New secure Quad9 DNS service supports IPv6

Quad9 is a new DNS service that protects against malware. Previously I would have recommended OpenDNS to provide this service, but it doesn’t support IPv6 with the malware protection; it only has an IPv4 resolver. Quad9 supports both and protects against malware domains.

Quad9 is the result of a partnership between IBM (who provided the 9.9.9.9 IP address used), Packet Clearing House, and the Global Cyber Alliance. PCH has worked since 1995 to deliver a faster, more scalable Domain Name System, making it more resilient against attack. PCH pioneered anycast to spread load among more locations. They have been anycasting top-level domain nameservers since 1997, and root nameservers since 2001. The GCA is an international, cross-sector group that wants to confront, address, and prevent malicious cyber activity. The Global Cyber Alliance is unique as it spans borders and sectors, making it different to industry or country-specific endeavours.

While all that sounds reasonable, there are a large number of law enforcement agencies within the GCA. That might hinder adoption from the ultra-paranoid, even if Quad9 claim no identifiable logging of DNS requests. However, queries transmitted across the network can be TLS encrypted, and the resolvers use DNSSEC to ensure the names passed come from confirmed sources. Various threat feeds, including IBM’s X-Force, are used to screen the DNS addresses of known malicious sites, and these return an NXDOMAIN error rather than redirecting you to an alternate location.

If you want to set up your systems to use the Quad9 DNS service, then just set the DNS servers on your system to 9.9.9.9, or 2620:fe::fe, the IPv6 resolver. (Although why they didn’t reflect either :9999 or 9:9:9:9 at the end of the address, I’ll never know.) Use the videos on the Quad9 Setup page for help with the Apple and Microsoft Windows platforms.
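After changing the setting, you can confirm that both resolvers answer and see which response code each returns. The script below is an added example, not code from Quad9 or from the original post. It builds a plain DNS query by hand, sends it to the IPv4 and IPv6 addresses above, and reports the RCODE, which is where the NXDOMAIN for a screened name shows up. The function names, the query ID and the `example.com` test name are assumptions made for the example.

```python
import socket
import struct

# Resolver addresses as given in the post.
QUAD9 = {"IPv4": "9.9.9.9", "IPv6": "2620:fe::fe"}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x9999, qtype=1):
    """Encode one RFC 1035 question (qtype 1 = A record) with the RD flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    body = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length in %r" % name)
        body += bytes([len(label)]) + label.encode("ascii")
    return header + body + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(resp, qid=0x9999):
    """Return (rcode name, answer count) from a DNS response header."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, str(rcode)), answers

def ask(server, name, timeout=3.0):
    """Send the query over plain UDP port 53 (not the TLS-encrypted path)."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_header(s.recvfrom(4096)[0])

# Constructed sample: header of an NXDOMAIN response (QR, RD, RA set, RCODE 3).
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x9999, 0x8183, 1, 0, 0, 0)

if __name__ == "__main__":
    for label, server in QUAD9.items():
        try:
            print(label, server, ask(server, "example.com"))
        except (OSError, ValueError) as exc:
            print(label, server, "no usable answer:", exc)
```

A host without IPv6 connectivity will report the 2620:fe::fe resolver as unreachable, which is itself a useful check before relying on it.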

Stay safe out there.