New DNS Service Launched by IBM Vows to Keep Your Browsing Habits Secret

Discussion in 'privacy technology' started by IvoShoen, Nov 16, 2017.

  1. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    Does it support DNSCrypt? DNSSEC?
     
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    https://www.quad9.net/#/faq

    Regarding DNSCrypt, why would it be supported? It offers DNS over TLS instead.
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,874
    Location:
    Outer space
    Nice, I think they're the first public DNS provider with DNS-over-TLS.
    The thing is I don't really want to have to trust IBM with my DNS/browsing history after their history during WWII.
     
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,445
    Location:
    Slovakia
    Maybe the first worldwide provider, but not the first; there were others before them, like:

    Code:
    https://securedns.eu/
     
  5. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    I can find nothing on that link on the topic of TLS. All it says is that it uses DNSSEC.
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,253
    Location:
    Among the gum trees
    #4

    #5
     
  7. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,385
    I have been using dnscrypt (on my router), but might want to try this DNS over TLS.

    What do I have to do on my side to enable DNS over TLS? (Next to using 9.9.9.9)
     
  8. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Well, there are two choices right now:
    1. You can either install a full, real DNS server like Unbound.
    2. Or you can install just a stub DNS resolver like Stubby.

    And after installing either one, you point it to forward all DNS queries to port 853 at address 9.9.9.9

    Windows Unbound guide:
    https://unbound.net/documentation/unbound-windows-manual-02.pdf

    My own super quick client (and also client/server if needed) setup for Linux:
    https://www.orwell1984.today/dns.html

    and download for both Linux/Windows
    https://unbound.net/download.html
    ----------------------------------------------
    For stubby (both instructions and download link):
    https://dnsprivacy.org/wiki/display/DP/Windows installer for Stubby

    EDIT: Also, most Linux distros have an unbound package, but I'm not sure about stubby.
    EDIT2: That Unbound guide for Windows just has the basics of installing, running and editing the config file (there it seems to be called "C:\Program Files\Unbound\service.conf", while on Linux it's /etc/unbound/unbound.conf). So you will have to check my Linux guide anyway after the Windows installation instructions.
     
    Last edited by a moderator: Dec 26, 2017
  9. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,385
    Why is a server/stub needed?

    Isn’t it sufficient to let my router use 9.9.9.9:853 as upstream DNS server?
     
  10. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Well, of course you can try it but I doubt it will work.

    When using DNS-over-TLS your normal DNS packets are stuffed into an encrypted tunnel and normal DNS software doesn't know how to handle it. That's why you need Unbound/Stubby to translate your ordinary DNS to DNS-over-TLS.

    Or like this:

    Your computer DNS UDP(or TCP) sending to port 53 ----> Your router with Unbound or Stubby listening port 53 ---> wrapping up the DNS into encrypted tunnel and kicking out to big bad Internet toward 9.9.9.9@853
     
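    As an added illustration of the Unbound/Stubby flow described in posts 8 and 10 (example code written for this thread, not Quad9's, Unbound's or Stubby's own), here is a minimal Python DNS-over-TLS lookup: it builds an ordinary DNS query, adds the 2-byte length prefix that RFC 7858 borrows from DNS over TCP, and sends it inside a verified TLS session to 9.9.9.9:853. The certificate name dns.quad9.net is an assumption; check the Quad9 FAQ for the name their certificate actually carries.

```python
import socket, ssl, struct

def build_query(name, qid=0x1234):
    # Header: id, flags=RD (recursion desired), 1 question, no other records.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN

def frame(msg):
    # RFC 7858 reuses DNS-over-TCP framing: a 2-byte big-endian length prefix.
    return struct.pack("!H", len(msg)) + msg

def skip_name(buf, off):
    # Advance past a domain name; 0xC0 marks a 2-byte compression pointer.
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + buf[off]
    return off + 1

def parse_a_records(resp):
    # Return the IPv4 addresses found in the answer section of a DNS response.
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = skip_name(resp, off) + 4           # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs

def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed before the full message arrived")
        data += chunk
    return data

def resolve_dot(name, server="9.9.9.9", port=853, tls_name="dns.quad9.net"):
    # Plain DNS message in, TLS on the wire: the translation Unbound/Stubby perform.
    # tls_name is an assumed certificate name; the TLS context verifies it.
    ctx = ssl.create_default_context()           # verifies chain and hostname
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(frame(build_query(name)))
            length = struct.unpack("!H", recv_exact(tls, 2))[0]
            return parse_a_records(recv_exact(tls, length))
```

    Running resolve_dot("example.com") needs network access; the builder and parser can be exercised offline on a constructed response.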
  11. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,385
    Makes sense. I believe Unbound is available via Entware. Should try this some time I guess...
     
  12. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Some comparison of the various suggested DNS encryption methods.

    https://www.slideshare.net/MenandMice/how-to-send-dns-over-anything-encrypted

    DNS-over-TLS seems best so far because it's based on a well-known method (the same as what is used with HTTPS), and the current state is that there is absolutely no (finished) encrypted DNS standard yet.

    So we need a baseline and from that start improving (maybe the DNS-over-QUIC that the above link mentions).

    Also some comparison between just DNS-over-TLS and DNSCrypt:
    https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt
     
  13. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    Cool. So do I have to enable TLS for the DNS or do I just hammer the DNS into the router settings and it works automagically?
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,253
    Location:
    Among the gum trees
    You really should read the posts after mine too. ;)
     
  15. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    I see. Will be sticking to DNSCrypt then.
     
  16. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    849
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    While DNS-over-TLS is a welcome improvement one should be aware that this does not mean complete privacy. Yes, your DNS requests are encrypted so your ISP cannot see them - but your ISP still sees the websites you're surfing because of SNI (Server Name Indication). This is explained here and discussed in the comments here (with a link which shows the technical background). This also applies to DNSCrypt. Hence, this is certainly not a way to, e.g., circumvent censorship in countries like China or Iran. (And VPNs are forbidden in those countries anyhow.)
     
  18. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Well it's a Yes and No.

    Yes, if the site is using SSL/TLS and also serves multiple other sites from the same server (aka virtual hosting in plain old HTTP speak), then it has to use SNI.

    No, if you just have one site served over SSL/TLS, then no SNI is needed (and of course, if you set up your own DNS-over-TLS server for your own use, then of course you don't use SNI and everything goes encrypted).


    There has been some talk about how to handle, and possibly ways to encrypt, SNI. Let's see what happens.
     
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Yes, that's how I understood it, too. But I think the first scenario is certainly much more common.
     
  20. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Yes, that is sadly true. However, there is some hope.

    Here are two possible solutions offered (they need TLS 1.3, but it will be needed in the future anyway ...):
    https://tools.ietf.org/html/draft-huitema-tls-sni-encryption-00

    EDIT: Hmmm... Now that I think of it and have some extra time, I should maybe try to enable TLS 1.3 in my server and see how it works ....
     
    Last edited: Jan 1, 2018
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,253
    Location:
    Among the gum trees
    Well that was surprising reading to say the least! I wasn't aware of any of that.

    I see their FAQ now shows their secondary IP address.

    1. 9.9.9.9
    2. 149.112.112.112
     
  22. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    473
    Location:
    Neo Tokyo
    IPv6:

    Preferred 2620:fe::fe

    Alternate (Secure) 2620:fe::9
     
  23. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,558
    Location:
    USA still the best. But barely.
    New York City is launching public cybersecurity tools to keep residents from getting hacked
    https://finance.yahoo.com/news/york-city-launching-public-cybersecurity-212623275.html
    Just saw this article mentioning Quad9. Came to Wilders, searched, & here I am.

    Just tried the DNS settings &, as of now with very limited testing, these DNS settings are faster than others. Haven't done any testing with DNSBench, NameBench etc. yet. I'll just run this till I don't.
     
  24. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,620
    Location:
    Texas