Quad9 – First Thoughts & Benchmarks
Quad9 is the collaboration of IBM X-Force, PCH, and Global Cyber Alliance. It provides a DNS platform that combines high performance with security by blocking known malicious domains. At the time of this writing, Quad9 was using 19 threat feeds. I’m not going to get into the marketing speak because quite frankly, enough folks cover that well enough.
Quad9 <- Main Site
New “Quad9” DNS service blocks malicious domains for everyone <- Ars Technica
Instead, I’ll provide the bare essentials including how it works, speed, and if I’m making the switch.
29Nov2017 – Originally posted
6Dec2017 – Provided download links to DNS Benchmark tool and associated ini file
10Mar2018 – Changed IPv6 secondary address based on feedback
3Apr2018 – Cloudflare DNS (1.1.1.1) section added
How it works
The Quad9 folks did put together a handy little infographic to show how it works (below). Essentially, you set up Quad9 as your DNS nameservers (preferably in the firewall) and if a machine on your network queries a known bad hostname, the DNS servers respond that the domain does not exist (NXDOMAIN, or non-existent domain).
IPv4 Primary DNS: 9.9.9.9
IPv4 Secondary DNS: 149.112.112.112
IPv6 Primary DNS: 2620:fe::fe
IPv6 Secondary DNS: 2620:fe::9 <- Quad9 states this is not operational at the moment
The secondary DNS for IPv6 is not permanent. I’ll try to update it when the change occurs, but keep an eye on the Quad9 FAQ for the most up-to-date info.
Stop! Do not get cute and add in a tertiary DNS *or* think you know better by adding in a different DNS (such as OpenDNS or Google) as a secondary DNS. If you do this, you will get unexpected results and break some of the blocking capabilities of Quad9. DNS servers are *not* queried in order as you might expect. If you want to read a bit more on my findings regarding this, see my article below.
What does this look like in the real world? We can test this against the isitblocked.org domain.
Windows command line – test against Google (Windows nslookup takes the server as a plain second argument, without the @ prefix that dig uses)
C:\Users\User>nslookup isitblocked.org 8.8.8.8
Non-authoritative answer:
Name: isitblocked.org
Addresses: 2607:f1c0:100f:f000::2d1 184.108.40.206
Windows command line – test against Quad9
C:\Users\User>nslookup isitblocked.org 9.9.9.9
*** can't find isitblocked.org: Server failed
Linux command line – test against Google
# dig +short isitblocked.org @8.8.8.8
22.214.171.124
Linux command line – test against Quad9
# dig +short isitblocked.org @9.9.9.9
Nothing is returned above.
** Running the same commands above without the server designation (9.9.9.9 or 8.8.8.8) will return results from your current nameserver instead of Quad9 or Google DNS.
Example: nslookup isitblocked.org
From a browser, the isitblocked.org domain will appear as though it is down (below).
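To reproduce the NXDOMAIN check above without parsing nslookup output, and to test for the mixed-resolver pitfall described in the warning earlier, here is an added Python example (not code from the original post or from Quad9). It builds the A query for the test domain by hand, classifies a resolver's raw reply by RCODE and answer count, and lists any resolver in a set that still answers for the test domain; the sample replies and the 192.0.2.1 address are constructed, and probe() needs network access to reach real resolvers.

```python
import socket
import struct
# Added example, not code from the original post or from Quad9.
TEST_NAME = "isitblocked.org"
NXDOMAIN, SERVFAIL = 3, 2                      # RCODE values from RFC 1035

def build_query(name, txid=0x1234):
    """Header with RD set, then QNAME / QTYPE=A / QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def a_records(resp):
    """IPv4 addresses in the answer section (assumes compressed owner names)."""
    ancount = struct.unpack("!H", resp[6:8])[0]
    pos = resp.index(b"\x00", 12) + 5          # past QNAME, QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos += 2                               # 0xC0xx pointer back to QNAME
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def classify(resp):
    """'blocked' (NXDOMAIN, Quad9's reply for a listed name), 'servfail', 'resolved' or 'empty'."""
    if len(resp) < 12:
        return "empty"
    rcode = struct.unpack("!H", resp[2:4])[0] & 0x0F
    if rcode in (NXDOMAIN, SERVFAIL):
        return "blocked" if rcode == NXDOMAIN else "servfail"
    return "resolved" if a_records(resp) else "empty"

def probe(resolver, name=TEST_NAME, timeout=2.0):
    """Send the query over UDP to one resolver (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return classify(s.recv(512))

def leaky_resolvers(results):
    """Entries of {resolver: classification} that answered the test name; if the OS prefers one, blocking stops applying."""
    return [r for r, c in results.items() if c == "resolved"]
# Constructed replies (not real captures) for the two outcomes shown in the post.
_Q = build_query(TEST_NAME)[12:]
SAMPLE_BLOCKED = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _Q
SAMPLE_RESOLVED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Against live resolvers, `leaky_resolvers({r: probe(r) for r in ("9.9.9.9", "149.112.112.112", "8.8.8.8")})` names the resolver that would bypass the blocking if your OS happened to prefer it.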
Using Steve Gibson’s DNS Benchmark tool, I tested multiple times throughout the day and the results were fairly consistent. Quad9 placed either #2 or #3, with Google DNS coming in at #1, or at #1 and #2. Keep in mind these may change in the future as more anycast servers are brought online. Although OpenDNS lagged behind both of them, the speeds from any of those three (Quad9, Google, or OpenDNS) are very respectable and I would not hesitate to use any one of them for DNS services alone.
DNS Benchmark #1
DNS Benchmark #2
DNS Benchmark Numbers
Test it yourself
There is no point in blindly assuming what I’m telling you is true, and there’s also a 100% chance you will get different results because of your location. Thus, I highly encourage you to test these DNS servers yourself. The first link below is to download the DNS Benchmark tool directly from GRC. The second link is to download my nameservers.ini file from GitHub, which includes the nameservers discussed above as well as a few others. The graphic below shows the 4 steps to follow after downloading DNS Benchmark. Basically, click on the ‘Nameservers’ tab, click ‘Add/Remove,’ click ‘Remove all Nameservers’ followed by ‘Add INI file Nameservers.’ Last, but not least, click on “Run Benchmark” to run the tests. It definitely wouldn’t hurt to note your results over the course of a few hours/days to see if the results vary.
Download DNS Benchmark from GRC
I’ve switched to Quad9. I made the change shortly after the service was announced and I can say I haven’t had any complaints. Yes, I understand Google had a marginal speed advantage in my case, but I’m okay with the difference knowing I’m getting some security benefits. If the speed difference was greater, this conversation probably wouldn’t happen. Also worth noting is that I did not test the speed of my ISP’s DNS servers. Without question, they would win on speed based on proximity alone, but there’s just something “off” with using the DNS for an ISP beyond potential stability issues. Even if I could reconcile that in my head, when you are talking about such marginal speed differences I am okay with the added security Quad9 brings to the table.
Cloudflare DNS – 1.1.1.1
Cloudflare added their own DNS services on April 1st, 2018… Yes, that is a horrible launch date because of April Fool’s Day, but nobody asked me. I didn’t re-run the DNS Benchmark speed tests with Cloudflare as I did with the other systems because I later configured all of the “top DNS” for monitoring in my Nagios XI instance (image below). I didn’t test it right away because I didn’t think that would be a very fair comparison, given they would likely have a significant jump in activity during launch. Instead, I checked just a few days afterward, and I can say that from where I sit I see virtually no speed difference between any of the top DNS providers. In fact, all of the primary DNS servers returned a response within 5 milliseconds of one another. Also keep in mind that your mileage may vary, so I would suggest using the DNS Benchmark tool from Steve Gibson to test things out on your end. I’m personally staying with Quad9 simply because of the added security benefits.
Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.
12 thoughts on “Quad9 – First Thoughts & Benchmarks”
Nice, was looking for what secondary should be. Thanks for details!
Not a problem! Happy to help!
Apparently there is no secondary DNS for IPv6 anymore?!
Quad9 states 2620:fe::9 is not operational at the moment, but it will be shortly. https://twitter.com/Quad9DNS/status/972203088743469056
Thanks for the good info. I ended up switching to Quad9 as well.
Relative performance tested and compared well at my location on a fixed wireless connection, 45 miles outside of DFW TX.
Great write up!
What are your thoughts on dns.watch or opennic? After a bit over a year does Quad9 still stand up?
Hey Christian! I haven’t used either of those. I use Quad9 almost exclusively. With their anycast addressing, their service is always extremely fast in my experience. I will say I use more granular DNS blackholing at the firewall level so Quad9 is only used to block the worst of the worst. If I didn’t have the option for a secondary blackhole, I would probably try something a bit more aggressive.
Thank you for your response Dallas!
I was looking to add a secondary to having Quad9 as my primary.
No problem Christian! Make sure you heed the warning about mixing and matching other DNS providers though. For example, if you use Quad9 for your primary and your non-Quad9 DNS is just a titch faster, there is a near certainty it will take precedence, so you may lose out on some of Quad9’s blocking capabilities. This tendency does seem to vary from one OS to the next, but it is the default more often than not. Basically, your OS most likely does *not* care what you specify as primary, secondary, tertiary, etc. Instead, it tests the response time to each and then specifies the order while changing it as necessary. Best of luck!
I disagree about April 1 being a horrible launch date. April Fool’s Day is a thing for children and not something adults should be doing. April 1 is, for adults, a day like any other. People that think otherwise should, quite honestly, grow up.
You took the time to go through captcha to write that? That’s the type of comment I would typically delete, but instead I’ll just say that everyone is entitled to their opinion, even if it’s wrong. Have fun and lighten up a bit!