Table of Contents
Quad9 DNS
Return to IBM Cloud DNS, Privacy DNS, DNS sink, Pi-Hole, DNS
Quad9 DNS, launched on November 16, 2016, is a free and privacy-focused DNS service aimed at enhancing Internet security and Internet privacy for users. Its primary IPv4 addresses are 9.9.9.9 and 149.112.112.112, while its IPv6 addresses are 2620:fe::fe and 2620:fe::9. Quad9 DNS operates by leveraging threat intelligence from multiple cybersecurity firms to block access to known malicious domains, providing an additional layer of protection against cyber threats such as malware, phishing, and other forms of cyberattacks. By utilizing Quad9 DNS, users can enhance their online security and online privacy without compromising Internet performance or //quad9.net ==Service Addresses & Features== [[Quad9 has several different service offerings for recursive DNS features. Each is represented by a different IP address (or, in some cases, hostname), which you use to configure your systems. See our Set Up Guides for how to configure the most commonly used devices.
Recommended Settings
Secured w/ECS
Android Configuration Options
DNSCrypt Configuration Options
Recursive DNS Server Addresses and Features - Service based configuration: Recommended: Malware Blocking, DNSSEC Validation (this is the most typical configuration)
IPv4: 9.9.9.9, 149.112.112.112
IPv6: 2620:fe::fe, 2620:fe::9
HTTPS: https://dns.quad9.net/dns-query
TLS: tls://dns.quad9.net
Secured w/ECS: Malware blocking, DNSSEC Validation, ECS enabled IPv4
IPv6 2620:fe::11
2620:fe::fe:11
HTTPS https://dns11.quad9.net/dns-query
TLS tls://dns11.quad9.net
Unsecured: No Malware blocking, no DNSSEC validation (for experts only!)
IPv4: 9.9.9.10, 149.112.112.10
HTTPS: https://dns10.quad9.net/dns-query
TLS: tls://dns10.quad9.net
Hints: If you have devices that need to be configured by IP address, make sure to put ALL the IP addresses listed for your selected service into any configuration areas. Putting in just one of the three will leave you vulnerable to single-path failures if they should occur. Even if you do not yet have IPv6, please add those addresses from the list so you don’t have to remember later – most systems will ignore IPv6 addresses if they cannot be used.
Android Configuration Options
Quad9 provides an app for Android users, which greatly simplifies configuration of Quad9 DNS for those devices. The app includes other features such as a full log of DNS queries, notification on block events, and encryption (using DNS-over-TLS) of all queries to the Quad9 systems.
Find the “Quad9 Connect” app on the Google Play store: Get it on Google Play
It is also possible to use Quad9 services using the Private DNS feature of Android, click here to find out how to do it.
DNSCrypt configuration options
=DNSCrypt is a less frequently used DNS encryption protocol, but it is supported by Quad9. To read more about DNSCrypt, see our post here, or you may download the configuration files and stamps by following https://www.quad9.net/quad9-resolvers.toml
Short description: Global public recursive DNS resolver based in Switzerland
- registration_id = 435.091.407
- founded_date = Start date: 2016-05-11
- location = Zurich, Switzerland
- area_served = Global
- num_employees = 12
- homepage = https://quad9.net]]
Quad9 is a Public recursive name server | global public recursive Domain_Name_System | DNS Recursive_and_caching_name_server | resolver which aims to protect users from malware and phishing. Quad9 is operated by the Quad9 Foundation, a Switzerland | Swiss Charitable organization | public-benefit, not-for-profit Foundation (nonprofit) | foundation with the purpose of improving the Internet privacy | privacy and cybersecurity of Internet users, headquartered in Zurich.<ref>
</ref> It is the only global public resolver which is operated not-for-profit, in the public benefit. Quad9 is entirely subject to Swiss Information privacy law | privacy law, and the Swiss government extends that protection of law to Quad9's users throughout the world, regardless of citizenship or country of residence.<ref>
</ref> Quad9 is currently the only global recursive resolver which is not subject to See_also | United States law, as the others are each domiciled in the San Francisco Bay Area and governed by the United_States_District_Court_for_the_Northern_District_of_California | Northern District of California Courts | US Federal Court.<ref>
</ref><ref>
</ref>
Security and privacy
Several independent evaluations have found Quad9 to be the most effective (97%) at blocking malware and phishing domains.<ref name=“heise-reda-2021-08-30”>
</ref><ref>
</ref><ref>
</ref><ref>
</ref> As of June, 2021, Quad9 was blocking more than 100 million malware infections and phishing attacks per day.<ref>
</ref> Quad9's malware filtering is a user-selectable option. The domains which are filtered are not determined by Quad9, but instead supplied to Quad9 by a variety of independent threat-intelligence analysts, using different methodologies. Quad9 uses a reputation-scoring system to aggregate these sources, and removes “false positive” domains from the filter list, but does not itself add domains to the filter list.<ref name=“heise-reda-2021-08-30” /><ref>
