Quad9

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Quad9
Quad9 logo.svg
FoundedMay 11, 2016 (2016-05-11)
FounderPacket Clearing House
IBM
Global Cyber Alliance
SWITCH
TypePublic-benefit not-for-profit foundation
Registration no.435.091.407
FocusInternet privacy and security
Location
Area served
Global
Employees
12
Websitequad9.net

Quad9 is a global public recursive DNS resolver which aims to protect users from malware and phishing. Quad9 is operated by the Quad9 Foundation, a Swiss public-benefit, not-for-profit foundation with the purpose of improving the privacy and cybersecurity of Internet users, headquartered in Zurich.[1] It is the only global public resolver which is operated not-for-profit, in the public benefit. Quad9 is entirely subject to Swiss privacy law, and the Swiss government extends that protection of law to Quad9's users throughout the world, regardless of citizenship or country of residence.[2] Quad9 is currently the only global recursive resolver which is not subject to United States law, as the others are each domiciled in the San Francisco Bay Area and governed by the Northern District of California US Federal Court.[3][4][original research?]

Security and privacy[edit]

Several independent evaluations have found Quad9 to be the most effective (97%) at blocking malware and phishing domains.[5][6][7][8] As of June, 2021, Quad9 was blocking more than 100 million malware infections and phishing attacks per day.[9] Quad9's malware filtering is a user-selectable option. The domains which are filtered are not determined by Quad9, but instead supplied to Quad9 by a variety of independent threat-intelligence analysts, using different methodologies. Quad9 uses a reputation-scoring system to aggregate these sources, and removes "false positive" domains from the filter list, but does not itself add domains to the filter list.[5][10][11][12]

Quad9 was the first to use standards-based strong cryptography to protect the privacy of its users' DNS queries, and the first to use DNSSEC cryptographic validation to protect users from domain name hijacking.[13][14][15][16][11] Quad9 protects users' privacy by not retaining or processing the IP address of its users, and is consequently GDPR-compliant.[17][18][19]

Locations[edit]

Map of Quad9 recursive resolver locations as of 2021-05-27

As of August 2021, the Quad9 recursive resolver was operating from server clusters in 224 locations on six continents and 106 countries.[20]

Sony Music injunction[edit]

On June 18, 2021, Quad9 was notified of a first-of-its-kind injunction by the District Court of Hamburg, in which Sony Music demanded that Quad9 block DNS resolution of a domain name used by a web site which did not contain copyright-infringing material, but contained links to other sites which did.[21] This is the first instance in which the copyright-holder industry has sought to compel a recursive DNS operator to block access to Internet domain names, so this is a novel interpretation of German law and is thought to be a precedent-setting case with far-reaching consequences. Quad9's General Manager, John Todd, was quoted in the press as saying "Our donors support us to protect the public from cyber-threats, not to further enrich Sony," and "If this precedent holds, it will appear again in similar injunctions against other uninvolved third parties, such as anti-virus software, web browsers, operating systems and firewalls." Legal expert Thomas Rickert of eco, the German Internet association, commented "I cannot imagine a provider who is further removed from responsibility for any illegal domains than a public resolver operator." Quad9 immediately announced that it would contest the injunction and, as of June 24, announced that it had retained German counsel and would be filing an objection to the injunction.[22][23][12][24][25][26][27][28][29] Clemens Rasch, the attorney leading Sony's team, has not clearly stated whether any attempts were made to contact canna.to, the site widely suspected by the press to be behind the redactions in the court documents, saying only that Sony would have done so "if they could have been identified," while confirming that the site has been operating continuously for the past twenty two years. A court spokesperson said that "only the statements presented by the applicant side were used as a basis for the injunction" and that the court "took it on faith that the notifications which the applicant claimed to have sent were not only sent but also arrived at their recipient." At the close of the first week of the conflict, the press noted that donations to Quad9 were up by 900% relative to the prior week, and as of June 27, canna.to was still resolvable through Quad9's servers.[30]

On August 31, 2021, Quad9 filed an objection to the injunction, citing a number of flaws in the legal arguments made by Sony, but principally hinging on the fact that ISPs (which actually have a business relationship with infringing parties) are exempted from third-party liability, despite the fact that they also operate DNS recursive resolvers, and that it's a misinterpretation of the law to exclude independent recursive resolvers from that exemption.[31][5][32]

Service[edit]

Quad9 operates recursive name servers for public use at the following IP addresses. These addresses are routed to the nearest operational server using anycast routing. Quad9 supports DNS over TLS over port 853,[33] DNS over HTTPS over port 443,[34] and DNSCrypt over port 443.[35]

