Switch to Quad9 DNS Service to Block Malicious Domains
In November 2017, the Global Cyber Alliance in partnership with IBM and Packet Clearing House launched a new service to help combat cybercrime which is free for personal and business use.
It is a public DNS server called “Quad9” (9.9.9.9) which blocks DNS requests to known malicious sites. If a domain name is in the block list, the service simply responds to the query with a non-existent domain (NXDOMAIN) message. This is very appealing because DNS queries have historically been considered a weak link even in a mature security architecture. Blocking at the resolver can help prevent malware from phoning home and phishing links from connecting back to their sender’s servers.
How Quad9 Works
Quad9 routes your DNS queries through a secure network of servers around the globe. The system uses threat intelligence from more than a dozen of the industry’s leading cyber security companies to give a real-time perspective on which websites are safe and which are known to include malware or other threats. If the system detects that the site you want to reach is known to be infected, you’ll automatically be blocked from entry, keeping your data and computer safe.
To use the service, simply change client DNS settings or DNS forwarders to 9.9.9.9 (“Quad 9”). The filtering will immediately start working. There is no sign-up or account required. This service gets its intelligence from 19 different feeds, including IBM’s X-Force. Most IT technicians have fallen in love with using Google’s DNS service (primarily 8.8.8.8) since its launch in 2009, but Quad9 could be the new widespread favorite.
IBM owns the 9.0.0.0/8 “Class A” IPv4 address block (24 million IPs) and donated 2 IPs (9.9.9.9 and 9.9.9.10) to this cause. The second IP, 9.9.9.10, is used for research, testing and troubleshooting. It doesn’t have any blocking enforced.
Will My Privacy Be Protected?
The Global Cyber Alliance’s president and COO, Phil Reitinger, stated the following in an interview with Ars Technica: “Anyone anywhere can use it. The service will be ‘privacy sensitive’, with no logging of the addresses making DNS requests. We will keep only [rough] geolocation data for the purposes of tracking the spread of requests associated with particular malicious domains. We’re anonymizing the data, sacrificing on the side of privacy.”
Sounds great, but what about performance and reliability? As of launch, there were clusters of DNS servers configured in 70 different locations around the world. The organization expects to have 160 sites up and running by the end of 2018. Each cluster has at least 3 servers with more in critical points of presence.
Performance Depends on Location
SWC ran the DNS Benchmark tool created by Steve Gibson and the Gibson Research Corporation from a datacenter in Chicago in December 2017. The results showed that the Quad9 address was just as fast as Google DNS (8.8.8.8), Level 3 DNS servers (4.2.2.*) and OpenDNS.
Different areas of the globe will likely have better performance than others. Check performance for yourself by downloading GRC’s free tool, which has become the industry standard DNS performance testing and benchmark tool, or use the trace route (tracert) command.
What about False Positives?
Threat feeds are expected to be updated once or twice a day. This will not block malware that uses fast-changing DNS names and should not be counted on to block zero-day attacks. As with all security features, it could be used as an additional layer of defense. You can also use Quad9’s site to see if Quad9 is blocking a certain DNS record. This could also help with verifying false positives.
The service addresses the topic of false positives by using the Majestic Million daily top-million sites feed to whitelist the top domains that should never be blocked. Requests for false positive reviews can be submitted on the front page of the service’s site, quad9.net.
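The following is an added example, not code from the original article or from Quad9. It tells a Quad9 block apart from a genuinely missing domain by sending the same query to the blocking resolver and to the non-blocking one and comparing the response codes. The addresses 9.9.9.9 and 9.9.9.10 and all function names are assumptions of this example.

```python
import secrets
import socket
import struct

FILTERED = "9.9.9.9"     # assumed: Quad9's blocking resolver
UNFILTERED = "9.9.9.10"  # assumed: Quad9's non-blocking resolver
NOERROR, NXDOMAIN = 0, 3

def build_query(name, txid=None):
    """Encode a recursive A/IN query for `name` as a DNS wire message."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = name.rstrip(".").encode("idna").split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_reply(reply, query):
    """Return (rcode, answer_count); reject short or mismatched replies."""
    if len(reply) < 12 or reply[:2] != query[:2]:
        raise ValueError("reply is truncated or does not match the query ID")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0x000F, ancount

def ask(server, name, timeout=3.0):
    """Send one UDP query to `server` and return (rcode, answer_count)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(4096)
    return parse_reply(reply, query)

def classify(filtered, unfiltered):
    """Compare (rcode, ancount) from the blocking and non-blocking resolver."""
    f_rcode, _ = filtered
    u_rcode, u_answers = unfiltered
    if f_rcode == NXDOMAIN and u_rcode == NOERROR and u_answers > 0:
        return "blocked"      # name resolves, but the filter answered NXDOMAIN
    if f_rcode == NXDOMAIN and u_rcode == NXDOMAIN:
        return "nonexistent"  # genuinely absent, not a block
    if f_rcode == NOERROR:
        return "allowed"
    return "inconclusive"     # SERVFAIL, REFUSED and similar

def check(name):
    """Live check: query both resolvers and classify the result."""
    return classify(ask(FILTERED, name), ask(UNFILTERED, name))
```

Calling `check("example.com")` needs outbound UDP port 53; a result of "blocked" for a domain you believe is benign is the evidence to attach to a false positive review request.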
The Quad 9 DNS servers are likely to be used by many businesses and home users by the end of 2018 as an additional layer of security.