</ref><ref name=“oblivious-dns”>
</ref><ref name=“ispreview”>
</ref>
Quad9 was the first to use DNS_over_TLS | standards-based strong cryptography to protect the Internet privacy | privacy of its users' DNS queries, and the first to use DNSSEC cryptographic validation to protect users from domain hijacking | domain name hijacking.<ref>
</ref><ref>
</ref><ref>
</ref><ref>
</ref><ref name=“oblivious-dns” /> Quad9 protects users' privacy by not retaining or processing the IP address of its users, and is consequently GDPR-compliant.<ref>
</ref><ref>
</ref><ref>
</ref>
Locations
| none | 900px | Map of Quad9 recursive resolver locations as of 2021-05-27 As of August, 2021, the Quad9 recursive resolver was operating from server clusters in 224 locations on six continents and 106 countries.<ref>
</ref>
Sony Music injunction
On June 18, 2021, Quad9 was notified of a first-of-its-kind injunction by the Ordinary_courts | District Court of Hamburg, in which Sony Music demanded that Quad9 block DNS resolution of web sites which could be used to download its music. This is the first instance in which the copyright-holder industry has sought to compel a recursive DNS operator to block access to Internet domain names, so this is a novel interpretation of German law and is thought to be a precedent-setting case with far-reaching consequences. Quad9's General Manager, John Todd, was quoted in the press as saying “Our donors support us to protect the public from cyber-threats, not to further enrich Sony,” and “If this precedent holds, it will appear again in similar injunctions against other uninvolved third parties, such as anti-virus software, web browsers, operating systems and firewalls.” Legal expert Thomas Rickert of eco – Verband der Internetwirtschaft | eco, the German Internet association, commented “I cannot imagine a provider who is further removed from responsibility for any illegal domains than a public resolver operator.” Quad9 immediately announced that it would contest the injunction and, as of June 24, announced that it had retained German counsel and would be filing an objection to the injunction.<ref>
</ref><ref>
</ref><ref name=“ispreview” /><ref>
</ref><ref>
</ref><ref>
</ref><ref>
</ref><ref>
</ref><ref>
</ref> Clemens Rasch, the attorney leading Sony's team, has not clearly stated whether any attempts were made to contact canna.to, the site widely suspected by the press to be behind the redactions in the court documents, saying only that Sony would have done so “if they could have been identified,” while confirming that the site has been operating continuously for the past twenty two years. A court spokesperson said that “only the statements presented by the applicant side were used as a basis for the injunction” and that the court “took it on faith that the notifications which the applicant claimed to have sent were not only sent but also arrived at their recipient.” At the close of the first week of the conflict, the press noted that donations to Quad9 were up by 900% relative to the prior week, and as of June 27, canna.to was still resolvable through Quad9's servers.<ref>
</ref>
On August 31, 2021, Quad9 filed an objection to the injunction, citing a number of flaws in the legal arguments made by Sony, but principally hinging on the fact that ISPs (which actually have a business relationship with infringing parties) are exempted from third-party liability, despite the fact that they also operate DNS recursive resolvers, and that it's a misinterpretation of the law to exclude independent recursive resolvers from that exemption.<ref>
</ref><ref name=“heise-reda-2021-08-30” /><ref>
</ref>
Addresses
Quad9 operates recursive name servers for public use at the following addresses. These addresses are routed to the nearest operational server using IP anycast routing. Quad9 offers DNS over TLS over port 853,<ref>
</ref> DNS over HTTPS over port 443,<ref>
</ref> and DNSCrypt over port 443.<ref>
</ref>
{]] | class="wikitable" ! ! High Security / High Privacy ! High Security / Moderate Privacy ! Low Security / High Privacy | - | Blocks [[Malware | malicious domains ]] | {{yes}} | {{yes}} | {{no}} | - | DNSSEC_support | DNSSEC validation ]] | {{yes}} | {{yes}} | {{no}} | - | Passes [[EDNS Client Subnet | ECS ]] | {{yes | No}} | {{no | Yes}} | {{yes | No}} | - | Via '''[[DNS over HTTPS | DoH<ref name=“addresses”>
</ref> ]] | //dns.quad9.net/dns-query</nowiki> | //dns11.quad9.net/dns-query</nowiki> | //dns10.quad9.net/dns-query</nowiki> | - | Via '''[[DNS over TLS | DoT<ref name=“addresses” /> ]] | dns.quad9.net | dns11.quad9.net | dns10.quad9.net | - | Via '''[[IPv4<ref name=“addresses” /> ]] | 9.9.9.9<br />149.112.112.112 | 9.9.9.11<br />149.112.112.11 | 9.9.9.10<br />149.112.112.10 | - | Via '''[[IPv6<ref name=“addresses” /> ]] | 9 | 11 | 10 | } == See also == * [[Response policy zone