Reddit Feeds

Sign up and stay connected to your favorite communities.

sign uplog in
75

What DNS do you use & thoughts on quad9.net

I was wondering what DNS others are using and why

Also, for those who have used quad9.net (9.9.9.9) what do you think about it

93 comments
91% Upvoted
What are your thoughts? Log in or Sign uplog insign up
20 points·1 month ago·edited 1 month ago

I just setup a raspi running Pi-Hole + DNSCrypt 2.0 that's pulling records from 1.1.1.1, with quad9 as a backup.

Outside of some configuration snafus due [to] tor, it's actually a slick little setup. No ads, and secured DNS requests. It's like the 90s came back but with better graphics and design, and fewer security issues.

By DNSCrypt 2.0, do you mean DNS over TLS? I didn't think quad 1 supported DNSCrypt

A new build of dnscrypt proxy, called v2, was released that supports dns over tls - maybe this is what they’re referring to

This is in fact what I was referring to.

Just followed the instructions for DNSCrypt proxy 2.0 on the Pi-Hole wiki, with a few adjustments.

Or you could set it to pull over http: https://scotthelme.co.uk/securing-dns-across-all-of-my-devices-with-pihole-dns-over-https-1-1-1-1/

Comment deleted1 month ago

No, this is my home setup. You could do this in a business environment, but it would need a little more hardening than the stock testing setup (Pi-Hole doesn't use https on the stock interface for example).

There's also commercial services that are dedicated to fighting malware at the switch/router level that use the same principal.

Comment deleted1 month ago

Yup, oh and obviously in a business environment you wouldn't want a raspi as your DNS unless maybe you were a one person shop.

Until you wife complains because she can't shop on Google :P

That's why they make whitelists. :)

I have a dns server at home and it caches and queries the 13 root servers directly.

Am I the only one?

Nope. Same here.

Do you happen to have a guide somewhere for this? Would like to set it up myself

does slaac on /112 networks12 points·1 month ago

install "unbound"

turn it on

resolv.conf: 127.0.0.1

Or if you have enough servers to make it worth it:

Install FreeIPA

Behold the magic of already configured, replicated* DNS that updates itself and has a GUI with a robust cli interface.

* Assuming you have multiple IPA servers. I use a physical box that I always have and a VM. Replication of IPA also replicates the DNS, which is stored in LDAP in this case.

Why is he getting so downvoted? I have no clue what FreeIPA is, but can it be that bad ?

I do not know why he is downvoted. but i guess that it could be because it is massive overkill for a recursive dns server.

FreeIPA is at its core an user management and authentication system. All users are stored in a central LDAP server, but it integrates Kerberos so it’s more secure. It manages DNS because it must, it also controls NTP because Kerberos needs it

It provides a nice web front end along with some additional access controls like just based acl’s so that user a can log into host a but not host b.

There are other features, but that’s for another discussion.

Downvotes? They really don’t matter, it is valid information. Perhaps GUI hate? I don’t mind one when it can make things better. I’ve written bind config files for 20 years, so I’m quite able. IPA’s GUI is still quite nice.

It's pretty off-topic. FreeIPA is an identity management and control system, not a DNS server. It includes a DNS server, but it's only tangentially related to the request of 'how to set up my own resolver', and for most people's homes is not an appropriate solution at all.

I tried this for a while, but doing a secure lookup directly to a root server takes quite a bit longer than using a DNS server like Google or Cloudflare's. Now I still run unbound for local caching, but I forward requests to Cloudflare's DNS for speed on new names.

CISSP3 points·1 month ago

To correct a common misconception though, it doesn't query those 13 root servers for much.

All you get from the root is the name servers for each TLD, which then provide you the name servers for each domain, and so on. But it's not like you need to keep asking the root that yes, Verisign name servers are for .com.

