
IBM Quad9 – A free security solution using DNS to protect against cyber threats - bignet
https://www.quad9.net
======
blfr
Namebench says...

    
    
        Mean response (in milliseconds):
        --------------------------------
        8.8.8.8          ########### 71.90
        192.168.1.1      ############# 85.92
        9.9.9.9          ##################################################### 369.26
    
        Mean response (in milliseconds):
        --------------------------------
        8.8.4.4          ################# 85.49
        9.9.9.10         ################################################## 252.25
        9.9.9.9          ##################################################### 268.93
    

... give it some time.

~~~
BillinghamJ
Wait, is 9.9.9.10 the secondary? That's in the same allocation as 9.9.9.9.
What's the point in having a secondary if there's no real separation or
redundancy?

8.8.8.8 and 8.8.4.4 are separate allocations - both /24.

~~~
_wmd
The most useful reason to have two addresses is for client resolvers that
often demand them. Assuming the whole configuration is running anycast with
multiple PoPs, the extra "redundancy" provided by Google DNS is essentially
meaningless thanks to BGP route aggregation: a /24 is too small to be treated
uniquely for internetwork routing in the general case, and in any case, both
of Google's subnets are announced by the same AS 15169. The most likely use
for Google's subnet is to make the backup address more memorable.

In both networks, those IP addresses are almost certainly treated identically,
virtualized to all hell with multiple physical termination points leading to
the same pools of machines. One extra /24 isn't going to help reliability much
if at all, especially considering it is part of the same AS.

Perhaps I'm wrong and Google use the /24 somehow for the purposes of internal
routing. If that's true, in the same scenario IBM may be content to have just
these two /32s in their internal tables where route aggregation could be
made to not apply.

~~~
toast0
Having the backup in a separate /24 allows the option of steering BGP
announcements differently at different peering points (even if they aren't
announced differently in the everything is working case).

------
gmac
Looks like an interesting alternative to Google DNS (8.8.8.8), and possibly a
little more anonymous. Google logs your IP address for 24 - 48 hours[1], while
Quad9 appears not to[2].

[1] [https://developers.google.com/speed/public-dns/privacy](https://developers.google.com/speed/public-dns/privacy)

[2] [https://www.quad9.net/#/faq#does-quad9-collect-and-store-per...](https://www.quad9.net/#/faq#does-quad9-collect-and-store-personal-data)

~~~
krylon
It is surprisingly easy to set up a recursive resolver for oneself.

That way, nobody can log and aggregate the queries you run, and nobody can
mess with it either, unless they manage to break DNS itself in a big way.

~~~
bjpbakker
> nobody can log and aggregate the queries you run

So who do you forward your queries to? :)

~~~
krylon
A recursive resolver does not need to forward queries. ;-)

Conceptually, it starts with the root nameservers and works its way up - dot
by dot, recursively, hence the name - until it finds the domain the host in
question in it, then asks the nameservers for that zone and caches the result.

It is possible - with BIND9 at least, but I guess other DNS servers offer
similar capabilities - to use forward servers for convenience/caching or to
redirect queries to specific servers depending on the name in the query. But
it is not mandatory.
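The walk krylon describes (root, then TLD, then the zone's own servers, with the result cached) as a runnable toy. This is an added example, not krylon's code and not BIND's: the three "servers" are constructed Python dicts standing in for authoritative name servers, and the record data is made up (192.0.2.0/24 is documentation space). A real resolver sends the same sequence of queries over UDP/TCP; only the transport is missing here.

```python
"""Toy iterative resolver walking delegations from the root.

Added example, not krylon's code or BIND's: the three 'servers' below are
constructed Python dicts standing in for real authoritative name servers, and
the record data is made up (192.0.2.0/24 is documentation space).  A real
resolver sends the same sequence of queries over UDP/TCP; the control flow
shown here (root -> TLD -> zone, caching the result) is the same.
"""
from typing import Dict, List, Optional, Tuple


class Response:
    """What one authoritative server hands back: an answer or a referral."""

    def __init__(self, answer: Optional[str] = None,
                 referral_zone: Optional[str] = None,
                 referral_servers: Optional[List[str]] = None) -> None:
        self.answer = answer
        self.referral_zone = referral_zone
        self.referral_servers = referral_servers or []


# Constructed authoritative data.  Each server knows the records of its own zone
# and the name servers of the zones delegated beneath it.
SERVERS: Dict[str, dict] = {
    "root": {
        "records": {},
        "delegations": {"com.": ["ns.tld-com"]},
    },
    "ns.tld-com": {
        "records": {},
        "delegations": {"example.com.": ["ns1.example.com"]},
    },
    "ns1.example.com": {
        "records": {"www.example.com.": "192.0.2.10"},
        "delegations": {},
    },
}


def ask(server: str, qname: str) -> Response:
    """Simulate one query to *server* for the A record of *qname*."""
    data = SERVERS[server]
    if qname in data["records"]:
        return Response(answer=data["records"][qname])
    # Otherwise refer the client to the most specific delegated zone
    # that encloses the query name (one more 'dot' down the tree).
    best: Optional[str] = None
    for zone in data["delegations"]:
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    if best is None:
        return Response()  # nothing here: NXDOMAIN in a real reply
    return Response(referral_zone=best,
                    referral_servers=data["delegations"][best])


def resolve(qname: str, cache: Dict[str, str],
            root_servers: Tuple[str, ...] = ("root",),
            max_steps: int = 16) -> Tuple[Optional[str], List[str]]:
    """Follow referrals from the root until an answer appears.

    Returns (address or None, list of servers queried).  A cache hit
    short-circuits the whole walk, which is why a local recursive
    resolver gets fast after the first lookup of a name.
    """
    if qname in cache:
        return cache[qname], ["cache"]
    trace: List[str] = []
    servers: List[str] = list(root_servers)
    for _ in range(max_steps):
        server = servers[0]
        trace.append(server)
        reply = ask(server, qname)
        if reply.answer is not None:
            cache[qname] = reply.answer
            return reply.answer, trace
        if reply.referral_zone is None:
            return None, trace
        servers = reply.referral_servers
    raise RuntimeError("too many referrals for %s" % qname)


if __name__ == "__main__":
    c: Dict[str, str] = {}
    print(resolve("www.example.com.", c))  # walks root -> .com -> example.com
    print(resolve("www.example.com.", c))  # served from cache
```

The trace returned by `resolve()` is the list of servers the query touched; the second call for the same name never leaves the cache, which is the property that makes a single-user recursive resolver both private (no forwarder sees the query) and, after warm-up, fast.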

~~~
bjpbakker
True, seems I read over the recursive part. In which case it is definitely not
easy to set up.

But even for a recursive DNS server that is only used by a single client,
aggregation for popular domains is not impossible.

There are better and definitely easier ways to have anonymous DNS lookups

------
rootinier
You shouldn't use it in Germany or Europe. It resolves www.google.de with an
IP based in SFO, instead of a local Google server. Even 9.9.9.10 (which is
said to support EDNS Client Subnet) doesn't work.

~~~
gca_dre
This is a byproduct of edns not being transmitted on 9.9.9.9 resolutions for
privacy reasons. 9.9.9.10 will transmit edns, but has no blocking. Soon we
will release another ip that will have blocking+edns transmission on it, as
well as documentation outlining all this and the differences. We just ran out
of time for all that and focused on 9.9.9.9. Sorry for any inconvenience on
your end. (Also sorry if my response latency is high, I'm a big fan of this
community so I'm focusing my attention here as best I can)

~~~
rootinier
Thank you for responding. I think four different DNS IPs on your side could be
a little overkill for the standard user in terms of choosing the 'right' one.
Apart from that, good luck with the product!

~~~
quad9_dre
Totally understand, we are trying to find the right balance for those that
need options. We can always shift how we present things, configurations,
technologies implemented etc based on end users feedback. We really do want
folks to help us make this system better.

------
jacquesm
There is something very funny about that service being immediately unavailable
right after launch.

I think I'll pass for now.

~~~
blfr
The DNS server works though. Only the website appears to be unavailable. EDIT:
Even the website loaded eventually.

    
    
        » dig @9.9.9.9 news.ycombinator.com +short
        news.ycombinator.com.cdn.cloudflare.net.
        104.20.44.44
        104.20.43.44
    

Not great but not a complete failure either.

------
tombrossman
After recently setting up Pi-hole on my Turris Omnia I had to choose between
using Google's DNS (which supports DNSSEC) or sticking with OpenDNS (which
does not...yet?), so I gave up using DNSSEC. The submitted IBM site is really
slow to load but I did manage to grab a screenshot of the FAQ page[0] which
confirms they do support it. And the privacy policy looks pretty good also[1].

I tried to archive the pages with archive.is but it did not appear to be
loading for them either.

Hopefully the site comes back up soon but I have to say I expected to see yet
another surveillance capitalism service and I was pleasantly surprised. I'll
try it out for a week and see how it goes.

[0][https://screenshots.firefox.com/LiNdj97Ck3qaLXze/www.quad9.n...](https://screenshots.firefox.com/LiNdj97Ck3qaLXze/www.quad9.net)
[1][https://screenshots.firefox.com/YEsWa5TwhGYQDZFZ/www.quad9.n...](https://screenshots.firefox.com/YEsWa5TwhGYQDZFZ/www.quad9.net)

~~~
armitron
Why would you use Google/OpenDNS/whatever when you can use dnscrypt [1]?

[1] [https://dnscrypt.org/](https://dnscrypt.org/)

~~~
detaro
Which still requires you to pick a resolver you trust to send your (then
encrypted) traffic to, and if the parent wants DNSSEC it still requires them
to find one that supports that (DNSCrypt is not a replacement for DNSSEC)

Looking at the list of resolvers they have there, it's not exactly obvious
why I should trust any of those more (and OpenDNS is _on_ that list):
[https://dnscrypt.org/dnscrypt-resolvers.html](https://dnscrypt.org/dnscrypt-resolvers.html)

------
joenathanone
That's funny, the quad9.net website is down at the moment. I guess that answers
whether their DNS will be reliable.

~~~
kaioshi
The site is down, but the DNS server seems to be fine.

~~~
jacquesm
The DNS server is also super slow.

~~~
ifrit
Hi this is Alex from GCA! Could you please run `dig +short @9.9.9.9 id.server
TXT chaos` and post the results here? That will help us troubleshoot. Thanks!

~~~
dserodio
Quad9 DNS is 10x (or worse!) slower than Google's for me (I'm in São Paulo,
Brazil). Will this output help you troubleshoot DNS performance?

    
    
      $ dig +short @9.9.9.9 id.server TXT chaos
      res300.ams.rrdns.pch.net

~~~
quad9_dre
Thanks for this, we will see what we can do to run this down.

~~~
shock
I wrote you an email to the address in your profile but got a failure notice:

    
    
      Sorry, we were unable to deliver your message to the following address.
    
      <CTO@globalcyberalliance.org>:
      550: 5.1.1 The email account that you tried to reach does not exist.

------
Cthoma
It's designed quite badly to be honest.

9.9.9.9 is allegedly with security features. 9.9.9.10 does not have any
security features.

People will put 9.9.9.9 in the Primary DNS and 10 in the secondary in many
OSes.

Also, "What is Quad9" resolves to a video rather than a quick explanation. There
is almost no information on the landing page that this is a DNS server service.

>It's easy to setup Quad9 on your Mac or PC. Watch the video for your
operating system.

Where is Linux? I doubt people who are using those OSes will bother changing
their dns.

~~~
_jal
I have a new rule: if I have to watch a video to understand the 'value
proposition' or even what something does, I will close the browser tab and
keep looking.

Video is not documentation.

~~~
blfr
Product presentations aren't even the worst offenders. The absolute worst are
providers doing "webcasts" in lieu of writing actual user documentation.

------
rmdoss
Quick performance test comparing these 4 players:

* Google: 8.8.8.8
* Quad9.com: 9.9.9.9
* [http://OpenDNS.com](http://OpenDNS.com): 208.67.222.222
* [https://CleanBrowsing.org](https://CleanBrowsing.org): 185.228.168.168

Results:

    
    
      New York:
      64 bytes from 8.8.8.8: icmp_seq=2 ttl=60 time=1.62 ms
      64 bytes from 9.9.9.9: icmp_seq=2 ttl=60 time=0.924 ms
      64 bytes from 208.67.222.222: icmp_seq=2 ttl=60 time=1.18 ms
      64 bytes from 185.228.168.168: icmp_seq=2 ttl=57 time=1.93 ms
    
      Montreal:
      64 bytes from 8.8.8.8: icmp_seq=2 ttl=55 time=13.0 ms
      64 bytes from 9.9.9.9: icmp_seq=2 ttl=56 time=16.7 ms
      64 bytes from 208.67.222.222: icmp_seq=2 ttl=56 time=16.5 ms
      64 bytes from 185.228.168.168: icmp_seq=2 ttl=50 time=9.18 ms
    
      Dallas:
      64 bytes from 8.8.8.8: icmp_seq=1 ttl=61 time=1.09 ms
      64 bytes from 9.9.9.9: icmp_seq=1 ttl=59 time=29.8 ms
      64 bytes from 208.67.222.222: icmp_seq=1 ttl=58 time=1.03 ms
      64 bytes from 185.228.168.168: icmp_seq=1 ttl=57 time=1.29 ms
    
      Paris:
      64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=4.61 ms
      64 bytes from 9.9.9.9: icmp_seq=2 ttl=56 time=6.71 ms
      64 bytes from 208.67.222.222: icmp_seq=2 ttl=56 time=4.60 ms
      64 bytes from 185.228.168.168: icmp_seq=2 ttl=54 time=3.85 ms
    
      Tokyo:
      64 bytes from 8.8.8.8: icmp_seq=1 ttl=59 time=1.10 ms
      64 bytes from 9.9.9.9: icmp_seq=1 ttl=55 time=65.7 ms
      64 bytes from 208.67.222.222: icmp_seq=1 ttl=57 time=1.57 ms
      64 bytes from 185.228.168.168: icmp_seq=1 ttl=59 time=0.551 ms
    

Only New York and Paris were close. Their performance in Tokyo & Dallas was
suboptimal. OpenDNS has much better performance and is closer to Google than
quad9.

But I will still try it out and hope they keep supporting it.

------
chewz
Sending DNS queries in open does not protect from DNS hijacking which is
ubiquitous in SE Asia for example. So you end up getting ‘free security
solution’ that at the last mile is deliberately slowed down, registered and
falsified.

Much better and more secure solution could be assembled in 15 minutes using
dnscrypt-proxy with ip and domain filtering and caching. [1]

Additionally I am always suspicious why IBM suddenly wants to collect my DNS
queries? Sorry big corpo but I don’t trust your good intentions any more. We
are long past the innocence of first years of the Internet.

If IBM or any other big name really wants to help with DNS security, why don't
they give financial and material help to heroes like jedisct1, Martin 'd0wn'
Albus, soltysiak and others who put their time, effort and money into running
DNSCrypt servers? With the money plunged just into the design of the Quad9
webpage they could have kept some servers running for years [2].

[1] [https://github.com/jedisct1/dnscrypt-
proxy/wiki](https://github.com/jedisct1/dnscrypt-proxy/wiki)

[2] According to soltysiak his monthly costs are ca. 40€/month, but as it is
his private expense he had to limit memory in his server.

[https://dnscrypt.pl/2017/04/02/finacials-in-q1-2017/](https://dnscrypt.pl/2017/04/02/finacials-in-q1-2017/)

------
tribaal
The website seems to be down for me.

Doesn't DDoS defense fall in the "internet threat protection" bucket? :p

------
js2
Re: "In some circumstances this may result in suboptimal routing between CDN
origins and end users."

Maybe it's better now, but a couple years back I found streaming iTunes movies
(I think Apple used Akamai at the time and may still) would not work at all if
not using my ISP's DNS servers. So I had to configure dnsmasq to forward CDN
domain lookups to my ISP's DNS servers.

I wonder if a good compromise for EDNS w.r.t. privacy would be, instead of
forwarding the client subnet, to have a lookup table mapping the client
IP to their ISP's DNS servers, and then insert the subnet of the ISP's DNS
servers. I suppose it could be any "representative" subnet of the client ISP
though.

Also, minor typo in the FAQ answer for "Does Quad9 implement DNSSEC?": "...
Note that some variations of our resolver (differente IP addresses) may not
provide DNSSEC."

Different has an extraneous trailing "e".
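Two comments above touch the same mechanism: gca_dre's note that 9.9.9.9 withholds EDNS Client Subnet while 9.9.9.10 sends it, and js2's idea of sending a "representative" subnet instead of the client's own. The block below, an added example and not Quad9's code, encodes and decodes the ECS option as RFC 7871 lays it out, so you can see exactly which bytes of the client address leave the resolver under each policy. The client and ISP addresses are constructed (documentation ranges), and the /24 truncation length is an assumption for illustration, not a statement of what any particular resolver sends.

```python
"""Encode and decode the EDNS Client Subnet option (RFC 7871).

Added example, not Quad9's code.  Shows what an ECS-sending resolver forwards
to authoritative servers, what a resolver that withholds ECS sends instead, and
what js2's 'representative subnet' would look like on the wire.  Addresses are
constructed (documentation ranges); the /24 truncation length is an assumption.
"""
import ipaddress
import struct
from typing import Dict, Optional

ECS_OPTION_CODE = 8   # RFC 7871 option code
OPT_RR_TYPE = 41      # EDNS(0) OPT pseudo-RR


def ecs_payload(client_ip: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """FAMILY | SOURCE PREFIX-LENGTH | SCOPE PREFIX-LENGTH | truncated ADDRESS."""
    ip = ipaddress.ip_address(client_ip)
    family = 1 if ip.version == 4 else 2
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("prefix length out of range")
    # Zero the host bits, then send only ceil(prefix/8) address bytes:
    # bits beyond the prefix never leave the resolver.
    net = ipaddress.ip_network("%s/%d" % (ip, source_prefix), strict=False)
    nbytes = (source_prefix + 7) // 8
    return struct.pack("!HBB", family, source_prefix, scope_prefix) + \
        net.network_address.packed[:nbytes]


def ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """Option TLV: OPTION-CODE 8, OPTION-LENGTH, OPTION-DATA."""
    payload = ecs_payload(client_ip, source_prefix)
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def opt_rr(options: bytes, udp_payload_size: int = 1232) -> bytes:
    """Wrap EDNS options in an OPT RR: name '.', type 41, CLASS = UDP size, TTL 0."""
    return b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, udp_payload_size,
                                 0, len(options)) + options


def parse_ecs(rr: bytes) -> Optional[Dict[str, object]]:
    """Return the client subnet carried in an OPT RR, or None when absent."""
    if rr[0:1] != b"\x00":
        raise ValueError("OPT RR must carry the root name")
    rtype, _udp_size, _ttl, rdlen = struct.unpack_from("!HHIH", rr, 1)
    if rtype != OPT_RR_TYPE:
        raise ValueError("not an OPT RR")
    rdata = rr[11:11 + rdlen]
    pos = 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, pos)
        body = rdata[pos + 4:pos + 4 + length]
        pos += 4 + length
        if code != ECS_OPTION_CODE:
            continue
        family, src, scope = struct.unpack_from("!HBB", body, 0)
        addr_len = 4 if family == 1 else 16
        # The sender dropped the zeroed host bytes; pad them back to parse.
        addr = ipaddress.ip_address(body[4:].ljust(addr_len, b"\x00"))
        net = ipaddress.ip_network("%s/%d" % (addr, src), strict=False)
        return {"family": family, "source_prefix": src,
                "scope_prefix": scope, "subnet": str(net)}
    return None


def build_upstream_opt(policy: str, client_ip: str, isp_subnet_ip: str) -> bytes:
    """The OPT RR a recursive resolver attaches to its upstream query.

    'none'           - no ECS option at all (the 9.9.9.9 behaviour in the thread)
    'truncate'       - the client's own /24 (assumed length), as ECS senders do
    'representative' - js2's proposal: an address standing for the client's ISP
    """
    if policy == "none":
        return opt_rr(b"")
    if policy == "truncate":
        return opt_rr(ecs_option(client_ip, 24))
    if policy == "representative":
        return opt_rr(ecs_option(isp_subnet_ip, 24))
    raise ValueError("unknown policy %r" % policy)


if __name__ == "__main__":
    for pol in ("none", "truncate", "representative"):
        rr = build_upstream_opt(pol, "203.0.113.77", "198.51.100.9")
        print(pol, rr.hex(), parse_ecs(rr))
```

Running the three policies side by side is the point: under `none` the OPT RR carries no client information at all, under `truncate` the authoritative server learns `203.0.113.0/24` but not the last octet, and under `representative` it learns a subnet that identifies the ISP (and so a rough location for CDN steering) without identifying the client's own network.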

~~~
dserodio
Maybe the author's mother tongue is Portuguese (we spell "diferente"). This
typo is probably the one I commit the most :)

------
quotha
I totally just got the name, Quad9 == 9.9.9.9, duh

~~~
millerm
Ugh... same here.

------
farrokhi
The response time depends on network peering from their anycast locations. I
am seeing different response times based on test locations.

From US:

    
    
      # ./dnseval.py -f google-vs-quad9.txt -c 50 -C yahoo.com
      server      avg(ms)     min(ms)     max(ms)     stddev(ms)  lost(%)  ttl        flags
      ----------------------------------------------------------------------------------------------------
      8.8.8.8     31.857      31.278      33.416      0.434       %0       1332       QR -- -- RD RA -- --
      8.8.4.4     31.865      31.361      32.872      0.336       %0       1330       QR -- -- RD RA -- --
      9.9.9.9     93.703      92.797      95.362      0.586       %0       1391       QR -- -- RD RA -- --
    

From Iran:

    
    
      # ./dnseval.py -f google-vs-quad9.txt -c 50 -C yahoo.com
      server      avg(ms)     min(ms)     max(ms)     stddev(ms)  lost(%)  ttl        flags
      ----------------------------------------------------------------------------------------------------
      8.8.8.8     105.093     90.046      130.871     9.749       %0       3590       QR -- -- RD RA -- --
      8.8.4.4     99.458      84.472      133.375     11.308      %0       3585       QR -- -- RD RA -- --
      9.9.9.9     96.231      83.957      134.709     9.503       %0       3595       QR -- -- RD RA -- --
    

Tests are performed using dnsdiag tools:
[https://github.com/farrokhi/dnsdiag](https://github.com/farrokhi/dnsdiag)

------
edbergavera

    
    
      $ ping 9.9.9.9
      PING 9.9.9.9 (9.9.9.9): 56 data bytes
      64 bytes from 9.9.9.9: icmp_seq=0 ttl=53 time=98.011 ms
      64 bytes from 9.9.9.9: icmp_seq=1 ttl=53 time=96.444 ms
      64 bytes from 9.9.9.9: icmp_seq=2 ttl=53 time=96.556 ms
      64 bytes from 9.9.9.9: icmp_seq=3 ttl=53 time=96.769 ms
      64 bytes from 9.9.9.9: icmp_seq=4 ttl=53 time=104.274 ms
      64 bytes from 9.9.9.9: icmp_seq=5 ttl=53 time=102.235 ms
      64 bytes from 9.9.9.9: icmp_seq=6 ttl=53 time=97.185 ms
    
      $ ping 8.8.8.8
      PING 8.8.8.8 (8.8.8.8): 56 data bytes
      64 bytes from 8.8.8.8: icmp_seq=0 ttl=45 time=54.808 ms
      64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=54.407 ms
      64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=55.173 ms
      64 bytes from 8.8.8.8: icmp_seq=3 ttl=45 time=55.058 ms
      64 bytes from 8.8.8.8: icmp_seq=4 ttl=45 time=54.583 ms
      64 bytes from 8.8.8.8: icmp_seq=5 ttl=45 time=54.589 ms
      64 bytes from 8.8.8.8: icmp_seq=6 ttl=45 time=54.645 ms

------
0x0
It's also interesting that they have a public "insecure" DNS server on
9.9.9.10 with none of the additional threat protections -
[https://www.quad9.net/#/faq#is-there-a-service-that-quad9-of...](https://www.quad9.net/#/faq#is-there-a-service-that-quad9-offers-that-does-not-have-the-blocklist-or-other-security)

------
krylon
Ironically, the page takes _forever_ to load for me.

If they cannot handle the HN hug of death, I am not so sure if they can ward
off a serious attack.

The idea - Realtime blacklisting via DNS - is not bad. But if the first
impression I get is a page that loads very slowly, I am doubtful if they can
implement it well.

~~~
gca_dre
The problem is all the hugs of death. :(

Website is being worked on, dns infrastructure is solid and working well. Sorry
for brief response, a bit busy ;)

~~~
krylon
I see. ;-)

I hope you succeed. Filtering out bad actors via DNS is a good idea, you will
have to be very careful about false positives, though. ;-)

I think a similar approach is already being used for mail servers to detect
spam... but I am short on details, because the only mail server I have ever
taken care of is the Exchange server at work, and Exchange is not all that
proactive when it comes to spam.

~~~
jlgaddis
DNSBLs [0] are _very_ popular. Pretty much anyone running a mail server that
accepts connections from the public Internet uses them -- you have to! I manage
several mail servers and I use many different DNSBLs, including one of my own.

The best anti-spam advice I could give WRT your Exchange box (I've managed
those too) is to put another box in front of it to handle the spam filtering
(Postfix + SpamAssassin + friends in my case, but you have many options),
though IIRC even Exchange can directly use these blacklists nowadays.

[0] [https://en.wikipedia.org/wiki/DNSBL](https://en.wikipedia.org/wiki/DNSBL)
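For readers who, like krylon, are short on the details: a DNSBL is queried by reversing the client address, appending the list's zone, and asking for an A record; a reply inside 127.0.0.0/8 means "listed", and an NXDOMAIN means "not listed". The block below is an added example, not jlgaddis's code or any particular list's: `dnsbl.example.` is a constructed zone and `LOOKUP_TABLE` stands in for the answers a real list would return (swap in a `socket.gethostbyname_ex` or dnspython query to use it for real). It also carries the RFC 5782 sanity probe that every MTA should run before trusting a list: 127.0.0.2 must be listed, 127.0.0.1 must not be, otherwise the zone is dead or wildcarding and would bounce all mail.

```python
"""Forming and interpreting DNSBL queries (RFC 5782 conventions).

Added example, not jlgaddis's code: 'dnsbl.example.' is a constructed zone and
LOOKUP_TABLE stands in for the DNS answers a real list would return.  The
127.0.0.2 / 127.0.0.1 probe in dnsbl_is_sane() is the standard liveness check.
"""
import ipaddress
from typing import Callable, Dict, List

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")   # DNSBL hits are A records in 127/8
Lookup = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the address and append the list zone.

    IPv4: octets reversed   (192.0.2.99 -> 99.2.0.192.<zone>)
    IPv6: all 32 nibbles reversed, one label each (RFC 5782 section 2.4)
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


# Constructed stand-in for DNS: query name -> A records.  Missing key = NXDOMAIN.
LOOKUP_TABLE: Dict[str, List[str]] = {
    "2.0.0.127.dnsbl.example.": ["127.0.0.2"],                 # RFC 5782 test entry
    "99.2.0.192.dnsbl.example.": ["127.0.0.2", "127.0.0.4"],   # a listed client
    "1." + "0." * 23 + "8.b.d.0.1.0.0.2.dnsbl.example.": ["127.0.0.2"],  # 2001:db8::1
}


def table_lookup(qname: str) -> List[str]:
    """Offline replacement for a real A-record query."""
    return LOOKUP_TABLE.get(qname, [])


def check_listing(ip: str, zone: str, lookup: Lookup) -> List[str]:
    """Return the 127/8 return codes for *ip*; empty when not listed.

    Answers outside 127/8 are ignored: a list that starts returning public
    addresses (expired domain, wildcard DNS) must not count as a hit.
    """
    answers = lookup(dnsbl_query_name(ip, zone))
    return [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]


def dnsbl_is_sane(zone: str, lookup: Lookup) -> bool:
    """RFC 5782 section 5: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    return (bool(check_listing("127.0.0.2", zone, lookup))
            and not check_listing("127.0.0.1", zone, lookup))


def should_reject(client_ip: str, zones: List[str], lookup: Lookup) -> bool:
    """Policy an MTA might apply: reject when any *sane* list has the client."""
    for zone in zones:
        if not dnsbl_is_sane(zone, lookup):
            continue   # skip a dead or wildcarding zone instead of bouncing everyone
        if check_listing(client_ip, zone, lookup):
            return True
    return False


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.99", "dnsbl.example."))
    print(dnsbl_query_name("2001:db8::1", "dnsbl.example."))
    print(should_reject("192.0.2.99", ["dnsbl.example."], table_lookup))
```

The per-code meaning of the 127.0.0.x values (spam source, open relay, policy block, and so on) is defined by each list operator, so the caller should map them per zone rather than assume one scheme; the block only separates "listed" from "not listed".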

------
pantulis
That's quite a vanity IP. Wonder if they already had it or bought the address
block from someone.

~~~
rndmio
IBM owns 9.0.0.0/8

~~~
chaoticmass
Baller.

------
heipei
Does anyone have an example query that would be blocked? Trying to see what
the reply looks like.

~~~
gjem97
dieutribenhkhop.com (which resolves to 127.0.0.1) works on 8.8.8.8 but not
9.9.9.9, and quad9.net reports it as "blocked"

~~~
dylz
presumably 1) public domains resolving local is a threat, 2) that domain has
bad reputation and previously hosted nasties
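dylz's first point (a public name resolving into local address space) is a check you can run on your own resolver's answers, independent of any upstream blocklist: a name you do not control that answers with 127.0.0.1, RFC 1918 space or link-local space is either misconfigured or set up for DNS rebinding, and either way worth flagging. The block below is an added example, not Quad9's policy or code. The answer lines are constructed (dieutribenhkhop.com resolving to 127.0.0.1 is the case reported above; the other names and addresses are made up from documentation ranges), and the suffix list of names that are expected to resolve internally is an assumption to adapt per site.

```python
"""Flag resolver answers that point a public name at non-public address space.

Added example, not Quad9's code.  The log lines are constructed; the only
value taken from the thread is dieutribenhkhop.com -> 127.0.0.1.  The
INTERNAL_SUFFIXES tuple is an assumption: names under it may legitimately
resolve to internal space and are not flagged.
"""
import ipaddress
from typing import List, Tuple

# Explicit list rather than ipaddress.is_private so the policy is visible
# and stable across Python versions.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Assumed per-site allowlist: names here are expected to resolve internally.
INTERNAL_SUFFIXES = (".internal.example.", ".lan.")

# Constructed resolver answers in a 'name TYPE address' shape.
SAMPLE_LOG = """\
dieutribenhkhop.com. A 127.0.0.1
www.example.com. A 192.0.2.10
printer.lan. A 192.168.1.20
cdn.example.net. A 10.0.0.5
v6.example.org. AAAA fe80::1
mail.example.com. MX 10 mx.example.com.
"""


def is_non_public(addr: str) -> bool:
    """True when *addr* falls in loopback, private, link-local or similar space."""
    ip = ipaddress.ip_address(addr)
    # 'in' across address families is simply False, so v4 and v6 can share a list.
    return any(ip in net for net in NON_PUBLIC)


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Keep only A/AAAA answers as (owner name, address) pairs."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] in ("A", "AAAA"):
            pairs.append((fields[0], fields[2]))
    return pairs


def flag_answers(answers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (name, address) pairs where a public name resolves into non-public space."""
    flagged = []
    for name, addr in answers:
        if name.lower().endswith(INTERNAL_SUFFIXES):
            continue  # expected to be internal, not a finding
        if is_non_public(addr):
            flagged.append((name, addr))
    return flagged


if __name__ == "__main__":
    for name, addr in flag_answers(parse_log(SAMPLE_LOG)):
        print("suspicious: %s -> %s" % (name, addr))
```

Feeding this the query log of a local recursive resolver gives the same class of signal Quad9 acts on for that domain, but evaluated on your own side with your own allowlist, which is also where you would want to tune it: a name your own infrastructure publishes with an internal address belongs on `INTERNAL_SUFFIXES`, not in the findings.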

------
jacoss
From Malaysia:

    
    
      Pinging 8.8.8.8 with 32 bytes of data:
      Reply from 8.8.8.8: bytes=32 time=17ms TTL=54
      Reply from 8.8.8.8: bytes=32 time=12ms TTL=54
      Reply from 8.8.8.8: bytes=32 time=32ms TTL=54
      Reply from 8.8.8.8: bytes=32 time=11ms TTL=54
    
      Ping statistics for 8.8.8.8:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 11ms, Maximum = 32ms, Average = 18ms
    
      Pinging 9.9.9.9 with 32 bytes of data:
      Reply from 9.9.9.9: bytes=32 time=20ms TTL=54
      Reply from 9.9.9.9: bytes=32 time=17ms TTL=54
      Reply from 9.9.9.9: bytes=32 time=18ms TTL=54
      Reply from 9.9.9.9: bytes=32 time=17ms TTL=54
    
      Ping statistics for 9.9.9.9:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 17ms, Maximum = 20ms, Average = 18ms

------
Integer
I hope one of those planned locations will be somewhere in Eastern Europe. At
the moment I measure a 44ms ping, which is just 1ms slower than 8.8.8.8, and
2ms faster than OpenDNS for this location.

------
mtgx
It's like Herman Cain's tax plan, but one 9 better.

Joking aside, shouldn't they have an alternative DNS server, too, like Google
does with 8.8.4.4? Maybe 9.9.7.7 or 9.9.3.3?

~~~
quad9_dre
We do have another IP tied to the anycast cloud on a different /8.

149.112.112.112 - blocking, no edns (same setup/config as 9.9.9.9)

I will see about adding this to the list of things to add to documentation.
(thanks for the feedback guys!)

------
sp332
Wow, 30k blocks per day? That's 0.25% of the entire address space every year.
In 400 years they'll have blocked every IPv4 address!

~~~
Sir_Cmpwn
Here's to another 400 years of stagnant IPv6 adoption!

~~~
quotha
Is there IPv6 support for Quad9?

Yes. Quad9 operates identical services on a set of IPv6 addresses, which are
on the same infrastructure as the 9.9.9.9 systems.

Secure IPv6: 2620:fe::fe Blocklist, DNSSEC, No EDNS Client-Subnet

Unsecure IPv6: 2620:fe::10 No blocklist, no DNSSEC, send EDNS Client-Subnet

------
mnordhoff
Hey, you support Ed25519! Only some of the time -- I'd bet your PowerDNS
resolvers support it but your Unbound ones don't -- but you might be the first
public recursive DNS provider to support Ed25519 at all.

(Recent versions of Unbound do support it, but you might be running an older
version or missing the right dependency.)

(Example zone: ed25519.nl.)

------
INTPenis
I know this has been mentioned already, to much lament... but if companies
like google and ibm were really serious about hosting a DNS service to promote
privacy and security they should host a dnscrypt interface to it.

I'm sure people in the dnscrypt community would rather trust privately hosted
servers but I really don't see the difference in risk.

~~~
quad9_dre
We currently support DNS over TLS, and are looking at other options in the
space. So if folks want dnscrypt I can take that feedback back to the team and
see what we can do for you guys. From my perspective the calculation on
private encrypted dns server over something like our service comes down to
your threat model. We are trying our best to be as transparent as we can on
what we do, how we do it etc so we can earn trust. That being said, trusting
anything you don't 100% control and 100% monitor every little thing on starts
to erode absolute security/privacy/control. The one thing that sets us aside
from a private server is the infrastructure we use, it is a growing anycast
cloud spread across the globe, that with usage (helllooo hot caches!) should
provide better performance than a single locale/remote recursive server (or
chain of servers).

~~~
INTPenis
I'm pleasantly surprised that you support DNS over TLS but I barely know how
to use that. Dnsmasq doesn't support it yet for example and that's the
forwarder I use at home.

To clarify, I have a dnsmasq but I also have a dnscrypt forwarder. Dnsmasq
only resolves LAN names and forwards the rest to dnscrypt.

So I'd have to forward to a service that supports DNS over TLS to use quad9.

Edit: Unbound does this.

~~~
Alex_Band
DNS-over-TLS with Quad9 how-to: [https://medium.com/@alexander_band/privacy-using-dns-over-tl...](https://medium.com/@alexander_band/privacy-using-dns-over-tls-with-the-new-quad9-dns-service-1ff2d2b687c5)

------
foobarbecue
Their attention to detail inspires confidence: "It's like and immunization for
your computer"

~~~
forbiddenlake
Also: "setup", used all over the front page, is not a verb, yet is used as
one.

------
redm
It seems like a cool idea, but I'm worried about the practical implementation,
and that it is just another service to monitor (like Safe Browsing) where you
could get blocked incorrectly.

------
phonon
Looks like a competitor to Comodo's free Secure DNS service.

[https://www.comodo.com/secure-dns/](https://www.comodo.com/secure-dns/)

8.26.56.26

8.20.247.20

~~~
shock
Interestingly, your link didn't work for me because comodo.com was blocked by
Quad9 :)

~~~
phonon
Wut?

Sounds like a pretty good reason not to use Quad9 then.

------
jacoss
Fm Malaysia, quad and google performed almost identical over last two days

------
dod9er
pi-hole was also the first thing that came to my mind. They should set up a
feature version on 9.9.9.13 with the same blacklists as a pi-hole :)

------
solotronics
Is this hosted on Softlayer/Bluemix? If so, hit me up if you need help getting
more servers in different locations or have any network or load balancer
performance related questions (I am a net. eng. for Bluemix infrastructure).

------
devnull42
Sooo they are running RPZ and calling it a product....?

~~~
gca_dre
We don't run rpz on the resolver nodes, hopefully when we clear the backlog of
things we want to fix/tweak/finish we can get around to dropping some docs on
the cool stuff we built/did, and why. #todolist

~~~
devnull42
I look forward to reading that as a fellow DNS Engineer that works at large
scale and has a passion for security.

------
nerdponx
Fitting that the site looks like it's down.

------
feelin_googley
"When a Quad9 user clicks on a website link or types an address into a web
browser, Quad9 checks the site against IBM X-Force's threat intelligence
database of more than 40 billion analysed web pages and images. The service
also taps feeds from 18 further threat intelligence partners, including
Abuse.ch, the Anti-Phishing Working Group, Bambenek Consulting, F-Secure,
mnemonic, 360Netlab, Hybrid Analysis GmbH, Proofpoint, RiskIQ and ThreatSTOP."

Why not share the database with the public? This is meant to be a free
service, isn't it?

"Quad9 is designed to provide these protections without affecting the speed
that users expect when accessing websites and services."

Very careful choice of words. It does not say it will not affect the speed. It
says it will not affect the "speed which user expect". What speed is that?

I already check domains against a database of ones I want to block. I do this
locally using djbdns, without needing to send DNS queries over the internet.
The speed is better than any third party DNS service, including 8.8.8.8 or
9.9.9.9. IMO, there is no need to send personal, private DNS queries to "18
further threat intelligence providers".

"Telemetry data on blocked domains from Quad9 will be shared with threat
intelligence partners to improve their threat intelligence responses for their
customers and Quad9."

Telemetry. So they are collecting data about users' DNS queries. This would
explain how the service is "free".

When a user tries to access a blacklisted domain, a host of "threat
intelligence partners" are notified.

"PCH, which provides Quad9's network infrastructure; and IBM, which provides
IBM X-Force threat intelligence and the easily memorable IP address
(9.9.9.9)."

Quad9 suggests IP addresses can be memorized. I will remember that.

"The personal information protections and selectable DNS encryption, DNSSEC,
and blocklist that are in place show that this project is in line with PCH's
values," he said. "Quad9 will inspire trust in both individuals and businesses
who understand the importance of securing their private browsing data."

If someone digitally signs a document, does anyone believe the document is
hence "encrypted"?

When DNSSEC is used, does anyone believe that DNS is hence "encrypted"?

A less misleading description might be something like "DNS record signing".

Using DNSSEC does not mean the DNS packets are encrypted. Anyone sniffing the
network can read them.

DNSSEC also makes DDOS easier for malfeasants.

Have those providing the DNSSEC signed records and those providing DNSSEC
enabled third party DNS service solved this problem yet?

I am not implying that this "service" could not be useful for users who _must_
use third party DNS service. The question is whether users who really care
about security issues _must_ use third party DNS services.

source: [http://www.computerweekly.com/news/450430188/Free-Quad9-inte...](http://www.computerweekly.com/news/450430188/Free-Quad9-internet-threat-protection-launched)

"HQ

1442 A Walnut Street

Suite 501

Berkeley CA 94709"

source: [https://www.quad9.net](https://www.quad9.net)

Is this an office of IBM?

------
RoutinePlayer
The lady from that video presentation sounds like she's using a fake British
accent.

------
tgdn
Doesn't work

~~~
quad9_dre
I am assuming you are talking about the website?

We should be working on that front right now.

------
napa15
This just sounds like an advertisement for a partial virus checker software,
most virus checkers now have browser plugins that do something like this. Why
this gets 120 upvotes here is not obvious to me.

