TIL: Quad9.net
Thanks to a comment over at lobste.rs I learned about Quad9. Quad9 is a public recursive DNS resolver with a focus on 'privacy' and cyber-security.
They maintain a list of malicious host names (e.g. sites that host malware) which they block by resolving them to NXDOMAIN. I put 'privacy' in scare quotes because they do share some anonymized information with threat intelligence providers (the organizations that tell them which host names are malicious) when a user tries to resolve one of the domains they block.
However, the user can opt out of that behaviour by using 9.9.9.10 instead of 9.9.9.9 as their DNS server. By doing so they also opt out of the blocking of malicious host names.
Below is how to configure systemd-resolved to use Quad9 with DNSSEC and DNS over TLS:
```ini
# Place the following in /etc/systemd/resolved.conf
# man 5 resolved.conf
[Resolve]
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
# Disable fallback DNS
FallbackDNS=
DNSOverTLS=yes
DNSSEC=yes
Domains=~.
Cache=yes
```
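The settings above only protect lookups if none of them is quietly weakened (no `#hostname` for certificate checks, `opportunistic` TLS, `allow-downgrade` DNSSEC, or a default fallback server). As an added example that is not from the post, here is a small standard-library audit of a resolved.conf; both configs in it are constructed samples.

```python
"""Audit a systemd-resolved config for the strict Quad9 DoT/DNSSEC setup."""
import configparser

# Constructed sample: the hardened config from the post.
HARDENED = """
[Resolve]
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
FallbackDNS=
DNSOverTLS=yes
DNSSEC=yes
Domains=~.
Cache=yes
"""

# Constructed sample: a variant that still resolves but can be downgraded.
WEAK = """
[Resolve]
DNS=9.9.9.9 149.112.112.112
DNSOverTLS=opportunistic
DNSSEC=allow-downgrade
"""

def audit_resolved(text: str) -> list[str]:
    """Return a list of findings; an empty list means the config passes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("Resolve"):
        return ["missing [Resolve] section"]
    r = cp["Resolve"]
    findings = []
    servers = r.get("DNS", "").split()
    if not servers:
        findings.append("DNS= is empty; compiled-in defaults will be used")
    for s in servers:
        # Without '#hostname' resolved has no name to validate the TLS certificate against.
        if "#" not in s:
            findings.append(f"DNS server {s} has no #hostname for TLS certificate validation")
    if r.get("DNSOverTLS", "no").lower() != "yes":
        findings.append("DNSOverTLS is not 'yes'; 'opportunistic'/'no' permits plaintext DNS")
    if r.get("DNSSEC", "no").lower() != "yes":
        findings.append("DNSSEC is not 'yes'; 'allow-downgrade' lets validation be stripped")
    if "FallbackDNS" not in r:
        findings.append("FallbackDNS not set; compiled-in plain-DNS fallback servers may be used")
    elif r["FallbackDNS"].strip():
        findings.append("FallbackDNS lists servers; traffic may bypass the configured resolver")
    if r.get("Domains", "") != "~.":
        findings.append("Domains=~. missing; per-link servers may be preferred for some lookups")
    return findings

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_resolved(cfg) or "OK")
```

Run it against `/etc/systemd/resolved.conf` after editing, then confirm with `resolvectl status` that the link shows `DNSOverTLS=yes` and `DNSSEC=yes`.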