How does one do this. Would love to build a DNS server and possibly web proxy to better black/whitelist domains

Look into OpenBSD's pf(4) and relayd(8), along with something like unbound(8) to have an authoritative recursive DNS resolver, though if you'd prefer, relayd can proxy DNS requests over an arbitrarily large table of servers depending on their availability, as well as proxy web traffic to enable highly customizable filtering and redirection.

Where does this box sit in relation to router and clients — or is this running local on the machine in use

Technically, it could be your router too if you wanted, but I use it in place of other firewalls.

Same. Unbound is the resolver for my home network, running on FreeBSD.

Me too. Makes things noticably faster. Cached results on your lan > any public DNS.

SPBM Zealot0 points·1 month ago

Why directly to root vs a public cache like the mentioned quad9 or similar?

does slaac on /112 networks3 points·1 month ago

because I don't want them to sell my data?

SPBM Zealot4 points·1 month ago

Because an inspection filter on UDP 53 is any harder and having your IP be the source querier to every remote domain host instead of some public caching server is better? Safer bet to pick 1 entity to trust instead of everyone you query and everyone inbetween but whatever.

15 points·1 month ago·edited 1 month ago

Right .. all these people talking about using their "own DNS server" don't seem to realize that DNS is plaintext anyway. The root DNS servers don't resolve domains either. They just tell you to look to someone else to get closer to your query. Reddit's DNS is hosted on AWS, so when you resolve reddit.com, AWS gets your query one way or another.
Running "your own server" also doesn't help if your ISP is doing the snooping, or anyone else between you and the internet. It's trivial to flag UDP/53 and inspect the headers to determine what's being resolved and when. Even if you could prevent someone from snooping on your DNS, they can still look at your TCP traffic to see what IP addresses you were talking to.
This is just not worth the administration effort, IMO.

If you're going to run a DNS caching server on premises, do it for speed/efficiency, not because you think it'll protect your privacy.

So much this.

There's no privacy on the Internet. People need to accept it and move on.

We have our own local DNS both at work and at my home to resolve queries or forward them to our ISP or OpenDNS/Google DNS - depending which site. Local DNS just helps speed up queries and reduce load on public DNS servers.

If the isp is snooping they just see the dns server, they dont know if its one machine or 1000 though.

Facebook alteady knew you connected to them since they also control the webserver. They do not learn much more thru your dns query. In this case quad9 also know since they now control your dns. Also quad9 know everything you lookup/browse/use. If you use your own dns. Only the company you connect to knows, and they allready knew since they control the service.

SPBM Zealot2 points·1 month ago

Facebook alteady knew you connected to them since they also control the webserver.

Most sites on the internet do not host their own DNS server.

most big ones do.

And if they do not, they pay for the DNS/registrar service from someone. the DNS operator have no incentive to farm and sell your information since that may loose them their paying customer, if it becomes known.

when you use a free service you are the product beeing sold.

so use your own in house recursive caching dns server if you care about who sees your dns queries. run it thru tor onion routing if you are serious and/or paranoid.

SPBM Zealot2 points·1 month ago

the DNS operator have no incentive to farm and sell your information since that may loose them their paying customer, if it becomes known.

By that logic there is no reason to fear your ISP.

so use your own in house recursive caching dns server if you care about who sees your dns queries. run it thru tor onion routing if you are serious and/or paranoid.

Sure, but the original statement was "I have my home server query root servers directly" not "I run DNS requests through TOR".

By that logic there is no reason to fear your ISP.

less reason then to fear a "free" service yes. I work for an ISP, and know exactly what our DNS servers are doing so a bit special for me. But in my country ISP's are not normally up to very shady stuff, and they want your continued business so they have a bigger incentive to stay "clean" when there is some competition.

Sure, but the original statement was "I have my home server query root servers directly" not "I run DNS requests through TOR".

