Quad9
Quad9 is a free, non-profit recursive DNS resolver service that enhances internet security and privacy by blocking user access to domains known to host malware, phishing, or other cyber threats, utilizing threat intelligence from over 25 providers without logging personal identifying information.[1][2] Launched on November 17, 2017, through a collaboration between the Global Cyber Alliance, Packet Clearing House, and IBM Security, Quad9 employs an anycast network of over 230 resolver clusters across more than 110 countries to deliver high-performance query resolution while performing an average of 670 million malicious domain blocks daily.[3][2] Operated by the Quad9 Foundation, a Swiss-based public-benefit organization headquartered in Zürich since 2021 to leverage stringent privacy laws, the service adheres to GDPR principles by anonymizing query data and focusing solely on threat mitigation rather than content censorship or surveillance.[4][5] Quad9's defining characteristics include its commitment to empirical threat blocking via heuristics and real-time intelligence, such as domain behavior analysis and malware signatures, serving millions of users globally without commercial data exploitation.[6][2]
The service's architecture emphasizes causal resilience against DNS-based attacks, with no reported systemic failures in core operations and a track record of defending against evolving threats like ransomware and botnets through collaborative intelligence sharing.[1][7] While early criticisms questioned its non-profit status and blocking efficacy, these have been addressed by transparent operations and verifiable privacy audits, positioning Quad9 as a privacy-centric alternative to ISP or commercial DNS providers.[8][9]
History
Founding and Early Development
Quad9 originated as a collaborative initiative spearheaded by the Global Cyber Alliance (GCA), a nonprofit organization focused on combating cybercrime, in partnership with Packet Clearing House (PCH) and IBM Security. The project stemmed from GCA's need for a scalable DNS resolver that could deliver security protections at the network edge without compromising user privacy, building on PCH's longstanding expertise in anycast DNS infrastructure developed over more than two decades. Early conceptual work at PCH began around 2014, initially in response to European regulatory pressures on privacy and security in DNS services, though the service remained internal until formalized with partners.[10][11][12]
The service was publicly launched on November 16, 2017, as a free, recursive DNS resolver accessible via the IP address 9.9.9.9, which leverages IBM's allocation of the 9.0.0.0/8 IPv4 block dating back to 1992. At inception, Quad9 integrated threat intelligence from IBM's X-Force database alongside feeds from 18 other sources, including government agencies and security firms, to block access to approximately 10 million known malicious domains associated with malware, phishing, botnets, and ransomware. PCH deployed the initial anycast network across multiple global points of presence, enabling low-latency resolution while committing to a no-logging policy for user IP addresses to prioritize privacy. This design emphasized empirical threat blocking over content censorship, with resolutions failing safe by default for non-malicious queries.[13][14][15]
In its early phase through 2018, Quad9 rapidly expanded its resolver footprint to over 70 locations worldwide, handling millions of daily queries and demonstrating effectiveness in reducing exposure to verified threats, as measured by integration with PCH's global Internet exchange points. Development focused on refining blocklist heuristics, incorporating real-time updates from diverse intelligence providers to minimize false positives, and establishing operational independence as a public-benefit entity rather than a commercial service. Initial adoption grew among privacy-conscious users and organizations seeking alternatives to ISP-provided DNS, with early evaluations confirming high availability and performance comparable to established resolvers.[7][16][17]
Transition to Independent Foundation
In early 2021, Quad9 transitioned from its initial operational structure under the Packet Clearing House (PCH) and a consortium of partners—including IBM Security and the Global Cyber Alliance—to an independent Swiss-based nonprofit foundation. This shift was formalized with the establishment of the Quad9 Foundation on February 17, 2021, following approval of its "Stiftung" (foundation) status by Swiss tax authorities in mid-January 2021.[4][18]
The move to Switzerland, facilitated by SWITCH—an independent foundation managing Switzerland's .ch and .li top-level domains and a center for internet security expertise—aimed to enhance user privacy protections under Swiss law. Swiss legal findings exempted Quad9 from routine law enforcement and intelligence data requests, positioning it outside jurisdictions with broader surveillance mandates, such as those in the United States where PCH is based.[4][19] This transition preserved Quad9's commitment to not logging personally identifiable information while insulating operations from potential foreign government overreach.[4]
The Quad9 Foundation assumed full responsibility for service operations, threat intelligence integration, and global infrastructure expansion, maintaining the free, public recursive DNS resolver model launched in 2017. Founding council members included representatives from SWITCH, PCH, and cybersecurity experts, ensuring continuity in technical governance while emphasizing nonprofit independence.[4][18] This structure has supported ongoing growth, with the foundation reporting over 670 million daily queries by 2025 without reliance on commercial funding models.[20]
Technical Architecture
DNS Resolution and Anycast Deployment
Quad9 operates recursive DNS resolvers that handle client queries by checking local caches and, if data is absent, iteratively contacting root servers, top-level domain (TLD) servers, and authoritative name servers to resolve domain names to IP addresses, delivering a single response to the client while caching results based on time-to-live (TTL) values for efficiency.[21] This process reduces the burden on authoritative servers and accelerates subsequent queries for frequently accessed domains.[21]
Quad9 employs anycast routing for its deployment, announcing identical IP addresses—such as 9.9.9.9 (IPv4) and 2620:fe::fe (IPv6)—from multiple points of presence (POPs) worldwide, enabling Border Gateway Protocol (BGP) to route queries to the geographically closest available resolver for minimal latency.[1] The infrastructure features over 230 resolver clusters across more than 110 countries, with distribution at over 200 locations in 90 nations, predominantly at Internet Exchange Points (IXPs) to leverage peering for optimal performance and cost-effectiveness.[2]
This anycast architecture ensures high redundancy and resilience, with automatic failover to alternative POPs if a specific resolver experiences downtime, contributing to a reported uptime of 99.999%.[8] Launched in 2017, the system has expanded to support global scalability without single points of failure.[2]
Threat Intelligence Integration
Quad9 maintains a centralized threat blocklist compiled from aggregated feeds provided by over a dozen specialized partners, enabling real-time DNS resolution blocking of domains associated with malware, phishing, botnets, ransomware, and other cyber threats.[20] This integration process involves continuous ingestion of domain and IP reputation data, which Quad9's recursive resolvers cross-reference against incoming user queries before forwarding legitimate resolutions or NXDOMAIN responses for malicious ones.[22] The system prioritizes high-confidence indicators of compromise, such as those derived from sinkhole telemetry and active threat hunting, to minimize false positives while maximizing coverage of active campaigns.[6]
Foundational to Quad9's threat intelligence is its partnership with IBM X-Force, established at launch in November 2017, which supplies proprietary indicators from global incident response data and vulnerability research.[10] By 2018, the platform had expanded to incorporate feeds from 19 contributors, including Abuse.ch for botnet command-and-control tracking, Bambenek Consulting for phishing datasets, Netlab 360 for malware distribution analysis, and ThreatSTOP for behavioral risk scoring.[23] These sources undergo Quad9's internal validation for data quality and uniqueness to ensure efficacy without over-reliance on any single provider, as demonstrated in evaluations for new integrations like Criminal IP's malicious domain lists in May 2024.[24]
Recent enhancements include preemptive analytics from BforeAI's PreCrime Intelligence, integrated in June 2025 to predict emerging threats via AI-driven pattern recognition ahead of widespread exploitation.[25] Similarly, Quad9 announced incorporation of HaGeZi Threat Intelligence Feeds in September 2025, adding community-curated blocklists focused on adware, trackers, and exploit kits to broaden coverage against lesser-known vectors.[26] Updates to the blocklist occur in near-real-time, with Quad9's infrastructure processing billions of queries daily to refine threat signatures based on observed global patterns, such as cryptocurrency scam domains or exploit-after-math infrastructure.[27] This multi-source approach contrasts with single-vendor reliance, reducing blind spots from provider-specific biases or delays, though Quad9 emphasizes empirical validation over unverified crowd-sourced inputs.[28]
Features and Services
Security Protections
Quad9's core security protection mechanism involves filtering DNS queries to block resolution of domains identified as malicious, thereby preventing user devices from establishing connections to sites hosting threats such as malware, phishing pages, botnet command-and-control servers, and exploit kits. Upon receiving a query, Quad9's recursive resolvers cross-reference the requested domain against aggregated threat intelligence feeds; if a match is found, the service returns a null or NXDOMAIN response, effectively denying access before any harmful content can be downloaded or interacted with. This proactive approach eliminates exposure risks at the network layer, safeguarding endpoints including computers, mobile devices, and IoT hardware from common cyber threats.[6][2][8]
The threat blocking relies on real-time data from over a dozen commercial and public intelligence providers, which supply lists of confirmed malicious hostnames derived from observed attack patterns, sinkholing operations, and global telemetry. Quad9 integrates these feeds without logging user IP addresses, ensuring the blocking process does not compromise query anonymity while prioritizing accuracy to minimize false positives. Partners include entities focused on cyber defense, such as those contributing to botnet takedowns and phishing database maintenance, enabling coverage of emerging threats like ransomware distribution networks.[6][28][29]
In practice, this system has demonstrated effectiveness against prevalent attack vectors; for instance, Quad9's biannual reports highlight blocks on domains linked to phishing kits and malware loaders, with the service processing millions of queries daily while deflecting connections to verified threats. Users can verify blocked domains through Quad9's transparency tools, though the service emphasizes prevention over notification to avoid alerting potential attackers. This DNS-level intervention complements endpoint security but does not substitute for comprehensive antivirus measures, as it targets only domain-based threats resolvable via DNS.[22][8]
Privacy and Data Handling
Quad9 operates as a privacy-focused DNS resolver, committing to minimal data collection and stringent protections against user identification. Under normal conditions, it does not store IP addresses or any personal identifying information (PII) from DNS queries, with client IP addresses held only temporarily in RAM during processing for microseconds to milliseconds before being purged and never correlated with other data.[30] This approach ensures that Quad9 lacks knowledge of individual user identities, as no user database or accounts are maintained.[31]
The service collects only anonymized, aggregated telemetry data to support threat intelligence and operational improvements, including integer counters for query types, response types, and approximate geographic regions (resolved to city centers for areas with fewer than 10,000 residents to prevent deanonymization), along with timestamps for first and last queries per domain label.[30][31] No unique identifiers or query logs linking users to specific requests are retained; instead, permanent archives hold solely these non-PII counters.[30] Support for encrypted protocols such as DNS over TLS (DoT), DNS over HTTPS (DoH), and DNSCrypt further shields query content from interception during transit.[31]
Data retention is limited to the aggregated metrics described, with no indefinite storage of query metadata or user-specific details.[32] Exceptions apply during anomalous events like cyber attacks, where IP addresses and query data may be temporarily retained and shared internally for defensive purposes, but such instances are governed by separate policies and do not extend to routine operations.[31] As a nonprofit, Quad9 does not sell or monetize user data, instead sharing stripped, anonymized telemetry with threat intelligence partners and researchers to enhance global DNS security.[31]
Quad9's practices align with Swiss Federal Act on Data Protection (FADP), EU GDPR, and RFC 8932 guidelines for developing privacy-enhanced DNS resolvers, rendering it exempt from certain Swiss surveillance laws due to the absence of stored user data.[30][32] Its transparency report discloses minimal legal data requests—none from 2017 to 2022, and only one in Q1 2023 from the Leipzig District Court (file 05 O 807/22), to which no substantive data could be provided owing to non-retention policies.[32] These measures position Quad9 as compliant with international privacy standards while prioritizing security without compromising anonymity.[30]
Protocol Support and Client Options
Quad9 supports standard DNS queries over UDP and TCP on port 53 using anycast IP addresses such as 9.9.9.9 for IPv4 and 2620:fe::fe for IPv6.[33] It also enables encrypted DNS transport protocols, including DNS over TLS (DoT) on port 853 via hostnames like dns.quad9.net, which encrypts queries between clients and resolvers to prevent eavesdropping.[8] DNS over HTTPS (DoH) is available on port 443, supporting GET and POST methods to the endpoint /dns-query under dns.quad9.net, a capability introduced on October 4, 2018, to integrate securely with web browsers and applications.[34] Additionally, Quad9 accommodates DNSCrypt, an alternative encryption protocol using UDP on port 443 or TCP on port 8443, providing authenticated encryption for queries.[9]
All secure Quad9 resolvers enforce DNSSEC validation by default, verifying digital signatures on DNS responses to mitigate spoofing and man-in-the-middle attacks, though clients must enable DNSSEC support locally if forwarding queries.[33] Unsecured resolvers, such as 9.9.9.10, omit malware blocking and DNSSEC but support the same protocols for compatibility testing or reduced filtering.[33]
Clients configure Quad9 by setting device or router DNS servers to designated IP addresses or hostnames, with options differentiated by features like threat blocking, Extended Client Subnet (ECS) for geolocation accuracy, and logging preferences.[33] For encrypted protocols, applications or operating systems must specify DoT/DoH endpoints; for example, modern browsers like Firefox support DoH via about:config settings pointing to Quad9's resolver.[8] Quad9 offers setup guides for Windows, macOS, Linux, iOS, Android, and routers, recommending exclusive use of its addresses to avoid mixing with other resolvers that could bypass protections.[8]
| Service Type | IPv4 Addresses | IPv6 Addresses | Key Features |
|---|---|---|---|
| Secure (Malware Blocking + DNSSEC, No ECS) | 9.9.9.9, 149.112.112.9 | 2620:fe::9, 2620:fe::9:9 | Threat blocking, DNSSEC validation, privacy-focused (no PII logging)[33] |
| Secure with ECS | 9.9.9.11, 149.112.112.11 | 2620:fe::11, 2620:fe::fe:11 | Adds approximate client geolocation for better CDN performance[33] |
| Unsecured | 9.9.9.10, 149.112.112.10 | 2620:fe::10, 2620:fe::10:10 | No blocking or DNSSEC; for baseline resolution[33] |
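The following Python is an added example, not code from Quad9 or from the original article: it builds the RFC 8484 GET URL for the /dns-query endpoint described above and compares the replies a filtering and a non-filtering service (such as the Secure and Unsecured rows of the table) give for one name. The function names and the sample replies are constructed for illustration, and it assumes a blocked name is answered with NXDOMAIN, as the article describes.

```python
import base64
import struct

DOH_ENDPOINT = "https://dns.quad9.net/dns-query"  # DoH endpoint named in the article
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1):
    """Encode a one-question DNS query in RFC 1035 wire format (qtype 1 = A)."""
    # ID 0 as RFC 8484 suggests for DoH; flags 0x0100 = recursion desired.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(name, qtype=1):
    """RFC 8484 GET form: base64url of the wire query with padding removed."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{DOH_ENDPOINT}?dns={b64.decode('ascii')}"

def classify(response):
    """Summarise the 12-byte header of a DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: a query, not a response")
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": an, "authority": ns}

def compare(filtered, unfiltered):
    """Compare replies for one name from a filtering and a non-filtering resolver."""
    f, u = classify(filtered), classify(unfiltered)
    if f["rcode"] == "NXDOMAIN" and u["rcode"] == "NOERROR" and u["answers"] > 0:
        return "blocked-by-filter"   # resolves unfiltered, denied by the filtering service
    if f["rcode"] == u["rcode"] == "NXDOMAIN":
        return "nonexistent"         # the name does not resolve anywhere
    return "resolved" if f["rcode"] == "NOERROR" else "inconclusive"

def sample_response(name, rcode, with_answer):
    """Constructed test data (not captured traffic): a reply to build_query(name)."""
    hdr = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, int(with_answer), 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return hdr + build_query(name)[12:] + (rr if with_answer else b"")

if __name__ == "__main__":
    print(doh_get_url("www.example.com"))
    print(compare(sample_response("a.example", 3, False), sample_response("a.example", 0, True)))
```

An NXDOMAIN from the filtering service alone is ambiguous, because a name that genuinely does not exist produces the same response code; the comparison against an unfiltered reply is what separates the two cases.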