privacy policy page: “We share anonymized data on specific domains (such as domain, timestamp, geolocation, number of hits, first seen, last seen) with our threat intelligence partners.” This means that some info is logged…
Quad9 looks ok, but I prefer using UncensoredDNS or other no logs dns: https://www.how-to-hide-ip.net/no-logs-dns-server-free-public/
Global Cyber Alliance (GCA)—an organization founded by law enforcement and research organizations to help reduce cyber-crime.
I’d rather Quad9 release the list of domains they block, so we can use them with any blocking solution and not just via DNS.
You can probably look them up yourself from their sources. They use a bunch of real-time threat feeds, most of which can be accessed by you, the end-user. IBM’s X-Force can be accessed for free if you sign up. Besides, the list would be so massive that you would never be able to read it all.
https://arstechnica.com/information-technology/2017/11/new-quad9-dns-service-blocks-malicious-domains-for-everyone/
Google, OpenDNS and more censor content. This too, I assume. Would never trust any American corp to handle my internet in any way!
Because you believe the World is black & white, good & bad, big corporations (non-profit ones included) all crooks and small ones all angels, America a devil and Europe a saint, Russia led by intelligence services and the USA by the media, etc etc etc?
Things are far more complex but nowadays maybe more than in the past people are invaded by tracking, by naughty entities and at the same time have never been as excited and tempted by what is offered to them simultaneously with the awareness that bad guys do exist. Consequence? The need of references and, should those lack, we tend to build our own with basic certitudes tied most often to our sociological, cultural and political environment. From there on for some the Good is on the West, for others it’s on the East, and for the remaining it’s where they live.
I don’t know if Quad9 is worth confidence, I don’t know if I should not trust their assertions of privacy on the ground America is big and powerful and trust a small Danish or German DNS provider because it’d be small, home-made, friendly-like because of its modest dimension compared to those big bad guys on the other side of the Atlantic, right?
When you have no evidence, either you avoid or you try. You can miss the best by avoiding and hurt yourself by trying. It’s called a risk. Calculate the risk, advance slowly, experience with method, avoid precipitation and quick conclusions, in other words remain yourself in a conflicting state of mind or abandon yourself to the laziness of certitudes remains everyone’s choice.
“Don’t confuse me with facts, I’ve already made up my mind!” ;)
Nice article. It’s slower than my ISP’s DNS (58 vs. 22ms) but worth a try.
If it does not support an alternate DNS port then it’s useless. My country uses DNS poisoning to prevent changing the DNS.
I use my own local DNS tracking/ads blocker
using Acrylic DNS
http://mayakron.altervista.org/wikibase/show.php?id=AcrylicHome
and configure it to use hosts file
http://someonewhocares.org/hosts/
IBM is a big corporation and corporations always want money or your data. I’ll stick with DNS-Crypt servers.
I’m going to guess that Quad9 is based in Europe. Here in the “Wild West” of the U.S. of A Quad9 came in 28 out of 30 when using DNS Benchmark. I currently use Qwest and Internap, mostly because of the speed and because they are not Comcast which is my ISP. The two I use came in #1 and #3 with Comcast coming in #2. Average latency of 11ms.
DNSSEC support? DNSCrypt? No? Then thanks, but no thanks.
DNSSEC is supported by Quad9, which seems to bother you?! It’s a fundamental point! Otherwise nothing to do with DNSCrypt which I mentioned to illustrate my experience but not as a comparison in terms of functionality. This said, ‘DNSCrypt’ is not a bad word, I’ve used it for years (DNSCrypt-Proxy that is) and it is flawless, in my experience anyway.
It seems interesting enough for me to have switched from DNSCrypt-Proxy to this new endpoint DNS.
I’ve also read (translated) on Heise Online (heise.de) that “Quad9 is the first major resolver network ever to allow users to encrypt their DNS requests over TLS” : that, together with the fact it filters the accesses also with the help of “Threat Intelligence Partners” such as abuse.ch (which provides lists I previously had to download once a day to include them in my DNSCrypt-Proxy blacklists) led me to opt for Quad9.
Funny words : dnSQUAD9 :) and “Quad9” pronounced in French as “Quoi de neuf” which means “What’s up” [?]. What’s up, doc? Quad9!
Thanks for the article, Martin. No flattery but besides knowledge you definitely have the journalistic talent of exposing facts clearly and objectively. We all know that.