Quad9 Enables DNS over HTTP/3 and DNS over QUIC (opens in new tab)

(quad9.net)

69 pointsitchingsphynx1mo ago17 comments

17 comments

b3lvedere1mo ago

I used the Quad9 resolvers in the past, but i've been using the DNS4EU for a while now [1]

[1] https://joindns4.eu/

crote1mo ago

What made you switch?

b3lvedere1mo ago

It seems faster for me and it has multiple choices of protection.

esbranson1mo ago

Excellent. Since privacy and cybersecurity are goals, TLS Encrypted Client Hello (RFC 9849, ECH) and its DNS service bindings (RFC 9848) were finalized last month.

itchingsphynxOP1mo ago

Quad9 has enabled DNS over HTTP/3 (DoH3) and DNS over QUIC (DoQ) across its global resolver network.

lofaszvanitt1mo ago

Quad9 is quite unreliable. Lots of outages and the like.

wpm1mo ago

I've been using Quad9 at home for years as my only upstream DNS resolver and your comment does not track at all with my experience. My ISP goes out more often.

lofaszvanitt1mo ago

Well, my experience differs. Lots and lots of downtimes in the EU region. Not using the default one, I'm using the one without any malware etc. related protections.

ZeroCool2u1mo ago

Does quad9 have a resolver that includes ad blocking?

itchingsphynxOP1mo ago

"Does Quad9 offer content filtering? No. Quad9 has no plans to provide content filtering. Quad9 is dedicated solely to internet security and the blocking of malicious domains, such as phishing, malware, and exploit kits." https://quad9.net/support/faq/#dns_crypt

justinclift1mo ago

That's a shame, because ad blocking would seem to fit in:

> blocking of malicious domains

MrDrMcCoy1mo ago

I expect Mullvad will implement all this soon enough, and they do have adblocking with public endpoints.

ape41mo ago

So many more layers than the original simple DNS protocol.

crote1mo ago

"Simple" doesn't always mean "better". A car without seatbelts is less complicated than one with, but it definitely doesn't make it a better car.

Similarly, The original DNS protocol doesn't have any form of verification: it is is trivially easy for a MitM attacker to alter the responses - or even for a non-MitM one to send spoofed responses "in the blind". It also doesn't have any form of confidentiality: it is trivially easy for a MitM attacker to log all the requests you make, which essentially means your entire browser history.

It takes an awful lot of hacking to turn classic DNS into something even remotely representing a mature and well-designed protocol. By the time you are done bolting on all the other stuff it really isn't all that simple anymore.

hulitu1mo ago

> it is is trivially easy for a MitM attacker to alter the responses

This is true even for DOH. There is no guaranty that your TLS certificate issuer is to be trusted. And, by the way, most of them are in the USA, a country known for its surveillance programs.

pixl971mo ago

Too bad ISPs are real dicks and capture all your DNS requests for tracking and resale.

UqWBcuFx6NV4r1mo ago

OK. It is still there, and you are welcome to use it.

j / k navigate · click thread line to collapse

17 comments

b3lvedere1mo ago

I used the Quad9 resolvers in the past, but i've been using the DNS4EU for a while now [1]

[1] https://joindns4.eu/

crote1mo ago

What made you switch?

b3lvedere1mo ago

It seems faster for me and it has multiple choices of protection.

esbranson1mo ago

Excellent. Since privacy and cybersecurity are goals, TLS Encrypted Client Hello (RFC 9849, ECH) and its DNS service bindings (RFC 9848) were finalized last month.

itchingsphynxOP1mo ago

Quad9 has enabled DNS over HTTP/3 (DoH3) and DNS over QUIC (DoQ) across its global resolver network.

lofaszvanitt1mo ago

Quad9 is quite unreliable. Lots of outages and the like.

wpm1mo ago

I've been using Quad9 at home for years as my only upstream DNS resolver and your comment does not track at all with my experience. My ISP goes out more often.

lofaszvanitt1mo ago

Well, my experience differs. Lots and lots of downtimes in the EU region. Not using the default one, I'm using the one without any malware etc. related protections.

ZeroCool2u1mo ago

Does quad9 have a resolver that includes ad blocking?

itchingsphynxOP1mo ago

justinclift1mo ago

That's a shame, because ad blocking would seem to fit in:

> blocking of malicious domains

MrDrMcCoy1mo ago

I expect Mullvad will implement all this soon enough, and they do have adblocking with public endpoints.

ape41mo ago

So many more layers than the original simple DNS protocol.

crote1mo ago

"Simple" doesn't always mean "better". A car without seatbelts is less complicated than one with, but it definitely doesn't make it a better car.

hulitu1mo ago

> it is is trivially easy for a MitM attacker to alter the responses

This is true even for DOH. There is no guaranty that your TLS certificate issuer is to be trusted. And, by the way, most of them are in the USA, a country known for its surveillance programs.

pixl971mo ago

Too bad ISPs are real dicks and capture all your DNS requests for tracking and resale.

UqWBcuFx6NV4r1mo ago

OK. It is still there, and you are welcome to use it.

j / k navigate · click thread line to collapse