The document discusses the Domain Name System (DNS) and its vulnerabilities, emphasizing the issues with recursive resolvers and the importance of maintaining user privacy. It introduces Quad9, a public DNS resolver that enhances security by blocking malware and preventing data leaks, while stressing the significance of cryptographic authentication. Furthermore, it outlines Quad9's infrastructure and recent deployments across various countries to improve DNS reliability and performance.

1. Quad9 and
DNS Privacy
CATNIX
Barcelona, 23 Noviembre 2018
Gael Hernandez
Interconnection Policy at PCH
gael@pch.net

2. What’s the DNS?
The Domain Name System (DNS) is
the “phone book” of the Internet.
It translates domain names like
www.example.org into Internet
Protocol addresses, like 192.0.2.89.

3. How the system works ?
3
recursive
resolverEnd User
www.example.net
root
nameserver
www.example.net
ns: a.gtld-servers.net
.net
nameserver
www.example.net
example.net
nameserver
www.example.net
93.184.216.3
web
server
93.184.216.34 https
93.184.216.34

4. How the system works ?
4
recursive
resolverEnd User
www.example.net
root
nameserver
www.example.net
ns: a.gtld-servers.net
.net
nameserver
www.example.net
example.net
nameserver
www.example.net
93.184.216.3
web
server
93.184.216.34 https
93.184.216.34
1
2
4
7
8
9
5
6

5. recursive
resolver
.org
nameserver
root
nameserver
5
example.net
nameserver
What are the Problems with this System?
?

6. .org
nameserver
root
nameserver
6
example.org
nameserver
So What are the Problems with this System?
recursive
resolver
www.example.org

7. .org
nameserver
root
nameserver
7
example.org
nameserver
So What are the Problems with this System?
recursive
resolver
€€€€PII =
PII constitutes a rich “click trail” of information about
the user’s browsing history, email, all of the software
on their computer that’s checking for updates, and all
of the malicious software that’s infected their machine.
www.example.org

8. .org
nameserver
root
nameserver
8
example.org
nameserver
So What are the Problems with this System?
recursive
resolver
Even when users are already using recursive
resolvers that are broadly anycast, the failure of a
local node often results in users’ queries being
backhauled to other continents.
www.example.org
X

9. .org
nameserver
root
nameserver
9
example.org
nameserver
So What are the Problems with this System?
recursive
resolver
The maximum performance a user can receive is
limited by the distance between the user and
the recursive resolver: the further away, the
slower the user’s performance will be.
www.example.org

10. recursive
resolver
.org
nameserver
root
nameserver
10
example.org
nameserver
So What are the Problems with this System?
When a recursive resolver has a “cache miss”
performance takes another huge hit as the
resolver begins querying authoritative servers
that are far away and
potentially slow to respond.
Many commercial recursive resolver operators
intentionally pass user IP address information onward
to authoritative server operators.
www.example.org

11. recursive
resolver
.org
nameserver
root
nameserver
11
example.org
nameserver
So What are the Problems with this System?
As the recursive resolver continues to query
authoritative servers, the performance
degrades still further.
www.example.org
Any authoritative nameserver in the
recursion chain which fails to provide
cryptographic authentication of the DNS data (DNSSEC)
precludes the authentication of any domain names
further downstream.

12. www.example.org
recursive
resolver
.net
nameserver
root
nameserver
12
example.org
nameserver
So What are the Problems with this System?
Every additional authoritative server in the
chain is another potential weak link which could
be compromised and caused to provide
malicious data to the end user.
Attacks against authoritative
servers can leave recursive resolvers
unable to obtain answers on users’ behalf.

13. recursive
resolver
.net
nameserver
root
nameserver
13
example.org
nameserver
So What are the Problems with this System?
Recursive resolvers leak far more information to
authoritative servers than is necessary to answer
queries. In this example, a query to
a Root nameserver need not
include the “www.example”
portion of the domain name.
www.example.org
Many authoritative nameserver operators
monetise click-trail information by collecting and selling
recordings of network traffic collected between the
recursive servers and their authoritative servers.

