I'm a fan of "Quad9"
IBM partnered with a bunch of security firms to pull a database of the most malicious domains on the internet (phishing domains, "phone home" domains for malware, actively installing malware on visitors' machines, etc.), and refuses to resolve them.
Settings > Network & Internet > Advanced > Private DNS
> Quad9 is a free security solution that uses DNS to protect your system against the most common cyber threats. It improves your system's performance, plus, it preserves and protects your privacy.
I can create a DNS service, create a page saying "I don't log anything" and then log every query and sell it to advertisers. Let's not put all our trust on the privacy page.
> If they're not descriptive, then it's probably not a good one to use.
I agree. Still, many use and recommend services that don't describe what they're doing and are trusted anyway.
> https://www.quad9.net/policy/ is just one example.
I don't know if you think that Quad9 is better than Cloudflare from a privacy point of view, but what's the difference between both?
For many, Quad9 is like the holy grail, but they seem to collect more or less the same data, which is probably required to run a stable service on a level like this. Not to mention that Quad9 is supported by entities like this one: https://old.reddit.com/r/privacy/comments/8v0qru/next_mozilla_release_will_forward_all_your_dns/e1jzg88/
Both services log and share anonymized stats with 3rd parties. The main difference having a quick look at Quad9's privacy page is that they have a wall of text and, for example, talk about logging query data while Cloudflare specifies which part of the query is logged:
>Query Rd bit set
>Query Do bit set
>Query Size Query EDNS
I'm not going to go after CF because they used a list to show every single thing they log. Also we would be having a similar discussion if the service was operated by Mozilla.
Change the DNS in the router. (By default the ISP is entered there, which is now apparently obliged to help distribute the state trojan.) I would recommend the Quad9 DNS here.
Use a VPN and connect to Switzerland. Here I can recommend MullvadVPN. A VPN establishes an encrypted tunnel to the provider's VPN server, which from then on effectively acts as the provider. MullvadVPN has a clean history and has never handed over any data or anything else. In addition, German authorities cannot force a VPN provider from another country to redirect anything.
No idea to what extent the authorities are able to use zero-day exploits for distribution, but I would definitely recommend always keeping all devices and software up to date. Above all, that includes the FritzBox or other routers.
If anyone has issues trusting Google with their name resolution, there's a Swiss-based public DNS resolver called quad9 at - who'd have guessed - 184.108.40.206
They even have optional threat blocking: https://www.quad9.net/service/threat-blocking
quad9 is also in the data collection business FWIW (https://www.quad9.net/policy/ > see Logs, Compliance), and consider if an organization (https://www.globalcyberalliance.org/community-partners.html) who is interested in your privacy would be logging at all...I wonder if they ever got around to blacklisting basic botnet command & control domains.
I usually avoid the ISP's DNS, they are mostly shit. I almost always point to quad9.
It's privacy-respecting, and blocks some of the more stupid things most DNS providers don't or can't be bothered with.
What do you mean by dns? If you're talking about bootstrap address, literally any DNS service will do for that. Firefox only sends out a single request to that service (assuming you have trr.mode set to 3) and that's for the IP of your DoH URL. For Cloudflare, that's https://mozilla.cloudflare-dns.com/dns-query but there are a few other services that support DoH, such as Quad9 which afaict is a privacy-focused DNS service.
I'd just like to suggest 220.127.116.11 (run by Cloudflare) and 18.104.22.168 as two among a handful of large (and therefore generally also robust) alternatives to Google's DNS.
The important thing in this solution seems to be to change your DNS to something that isn't from your ISP, so in terms of fixing the problem, any good third party DNS service should suffice.
(Spectre has linked to a list in a comment in this thread with more alternatives for those so inclined)
AdguardHome OPNsense plugin that has a few DNS rewrites for lookups of my local servers.
It passes on queries to Quad9. I used to have a separate PowerDNS server on my local net with block lists but I'm trying to simplify things a bit.
