PSA regarding Quad9 DNS Resolver

Like OpenDNS, Quad9 is a censoring DNS resolver and exits using it are / should be considered bad exits. I haven’t seen any exits using it yet; however, I thought I’d bring it up. Thoughts?

Cheers,
Nathaniel

Sent from my iPhone

On Fri, May 11, 2018 at 07:41:45AM -0400, Nathaniel Suchy (Lunorian) wrote:
> Like OpenDNS, Quad9 is a censoring DNS resolver and exits using it are / should be considered bad exits. I haven’t seen any exits using it yet however I thought I’d bring it up. Thoughts?

Yes, but nusenu's email is the better course of action. Using Quad9 is one of the examples listed on the wiki page for why a relay is marked as a badexit [0], but if the operator can simply change their configuration then that is a significantly better solution.

[0] https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays

Toralf Förster:
> On 05/11/2018 01:41 PM, Nathaniel Suchy (Lunorian) wrote:
>> Like OpenDNS, Quad9 is a censoring DNS resolver
>
> Is this true for 9.9.9.10 too ?
Is there a service that Quad9 offers that does not have the blocklist or other security?
The primary IP address for Quad9 is 9.9.9.9, which includes the blocklist, DNSSEC validation, and other security features. However, there are alternate IP addresses that the service operates which do not have these security features. These might be useful for testing validation, or to determine if there are false positives in the Quad9 system.
Secure IP: 9.9.9.9 Provides: Security blocklist, DNSSEC, No EDNS Client-Subnet sent. If your DNS software requires a Secondary IP address, please use the secure secondary address of 149.112.112.112
Unsecured IP: 9.9.9.10 Provides: No security blocklist, DNSSEC, sends EDNS Client-Subnet. If your DNS software requires a Secondary IP address, please use the unsecured secondary address of 149.112.112.10
Note: Use only one of these sets of addresses secure or unsecured. Mixing secure and unsecured IP addresses in your configuration may lead to your system being exposed without the security enhancements, or your private data may not be fully protected
-- https://mastodon.social/@nusenu twitter: @nusenu_

As long as their alternate resolvers do not censor any queries it's (probably) allowed and will (probably) not get you flagged as a bad exit for censoring traffic.

On 5/11/18 12:24 PM, nusenu wrote:
> Toralf Förster:
>> On 05/11/2018 01:41 PM, Nathaniel Suchy (Lunorian) wrote:
>>> Like OpenDNS, Quad9 is a censoring DNS resolver
>>
>> Is this true for 9.9.9.10 too ?
>
> Is there a service that Quad9 offers that does not have the blocklist or other security?
> The primary IP address for Quad9 is 9.9.9.9, which includes the blocklist, DNSSEC validation, and other security features. However, there are alternate IP addresses that the service operates which do not have these security features. These might be useful for testing validation, or to determine if there are false positives in the Quad9 system.
> Secure IP: 9.9.9.9 Provides: Security blocklist, DNSSEC, No EDNS Client-Subnet sent. If your DNS software requires a Secondary IP address, please use the secure secondary address of 149.112.112.112
> Unsecured IP: 9.9.9.10 Provides: No security blocklist, DNSSEC, sends EDNS Client-Subnet. If your DNS software requires a Secondary IP address, please use the unsecured secondary address of 149.112.112.10
> Note: Use only one of these sets of addresses secure or unsecured. Mixing secure and unsecured IP addresses in your configuration may lead to your system being exposed without the security enhancements, or your private data may not be fully protected
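
For relay operators who want to check their own resolver configuration against the addresses quoted in this thread, here is an added example (not written by any poster and not Tor Project code). It parses resolv.conf-style text and reports whether the blocklisting Quad9 addresses are configured or mixed with the non-blocklisting set; the function names and sample configurations are constructed for illustration.

```python
import ipaddress

# Quad9 address sets as quoted from the Quad9 FAQ in this thread.
QUAD9_BLOCKLIST = {"9.9.9.9", "149.112.112.112"}      # "secure": blocklist applied
QUAD9_NO_BLOCKLIST = {"9.9.9.10", "149.112.112.10"}   # "unsecured": no blocklist

def parse_nameservers(text):
    """Return nameserver addresses from resolv.conf-style text, in file order."""
    servers = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                continue  # malformed address: skip rather than guess
    return servers

def audit(text):
    """Classify the configured resolvers against the two Quad9 sets."""
    servers = parse_nameservers(text)
    blocklist = [s for s in servers if s in QUAD9_BLOCKLIST]
    no_blocklist = [s for s in servers if s in QUAD9_NO_BLOCKLIST]
    return {
        "servers": servers,
        "blocklist": blocklist,
        # The FAQ warns against mixing the two sets in one configuration.
        "mixed": bool(blocklist and no_blocklist),
        # A loopback-only list means the real upstreams live in the local
        # resolver's own forwarder settings, which this check cannot see.
        "local_only": bool(servers) and all(
            ipaddress.ip_address(s).is_loopback for s in servers),
    }

# Constructed sample configurations (not taken from any real relay).
SAMPLE_MIXED = """# constructed example
nameserver 9.9.9.9
nameserver 149.112.112.10   # secondary from the other set
options edns0
"""
SAMPLE_LOCAL = "nameserver 127.0.0.1\nnameserver ::1\n"

if __name__ == "__main__":
    for name, conf in (("mixed", SAMPLE_MIXED), ("local", SAMPLE_LOCAL)):
        print(name, audit(conf))
```

On a relay, pass in the contents of /etc/resolv.conf; a `local_only` result means the local resolver's forwarders need the same check.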
participants (4): Matthew Finkel, Nathaniel Suchy (Lunorian), nusenu, Toralf Förster