unclebuk
Other things to do, yes, but Quad9 is a high priority for us, and heck, I'm just sitting around an airport lounge waiting for my next plane, so I might as well be useful, right?
Sure.
Relative to those two, the answer is the same: privacy and security.
A lot of people look at recursive DNS and think that performance is the thing that matters, because it's the thing that they can measure. Performance is easy to see, because anybody can run dnsperftest to see which gives the quickest average response time from their location. But of the four large ones (OpenDNS/Umbrella being the fourth) all are likely to give you very good performance if you're in North America or Western Europe. Because the other three are commercial, they focus their effort in the places where people have the most money to spend, so you're less likely to get good performance from them if you're in Africa or South America or the Caribbean or South Asia, for instance. But if you're in the US, or Canada, or France, or Germany, any of the four will give you perfectly sufficient performance, and no amount of tinkering or switching is likely to yield any user-noticeable improvement. But performance isn't the point. Google was already there when we set up Quad9, and we're not going to blow our donors' money solely to one-up somebody's commercial offering on the basis of performance.
The point was privacy and security.
Google and Cloudflare make money collecting and selling personal information. Whatever you may think about the morality of that, it's flat-out illegal in Europe, and Quad9 was started because European privacy regulators asked us (meaning PCH, in this case) to stand up a GDPR-compliant recursive resolver, as an existence-proof that it was possible to run this critical infrastructure without paying for it by stealing users' personal information and hawking it to data-brokers.
So, unlike the others, Quad9 does not collect personal information. Quad9 does not have a concept of a "user" to hang records off of, and does not collect any IP addresses. Quad9 is the only big anycast resolver that doesn't collect personal information, and it's the only free one that's GDPR-compliant. (Cisco's commercial Umbrella offering is GDPR-compliant and doesn't sell information.) There are people who say that it's okay to collect information if you don't do anything bad with it, but that's completely wrong, because breaches happen all the time. Any information you collect will eventually be stolen, and when it's stolen, it'll be sold. So, don't collect unnecessary information in the first place.
Relative to security, malware and phishing and so forth are a horrible problem, particularly with IoT junk. Botnets are getting very large, and the DDoS attacks they source are a vast problem. So using the recursive resolver to block contact between bot software and its C&C, as David did with OpenDNS, is an excellent way to protect users from malware, and to protect the Internet from infected devices. Whereas OpenDNS has Cisco as its sole source of "threat intelligence," Quad9, as a not-for-profit Internet industry project, has twenty, including Cisco and IBM and F-Secure and many others. So Quad9 offers malware blocking that uses the best information we can glean from all twenty threat intel providers, plus a whitelist of known-good major sites, to make sure that infected devices at your sites can't connect to C&C and start DDoSing people, and that credulous users won't be able to connect to phishing sites that will steal their information.
Google and Cloudflare do not do malware blocking. Cisco Umbrella/OpenDNS does.
What we recommend you do is to run a local caching resolver that performs QNAME minimization and DNS-over-TLS, provision it with plenty of cache, and only leak the minimum possible information out to a recursive resolver, and make sure that you agree with the privacy policy of the recursive resolver. Lots of folks use the combination of PiHole and Stubby for that purpose. One way you can tell whether people are monetizing your data is by seeing whether they recommend you connect your end-nodes directly to their service, or whether they recommend you put a caching resolver in front.
If you want to make this question more visible, you could post it to Quora, and I'll post the answer there as well.
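An added example, not from the post above or from the Quad9 project, of the Stubby half of the PiHole + Stubby combination the post recommends: Stubby listens on the loopback interface and forwards only over authenticated TLS to Quad9, and Pi-hole is then given 127.0.0.1#5053 as its sole upstream. The Quad9 addresses and TLS auth name are Quad9's published ones; the local listen port 5053 and the padding block size are assumptions for this example.

```yaml
# stubby.yml (constructed example for a Pi-hole + Stubby setup)
# Stubby answers Pi-hole on loopback and speaks only DNS-over-TLS upstream.

resolution_type: GETDNS_RESOLUTION_STUB

# Refuse any transport other than TLS: no cleartext fallback if port 853 is blocked.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS

# Require the upstream certificate to validate against tls_auth_name below;
# a failed handshake or name mismatch means no answer, not a downgrade.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

# Pad queries to a fixed block size so query length leaks less to an observer.
tls_query_padding_blocksize: 128

# Ask the upstream not to forward our client subnet (EDNS Client Subnet) to authoritatives.
edns_client_subnet_private: 1

# Keep the TLS session open between queries instead of a handshake per lookup.
idle_timeout: 10000
round_robin_upstreams: 1

# Only the local Pi-hole should talk to Stubby; it caches and filters in front of us.
listen_addresses:
  - 127.0.0.1@5053
  - 0::1@5053

# Quad9 primary and secondary anycast addresses, authenticated by name.
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 149.112.112.112
    tls_auth_name: "dns.quad9.net"
  - address_data: 2620:fe::fe
    tls_auth_name: "dns.quad9.net"
  - address_data: 2620:fe::9
    tls_auth_name: "dns.quad9.net"
```

To confirm nothing leaves in cleartext, watch the host's outbound traffic while resolving: only TCP/853 to the Quad9 addresses should appear, with no UDP/53 to the Internet.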
Yoh Woody, how does Quad9 make money?