This is the term I’ll be using if it turns out that DDG collects user data anyway because of gag orders in the USA. Imo, they should move their legal HQ to Switzerland just like Quad9 did recently to add more weight to their privacy claim.
https://adguard.com/en/privacy/dns.html They only do aggregated logging (ie, no user IP is included) to improve performance, identify the new addresses to block, and remove outdated ones. Seems to be pretty similar to what Quad9 collects https://www.quad9.net/privacy/policy/ aggregated logging to detect new threat, monitor performance and remove false positives
Everyone in this thread is clueless, that is the secondary Quad9 server at 22.214.171.124. You can do nslookup rpz-public-resolver1.rrdns.pch.net. to confirm.
> Secure IP: 126.96.36.199 Provides: Security blocklist, DNSSEC, No EDNS Client-Subnet sent. If your DNS software requires a Secondary IP address, please use the secure secondary address of 188.8.131.52
Quad9 is blocking (or was recently) lookups to ak.privatelink.msidentity.com
IBM X-Force Exchange has marked the domain as malicious.
login.microsoftonline.com has the above address as its CNAME entry.
Looks like IBM X-Force Exchange just performed a security analyst review and marked the domain safe.
Try googling for secure dns.
If your country's firewall is shitty enough, you won't need a VPN.
But I don't recommend torrenting if you're not in a third world country, as this doesn't hide your IP, just unblocks it.
Reddit is blocked in my country. But all is well using secure dns.
Also, Quad9 has a human rights policy, rather than being the punchline to the joke about how many nazis are at the table. And they're a privacy-centric non-profit, rather than surveillance capitalists.
Unfortunately, you can't. Something about how dpinger determines routes. You can use quad9's alternate IP though: 184.108.40.206 . I generally use quad9's primary/secondary or if needed, cloudflare primary/secondary 220.127.116.11 18.104.22.168
I would advise against cloudflare, since they bought this IP to be able to test their anti ddos and other security tools.
22.214.171.124, or [quad9](https://www.quad9.net) is fast and protects you from malicious websites.
All of the alternates likely collect less information than google does, though.
You don't have to revert back to StarHub DNS.
Google, Cloudflare, and Quad9 DNS are faster, more private (at least for Cloudflare and Quad9), and more reliable as well since they are definitely doing a better job keeping it up compared to StarHub.
About it in the FAQ: https://www.quad9.net/#/faq
What does Quad9 log/store about the DNS queries?
"We store details of the DNS records queried, timestamp, and the city, state, and country from where the query came. We do not store source IP information of end user queries. "
How does Quad9 ensure my privacy?
When an entity or an individual is using the Quad9 infrastructure, their IP address is not logged in our system. We, however, log the geo-location of the system (city, state, country) and use this information for malicious campaign and actor analysis, as well as a component of the data we provide our threat intelligence partners.
IDK about your ISP, but here they just block DNS, meaning you can just set a custom DNS server such as quad9 and all those websites will work.
If they block the actual IPs instead of just DNS then you can just download tor browser and access the website directly.
Instead of Google, maybe rather 126.96.36.199. That way you can also give the LG Hamburg a virtual middle finger at the same time. :)
One thing you could try, is switching your DNS.
It may not help; however, if it's due to the ISP's DNS servers not being able to keep up, it may, though probably won't, help.
Quad 9 DNS
There are others as well, these are just the ones that came to the top of my head.
Again, chances are it won't make a difference as it's probably congestion, however it's something you can try.
Sort of apropos:
The main reason Quad9 moved to Switzerland is because Switzerland has criminal, rather than civil, privacy law. While the US basically has none at all. So if a US company violates its privacy law, it just gives someone a private right of action, if they can demonstrate standing. That's slim succor, after a high hurdle. If a Swiss company violates Swiss privacy law, the Swiss government is the plaintiff, not the individual whose privacy was violated, so the Swiss government doesn't care who the individual was, what country they're in, or their citizenship; they just have to register their complaint with the Swiss federal privacy office.