High Security / High Privacy High Security / Moderate Privacy Low Security / High Privacy
Filters domains Yes Yes No
Validates DNSSEC
Passes ECS No
Via DoH[36] https://dns.quad9.net/dns-query https://dns11.quad9.net/dns-query https://dns10.quad9.net/dns-query
Via DoT[36] dns.quad9.net dns11.quad9.net dns10.quad9.net
Via IPv4[36] 9.9.9.9
149.112.112.112
9.9.9.11
149.112.112.11
9.9.9.10
149.112.112.10
Via IPv6[36] 2620:fe::fe
2620:fe::9
2620:fe::11
2620:fe::fe:11
2620:fe::10
2620:fe::fe:10

See also[edit]

References[edit]

  1. ^ "Quad9 moves to Switzerland". ncsc.admin.ch. Swiss National Cyber Security Centre. 2021-02-17. Retrieved 2021-05-27. Non-profit organisation Quad9 is relocating its headquarters to Zurich.
  2. ^ Steiger, Martin (2021-02-18). "Quad9 Foundation – Recursive DNS Resolver in Switzerland / Applicability of Swiss and European Data Protection Law" (PDF). steigerlegal.ch. Steiger Legal. Archived from the original (PDF) on 2021-05-27. Retrieved 2021-05-27. Quad9 is entirely and fully subject to Swiss data protection law including the Swiss Federal Act on Data Protection (FADP) and its corresponding ordinance with regard to all data subjects, i.e., for all persons worldwide whose data is being processed by Quad9. Compliance with Swiss data protection law is subject to the independent supervision of the Swiss Federal Data Protection and Information Commissioner (FDPIC). Data subjects may file a complaint with the FDPIC regardless of their citizenship or country of residence.
  3. ^ "Cloudflare corporate headquarters". linkedin.com. 2021-05-27. Retrieved 2021-05-27. Cloudflare corporate headquarters: San Francisco, California
  4. ^ "Cisco corporate headquarters". cisco.com. 2021-05-27. Retrieved 2021-05-27. Cisco corporate headquarters: San Jose, California
  5. ^ a b c Reda, Julia (2021-08-30). "Quad9 in Störerhaftung – neue Rechtsunsicherheit für DNS-Resolver". Heise Online. Retrieved 1 September 2021. Quad9 service is characterized by significantly increasing IT security compared to alternative, mostly commercial DNS services. Independent tests have determined that Quad9 filters over 97 percent of tested malware and phishing domains.
  6. ^ Lawrence, Tom (2020-05-03). DNS Malware Filtering Compared: Quad9 VS Cloudflare VS DNS Filter VS OpenDNS. lawrencesystems.com. Lawrence Systems. Retrieved 2021-05-27. Quad9: 97.16% effective, Cloudflare: 56.74% effective, OpenDNS: 9.22% effective
  7. ^ Young, Andrew (2020-05-31). "Comparing Malware-blocking DNS Resolvers". andryou.com. Andryou. Retrieved 2021-05-27. Quad9: 97.08% effective, Cloudflare: 56.20% effective, OpenDNS: 2.19% effective
  8. ^ Kod, Skadlig (2020-05-02). "Malicious Site Filters on DNS". skadligkod.se. Skadlig Kod. Retrieved 2021-05-27. Quad9: 96% effective, Cloudflare: 13% effective, OpenDNS: 46% effective
  9. ^ Editor 3 (25 May 2021). "Quad9: Witnesses Extensive Growth in Blocked DNS Strength". EaDnsKeep. EaDnsKeep. Retrieved 9 June 2021. Quad9 is currently seeing a new record-setting rate of approximately 60 million of these blocking events per day, representing a 600% year-over-year growth rate. During heavy “storms” of cybercrime venture, this volume has increased to over 100M events per day. {{cite web}}: |last1= has generic name (help)
  10. ^ "Quad9 Partners". Retrieved 1 September 2021. Quad9 partners with a large number of threat intelligence sources who provide up-to-the-minute data about domains that pose a threat because of malware, phishing, botnets, or other malicious activities. Quad9 uses vetted open-source threat data as well as donated information from commercial sources.
  11. ^ a b Schmitt, Paul; Edmundson, Anne; Mankin, Allison; Feamster, Nick (2019). "Oblivious DNS: Practical Privacy for DNS Queries". Proceedings on Privacy Enhancing Technologies. 2019 (2): 228–244. arXiv:1806.00276. doi:10.2478/popets-2019-0028. S2CID 44126163. Retrieved 13 June 2021. Quad9 provides both security and privacy features for DNS. Quad9 uses threat intelligence data at the recursive resolver to prevent a client from accessing a malicious site. This recursive resolver does not store or distribute the DNS data passing through.
  12. ^ a b Jackson, Mark (2021-06-21). "DNS Providers May Be Forced to Block Internet Piracy Websites". ISPreview. Retrieved 21 June 2021. The court also seemed to accept Sony’s argument that Quad9 already blocks problematic websites (e.g. those that contain malware – viruses, spyware etc.), despite that being a very different consideration. Quad9’s General Manager, John Todd, said: 'Quad9 derives its threat intelligence from qualified experts on malware and phishing, not from the claims of parties without relevant expertise. We would be unable to maintain our 98% success rate in blocking cyber-threats if we accepted input based on self-interested claims, rather than on forensics and expert analysis.' we could imagine that many more Rights Holders may rush to make use of this for similar websites. Naturally, Quad9 intends to appeal and so the battle is not yet over.
