IBM Quad9 – A free security solution using DNS to protect against cyber threats

141 points by bignet over 7 years ago

36 comments

blfr over 7 years ago
Namebench says...

    Mean response (in milliseconds):
    --------------------------------
    8.8.8.8      ########### 71.90
    192.168.1.1  ############# 85.92
    9.9.9.9      ##################################################### 369.26

    Mean response (in milliseconds):
    --------------------------------
    8.8.4.4      ################# 85.49
    9.9.9.10     ################################################## 252.25
    9.9.9.9      ##################################################### 268.93

... give it some time.
gmac over 7 years ago
Looks like an interesting alternative to Google DNS (8.8.8.8), and possibly a little more anonymous. Google logs your IP address for 24 - 48 hours[1], while Quad9 appears not to[2].

[1] https://developers.google.com/speed/public-dns/privacy

[2] https://www.quad9.net/#/faq#does-quad9-collect-and-store-personal-data
rootinier over 7 years ago
You shouldn't use it in Germany or Europe. It resolves www.google.de with an IP based in SFO, instead of a local Google server. Even 9.9.9.10 (which is said to support EDNS Client Subnet) doesn't work.
jacquesm over 7 years ago
There is something very funny about that service being immediately unavailable right after launch.

I think I'll pass for now.
tombrossman over 7 years ago
After recently setting up Pi-hole on my Turris Omnia I had to choose between using Google's DNS (which supports DNSSEC) or sticking with OpenDNS (which does not...yet?), so I gave up using DNSSEC. The submitted IBM site is really slow to load but I did manage to grab a screenshot of the FAQ page[0] which confirms they do support it. And the privacy policy looks pretty good also[1].

I tried to archive the pages with archive.is but it did not appear to be loading for them either.

Hopefully the site comes back up soon but I have to say I expected to see yet another surveillance capitalism service and I was pleasantly surprised. I'll try it out for a week and see how it goes.

[0] https://screenshots.firefox.com/LiNdj97Ck3qaLXze/www.quad9.net

[1] https://screenshots.firefox.com/YEsWa5TwhGYQDZFZ/www.quad9.net
joenathanone over 7 years ago
That's funny, the quad9.net website is down at the moment. I guess that answers if their DNS will be reliable.
Cthoma over 7 years ago
It's designed quite badly to be honest.

9.9.9.9 is allegedly with security features. 9.9.9.10 does not have any security features.

People will put 9.9.9.9 in the Primary DNS, 10 in the secondary in many OSes.

Also, "What is Quad9" resolves to a video rather than a quick explanation. There is almost no information that this is a DNS server service on landing.

> It's easy to setup Quad9 on your Mac or PC. Watch the video for your operating system.

Where is Linux? I doubt people who are using those OSes will bother changing their DNS.
rmdoss over 7 years ago
Quick performance test comparing these 4 players:

* Google: 8.8.8.8
* Quad9.com: 9.9.9.9
* http://OpenDNS.com: 208.67.222.222
* https://CleanBrowsing.org: 185.228.168.168

Results:

    New York:
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=60 time=1.62 ms
    64 bytes from 9.9.9.9: icmp_seq=2 ttl=60 time=0.924 ms
    64 bytes from 208.67.222.222: icmp_seq=2 ttl=60 time=1.18 ms
    64 bytes from 185.228.168.168: icmp_seq=2 ttl=57 time=1.93 ms

    Montreal:
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=55 time=13.0 ms
    64 bytes from 9.9.9.9: icmp_seq=2 ttl=56 time=16.7 ms
    64 bytes from 208.67.222.222: icmp_seq=2 ttl=56 time=16.5 ms
    64 bytes from 185.228.168.168: icmp_seq=2 ttl=50 time=9.18 ms

    Dallas:
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=61 time=1.09 ms
    64 bytes from 9.9.9.9: icmp_seq=1 ttl=59 time=29.8 ms
    64 bytes from 208.67.222.222: icmp_seq=1 ttl=58 time=1.03 ms
    64 bytes from 185.228.168.168: icmp_seq=1 ttl=57 time=1.29 ms

    Paris:
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=4.61 ms
    64 bytes from 9.9.9.9: icmp_seq=2 ttl=56 time=6.71 ms
    64 bytes from 208.67.222.222: icmp_seq=2 ttl=56 time=4.60 ms
    64 bytes from 185.228.168.168: icmp_seq=2 ttl=54 time=3.85 ms

    Tokyo:
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=59 time=1.10 ms
    64 bytes from 9.9.9.9: icmp_seq=1 ttl=55 time=65.7 ms
    64 bytes from 208.67.222.222: icmp_seq=1 ttl=57 time=1.57 ms
    64 bytes from 185.228.168.168: icmp_seq=1 ttl=59 time=0.551 ms

Only New York and Paris were close. Their performance in Tokyo & Dallas was suboptimal. OpenDNS has much better performance and is closer to Google than Quad9.

But I will still try it out and hope they keep supporting it.
chewz over 7 years ago
Sending DNS queries in the open does not protect from DNS hijacking, which is ubiquitous in SE Asia for example. So you end up getting a 'free security solution' that at the last mile is deliberately slowed down, registered and falsified.

A much better and more secure solution could be assembled in 15 minutes using dnscrypt-proxy with IP and domain filtering and caching. [1]

Additionally I am always suspicious why IBM suddenly wants to collect my DNS queries? Sorry big corpo but I don't trust your good intentions any more. We are long past the innocence of the first years of the Internet.

If IBM or any other big name really wants to help with DNS security why don't they give financial and material help to heroes like jedisct1, Martin 'd0wn' Albus, soltysiak and others who put their time, effort and money into running DNSCrypt servers? With the money plunged just into the design of the Quad9 webpage they could have kept some servers running for years [2]

[1] https://github.com/jedisct1/dnscrypt-proxy/wiki

[2] According to soltysiak his monthly costs are ca. 40€/month but as it is his private expense he had to limit memory in his server.

https://dnscrypt.pl/2017/04/02/finacials-in-q1-2017/
tribaal over 7 years ago
The website seems to be down for me.

Doesn't DDoS defense fall in the "internet threat protection" bucket? :p
js2 over 7 years ago
Re: "In some circumstances this may result in suboptimal routing between CDN origins and end users."

Maybe it's better now, but a couple years back I found streaming iTunes movies (I think Apple used Akamai at the time and may still) would not work at all if not using my ISP's DNS servers. So I had to configure dnsmasq to forward CDN domain lookups to my ISP's DNS servers.

I wonder if a good compromise for EDNS w.r.t. privacy would be that instead of forwarding the client subnet, instead have a lookup table mapping the client IP to their ISP's DNS servers, and then insert the subnet of the ISP's DNS servers. I suppose it could be any "representative" subnet of the client ISP though.

Also, minor typo in the FAQ answer for "Does Quad9 implement DNSSEC?": "... Note that some variations of our resolver (differente IP addresses) may not provide DNSSEC."

Different has an extraneous trailing "e".
quotha over 7 years ago
I totally just got the name, Quad9 == 9.9.9.9, duh
farrokhi over 7 years ago
The response time depends on network peering from their anycast locations. I am seeing different response times based on test locations.

From US:

    # ./dnseval.py -f google-vs-quad9.txt -c 50 -C yahoo.com
    server     avg(ms)    min(ms)    max(ms)    stddev(ms)  lost(%)  ttl    flags
    ----------------------------------------------------------------------------------------------------
    8.8.8.8    31.857     31.278     33.416     0.434       %0       1332   QR -- -- RD RA -- --
    8.8.4.4    31.865     31.361     32.872     0.336       %0       1330   QR -- -- RD RA -- --
    9.9.9.9    93.703     92.797     95.362     0.586       %0       1391   QR -- -- RD RA -- --

From Iran:

    # ./dnseval.py -f google-vs-quad9.txt -c 50 -C yahoo.com
    server     avg(ms)    min(ms)    max(ms)    stddev(ms)  lost(%)  ttl    flags
    ----------------------------------------------------------------------------------------------------
    8.8.8.8    105.093    90.046     130.871    9.749       %0       3590   QR -- -- RD RA -- --
    8.8.4.4    99.458     84.472     133.375    11.308      %0       3585   QR -- -- RD RA -- --
    9.9.9.9    96.231     83.957     134.709    9.503       %0       3595   QR -- -- RD RA -- --

Tests are performed using dnsdiag tools: https://github.com/farrokhi/dnsdiag
edbergavera over 7 years ago

    $ ping 9.9.9.9
    PING 9.9.9.9 (9.9.9.9): 56 data bytes
    64 bytes from 9.9.9.9: icmp_seq=0 ttl=53 time=98.011 ms
    64 bytes from 9.9.9.9: icmp_seq=1 ttl=53 time=96.444 ms
    64 bytes from 9.9.9.9: icmp_seq=2 ttl=53 time=96.556 ms
    64 bytes from 9.9.9.9: icmp_seq=3 ttl=53 time=96.769 ms
    64 bytes from 9.9.9.9: icmp_seq=4 ttl=53 time=104.274 ms
    64 bytes from 9.9.9.9: icmp_seq=5 ttl=53 time=102.235 ms
    64 bytes from 9.9.9.9: icmp_seq=6 ttl=53 time=97.185 ms

    $ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=45 time=54.808 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=54.407 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=55.173 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=45 time=55.058 ms
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=45 time=54.583 ms
    64 bytes from 8.8.8.8: icmp_seq=5 ttl=45 time=54.589 ms
    64 bytes from 8.8.8.8: icmp_seq=6 ttl=45 time=54.645 ms
0x0 over 7 years ago
It's also interesting that they have a public "insecure" DNS server on 9.9.9.10 with none of the additional threat protections - https://www.quad9.net/#/faq#is-there-a-service-that-quad9-offers-that-does-not-have-the-blocklist-or-other-security
krylon over 7 years ago
Ironically, the page takes *forever* to load for me.

If they cannot handle the HN hug of death, I am not so sure if they can ward off a serious attack.

The idea - Realtime blacklisting via DNS - is not bad. But if the first impression I get is a page that loads very slowly, I am doubtful if they can implement it well.
pantulis over 7 years ago
That's quite a vanity IP. Wonder if they already had it or bought the address block from someone.
heipei over 7 years ago
Does anyone have an example query that would be blocked? Trying to see what the reply looks like.
jacoss over 7 years ago
fm Malaysia:

    Pinging 8.8.8.8 with 32 bytes of data:
    Reply from 8.8.8.8: bytes=32 time=17ms TTL=54
    Reply from 8.8.8.8: bytes=32 time=12ms TTL=54
    Reply from 8.8.8.8: bytes=32 time=32ms TTL=54
    Reply from 8.8.8.8: bytes=32 time=11ms TTL=54

    Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 11ms, Maximum = 32ms, Average = 18ms

And

    Pinging 9.9.9.9 with 32 bytes of data:
    Reply from 9.9.9.9: bytes=32 time=20ms TTL=54
    Reply from 9.9.9.9: bytes=32 time=17ms TTL=54
    Reply from 9.9.9.9: bytes=32 time=18ms TTL=54
    Reply from 9.9.9.9: bytes=32 time=17ms TTL=54

    Ping statistics for 9.9.9.9:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 20ms, Average = 18ms
Integer over 7 years ago
I hope one of those planned locations will be somewhere in Eastern Europe. At the moment I measure a 44ms ping, which is just 1ms slower than 8.8.8.8, and 2ms faster than OpenDNS for this location.
mtgx over 7 years ago
It's like Herman Cain's tax plan, but one 9 better.

Joking aside, shouldn't they have an alternative DNS server, too, like Google does with 8.8.4.4? Maybe 9.9.7.7 or 9.9.3.3?
sp332 over 7 years ago
Wow, 30k blocks per day? That's 0.25% of the entire address space every year. In 400 years they'll have blocked every IPv4 address!
mnordhoff over 7 years ago
Hey, you support Ed25519! Only some of the time -- I'd bet your PowerDNS resolvers support it but your Unbound ones don't -- but you might be the first public recursive DNS provider to support Ed25519 at all.

(Recent versions of Unbound do support it, but you might be running an older version or missing the right dependency.)

(Example zone: ed25519.nl.)
INTPenis over 7 years ago
I know this has been mentioned already, to much lament... but if companies like Google and IBM were really serious about hosting a DNS service to promote privacy and security they should host a dnscrypt interface to it.

I'm sure people in the dnscrypt community would rather trust privately hosted servers but I really don't see the difference in risk.
foobarbecue over 7 years ago
Their attention to detail inspires confidence: "It's like and immunization for your computer"
redm over 7 years ago
It seems like a cool idea, but I'm worried about the practical implementation, and that it is just another service to monitor (like Safe Browsing) where you could get blocked incorrectly.
phonon over 7 years ago
Looks like a competitor to Comodo's free Secure DNS service.

https://www.comodo.com/secure-dns/

8.26.56.26

8.20.247.20
jacoss over 7 years ago
Fm Malaysia, Quad9 and Google performed almost identically over the last two days
dod9er over 7 years ago
Pi-hole was also the first thing that came to my mind. They should set up a feature version on 9.9.9.13 with the same blacklists as a Pi-hole :)
solotronics over 7 years ago
Is this hosted on Softlayer/Bluemix? If so, hit me up if you need help getting more servers in different locations or have any network or load balancer performance related questions (I am a net. eng. for Bluemix infrastructure)
devnull42 over 7 years ago
Sooo they are running RPZ and calling it a product....?
nerdponx over 7 years ago
Fitting that the site looks like it's down.
feelin_googley over 7 years ago
"When a Quad9 user clicks on a website link or types an address into a web browser, Quad9 checks the site against IBM X-Force's threat intelligence database of more than 40 billion analysed web pages and images. The service also taps feeds from 18 further threat intelligence partners, including Abuse.ch, the Anti-Phishing Working Group, Bambenek Consulting, F-Secure, mnemonic, 360Netlab, Hybrid Analysis GmbH, Proofpoint, RiskIQ and ThreatSTOP."

Why not share the database with the public? This is meant to be a free service, isn't it?

"Quad9 is designed to provide these protections without affecting the speed that users expect when accessing websites and services."

Very careful choice of words. It does not say it will not affect the speed. It says it will not affect the "speed which users expect". What speed is that?

I already check domains against a database of ones I want to block. I do this locally using djbdns, without needing to send DNS queries over the internet. The speed is better than any third party DNS service, including 8.8.8.8 or 9.9.9.9. IMO, there is no need to send personal, private DNS queries to "18 further threat intelligence providers".

"Telemetry data on blocked domains from Quad9 will be shared with threat intelligence partners to improve their threat intelligence responses for their customers and Quad9."

Telemetry. So they are collecting data about users' DNS queries. This would explain how the service is "free".

When a user tries to access a blacklisted domain, a host of "threat intelligence partners" are notified.

"PCH, which provides Quad9's network infrastructure; and IBM, which provides IBM X-Force threat intelligence and the easily memorable IP address (9.9.9.9)."

Quad9 suggests IP addresses can be memorized. I will remember that.

"The personal information protections and selectable DNS encryption, DNSSEC, and blocklist that are in place show that this project is in line with PCH's values," he said. "Quad9 will inspire trust in both individuals and businesses who understand the importance of securing their private browsing data."

If someone digitally signs a document, does anyone believe the document is hence "encrypted"?

When DNSSEC is used, does anyone believe that DNS is hence "encrypted"?

A less misleading description might be something like "DNS record signing".

Using DNSSEC does not mean the DNS packets are encrypted. Anyone sniffing the network can read them.

DNSSEC also makes DDoS easier for malfeasants.

Have those providing the DNSSEC signed records and those providing DNSSEC enabled third party DNS service solved this problem yet?

I am not implying that this "service" could not be useful for users who *must* use third party DNS service. The question is whether users who really care about security issues *must* use third party DNS services.

source: http://www.computerweekly.com/news/450430188/Free-Quad9-internet-threat-protection-launched

"HQ

1442 A Walnut Street

Suite 501

Berkeley CA 94709"

source: https://www.quad9.net

Is this an office of IBM?
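
Added example (not part of any comment in this thread, and not Quad9 or dnsdiag code): it illustrates the point above that DNSSEC signs records without encrypting traffic, and the EDNS Client Subnet privacy question raised earlier by js2. It builds a plain DNS query with the DNSSEC-OK bit and a client-subnet option, then reads the raw bytes back as a passive on-path observer would. The function names, the query name and the 203.0.113.0/24 subnet are constructed for illustration.

```python
import ipaddress
import struct

OPT, ECS = 41, 8  # EDNS0 OPT RR type (RFC 6891), Client Subnet option code (RFC 7871)

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, dnssec_ok=True, client_subnet=None):
    """Build a wire-format A query carrying an EDNS0 OPT record (hypothetical helper)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    options = b""
    if client_subnet:
        net = ipaddress.ip_network(client_subnet)
        prefix = net.network_address.packed[: (net.prefixlen + 7) // 8]
        body = struct.pack("!HBB", 1 if net.version == 4 else 2, net.prefixlen, 0) + prefix
        options = struct.pack("!HH", ECS, len(body)) + body
    ttl = 0x8000 if dnssec_ok else 0  # DO ("DNSSEC OK") is the top bit of the 16-bit EDNS flags
    return header + question + b"\x00" + struct.pack("!HHIH", OPT, 4096, ttl, len(options)) + options

def read_name(buf, off):
    labels = []
    while buf[off]:
        if buf[off] & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(buf[off + 1 : off + 1 + buf[off]].decode("ascii"))
        off += 1 + buf[off]
    return ".".join(labels) + ".", off + 1

def observe(packet):
    """Return what a passive on-path observer reads from the raw query bytes."""
    _, _, qdcount, _, _, arcount = struct.unpack_from("!HHHHHH", packet, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = read_name(packet, 12)
    qtype, _ = struct.unpack_from("!HH", packet, off)
    off += 4
    seen = {"qname": qname, "qtype": qtype, "dnssec_ok": False, "client_subnet": None}
    for _ in range(arcount):
        _, off = read_name(packet, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", packet, off)
        rdata, off = packet[off + 10 : off + 10 + rdlen], off + 10 + rdlen
        if rtype != OPT:
            continue
        seen["dnssec_ok"] = bool(ttl & 0x8000)
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack_from("!HH", rdata, pos)
            body, pos = rdata[pos + 4 : pos + 4 + olen], pos + 4 + olen
            if code == ECS:
                family, source_len, _ = struct.unpack_from("!HBB", body, 0)
                addr = body[4:].ljust(4 if family == 1 else 16, b"\x00")
                seen["client_subnet"] = f"{ipaddress.ip_address(addr)}/{source_len}"
    return seen

if __name__ == "__main__":
    # Constructed sample: documentation name and documentation subnet (RFC 5737).
    print(observe(build_query("www.example.com", True, "203.0.113.0/24")))
```

The queried name and the client subnet come back in full even with the DNSSEC-OK bit set; hiding them from the network path takes an encrypted transport such as the dnscrypt-proxy setup mentioned elsewhere in the thread.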
RoutinePlayer over 7 years ago
The lady from that video presentation sounds like she's using a fake British accent.
tgdn over 7 years ago
Doesn't work
napa15 over 7 years ago
This just sounds like an advertisement for a partial virus checker software, most virus checkers now have browser plugins that do something like this. Why this gets 120 upvotes here is not obvious to me.