Quad9 is a DNS provider that has cybersecurity and privacy in mind. It's backed by IBM and can add protection from a lot of this as well. I use it instead of Google's service in my PiHole configuration. https://www.quad9.net/ - 188.8.131.52
Google just wants to data mine you more. Try Quad DNS for TLS over DNS ( https://www.quad9.net/faq/). Otherwise DNS Resolver is a great option since your server becomes 'google' in your case.
No, Quad9 only blocks DNS resolution to verified bad addresses which are the host to things like bot nets, phishing sites, etc.
When you use Quad9, attackers and malware cannot leverage the known malicious domains to control your systems, and their ability to steal your data or cause harm will be hindered. Quad9 is an effective and easy way to add an additional layer of security to your infrastructure for free.
No. Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains.
Quad9 brings together cyber threat intelligence about malicious domains from a variety of public and private sources and blocks access to those malicious domains when your system attempts to contact them.
Quad9 implements whitelisting algorithms to make sure legitimate domains are not blocked by accident. However, in the rare case of blocking a legitimate domain, Quad9 works with the users to quickly whitelist that domain. Please use our support form if you believe we are blocking a domain in error.
Learn more: https://www.quad9.net/faq/
Quad9 is founded by the Global Cyber Alliance according to their page here.
The GCA is founded by the City of London Police and the New York County District Attorney, according to this page.
I personally wouldn't trust either of those at all.
Probably an issue with the DNS servers provided by your ISP. If you can log into your router, note down what the primary and alternate DNS are on whatever the status page is (in case you have to switch back) and try Google's DNS addresses: 184.108.40.206 and 220.127.116.11. Though it might be worthwhile to test it on a single system first, assuming you're using Windows here's a guide on how to do it. If you're not comfortable using Google DNS (which is understandable), Quad9 is a more privacy oriented option.
By the way, people who don't have budget for Umbrella yet, have a look at Quad9 DNS. Free security/privacy DNS service backed by IBM: https://www.quad9.net/
> Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting malware or phishing sites. ...Quad9 will check the site against IBM X-Force threat intelligence that includes 800+ terabytes of threat intelligence data including 40B+ analyzed web pages and images and 17 million spam and phishing attacks monitored daily
self-hosted dns server that routes a list of over 100k advertising and tracking domains to itself, killing ads before they ever consume any network bandwidth. Pair it with quad9 dns to get extra security.
You sweet summer child <3
> In the permanent logs, we do not keep personally identifiable information (PII) or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging and analyze abuse phenomena. We also use the collected information for the creation and sharing of telemetry (timestamp, geolocation, number of hits, first seen, last seen) for contributors, public publishing of general statistics of use of system (protections, threat types, counts, etc.), and use of a passive DNS platform (domain resolved to this IP, at this time).
https://www.quad9.net/#/policy read the whole thing though
and wait what is this...?!
> In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena. After keeping this data for two weeks, we randomly sample a small subset for permanent storage.
https://developers.google.com/speed/public-dns/privacy practically one of those sentences is copied practically word for word! And unlike Google, they don't specify how long they keep their logs! Which means they keep them forever! Amazing! But they said privacy a bunch of times on their homepage! It must be more private than using Google!
They claim to be a non-profit with a "reasonable" take on privacy, and extensive logging:
Doesn't block ninite.co (don't go there please, go here instead: https://www.threatcrowd.org/domain.php?domain=ninite.co) FWIW, which is low hanging fruit for such a service :/
https://dns10.quad9.net/dns-query (dns10) is the non-DNSSEC version.
I wonder if that's the problem here.
As others were saying, use DNS over TLS or some other form of encrypted DNS. 18.104.22.168 and Quad9 are 2 decent options, with the latter protecting your privacy better.
If India uses IP blocking as well (I don't know if they do), then the only real way to get around it would be Tor or a VPN. If using Tor, DuckDuckGo has an onion service at <https://3g2upl4pq6kufc4m.onion/>.
Nope, Quad9 is a Swiss not-for-profit public-benefit foundation.
You might want to read this:
as an explanation of some of the biggest differences between Quad9 and CloudFlare. Basically, Quad9 is legally accountable to its users, regardless of their location; and there is no legal mechanism for the Swiss, or any other government, or any private party by legal action, to compel Quad9 to collect or turn over user data. Also, there's no gag law that could prevent Quad9 from talking about anything.