Still better then relying on someone else's DNS server if you care about that. quad9 is even funded by foreign (for me) law enforcement agencies. I am not saying they are up to shady business, and they are harvesting precrime evidence ala minority report. Could be it is a awesome security measure. But I just do not know them, I have no incentive to trust them more then anyone else I do not know.

the point was that if you was serious about privacy there are tools for that. And I need to see a lot more transparency and history from quad9 (and it's funding company) before i would recommend them to anyone.

Because an inspection filter on UDP 53 is any harder

It is substantially harder to collect data this way than turning on a DNS resolver's query logging. Not much of a barrier for a determined adversary, but acting like it's the same or as easy is disingenuous.

And as has already been pointed out, if you're doing a DNS query, you're typically trying to connect to something within that domain, which will certainly be able to log you whether you query them directly or not.

And this does nothing to solve that, your ISP controls the pipe you use, it is trivial for them to log all port 53 traffic and inspect/log the dns query regardless of the dns server you are using.

You think you're protecting yourself but you really aren't.

They can do this whether you implement your own recursive resolver or use someone else's. Using someone else is another party with your query history, and one that is more motivated to monetize it, if you're using a 'free' service. It still seems worthwhile.

I mean, agree to disagree. It's more effort than whatever marginal benefit you may get. At the end of the day the websites still know where you are connecting from, and, the root DNS servers are not authoritative for every domain on the planet and are still going to defer the query to the authoritative server regardless.

For example, you don't want amazon to see your DNS queries, so you query a root server, well they will pass that DNS query to amazon's authoritative servers and they will still see the source of that query was you, on top of the fact that they will see the IP you are connecting from. You've gained no additional privacy and just wasted your time.

For example, you don't want amazon to see your DNS queries, so you query a root server, well they will pass that DNS query to amazon's authoritative servers and they will still see the source of that query was you, on top of the fact that they will see the IP you are connecting from. You've gained no additional privacy and just wasted your time.

Almost none of your queries will touch the root. You're connecting to Amazon, they have your information already whether the DNS query hits them or not. There doesn't seem to be any advantage to denying them the DNS traffic when you're about to establish a TCP connection with them.

You're not connecting (in this example) to CloudFlare, so they know nothing about your traffic to Amazon unless you are using them for DNS.

Obviously some services will use 3rd-party DNS, but this is a much smaller cross section, and a much smaller window of visibility, than giving all of your queries to one party.

I think Quad9 is pretty decent. Although because it’s security-minded, it does not send eDNS0 and therefore I have found that sometimes I am sent to a less than ideal CDN endpoint which does result than slower than usual downloads.
I just run my own recursive resolvers on my network.

It works, it's quick, and it's "safer". No complaints.

Original Poster4 points·1 month ago

I just found out about quad9. Outside of an internal DNS server to keep people off of things like FaceBook & Pornhub, I never really thought of a DNS as a security feature. I figure it might be worth while if it adds an ounce of security without any real speed cost. I'm just worried about false positives.

What happens if you go to a blocked site? Does it just say this site doesn't exist, or does it give you a page with options?

I think it just times out when trying to connect. I've never seen that yet though.

Thanks will check out quad9 now too

Have been OpenDNS fan for years because can choose what categories to block so handy for home/office networks can configure each as needed. Only limit to free plan is only 15 domains black/whitelist otherwise their curated categories are just what they make them to be. Users get a notify screen you configure that admin has blocked this site etc.

Comment deleted1 month ago
commit confirmed1 point·1 month ago

You could take a look at the Untangle firewall

Just switched (in the past two weeks) to quad1 and 1.1 I am quite impressed with the speed and want to believe the privacy claims.

I had issues resolving records through nslookup with quad1, mainly mx records and as a sys admin it kinda forced me to change back to quad8..

commit confirmed1 point·1 month ago

Based on the rate of errors I see from CloudFlare sites in general, I am PRETTY hesitant to think their DNS is going to be any more reliable.

