Add Quad9 (9.9.9.9) to the default DNS servers

I would like to have the new Quad9 (https://www.quad9.net/) DNS server, 9.9.9.9, added.

Quad9 is a joint venture between IBM Security, Packet Clearing House (PCH) and the Global Cyber Alliance (GCA). It blocks malicious domains around phishing, malware, and exploit kit domains. (Bad domains are returned with NXDOMAIN.)

They also have pretty decent privacy policies. "Quad9 infrastructure does not store any personal data about its users." "When an entity or an individual is using the Quad9 infrastructure, their IP address is not logged in our system." "Quad9 does not and never will share any of its data with marketers, nor will it use this data for demographic analysis."

They respect NXDOMAIN: "There is no redirection of misspelled domain lookups. NXDOMAIN replies are provided for DNS lookups that do not exist."

They use DNSSEC: "Quad9 provides DNSSEC validation on our 9.9.9.9 resolver."

They offer IPv6: "Quad9 operates identical services on a set of IPv6 addresses[...]"

How do you tell which domains Quad9 is blocking and which would return NXDOMAIN even without Quad9?

To put it another way I'd rather have Quad9's block list in my Pi-hole so I could see its effects in the query logs.



If you can't get Quad9's block list by downloading it, it would still be possible to write code to probe Quad9 to get their "opinion" and then treat it like a blocklist entry. This would allow query logging and whitelisting on Pi-hole.

You've intrigued me. Pi-hole aside, that would be a very handy tool in general to troubleshoot whether an external (or internal) DNS server is not allowing certain traffic, and then use the same tool on another one that does allow it.


A very simple example of how to compare two DNS servers follows.
The syntax is funny so I will explain it first with a very simple example of just the syntax:

Pure diff on ordinary files:

$ echo one > one
$ echo two > two
$ 
$ diff one two
1c1
< one
---
> two

Same using subshells to access the files:

$ diff <(cat one) <(cat two)
1c1
< one
---
> two
$ 

Pseudo-code breakdown of the dig example:

diff <(
        sort -u <(
            dig +nottlid +noall +answer @ns.myfirstserver.com example.com A
        )
     ) <(
        sort -u <(
            dig +nottlid +noall +answer @ns.mysecondserver.com example.com A
        )
     )

Actual code for diff of two dig commands:
With no output due to match:

diff <(sort -u <(dig +nottlid +noall +answer @8.8.8.8 example.com A) ) <(sort -u <(dig +nottlid +noall +answer @9.9.9.9 example.com A) )

With output due to Quad9 blocking:

diff <(sort -u <(dig +nottlid +noall +answer @8.8.8.8 dieutribenhkhop.com A) ) <(sort -u <(dig +nottlid +noall +answer @9.9.9.9 dieutribenhkhop.com A) )
1d0
< dieutribenhkhop.com.	IN	A	127.0.0.1

going to bookmark this for now...

but if you add some whiptail boxes, you could specify the dns servers on each run!

Ultimately, I want Pi-hole to have dynamic block lists so that Quad9 or similar DNS data sources can be treated like block lists and thereby evaluated via the Pi-hole query log output and whitelisted like classic block list entries.

It may make more sense to compare 9.9.9.9 against 9.9.9.10 but then again maybe not.

At this point I know:

The difference between 9.9.9.9 and 9.9.9.10: one is not just a "secondary" for the other. 9.9.9.9 has a blocklist and supports DNSSEC, but doesn't support EDNS Client-Subnet, which means your geolocation might get messed up. 9.9.9.10 is the opposite: no blocklist or DNSSEC, but it does support EDNS Client-Subnet.

Quad9 will be available in the next release (after 3.2)


With or without recursion, Quad9 reports NXDOMAIN for a blocked entry:

$ dig +nord @9.9.9.9 isitblocked.org A

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +nord @9.9.9.9 isitblocked.org A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50942
;; flags: qr ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;isitblocked.org.		IN	A

;; Query time: 19 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Fri Dec 15 09:12:25 EST 2017
;; MSG SIZE  rcvd: 44
$ dig @9.9.9.9 isitblocked.org A

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @9.9.9.9 isitblocked.org A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8982
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;isitblocked.org.		IN	A

;; Query time: 12 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Fri Dec 15 09:12:42 EST 2017
;; MSG SIZE  rcvd: 44

For a genuine non-existent domain, with recursion Quad9 hands off the query ('ra' flag set):

$ dig @9.9.9.9 isitblocked.org.asdf A

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @9.9.9.9 isitblocked.org.asdf A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33765
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;isitblocked.org.asdf.		IN	A

;; AUTHORITY SECTION:
.			3162	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017121500 1800 900 604800 86400

;; Query time: 16 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Fri Dec 15 09:13:48 EST 2017
;; MSG SIZE  rcvd: 124

Without recursion it returns REFUSED:

$ dig +nord @9.9.9.9 isitblocked.org.asdf A

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +nord @9.9.9.9 isitblocked.org.asdf A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53746
;; flags: qr ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 20 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Fri Dec 15 09:13:43 EST 2017
;; MSG SIZE  rcvd: 12

So you do not have to compare two different name servers to see if Quad9 is blocking or not.

Kudos to the president of IvyDNS for telling me to look at something along these lines.

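The two approaches in this thread (diffing the answer sections of two resolvers, and reading Quad9's own NXDOMAIN response flags) can both be done offline against saved dig output. The script below is an added example, not code from the thread or from Pi-hole or Quad9. It parses the header and flags lines that dig prints, classifies a response using the observation above (blocked name: NXDOMAIN, no 'ra', empty AUTHORITY; genuine miss: NXDOMAIN with 'ra' and an SOA in AUTHORITY), and compares two `+nottlid +noall +answer` answer sets the way the diff one-liners do. The sample inputs are constructed from the header lines of the dig runs captured in this thread; the function names and the label strings are my own, and the classification rule is assumed to hold only for the Quad9 behaviour observed here, not for resolvers in general.

```python
"""Classify and compare dig output offline (added example, not from the thread)."""
import re

# Header and flags lines as dig prints them, e.g.
# ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50942
# ;; flags: qr ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(
    r";; flags:([^;]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)"
)

# Sample inputs constructed from the header lines of the dig runs shown in the thread.
BLOCKED_NORD = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50942
;; flags: qr ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BLOCKED_RD = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8982
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
GENUINE_NXDOMAIN = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33765
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""
REFUSED_NORD = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53746
;; flags: qr ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
# Answer sections from the '+nottlid +noall +answer' comparison in the thread:
# 8.8.8.8 returned one A record, 9.9.9.9 returned nothing.
GOOGLE_ANSWER = "dieutribenhkhop.com.\tIN\tA\t127.0.0.1\n"
QUAD9_ANSWER = ""


def parse_dig(output):
    """Extract status, flag set and section counts from full dig output."""
    status, flags, counts = None, set(), {}
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            status = m.group(2)
            continue
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            counts = {
                "query": int(m.group(2)),
                "answer": int(m.group(3)),
                "authority": int(m.group(4)),
                "additional": int(m.group(5)),
            }
    if status is None:
        raise ValueError("no dig header line found")
    return {"status": status, "flags": flags, "counts": counts}


def classify(output):
    """Label one response: 'resolved', 'blocked-by-resolver', 'nxdomain', 'refused'.

    Rule assumed from the thread's Quad9 observations: a list hit is answered
    locally (NXDOMAIN, no 'ra', no AUTHORITY), while a real miss was recursed
    ('ra' set, SOA in AUTHORITY). Queries must carry the RD bit for a genuine
    miss to be distinguishable; with +nord Quad9 simply REFUSED.
    """
    info = parse_dig(output)
    status, flags, counts = info["status"], info["flags"], info["counts"]
    if status == "REFUSED":
        return "refused"
    if status == "NOERROR" and counts.get("answer", 0) > 0:
        return "resolved"
    if status == "NXDOMAIN":
        if "ra" not in flags and counts.get("authority", 0) == 0:
            return "blocked-by-resolver"
        return "nxdomain"
    return "other:" + status


def answer_set(output):
    """Answer RRs from 'dig +nottlid +noall +answer', whitespace-normalized."""
    return {" ".join(l.split()) for l in output.splitlines() if l.strip() and not l.startswith(";")}


def compare_answers(first, second):
    """Same result as 'diff <(sort -u ...) <(sort -u ...)', as record sets."""
    a, b = answer_set(first), answer_set(second)
    return {"only_first": sorted(a - b), "only_second": sorted(b - a)}


if __name__ == "__main__":
    for name, sample in [("blocked +nord", BLOCKED_NORD), ("blocked rd", BLOCKED_RD),
                         ("genuine miss", GENUINE_NXDOMAIN), ("refused +nord", REFUSED_NORD)]:
        print(f"{name:14s} -> {classify(sample)}")
    print(compare_answers(GOOGLE_ANSWER, QUAD9_ANSWER))
```

Feeding `dig @9.9.9.9 <name> A` output (with RD set, the default) into `classify` gives a per-query verdict that could be logged alongside Pi-hole's own blocklist decisions, which is what the request for "dynamic block lists" above is after; `compare_answers` reproduces the diff check for cases where you do want a second resolver's view.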

don't use Quad 9, it's not good for your health

but hey! it is run by London "police" - their big claim to fame was replacing ad banners on torrent sites with police badge logos to warn people the site is under investigation!

maybe it is a great new service which they totally won't use to gather data on people using the internet for something they don't agree with. just happened to fall into place right when they got permission by the courts to kill live football streams without further court orders; they just need to monitor traffic flows and grab IPs, and ISPs have to kill it instantly..

wonder what they could be thinking about setting up a DNS....

To be fair, we include Google as an option and they aren't much better.