So, some pretty huge differences, privacy-wise.
Quad9 is a reputable, privacy-oriented DNS. They also have a malware list, so they forbid your computer to connect to known malware directly by blocking DNS requests to these malware domains, which is really nice if you ask me.
Thanks! Looked into it a bit more and alternate-dns has ECS enabled, which might help with CDN download times (with a slight privacy downside: https://www.quad9.net/faq/#What_is_EDNS_Client-Subnet). AdGuard has this disabled.
I will try alternate-dns out!
It may not be of interest to you, but I'll leave this here anyway:
As has already been said, it's customary for links to be posted here at the start of the game. However, I'm a NOS customer and sometimes I have trouble accessing them.
Some streams will be blocked by your carrier through DNS, and when you try to access the streams it will redirect you to a page saying that the site has been blocked.
So I advise you to set up an alternative DNS service so you can access all the sites without problems. I use Quad9's. Here's a link to help you set it up (you have to tick the box to validate on exit, otherwise you have to restart the PC to apply the change).
Thanks, you can find the stamps at https://www.quad9.net/quad9-resolvers.md
The most useful stamp is the first one, dnscrypt-ip4-filter-pri, followed by and -alt.
Independent tests showed that they had the best performance at blocking, and even with that success explained how even the independent test could have been skewed in their favor. They’re also a non-profit so they don’t have a commercial motive like the others and do not charge a fee to use their service. NextDNS charges a fee for their blocking services after 30,000 queries IIRC. Secure+ also has a fee attached. Cloudflare would be my second choice.
I second the recommendation for Quad9. Fast and reliable, and they block known malware sites. https://www.quad9.net/faq/#How_does_Quad9_protect_me_from_malicious_domains
Yes, but I believe their intentions, from what I've seen in their statements, are clear and IMO, although each is entitled to theirs, the lesser of evils until I see a better alternative.
> We share anonymized data on specific domains (such as domain, timestamp, geolocation, number of hits, first seen, last seen) with our threat intelligence partners. Please note that this information does not contain source IP information or any other identifier that would directly identify the end user or their organization.
This is the best I've seen but I'm always ready to pack my bags and go. I prefer this over anything from any ISP or other DNS provider, but are you saying Cloudflare is better? Google? What's the better option and how'd you come to that conclusion? I very well may have overlooked something!
The Quad9 blog has a link about what private DNS is, what DoT is (and other DNS solutions briefly; there are also DNS services that use not a domain or an IP but a server "stamp"), and how to set them up.
While we're at it: I use Quad9 DNS (https://www.quad9.net/), which blocks quite a few dangerous addresses, but not sites with interesting content.
It's the shit. A mature project that can run on a Raspberry Pi or a VM on your home network.
At home I set the pihole as the DNS server and Quad9 as the upstream DNS. Pihole blocks Big Tech and their ads, and Quad9 blocks malware. All network-wide.
For what it's worth, Quad9 is STILL not blocking a few easily researched and fundamental malware domains (such as https://www.quad9.net/result/?url=ninite.co). I don't know if this is due to incompetence, or that they avoid blocking their own nation-state malware distribution networks. Either way, I wouldn't rely on them for security...
And again, how do I change my DNS without a VPN.
And did you read the quad 9 page. Oh of course you didn't.
So when I use services of the EFF, am I the product? Have you ever heard of something called a non-profit?
