New secure Quad9 DNS service supports IPv6


Quad9 is a new DNS service that protects against malware. Previously I would have recommended OpenDNS to provide this service, but OpenDNS doesn’t support IPv6 with the malware protection; it only has an IPv6 resolver. Quad9 supports IPv6 and protects against malware domains.

Quad9 is the result of a partnership between IBM (who provided the 9.9.9.9 IP address used), Packet Clearing House, and the Global Cyber Alliance. PCH has worked since 1995 to deliver a faster, more scalable Domain Name System, making it more resilient against attack. PCH pioneered DNS anycast to spread DNS load among servers in more locations. They have been anycasting top-level domain name servers since 1997, and root name servers since 2001. The GCA is an international, cross-sector group, who want to confront, address, and prevent malicious cyber activity. The Global Cyber Alliance is unique as it spans borders and sectors, making it different to industry or country-specific endeavours.

While all that sounds reasonable, there are a large number of law enforcement agencies within the GCA. That might hinder adoption from the ultra-paranoid, even if Quad9 claims no identifiable logging of DNS requests. However, queries transmitted across the network can be TLS encrypted, and the resolvers use DNSSEC to ensure names passed come from confirmed sources. Various threat feeds, including IBM’s X-Force, are used to screen DNS queries against known malicious sites, and matches return an NXDOMAIN error rather than redirecting you to an alternate location (compared with other providers, which may fill a landing page with adverts to provide a revenue stream).

If you want to set up your systems to use the Quad9 DNS service, then just set the DNS servers on your system to 9.9.9.9, or 2620:fe::fe, the IPv6 resolver. (Although why they didn’t reflect either :9999 or 9:9:9:9 at the end of the address, I’ll never know.) The videos on the Quad9 Setup page walk through the change for Apple and Microsoft Windows platforms.
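To confirm that both resolver addresses are reachable after the change and to see how they answer, the following added example (not code from Quad9 or from this post) sends a plain UDP query to each address and reads the reply header for the response code and the DNSSEC "authenticated data" flag. The function names, the fixed transaction ID and the two sample headers are assumptions made up for illustration.

```python
import socket
import struct

RESOLVERS = ("9.9.9.9", "2620:fe::fe")  # Quad9 addresses given in the post
TXID = 0x1310  # fixed ID for the demo only; real clients randomise it

def build_query(name, qtype=1):
    """Build a recursive DNS query (qtype 1 = A, 28 = AAAA)."""
    # Flags 0x0120: RD (recurse) + AD (ask for the DNSSEC validation result).
    header = struct.pack("!HHHHHH", TXID, 0x0120, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def classify_response(packet):
    """Read the 12-byte header and report how the resolver answered."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != TXID or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    # NXDOMAIN is what the post says a blocked name returns; a name that
    # really does not exist looks the same at this level.
    verdict = {0: "resolved" if ancount else "no-data",
               2: "servfail",
               3: "nxdomain"}.get(rcode, "rcode-%d" % rcode)
    return {"verdict": verdict, "answers": ancount,
            "dnssec_validated": bool(flags & 0x0020)}  # AD bit

def ask(resolver, name, qtype=1, timeout=3.0):
    """Send the query over UDP port 53 to one resolver (needs network)."""
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (resolver, 53))
        return classify_response(sock.recv(4096))

# Constructed sample response headers (not captured traffic).
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", TXID, 0x8183, 1, 0, 0, 0)
SAMPLE_RESOLVED = struct.pack("!HHHHHH", TXID, 0x81A0, 1, 1, 0, 0)

if __name__ == "__main__":
    print(classify_response(SAMPLE_NXDOMAIN))
    print(classify_response(SAMPLE_RESOLVED))
    for addr in RESOLVERS:
        try:
            print(addr, ask(addr, "example.com"))
        except (OSError, ValueError) as exc:  # timeout, no IPv6 route, bad reply
            print(addr, "failed:", exc)
```

An "unreachable" result for 2620:fe::fe while 9.9.9.9 answers usually means the host has no working IPv6 path, so it is only using the IPv4 resolver.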

Stay safe out there.

 

John Dixon

John Dixon is the Principal Consultant of thirteen-ten nanometre networks Ltd, based in Wiltshire, United Kingdom. He has a wide range of experience, (including, but not limited to) operating, designing and optimizing systems and networks for customers from global to domestic in scale. He has worked with many international brands to implement both data centres and wide-area networks across a range of industries. He is currently supporting a major SD-WAN vendor on the implementation of an environment supporting a major global fast-food chain.