  13. ^ "New "Quad9" DNS service blocks malicious domains for everyone". Ars Technica. 16 November 2017. Retrieved 2018-04-08.
  14. ^ Bortzmeyer, Stéphane (2017-11-21). "Quad9, a Public DNS Resolver - with Security". labs.ripe.net. RIPE Labs. Retrieved 2021-05-27. Last week, the new DNS resolver Quad9 has been announced. It is a public DNS resolver with the additional benefit that it is accessible in a secure way. There are other public DNS resolvers, but the link to them is not secure. This allows hijackings as well as third-party monitoring. The new Quad9 service on the other hand is operated by the not-for-profit Packet Clearing House (PCH), which manages large parts of the DNS infrastructure, and it allows access to the DNS over TLS. This makes it very difficult for third parties to listen in. And it makes it possible to authenticate the resolver.
  15. ^ Woodcock, Bill (2021-02-09). "Statement by Bill Woodcock, chairman of Quad9's board". Reddit. Retrieved 2021-05-27.
  16. ^ Dickinson, Sara (2019-11-28). "DNS Privacy Public Resolvers". DNS Privacy Project. Retrieved 2021-05-27.
  17. ^ "Quad9 Data and Privacy Policy". Quad9. Retrieved 2021-05-27. The Reply To Address is purged from RAM as soon as we have transmitted the reply to the user's Reply To Address. The Reply To Address (or any representation of, or proxy for, it) is not copied to permanent storage, nor is it transmitted across the network to any destination other than the user. It leaves the machine on which we received it only in the form of a reply to the user – to no other destination, in no other form, for no other purpose.
  18. ^ "A Deeper Dive Into Public DNS Resolver Quad9". Internet Society. Retrieved 2018-04-08.
  19. ^ Brennan, Jim (2017-11-16). "New Quad9 DNS Service Makes the Internet Safer and More Private". securityintelligence.com. Security Intelligence. Retrieved 2021-05-27. Quad9 goes far beyond standard DNS name resolution. Unlike many other DNS services, Quad9 does not store, correlate or otherwise employ any personally identifiable information (PII).
  20. ^ "Internet Exchange Points Quad9 is Present In". pch.net. Packet Clearing House. 2021-05-27. Retrieved 2021-05-27.
  21. ^ Huston, Geoff (11 February 2022). "Opinion: DNS4EU". APNIC. Sony Music Germany bought a suit against the DNS open resolver provider Quad9 in a German court. The court ruled that Quad9 must block the resolution of a domain name of a website in Ukraine that itself does not hold copyright-infringing material, but instead contains pointers to another website that is reported to hold alleged copyright infringements. Quad9’s interpretation of this ruling is that queries received from IP addresses that can be geolocated to Germany must generate a SERVFAIL response from Quad9’s recursive resolvers.
  22. ^ Van der Sar, Ernesto (2021-06-21). "Sony Wins Pirate Site Blocking Order Against DNS-Resolver Quad9". TorrentFreak. Retrieved 21 June 2021. Sony Music has obtained an injunction that requires the freely available DNS-resolver Quad9 to block a popular pirate site. The order, issued by the District Court in Hamburg, Germany, is the first of its kind. The Quad9 foundation has already announced that it will protest the judgment, which could have far-reaching consequences. The Hamburg court found that the DNS service is not eligible for the liability protections that other third-party intermediaries such as ISPs and domain registrars typically enjoy. And if Quad9 fails to comply with the injunction, it will have to pay a fine of 250,000 euros per ‘infringing’ DNS query plus potentially two years in prison.
  23. ^ Ermert, Monika (2021-06-19). "Copyright infringement: Sony obtains injunction against DNS resolvers". Heise Online. Retrieved 21 June 2021. Sony wants to ban the DNS resolution of domains by injunction. The district court in Hamburg ruled that Quad9 was not covered by the usual liability privileges for pure intermediaries like an Internet service provider or even domain registrars.