You can get a lot of free ways to block ads on the internet
Custom HOSTS file
If you need to block ads IRL then you would need to make ads useless, so you would have to buy up any company that needs to advertise, and make them stop advertisement (I saw a movie about just that a while ago (can't remember name (was set in Russia)))
It's still good. I would look into Quad 9 as well instead of OpenDNS. Free OpenDNS isn't bad but it's more for blocking porn and Quad 9 is more about blocking threats like malware unless porn is your main goal. Also in Ublock, go into settings and enable all of the malvertising lists. You can block porn easily in ublock by importing a list. https://github.com/gorhill/uBlock/wiki/Filter-lists-from-around-the-web
tbh malware domains come and go so fast... I honestly prefer to let quad9 (22.214.171.124) or cloudflare (126.96.36.199) do the malware blocking. I don't believe either outlet has a "public" blocklist... but they've worked for me thus far
Using Quad9 filtered option as your resolver includes managed filtering malware/phishing site, per At Quad9 we block “malicious” hostnames, which in some way are intended to directly lead to behavior or results that a reasonable end user would consider detrimental.
Default should not be 0.0.0.0; it should be whatever COX supplies for DNS. That would probably be your issue.
If you can in your router set the WAN DNS to Quad9: https://www.quad9.net/, do the same for your LAN side if you can set DNS for LAN. See if that resolves your issue.
Thanks for the link. But I've now found the actual error by chance. I had specified the Quad9 DNS servers in the PiHole and for some reason they didn't work. I've now picked a different one and everything works.
It’s up to you, usually the best reason to change it is reliability.
Pointless historical story:
I had/have Charter most of my life, and in the mid-2000s they relied on two Red Hat boxes in Chicago to serve DNS to the entire country. They were overloaded and underpowered; plus, usually around midnight to 0130, I assume they had a maintenance window, as DNS would suddenly stop even though the rest of the connection was fine. Using anything else (in those days 188.8.131.52) was an amazing reliability boost.
As for privacy, that depends on your ISP. I often recommend quad9 as an alternative to google / cloudflare, as they claim to respect your privacy, but we can’t verify if that is true or not. They do also blacklist known malware domains, so that’s nice to have.
Hurricane Electric also provides a public resolver without any extra features that is very reliable.
Look into changing your DNS; this is the one I use: https://www.quad9.net/
The default is to use your ISP. If you do not have access to the router to change it for the whole network, you can change it on each computer.
Make a Pi-Hole.
Change your DNS to 184.108.40.206 and 220.127.116.11
Check out Quad9's website!
Use script blockers and adblock browser add ons.
Make good decisions when browsing.
Disable network protection in AV, browsers already have it integrated anyway, like smartscreen or google safe browsing. You can use a safer DNS as well, like Quad9.
Stand News is still accessible if you change your default DNS. This is yet again evidence of the soft intro of a filtered web to the city.
You can use Quad9 (https://www.quad9.net/) as your DNS on your phone and your home router to bypass whatever the local ISPs decide is okay to show you. Plenty of quick instructions on how to change this setting.
Quad9 is IBM: https://www.quad9.net/about/
Reputations for privacy are questionable. It's very difficult to know if any of these VPN vendors will "sell you out" to marketing or governments. I normally assume they will. Some are incorporated/operated out of countries with privacy laws, yet court orders can trump a lot. Any of these vendors which say they don't keep logging have to keep some basic account records and logs (signups, logs of sign-on, etc.). These can be turned over under court orders in most countries.
That said, for what you're intending to do, Proton or Nord or most any top-tier is likely "okay." TOR is perhaps an even better venue.
> google's (18.104.22.168 and 22.214.171.124) you're good to go. No need for a VPN.
Might I suggest quad 9? (126.96.36.199)
It's a free service maintained by security experts to filter spam and protect your privacy. Details
Adding to this:
We use Quad 9 with EDNS (188.8.131.52) so our users don't get shoved off into random/default CDN locations when browsing.
Another hint: you can use Cloudflare's 184.108.40.206 or Quad9's 220.127.116.11 as well (a nice discussion in this 3 y.o. thread: https://www.reddit.com/r/privacy/comments/88qyf1/9999_vs_1111_dns_resolvers/)
You're again mixing 2 things. DoH *is* a protocol, and has nothing to do with moving ISP servers to big tech servers.
Don't believe me? Here's wikipedia -
>DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol.
So then what's DoT? It is an alternative to DoH.
>An alternative to DoH is the DNS over TLS (DoT) protocol, a similar standard for encrypting DNS queries, differing only in the methods used for encryption and delivery.
