60M blocks every day is the new “normal”
Quad9’s free, open recursive DNS service blocks hosts, which contain malware, phishing, botnets, spyware, and a variety of other risks that try to defraud end-users, or harm their computers or networks. Millions of users around the world use Quad9’s free DNS recursive resolvers (188.8.131.52/184.108.40.206) to map hostnames to IP addresses as part of almost every Internet transaction. Quad9 protects users from connecting to damaging sites by filtering every DNS transaction for mobile, desktop/laptop, and even difficult-to-secure and botnet-prone IoT devices.
Quad9 currently is seeing a new record-setting rate of approximately 60 million of these blocking events per day, which represents a 600% year-over-year growth rate. During heavy “storms” of cybercrime activity, this volume has spiked to over 100M events per day. This growth relates directly to hackers launching new tools, new phishing campaigns that send out vast amounts of increasingly sophisticated messages, or as dormant networks of bots awaken and try to reach their control systems. While the rate of non-blocked queries has grown significantly with additional users connecting to Quad9 over the last year, the growth rate in blocks has far exceeded these baseline growth numbers.
In the last month, Quad9 has brought additional geographies online and expanded our number of threat intelligence providers. This has improved the coverage and volume of blocked sites. Specific geographic locations trend towards risk-heavy lookup traffic: Sub-Saharan Africa, the Middle East, Central Asia, and Eastern Europe tend to have higher percentages of blocked events.
Quad9 is a nonprofit with a goal of broader Internet security worldwide. Part of the mission is to deploy systems into areas where other forms of cybersecurity are challenging to find, resulting in better coverage where cybercriminals are most active, and where market interest by for-profit providers is low. These risk-heavy regions are well-represented in Quad9’s network deployment and growth in the last year, in addition to the many dozens of locations Quad9 operates in developed nations.
The blocks Quad9 deploys have a very high confidence value, meaning that they are verified to be distributing malware, performing phishing attacks, have botnet command-and-control systems, or are harboring other dangerous activities.
In the coming year, Quad9 will continue to expand the geography of deployments providing secure, local, high-privacy DNS to users at no cost. Along with the increase in our global footprint, Quad9 will add increased protection with more threat intelligence providers having specialized areas of risk identification such as election security, IP classification (in addition to domain classification,) and improved DGA (Domain Generation Algorithm) heuristics.