Quad9? Not a techie
  • Friesland
    Senior Member
    • Mar 2014
    • 873

    Thoughts, Please, does sound good!
    "Quad9 DNS gives you INSTANT protection from scammers, phishing sites, and malware!"
    "It does not take a majority to prevail... but rather an irate, tireless minority, keen on setting brushfires of freedom in the minds of men."-
    Samuel Adams
  • #2
    HecklerNKoch
    Member
    • Jan 2016
    • 428

    • #3
      Friesland
      Senior Member
      • Mar 2014
      • 873

      HecklerNKoch, Sir, I'm a true non-techie. Should I go this route? If this does not work for me is it reversible?

      Thanks
      "It does not take a majority to prevail... but rather an irate, tireless minority, keen on setting brushfires of freedom in the minds of men."-
      Samuel Adams

      • #4
        Robotron2k84
        Senior Member
        • Sep 2017
        • 2013

        Subscription DNS lets you use their service, with the caveat that you are playing by their rules as to filtering and logging. It generally gives the illusion of privacy without any real privacy. Virus and malware filtering are probably more sound.

        Some services offer a benefit of DNS over an encrypted channel, or centralized blacklists for problematic domains. But, that knife cuts both ways. You are then centrally monitored and the provider (especially Cloudflare) can be fickle about what rights you should have or be entitled to.

        If you don’t like someone MITM’ing your internet connection I would suggest you stick with your ISP’s name servers.

        Better yet, learn to run your own recursive resolver on your own computer and subscribe to RBLs for filtering bad domains.

        When you get down into the weeds of internet plumbing, there’s only so far being non-techie will take you.

        • #5
          SkyHawk
          I need a LIFE!!
          • Sep 2012
          • 23495

          Quad9 is free and you can use it and stop using it anytime you choose. They do have a compelling story.

          I tried it earlier in the year and had some issues resolving some hosts at Schwab. I opened a tech ticket and they were responsive and dogged about finding and fixing the issue, which was impressive considering I was a freeloader trying to tell them they had issues. But alas the issue came back after a few weeks and since it affected my trading platform it was a non-starter for me.

          I may try it again in 2021. At minimum I will likely set my wife and kids PCs and tablets to use it. I say give it a try, you have nothing to lose and you can switch away from it in seconds if you want.
          Last edited by SkyHawk; 12-31-2020, 2:44 PM.
          Click here for my iTrader Feedback thread: https://www.calguns.net/forum/market...r-feedback-100

          • #6
            Friesland
            Senior Member
            • Mar 2014
            • 873

            A Big Thanks guys
            "It does not take a majority to prevail... but rather an irate, tireless minority, keen on setting brushfires of freedom in the minds of men."-
            Samuel Adams

            • #7
              bwoodcock
              Junior Member
              • Jan 2021
              • 9

              Originally posted by SkyHawk
              Quad9 ... had some issues resolving some hosts at Schwab. I opened a tech ticket and they were responsive and dogged about finding and fixing the issue ... the issue came back after a few weeks and since it affected my trading platform it was a non-starter for me.
              Hi. I'm on Quad9's board of directors... Can you tell me a little more about what happened? Was the Schwab address being intentionally blocked because it was being reported to us as malware-hosting by our threat-intel providers? (i.e. if you popped the domain name into the form on the front page of our web site to check whether it was being blocked, it said it was being blocked and said which threat intel provider was blocking)? Or was it a technical issue like a failure of Schwab's DNSSEC signing process?

              If you can give me the ticket number from your original request, we can dig into it and figure out what's going on, and give you some more satisfying answer.

              There are a hell of a lot of domains out there, and so we don't wind up resolving problems unless people report them to us, and if the problems come back for some reason, we don't know about it unless they're reported again.

              If the issue is Schwab screwing up their DNSSEC signing, and you still want DNSSEC validation, all I can tell you is to lean on them to get their act together, because neither we nor anyone else can fix that. If you don't particularly care about DNSSEC validation nor about malware blocking (which would kinda be living life on the edge), you could use 9.9.9.10, which is mostly there for debugging purposes... It doesn't validate DNSSEC, nor does it block things we know to be malware.

              In any event, I'm glad you're happy with Quad9 for your friends-and-family. Let me know if there are any other ways you think we could be improving it. A lot of our effort right now is going into legal protections around interception (there'll be a big press announcement related to that on January 28, Data Privacy Day) and keeping up with growth in traffic. There's also a desperately-needed web site overhaul that's in the works, to provide better documentation. And we're working with DNS server authors to get DoQ, ADoT, and extended error codes implemented.

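              The post above gives a practitioner three things to compare: the filtering address (9.9.9.9), the unfiltered, non-validating address (9.9.9.10), and DNSSEC validation as a separate failure cause. The script below is an added example (the editor's, not Quad9's tooling and not from anyone in this thread) that turns that into a repeatable check with `dig`. It assumes BIND's `dig` is installed, that Quad9 answers a blocked name with NXDOMAIN, and that the NSID line is only present when the answering resolver returns one; the domain names on the usage line are placeholders.

```shell
#!/bin/sh
# Added example (editor's, not Quad9's tooling): work out *why* a name fails
# on Quad9, using the two addresses named in the post above.
#   9.9.9.9   = malware blocking + DNSSEC validation
#   9.9.9.10  = no blocking, no DNSSEC validation (debugging)
# Assumes BIND's `dig` is installed; only probe_name() touches the network.
# Assumption: Quad9 answers a blocked name with NXDOMAIN.
FILTERED=9.9.9.9
UNFILTERED=9.9.9.10

# Pull the rcode (NOERROR, NXDOMAIN, SERVFAIL, ...) out of dig's header line
# on stdin; print TIMEOUT when there is no header at all (nothing came back).
parse_rcode() {
    code=$(sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ -n "$code" ]; then echo "$code"; else echo TIMEOUT; fi
}

# rcode_of RESOLVER NAME [extra dig options...]
rcode_of() {
    resolver=$1; name=$2; shift 2
    dig +time=3 +tries=1 "@$resolver" "$name" A "$@" 2>/dev/null | parse_rcode
}

# classify FILTERED_RCODE UNFILTERED_RCODE CD_RCODE
#   FILTERED_RCODE  : 9.9.9.9, normal query
#   UNFILTERED_RCODE: 9.9.9.10, normal query
#   CD_RCODE        : 9.9.9.9 with +cd (checking disabled: the answer is
#                     returned even if DNSSEC validation would have failed)
classify() {
    f=$1; u=$2; c=$3
    if [ "$f" = NOERROR ]; then
        echo resolves
    elif [ "$f" = NXDOMAIN ] && [ "$u" = NOERROR ]; then
        echo blocked        # only the filtering address refuses the name
    elif [ "$f" = SERVFAIL ] && [ "$c" = NOERROR ]; then
        echo dnssec-bogus   # data is there once validation is switched off
    elif [ "$u" = NOERROR ] || [ "$c" = NOERROR ]; then
        echo resolver-side  # mixed results: the answering site, not the zone
    else
        echo unresolvable   # nobody resolves it; look at the authoritative side
    fi
}

# Probe one name, print a one-line verdict, then show which Quad9 site
# answered (the NSID line only appears when the resolver returns one).
probe_name() {
    name=$1
    f=$(rcode_of "$FILTERED" "$name")
    u=$(rcode_of "$UNFILTERED" "$name")
    c=$(rcode_of "$FILTERED" "$name" +cd)
    printf '%-32s filtered=%s unfiltered=%s cd=%s -> %s\n' \
        "$name" "$f" "$u" "$c" "$(classify "$f" "$u" "$c")"
    dig +nsid +noall +comments +time=3 +tries=1 "@$FILTERED" "$name" A 2>/dev/null \
        | sed -n 's/^; NSID: /    answered by NSID /p'
}

# Usage: sh quad9-probe.sh example.com another.example   (placeholder names)
for n in "$@"; do probe_name "$n"; done
```

              A "resolver-side" verdict is the shape of the problem SkyHawk describes later in the thread: the unfiltered address and the +cd query both succeed, so neither the threat feed nor the zone's signatures explain the failure, and the NSID line tells you which site to name in the ticket.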
              • #8
                bwoodcock
                Junior Member
                • Jan 2021
                • 9

                How well that answer works depends a lot on the ISP, unfortunately. If it's a small ISP, which runs its own nameservers, then it's a good answer, and that's definitely your best bet. If it's a European ISP that's subject to GDPR and is actually audited for compliance (and that's a big if) and has been found to be obeying the law, then it's a good answer. The problem is that, back in 2002, when the surveillance economy got underway and the telecom investment bubble was collapsing, there was a lot of financial pressure on ISPs and dot-com companies that hadn't really had to think too much about their business model, and some of them survived by really aggressively monetizing user data. Companies like Nominum replaced the nameservers that ISPs were operating with outsourced ones. The ISP "wins" because they no longer have to operate the server, and the monetizer "wins" because they clandestinely get access to a large preexisting stream of DNS queries that they can use to profile people and sell. Users lose out because their click-trail is being sold, and they have no way of knowing that it's happened.

                I often hear the argument that "the ISP already knows what I'm doing, so it doesn't matter if they also know what DNS queries I'm making." The issue is that while they may not be explicitly monetizing the actual packet streams (or more likely, "flows"), they're very likely to have already outsourced monetization of the DNS, since that's much, much easier for them to do.

                Originally posted by Robotron2k84
                Better yet, learn to run your own recursive resolver on your own computer and subscribe to RBLs for filtering bad domains.
                Yep. PiHole is an excellent starting point for folks wanting to do that. The advantage to doing it yourself is that it'll be fully under your own control, and you'll know that at least that portion isn't being monetized. The main disadvantage is that, until ADoT is ubiquitous, it means that every query you send will be transmitted in the clear, and uniquely identified with your IP address. A good middle-ground is to operate your own caching forwarding resolver, with DoT on the upstream leg. That gets you the advantages of local caching and aggregation of all your clients (so if you and someone else using your server both send a query, it only goes out once, and nobody can tell which user sent it) as well as the same advantages pooled together with all the other users of the upstream recursive resolver. Then the trick is just to pick an upstream recursive resolver that has policies you agree with. I'm obviously biased in that regard. Aside from Quad9, OpenDNS also has good privacy policies. Pretty much everybody else is in the data-monetization business.

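                The middle-ground the post above recommends (a local caching forwarder, DoT on the upstream leg, a chosen upstream such as Quad9) is a few lines of Unbound configuration. The generator below is an added example from the editor, not from the poster, Quad9 or the Unbound project. It assumes Unbound 1.9 or newer, a CA bundle at the Debian-style path in CA_BUNDLE, the root trust anchor at ROOT_KEY, a 192.168.1.0/24 LAN with the resolver on 192.168.1.1, and that dns.quad9.net is the name on Quad9's DoT certificate; the two upstream addresses are the Quad9 pair listed later in the thread.

```shell
#!/bin/sh
# Added example (editor's, not from the post, Quad9 or NLnet Labs): Unbound as
# a local caching forwarder with DNS-over-TLS on the upstream leg.
# Assumptions: Unbound 1.9+, CA bundle at $CA_BUNDLE, root trust anchor at
# $ROOT_KEY, LAN 192.168.1.0/24 with this host on 192.168.1.1.
CA_BUNDLE=${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}
ROOT_KEY=${ROOT_KEY:-/var/lib/unbound/root.key}

# gen_unbound_dot_conf AUTHNAME IP...
#   AUTHNAME = name the upstream presents on its TLS certificate
#   IP...    = upstream resolver addresses, all reached on the DoT port 853
gen_unbound_dot_conf() {
    authname=$1; shift
    cat <<EOF
server:
    # Serve the local network only; never expose a resolver to the Internet.
    interface: 127.0.0.1
    interface: 192.168.1.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # Validate DNSSEC here instead of trusting the upstream's AD bit.
    auto-trust-anchor-file: "$ROOT_KEY"
    # Needed to check the upstream certificate against the name after '#'.
    tls-cert-bundle: "$CA_BUNDLE"
    # Caching is what gives aggregation: one upstream query per name per TTL.
    # Leave cache-min-ttl at 0; raising it is the "violating TTLs" trade-off.
    cache-min-ttl: 0
    prefetch: yes
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
EOF
    for ip in "$@"; do
        printf '    forward-addr: %s@853#%s\n' "$ip" "$authname"
    done
}

# Write the config for Quad9 and, when unbound-checkconf is installed,
# let Unbound itself validate the syntax.
write_and_check() {
    out=${1:-unbound-dot.conf}
    gen_unbound_dot_conf dns.quad9.net 9.9.9.9 149.112.112.112 > "$out"
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$out"
    else
        echo "unbound-checkconf not installed; wrote $out unvalidated" >&2
    fi
}
```

                Usage: `. ./gen.sh; write_and_check /etc/unbound/unbound.conf.d/quad9-dot.conf` (path is an assumption), then point clients at the resolver. Because validation happens locally, a zone with broken signing will still SERVFAIL here even though the upstream is the one the post blames; the forwarder only changes who sees the query, not whether bad signatures pass.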
                • #9
                  Robotron2k84
                  Senior Member
                  • Sep 2017
                  • 2013

                  DNS query encryption is (mostly) worthless, as even aggregators such as your solution can still be mandated by the Govt. to log source IP / request pairs. On the outbound side the query is still unencrypted in the majority of cases, unless you are violating TTLs and retaining data in your cache.

                  That’s why I said that such services offer the illusion of privacy. Everything from such a service is traceable back to your origin, and via sideband tracking can be traced back to origin when transitioning on/off VPNs.

                  The positives aggregated DNS offers are not really sufficient to offset the privacy concerns and why I personally run a caching forwarding recursive resolver on my own.

                  I agree the only worthwhile change coming down the pipe is fully encrypted DNS, but even then someone that’s monitoring your traffic still can map your queries by capturing headers to the DNS servers and subsequent requests to the destination site’s IP requested.

                  That’s the real reason encryption has not practically materialized, because its actual worth is questionable when your DNS query is simply reading publicly available data and then turning right around and requesting resources from the answer. The query can be guessed; it’s plainly visible, regardless of the DNS mechanism.

                  Better privacy would entail a router network of DNS servers or distributed proxy network, a la Tor. However, Tor has shown that its failure state is a poisoning and subsequent monopoly of exit nodes, as the exit nodes retain data sufficient to map the requesting network.

                  An even better solution would be a hardware-level cache, an edge device for every subnet. It is possible that the entire DNS IPv4 namespace (excluding v6, for the moment) could be contained in ~256 GB of storage and operated on akin to BGP. A hardware device that initially loads a compiled DNS map and then receives synchronized delta updates each minute would, in theory, lead to much better operational security for upstream traffic captures.

                  Your service could be the compiler of that data for subscription.

                  • #10
                    SkyHawk
                    I need a LIFE!!
                    • Sep 2012
                    • 23495

                    Originally posted by bwoodcock
                    Hi. I'm on Quad9's board of directors... Can you tell me a little more about what happened? Was the Schwab address being intentionally blocked because it was being reported to us as malware-hosting by our threat-intel providers? (i.e. if you popped the domain name into the form on the front page of our web site to check whether it was being blocked, it said it was being blocked and said which threat intel provider was blocking)? Or was it a technical issue like a failure of Schwab's DNSSEC signing process?

                    ...

                    Hello, my ticket was opened Feb 4 2020, the ticket# seems to be 5912. The person who responded and helped me was Megan Schxxxxxr. I should note again that she was very helpful and responsive.

                    IIRC, before I opened my ticket I did use your debug server to validate my results.

                    At first the DNSSEC for these Schwab hosts was suspected by your folks, even though no other DNS resolver including anycast providers like Google and OpenDNS had any problem with these hosts. I was specifically told these hosts were not being blocked by Quad9.

                    But I could make queries from other networks I have access to, to Quad9 for these same hosts and they would resolve fine, which seemed to prove that only certain Quad9 servers had issues.

                    Then Quad9 came back and said the problem was only exhibited by the SFO Quad9 server(s), which unfortunately is the one closest to me and the one where my DNS queries were serviced. They took the SFO site offline and that fixed it, but then they brought it back online a week later and broke it again.

                    The last email I had after I reported the problem had returned on Feb 13, was:

                    Our sfo site was brought back into the mesh and it seems that it is still having trouble with schwab. We have removed it for now and will do further testing before reinstating it.

                    Thanks
                    Megan

                    Then shortly after that, the world blew up with Covid and I got completely distracted from the issue. I have no idea where it left off and I have not tried it again since. For all I know the problem was fixed, but I have not checked back to see.

                    The three hosts I specifically was interested in and having problems with were:
                    streetsmart.schwab.com
                    help.streetsmart.schwab.com
                    stream.schwab.com


                    There were probably others, but those are the ones that broke my trading terminal when they could not be resolved. And there were other hosts at Schwab that resolved just fine.

                    PS - thanks for checking in on us Calgunners!!

                    Last edited by SkyHawk; 01-03-2021, 1:36 AM.

                    • #11
                      HecklerNKoch
                      Member
                      • Jan 2016
                      • 428

                      Originally posted by Friesland
                      HecklerNKoch, Sir, I'm a true non-techie. Should I go this route? If this does not work for me is it reversible?

                      Thanks
                      Apologies for the delay in seeing this.

                      You're more of a techie than you know for even getting to this point.

                      I don't know how old you are, but there was a time when there were payphones everywhere and payphones had a binder-phonebook dangling under them. That phonebook (or telephone directory) contained both the 'Yellow Pages' and the 'White Pages'. That dangling telephone directory is DNS.

                      When DNS was originally conceived, it was done so without the need nor the framework for security. Because if you were at a payphone in Los Angeles, you needed to look up 'Domino's Pizza' because 'Domino's Pizza' is a human-name, but the payphone needed to know and dial out to '(213) 623-2424' and this is all public information.
                      "Quad9 DNS gives you INSTANT protection from scammers, phishing sites, and malware!"
                      -- That is misleading. There is no such thing. What a wonderful world it would be if this were true.
                      To take away all fanciness, all that is happening is a 'Name resolution' is taking place. You tell your phone "Call 'Mom'" and your phone calls a number because your phone cannot compute 'Mom'.

                      You are giving me a name: 'Domino's Pizza' and you are, in return, getting the address of the server to connect to (a non-human name).

                      I don't know much about Quad9.

                      Here is a bold statement I can make: the two most dangerous DNS solutions are (i) your actual Internet Service Provider and (ii) your subscription private VPN service. These two will manipulate your results, among other things. They are in the business of profiting and if their profiting can keep your monthly subscription payments down, then their model is working.

                      There are public DNS services and private ones and at anytime you are free to make your selection and it is as easy as flicking a light switch to change from one to another ... and there are countless DNS resolvers out there.

                      Here are popular ones. I'm listing all but one from memory.
                      • Google Public DNS | 8.8.8.8 and 8.8.4.4
                      • OpenDNS | 208.67.222.222 and 208.67.220.220
                      • Cloudflare | 1.1.1.1 and 1.0.0.1
                      • Quad9 | 9.9.9.9 and 149.112.112.112
                      • Verisign DNS | 64.6.64.6 and 64.6.65.6

                      They each promise something. They each admit their limitations. They each work off a promised model.

                      There are some that try as best as they can to block advertisements. There are some that are for parental control.

                      How about this ... think of China. China decides what their citizens get to access. So if China says no to Facebook then dialing out to 'facebook.com' lands you at a page that says 'sorry, not sorry.'

                      The mechanics behind what is going on in getting you 'your results' is very complex.
                      It gets complex because traditional DNS uses a visible protocol (UDP). There is now the possibility of cloaking your request in TCP, or DNS over TLS (DoT), and more modernly DNS over HTTPS (DoH). All of this because our standards for security and privacy are coming to the forefront.
                      Ever heard of the Rolodex device? This is where performance becomes a factor.
                      What if you are in Los Angeles but the DNS server you are making contact with is in ... New York? Will you notice a delay in the roundtrip time?

                      Although your concern is safety, try this link to see DNS performance analytics based on where you are to get an idea that your results for 'Domino's Pizza' will vary based on what city you are in because what good would it do if your DNS in NYC provided you the 'Domino's Pizza' number in Los Angeles?

                      https://www.dnsperf.com/#!dns-resolvers


                      The security measures behind all these DNS resolvers differ. Some are better than others. But none of them are going to give "you INSTANT protection from scammers, phishing sites, and malware!" How incredible that would be. We've then reached the final end of cybersecurity at that point. Perhaps, at best, that big promise translates into 'we are blocking large known bad alleyways in the Internet'.

                      The big picture that you need to understand is that all the above-named DNS resolvers are just middle-men. They filter and/or don't filter your results, but ultimately they ask the Root-servers above them, which ask the Authoritative servers above them, and in the end you get a result of one variation or another.

                      What some of the commenters on this page are writing about is currently being addressed by DNS over HTTPS -- the point being that the man in the middle can neither (a) see your request (i.e. where you are trying to go) nor (b) manipulate your results. (This is where your ISP and Private VPN would try to steer your results for monetization.) DoH is a work in progress and has a long way to go.

                      Each of these security measures has its weaknesses. DoH creates a mess in the enterprise workplace. It also helps criminals. It's going to get too deep. All these security measures are answers to very complex problems but they all bring their own problems with them.

                      As far as I can tell Quad9 uses a few whitelisting methods and relies on the assistance of partnerships to either whitelist or blacklist your requests, particularly with Packet Clearing House. I can see that they have a good number of points of presence globally (122 active as of right now of 150 overall) and at least 3 autonomous systems. I like that they are not in the business of monetizing user data.

                      Again, I will state I know nothing about them other than surface level. They answer to IBM, Packet Clearing House (PCH), Global Cyber Alliance (GCA), other cyber-security organizations, and private donations... whatever that means at the end of the day. None of this is my concern.

                      Objectively, Quad9 is a part of the telephone directory ecosystem of the Internet and they state a good mission. And, at the same time, bad actors will figure a way around them because that is what they are supposed to do.

                      In the end, know that there is no one thing that can protect you. Use only a modern day browser and always keep it up-to-date and whichever DNS provider you go with is only doing their job (and, yes, you can switch DNS at the flip of a dime).

                      As I stress on this particular forum, make your goal clear so that people can help guide you to what you are actually aiming for.

                      If anything, know if your quoted statement were true ... life would be that much more grand. Anything in life with big promises ... hmmm.

                      • #12
                        bwoodcock
                        Junior Member
                        • Jan 2021
                        • 9

                        Originally posted by SkyHawk
                        I have no idea where it left off and I have not tried it again since. For all I know the problem was fixed, but I have not checked back to see.
                        I'm checking on it. I'll report back what I find.

                        • #13
                          dizzyblonde
                          Member
                          • Dec 2017
                          • 128

                          Just use Google Public DNS resolver addresses. They're the world leaders in not getting their stuff pwned, they're extremely reliable, they won't track queries in any useful / privacy-invading way. Quad9 is just dumb. It's solving a problem that never really existed unless you were already running a compromised computer.

                          • #14
                            Friesland
                            Senior Member
                            • Mar 2014
                            • 873

                            Will keep and return to...

                            Well written and stated, Thanks, impressed!

                            Originally posted by HecklerNKoch
                            Apologies for the delay in seeing this.

                            You're more a technie than you know for even getting to this point.

                            I don't know how old you are, but there was a time when there were payphones everywhere and payphones had a binder-phonebook dangling under them. That phonebook (or telephone directory) contained both the 'Yellow Pages' and the 'White Pages'. That dangling telephone directory is DNS.
                             ...

                            Comment

                            • #15
                              bwoodcock
                              Junior Member
                              • Jan 2021
                              • 9

                              Originally posted by HecklerNKoch

                              "Quad9 DNS gives you INSTANT protection from scammers, phishing sites, and malware!" -- That is misleading.
                              It is also a strawman, in that it's a quote from a random social media marketing guy who's not connected with Quad9.

                              We're engineers, not marketing people, and we don't have anything to sell. So if you ask anyone actually connected with the project whether it protects you from malware, they'd say "most, but not all, so it's one building-block in a layered defense" and they'd point you at independent lab tests of the effectiveness of the malware filtering:

                              96%-97% isn't bad, and I can explain both why that's never going to get to 100% and why it's difficult for any of the for-profit companies to approach that range, if anyone's interested in digging into the topic, but fundamentally a one-in-thirty chance of something bad happening is still bad, so Quad9 is in no way a stand-alone solution for malware. It is one very helpful building block, in conjunction with something like tripwire, something like Little Snitch, and not clicking on dubious links.

                              Originally posted by HecklerNKoch
                              I don't know much about Quad9.
                              I know you weren't the one asking, but if you have any questions, I'm happy to try to answer them.

                              Originally posted by HecklerNKoch
                              The two most dangerous DNS solutions are (i) your actual Internet Service Provider and (ii) your subscription private VPN service. These two will manipulate your results, among things. They are in the business of profiting and if their profiting can keep your monthly subscription payments down, then their model is working.
                              Yeah, I'd agree with all of that. In addition to monetization, both ISPs and particularly VPN operators are targets for compromise by lots of different governments. The "but I have nothing to hide from my government" argument falls apart in the face of networks that are compromised by multiple competing governments, which is often enough the case. Some security issues depend on your threat model, some are just matters of good hygiene, which will help across a broad range of threats.

                              Originally posted by HecklerNKoch
                              There are public DNS services and private ones... Here are popular ones. I'm listing all but one from memory.
                              • Google Public DNS | 8.8.8.8 and 8.8.4.4
                              • OpenDNS | 208.67.222.222 and 208.67.220.220
                              • Cloudflare | 1.1.1.1 and 1.0.0.1
                              • Quad9 | 9.9.9.9 and 149.112.112.112
                              • Verisign DNS | 64.6.64.6 and 64.6.65.6

                              Yeah, the first four there are the big ones. The Verisign one is small but has been around for a long time. There's a list of the large ones on Wikipedia, but it compares them on an up-down basis on criteria that are easy for the commercial ones to meet, which isn't necessarily what a user would be interested in. And another list on GitHub.

                              Honorable mention to Quad-101, the Taiwanese NIC's service, which is one of the very few GDPR-compliant ones. Under pretty much constant attack by the PRC, though.

                              Originally posted by HecklerNKoch
                              There is now the possibility of cloaking your request in TCP, or DNS over TLS (DoT), and more modernly DNS over HTTPS (DoH).
                              In this case, "modern" very definitely doesn't mean "better." DoH is a scam. DoT actually does provide a significant privacy improvement over Do53 (clear text), while not introducing any new privacy weaknesses. That was problematic for some of the folks monetizing DNS data, so they introduced the "competing" DoH protocol, which gives them two advantages: First, fingerprinting of users as they move from behind one NAT to behind another NAT. (So unlike Do53 or DoT, when you go from home to school to work to a cafe, if you're using DoH, the operator at the other end definitely, and clever third-party observers, can now glue those together into a single profile and know that all four were "you." This wasn't possible before, except by DPI and a lot of guesswork.) Second, it gives the ones that are principally in the web CDN business an anti-net-neutrality club with which to beat on their competitors... If they receive a query which resolves to content that they host, they can preemptively fill the user's bandwidth with unasked-for additional answers to all the possible queries that might follow, based on every possible link or ad that's in that content. Conversely, if they receive a query which resolves to content hosted by their competitor... they... can... think... about... it... very... deliberately... and... give... you... just... the... minimum... possible... information... while... looking... up... each... answer... from... their... competitor... individually... and... not... caching... it. ("Honestly, judge, we were doing the best we could!")

                              Originally posted by HecklerNKoch
                              Try this link to see DNS performance analytics based on where you are to get an idea that your results for 'Domino's Pizza' will vary based on what city you are in because what good would it do if your DNS in NYC provided you the 'Domino's Pizza' number in Los Angeles?
                              This is related to EDNS Client Subnet. Which is another scam. You're very right that if your ISP sends your query to a distant recursive resolver, and nobody passes EDNS Client Subnet information along, you're going to get an answer related to a distant Domino's Pizza. However, this is a specific and easily corrected failure on your ISP's part. You should open a ticket with your ISP, and they should fix it. It's costing them money every minute it's broken, so they generally won't whine too much about it being pointed out. The alternative is that the recursive resolver operator passes your origin IP address along to the authoritative server chain (and anyone in-between, since until ADoT, it's all in clear-text) to monetize. The scam is that if you choose not to pass your IP address along, there are CDNs that are used to monetizing that data which will artificially drop some of your queries, in order to convince you that your recursive resolver is unreliable, and convince you to switch to one that passes your data along to them to monetize. Again, a net-neutrality violation.

                              Originally posted by HecklerNKoch
                              All the above-named DNS resolvers are all just middle-men. They filter and/or don't filter your results but ultimately they ask the Root-servers above them, which asks the Authoritative servers above them and in the end you get a result of one variation or another.
                              You're tarring everyone with the same brush here, when a significant part of the point of Quad9 was to get away from this vulnerability. MITM attacks against the recursive-to-authoritative leg have always been a big problem. By colocating the Quad9 servers on the same VM backplane as the PCH authoritative servers (several hundred TLDs and a lot of big companies) and the D-root and E-root nameservers, that attack surface is collapsed and unavailable. In addition, we have private cross-connects with the next-largest authoritative server operator, which is at least in a comparable range of difficulty to attack.

                              Originally posted by HecklerNKoch
                              What some of the commenters on this page are writing about is currently being addressed by DNS over HTTPS -- the point being that the man in the middle can neither (a) see your request (i.e., where you are trying to go) nor (b) manipulate your results. (This is where your ISP and Private VPN would try to steer your results for monetization.)
                              No... DoT and DNSSEC address those issues. DoH does nothing for the latter, and makes things significantly worse relative to DoT. Encryption on the client-to-recursive link is a solved problem. DANE authentication on that link still needs a lot of implementation work. DoH does nothing to advance the state of the art, while introducing some very significant new harms.

                              Originally posted by HecklerNKoch
                              As far as I can tell Quad9 uses a few whitelisting methods and relies on the assistance of partnerships to either whitelist or blacklist your requests, particularly with Packet Clearing House. I can see that they have a good number of points of presence globally (122 active as of right now of 150 overall) and at least 3 autonomous systems. I like that they are not in the business of monetizing user data.
                              Quad9 maintains an internal whitelist (list of sites that should never be blocked) and gets threat intel feeds from twenty or so security analyst firms and CERTs and community projects. We reputation-score the incoming threat intel feeds. We mark them down if, for instance, they include something which gets reported to us as a false positive, and which we determine to have, in fact, been a false positive (the bad guys always report their own blocked malware distribution URLs as false positives, so we have to investigate each one individually). We mark them up if they're the first to report something that not all of the others noticed, and which protected a significant number of users, and which turned out to not be a false positive.

                              PCH is not one of the threat intel providers... Threat analysis isn't a big part of PCH's CERT's activity. IBM, F-Secure, and Cisco are the largest threat intel providers, both in terms of size of company, and in terms of the number of reliable blocks they provide us. A lot of the CERTs are also very good, though many of them tend to be geographically or linguistically focused. The Swiss CERT is really good, for example.

                              Originally posted by HecklerNKoch
                              Bad actors will figure a way around them because that is what they are supposed to do.
                              Yep, and many of the bad actors have either a lot of VC money or the resources of a national government behind them, and they tend to be pretty dogged. Some of them are trying to compromise systems, some of them are trying to infiltrate operational staff... A surprising number attack the standards system, trying to degrade security standards and introduce weaker ones, ones with back-doors, or ones which add new vulnerabilities at a faster rate than they fix old ones. Or, more to the point, add vulnerabilities that the attacker knows about, while fixing ones that their competitors know about. None of which is good for users.

                              Comment

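The reputation scoring of threat-intel feeds that the post above describes (a whitelist that always wins, feeds marked down when one of their entries is investigated and confirmed to be a false positive, feeds marked up when they are first to report something that others missed and that turns out to be real) is easy to show as a small model. This is an added example written for this thread, not Quad9's code, and its feed names, penalty and bonus constants, block threshold and domains are all constructed assumptions.

```python
"""Reputation-weighted blocklist assembled from several threat-intel feeds.

Constructed model of the process described in the post above.  Scores,
thresholds, feed names and domains are illustrative assumptions.
"""
from dataclasses import dataclass

FP_PENALTY = 0.5     # assumed: reputation lost per confirmed false positive
FIRST_BONUS = 0.25   # assumed: reputation gained for a confirmed first report
MAX_SCORE = 3.0      # assumed: cap so one feed cannot dominate forever


@dataclass
class Feed:
    name: str
    score: float = 1.0   # every feed starts with a neutral weight


class ReputationBlocklist:
    def __init__(self, feeds, whitelist, block_threshold=1.0):
        self.feeds = {f.name: f for f in feeds}
        self.whitelist = set(whitelist)      # never blocked, whatever the feeds say
        self.threshold = block_threshold
        self.reports = {}                    # domain -> feed names in arrival order

    def ingest(self, feed_name, domain):
        """Record that feed_name lists domain; the first reporter stays first."""
        if feed_name not in self.feeds:
            raise KeyError(feed_name)
        reporters = self.reports.setdefault(domain, [])
        if feed_name not in reporters:
            reporters.append(feed_name)

    def confidence(self, domain):
        """Sum of the reputations of every feed that reported the domain."""
        return sum(self.feeds[n].score for n in self.reports.get(domain, []))

    def should_block(self, domain):
        if domain in self.whitelist:
            return False
        return self.confidence(domain) >= self.threshold

    def _adjust(self, feed_name, delta):
        feed = self.feeds[feed_name]
        feed.score = min(MAX_SCORE, max(0.0, feed.score + delta))

    def resolve_false_positive_report(self, domain, confirmed_false_positive):
        """Outcome of an operator's investigation of a 'please unblock' report.

        Reports are investigated rather than trusted, because operators of
        blocked sites routinely report their own domains as false positives.
        """
        if confirmed_false_positive:
            for name in self.reports.get(domain, []):
                self._adjust(name, -FP_PENALTY)
            self.whitelist.add(domain)
        # an unfounded report changes nothing: the block stands

    def confirm_true_positive(self, domain):
        """Operator confirmed the domain is malicious: reward the first
        reporter, but only if at least one other feed missed it."""
        reporters = self.reports.get(domain, [])
        if reporters and len(reporters) < len(self.feeds):
            self._adjust(reporters[0], FIRST_BONUS)


def demo():
    """Constructed scenario; returns the resulting state for inspection."""
    bl = ReputationBlocklist(
        feeds=[Feed("feed-a"), Feed("feed-b"), Feed("feed-c")],
        whitelist={"update.example"},         # assumed whitelist entry
    )
    bl.ingest("feed-a", "malware.example")    # feed-a reported it first
    bl.ingest("feed-b", "malware.example")
    bl.ingest("feed-c", "bank.example")       # only feed-c lists this one
    bl.ingest("feed-c", "shop.example")

    blocked_before = bl.should_block("shop.example")   # 1.0 >= 1.0
    bl.resolve_false_positive_report("bank.example", confirmed_false_positive=True)
    bl.confirm_true_positive("malware.example")
    return {
        "blocked_before": blocked_before,
        "feed_a": bl.feeds["feed-a"].score,
        "feed_c": bl.feeds["feed-c"].score,
        "block_malware": bl.should_block("malware.example"),
        "block_bank": bl.should_block("bank.example"),
        "block_shop": bl.should_block("shop.example"),
        "block_update": bl.should_block("update.example"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the scenario is the knock-on effect: once `feed-c` is marked down for the confirmed false positive on `bank.example`, a domain that only `feed-c` reports (`shop.example`) drops below the block threshold, while `malware.example`, reported by two feeds including the now-rewarded first reporter, stays blocked.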