If you're upset about being switched from ISP to quad9 servers (that support DoH), that's because your ISP isn't supporting DoH at this moment. If you trust ISPs more than big tech, then ask your ISP to support DoH and then point to those.
To bring it back to https. You like the concept of encryption that https offers, but you're upset that your favorite library (say written in golang) isn't supported but is being swapped out for the one in rust (which say, supports https in this hypothetical example).
In this hypothetical example - you're essentially spreading misinformation saying https is a way to move everybody off of golang to rust, when in reality it is just an implementation detail.
u/Sheezdudeln keeps telling you to check your facts, since you keep saying things that aren't actually the case. Facts that are, for example, readily available here:
Also, you seem to be conflating GCA and Quad9. If you have a beef with GCA, you're welcome to take it up with them. It has nothing to do with Quad9.
BTW they are re-incorporating in Switzerland which is great towards their privacy goals: https://www.quad9.net/news/blog/quad9-public-domain-name-service-moves-to-switzerland-for-maximum-internet-privacy-protection/
You just need to use a client like Dnscrypt Proxy, which is a command line program or Simple Dnscrypt, which is basically a non command line version. Quad9 does have dnscrypt: https://www.quad9.net/news/blog/dns-crypt-and-more-doh-support-live-via-dnscrypt
I only have a hosts file, but that's ineffective in Firefox, because I use DoH via Quad9.
And Quad9 (that applies filtering as well) can't be the culprit, because I experience the same issue in Chromium, that doesn't have DoH.
After looking at this for a year or so I chose to go custom: a Pi-Hole solution (which acts as an ad-block, tracking filter), and that Pi-Hole points, over https, to Quad 9 (security and non-logging DNS). That lookup, and all browsing, goes through a VPN to access the internet. Browsers, Firefox mainly, also have some script and ad blocking.
In theory it should be enough to change the DNS server in your router.
By default, routers use the respective DNS servers of the provider. However, if you use e.g. the one from Cloudflare or Quad9, it should be possible to get around the blocks.
While you're at it, it's best to also put a Pi Hole in your network to block trackers and ads :)
I would recommend Quad 9 with ECS over Cloudflare 18.104.22.168. The reason being is performance for services which use geolocation. Services which do not pass on a portion of the client's subnet will be misrouted; since 22.214.171.124 doesn't support ECS, you may not be being served content from the closest location. This especially impacts Google services and it can be noticeable.
Quad9 does not collect user data, or have any "phone home" mechanism. Apps may well perform "cache-busting" DNS queries to their own domains (the authoritative servers for their own domains) which could leak information, though.
Wouldn't that be impossible when they don't keep IP logs, how would they be able to contact you when they don't know who you are?
The same page says they had no requests for data the last 4 years.
DNS is used for name resolution, so it makes sense that your connection is slow on first connection to a server if the DNS is slow. Although I wouldn't use Google DNS for privacy reasons. I'd recommend Quad9 DNS; it's a non-profit organization powered by donations from IBM etc., and they also have included malware blocking.
This is about specifics. We spent five years reviewing specific laws, getting specific legal opinions, and getting specific findings of law. This isn't about "Switzerland is private."
The actual facts are here, with full citations and original sources, if you want to review them: https://www.quad9.net/privacy/compliance-and-applicable-law/
That is the entirety of what yesterday was about.
Yeah, of course they do. Or did when I benchmarked them, I'll dig it out of my old configs.
EDIT: not got my old config files but it's on their website:
Recommended: Malware Blocking, DNSSEC Validation (this is the most typical configuration)
Unsecured: No Malware blocking, no DNSSEC validation (for experts only!)
Secured w/ECS: Malware blocking, DNSSEC Validation, ECS enabled
For a business? I would consider a DNS that provides security features. I am a fan of Quad 9.
The primary IP address for Quad9 is 9.9.9.9, which includes the blocklist, DNSSEC validation, and other security features.
Quad9 brings together cyber threat intelligence about malicious domains from a variety of public and private sources and blocks access to those malicious domains when your system attempts to contact them.
