Quad9 – First Thoughts & Benchmarks

Quad9 is a collaboration between IBM X-Force, Packet Clearing House (PCH), and the Global Cyber Alliance. It is a public recursive DNS service that combines high performance with security by refusing to resolve known-malicious domains. At the time of this writing, Quad9 was using 19 threat feeds to build that blocklist. I’m not going to get into the marketing speak because, quite frankly, enough folks cover that well enough.

Quad9 <- Main Site
New “Quad9” DNS service blocks malicious domains for everyone <- Ars Technica

Instead, I’ll provide the bare essentials: how it works, how to verify it is actually blocking, how fast it is, and whether I’m making the switch.

Changelog
29Nov2017 – Originally posted
6Dec2017 – Provided download links to DNS Benchmark tool and associated ini file
10Mar2018 – Changed IPv6 secondary address based on feedback
3Apr2018 – Cloudflare DNS (1.1.1.1) section added

How it works

The Quad9 folks put together a handy little infographic showing how it works (below). Essentially, you set Quad9 as your DNS nameservers (preferably on the firewall, so every device on the network uses it), and if a machine on your network queries a known-bad hostname, the Quad9 resolvers respond that the domain does not exist (NXDOMAIN, “non-existent domain”) instead of handing back the real address.


IPv4
Primary DNS: 9.9.9.9
Secondary DNS: 149.112.112.112

IPv6
Primary DNS: 2620:fe::fe
Secondary DNS: 2620:fe::9 <- Quad9 states this is not operational at the moment
The secondary DNS address for IPv6 is not permanent. I’ll try to update it when the change occurs, but keep an eye on the Quad9 FAQ for the most up-to-date info.

Stop! Do not get cute by adding a tertiary DNS server, and do not think you know better by adding a different provider (such as OpenDNS or Google) as the secondary. If you do, you will get unexpected results and break some of Quad9’s blocking: most operating systems do *not* query DNS servers strictly in the order you list them, so a query can go to the non-Quad9 server and come back with a real answer for a domain Quad9 would have blocked. If you want to read a bit more on my findings regarding this, see my article below.

Configuring Quad9 on pfSense

What does this look like in the real world? We can test it against isitblocked.org, a domain that is on Quad9’s blocklist, by querying Google DNS and Quad9 side by side.

Windows command line – test against Google

C:\Users\User>nslookup isitblocked.org 8.8.8.8
Non-authoritative answer:
Name:    isitblocked.org
Addresses:  2607:f1c0:100f:f000::2d1
          74.208.236.124

Windows command line – test against Quad9

C:\Users\User>nslookup isitblocked.org 9.9.9.9
*** can't find isitblocked.org: Server failed

Linux command line – test against Google

# dig +short isitblocked.org @8.8.8.8
74.208.236.124

Linux command line – test against Quad9

# dig +short isitblocked.org @9.9.9.9

Nothing is returned above. Keep in mind that `dig +short` only prints answer records, so a blocked name (NXDOMAIN) and a failed lookup (SERVFAIL) both show up as empty output. To see which one you actually got, drop `+short` and look at the `status:` field in the header of the response. Windows nslookup makes the same distinction in words: “Non-existent domain” is NXDOMAIN, while “Server failed” is SERVFAIL.

** Running the same commands without the server argument (9.9.9.9 or 8.8.8.8) resolves against your current nameserver instead of Quad9 or Google DNS.
Example: nslookup isitblocked.org
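The nslookup and dig commands above check one resolver at a time, and the warning about mixing providers is only as good as your ability to prove every configured resolver blocks the same name. The script below is an added example, not something from the original post or from Quad9; it builds a raw DNS A query, reads the response code from the header, classifies the result the way the page describes (NXDOMAIN = blocked, records returned = not blocked), and audits a whole resolver list for any server that would leak the query. The resolver addresses are the ones from this post; the “mixed” list deliberately includes 8.8.8.8 to show what the audit flags. The `MIXED_LIST`, `classify` and `leaking_resolvers` names are my own, and the network portion only runs when you execute the file directly.

```python
import random
import socket
import struct
import time

# Resolvers from the post. MIXED_LIST is deliberately wrong (8.8.8.8 is
# Google, not Quad9) so the audit has something to flag.
QUAD9_ONLY = ["9.9.9.9", "149.112.112.112"]
MIXED_LIST = ["9.9.9.9", "8.8.8.8"]

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=None):
    """Build a minimal recursive (RD=1) A/IN query for `name`.

    Returns (txid, packet). Header = ID, flags 0x0100, QDCOUNT=1, AN/NS/AR=0.
    """
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    question = qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return txid, header + question


def parse_response(data):
    """Return (txid, rcode_name, answer_count) from the 12-byte DNS header."""
    if len(data) < 12:
        raise ValueError("response too short for a DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F  # low four bits of the flags word
    return txid, RCODE_NAMES.get(rcode, "RCODE%d" % rcode), ancount


def classify(rcode_name, answer_count):
    """Map a response to what it means for a blocklisting resolver."""
    if rcode_name == "NXDOMAIN":
        return "blocked"     # what the post says Quad9 returns for listed names
    if rcode_name == "NOERROR" and answer_count > 0:
        return "answered"    # real records came back: no blocking happened
    if rcode_name == "NOERROR":
        return "empty"       # name exists but has no A record
    return "failed"          # SERVFAIL, REFUSED, timeout, ...


def query(name, server, timeout=2.0):
    """Send one UDP query to server:53; return (rcode_name, answer_count, ms)."""
    txid, packet = build_query(name)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    started = time.perf_counter()
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(4096)
    elapsed_ms = (time.perf_counter() - started) * 1000.0
    rtxid, rcode_name, answer_count = parse_response(data)
    if rtxid != txid:
        raise ValueError("transaction ID mismatch (stale or spoofed reply)")
    return rcode_name, answer_count, elapsed_ms


def audit(name, servers, timeout=2.0):
    """Query every resolver in the list; a timeout or socket error is
    recorded as ("ERROR", 0, 0.0) rather than aborting the whole run."""
    results = {}
    for server in servers:
        try:
            results[server] = query(name, server, timeout)
        except OSError:
            results[server] = ("ERROR", 0, 0.0)
    return results


def leaking_resolvers(results):
    """Given {server: (rcode_name, answer_count, ...)}, return the servers
    that handed back real records for a name you expected to be blocked."""
    return sorted(s for s, v in results.items() if classify(v[0], v[1]) == "answered")


if __name__ == "__main__":
    for label, servers in (("Quad9 only", QUAD9_ONLY), ("mixed list", MIXED_LIST)):
        results = audit("isitblocked.org", servers)
        for server, (rc, an, ms) in results.items():
            print("%-11s %-16s %-9s answers=%d %6.1f ms -> %s"
                  % (label, server, rc, an, ms, classify(rc, an)))
        print("  resolvers that would leak the query:", leaking_resolvers(results) or "none")
```

Run it from a machine that can reach the resolvers and compare the two lists: with the Quad9-only list every server should classify as “blocked”, while the mixed list shows 8.8.8.8 as “answered”, which is exactly the leak the warning above is about. The transaction-ID check is there because a UDP reply that does not match the ID you sent is either stale or spoofed and should never be trusted as an answer.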

Browser

From a browser, the isitblocked.org domain simply appears to be down (below); the browser shows a name-resolution error rather than any indication that the name was blocked.

Speed

Using Steve Gibson’s DNS Benchmark tool, I tested multiple times throughout the day and the results were fairly consistent. Quad9 came in at #2 or #3, with Google DNS taking #1 (or both #1 and #2 when both of its addresses were in the list). Keep in mind these rankings may change as more Quad9 anycast nodes are brought online. Although OpenDNS lagged behind both of them, the speeds from any of the three (Quad9, Google, or OpenDNS) are very respectable and I would not hesitate to use any one of them for DNS resolution alone.

DNS Benchmark #1

DNS Benchmark #2

DNS Benchmark Numbers

Test it yourself

There’s no point in blindly assuming what I’m telling you is true, and you will almost certainly get different numbers because of your location. Thus, I highly encourage you to test these DNS servers yourself. The first link below downloads the DNS Benchmark tool directly from GRC. The second link downloads my nameservers.ini file from GitHub, which includes the nameservers discussed above as well as a few others. The graphic below shows the four steps to follow after downloading DNS Benchmark: click the ‘Nameservers’ tab, click ‘Add/Remove,’ click ‘Remove all Nameservers’ followed by ‘Add INI file Nameservers,’ and finally click ‘Run Benchmark’ to run the tests. It definitely wouldn’t hurt to note your results over the course of a few hours or days to see whether they vary.

Download DNS Benchmark from GRC

Nameservers.ini from GitHub

DNS Benchmark How To

Conclusion

I’ve switched to Quad9. I made the change shortly after the service was announced and I haven’t had any complaints. Yes, I understand Google had a marginal speed advantage in my case, but I’m okay with the difference knowing I’m getting some security benefit in return. If the speed difference were greater, this conversation probably wouldn’t happen. Also worth noting is that I did not test the speed of my ISP’s DNS servers. They would likely win on speed based on proximity alone, but there’s just something “off” about using an ISP’s DNS beyond the potential stability issues. Even if I could reconcile that in my head, when you are talking about such marginal speed differences I am okay with the added security Quad9 brings to the table.

Cloudflare DNS – 1.1.1.1

Cloudflare launched their own public DNS service on April 1st, 2018. Yes, that is a horrible launch date because of April Fools’ Day, but nobody asked me. I didn’t re-run the DNS Benchmark speed tests with Cloudflare as I did with the other services because I had since configured all of the “top DNS” providers for monitoring in my Nagios XI instance (image below). I also didn’t test it right away because I didn’t think that would be a very fair comparison given they would likely see a significant jump in activity during launch. Instead, just a few days afterward, I can say that from where I sit there is virtually no speed difference between any of the top DNS providers. In fact, all of the primary DNS addresses returned a response within 5 milliseconds of one another. Keep in mind that your mileage may vary, so I would suggest using the DNS Benchmark tool from Steve Gibson to test things out on your end. I’m personally staying with Quad9 simply because of the added security benefits.

DNS Benchmarks with Cloudflare

12 thoughts on “Quad9 – First Thoughts & Benchmarks”

  1. Thanks for the good info. I ended up switching to Quad9 as well.
    Relative performance tested and compared well at my location on a fixed wireless connection, 45 miles outside of DFW TX.
    I like the added protection and privacy policy

    1. Thanks for the feedback! I agree 100% on the privacy policy. I’m gathering some long-term statistics to see how Quad9 stacks up against Cloudflare, Google, etc. and I’ll add that to this page in the future. Also, depending on your router/firewall, you might take a peek at the DNS over TLS features of Quad9. I’ve tested it a bit and recently added it to my “Configuring Quad9 on pfSense” post if you are interested. https://linuxincluded.com/configuring-quad9-on-pfsense/

    1. Hey Christian! I haven’t used either of those. I use Quad9 almost exclusively. With their anycast addressing, their service is always extremely fast in my experience. I will say I use more granular DNS blackholing at the firewall level so Quad9 is only used to block the worst of the worst. If I didn’t have the option for a secondary blackhole, I would probably try something a bit more aggressive.

        1. No problem Christian! Make sure you heed the warning about mixing and matching other DNS providers though. For example, if you use Quad9 for your primary and your non-Quad9 DNS is just a titch faster, there is a near certainty it will take precedence, so you may lose out on some of Quad9’s blocking capabilities. This tendency does seem to vary from one OS to the next, but it is the default more often than not. Basically, your OS most likely does *not* care what you specify as primary, secondary, tertiary, etc. Instead, it tests the response time to each and then sets the order, changing it as necessary. Best of luck!

  2. I disagree about April 1 being a horrible launch date. April Fool’s Day is a thing for children and not something adults should be doing. April 1 is, for adults, a day like any other. People that think otherwise should, quite honestly, grow up.

    1. You took the time to go through captcha to write that? That’s the type of comment I would typically delete, but instead I’ll just say that everyone is entitled to their opinion, even if it’s wrong. Have fun and lighten up a bit!