  24. ^ Grüner, Sebastian (2021-06-21). "Sony will DNS-Sperre bei Quad9 durchsetzen". Golem. Retrieved 21 June 2021. The DNS provider Quad9, which is now officially located in Switzerland, is held liable as a "Stoerer" (interferer) in this case, because the DNS resolution of the service enables copyright infringement. The "Stoererhaftung" (Breach of Duty of Care), its effects on copyright law, and any associated warnings against private individuals or even companies have been a point of contention in the law-making process of politics and the judiciary for decades. What is surprising about the current case is that Internet providers and registrars are actually exempt from "Stoererhaftung" (Breach of Duty of Care) under the so-called provider privilege. However, the Hamburg Regional Court apparently sees things differently.
  25. ^ "Sony zieht gegen Schweizer NPO Quad9 vor Gericht". IT-MARKT. 2021-06-21. Retrieved 21 June 2021. Sony has obtained an injunction from the district court of Hamburg against Quad9, a non-profit organization (NPO) recently based in Switzerland. … Not Quad9's size, but the fact that Quad9 is the only major DNS resolver no longer based in the US prompted Sony to obtain the injunction, Woodcock says to the news portal. (translation from German)
  26. ^ King, Ashley (2021-06-24). "Sony Music Wins Injunction Requiring DNS Resolver to Block Pirate Site". Digital Music News. Retrieved 25 June 2021. Sony Music has won an injunction requiring a DNS resolver to block a popular piracy site. The ruling is the first of its kind and may signal a new direction in tackling music piracy. The order was issued by the District Court in Hamburg, Germany. The Hamburg Court ruling finds that DNS resolvers like Quad9 are not eligible for liability protections like ISPs and domain registrars. If Quad9 fails to block the infringing site, it faces a fine of up to $298,356.00 (€250,000) per infringing DNS query it processes and a potential prison stint of up to two years.
  27. ^ "Quad9 and Sony Music: German Injunction Status". Quad9. 2021-06-24. Retrieved 25 June 2021. Quad9 was notified last Friday that Sony Music had obtained an injunction against Quad9 in the lower court of Hamburg, Germany, seeking to block DNS resolution of domains used to host music content files on the grounds that such resolution contributes to infringement upon Sony’s copyrights. Quad9 has no relationship with any of the parties to the alleged infringement. Our systems resolve domain names, conveying public information on the public Internet, as any other recursive resolver would do, and there is no allegation that the domain names themselves, or any information that Quad9 has handled, infringe upon Sony’s copyrights. We have retained counsel, and we are in the process of filing an objection to the injunction.
  28. ^ "Beschluss In der Sache Sony Music Entertainment Germany GmbH gegen Quad9 Stiftung" (PDF). Landgericht Hamburg. 2021-05-21. Archived from the original (PDF) on 2021-06-24. Retrieved 25 June 2021.
  29. ^ "Resolution in the case Sony Music Entertainment Germany GmbH versus Quad9 Foundation" (PDF). Hamburg Lower Court. 2021-05-21. Archived from the original (PDF) on 2021-06-24. Retrieved 25 June 2021. By way of interim injunction - for reasons of urgency without oral proceedings - the defendant is ordered to avoid a Tine to be determined by the court for each case of culpable infringement and, in the event that this cannot be recovered, to serve a term of imprisonment of up to six months (fine in individual cases not exceeding 250,000.00, imprisonment for a total of not more than two years) prohibited to enable third parties in the territory of the Federal Republic of Germany the music album "Evanescence - The Bitter Truth" to be made publicly available.
  30. ^ Ermert, Monika (2021-06-27). "Sony vs. Quad9: a wave of donations for the DNS resolver". Heise Online. Retrieved 27 June 2021.
  31. ^ Stegeman, Koen (2021-09-02). "Quad9 Files Appeal Against Copyright Lawsuit from Sony Music Germany". Hosting Journalist. Retrieved 3 September 2021.
  32. ^ Carnesi, Ken (2021-07-27). "DNSFilter CEO Responds to Quad9 Injunction: "DNS resolvers should not police the Internet for copyright violations"". DNSfilter. Retrieved 3 September 2021.
  33. ^ Dickinson, Sara (2019-11-28). "DNS Privacy Public Resolvers: DNS-over-TLS (DoT)". DNS Privacy Project. Retrieved 2021-05-27.
  34. ^ Dickinson, Sara (2019-11-28). "DNS Privacy Public Resolvers: DNS-over-HTTPS (DoH)". DNS Privacy Project. Retrieved 2021-05-27.
  35. ^ Kumar, Arvind (2021-05-27). "DNScrypt Resolvers". github.com. EnKrypt. Retrieved 2021-05-27. quad9-dnscrypt-ip4-filter-pri Quad9 (anycast) dnssec/no-log/filter 9.9.9.9 / 149.112.112.9
  36. ^ a b c d "Service Addresses & Features". Quad9. Retrieved 2021-10-05.

External links[edit]