FAQ

DNS Need to Know Info

What is DNS? 

Domain Name Servers (DNS) are the Internet’s equivalent of a phone book. They maintain a directory of domain names and translate them to Internet Protocol (IP) addresses. This is necessary because although domain names are easy for people to remember, computers or machines access websites based on IP addresses.


In order to access websites on the Internet, your computer must leverage a DNS service, and it is usually configured by your ISP or your network administrator.


Quad9 brings together cyber threat intelligence about malicious domains from a variety of public and private sources and blocks access to those malicious domains when your system attempts to contact them.


How will Quad9 help protect my data?

When you use Quad9, attackers and malware cannot leverage the known malicious domains to control your systems, and their ability to steal your data or cause harm will be hindered. Quad9 is an effective and easy way to add an additional layer of security to your infrastructure for free.


No. Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains associated with phishing, malware, and exploit kits.



Quad9 implements whitelisting algorithms to make sure legitimate domains are not blocked by accident. However, in the rare case of blocking a legitimate domain, Quad9 works with the users to quickly whitelist that domain.


Quad9 gathers threat intelligence from all its providers and public sources and updates the Quad9 infrastructure with this information. This update happens regularly (several times a day) or may be in near-real-time depending on the ability of the vendor to supply the TI data.


Quad9 gives anonymized telemetry back to the TI providers only for the malicious domains they share with Quad9. This telemetry does not include source IP information of the users.


Quad9 infrastructure does not store any personal data about its users. Please read our complete Data Policy here as there are exceptions for harmful attacks against our infrastructure.


When an entity or an individual is using the Quad9 infrastructure, their IP address is not logged in our system. We do, however, log the geo-location of the system (city, state, country) and use this information for malicious campaign and actor analysis, and as a component of the data we provide our threat intelligence partners.


We store details of the DNS records queried, timestamp, and the city, state, and country from where the query came. We do not store source IP information of end user queries.


Quad9 does not and never will share any of its data with marketers, nor will it use this data for demographic analysis. Our purpose is to fight cyber crime on the Internet and to enable individuals and entities to be more secure. We do this by increasing visibility into the threat landscape by providing generic telemetry to our security industry partners who contribute data for threat blocking.


No infrastructure is 100% safe from attacks and failures. However, Quad9 has built and maintains a very robust and resilient DNS infrastructure, built on decades of past experience and partnerships in the industry. Much of the Quad9 platform is hosted on infrastructure that supports authoritative DNS for approximately one-fifth of the world’s top-level domains and two root nameservers, and that sees billions of requests per day. Intentional and unintentional stresses are constantly put on this network, and multiple strategies are used successfully to prevent failures. Over-provisioning bandwidth and capacity, engineering multiple layers of caches and query distribution methods, and application-specific isolation or rejection of unwanted traffic are all methods used to provide high uptime.


Your systems are already using a DNS service either through your ISP or some other third party provider. Switching to Quad9 takes only a few minutes and is a very straightforward process. Specific configuration will depend on your network configuration, and we are happy to assist you during the on-boarding process. Get in contact with us by emailing support@quad9.net.

We do have video guides for setting up Quad9 on a Mac and with Windows. Additional resources for Quad9 can be found in our Resource Kit.


Using Quad9 does not have an additional cost to an organization and does not require any additional software or hardware to be installed.

The service was brought online in August of 2016 with the first beta users. Since that time more threat intelligence has been added, more resolvers brought online, and more users added to the system.


Quad9 is a global anycast service. Multiple points of presence around the world means redundancy is built into the system. If a resolver goes down, the traffic is automatically routed to the next closest resolver. To date, our up-time has been 99.999%.


Maintenance to the service is continuously performed and users should not experience any disruption in service.


We have a test domain isitblocked.org that can be used to test if the service is working.

If a site is blocked, users receive an “NXDOMAIN” response, and the end-user system acts as if the domain does not exist. This may change in the future to point certain requests to a Quad9-operated information page, informing the user of the threat mitigation and additional information.


No. There is no redirection of misspelled domain lookups. NXDOMAIN replies are provided for DNS lookups of domains that do not exist.


Yes. Quad9 provides DNSSEC validation on our 9.9.9.9 resolver. This means that for domains that implement DNSSEC security, the Quad9 system will cryptographically ensure that the response provided matches the intended response of the domain operator. In the event of a cryptographic failure, our system will not return an answer at all. This ensures protection against domain spoofing or other attacks that attempt to provide false data. Learn more about DNSSEC here: https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en

Note that some variations of our resolver (different IP addresses) may not provide DNSSEC.


Secure IP: 9.9.9.9 Provides: Security blocklist, DNSSEC, No EDNS Client-Subnet sent. If your DNS software requires a Secondary IP address, please use the secure secondary address of 149.112.112.112

Unsecure IP: 9.9.9.10 Provides: No security blocklist, DNSSEC, sends EDNS Client-Subnet. If your DNS software requires a Secondary IP address, please use the unsecure secondary address of 149.112.112.10

Note: Use only one of these sets of addresses – secure or unsecure. Mixing secure and unsecure IP addresses in your configuration may lead to your system being exposed without the security enhancements, or your privacy data may not be fully protected.


Yes. Quad9 operates identical services on a set of IPv6 addresses, which are on the same infrastructure as the 9.9.9.9 systems.

Secure IPv6: 2620:fe::fe Blocklist, DNSSEC, No EDNS Client-Subnet

Unsecure IPv6: 2620:fe::10 No blocklist, DNSSEC, send EDNS Client-Subnet
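
The warning above about mixing secure and unsecure addresses can be checked mechanically. The following is an added example, not Quad9's own code: it classifies the `nameserver` lines of a resolv.conf-style file against the IPv4 and IPv6 addresses listed in this FAQ and reports a mixed configuration. The function names `classify` and `audit`, the verdict strings and the sample file are assumptions made for illustration.

```python
import ipaddress

# Quad9 resolver addresses exactly as listed in this FAQ.
QUAD9 = {
    "secure": ["9.9.9.9", "149.112.112.112", "2620:fe::fe"],
    "unsecure": ["9.9.9.10", "149.112.112.10", "2620:fe::10"],
}
# Parsed form, so different spellings of one IPv6 address compare equal.
LOOKUP = {ipaddress.ip_address(a): kind
          for kind, addrs in QUAD9.items() for a in addrs}

def classify(addr):
    """Return 'secure', 'unsecure', 'other' or 'invalid' for one address."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    except ValueError:
        return "invalid"
    return LOOKUP.get(ip, "other")

def audit(resolv_conf_text):
    """Classify each nameserver line; verdict is 'mixed' if the kinds differ."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        # Comment lines start with '#' or ';' and never match 'nameserver'.
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append((fields[1], classify(fields[1])))
    kinds = {kind for _, kind in servers}
    if not kinds:
        verdict = "none"
    elif len(kinds) == 1:
        verdict = kinds.pop()
    else:
        verdict = "mixed"
    return verdict, servers

# Constructed sample: a secure primary paired with an unsecure secondary.
SAMPLE = """\
# constructed example, not from a real host
nameserver 9.9.9.9
nameserver 149.112.112.10
options edns0
"""

if __name__ == "__main__":
    verdict, servers = audit(SAMPLE)
    for addr, kind in servers:
        print(f"{addr:18} {kind}")
    print("verdict:", verdict)
```

A verdict of `mixed` also covers a Quad9 address combined with a third-party resolver, which goes beyond the secure/unsecure case named in the note.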


EDNS Client-Subnet is a method that includes components of end-user IP address data in requests that are sent to authoritative DNS servers. This means that there is privacy “leakage” for recursive resolvers that send EDNS Client-Subnet data, where components of the end user’s IP address are transmitted to the remote site. While this is typically used to improve performance of Content Distribution Networks, we have determined that Client-Subnet data falls into a grey area of personally identifiable information, and we do not transmit that data. In some circumstances this may result in suboptimal routing between CDN origins and end users. We hope to have an EDNS Client-Subnet solution in place shortly which gives a “middle ground” between the two options we have today of “secure” and “unsecure”.


Send an email to partnerships@quad9.net with your organization details and contact information.


We do support DNS over TLS on port 853 (the standard) using an auth name of dns.quad9.net.
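
To show how the DNS over TLS settings above and the NXDOMAIN behaviour described earlier fit together, here is an added example (not Quad9's code) of a minimal client that sends one query to 9.9.9.9 on port 853, verifies the certificate against dns.quad9.net, and reads the response code. The function names, the fixed query ID and the constructed sample reply are assumptions for illustration.

```python
import socket, ssl, struct

QUAD9_IP = "9.9.9.9"               # secure resolver address from this FAQ
QUAD9_AUTH_NAME = "dns.quad9.net"  # DNS over TLS auth name from this FAQ
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qid=0x1234):
    """Encode a one-question A/IN query with the RD flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_response(msg, qid=0x1234):
    """Return (rcode name, answer count) after checking ID and QR bit."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}"), ancount

def recv_exact(sock, n):
    """Read exactly n bytes; TLS records may split a DNS message."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def query_dot(name, server=QUAD9_IP, auth_name=QUAD9_AUTH_NAME):
    """Resolve name over TLS port 853, verifying the cert against auth_name."""
    ctx = ssl.create_default_context()  # chain and hostname checks stay on
    query = build_query(name)
    with socket.create_connection((server, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length))

# Constructed NXDOMAIN reply (QR, RD, RA set, RCODE 3, no answers).
SAMPLE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) \
    + build_query("isitblocked.org")[12:]

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY))        # offline, constructed input
    # print(query_dot("isitblocked.org"))      # live lookup, needs network
```

Connecting by IP while passing the auth name as `server_hostname` is what ties the TLS session to Quad9: the handshake fails if the certificate presented on port 853 does not cover dns.quad9.net.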

