Quad9 DNS Servers 9.9.9.9

https://www.quad9.net/#/

(If you think this has nothing to do with you .. Think again)

 

There's a new bunch of DNS servers being set up, and already it's amazingly knocked my top DNS servers off the top of the benchmarks:

 

Will Quad9 filter content?

No. Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains.

How will Quad9 prevent the accidental blocking of legitimate domains?

Quad9 implements whitelisting algorithms to make sure legitimate domains are not blocked by accident. However, in the rare case of blocking a legitimate domain, Quad9 works with the users to quickly whitelist that domain.

How does Quad9 ensure that it has the latest threat intelligence?

Quad9 gathers threat intelligence from all its providers and public sources and updates the Quad9 infrastructure with this information. This update happens regularly (several times a day) or may be in near-real-time depending on the ability of the vendor to supply the TI data.

Why do threat intelligence (TI) providers share their data with Quad9, and what do they get out of it?

Quad9 gives anonymized telemetry back to the TI providers only for the malicious domains they share with Quad9. This telemetry does not include source IP information of the users.

Does Quad9 collect and store personal data?

Quad9 infrastructure does not store any personal data about its users. Please read our complete Data Policy here as there are exceptions for harmful attacks against our infrastructure.

How does Quad9 ensure my privacy?

When an entity or an individual is using the Quad9 infrastructure, their IP address is not logged in our system. We, however, log the geo-location of the system (city, state, country) and use this information for malicious campaign and actor analysis, as well as a component of the data we provide our threat intelligence partners.

What does Quad9 log/store about the DNS queries?

We store details of the DNS records queried, timestamp, and the city, state, and country from where the query came. We do not store source IP information of end user queries.

Does Quad9 share the DNS data that is generated with marketers?

Quad9 does not and never will share any of its data with marketers, nor will it use this data for demographic analysis. Our purpose is fighting cyber crime on the Internet and to enable individuals and entities to be more secure. We do this by increasing visibility into the threat landscape by providing generic telemetry to our security industry partners who contribute data for threat blocking.

How resilient is the Quad9 DNS infrastructure?

No infrastructure is 100% safe from attacks and failures. However, Quad9 has built and maintains a very robust and resilient DNS infrastructure, built on decades of past experiences and partnerships in the industry. Much of the Quad9 platform is hosted on infrastructure that supports authoritative DNS for approximately one-fifth of the world's top-level domains, two root nameservers, and which sees billions of requests per day. There are constantly intentional and unintentional stresses put on this network, and multiple strategies are used successfully to prevent failures. Over-provisioning bandwidth and capacity, engineering multiple layers of caches and query distribution methods, and application-specific isolation or rejection of unwanted traffic all are methods used to provide high uptime.

 

I have tried all sorts of DNS servers, for various reasons, and run Steve Gibson's DNS Benchmark to test them out periodically. I currently have Google's DNS servers set as Primary and Secondary servers, to test versus this newbie Quad9, and see how it measured up ..

 

[Screenshot: DNS Benchmark results]

 

Can't beat it with anything in the UK at my location just now; it comes top of the list for speed in 6 runs of the benchmark so far. And it claims to increase your defences against malware, probably uses things like the MVPS Hosts file plus others added to their servers, in an optimised server setup = Not a bad thing imho ...

 

Quote

Whenever a Quad9 user clicks on a website link or types an address into a web browser, Quad9 checks the site against IBM X-Force’s threat intelligence database of over 40 billion analyzed web pages and images. The service also taps feeds from 18 additional threat intelligence partners including Abuse.ch, the Anti-Phishing Working Group, Bambenek Consulting, F-Secure, mnemonic, 360Netlab, Hybrid Analysis GmbH, Proofpoint, RiskIQ, and ThreatSTOP.


Quad9 provides these protections without compromising the speed that users expect when accessing websites and services. Leveraging PCH’s expertise and global assets around the world, Quad9 has points of presence in over 70 locations across 40 countries at launch. Over the next 18 months, Quad9 points of presence are expected to double, further improving the speed, performance, privacy and security for users globally. Telemetry data on blocked domains from Quad9 will be shared with threat intelligence partners for the improvement of their threat intelligence responses for their customers and Quad9.

 

Long term reliability is the thing to watch for now, but no doubt it will be well supported by the organisations behind it; it can't be any worse than British Telecom's default DNS servers, which are prone to the office cleaner sitting on the off switch anyway :P

 

How to set it up on Windows 10:

NB: For anyone on British Telecom UK wanting to set your own DNS servers - you have to go to MyBT and switch off both BT Web Protect and BT Parental Controls FIRST, because they both rely on using BT DNS servers. If you have either of those selected for your internet (and by default they are on unless you specifically go to MyBT and set them to off), when you change DNS server the internet will not work, so go switch them off at MyBT first .. See this support topic where one user had trouble switching them off .. Then you can set your own DNS servers. If you still get errors accessing the internet after switching off dependent services and changing DNS servers (you see this page) - then you may need to just flush the DNS cache and reboot your machine.

For other ISPs, your mileage may vary, but it would not surprise me if others also provide similar 'services' which lock you into using only your ISP's DNS servers. See if you need to close anything down before setting any new DNS servers. And see if your ISP has any help and support forums where you can find out, or any detailed FAQ / knowledge base.

If you get to a stage where your internet no longer works and you can't figure it out .. just set your DNS server back to what it was to start with (probably "Obtain DNS Server Automatically" at step 7 below, look at the screenshot), and reboot your machine.

 

1. Go to Start and click the Settings Gear Icon

2. Click "Network & Internet"

3. Scroll down and click "Network and Sharing Centre"

4. Click "Change Adaptor Settings"

5. See screenshot below - Right click the network adaptor which is in use (Ethernet or WIFI), choose "Properties"

6. Left click (just once) "Internet Protocol Version 4 (TCP/IPv4)", so that it is highlighted, then click the "Properties" button

7. Choose "Use the following DNS addresses", then click in the boxes to set your Primary and Secondary DNS Server

For example, I have set 9.9.9.9 as Primary, and one of Google's (8.8.8.8 or 8.8.4.4) as Secondary.

8. You can also click on the Advanced Button, and in the next dialogue, click the DNS Tab .. Here you can enter more fallback DNS servers if you wish, and also using the up / down arrows you can position any of them you have highlighted to the top (Primary) position.

Then click Okay on all dialogues.

( Windows XP / Vista / 7 / 8 / 8.1: look in your SysTray for the Network icon, right click it and choose Open Network and Sharing, and then go to around step 4 above .. It's all pretty similar from there on IIRC, or go to Control Panel > Network and Internet > Network Connections ).

 

[Screenshot: IPv4 Properties dialogue with the DNS server addresses set]

 

If you go back to step 5, you can also choose the not-in-use adaptor and go through the steps setting the same, in case you switch to / from ethernet / wifi at some point.

Also at step 6 above, if you can use "Internet Protocol Version 6 (TCP/IPv6)" on your internet connection (or even just wish to set it pre-emptively for when it does start getting used), you can set it to have a Primary setting of 2620:fe::fe for the Quad9 DNS server, and for a Secondary, if you know of no others, Google also has IPv6 addresses of 2001:4860:4860::8888 or 2001:4860:4860::8844.

 

Q. What if I have an ISP-provided router, and the ISP sets its own DNS server in that box but does not allow the customer to change it?

A. The furthest box away from the DNS server in the chain of hops has its preferred DNS server honoured, so setting this on your computer / laptop will override any setting the ISP has set in your router, because that box is further along the chain.

 

Your Machine (Set to automatic) ------- ISP Router 62.6.40.178 -------- Internet

= 62.6.40.178 is used

 

Your Machine 9.9.9.9 -------- ISP Router 62.6.40.178 --------- Internet

= 9.9.9.9 is used

 

Setting your own (instead of the default automatic) bypasses any ISP DNS servers; your machine's requested DNS server has to be used.

 

ISPs count on users just accepting defaults, and take advantage of that so that all your searches etc. go through their DNS servers .. And they log it for sale to marketing and advertising behaviour analysis (which probably in turn goes to data brokers like Equifax, who lose your data to hackers, who sell it to criminal orgs etc. etc.), making more money out of you, the ISP's cattle being farmed. If you have a lot of time on your hands, read your ISP's T&Cs and eventually you will find it mentioned (probably with obfuscated wording so it is not easily noticeable). These details in your T&Cs are the kind of thing that get updated periodically and most people can't be bothered reading them. ISPs are sneaky bar stewards.

Top tip: Never use any ISP-provided setup CDs. They want to set their own servers directly on your computer, behind your firewall, which they can't get to normally.

 

If you have your own router to replace any ISP-provided rubbish, you may be able to set the Primary and Secondary DNS server in there as well, which means all machines in your house using that router (some of which may not be able to set such things as DNS settings, like mobiles or pads or game machines) will also benefit from Quad9's malware / security protection when they request URLs on the internet.

 

[Screenshot: Router DNS server settings page]

 

15 devices in my house (PS4, Wii U, iPhones, iPads, laptops and a few more, plus family visitor devices) going through that router ^^ all now benefit from Quad9 protection.

 

 

Press release and a few reviews:

http://www-03.ibm.com/press/us/en/pressrelease/53388.wss

https://www.ghacks.net/2017/11/19/quad9-dns-promises-better-privacy-and-security/

https://arstechnica.co.uk/information-technology/2017/11/new-quad9-dns-service-blocks-malicious-domains-for-everyone/

Also on Security Now! 638 ( Go to time bar at 1:28:35 )
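The Windows 10 steps above (5 to 8 plus the IPv6 paragraph), done from PowerShell instead of the adapter Properties dialogues. This is an added example, not code from the original post or from Quad9: it assumes the in-use adapter is named "Ethernet" (check yours with Get-NetAdapter) and an elevated prompt. It also covers the flush-the-cache tip and the back-to-automatic rollback the post describes, plus a check that the name actually resolves through the configured resolver and, separately, when Quad9 is asked directly.

```powershell
# Added example, not from the original post: the Windows 10 DNS steps above from an
# elevated PowerShell session (Windows 8.1 / 10 and later have the DnsClient cmdlets).
# Assumption (not in the post): the in-use adapter is called "Ethernet".

$Adapter = "Ethernet"

# Resolvers named in the post: Quad9 first, Google as the fallback "secondary".
# Windows only moves on to the next address when the one before it gives no answer,
# so the order of this list is the Primary / Secondary order from step 7.
$Resolvers = @(
    "9.9.9.9",                  # Quad9 IPv4 (Primary)
    "8.8.8.8",                  # Google IPv4 (Secondary)
    "2620:fe::fe",              # Quad9 IPv6
    "2001:4860:4860::8888"      # Google IPv6
)

function Set-Quad9Dns {
    # Steps 5 to 7 (and the IPv6 paragraph) in one go: replace the adapter's DNS list.
    # The cmdlet files each address under its own address family (IPv4 / IPv6).
    param(
        [string]   $InterfaceAlias  = $Adapter,
        [string[]] $ServerAddresses = $Resolvers
    )
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $ServerAddresses

    # Same effect as "ipconfig /flushdns": drop answers cached from the old resolver.
    Clear-DnsClientCache
}

function Show-DnsConfig {
    # Equivalent of re-opening the Properties dialogue to confirm what was set,
    # one row per address family.
    param([string] $InterfaceAlias = $Adapter)
    Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias |
        Select-Object InterfaceAlias, AddressFamily, ServerAddresses
}

function Test-Quad9Resolution {
    # Two checks: (1) the name resolves through whatever the OS is now configured with;
    # (2) Quad9 answers when asked directly. If (2) works but (1) does not, the problem
    # is the local configuration or an ISP feature (the BT Web Protect caveat above),
    # not Quad9 itself.
    param([string] $Name = "quad9.net")
    $viaConfigured = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
    $viaQuad9      = Resolve-DnsName -Name $Name -Type A -Server 9.9.9.9 -ErrorAction Stop
    [pscustomobject]@{
        Name           = $Name
        ViaConfigured  = (($viaConfigured | Where-Object Type -eq 'A').IPAddress) -join ","
        ViaQuad9Direct = (($viaQuad9      | Where-Object Type -eq 'A').IPAddress) -join ","
    }
}

function Reset-DnsToAutomatic {
    # The rollback from the post: back to "Obtain DNS server address automatically",
    # i.e. whatever DHCP (usually the ISP router) hands out.
    param([string] $InterfaceAlias = $Adapter)
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses
    Clear-DnsClientCache
}

Set-Quad9Dns
Show-DnsConfig
Test-Quad9Resolution
# Reset-DnsToAutomatic    # run this if the internet stops working after the change
```

Run Show-DnsConfig before Set-Quad9Dns as well if you want a record of the old (ISP) addresses to fall back on; the reset function restores the DHCP-supplied ones in any case.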

 


I've been using it as my primary since the article about it on Ars Technica showed up. I doubt anyone is going to notice a few milliseconds on response time, but it's been working fine and I'm using Google's 8.8.8.8 as a secondary. The only reason I do this is because Frontier is one of those jerkwad ISPs who intercept invalid domain lookups and route them to an ad-infested search page instead.

44 minutes ago, Arthmoor said:

~ jerkwad ISPs who intercepts invalid domain lookups and routes them to an ad infested search page instead.

:D Yep, different ISP here but similar reasons, skipping the default ISP DNS server and error redirects which monetize its customers' search data to be sold to third parties without a by-your-leave (well, it's probably noted somewhere in the modified T&Cs if I could be bothered to search through the mountain of legal waffle) .. as if they don't get enough out of me paying for the pipe every month. Brass-necked buccaneers.

On 11/22/2017 at 7:28 AM, alt3rn1ty said:

A. The furthest box away from the DNS server in the chain of hops has its preferred DNS server honoured, so setting this on your computer / laptop will override any setting the ISP has set in your router, because that box is further along the chain.

Hey, I learn something new every day! Makes sense now that I think about it though. And here I thought I was fairly proficient at home networking.

Thanks alt3rn1ty, this is FANTASTIC information!!


By the way,  Arthmoor mentioned using Google's DNS as secondary, and I noticed you do as well. I've been learning more & more about just how prolific Google's data collection is becoming. Does this not concern either of you, using Google's DNS?

Edit: Whoops, tagged Arthmoor out of habit. Sorry, this is not pressing - at all.


@RavenMind I normally use OpenDNS; Google was just a good choice, as I thought most people around the world reading this would have it as a comparatively fast DNS server to weigh up against Quad9. And OpenDNS needs a bit more technical study to get the best out of it; it depends on your location. The best OpenDNS for me on some days is not based in the UK, but across the North Sea in Germany .. And then another takes the lead for a week .. aaagh! 208.67.222.220 is quite good currently in my DNS Benchmark screenshot in the OP, but occasionally I have seen some of the OpenDNS servers wink out and drop your internet connection, so as well as being up / down in performance they can be unreliable too.

Compared with my ISP though, Google are saints, but I know what you mean. A lot of the other DNS servers are as bad if not worse than my ISP's DNS servers, so for some it would be a case of better the devil you know than the devil you don't, and hopefully the one you know performs better. Some DNS servers' policies state they record everything everybody does, some only partial. Some are secure, others not. Some, when they see an error or typo in your searched-for URL, will automatically redirect to dodgy lookup sites (as in the case of Arthmoor's ISP) instead of just giving the expected error (ISPs say this idea is helpful to our customers but it's really just another way of getting more money out of customers' behaviour), and some servers don't have any kind of declaration about what they do or don't do; maybe, for all we know about them, they could be part of a criminal organisation set up just waiting for your credit card numbers or whatever they target to pass through their own DNS servers which have been taken over with malware ..

.. But if what IBM has to say holds true about Quad9 forever more, we now have a solution to all those concerns :)

 

The Secondary DNS server you set is just in case your Primary goes down or is unresponsive to queries; if your Primary is 100% reliable, the Secondary will never get used.

A reliable Secondary (better the devil you know) will probably never get used, but it ought to be reliable too, so that the chance of your internet winking out completely due to them both being down becomes extremely unlikely. In my case I go one step further and utilise the Advanced DNS server dialogue to set a third one as backup to both of them (usually another OpenDNS, like the German one in my case).

For this purpose, Google will do fine for most people; the moment the Primary comes back online it will be getting used again.

A few years ago we had British Telecom's own router in our house (I just had not gotten around to replacing it with a compatible router of our own), and literally a week after having it installed the internet went down. After a bit of investigation we found out BT had an outage of one of their server racks down south, which took out most of the UK's internet. Anyway, long story short, office tea boy / cleaner sat on a switch or something .. Change DNS server on each machine = Problem was solved for us.

The rest of the country with BT's HomeHub router, who did not know how to fix it by setting their own preferred DNS, had to wait for BT to switch the rack on again.


I'm not particularly worried about what Google may or may not be collecting from DNS queries to the secondary address. Whatever it is they may be doing is bound to be less of a problem than what my own ISP does with the same queries.


Wow, fantastic information alt3rn1ty! Thank you both for the replies! I'll have to do a bit of investigating & see what's around here & what their times are. Comcast is my ISP, and I'm pretty sure it's safe to assume they're collecting every bit of data they can. One of these days I'll get around to switching to XMission. They've got a really good reputation.


Ah, thanks for linking that page. I was just about to go find some supporting docs for Benchmark.

That's interesting.. When I downloaded it yesterday I was surprised to see Steve was on a Class A domain, not that it means much anymore with CIDR, but I felt compelled to look it up anyway and it's Level 3! LOL!!


He is on Cox, which is the only ISP choice in his area; he grudgingly mentions this on Security Now! occasionally and wishes there was competition to choose from.

GRC.com website however is on a Level 3 network, which is a different kettle of fish to a DNS Server on Level 3 being run by another company.

Extra supporting Doc links are at the bottom of every page on Steve's site. 12 pages for DNS Benchmark.


While anyone reading this is looking into router setups, you may as well try something else too ..

Shields Up! https://www.grc.com/x/ne.dll?bh0bkyd2

Click Proceed, then first click the "UPnP Exposure test"; it's a setting a lot of routers left open by default, which is exploitable. Make sure it's switched off ..

After that, go back to the same link, click Proceed again, and then click the Shields up "All Service Ports" button and check if your firewall is all shored up against being probed.

[Screenshot: Shields Up! results]

1 hour ago, lmstearn said:

It depends whether the security layers are using SOAP (Simple Object Access Protocol) or REST (Representational State Transfer).

According to this article, SOAP is better than REST.

Yeah, that's LAN side I think, which is not so much of an issue (but even there malware on one machine can use it to hop between networked devices; Steve Gibson made a utility to disable the UPnP service on individual laptops and computers when a Windows XP exploit was discovered, but the utility has been updated to work on all versions of Windows and still works fine on Win 10 if you don't need this mostly redundant service running).

Trouble with some routers is they open up a UPnP port WAN side; up until recently they mostly had it on by default.

A lot of people's routers will not get updated, because to most it's just a box doing the internet connection thing and they probably don't even know you can access a bunch of settings in there, or get it to update its firmware when vulnerabilities are found (recently the KRACK exploit is a good example needing a firmware update in a lot of devices). So getting them to do the UPnP scan on Shields Up! might just be beneficial.

 

Edit: PS For anyone wondering - UPnP has nothing to do with the Plug & Play hardware standard for PCs.


Just updated the OP to include a few tips on undoing this if it all goes wrong because of unforeseen circumstances, and in case other ISPs provide similar services to British Telecom which require the ISP's own DNS servers to be in use, otherwise the ISP then sends you to an error page all the time.

I also sent a message to Quad9 informing them that the simple instructions they give in the video may not be quite so simple where ISPs are meddling with this stuff.

I got a reply ..

Quote

Thanks for bringing this to our attention. We will provide an update in our FAQs to address these types of issues. 

 

Also, to future-proof this a bit, I included a paragraph on setting IPv6 settings.


Looks like everyone wants a slice of this pie

New service 1.1.1.1 https://1.1.1.1/

Also, Steve Gibson's DNS Benchmark has been updated and has taken 9.9.9.9 and 1.1.1.1 on board as part of its default set for comparison with whatever you are using.

https://www.grc.com/dns/benchmark.htm

I think from now I will be testing 1.1.1.1 as Primary DNS server, and 9.9.9.9 as Secondary backup DNS server.

9.9.9.9 has served me well and has proved very reliable since I started this topic.

Anyway, before anyone asks if I work for the company or some crap .. Go read Cloudflare's mission statements on 1.1.1.1 yourself and make up your own mind instead of listening to me blab :P
