
How to set up Quad9 DNS on Linux

Domain Name Servers (DNS) are essential to the Internet. Every computer or mobile device uses DNS to reach websites, email servers, APIs and other services, so every system must be configured with a DNS service. You can use your ISP’s DNS, Google DNS or OpenDNS. Now there is one more option, from IBM: the Quad9 DNS service. It blocks known malicious domains for everyone who uses it, giving you an additional layer of protection.

How does Quad9 protect me from malicious domains?

From the Quad9 site:

Quad9 brings together cyber threat intelligence about malicious domains from a variety of public and private sources and blocks access to those malicious domains when your system attempts to contact them. When you use Quad9, attackers and malware cannot leverage the known malicious domains to control your systems, and their ability to steal your data or cause harm will be hindered. Quad9 is an effective and easy way to add an additional layer of security to your infrastructure for free.

Quad9 DNS server

Point your system’s DNS resolver at 9.9.9.9, and known malware and phishing sites won’t be able to use DNS for bad purposes:

  • Secure IPv4: 9.9.9.9 Blocklist, DNSSEC, No EDNS Client-Subnet
  • Unsecure IPv4: 9.9.9.10 No blocklist, no DNSSEC, send EDNS Client-Subnet
  • Secure IPv6: 2620:fe::fe Blocklist, DNSSEC, No EDNS Client-Subnet
  • Unsecure IPv6: 2620:fe::10 No blocklist, no DNSSEC, send EDNS Client-Subnet

How to set up Quad9 DNS resolvers

Linux traditionally reads its resolver settings from the /etc/resolv.conf file. Some modern systemd-based Linux distros use systemd-resolved instead.

Configure Quad9 using /etc/resolv.conf

Edit the file /etc/resolv.conf:
$ sudo nano /etc/resolv.conf
OR
$ sudo vim /etc/resolv.conf
Edit/append as follows:

nameserver 9.9.9.9
nameserver 2620:fe::fe
domain dnsknowledge.com
options rotate

Save and close the file. Test it with the host or dig command:
$ dig google.com
$ host dnsknowledge.com

Quad9 resolving domain names

Configure Quad9 on Ubuntu 14.04/16.04 LTS and Debian 8/9

Edit the file /etc/network/interfaces:
$ sudo nano /etc/network/interfaces
Edit/append as follows:

# Add DNS resolvers for resolvconf. Place these lines inside the stanza of the
# interface they apply to (for example, under "iface eth0 inet static").
  dns-nameservers 9.9.9.9 2620:fe::fe
  dns-search dnsknowledge.com
  dns-options rotate

Save and close the file.

Configure Quad9 on Arch Linux, CoreOS Container Linux and Ubuntu 17.10

Here is my sample /etc/systemd/network/05-eth0.network file (assuming the interface name is eth0):

## READ following man pages ##
# man systemd-networkd
# man systemd-resolved
##
[Match]
Name=eth0
[Network]
DHCP=no
Domains=dnsknowledge.com
IPv6PrivacyExtensions=false
# DNS resolvers (safe to mix IPv4 and IPv6)
DNS=9.9.9.9 2620:fe::fe
# IPv4 gateway and primary address.
Gateway=192.168.1.1
Address=192.168.1.2/24
# IPv6 gateway and primary address.
# Gateway=your-router-ipv6
# Address=your-ipv6-here

Set up Quad9 DNS using NetworkManager on Linux

You can also use NetworkManager. It is a free and open source program that detects network interfaces and configures them so the system connects to the network automatically:
Go to System Settings and select the network connection you use, such as the WiFi or Wired connection. Click the settings icon and select IPv4 or IPv6. Turn off Automatic for DNS, enter the IPv4 address “9.9.9.9” and click Apply.

You can set up Quad9 on Linux using the GUI method

Set up Quad9 DNS on RHEL 7/Fedora (latest)/Scientific/Oracle/CentOS Linux 7

Here is my /etc/sysconfig/network-scripts/ifcfg-eth0 file (assuming the interface name is eth0):
$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
Sample file:

## Please read the following man pages ##
# man NetworkManager
# man nm-settings-ifcfg-rh
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
# Do not let DHCP/PPP overwrite the resolvers configured below.
PEERDNS=no
IPV6_AUTOCONF=no
DOMAIN=dnsknowledge.com
GATEWAY0=192.168.1.1
# DNS resolvers
DNS1=9.9.9.9
DNS2=2620:fe::fe
IPADDR0=192.168.1.2
PREFIX0=24
# IPv6 gateway and primary address.
#IPV6_DEFAULTGW=
#IPV6ADDR=

Testing

To apply your changes, reboot the box or restart the networking service. Make sure /etc/resolv.conf has been updated:
$ cat /etc/resolv.conf
Make sure all IP addresses are correct:
$ /sbin/ifconfig
$ ip a

Use the ping and host/dig command for testing:
$ ping -c 5 google.com
$ dig google.com
$ host dnsknowledge.com
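To confirm the change really took effect, here is an added shell check (not part of the original article) that inspects resolv.conf text and dig output: every nameserver must be one of Quad9's secure addresses (not the unsecure 9.9.9.10/2620:fe::10 pair or a leftover ISP resolver), the answering server in the dig output must be Quad9, and the reply must carry the "ad" flag, which dig prints when the resolver validated the answer with DNSSEC. The sample inputs are constructed; on a live host pass "$(cat /etc/resolv.conf)" and "$(dig google.com)" instead.

```shell
#!/bin/sh
# Added example: verify a Linux box is using Quad9's secure resolvers and that
# a query was DNSSEC-validated. Sample texts below are constructed, not captured.

QUAD9_SECURE="9.9.9.9 2620:fe::fe"
QUAD9_UNSECURE="9.9.9.10 2620:fe::10"

# classify_nameserver ADDRESS -> prints secure | unsecure | other
classify_nameserver() {
    for a in $QUAD9_SECURE;   do [ "$1" = "$a" ] && { echo secure;   return 0; }; done
    for a in $QUAD9_UNSECURE; do [ "$1" = "$a" ] && { echo unsecure; return 0; }; done
    echo other
}

# check_resolv_conf TEXT -> succeeds only if there is at least one nameserver
# line and every nameserver is a secure Quad9 address.
check_resolv_conf() {
    count=$(printf '%s\n' "$1" | awk '$1=="nameserver"{n++} END{print n+0}')
    [ "$count" -gt 0 ] || return 1
    bad=$(printf '%s\n' "$1" | awk '$1=="nameserver"{print $2}' | while read -r ns; do
        [ "$(classify_nameserver "$ns")" = secure ] || echo "$ns"
    done)
    [ -z "$bad" ]
}

# check_dig_output TEXT -> succeeds only if the answering server (";; SERVER:"
# line) is a secure Quad9 address and the reply carries the "ad" flag, meaning
# the resolver validated the answer with DNSSEC.
check_dig_output() {
    server=$(printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p')
    [ "$(classify_nameserver "$server")" = secure ] || return 1
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_RESOLV='nameserver 9.9.9.9
nameserver 2620:fe::fe
domain dnsknowledge.com
options rotate'
SAMPLE_DIG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 9.9.9.9#53(9.9.9.9)'
BAD_RESOLV='nameserver 192.0.2.1
nameserver 9.9.9.10'

check_resolv_conf "$SAMPLE_RESOLV" && check_dig_output "$SAMPLE_DIG" \
    && echo "resolv.conf and live query both use secure Quad9 with DNSSEC"
```

If the "ad" flag is missing even though the server is 9.9.9.9, the answer was not DNSSEC-validated, which is expected for domains that are not signed.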

See the Quad9 site for further details on how the service blocks malicious domains for everyone.

4 comments
  • Kent Lion November 18, 2017, 9:47 am

    Reading the above suggests to me that for machines with only wired connections to a network, the above could be implemented by a change on the local gateway router, which would also protect any visitors connected to that router’s wireless SSID. Looking through the options on a router with dd-wrt, I see that DNS shut off because the service is provided by my ISP; so I’m not sure how I’d go about it…if it’s possible. Perhaps a mention above would be useful…

  • Lord_Beavis November 18, 2017, 1:04 pm

    Or just run your own DNS server that talks to the root domains. You have way more control that way.

  • Ronen November 19, 2017, 9:27 pm

    What are the policies regarding logging, privacy, etc.? Do they log requests? Do they comply with law enforcement and hand over these logs?

  • Joseph Lee November 25, 2017, 1:50 pm

    Thanks for the tutorial. I’m always eager to improve security and trust IBM is on the mark, but don’t know much about DNS. What are the chances of spinning up a remote server on DO and having the IP be on the blacklist of Quad9?
