Quad 9 (9.9.9.9) vs Quad 1 (1.1.1.1) DNS

Just a while back Quad-9 was released as a more secure option for DNS, sponsored by IBM, PCH, and GCA. Now we have Quad-1, sponsored by Cloudflare and APNIC.

As their site says, Quad9 routes your DNS queries through a secure network of servers around the globe. The system uses threat intelligence from more than a dozen of the industry’s leading cyber security companies to give a real-time perspective on what websites are safe and what sites are known to include malware or other threats. If the system detects that the site you want to reach is known to be infected, you’ll automatically be blocked from entry – keeping your data and computer safe.

So that is a great help in blocking botnets and the like from leveraging DNS queries to be a part of the attack network.

As I read it, Quad-1 does not do this. Quad-1 is just a fast DNS server that supports DoH (DNS-over-HTTPS). This is an experimental protocol that performs remote DNS resolution over HTTPS. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks and/or by ISPs. Another protocol Quad-1 supports is DNS-over-TLS (DoT), whose goal is the same as DoH. I believe DoT is the protocol that Google is planning on putting in Android sometime.

Quad-9 also supports DNS-over-TLS.
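To make the difference between the two transports concrete, here is an added example (not from the original post) that encodes one DNS query and wraps it the way DoT (RFC 7858) and DoH (RFC 8484) carry it. The Cloudflare endpoint URL and all function names are assumptions of this example; it only builds bytes and makes no network connection.

```python
import base64
import struct

# Assumption: Cloudflare's public DoH endpoint; the post does not give it.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"

def build_query(name, qtype=1, txid=0):
    """Encode a one-question DNS query (RFC 1035). qtype 1 = A record.
    RFC 8484 recommends ID 0 for DoH so HTTP caches see identical requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = name.rstrip(".").encode("idna").split(b".")
    if any(not 1 <= len(label) <= 63 for label in labels):
        raise ValueError("each label must be 1-63 bytes")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class 1 = IN

def dot_frame(message):
    """DoT: same framing as DNS over TCP, a 2-byte big-endian length prefix,
    sent inside a TLS session to port 853."""
    return struct.pack("!H", len(message)) + message

def dot_unframe(buf):
    """Split received bytes into complete DNS messages plus leftover bytes."""
    messages = []
    while len(buf) >= 2:
        (length,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + length:
            break  # partial message: keep it until more data arrives
        messages.append(buf[2:2 + length])
        buf = buf[2 + length:]
    return messages, buf

def doh_get_url(message, endpoint=DOH_ENDPOINT):
    """DoH GET: the raw message, base64url-encoded without padding, in ?dns=."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"

def doh_post(message, endpoint=DOH_ENDPOINT):
    """DoH POST: the raw message is the HTTP body."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return endpoint, headers, message

if __name__ == "__main__":
    query = build_query("www.example.com")
    print("DoT bytes:", dot_frame(query).hex())
    print("DoH GET  :", doh_get_url(query))
```

The DNS message is identical in both cases; only the wrapper differs, which is why a DoT listener on port 853 is easy to identify on the network while DoH blends in with other HTTPS traffic on port 443.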

Which is better for you?

If you manage your own DNS blocklist and want privacy, you can use both! But only if you are using DNS-over-TLS; if you want to use DNS-over-HTTPS, you will have to use Quad-1. Quad-1, Quad-9 and Google’s Quad-8 all support DNS-over-TLS. Run a DNS Bench test against them and let the results help you decide.

 

These are my test results from where I am on the internets:

 

Not much of a difference.

 

 

Update:

 

Just found some more info about private-minded DNS servers. Source

 

  • Google 8.8.8.8: Private and unfiltered. Most popular option.
  • Cloudflare 1.1.1.1: Private and unfiltered. New player.
  • Quad9 9.9.9.9: Private and security aware. New player that blocks access to malicious domains.
  • OpenDNS 208.67.222.222: Old player that blocks malicious domains and offers the option to block adult content.
  • Norton DNS 199.85.126.20: Old player that blocks malicious domains and is integrated with their Antivirus.
  • CleanBrowsing 185.228.168.168: Private and security aware. New player that blocks access to adult content.
  • Yandex DNS 77.88.8.7: Old player that blocks malicious domains. Very popular in Russia.
  • Comodo DNS 8.26.56.26: Old player that blocks malicious domains.

 