What makes you think quad9 has been audited? The only mention of an audit is on their “your-data” page, which dates from 2018 and talks about a hypothetical future audit: https://www.quad9.net/quad9-yourdata/
From a quick glance:
Notable quotes on their site:
> We will not retain any personal information for marketing purposes and will not resell your personal data. IP address information...is stored for up to 24 hours for the purpose of stopping malicious activity abusing the CIRA Canadian Shield service for illegal activity after which all personally identifiable information is deleted.
> We offer CIRA Canadian Shield to all households as a part of our mission to help to build a more trusted internet for all Canadians.
> CIRA has committed to a full annual privacy audit, conducted by a third-party auditor, to ensure adherence to the highest standards of data privacy.
Are you saying that Google's DNS servers are somehow MORE legit than Quad 9 or Cloudflare? What about quad 75s?
wtf is PURE dns information?
I'm not worried about it. Quad9 and dnscrypt just have differences in opinions about how long a key should be valid for. You could write to [email protected] or submit feedback at https://www.quad9.net/contact/ if you think it's a serious issue. They have been responsive to me in the past when needing to whitelist a site.
Appreciate this. Happy for the https://www.quad9.net/ lead. I was aware of the child protection area of OpenVPN and was looking for a similar solution for scammers/attacks.
Ghostery looks like a great browsing solution.
Thank you for your help and I agree with all of your comments. I will rethink my approach. It is amazing the increase in malware attacks this year:
To be honest some may think trying to address these issues is a bit "paranoid." But this is the reality we live in now.
Ok, so, here are some thoughts on attack vectors;
1. email (e.g. embedded payload, malicious attachments)
2. Web (malicious links & sites)
3. Physical (theft of property, threat to human life)
- To influence 1; use a good endpoint security solution. Configure it to stay up to date.
- To influence 2; filter traffic by routing it through a service like this; https://www.quad9.net/ or others - more examples here; https://www.allconnect.com/blog/best-free-dns-servers
- To influence 3; encrypt devices. For the second part, consult local law enforcement, connect with other non-profits.
To lower the attack surface, consider some rules around not accessing any social media or general internet browsing from such devices (culture piece)
Does it help?
Not what OP is requesting though... quad9 blocks malware sites. And the .11 service they offer is only different from .9 in that it serves client subnet data to queried servers to avoid suboptimal routing due to geolocation errors.
Doesn't block porn. Their frontpage has a friendly test form, https://www.quad9.net/
I've been using Cloudflare's 126.96.36.199 which does block porn and malware domains for the past three months and haven't had any issues or resolution response time complaints.
I encourage you, and everyone else, to stop giving Google so much data by using their DNS.
I encourage you (and everyone else) to consider alternative DNS providers instead:
Those DNS providers are screening out malicious domains, with faster response times than Google, and have privacy statements that make it much more clear that they aren't doing anything inappropriate with your lookup data.
So if you close the app and reopen, it works "for a bit" then stops.
How does your ISP know you've closed the app and therefore offer you a bit more service?
You're perfectly explaining an app or device problem.
Anyhow. Yes, you pay for 50mbit broadband, but you don't pay for a business level SLA and 24/7 technical support, so don't get pissy with random Internet strangers who are trying to help you.
If you want a solution to your problem, give more details.
What app? What device? WiFi or wired? Have you tried another device? Is this the first time or is it every night?
Seriously look into changing the DNS, though. Yes, it's not "required", but it will increase your security and remove one of the weaknesses from the system. Personally I recommend Quad9 and although you can't change this on the Superhub, you should be able to change it on the device you're having issues with.
Help us to help you.
Yes it does seem to be ambiguous; I personally chose not to chance it (especially for my parents) and set their router to use Quad9 (their EDNS Client-Subnet enabled addresses: https://www.quad9.net/faq/#What_is_EDNS_Client-Subnet) as they like to stream a lot of videos and this helps with choosing servers closer to them.
188.8.131.52 is the default for most enterprise. They're a little bit more aggressive on blocks, and have a decent filter for what can't possibly be work related.
