Quad9 is the collaboration of IBM X-Force, PCH, and Global Cyber Alliance. It provides a DNS platform that combines high performance with security by blocking known malicious domains. At the time of this writing, Quad9 was using 19 threat feeds. I’m not going to get into the marketing speak because quite frankly, enough folks cover that well enough.
Instead, I’ll provide the bare essentials including how it works, speed, and if I’m making the switch.
29Nov2017 – Originally posted
6Dec2017 – Provided download links to DNS Benchmark tool and associated ini file
10Mar2018 – Changed IPv6 secondary address based on feedback
3Apr2018 – Cloudflare DNS (22.214.171.124) section added
How it works
The Quad9 folks did put together a handy little infographic to show how it works (below). Essentially, you set up Quad 9 as your DNS nameservers (preferably in the firewall) and if a machine on your network queries a known bad hostname, the DNS servers respond that the domain does not exist (NX DOMAIN or non-existent domain).
Primary DNS: 126.96.36.199
Secondary DNS: 188.8.131.52
Primary DNS: 2620:fe::fe
Secondary DNS: 2620:fe::9 <- Quad9 states this is not operational at the moment
The secondary DNS for IPv6 is not permanent. I’ll try to update it when the change occurs, but keep an eye on the Quad 9 FAQ for the most up-to-date info.
Stop! Do not get cute and add in a tertiary DNS *or* think you know better by adding in a different DNS (such as OpenDNS or Google) as a secondary DNS. If you do this, you will get unexpected results and break some of the blocking capabilities of Quad9. DNS servers are *not* queried in order as you might expect. If you want to read a bit more on my findings regarding this, see my article below.
What does this look like in the real world? We can test this against the isitblocked.org domain.
Windows command line – test against Google
C:\Users\User>nslookup isitblocked.org @184.108.40.206 Non-authoritative answer: Name: isitblocked.org Addresses: 2607:f1c0:100f:f000::2d1 220.127.116.11
Windows command line – test against Quad9
C:\Users\User>nslookup isitblocked.org @18.104.22.168 *** can't find isitblocked.org: Server failed
Linux command line – test against Google
# dig +short isitblocked.org @22.214.171.124 126.96.36.199
Linux command line – test against Quad9
# dig +short isitblocked.org @188.8.131.52
Nothing is returned above.
** Running the same commands above without the DNS designation (184.108.40.206 or 220.127.116.11) will provide the results against your current nameserver instead of Quad9 or Google DNS.
Example: nslookup isitblocked.org
From a browser, the isitblocked.org domain will appear as though it is down (below).
Using Steve Gibson’s DNS Benchmark tool, I tested multiple times throughout the day and the results were fairly consistent. Quad9 was either #2 or #3 with Google DNS coming in at #1 or #1 and #2. Keep in mind these may change in the future as more anycast servers are brought online. Although OpenDNS lagged behind both of them, the speeds from any of those 3 — Quad9, Google, or OpenDNS — are very respectable and I would not hesitate to use any one of them for DNS services alone.
DNS Benchmark #1
DNS Benchmark #2
DNS Benchmark Numbers
Test it yourself
There no point in blinding assuming what I’m telling you is true and there’s also a 100% chance you will get different results because of your location. Thus, I highly encourage you to test these DNS servers yourself. The first link below is to download the DNS Benchmark tool directly from GRC. The second link is to download my nameservers.ini file from GitHub, which includes the nameservers discussed above as well as a few others. The graphic below shows the 4 steps to follow after downloading DNS Benchmark. Basically, click on the ‘Nameservers’ tab, click ‘Add/Remove,’ click ‘Remove all Nameservers’ followed by ‘Add INI file Nameservers.’ Last, but not least, click on “Run Benchmark” to run the tests. It definitely wouldn’t hurt to notate your results over the course of a few hours/days to see if the results vary.
I’ve switched to Quad9. I made the change shortly after the service was announced and I can say I haven’t had any complaints. Yes, I understand Google had a marginal speed advantage in my case, but I’m okay with the difference knowing I’m getting some security benefits. If the speed difference was greater, this conversation probably wouldn’t happen. Also worth noting is that I did not test the speed of my ISP’s DNS servers. Without question, they would win on speed based on proximity alone, but there’s just something “off” with using the DNS for an ISP beyond potential stability issues. Even if I could reconcile that in my head, when you are talking about such marginal speed differences I am okay with the added security Quad9 brings to the table.
Cloudflare DNS – 18.104.22.168
Cloudflare added their own DNS services on April 1st, 2018… Yes, that is a horrible launch date because of April Fool’s Day, but nobody asked me. I didn’t re-run the DNS Benchmark speed tests with Cloudflare as I did with other systems because I later configured all of the “top DNS” for monitoring in my Nagios XI instance (image below). I didn’t test it right away because I didn’t think that would be very fair comparison given they would likely have a significant jump in activity during launch. So instead, just a few days afterward and I can say that from where I sit I see virtually no speed difference between any of the top DNS providers. In fact, all of the primary DNS returned a response within 5 milliseconds of one another. Also keep in mind that your mileage may vary so I would suggest using the DNS Benchmark tool from Steve Gibson to test things out on your end. I’m personally staying with Quad9 simply because of the added security benefits.
Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.