Quad9 - a private and secure DNS in South Africa

Bradley Prior

MyBroadband Journalist
Super Moderator
Joined
Oct 16, 2018
Messages
1,807
Quad9 - a private and secure DNS in South Africa

For the past year, a non-profit organisation called CleanerDNS has been running a Domain Name System service in South Africa called Quad9 in partnership with INX-ZA.

Located at 9.9.9.9, Quad9 describes itself as a free, recursive, anycast DNS platform that provides security protections, privacy, and high-performance.
 

Bryn

Doubleplusgood
Joined
Oct 29, 2010
Messages
14,577
1.1.1.1 must be making life very difficult for all other DNS services.
 

elvis_presley

Expert Member
Joined
Sep 5, 2007
Messages
3,284
I tried Quad9 a few months ago and it was quite flaky - blocked a lot of legit sites, but a subsequent DNS query worked. I loved the concept, but it didn't work in practice. Maybe time to give it another go to see if they've ironed out the kinks.
 

ekske1

Executive Member
Joined
Apr 22, 2017
Messages
5,073

ponder

Honorary Master
Joined
Jan 22, 2005
Messages
76,598
Been using Cloudflare's 1.1.1.1 & 1.0.0.1 for a while now and it's great.
 

Sollie

Expert Member
Joined
Apr 20, 2005
Messages
4,279
> 1.1.1.1 must be making life very difficult for all other DNS services.
How does Cloudflare's malicious domain filter work for you? ;)

I think you missed the point. The point of Quad9:
> Quad9 said it checks all sites you look up through its DNS against a list of domains combined from 19 different threat intelligence partners. It then blocks known malicious domains, preventing your computers and IoT devices from connecting to malware or phishing sites.
Earlier in the year, Irena Damsky did a pretty good pick-and-choose for us:

https://medium.com/damsky-tech/the-rising-of-the-alternative-dns-services-464876dbf007
This was too long — can you summarize in 4 sentences?
1.1.1.1 — for speed
8.8.8.8 — for privacy
9.9.9.9 — for security (although, you get privacy here as well)
(and, if you are already on 8.8.8.8, either go to 9.9.9.9 or stay there, the 20 ms that 1.1.1.1 will gain you is not worth the time you will invest in changing configuration and/or the lost privacy)
So if you need to set up DNS for your company/mother or somebody you care about and need to protect them from something like sars.gov.com or yourbank.za.com, or even punycode attacks, use 9.9.9.9 :)
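The quoted Quad9 description and the sars.gov.com / yourbank.za.com / punycode examples above describe two resolver-side checks: a merged threat list that blocks a domain and everything under it, and detection of punycode labels that imitate a trusted name. The script below is an added example written for this thread, not Quad9's or Pi-hole's code; the feeds, the protected names and the confusable-character table are constructed stand-ins, and the skeleton logic is a simplified version of the UTS #39 approach.

```python
"""Resolver-side filtering of the kind the quoted Quad9 description outlines:
refuse names on a merged threat list and catch punycode look-alikes of
protected names. Added example; feeds and names below are constructed."""
import unicodedata

# Constructed stand-ins for threat-intelligence feeds; a real resolver merges
# many feeds the same way (set union) and refreshes them periodically.
FEEDS = {
    "feed-a": {"sars.gov.com", "yourbank.za.com"},
    "feed-b": {"malware-c2.example", "yourbank.za.com"},
}
BLOCKLIST = set().union(*FEEDS.values())

# Names to protect from homograph imitation (constructed).
PROTECTED = {"yourbank", "sars", "apple"}

# Small constructed subset of UTS #39 confusables: non-Latin letters that render
# like Latin ones. Keys are escapes so they are unmistakably non-ASCII.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l", "\u04bb": "h", "\u0501": "d", "\u03bf": "o", "\u03bd": "v",
}


def normalise(name):
    """Lower-case and drop the trailing dot so lookups are canonical."""
    return name.strip().rstrip(".").lower()


def blocked_by_list(name, blocklist=BLOCKLIST):
    """Return the blocklist entry matching `name` or any parent domain, else None.
    Matching parents means listing evil.example also blocks cdn.evil.example."""
    labels = normalise(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def decode_label(label):
    """Decode a punycode (xn--) label to Unicode; return it unchanged if it is not valid IDNA."""
    if not label.startswith("xn--"):
        return label
    try:
        return label.encode("ascii").decode("idna")
    except UnicodeError:
        return label


def skeleton(label):
    """Map confusable characters to their Latin look-alikes (simplified UTS #39 skeleton)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))


def homograph_of(name, protected=PROTECTED):
    """Return the protected name that a punycode label in `name` imitates, else None."""
    for label in normalise(name).split("."):
        if not label.startswith("xn--"):
            continue
        decoded = decode_label(label)
        look_alike = skeleton(decoded)
        # A hit only when the label was non-ASCII but its skeleton is a protected ASCII name.
        if not decoded.isascii() and look_alike.isascii() and look_alike in protected:
            return look_alike
    return None


def classify(name):
    """Decide what the resolver should do with a query for `name`."""
    entry = blocked_by_list(name)
    if entry:
        return f"block (threat list: {entry})"
    target = homograph_of(name)
    if target:
        return f"block (homograph of {target})"
    return "allow"


if __name__ == "__main__":
    # Punycode of 'yourbank' spelled with Cyrillic o and a (constructed sample).
    lookalike = "y\u043eurb\u0430nk".encode("idna").decode("ascii")
    for q in ["www.yourbank.za.com", "yourbank.co.za", lookalike + ".co.za", "sars.gov.za"]:
        print(f"{q:40s} {classify(q)}")
```

The parent-domain walk is what makes a single list entry cover every subdomain, and the homograph check only fires on labels that are non-ASCII before decoding, so legitimate ASCII names never trip it; a real deployment would use the full UTS #39 confusables data rather than the short table here.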
 

Daruk

Honorary Master
Joined
Jul 18, 2008
Messages
39,038
The potential for spying via DNS is huge. Who is behind the 9999 service?

> No personally identifiable information is collected by the system, and Quad9 promises that not even IP addresses are stored to disk or distributed outside of the equipment it uses to answer DNS queries.
What about government? Given that IS operates the service here, are they not under the same law as any other service provider in terms of storing and handing over information to government on demand?
 

Anthro

Expert Member
Joined
Jun 13, 2006
Messages
2,369
> Yup, using Pi-Hole with 1.1.1.1 with DNS over SSL ftw.
Do you maybe have a decent comprehensive guide? (I tried but failed to implement this.)
Currently running NXFilter with DNS over HTTPS protocol.
 

MidnightWizard

Expert Member
Joined
Nov 14, 2007
Messages
4,694
> Do you maybe have a decent comprehensive guide? (I tried but failed to implement this.)
> Currently running NXFilter with DNS over HTTPS protocol.
I know squat about this but there are a whole lot of guides if you do a search

Try this one if you like fiddling with Raspberry

Raspberry Pi
 

Daruk

Honorary Master
Joined
Jul 18, 2008
Messages
39,038
> I know squat about this but there are a whole lot of guides if you do a search
>
> Try this one if you like fiddling with Raspberry
>
> Raspberry Pi
The hardest part is usually getting your regular router to handle DHCP while forwarding DNS to the pi... depending on the router.
 

MidnightWizard

Expert Member
Joined
Nov 14, 2007
Messages
4,694
> The hardest part is usually getting your regular router to handle DHCP while forwarding DNS to the pi... depending on the router.
I need to go and see how one implements this in a Windows Active Directory setup -- where DNS is handled by the server.
 

Daruk

Honorary Master
Joined
Jul 18, 2008
Messages
39,038
Why is that hard?
Some routers don’t let you configure DNS or configure a different DNS for clients than it uses or a different DNS server than itself.

Of course there are ways around that but it can be a ball-ache.

And I’m not debating levels of hardness here lol. I’m saying relative to setting the pihole up, that last hurdle can be a challenge if you have the wrong router.
 

eg2505

Honorary Master
Joined
Mar 12, 2008
Messages
15,813
Question: I use the 1.1.1.1 app on my Android phone, and recently I set up the Proton (free) VPN service.

Problem is, the two can't work together. Why?
Why can't one use a custom DNS with a VPN service, or do they conflict somehow?
 

uncleedd

New Member
Joined
Jan 5, 2019
Messages
1
> The potential for spying via DNS is huge. Who is behind the 9999 service?
>
> What about government? Given that IS operates the service here, are they not under the same law as any other service provider in terms of storing and handing over information to government on demand?
The point of Quad9 is to make browsing a) safe and b) anonymous. They filter out a large chunk of info that can be used to link a query to an IP.

As to who runs it, it is a company called PCH, and they also host a wad of TLDs. Very nice bunch of people.

Some people I know implemented it on their networks early on and saw a substantial drop in malware on their networks just because bad sites were being dropped.

Also, IS does not run it in ZA. They run it as much as Cloudflare is run by Teraco.
There are two nodes in an IS DC, yes, but there are also nodes in, I think, two of the Teracos.


> I tried Quad9 a few months ago and it was quite flaky - blocked a lot of legit sites, but a subsequent DNS query worked. I loved the concept, but it didn't work in practice. Maybe time to give it another go to see if they've ironed out the kinks.
Initially, there were some funnies based on people who routed traffic based on DNS source. So the routing went funny because they don't send that level of information.

Run this from a terminal in Linux and see what you see:
dig @8.8.8.8 txt edns-client-sub.net +short
dig @9.9.9.9 txt edns-client-sub.net +short
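The two dig commands above query a test name that reports back what client-subnet information the resolver passed upstream; the "level of information" in question is the EDNS Client Subnet (ECS) option from RFC 7871. The script below is an added example for this thread, not Quad9's code and not part of dig: it builds a TXT query with an ECS option in DNS wire format, reads the option back, and strips it the way a resolver that declines to forward the client's subnet would before sending the query on. The query name reuses edns-client-sub.net from the post; the 198.51.100.0/24 and 2001:db8:abcd::/48 networks are constructed sample values, and the packet is never sent anywhere.

```python
"""Build a DNS query carrying an EDNS Client Subnet (ECS, RFC 7871) option,
inspect it, and strip the option as a privacy-preserving resolver would before
forwarding upstream. Added example with constructed sample networks."""
import ipaddress
import struct

ECS_OPTION_CODE = 8   # EDNS option code assigned to Client Subnet
TYPE_TXT = 16
TYPE_OPT = 41
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ecs_option(network):
    """Encode one ECS option: family, source prefix, scope prefix, truncated address."""
    net = ipaddress.ip_network(network, strict=False)
    family = 1 if net.version == 4 else 2
    prefix = net.prefixlen
    addr_bytes = net.network_address.packed[: (prefix + 7) // 8]  # only the bytes the prefix covers
    data = struct.pack("!HBB", family, prefix, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(name, qtype=TYPE_TXT, ecs=None, txid=0x1234):
    """Return a recursion-desired query; with `ecs` set, an OPT record carries the subnet."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if ecs is not None else 0)
    packet = header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if ecs is not None:
        rdata = build_ecs_option(ecs)
        # OPT pseudo-RR: root name, type 41, UDP payload size in the class field, TTL 0
        packet += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata
    return packet


def _skip_name(packet, off):
    """Advance past a wire-format name, including a trailing compression pointer."""
    while True:
        length = packet[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def _records(packet):
    """Yield (rr_start, type, rdata_start, rdata_end) for every RR after the question."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4
    for _ in range(an + ns + ar):
        start = off
        off = _skip_name(packet, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        yield start, rtype, off, off + rdlen
        off += rdlen


def parse_ecs(packet):
    """Return ('network/source_prefix', scope_prefix) if an ECS option is present, else None."""
    for _, rtype, rstart, rend in _records(packet):
        if rtype != TYPE_OPT:
            continue
        off = rstart
        while off < rend:
            code, length = struct.unpack("!HH", packet[off:off + 4])
            off += 4
            if code == ECS_OPTION_CODE:
                family, source, scope = struct.unpack("!HBB", packet[off:off + 4])
                raw = packet[off + 4:off + length]
                size = 4 if family == 1 else 16
                addr = ipaddress.ip_address(raw + b"\x00" * (size - len(raw)))
                return f"{addr}/{source}", scope
            off += length
    return None


def strip_ecs(packet):
    """Return the packet with any ECS option removed; other EDNS options are kept."""
    out = bytearray(packet)
    # Walk records back to front so earlier offsets stay valid while rdata shrinks.
    for _, rtype, rstart, rend in reversed(list(_records(packet))):
        if rtype != TYPE_OPT:
            continue
        kept = b""
        off = rstart
        while off < rend:
            code, length = struct.unpack("!HH", packet[off:off + 4])
            if code != ECS_OPTION_CODE:
                kept += packet[off:off + 4 + length]
            off += 4 + length
        out[rstart - 2:rstart] = struct.pack("!H", len(kept))  # rewrite RDLENGTH
        out[rstart:rend] = kept
    return bytes(out)


if __name__ == "__main__":
    q = build_query("edns-client-sub.net", ecs="198.51.100.0/24")
    print("client sends:", parse_ecs(q))
    print("after strip: ", parse_ecs(strip_ecs(q)))
```

The resolver-side step is the interesting one: a resolver that forwards ECS tells the authoritative server which /24 the query came from, which is what the dig test exposes, while one that strips it (or never adds it) leaves the authoritative side with only the resolver's own address.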
 