Security Via DNS

14th June 2019

Article: DNS security filtering

Quad9 is a free offering from an IBM-led group of security organizations. OpenDNS made this type of service popular, and Quad9 builds on it by making the service faster using anycast and a fleet of DNS servers distributed worldwide.
This method makes it easy to protect your entire home or enterprise network from KNOWN bad/phishing sites: replace your ISP’s DNS server entries with Quad9’s DNS servers. IBM has given us a very easy-to-remember address, 9.9.9.9 (hence the name Quad9).
Add a few DNS servers for redundancy. The following are listed in order of speed:
9.9.9.9 Quad9 WorldWide ThreatFilter (IBM, PCH, GCA), strict filtering
94.149.14.14 AdGuard, strict filtering
208.67.222.222 OpenDNS US ThreatFilter, mild filtering
208.67.220.220 OpenDNS US ThreatFilter, mild filtering
208.67.220.123 OpenDNS Parental Control
208.91.112.220 Fortinet US ThreatFilter, gets DDoS’d occasionally?
149.112.121.20 CIRA (Canadian)
149.112.122.20 CIRA (Canadian)

The Good
easy to implement
protects an entire network
auto-updating
resilient
free
supports DNSSEC (not to be confused with DNS over TLS)
can prevent IoT relay attacks (Chromecast, Alexa, etc.)
easy to troubleshoot (https://www.quad9.net/ has a search function to check whether a domain is blocked)
The Bad
only mitigates KNOWN threats
DNS caching delays the effect of list updates
easy to circumvent by querying a different DNS server directly
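The last point is the one most worth acting on: a filtering resolver only helps if clients actually use it. As an added example (not part of the article), the Python below scans firewall log lines for outbound DNS (port 53, plus DNS over TLS on 853) to any destination other than the approved resolvers. The log format and the sample lines are constructed for this example; the approved set is taken from the article's list.

```python
"""Flag clients that send DNS to resolvers other than the approved filtering ones.

Added example, not from the article. The log format is a made-up key=value
style (not any vendor's syntax) and the log lines are constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict

# Resolvers the article recommends; an admin would list the ones actually deployed.
APPROVED_RESOLVERS = {
    "9.9.9.9",          # Quad9
    "208.67.222.222",   # OpenDNS
    "208.67.220.220",   # OpenDNS
}

# Destination ports that carry plain DNS (Do53) and DNS over TLS (DoT).
DNS_PORTS = {53: "Do53", 853: "DoT"}

# Constructed sample log: one client on Quad9/OpenDNS, two clients going elsewhere,
# and one ordinary HTTPS connection that must not be flagged.
SAMPLE_LOG = """\
2019-06-14T10:01:02Z action=allow proto=udp src=192.168.1.20 sport=53211 dst=9.9.9.9 dport=53
2019-06-14T10:01:05Z action=allow proto=udp src=192.168.1.31 sport=40102 dst=8.8.8.8 dport=53
2019-06-14T10:01:07Z action=allow proto=tcp src=192.168.1.31 sport=40103 dst=8.8.8.8 dport=53
2019-06-14T10:01:09Z action=allow proto=udp src=192.168.1.45 sport=51000 dst=1.1.1.1 dport=53
2019-06-14T10:01:11Z action=allow proto=tcp src=192.168.1.45 sport=51001 dst=1.1.1.1 dport=853
2019-06-14T10:01:12Z action=allow proto=udp src=192.168.1.20 sport=53212 dst=208.67.222.222 dport=53
2019-06-14T10:01:15Z action=allow proto=tcp src=192.168.1.50 sport=44000 dst=93.184.216.34 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_bypass(log_text, approved=APPROVED_RESOLVERS):
    """Return {client_ip: sorted ["dst:port/proto", ...]} for DNS traffic that
    did not go to an approved resolver. Non-DNS ports are ignored."""
    approved_set = {ipaddress.ip_address(a) for a in approved}
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in DNS_PORTS:
            continue
        if ipaddress.ip_address(rec["dst"]) not in approved_set:
            hits[rec["src"]].add(f"{rec['dst']}:{rec['dport']}/{rec['proto']}")
    return {src: sorted(dests) for src, dests in hits.items()}


if __name__ == "__main__":
    for client, dests in find_bypass(SAMPLE_LOG).items():
        print(f"{client} bypassed the filtering resolver via {', '.join(dests)}")
```

The same approved set belongs in an egress rule: allow ports 53 and 853 only to the listed resolvers (or redirect port 53 to the internal resolver) so the bypass is prevented rather than only logged. DNS over HTTPS cannot be caught by port, since it shares 443 with ordinary web traffic.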

Single Computer/Testing
use NirSoft’s QuickSetDNS (https://www.nirsoft.net/utils/quick_set_dns.html)
Home Network
set the DNS servers in the router/firewall
Business
set the upstream DNS servers on the Microsoft Domain Controller’s integrated DNS server

Ref: https://quad9.net/
Blocking test: browse to darkweb.com
DNS Benchmark: https://www.grc.com/dns/benchmark.htm
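The blocking test can be scripted instead of done in a browser. The Python below is an added example, not code from the article or from Quad9: it builds a raw DNS A query, sends it to a resolver over UDP and classifies the reply. Quad9 answers a blocked name with NXDOMAIN (OpenDNS instead returns the address of its block page), and the parser also reports the answer TTL, which is what makes caching slow to reflect list updates. The build_response helper constructs sample replies so the parser can be exercised offline; the unfiltered comparison resolver 9.9.9.10 (Quad9's unsecured service) is not mentioned in the article.

```python
"""Probe a filtering resolver and classify its answer (added example)."""
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1):
    """Return (txid, packet) for a recursive query; qtype 1 = A record."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, name, rcode, addresses, ttl):
    """Construct a reply the way a resolver would. Used only to exercise the
    parser offline: constructed data, not captured from any real resolver."""
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1, rcode in the low nibble
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for addr in addresses:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answers


def skip_name(packet, offset):
    """Return the offset just past a name, whether literal labels or a pointer."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(packet, expected_txid=None):
    """Extract the rcode, the A-record answers and the smallest TTL from a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: not the reply to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):  # skip the question section: name + qtype + qclass
        offset = skip_name(packet, offset) + 4
    answers, min_ttl = [], None
    for _ in range(an):
        offset = skip_name(packet, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
    return {"rcode": RCODES.get(rcode, str(rcode)), "answers": answers, "min_ttl": min_ttl}


def classify(parsed):
    """Quad9 signals a block with NXDOMAIN, which on the wire looks the same as a
    name that does not exist, so compare against an unfiltered resolver before
    concluding a domain is being filtered."""
    if parsed["rcode"] == "NXDOMAIN":
        return "nxdomain"
    if parsed["rcode"] == "NOERROR" and parsed["answers"]:
        return "resolved"
    return "other:" + parsed["rcode"]


def query(name, resolver, timeout=3.0):
    """Send a live A query to `resolver` on UDP port 53 and parse the reply."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


if __name__ == "__main__":
    # Live check of the article's test domain against Quad9 (filtered) and
    # 9.9.9.10 (Quad9 unfiltered, assumed as the comparison resolver).
    for resolver in ("9.9.9.9", "9.9.9.10"):
        try:
            print(resolver, classify(query("darkweb.com", resolver)))
        except (OSError, ValueError) as exc:
            print(resolver, "error:", exc)
```

If the filtered resolver returns nxdomain while the unfiltered one resolves, the domain is on the block list; if both return nxdomain the name simply does not exist. A large min_ttl on the resolved answer is the window during which clients that already cached it will keep reaching the site after the list changes.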

See Lawrence Systems