▸ Threat blocking

Threat Blocking

Quad9 has integrated both commercial and publicly available threat intelligence feeds. Each has been chosen on the basis of its proven capability to identify threat actors and provide a broad array of capabilities to identify exploits, malware, ransomware, spyware, and other potentially harmful sites. These domains or hosts are updated in our lists from our threat intelligence (TI) partners, who supply us with data on feeds that are rapidly updated and distributed as new domain-based risks emerge.

Blocking Method

Nearly every transaction on the Internet begins with a name lookup. A browser, mobile device, application, or IoT system tries to establish a connection to a name (“www.example.com”) as the start of a page load or other interaction. However, names are meaningless to Internet-connected systems – they require connecting to an IP address (“10.10.2.3”) instead. So a name-to-number mapping system known as the Domain Name System (DNS) is used to look up those names and then discover what IP addresses are associated with them. The client device needs to communicate with what is known as as “recursive DNS server” or “resolver” to perform this lookup. Usually, this resolver is provided by the ISP or the local network administrator or by the home router device – it is a server that sits somewhere nearby on the network. The client connects to the resolver and gives it the name and then, after a fairly complex set of lookups that may span much of the Internet, the resolver hands back to the client the IP address needed. Quad9 replaces the local resolver, performing exactly the same function, but adding a blocking list of domains known to be malicious. If the client asks for a malicious host, then the Quad9 resolver refuses to answer with the IP address, preventing the client from connecting to the malicious destination. Configuration of Quad9 in your devices can be found here.

Types of Blocking

Quad9 blocks only sites that present a danger to the end user, their equipment, or the network. Quad9 does not block content, and the agreements with threat intelligence providers stipulate that the criteria for blocking be exclusively security-related and not based on other categories. Quad9 does not block advertisements or web trackers. For users who wish to resolve all names, without blocking, Quad9 operates a set of IP addresses that provide this ability - see our configuration page.

Benefits of Blocking

By preventing connections to malicious sites, Quad9 eliminates exposure to risks before they are even downloaded to computers or before a victim can see the fraudulent website. The inability to reach a malicious host means that second-layer defenses such as virus protection or user-based detection such as certificate examination are never called into action.
Quad9 can prevent connections only to sites that use DNS within their signaling or distribution. A recent study determined that approximately 33% of cybersecurity breaches could be blocked by a DNS-based system such as Quad9 (https://www.globalcyberalliance.org/reports_publications/measuring-the-economic-value-of-dns-security/)
Quad9 suggests that all users have multiple methods of defending themselves against cyber risks, such as anti-virus software. But as a no-cost, easily installed first-layer defense, Quad9 is extremely effective at preventing a broad set of infections or fraudulent activities and can easily be implemented on almost all Internet-connected devices in a network or home.

Sources of Blocking Data

Quad9 partners with many threat intelligence (TI) sources, both commercial and public. These partners provide threat data to Quad9 as part of their missions to help reduce risk and cybercrime on the Internet and also because their partnership with Quad9 may help them improve their own ability to detect these risks. The combination of philanthropic sponsorship coupled with a virtuous feedback loop of detection improvement creates conditions in which Quad9 users benefit as the usage of the platform increases – more blocks mean increased improvement of blocking feedback.

TI partners supply Quad9 with information about domains or hosts that they believe should be blocked, and in turn the partners receive near-real-time feedback from Quad9 on the volumetric rates of the threats they list. This volumetric data allows them to understand the rising or falling status of various threatening campaigns and allows them to improve the lists of risky domains they provide to Quad9. Quad9 is exclusively a distribution tool for the threat data generated by partners – we do not generate our own set of domain-based Indicators of Compromise (IOCs) and, therefore, do not compete with our TI partners.

Typically Quad9 obtains malicious domains from around twenty difference TI sources. Many of these sources have broad malware detection capabilities and provide wide coverage against newly emerging domain threats. Some are more specific – they may, for example, target niche markets such as financial fraud, homoglyphs, network IDS past behaviors, phishing detectable by visual object recognition, optical character recognition (OCR), structure and linkages to other sites, or app-based spyware. This combination of extremely diverse TI provider expertise allows Quad9 to be more effective than any other DNS blocking system that relies upon only its own source of malware or fraud domain detection.

This model of donated data and cooperative improvement exists because Quad9 is a not-for-profit organization whose goals are specifically aligned with the security and privacy of our end users and not with the extraction of money from customers. Quad9 continually adds to and modifies the set of threat providers to extend more accurate and rapid threat-blocking abilities to our user community.