Domain Name System (DNS) servers are essential for the Internet. Every computer or mobile device uses DNS to reach websites, email servers, APIs and other services, so each system must be configured with a DNS service. You can use your ISP’s DNS, Google DNS or OpenDNS. Now you have one more option, from IBM, called the Quad9 DNS service. It blocks known malicious domains for everyone, giving you an additional layer of protection.
How does Quad9 protect me from malicious domains?
From the Quad9 site:
Quad9 brings together cyber threat intelligence about malicious domains from a variety of public and private sources and blocks access to those malicious domains when your system attempts to contact them. When you use Quad9, attackers and malware cannot leverage the known malicious domains to control your systems, and their ability to steal your data or cause harm will be hindered. Quad9 is an effective and easy way to add an additional layer of security to your infrastructure for free.
Quad9 DNS server
Point your system’s DNS resolver at 9.9.9.9, and known malware and phishing domains will no longer resolve. Quad9 offers both a filtering and a non-filtering service on each IP version:
- Secure IPv4: 9.9.9.9 (blocklist, DNSSEC, no EDNS Client-Subnet)
- Unsecure IPv4: 9.9.9.10 (no blocklist, no DNSSEC, sends EDNS Client-Subnet)
- Secure IPv6: 2620:fe::fe (blocklist, DNSSEC, no EDNS Client-Subnet)
- Unsecure IPv6: 2620:fe::10 (no blocklist, no DNSSEC, sends EDNS Client-Subnet)
How to setup Quad9 DNS resolvers
Linux traditionally uses the /etc/resolv.conf file. Some modern systemd-based Linux distros use systemd-resolved instead.
Configure Quad9 using /etc/resolv.conf
Edit the file /etc/resolv.conf:
$ sudo nano /etc/resolv.conf
OR
$ sudo vim /etc/resolv.conf
Edit/append as follows:
nameserver 9.9.9.9
nameserver 2620:fe::fe
domain dnsknowledge.com
options rotate
Save and close the file. Test it with the host or dig command:
$ dig google.com
$ host dnsknowledge.com
Configure Quad9 on Ubuntu 14.04/16.04 LTS and Debian 8/9
Edit the file /etc/network/interfaces:
$ sudo nano /etc/network/interfaces
Edit/append as follows:
# Add DNS resolvers for resolvconf.
dns-nameservers 9.9.9.9 2620:fe::fe
dns-search dnsknowledge.com
dns-options rotate
Save and close the file.
Configure Quad9 on Arch Linux, CoreOS Container Linux and Ubuntu 17.10 (systemd-networkd)
Here is my sample /etc/systemd/network/05-eth0.network file (assuming that the interface name is eth0):
## READ the following man pages ##
# man systemd-networkd
# man systemd-resolved
##
[Match]
Name=eth0

[Network]
DHCP=no
Domains=dnsknowledge.com
IPv6PrivacyExtensions=false
# DNS resolvers (safe to mix IPv4 and IPv6)
DNS=9.9.9.9 2620:fe::fe
# IPv4 gateway and primary address.
Gateway=192.168.1.1
Address=192.168.1.2/24
# IPv6 gateway and primary address.
# Gateway=your-router-ipv6
# Address=your-ipv6-here
Setup Quad9 DNS using the NetworkManager on Linux
You can also use NetworkManager, a free and open source program that detects and configures network connections so the system connects automatically:
Go to System Settings and select Network, then choose your Wi-Fi or wired connection. Click the Settings icon and select IPv4 or IPv6. Turn off Automatic for DNS, enter the address “9.9.9.9”, and click Apply.
Setup Quad9 DNS on a RHEL 7/Fedora (latest)/Scientific/Oracle/CentOS Linux 7
Here is my /etc/sysconfig/network-scripts/ifcfg-eth0 file (assuming that the interface name is eth0):
$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
Sample file:
## Please read the following man pages ##
# man systemd-networkd
# man networkmanager
BOOTPROTO=none
PEERDNS=no
IPV6_AUTOCONF=no
DOMAIN=dnsknowledge.com
GATEWAY0=192.168.1.1
# DNS resolvers
DNS1=9.9.9.9
DNS2=2620:fe::fe
IPADDR0=192.168.1.2
PREFIX0=24
# IPv6 gateway and primary address.
#IPV6_DEFAULTGW=
#IPV6ADDR=
Testing
To apply your changes, reboot the box or restart the networking service. Make sure /etc/resolv.conf was updated:
$ cat /etc/resolv.conf
Make sure all IP addresses are correct:
$ /sbin/ifconfig
$ ip a
Use the ping and host/dig commands for testing:
$ ping -c 5 google.com
$ dig google.com
$ host dnsknowledge.com
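A small audit of the finished /etc/resolv.conf, added here as an example and not part of the original article: it parses the file text, compares each nameserver against the Quad9 addresses listed above, and flags the case where options rotate spreads queries over a resolver that applies no blocklist, so some lookups silently bypass the protection. The sample resolv.conf content and the ISP resolver address are constructed.

```python
import ipaddress
# Quad9 resolver addresses as listed in the article.
QUAD9_SECURE = {"9.9.9.9", "2620:fe::fe"}      # blocklist + DNSSEC
QUAD9_UNSECURE = {"9.9.9.10", "2620:fe::10"}   # no blocklist, no DNSSEC

# Constructed sample: a secure Quad9 server mixed with an ISP resolver
# (192.0.2.53 is a documentation address) and "options rotate" enabled.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real host's file
nameserver 9.9.9.9
nameserver 192.0.2.53
domain dnsknowledge.com
options rotate timeout:2
"""

def parse_resolv_conf(text):
    """Return (nameservers, options) from resolv.conf text, ignoring comments."""
    nameservers, options = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, rest = parts[0], parts[1] if len(parts) > 1 else ""
        if key == "nameserver":
            try:
                nameservers.append(str(ipaddress.ip_address(rest.strip())))
            except ValueError:
                pass  # malformed address; the stub resolver would skip it as well
        elif key == "options":
            options.update(rest.split())
    return nameservers, options

def audit(text):
    """List resolvers that do not apply the Quad9 blocklist and why that matters."""
    nameservers, options = parse_resolv_conf(text)
    findings = []
    for ns in nameservers:
        if ns in QUAD9_SECURE:
            continue
        if ns in QUAD9_UNSECURE:
            findings.append(f"{ns} is the unfiltered Quad9 service (no blocklist, no DNSSEC)")
        else:
            findings.append(f"{ns} is not a Quad9 blocklist resolver")
    # "options rotate" spreads queries over every listed server, so a non-blocklist
    # entry answers a share of lookups rather than only on failover.
    if findings and "rotate" in options:
        findings.append("options rotate: non-blocklist resolvers receive queries round-robin")
    if not nameservers:
        findings.append("no nameserver lines found")
    return findings
```

Run audit() on the contents of your own /etc/resolv.conf after applying one of the configurations above; an empty list means every configured resolver is a Quad9 blocklist server.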
See the Quad9 site for further details on how the service blocks malicious domains for everyone.
Reading the above suggests to me that for machines with only wired connections to a network, the above could be implemented by a change on the local gateway router, which would also protect any visitors connected to that router’s wireless SSID. Looking through the options on a router with dd-wrt, I see that DNS is shut off because the service is provided by my ISP; so I’m not sure how I’d go about it…if it’s possible. Perhaps a mention above would be useful…
Or just run your own DNS server that talks to the root domains. You have way more control that way.
What are the policies regarding logging, privacy, etc.? Do they log requests? Do they comply with law enforcement and hand over these logs?
Thanks for the tutorial. I’m always eager to improve security and trust IBM is on the mark, but don’t know much about DNS. What are the chances of spinning up a remote server on DO and having the IP be on the blacklist of Quad9?
Thank you for this amazing info!