14. Quad9: Collaboration Between
Internet Industry Leaders

15. Quad9: A DNS Public Recursive Resolver
▪ Global open recursive DNS
platform
▪ Populated by data crowd-
sourced from the security
industry
▪ Strong privacy controls built
in (not even we know the
source of requests)
▪ Core/root DNS level
reliability on infrastructure
▪ NO INDIVIDUAL
REPORTING OF BLOCKS!
15

16. .org
nameserver
root
nameserver
16
example.org
nameserver
How does Quad9 protect you?
Quad9 recursive
resolver
www.example.org
PII

17. .org
nameserver
root
nameserver
17
example.org
nameserver
How does Quad9 protect you?
Quad9 recursive
resolver
www.example.org
DNS-over-TLS (since launch)
DNSCrypt (July 2018)
DNS-over-HTTP (in beta)

18. www.example.org
.org
nameserver
root
nameserver
18
example.org
nameserver
How does Quad9 protect you?
Quad9 recursive
resolver
PCH DNS Node

19. 19
How does Quad9 protect you?
Quad9 recursive
resolver
www.random_malware.example
www.random_malware.example
on average Quad9 “blocks” over 8 million malware requests daily
NXDOMAIN

20. !20
END USER
PROTECTION
▪ Reduction of malicious events: the accidental turn-off of Quad9
increased in 2200% the malicious events. In other words,
Quad9 reduced the events those events in 95.5%

21. !21
Quad9
Architecture
▪ Cisco UCS servers with VM support.
▪ 3 DNS resolvers and 1 telemetry instance per node
▪ Load balancing with dnsdist
▪ DNS redundancy: PowerDNS and Unbound
▪ Root and TLD DNS “back-to-back” in the same physical
installation
▪ Routing using Quad9’s own ASN (AS19281) and via PCH’s
ASN (AS42)
▪ Peering connections of 10/1Gbps depending on the size of the
node

22. !22
Matriz de sabores
Quad9
▪ Por defecto: 9.9.9.9 o 2620:fe::fe
▪ Sin bloqueo (insegura): 9.9.9.10 o 2620:fe::ff
▪ CDN-Friendly: 9.9.9.11 (todavia no esta operacional)
▪ IoT-Friendly: 9.9.9.12 (todavia no esta operacional)
Name | IP | Blocklist | NXDOMAIN only | Send EDNS Subnet | DNSSEC Validation
Default 9.9.9.9 x x
Non-secure 9.9.9.10 x
CDN-Friendly 9.9.9.11 x x x
IOT-Friendly 9.9.9.12 x x x

23. !23
162 ubicaciones de IX en 79 países (Noviembre 2018)
Quad9 Deployments

24. !24
Quad9 recent and future deployments in Europe
▪ Albania: Albanian Neutral Internet Exchange, Tirana (2019)
▪ France: France-IX Paris*, Equinix Paris* (in November), France-IX
Marseille and DE-CIX Marseille.
▪ Germany: DE-CIX Frankfurt*, DE-CIX Dusseldorf, DE-CIX
Munich, DE-CIX Hamburg and Wuppertal (UP-IXP).
▪ Netherlands: AMS-IX Amsterdam*
▪ Portugal: GigaPIX Lisbon (October)
▪ Serbia: Serbian Open Exchange (SOX) (December)
▪ Spain: DE-CIX Madrid and CATNIX Barcelona (October)
▪ Switzerland: RomandIX Laussane (November)
* = Dedicated Quad9 servers

25. !25
Ya estamos en CATNIX

26. !26
CURRENT LINES
OF WORK
▪ Collaboration with IoT device manufacturers
▪ Routing optimisation to improve traffic delivery and latency with
new deployments, including at ISPs own network
▪ Addition of specialised thread-intelligence data to the block list:
▪ Financial services providers and cryptocurrency domain attack data
▪ Specific API-based service attack data
▪ Mobile device platforms at high risk
▪ Implementation of DNS-over-TLS on Android’s source code
▪ Implementation of ECDN Client Subnet (ECS) to mitigate potential
issues with highly distributed CDNs
▪ In the meanwhile, mapping of Quad9 nodes with CDNs

27. 2620:fe::fe www.quad9.net
9.9.9.9
Gracias CATNIX!