Billed as “immunisation for your computer”, Quad9, a new DNS service, promises to enable much safer Web browsing and enhance your privacy while preserving performance. On top of all this, it’s free to use. So is there a catch? We take a look…
Quad9: what are we talking about?
The Domain Name System (DNS) refers to the framework in which all of those easy-to-remember website addresses (e.g. stationx.net) are translated into the long numerical IP addresses that your computer actually understands. So DNS servers act as a kind of internet phone book, matching those human-recognisable names to their correct IP addresses.
By default, the DNS servers you use are likely the ones provided by your Internet service provider (ISP). But you don’t have to use your ISP’s default DNS servers. If you want, you can opt for a third-party DNS service; these typically offer enhancements such as faster connection times and optional website filtering.
Quad9 is a new DNS service worthy of serious attention.
First off, its credentials are impressive. Three organisations are involved: IBM Security, a group called Packet Clearing House (PCH), who are providing the infrastructure support, and The Global Cyber Alliance (GCA), an international cross-sector community of organisations geared towards identifying and preventing malicious cyber activity.
How does it work?
The service is free and easy to set up. Go to the DNS settings on your internet-enabled device. Next, simply reconfigure the primary DNS server to 9.9.9.9 (hence the Quad9 moniker). For the secondary DNS server, set this to 149.112.112.112.
If you’ve got a multi-endpoint setup, you can also change the settings via your DHCP server, and this should update all devices automatically.
You may want to change the DNS server of your router too to force a whole network to use Quad9.
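To confirm that a device really picked up these settings, the sketch below audits the resolver list a client reports. It is an added example, not code from the original article or from Quad9; it assumes Quad9's addresses are 9.9.9.9 and 149.112.112.112, and the function names and sample outputs are constructed for illustration. Any extra resolver left in the list (for instance one handed out by DHCP) can answer lookups without the blocklist being applied, so the audit only reports `filtered` when every entry is a Quad9 address.

```python
import ipaddress
import re

# Quad9 resolver addresses (assumption: 9.9.9.9 primary, 149.112.112.112 secondary).
QUAD9 = {ipaddress.ip_address(a) for a in ("9.9.9.9", "149.112.112.112")}

def resolvers_from_resolv_conf(text):
    """Nameserver entries from resolv.conf-style text, in order."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [r[1] for r in rows if len(r) >= 2 and r[0] == "nameserver"]

def resolvers_from_ipconfig(text):
    """DNS servers from `ipconfig /all` output, including the indented
    continuation lines Windows prints for the second and later servers."""
    found, in_dns = [], False
    for line in text.splitlines():
        first = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if first:
            found.append(first.group(1))
            in_dns = True
        elif in_dns and re.fullmatch(r"\s+[0-9A-Fa-f:.%]+\s*", line):
            found.append(line.strip())
        else:
            in_dns = False
    return found

def audit(resolvers):
    """Sort resolvers into Quad9 and other; 'filtered' only if all are Quad9."""
    quad9, other = [], []
    for entry in resolvers:
        try:
            addr = ipaddress.ip_address(entry.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            addr = None
        (quad9 if addr in QUAD9 else other).append(entry)
    return {"quad9": quad9, "other": other, "filtered": bool(quad9) and not other}

# Constructed samples: DHCP handing out Quad9 plus another resolver; a Quad9-only client.
SAMPLE_IPCONFIG = """\
   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 9.9.9.9
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_RESOLV = "nameserver 9.9.9.9\nnameserver 149.112.112.112  # secondary\n"

if __name__ == "__main__":
    print(audit(resolvers_from_ipconfig(SAMPLE_IPCONFIG)))
    print(audit(resolvers_from_resolv_conf(SAMPLE_RESOLV)))
```

On a real machine, feed the functions the text of `ipconfig /all` (Windows) or `/etc/resolv.conf` (Linux and similar) instead of the constructed samples.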
Quad9: the benefits…
- A powerful blocklist. Links clicked on by the Quad9 user or addresses typed into the browser are automatically cross-checked against the IBM X-Force threat intelligence database (this analyses more than 40 billion websites and tracks an estimated 17 million spam and phishing attacks daily). The system automatically blocks you from entering sites that are known to be infected.
- Privacy. Some DNS services store things like browsing histories, geographic and ID data for marketing and other purposes. Quad9 doesn’t do any of this. No personally identifiable information (PII) is stored by the service.
- Covers a range of devices. Beyond the usual desktops, portable and mobile devices, it can also be used with Internet of Things (IoT) technologies, e.g. smart thermostats and connected home appliances.
- Little or no adverse impact on performance. At the time of launch (November 2017), the service is present in 70 locations across 40 countries. This is expected to double over the next 18 months, helping to ensure optimum speed and performance for users globally. Performance tends to be ISP and location-specific. That said, early user tests suggest that 9.9.9.9 is “not noticeably slower” than standard ISP services for many people. See how to test the speed of Quad9 below.
Should I use Quad9?
This method of using DNS services to block attacks is a familiar one – especially if you are a big business user or someone willing to pay a premium for access to sophisticated threat feeds.
Now, by drawing on multiple threat intel feeds (including IBM X-Force) – and by making all of this available for free, Quad9 brings to the wider table a promising and potentially useful tool for combating certain types of known threats – such as domain-spoofing phishing attacks.
But just be aware that like any signature or list-based method of protection, it has its limits. If an infected link hasn’t yet been picked up by the major feeds, it’s still going to go unblocked. And it’s not going to do much to pick up the type of malware that’s able to morph through rapidly changing DNS addresses to avoid detection.
So by all means, add Quad9 to your cyber security arsenal – but don’t let it be the ‘be-all-and-end-all’ of your protective shield!
Want to test it out?
Check out the Quad9 website here. For testing to ensure you’re not suffering from lags in performance, take a look at this DNS benchmark tool. This is definitely worth doing – as performance can depend a lot on geographic location!
My VPN service provides my DNS service.
But do they provide the blacklisting? If not then it’s not the same.
At your suggestion, I ran the DNS benchmark.
If the goal was for speed for Quad9, it did not make the top 25. Hopefully, that will improve over time. I will leave my opinions about IBM at the door.
If this is for better protections against DNS threat vectors, I think this will be a great thing. Maybe more DNS providers will think about security in the future? Too hopeful?
This is not just against DNS threats but all threats that come from URLs and IPs. Plus they don’t log. As for speed, I think this is a question of load and location. Many people report good service. Others delays. They are deploying lots more servers globally. So in time I think the issue will be resolved.
Hello Nathan, I have previously used OpenDNS and Google’s DNS services, mostly as a consumer and to bypass my ISP’s DNS service. I like the thought of OpenDNS and while Quad9 sounds like an exciting prospect I am somewhat concerned with some of the members of Global Cyber Alliance, their “partners”, like US Secret Service, City of London Police, NITA-Uganda, National French Police, etc. I read Quad9’s Privacy statement and it sounds solid but what’s your feel on the Global Cyber Alliance group? Is there an increased risk of becoming an entry in some Intel Org’s database? Thanks
If you are going for privacy no DNS service is good because there isn’t encryption. If you want privacy you need a VPN or anonymising service plus your choice of DNS. Then it doesn’t matter if they log.
If not for privacy then why use “privacy” in the title? Isn’t that a bit misleading?
They state they do not log – Hence privacy.
Do not log. That is the key there; I overlooked it. Thanks Nathan, by the way I love your courses.
Hi Nathan, nice article. I’m using Pi-hole as local DNS (ad-block, etc.). I just changed it to 220.127.116.11 a…will see if I notice any difference 🙂
I’ll try it soon to check performance impacts; I’m in France.
Anyway, in French “quad9” (quoi de neuf) means “what’s up”! It will be easy to remember…
Really interesting article, I’m changing my DNS server right now!
149.112.112.112 for secondary DNS server? Their website only mentions 9.9.9.9 so I’m a little confused?
If you do not have a secondary then only use 9.9.9.9
If you look up 149.112.112.112 this is also their server.
Great, thanks. 🙂
And the Mac only has one place for the DNS server. No place to add a secondary one.
Thank you sir, I am on a WiFi and I don’t have access to routers to make any changes.
You can set this up on clients. Not just routers.
Can I use it in SA?
Is it safe?
Can they see my data?
Thanks, Nathan, for your expert opinion on 9.9.9.9! I’ve since moved everything to their servers. Compared to the others, overall it seems to be the best free (security-minded) DNS service out there. (I just can’t trust Google.) But I think they’ll start charging a fee sometime soon.
Do you have a recommendation for third and fourth DNS servers?
Not with these features.
What I mean is that I share a WiFi which belongs to my neighbor. How do I make changes on the client side?
I am confused. TalkTalk is my server. Will it interfere with that? I don’t understand computer jargon and assume server is the provider of the ability to email.
If you don’t understand this then I don’t recommend you implement it. TalkTalk is your ISP.
What about people who live in South America? Can we use it without losing speed?
I use Norton safe search through either internet explorer or Mozilla Firefox. Do I understand correctly that Quad9 provides a similar service to that provided by Norton in that it identifies problem /safe sites and blocks those that are known to be damaging?
Not aware of that service. But no, it is not just for searching. All DNS lookups are checked.
Thanks Nathan for the great suggestion. I’m just confused about whether my mobile modem will connect to the internet if I change DNS in my client.
We will see then :-).
I like the content you provide on this blog.
You wrote: You may want to change the DNS server of your router too to force a whole network to use Quad9.
IN MY ROUTER SETTINGS, do I set here:
DHCP Server Setting
Static DNS 1: 220.127.116.11
Static DNS 2: 18.104.22.168
Static DNS 3:
and that is all? How to know if everything is working right?
If your devices get their IP from DHCP then use ipconfig /all to check the DNS.
Nathan, a quick
22.214.171.124 v 126.96.36.199
188.8.131.52 s 184.108.40.206
I’ve been using Quad9 for DNS. I’ve been unable to open links in emails that StationX sends out. So now I have to find another DNS solution I guess? Which one should I use?
You can try 220.127.116.11
If privacy is a concern then Quad9 protects the users’ privacy and its service doesn’t retain requested data.