Frequently Asked Questions | Quad9
General questions
What is DNS?
The Domain Name System (DNS) is the Internet’s equivalent of a phone book. It maintains a directory of domain names and translates them to Internet Protocol (IP) addresses. Even though domain names are more comfortable for people to remember, computers and other devices access websites based on IP addresses.
Does my computer use DNS?
In order to access websites on the Internet, your computer must leverage a DNS service, and it is usually configured by your ISP or your network administrator.
How do I set up/use Quad9?
Your systems are already using a DNS service either through your ISP or some other third party provider. Switching to Quad9 takes only a few minutes and is a very straightforward process. Specific configuration will depend on your network configuration, and we are happy to assist you during the on-boarding process. Get in contact with us through our contact page.
We do have video guides for setting up Quad9 on a Mac and with Windows.
How much does it cost for my organization to use Quad9?
Using Quad9 does not have an additional cost to an organization and does not require any additional software or hardware to be installed. If you need additional information on using Quad9 in your organization, or want to inquire about setting up a dedicated instance for a larger enterprise, contact us through our contact page.
Is there a URL I can check to see if I am configured to use Quad9, and what will I see if I am configured to use Quad9?
We are in the process of setting up a test page for users.
Does Quad9 redirect misspelled domain names?
No. There is no redirection of misspelled domain lookups. NXDOMAIN replies are provided for DNS lookups of domains that do not exist.
Does Quad9 implement DNSSEC?
Yes. Quad9 provides DNSSEC validation on our primary resolvers.
9.9.9.9, 149.112.112.112
2620:fe::fe, 2620:fe::9
In addition, we validate DNSSEC on our EDNS Client-Subnet enabled service:
9.9.9.11, 149.112.112.11
2620:fe::11, 2620:fe::fe:11
This means that for domains that implement DNSSEC security, the Quad9 system will cryptographically ensure that the response provided matches the intended response of the domain operator. In the event of a cryptographic failure, our system will not return an answer at all. This ensures protection against domain spoofing or other attacks that attempt to provide false data. Learn more about DNSSEC here: https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en
Is there a service that Quad9 offers that does not have the blocklist or other security?
The primary IP address for Quad9 is 9.9.9.9, which includes the blocklist, DNSSEC validation, and other security features. However, we do provide an unsecured service and it can be helpful in determining if there are false positives in the Quad9 threat feed or DNSSEC errors with a specific domain.
Unsecured IPv4: 9.9.9.10 Provides: no security blocklist, no DNSSEC, no EDNS Client-Subnet sent. If your DNS software requires a secondary IP address, please use the unsecured secondary address of 149.112.112.10
IPv6: 2620:fe::10, 2620:fe::fe:10
Note: We do not recommend mixing the secure and unsecured IP addresses in the same configuration. Your devices will not be protected 100% of the time and it leads to confusion when debugging potential problems.
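The FAQ suggests comparing the secure and unsecured services to tell a blocklist hit from a DNSSEC problem. The following added example (not Quad9's own code) builds an A query with the DNSSEC OK bit set using only the Python standard library, sends it to 9.9.9.9 and 9.9.9.10, and classifies the pair of RCODEs: a blocklisted name shows as NXDOMAIN only on 9.9.9.9, while a validation failure shows as SERVFAIL (RCODE 2), the standard signal from a validating resolver. The sample responses at the bottom are constructed for illustration, not captured from Quad9.

```python
import socket
import struct

# RCODE values carried in the DNS header (RFC 1035).
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3
SECURE, UNSECURED = "9.9.9.9", "9.9.9.10"   # Quad9 addresses quoted in the FAQ
QID = 0x1234                                 # fixed transaction id for the example

def build_query(name: str, qid: int = QID) -> bytes:
    """A query for `name` with an EDNS0 OPT record and the DO bit set, so a
    validating resolver returns DNSSEC data and reports validation failures."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE=A, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)  # OPT RR, DO=1
    return header + question + opt

def parse_rcode(data: bytes, qid: int = QID) -> int:
    """Return the RCODE of a raw DNS response after checking it answers our query."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != qid or not flags & 0x8000:                        # QR bit must be set
        raise ValueError("not a response to our query")
    return flags & 0x000F

def triage(secure_rcode: int, unsecured_rcode: int) -> str:
    """Interpret a difference between the secure and unsecured Quad9 answers."""
    if secure_rcode == NXDOMAIN and unsecured_rcode == NOERROR:
        return "blocklisted"        # only the filtering service denies the name
    if secure_rcode == SERVFAIL and unsecured_rcode == NOERROR:
        return "dnssec-failure"     # validation failed; 9.9.9.10 does not validate
    if secure_rcode == unsecured_rcode:
        return "same-answer"        # no Quad9 security feature is involved
    return "inconclusive"

def lookup_rcode(server: str, name: str, timeout: float = 3.0) -> int:
    """Send the query over UDP/53 and return the RCODE (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_rcode(data)

# Constructed sample responses (not from Quad9): header only, QR/RD/RA set, RCODE under test.
SAMPLE_NOERROR = struct.pack("!HHHHHH", QID, 0x8180, 1, 0, 0, 0)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", QID, 0x8182, 1, 0, 0, 0)
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", QID, 0x8183, 1, 0, 0, 0)
```

To check a live name, call `triage(lookup_rcode(SECURE, name), lookup_rcode(UNSECURED, name))`; a result of "blocklisted" is what the FAQ's false-positive report process is for, while "dnssec-failure" points at the domain operator's signing.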
Is there IPv6 support for Quad9?
Yes. Quad9 operates identical services on a set of IPv6 addresses, which are on the same infrastructure as the 9.9.9.9 systems.
Secure IPv6 Primary: 2620:fe::fe Blocklist, DNSSEC, no EDNS Client-Subnet
Secure IPv6 Secondary: 2620:fe::9 Blocklist, DNSSEC, no EDNS Client-Subnet
Unsecured IPv6 Primary: 2620:fe::10 No blocklist, no DNSSEC, no EDNS Client-Subnet
Unsecured IPv6 Secondary: 2620:fe::fe:10 No blocklist, no DNSSEC, no EDNS Client-Subnet
Secure IPv6 Primary (EDNS): 2620:fe::11 Blocklist, DNSSEC, EDNS Client-Subnet sent
Secure IPv6 Secondary (EDNS): 2620:fe::fe:11 Blocklist, DNSSEC, EDNS Client-Subnet sent
Note: If you need the expanded forms of the IPv6 addresses, they are as follows:
2620:fe::fe – 2620:fe:0:0:0:0:0:fe
2620:fe::9 – 2620:fe:0:0:0:0:0:9
2620:fe::10 – 2620:fe:0:0:0:0:0:10
2620:fe::fe:10 – 2620:fe:0:0:0:0:fe:10
2620:fe::11 – 2620:fe:0:0:0:0:0:11
2620:fe::fe:11 – 2620:fe:0:0:0:0:fe:11
What is EDNS Client-Subnet?
EDNS Client-Subnet is a method that includes components of end-user IP address data in requests that are sent to authoritative DNS servers. This means that there is privacy “leakage” for recursive resolvers that send EDNS Client-Subnet data, where components of the end user’s IP address are transmitted to the remote site. While this is typically used to improve the performance of Content Distribution Networks, we have determined that Client-Subnet data falls into a grey area of personally identifiable information, and we do not transmit that data in our default service. In some circumstances, this may result in suboptimal routing between CDN origins and end users. We do support a secure service that sends Client-Subnet data.
Secure IPv4: 9.9.9.11 Provides: Security blocklist, DNSSEC, EDNS Client-Subnet sent. If your DNS software requires a Secondary IP address, please use the secure secondary address of 149.112.112.11
Secure IPv6: 2620:fe::11 Provides: Security blocklist, DNSSEC, EDNS Client-Subnet sent. If your DNS software requires a Secondary IP address, please use the secure secondary address of 2620:fe::fe:11
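To make concrete what "components of the end user's IP address" means, here is an added example (not Quad9 code) that encodes and decodes the EDNS Client Subnet option from RFC 7871 in Python; the client addresses and prefix lengths used are constructed inputs. With the /24 (IPv4) and /56 (IPv6) source prefixes that RFC 7871 recommends resolvers send, the authoritative server learns the client's network rather than its full address; with the full prefix length it learns the whole address.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8   # EDNS option code for Client Subnet (RFC 7871)

def build_ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """Encode the ECS option a resolver that sends Client-Subnet puts in its OPT record.

    Only the leading `source_prefix` bits of the client address are sent; the rest are
    zeroed and trailing zero octets are dropped, so the authoritative server sees the
    client's network rather than its full address."""
    addr = ipaddress.ip_address(client_ip)
    if not 0 <= source_prefix <= addr.max_prefixlen:
        raise ValueError("prefix length out of range for this address family")
    family = 1 if addr.version == 4 else 2                     # ADDRESS FAMILY field
    network = ipaddress.ip_network(f"{addr}/{source_prefix}", strict=False)
    octets = (source_prefix + 7) // 8                          # truncated ADDRESS length
    payload = struct.pack("!HBB", family, source_prefix, 0)    # SCOPE PREFIX-LENGTH is 0 in queries
    payload += network.network_address.packed[:octets]
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload

def parse_ecs_option(option: bytes):
    """Decode an ECS option into (disclosed network, scope prefix length)."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or len(option) != 4 + length or length < 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    addr_len = {1: 4, 2: 16}.get(family)
    if addr_len is None:
        raise ValueError("unknown address family")
    raw = option[8:].ljust(addr_len, b"\x00")                   # restore the dropped zero octets
    network = ipaddress.ip_network(f"{ipaddress.ip_address(raw)}/{source}", strict=False)
    return network, scope

def disclosed_network(client_ip: str, source_prefix: int) -> str:
    """What an authoritative server would see for this client at a given prefix length."""
    return str(parse_ecs_option(build_ecs_option(client_ip, source_prefix))[0])
```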
Reliability & maintenance
How resilient is the Quad9 DNS infrastructure?
No infrastructure is 100% safe from attack or failure. However, Quad9 has built and maintains a very robust and resilient DNS infrastructure, built on decades of past experiences and partnerships in the industry. Much of the Quad9 platform is hosted on infrastructure that supports authoritative DNS for approximately one-fifth of the world’s top-level domains, two root nameservers, and which sees billions of requests per day. There are constantly intentional and unintentional stresses put on this network, and multiple strategies are used successfully to prevent failures. Over-provisioning bandwidth and capacity, engineering multiple layers of caches and query distribution methods, and application-specific isolation or rejection of unwanted traffic all are methods used to provide high uptime.
How long has the DNS service been in production?
The service was brought online in August of 2016 with the first beta users. Since that time more threat intelligence has been added, more resolvers brought online, and more users added to the system.
What has your DNS up-time been?
Quad9 is a global anycast service. Multiple points of presence around the world mean redundancy is built into the system. If a resolver goes down, the traffic is automatically routed to the next closest resolver. To date, our uptime has been 99.999%.
If maintenance needs to happen on your DNS, how is that coordinated and how much lead time is given to the end users?
Maintenance of the service is continuously performed and users should not experience any disruption in service.
Security
How does Quad9 protect me from malicious domains?
Quad9 brings together cyber threat intelligence about malicious domains from a variety of public and private sources and blocks access to those malicious domains when your system attempts to contact them.
How will Quad9 prevent the accidental blocking of legitimate domains?
Quad9 implements whitelisting algorithms to make sure legitimate domains are not blocked by accident. However, in the rare case of blocking a legitimate domain, Quad9 works with the users to quickly whitelist that domain. Please use our support page if you believe we are blocking a domain in error.
How does Quad9 ensure that it has the latest threat intelligence?
Quad9 gathers threat intelligence from all its providers and public sources and updates the Quad9 infrastructure with this information. This update happens regularly (several times a day) or in near-real-time depending on the ability of the vendor to supply threat data.
Why do threat intelligence (TI) providers share their data with Quad9, and what do they get out of it?
Quad9 gives anonymized telemetry back to the TI providers only for the malicious domains they share with Quad9. This telemetry never includes the source IP information of the user.
What will I see if a domain is blocked by Quad9?
Users receive an “NXDOMAIN” response if a site is blocked; the end user system acts as if the domain does not exist. This behavior is subject to change in the future to point individual requests to a Quad9 operated information page, informing the user of the threat mitigation and additional information.
What types of domains does Quad9 block?
At Quad9 we block “malicious” hostnames, which in some way are intended to directly lead to behavior or results that a reasonable end user would consider detrimental. This does not currently include spam sites, which send repeated advertising information, or in some cases may even send an email that contains phishing requests. The URLs of the content, not the origin of emails, are where we make our determination about inclusion in the blocklist. While spam may be annoying, and even costly, it is not necessarily a security risk. Quad9 can protect mail servers against malicious hosts and phishing domains which appear in our blended threat intelligence list, but not against spammers. There are other DNS-based lists which are specifically tuned for spam mitigation, though we cannot endorse any particular one to use at this time.
How do I report malicious domains?
If you think there is a malicious domain that we are not blocking, please report through our contact page. We will work with our upstream threat intelligence providers to investigate the domain.
Does Quad9 support DNS over TLS?
We do support DNS over TLS on port 853 (the standard) using an auth name of dns.quad9.net.
My ISP captures port 53, is there another port I can use for Quad9?
We support standard DNS queries on port 9953 as well as 53. In addition we support DNS-over-TLS on the standard port of 853 using the auth name of dns.quad9.net. For more information on the configuration of DNS-over-TLS see the DNS Privacy Project.
Does Quad9 support dnscrypt?
We do support dnscrypt. For more information on the configuration of dnscrypt see the DNSCrypt Information Page. Quad9 is included in the list of public resolvers.
Privacy & Data protection
How will Quad9 protect my data?
When you use Quad9, attackers and malware cannot leverage the known malicious domains to control your systems, and their ability to steal your data or cause harm will be hindered. Quad9 is an effective and easy way to add an additional layer of security to your infrastructure for free.
Will Quad9 filter content?
No. Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains.
Does Quad9 collect and store personal data?
The Quad9 infrastructure does not store any personal data about its users. Please read our complete Data Policy as there are exceptions for harmful attacks against our infrastructure.
How does Quad9 ensure my privacy?
When an entity or an individual is using the Quad9 infrastructure, their IP address is not logged in our system. We, however, log the geo-location of the system (city, state, country) and use this information for malicious campaign and actor analysis, as well as a component of the data we provide our threat intelligence partners.
What does Quad9 log/store about the DNS queries?
Quad9 does not store IP address data of clients. For a detailed explanation of how Quad9 treats DNS query data, please see the Data and Privacy Policy page.
Does Quad9 share the DNS data that is generated with marketers?
Quad9 does not and never will share any of its data with marketers, nor will it use this data for demographic analysis. Our purpose is to fight cybercrime on the Internet and to enable individuals and entities to be more secure. We do this by increasing visibility into the threat landscape, providing generic telemetry to the security industry partners who contribute data for threat blocking.
How do we become an Appliance Manufacturer partner?
Drop us a line through our contact page with your organization details and contact information.