We monitor and fall back to 184.108.40.206 then to 220.127.116.11.
u/PHealthy looks like Quad9 has a blog article specifically about Covid-19 sites getting blocked - https://www.quad9.net/help-my-new-covid-19-site-is-getting-blocked/
That one collects exactly the same data as Google:
> What does Quad9 log/store about the DNS queries?
> We store details of the DNS records queried, timestamp, and the city, state, and country from where the query came. We do not store source IP information of end-user queries.
But yeah, I don't suppose there's much money in running open, free DNS servers unless you do business on the side; I doubt there is a single one that doesn't collect user data. I guess that one uses your data a bit less commercially, but you can't really call it privacy either.
So now it's a question of whom to give your data to,
Quad9 is a nonprofit organization supported by IBM, Packet Clearing House (PCH), Global Cyber Alliance (GCA), and many other cybersecurity organizations for the purpose of operating a privacy-and-security-centric public DNS resolver. Its main differentiator from other open DNS resolvers is that it automatically blocks domains known to be associated with malicious activity, and it does not log the IP addresses of its users and of queries sent to it.
To be correct, 18.104.22.168 is hosted by Cloudflare (https://22.214.171.124/dns/), but 126.96.36.199 is hosted by Quad9, which is supported by IBM and others (https://www.quad9.net/about/). So it's not the same, but both are good and definitely more private than Google or any other public DNS server.
As a pen tester you should know the last thing you want is a way to access your internal network from the outside.
Use SaaS for file sharing. Dropbox, OneDrive, Google Drive.
Might want to use one of those as your mail provider also.
Find a good Anti-virus/Malware product, encourage users to use something like https://www.quad9.net/ for some level of web filtering.
Yes you could do a VPN to make web browsing more secure, but as soon as they disconnect from the VPN they are no longer secure, and then they connect a computer that wasn't secure to your internal network again.
Nice setup, let’s try different DNS first. Use a computer ideally and log in to your router. (Netgear uses routerlogin.net but go direct instead and access 192.168.0.1 or however your subnet is set up.) It’ll ask for credentials, which I hope you’ve changed (admin,password).
Under advanced > DNS, uncheck “use ISP provided” and replace the entries with your choice of DNS provider. I like Quad9, no logs and supports DNSSEC. There are many; Privacytools.io can help out there.
>The browsers essentially found a way to own and direct all of that traffic.
Soooo... telecom company talking points? You are implying that Mozilla is doing this because the data has value and they want to own it?
You are saying that profit-driven ISPs that already sell data in the US are more trustworthy than the Mozilla Foundation, who has a long track record of prioritizing user privacy and self-ownership of data? Also we don't know that Mozilla will be running their own DNS servers, they aren't a DNS provider, and atm they allow the DOH (https-dns) server to be set in the browser configuration. The final decision hasn't yet been made but there is a good chance that Mozilla will make the decision to set a DOH-supporting DNS provider like Quad9 as the default DNS for Firefox because they are open, don't keep logs of user IPs, don't enforce government/corporate censorship, and most importantly are a user privacy and security focused non-profit, much like the Mozilla Foundation.
>The browsers essentially found a way to own and direct all of that traffic.
You are saying that profit-driven ISPs that already sell data in the US are more trustworthy than the Mozilla Foundation? Also we don't know that Mozilla will be running their own DNS, they aren't a DNS provider, and atm they allow the DOH (https-dns) server to be set in the browser configuration. The final decision hasn't yet been made but there is a good chance that Mozilla will make the decision to get a DOH-supporting DNS provider like Quad9 as the default DNS for Firefox because they are open and most importantly are a user privacy and security focused non-profit, much like the Mozilla Foundation.
Yup. If you are using your ISP or Google for DNS... don't. I also don't use Cloudflare, despite their virtue signaling marketing, because they are a for-profit business that has reason to monetize user data.
I use Quad9. They are the Mozilla Foundation of major DNS providers being a non-profit, user privacy and security focused, don't log user data, and big enough to not get steamrolled by governments.