Nyr / openvpn-install

OpenVPN road warrior installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora
MIT License

Quad 9 DNS #379

Closed Nyr closed 6 years ago

Nyr commented 7 years ago

https://www.quad9.net/

New DNS in town. Anycast, maintained by a reliable organisation and looks good all around.

Their marketing talks mainly about malware blocking, and previously my policy on this has been clear: only anycast, reliable and unfiltered DNS would be added to the script.

This time the situation is a bit different and I think it requires some consideration:

That said, I see three options:

  1. Add their main resolver only. My opinion is that filtering malware, when done right, should be considered an acceptable choice.
  2. Add their secondary, unfiltered resolver instead. Some people don't want to risk false positives and will not care about malware filtering. My position is that this group of people would probably use a different resolver anyway.
  3. Provide both options during setup. A bit confusing to the user given that we would need to explain the differences.

I'm currently gearing towards option 1, but open to arguments if someone wants to chime in.

Ph0enix777 commented 7 years ago

I seem to be having a problem with DNS leaks: the VPN always picks OpenDNS even when I pick others and change it in the VPS. I also have problems with DNS leaks from my own ISP. Can you kindly advise me or look into this? Tried multiple VPS providers, btw.

Nyr commented 7 years ago

@Ph0enix777 yours is a client-side problem unrelated to this issue. Please go to the OpenVPN forums or use the support channels for whatever client you are using.

Ph0enix777 commented 7 years ago

Thank you, and it makes sense; it only started leaking when I upgraded to Ubuntu 17.10. I lean more towards unfiltered traffic from Quad 9, but I do think adding an option for custom DNS would be a great addition to the script. Keep up the good work.

holdit commented 6 years ago

I think the script should offer both options, something like "Quad9 Filtered" and "Quad9 Unfiltered", or "safe"/"unsafe". But as you said, it's hard to explain the differences between the two in a word or two.

If this is not possible, then go with the first option. We already have other options that don't have any kind of protection.

itseoconsulting commented 6 years ago

(attached image: Quad9 feature matrix)

I would recommend that, if Quad9 is enabled, you can select one of the current 4 ones.

Nyr commented 6 years ago

I have decided against integrating Quad 9 DNS for now.

The main reason, other than the fact that malware filtering at the DNS level is almost useless for the regular user, is that the service is still very new. For example, I couldn't even find the .11 and .12 servers advertised on the site.

The "NXDOMAIN only" option doesn't inspire much confidence in future monetization efforts, nor do some of the organizations and persons behind the project. Special mention is deserved by Manhattan District Attorney Cyrus Vance Jr., who provided the $25M funding for this project.

We'll see and re-evaluate in the future, if needed.