Quad9 is a global public recursive

DNS The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to ...

resolver that aims to protect users from malware and phishing. Quad9 is operated by the Quad9 Foundation, a Swiss public-benefit, not-for-profit

foundation Foundation may refer to: * Foundation (nonprofit), a type of charitable organization ** Foundation (United States law), a type of charitable organization in the U.S. ** Private foundation, a charitable organization that, while serving a good cause ...

with the purpose of improving the privacy and

cybersecurity Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, t ...

of Internet users, headquartered in Zurich. It is the only global public resolver which is operated not-for-profit, in the public benefit. Quad9 is entirely subject to Swiss privacy law, and the Swiss government extends that protection of the law to Quad9's users throughout the world, regardless of citizenship or country of residence.

Security and privacy

Several independent evaluations have found Quad9 to be the most effective (97%) at blocking malware and phishing domains. As of June, 2021, Quad9 was blocking more than 100 million malware infections and phishing attacks per day. Quad9's malware filtering is a user-selectable option. The domains which are filtered are not determined by Quad9, but instead supplied to Quad9 by a variety of independent threat-intelligence analysts, using different methodologies. Quad9 uses a reputation-scoring system to aggregate these sources, and removes "false positive" domains from the filter list, but does not itself add domains to the filter list. Quad9 was the first to use standards-based strong cryptography to protect the privacy of its users' DNS queries, and the first to use DNSSEC cryptographic validation to protect users from domain name hijacking. Quad9 protects users' privacy by not retaining or processing the

IP address An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...

of its users, and is consequently GDPR-compliant.

Locations

As of August 2021, the Quad9 recursive resolver was operating from server clusters in 224 locations on six continents and 106 countries.

Sony Music injunction

On June 18, 2021, Quad9 was notified of a first-of-its-kind injunction by the District Court of Hamburg, in which

Sony Music Sony Music Entertainment (SME), also known as simply Sony Music, is an American multinational music company. Being owned by the parent conglomerate Sony Group Corporation, it is part of the Sony Music Group, which is owned by Sony Entertainment ...

demanded that Quad9 block DNS resolution of a domain name used by a web site which did not contain copyright-infringing material, but contained links to other sites which did. This is the first instance in which the copyright-holder industry has sought to compel a recursive DNS operator to block access to Internet domain names, so this is a novel interpretation of German law and is thought to be a precedent-setting case with far-reaching consequences. Quad9's General Manager John Todd was quoted in the press as saying "Our donors support us to protect the public from cyber-threats, not to further enrich Sony" and "If this precedent holds, it will appear again in similar injunctions against other uninvolved third parties, such as anti-virus software, web browsers, operating systems and firewalls." Legal expert Thomas Rickert of eco, the German Internet association, commented: "I cannot imagine a provider who is further removed from responsibility for any illegal domains than a public resolver operator." Quad9 immediately announced that it would contest the injunction and, as of June 24, announced that it had retained German counsel and would be filing an objection to the injunction. Clemens Rasch, the attorney leading Sony's team, has not clearly stated whether any attempts were made to contact canna.to, the site widely suspected by the press to be behind the redactions in the court documents, saying only that Sony would have done so "if they could have been identified", while confirming that the site has been operating continuously for the past twenty two years. A court spokesperson said that "only the statements presented by the applicant side were used as a basis for the injunction" and that the court "took it on faith that the notifications which the applicant claimed to have sent were not only sent but also arrived at their recipient". At the close of the first week of the conflict, the press noted that donations to Quad9 were up by 900% relative to the prior week, and as of June 27, canna.to was still resolvable through Quad9's servers. On August 31, 2021, Quad9 filed an objection to the injunction, citing a number of flaws in the legal arguments made by Sony, but principally hinging on the fact that ISPs (which actually have a business relationship with infringing parties) are exempted from third-party liability, despite the fact that they also operate DNS recursive resolvers, and that it's a misinterpretation of the law to exclude independent recursive resolvers from that exemption.

Service

Quad9 operates recursive name servers for public use at the following IP addresses. These addresses are routed to the nearest operational server using

anycast Anycast is a network addressing and routing methodology in which a single destination IP address is shared by devices (generally servers) in multiple locations. Routers direct packets addressed to this destination to the location nearest the se ...

routing. Quad9 supports

DNS over TLS DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preve ...

over port 853,

DNS over HTTPS DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man- ...

over port 443, and

DNSCrypt DNSCrypt is a network protocol that authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers. It was originally designed by Frank Denis and Yecheng Fu. Although multiple free and ope ...

over port 443.

References

External links