Secure and Privacy Respecting DNS-Resolver Infrastructure

The Domain Name System (DNS) serves as a translator between the human-recognizable domain names and machine-recognizable locations on the internet and is a core service for the latter’s function. DNS is increasingly being used as a security control; it’s now commonplace for a DNS service to prevent the translation of domains deemed “malicious.”

New encryption standards are creating privacy in the vital DNS function; however, existing tools for censorship circumvention, decentralized browsing, and private messaging are likely weakened by the use of unprotected DNS services, which remain dominant in most network environments. Quad9 provides encryption protection as a basic part of its service, and has championed encryption standards in the DNS protocol since its introduction in 2017.

In addition to protection against observation and interception of user site access metadata, Quad9’s free, open, and recursive DNS anycast resolver provides an extra layer of protection from malware, phishing, and spam. With an anycast resolver, many servers are addressable via one IP address and, typically, the one geographically closest to the origin of the request provides the response. This distributed model reduces latency, improves uptime for the DNS resolving service, protects against DNS flood DDoS attacks, and keeps DNS and content traffic local. The DNS protections Quad9 offers come at zero cost for all users and do not require account-based personal information in order to provide benefit.

This project will expand Quad9’s secure and privacy-respecting DNS resolver infrastructure, and deliver its global-to-local service provision of secure domain lookups to end users. It will also support public-interest research activities. The project recently deployed resolvers in Jakarta, Indonesia and Blantyre, Malawi based on increased need and the strategic importance of these locations. Quad9 is actively pursuing deployments in areas where traditional infrastructure operators of cybersecurity services are minimal or entirely absent, and where expansion of encrypted DNS queries protects one of the last vital metadata components of end-to-end cryptographically secure internet traffic. The project is currently engaging with Packet Clearing House to include Quad9 in presentations on the importance of protective DNS services in emerging economies.