Quad9 DNS Servers 9.9.9.9

https://www.quad9.net/#/

(If you think this has nothing to do with you .. Think again)

There's a new bunch of DNS servers being set up, and already it's amazingly knocked my top DNS servers off the top of the benchmarks:

Will Quad9 filter content?

No. Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains.

How will Quad9 prevent the accidental blocking of legitimate domains?

Quad9 implements whitelisting algorithms to make sure legitimate domains are not blocked by accident. However, in the rare case of blocking a legitimate domain, Quad9 works with the users to quickly whitelist that domain.

How does Quad9 ensure that it has the latest threat intelligence?

Quad9 gathers threat intelligence from all its providers and public sources and updates the Quad9 infrastructure with this information. This update happens regularly (several times a day) or may be in near-real-time depending on the ability of the vendor to supply the TI data.

Why do threat intelligence (TI) providers share their data with Quad9, and what do they get out of it?

Quad9 gives anonymized telemetry back to the TI providers only for the malicious domains they share with Quad9. This telemetry does not include source IP information of the users.

Does Quad9 collect and store personal data?

Quad9 infrastructure does not store any personal data about its users. Please read our complete Data Policy here as there are exceptions for harmful attacks against our infrastructure.

How does Quad9 ensure my privacy?

When an entity or an individual is using the Quad9 infrastructure, their IP address is not logged in our system. We, however, log the geo-location of the system (city, state, country) and use this information for malicious campaign and actor analysis, as well as a component of the data we provide our threat intelligence partners.

What does Quad9 log/store about the DNS queries?

We store details of the DNS records queried, timestamp, and the city, state, and country from where the query came. We do not store source IP information of end user queries.

Does Quad9 share the DNS data that is generated with marketers?

Quad9 does not and never will share any of its data with marketers, nor will it use this data for demographic analysis. Our purpose is fighting cyber crime on the Internet and to enable individuals and entities to be more secure. We do this by increasing visibility into the threat landscape by providing generic telemetry to our security industry partners who contribute data for threat blocking.

How resilient is the Quad9 DNS infrastructure?

No infrastructure is 100% safe from attacks and failures. However, Quad9 has built and maintains a very robust and resilient DNS infrastructure, built on decades of past experiences and partnerships in the industry. Much of the Quad9 platform is hosted on infrastructure that supports authoritative DNS for approximately one-fifth of the world’s top-level domains, two root nameservers, and which sees billions of requests per day. There are constantly intentional and unintentional stresses put on this network, and multiple strategies are used successfully to prevent failures. Over-provisioning bandwidth and capacity, engineering multiple layers of caches and query distribution methods, and application-specific isolation or rejection of unwanted traffic all are methods used to provide high uptime.

I have tried all sorts of DNS servers, for various reasons, and run Steve Gibson's DNS Benchmark to test them out periodically. I currently have Google's DNS servers set as Primary and Secondary servers, to test versus this newbie Quad9, and see how it measured up ..

[Screenshot: DNS Benchmark results]

Can't beat it with anything in the UK at my location just now, it comes top of the list for speed in 6 runs of the benchmark so far. And it claims to increase your defences against malware, uses things like the MVPS Hosts file plus others added to their servers, in an optimised server setup = Not a bad thing imho ...

Quote

Whenever a Quad9 user clicks on a website link or types an address into a web browser, Quad9 checks the site against IBM X-Force’s threat intelligence database of over 40 billion analyzed web pages and images. The service also taps feeds from 18 additional threat intelligence partners including Abuse.ch, the Anti-Phishing Working Group, Bambenek Consulting, F-Secure, mnemonic, 360Netlab, Hybrid Analysis GmbH, Proofpoint, RiskIQ, and ThreatSTOP.

Quad9 provides these protections without compromising the speed that users expect when accessing websites and services. Leveraging PCH’s expertise and global assets around the world, Quad9 has points of presence in over 70 locations across 40 countries at launch. Over the next 18 months, Quad9 points of presence are expected to double, further improving the speed, performance, privacy and security for users globally. Telemetry data on blocked domains from Quad9 will be shared with threat intelligence partners for the improvement of their threat intelligence responses for their customers and Quad9.

Long term reliability is the thing to watch for now, but no doubt it will be well supported by the organisations behind it, it can't be any worse than British Telecom's default DNS servers which are prone to the office cleaner sitting on the off switch anyway :P

How to set it up on Windows 10:

NB: For anyone on British Telecom UK wanting to set your own DNS servers - You have to go to MyBT and switch off both BT Web Protect and BT Parental Controls FIRST, because they both rely on using BT DNS servers. If you have either of those selected for your internet (and by default they are on unless you specifically go to MyBT and set them to off), when you change DNS server the internet will not work, so go switch them off at MyBT first .. See this support topic where one user had trouble switching them off .. Then you can set your own DNS servers. If you still get errors accessing the internet after switching off dependent services and changing DNS servers (you see this page) - Then you may need to just flush the DNS cache, and reboot your machine.

For other ISPs, your mileage may vary, but it would not surprise me if others also provide similar 'services' which lock you into using only your ISP's DNS servers. See if you need to close anything down before setting any new DNS servers. And see if your ISP has any help and support forums where you can find out, or any detailed FAQ / knowledge base.

If you get to a stage where your Internet no longer works, and you can't figure it out .. Just set your DNS server back to what it was to start with (probably the "Obtain DNS Server Automatically" at step 7 below, look at the screenshot), and reboot your machine.

1. Go to Start and click the Settings Gear Icon

2. Click "Network & Internet"

3. Scroll down and click "Network and Sharing Centre"

4. Click "Change Adaptor Settings"

5. See screenshot below - Right click the network adaptor which is in use (Ethernet or WIFI), choose "Properties"

6. Left click (just once) "Internet Protocol Version 4 (TCP/IPv4)", so that it is highlighted, then click the "Properties" button

7. Choose "Use the following DNS addresses", then click in the boxes to set your Primary and Secondary DNS Server

For example I have set 9.9.9.9 as Primary, and one of Google's (8.8.8.8 or 8.8.4.4) for Secondary.

8. You can also click on the Advanced Button, and in the next dialogue, click the DNS Tab .. Here you can enter more fallback DNS servers if you wish, and also using the up / down arrows you can position any of them you have highlighted to the top (Primary) position.

Then click Okay on all dialogues.

( Windows XP / Vista / 7 / 8 / 8.1: look in your SysTray for the Network Icon, right click it and choose Open Network and Sharing, and then go to around step 4 above .. It's all pretty similar from there on IIRC, or go to Control Panel > Network and Internet > Network Connections ).

[Screenshot: Windows network adapter Properties and TCP/IPv4 DNS settings dialogs]

If you go back to step 5, you can also choose the adaptor not in use and go through the steps setting the same, in case you switch to / from Ethernet / WiFi at some point.


Also at Step 6 above, if you can use "Internet Protocol Version 6 (TCP/IPv6)" on your Internet connection (or even just wish to set it pre-emptively for when it does start getting used), you can set it to have a Primary setting of 2620:fe::fe for Quad9 DNS Server, and for a secondary if you know of no others Google also has an IPv6 setting of 2001:4860:4860::8888 or 2001:4860:4860::8844

Q. What if I have an ISP provided Router - And the ISP sets its own DNS server in that box, but does not allow the customer to change it ?

A. The furthest box away from the DNS server in the chain of hops has its preferred DNS server honoured, so setting this on your computer / laptop will override any setting the ISP has set in your router, because that box is further along the chain.

Your Machine (Set to automatic) ------- ISP Router 62.6.40.178 ------- Internet

= 62.6.40.178 is used

Your Machine 9.9.9.9 ------- ISP Router 62.6.40.178 -------- Internet

= 9.9.9.9 is used

Setting your own (instead of the default automatic) bypasses any ISP DNS servers; your machine's requested DNS server has to be used.

ISPs count on users just accepting defaults, and take advantage of that so that all your searches etc go through their DNS servers .. And they log it for sale to marketing and advertising behaviour analysis (which probably in turn goes to data brokers like Equifax, who lose your data to hackers, who sell it to criminal orgs etc etc), making more money out of you, the ISP's cattle being farmed. If you have a lot of time on your hands, read your ISP's T&Cs and eventually you will find it mentioned (probably with obfuscated wording so it is not easily noticeable). These details in your T&Cs are the kind of thing that get updated periodically and most people can't be bothered reading them. ISPs are sneaky bar stewards.

Top tip: Never use any ISP provided setup CDs. They want to set their own servers directly on your computer, behind your firewall, which they can't get to normally.

If you have your own Router to replace any ISP provided rubbish, you may be able to set the Primary and Secondary DNS server in there as well, which means all machines in your house using that router (some of which may not be able to set such things as DNS settings, like mobiles or pads or game machines) will also benefit from Quad9's malware / security protection when they request URLs on the internet.

[Screenshot: router DNS server settings]

15 devices in my house (PS4, Wii U, iPhones, iPads, laptops and a few more, plus family visitor devices) going through that Router ^^ all now benefit from Quad9 protection.

Press Release and a few Reviews:

http://www-03.ibm.com/press/us/en/pressrelease/53388.wss

https://www.ghacks.net/2017/11/19/quad9-dns-promises-better-privacy-and-security/

https://arstechnica.co.uk/information-technology/2017/11/new-quad9-dns-service-blocks-malicious-domains-for-everyone/

Also on Security Now! 638 ( Go to time bar at 1:28:35 )

Edited by Guest
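The Windows 10 steps from the post above, done from an elevated PowerShell prompt instead of the dialogs, as an added example that is not part of the original post: it records the current servers, sets 9.9.9.9 / 8.8.8.8 and the IPv6 pair from the post on one adapter, checks that each server actually answers, and provides the "back to automatic" rollback described at step 7. The adapter alias 'Ethernet' and the test name example.com are assumptions (use Get-NetAdapter to find your adapter); the cmdlets used (Get-/Set-DnsClientServerAddress, Resolve-DnsName, Clear-DnsClientCache) ship with Windows 8 and later.

```powershell
# Added example (not from the original post): set, verify and roll back the DNS
# servers of one Windows adapter with the built-in DnsClient cmdlets.
# Run in an elevated (Run as administrator) PowerShell session.
# Assumptions: the adapter alias is 'Ethernet' (see Get-NetAdapter for yours) and
# example.com is used as a harmless test name.

$AdapterName = 'Ethernet'
$IPv4Servers = @('9.9.9.9', '8.8.8.8')                   # Quad9 primary, Google secondary (as in the post)
$IPv6Servers = @('2620:fe::fe', '2001:4860:4860::8888')  # the IPv6 pair named in the post

function Show-CurrentDns {
    # Step 0: note what is configured now, so the old setting is known before changing it.
    Get-DnsClientServerAddress -InterfaceAlias $AdapterName |
        Select-Object InterfaceAlias, AddressFamily, ServerAddresses
}

function Set-ResolverServers {
    # Steps 5-8: one call sets both address families; the first entry of each family is the primary.
    Set-DnsClientServerAddress -InterfaceAlias $AdapterName `
        -ServerAddresses ($IPv4Servers + $IPv6Servers)
    # Same effect as 'ipconfig /flushdns': drop answers cached from the previous resolver.
    Clear-DnsClientCache
}

function Test-Resolver {
    param([string]$Name = 'example.com')
    # Query each IPv4 server directly, bypassing the local cache. No answer from a server
    # usually means UDP/TCP 53 to it is blocked or intercepted, e.g. by an ISP
    # "web protect" feature that has not been switched off yet.
    foreach ($server in $IPv4Servers) {
        try {
            $records = Resolve-DnsName -Name $Name -Type A -Server $server -DnsOnly -ErrorAction Stop
            $first = $records | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
            '{0,-16} answered {1} -> {2}' -f $server, $Name, $first.IPAddress
        }
        catch {
            '{0,-16} NO ANSWER: {1}' -f $server, $_.Exception.Message
        }
    }
}

function Reset-ResolverServers {
    # The rollback from step 7: back to "Obtain DNS server address automatically",
    # i.e. whatever the router / ISP hands out via DHCP.
    Set-DnsClientServerAddress -InterfaceAlias $AdapterName -ResetServerAddresses
    Clear-DnsClientCache
}

# Usage
Show-CurrentDns
Set-ResolverServers
Show-CurrentDns
Test-Resolver
# If browsing stops working afterwards: Reset-ResolverServers
```

After Set-ResolverServers, the second Show-CurrentDns lists the static servers the machine itself will query, which is the point made later in the post about the router: a static entry on the PC is used regardless of what the router hands out by DHCP. A "NO ANSWER" line from Test-Resolver is the symptom to check before assuming the server is down; on BT it is typically Web Protect or Parental Controls still being enabled.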

Your Mileage May Vary

Difference for me between the top ten DNS servers in DNS Benchmark is microseconds really, depends upon your location and distance to the nearest server .. Which will get better as they put in place far more servers around the world.

A few years ago we had British Telecom's own Router in our house (I just had not gotten around to replacing it with a compatible Router of our own), and literally a week after having it installed the Internet went down. After a bit of investigation we found out that BT had an outage of one of their server racks down south, which took out most of the UK's internet. Anyway, long story short, office tea boy / cleaner sat on a switch or something .. Change DNS server on each machine = Problem was solved for us.

Rest of the country with BT's HomeHub Router, who did not know how to fix it by setting their own preferred DNS, had to wait for BT to switch the rack on again :lol:

Edited by Guest

I object to any DNS server forcibly interfering with my chosen site selection. Period. There's currently a race between everyone from web browser developers to ISPs and even our own federal government, to see who can be first to get away with flat-out refusing to take people where they wish to go on the internet. Eventually, and with any luck shortly, this right of unimpeded access will be a legally protected one in our country, along with unmanipulated web search results, privacy and fair use protection of internet traffic and the rest. But for now, and especially given Trump's Verizon-centric FCC, what is currently being sold under the guise of malware protection by ISPs and DNS providers is simply an initial foot in the door for fascist final control over end-user internet navigation. E.g. see how long it takes Quad9 to start denying access to legitimate hacking sites like Doom9 and legitimate video software sites like videohelp.com etc etc. It's neither the place nor within the ability of DNS providers or ISPs to keep anyone safe from anything, it's like asking your phone company to keep you safe from prank and scam phone calls, or expecting the USPS to keep us safe from junk and scam postal mail. It will never happen because it cannot happen even theoretically in a free country. :)

Edited by TheMastersSon

I get where you are coming from but don't be so quick to tar this with the same brush.

Do you use Adblock / Adblock Plus / uBlock Origin? (the latter is my preference over all others) ..

.. Then you are using similar filtering of the net already.

Anyone who has ever used the MVPS Hosts file is also doing the same kind of filtering of the net. As I said in the OP, that's no bad thing imho.

ADBlock owners can be bought by any company wanting themselves to be whitelisted these days.

For the average user / person who is responsible for the household broadband and wants to protect their kids from crap (bad links, redirects to somewhere not intended, IFrame redirects typically in those advertising boxes on a web page to malware etc etc), Quad9 is a good idea if they adhere to their promises.

Having read everything they have to say I don't see any reason why this particular collaboration would shift the goal posts. Do you?

I take it that what you suspect could happen is not actually happening with Quad9 right now? .. If it is, just contact them and get it sorted out (see the FAQ quotes below, which are from the Quad9 website, first link in the OP).

And if there is any mission creep in future, it's so easy to change (most people would not even know the information in the OP was a possibility for them to control; now they do), there is no need for any scaremongering at this time.

Anyway up, I will ask this just once, can we not get political on this and leave chump out of it :smile:. I know, probably pointless trying to stem the flow in the current environment, and now it's reared its ugly head already.

Edit: Putting the following quotes in the OP

Will Quad9 filter content?

No. Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains.

How will Quad9 prevent the accidental blocking of legitimate domains?

Quad9 implements whitelisting algorithms to make sure legitimate domains are not blocked by accident. However, in the rare case of blocking a legitimate domain, Quad9 works with the users to quickly whitelist that domain.

How does Quad9 ensure that it has the latest threat intelligence?

Quad9 gathers threat intelligence from all its providers and public sources and updates the Quad9 infrastructure with this information. This update happens regularly (several times a day) or may be in near-real-time depending on the ability of the vendor to supply the TI data.

Why do threat intelligence (TI) providers share their data with Quad9, and what do they get out of it?

Quad9 gives anonymized telemetry back to the TI providers only for the malicious domains they share with Quad9. This telemetry does not include source IP information of the users.

Does Quad9 collect and store personal data?

Quad9 infrastructure does not store any personal data about its users. Please read our complete Data Policy here as there are exceptions for harmful attacks against our infrastructure.

How does Quad9 ensure my privacy?

When an entity or an individual is using the Quad9 infrastructure, their IP address is not logged in our system. We, however, log the geo-location of the system (city, state, country) and use this information for malicious campaign and actor analysis, as well as a component of the data we provide our threat intelligence partners.

What does Quad9 log/store about the DNS queries?

We store details of the DNS records queried, timestamp, and the city, state, and country from where the query came. We do not store source IP information of end user queries.

Does Quad9 share the DNS data that is generated with marketers?

Quad9 does not and never will share any of its data with marketers, nor will it use this data for demographic analysis. Our purpose is fighting cyber crime on the Internet and to enable individuals and entities to be more secure. We do this by increasing visibility into the threat landscape by providing generic telemetry to our security industry partners who contribute data for threat blocking.

How resilient is the Quad9 DNS infrastructure?

No infrastructure is 100% safe from attacks and failures. However, Quad9 has built and maintains a very robust and resilient DNS infrastructure, built on decades of past experiences and partnerships in the industry. Much of the Quad9 platform is hosted on infrastructure that supports authoritative DNS for approximately one-fifth of the world’s top-level domains, two root nameservers, and which sees billions of requests per day. There are constantly intentional and unintentional stresses put on this network, and multiple strategies are used successfully to prevent failures. Over-provisioning bandwidth and capacity, engineering multiple layers of caches and query distribution methods, and application-specific isolation or rejection of unwanted traffic all are methods used to provide high uptime.

Edited by Guest

Do you use Adblock / Adblock Plus / uBlock Origin? (the latter is my preference over all others) ..

No, since many sites today check for ad blocking plugins and refuse to load or operate properly if they find any -- even though there's no technical reason why pages can't work with the plugins. But I do use NoScript, which allows complete control over scripts, i.e. you can even disable sites from checking for plugins etc.

.. Then you are using similar filtering of the net already.

That's perfectly fine imo, because the filtering is where it belongs: in the hands of end-users. Not somebody or anybody else.

Also imo Quad9's FAQ is a masterpiece of disingenuity, e.g.:

"Will Quad9 filter content?"
"No. Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains."

The forced blocking of any domain necessarily qualifies as both filtering and censorship. So the correct answer to their question is yes, not no.

What does anyone else have to say about this? Is anyone else pessimistic enough to agree with TheMastersSon that they are not to be trusted from day one, and unwilling to give a try to a solution to malware due to fear of mission creep at a later date?

Do you agree their words are a "masterpiece of disingenuity"? Or are you more optimistic that, if they stand by their words in future, this idea could actually be a good one?

It may well block your favourite hacking site, or porn site, or cracking / warez sites .. Personally I believe such sites only contribute to the malware issues people get on their machines, so you are better off blocking them.


It may well block your favourite hacking site, or porn site, or cracking / warez sites .. Personally I believe such sites only contribute to the malware issues people get on their machines, so you are better off blocking them.

In my experience that opinion is invariably heard from people who have no clue what a legitimate hacking site even is. Among other things and to correct your assumption, they're both your own and our government's best friends in the world against malicious software. Our FBI even hosts an annual event for this group, so both can get up to speed on the latest problems and solutions.

Also you seem to be missing my larger point, which is the last part of your comment. If YOU believe you're better off blocking a given site, it's YOUR decision and nobody is stopping you. My objection is to the subjugation of internet navigation rights period, to anyone, whether it's DNS providers or Mozilla or ISPs or our government.

Edited by TheMastersSon

Also you seem to be missing my larger point, which is the last part of your comment. If YOU believe you're better off blocking a given site, it's YOUR decision and nobody is stopping you. My objection is to the subjugation of internet navigation rights period, to anyone, whether it's DNS providers or Mozilla or ISPs or our government.

Similarly, you or anyone else with an honorable white hat topped with a halo of pure intent is free not to use this DNS Server if Quad9 really do represent what you clearly have strong issues with.

You have provided no proof of any ill intent so far against the ideas Quad9 have. Are Quad9 really subjugating your internet navigation rights?

And the site you like is easily visited with the 9.9.9.9 DNS server set. Seriously, if you have issues with them, contact them and make a representation for changes needed. Communication channels are open.

I certainly have no beef with hackers for the good of the internet and appreciate very much how much good they do. I believe the group you speak of are mentioned quite often in Steve Gibson's Security Now! podcast, which on a weekly basis is full of stories where companies have a shoddy implementation of what they call secure software, baby monitors and cameras which are left wide open to the internet etc, which hackers show the company (and its customers) just how rubbish their product is. Then shiz gets fixed.

This topic is meant to be just showing people an idea, which on the face of it seems good to me. Yes companies do shift their goal posts, amend terms and conditions to their own benefit, and such maneuvering is probably part of their long term plans, suck people in and then obfuscate the important changes.

When Quad9 starts doing that, then it turns bad in my eyes.

Until then it's a good service as far as I can see for Joe Average, who was probably being manipulated by their ISP before this topic was produced.

What would you have them do instead? Do you have a better DNS server setup to recommend? Or should we just leave people being monetized by their ISPs by default?