Hilariously 1.1.1.1 has been an example in configurations as a lab IP and "non-routeable" for years, even though it's very much a real address. Some interesting chat on NANOG about this.

Our DNS forwarder order:

Quad9

OpenDNS

Everything working well so far.

OpenDNS, I've been using them for years in various areas across the US. Haven't found a place where it is slow. Also features like blockign what you want to block, etc.

JNCIS-SEC3 points·1 month ago

Currently using 1.1.1.1 with 8.8.8.8 as secondary. I tried using 9.9.9.9 for a bit but found slow response times.

I'm using 9.9.9.9 as my primary, with 8.8.8.8 as my secondary at home. I haven't noticed any speed issues... but for shits and giggles I might just give 1.1.1.1 a shot.

FYI - Quad9 and OpenDNS block phishing addresses, while Google and CloudFlare DNS do not.

FYI - Chrome and Safari block fishing addresses, while a fork and a spoon do not.

FYI - Quad9 blocks botnet addresses, while Chome, Safari, and a banana do not.

I love that you jumped on the bandwagon. 🤗👍🏻

I tend to rotate through a pretty large list from various companies. I mostly like that it's a decent public DNs service that's easy to remember and isn't google.

While not currently implemented, I'd much rather use OpenBSD with pf(4) and relayd(8) for webfiltering than rely on DNS services to handle that for me.

  • Work: AD DNS forwarding to Umbrella

  • Home: IPA forwarding to OpenDNS Family Shield

Considering moving home to forward to pihole then to OpenDNS Family Shield, but I have other projects on my plate at the moment.

Our own recursive servers that go straight to the roots. That anybody would do differently, using somebody else's infrastructure, is really odd to me. You should not allow DNS outbound except for your external recursive DNS servers. Security 101.

Same for my home network.

[deleted]
0 points·1 month ago

[removed]

Moderator of r/networking, speaking officially4 points·1 month ago

Thanks for your interest in posting to this subreddit. To combat spam new accounts can't immediately submit or post.

Please DO NOT message the mods requesting your post be approved.

You are welcome to resubmit your thread or comment in ~24 hrs or so.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

I like quad9. Don't notice any issues with speed, but then i don't really have a use-case for needing the bleeding edge, so i'll take the additional security features instead.

Cloudflare.

Have tried most of the large free varients. I have all the wifi clients in my home on quad9 and all of my devices go to 1.1.1.1 as I wanted the slight speed boost. If I could choose 1 I would choose quad9 as it has 0 speed effect for me for the added security. Also don't want any rogue IOT devices going to malicious links that quad9 apprantly stops in some cases

Got many problems with it at work: many popular domains unreachable for no reason. Switched to 1.1.1.1.

I'm using 9.9.9.9. as my primary at home, and haven't had any issues.

I use 9.9.9.9 for family, friends, and a few small business situations I help out with.

For work we use 1.1.1.1 and 8.8.8.8 because the slow lookups on quad9 and the way it responds on blocked sites caused an issue. People complained they could not get to places, and our blocking software in the enterprise/ corporate world was more informative. We found letting Google Chrome and our Firewall block at least caused it to be logged and the user informed.

For home setups where you don't have a filtering FW or you don't trust them (and they might have local admin) I like quad9.

Odd for an enterprise/corporate world to not have your own recursive dns servers.

It's about what you choose to use for your upstream lookups. You can go for the root servers or you can use ISP or others. Some places, especially smaller enterprise use ISP or one of the quads.

Ahh so you do have internal DNS servers but you're using forwarders instead of root hints, thought you were just pointing everyone directly outside. Any particular reason for relying on someone elses recursive dns server as a forwarder instead of just enabling root hints on your own?

typically speed of lookups.

Faster, and as a consultant for years I find people did not do a good job of maintaining their DNS servers. It's always an afterthought. Using forwarders avoided issues if missing root hints, slow connections from some providers, and security. DNSSec and DNS over TLS was something some are making a big deal about to avoid DNS poisoning issues.

So just relying on them to already have it cached due to other users, makes sense I guess.

For the quads they have the major items cached, the rest will be looked up. This pulls a lot of load off of the DNS servers and honestly even in 1000+ to 5000+ user companies I find that AD & DNS get little love. So, it is not uncommon for them to have issues, errors, and need help.

We have a global Infoblox deployment, if anything needs to reach out to the internet the 'Bloxes hit the root servers.

I'm not a big fan of breaking the DNS protocol. That means redirect queries that don't respond (like some vendors did in the past) or filtering.

Filtering relies on blocking the requests to specific sites and sending a false respond back to the clients. I want a DNS service to tell me the truth, if something responds or not on the Internet.

1.1.1.1 because of the speed and opendns for back-up.

I started using Quad9 when it came out and have switched to CloudFlaire. I wish Windows supported secure DNS naively.

at homeLocal AD servers use two Piholes as forwarders that are using 1.1.1.1 and 8.8.8.8. MSP clients we use open dns

Started using 1.1.1.1 but we have CloudFlare on our Internet Exchange here in Pittsburgh so our datacenter gets like 0.33ms to CloudFlare. They seem to be the fastest no matter how high/low your latency to them is, they just query faster I guess.

8.8.8.8 is the other option. We run local resolvers, but almost no one uses them.

I use $dayjob's resolvers because they are my ISP, and I operate them.

At home I'm forwarding all requests to a Debian VM running DNSDIST (PowerDNS) to cache responses and balance between 6 PiHoles, which use Quad9 as their forwarder through DNS-over-TLS. This setup adds about 2ms over querying Quad9 directly when caching is not involved.

If only there was a way to use DNS natively...

packetpushers.net1 point·1 month ago

Cloudflare but I use 1.0.0.1 instead of 1.1.1.1

Just because I'm that person.

Considering it's down today should tell us something...

https://twitter.com/hashtag/quad9

https://www.quad9.net/faq/#Is_there_a_service_that_Quad9_offers_that_does_not_have_the_blocklist_or_other_security

The primary IP address for Quad9 is 9.9.9.9, which includes the blocklist, DNSSEC validation, and other security features. However, there are alternate IP addresses that the service operates which do not have these security features. These might be useful for testing validation, or to determine if there are false positives in the Quad9 system.

Secure IP: 9.9.9.9 Provides: Security blocklist, DNSSEC, No EDNS Client-Subnet sent. If your DNS software requires a Secondary IP address, please use the secure secondary address of 149.112.112.112

Unsecure IP: 9.9.9.10 Provides: No security blocklist, DNSSEC, sends EDNS Client-Subnet. If your DNS software requires a Secondary IP address, please use the unsecure secondary address of 149.112.112.10

Note: Use only one of these sets of addresses – secure or unsecure. Mixing secure and unsecure IP addresses in your configuration may lead to your system being exposed without the security enhancements, or your privacy data may not be fully protected

Every1 it’s the fastest. Check out dnsperf.com

Just switched yesterday from OpenDNS to SafeDNS. I like the content controls so far, and through testing they are doing a good job of blocking ads/banners.

-5 points·1 month ago(0 children)

The United States Government owns several of the root server addresses.

Community Details

118k

Subscribers

517

Online

###Enterprise Networking Routers, switches and firewalls. Network blogs, news and network management articles. Cisco, Juniper, Brocade and more all welcome.

Create Post

r/networking Rules

1.
Rule #1: No Home Networking.
2.
Rule #2: No Certification Brain Dumps / Cheating.
3.
Rule #3: No BlogSpam / Traffic re-direction.
4.
Rule #4: No Low Quality Posts.
5.
Rule #5: No Early Career Advice.
6.
Rule #6: Educational Questions must show effort.
Cookies help us deliver our Services. By using our Services or clicking I agree, you agree to our use of cookies. Learn More.