Cloud9 DNS

I don't blindly do anything, nor do I follow the leader, but the information in this thread has converted me over to Quad9. They clearly have less need for information than Cloudflare. The experimental IP range use bothers me as well. I'm in full testing mode as we speak. :D

I am as well.

Currently, not all Stubby site tests shown here validate with Quad9:

https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/blob/master/README.md

but that has been mentioned before somewhere in this thread; I just can't remember exactly in which post:

https://www.snbforums.com/threads/stubby-installer-asuswrt-merlin.49469/.

I will also attempt to modify some of my settings as according to @Xentrk in this:

https://www.snbforums.com/threads/stubby-installer-asuswrt-merlin.49469/page-78#post-495578

and according to @Swistheater in this:

https://www.snbforums.com/threads/stubby-installer-asuswrt-merlin.49469/page-78#post-495587

to see how they work for me.




Sent from my iPhone using Tapatalk
 
I don't blindly do anything, nor do I follow the leader, but the information in this thread has converted me over to Quad9. They clearly have less need for information than Cloudflare. The experimental IP range use bothers me as well. I'm in full testing mode as we speak. :D
Same here @skeal , the information in this thread has helped explain the thinking behind their services and helped shed some light on things that outsiders like us might not know, such as the experimental IP addresses that Cloudflare uses. I too was not aware of that, but I can say that I enjoy tinkering, so in the next couple of years I'd be surprised if I'm still using the same DNS servers (except Quad9, unless something changes).
 
@Bill Woodcock , is there any benefit in setting both 9.9.9.9 and 149.112.112.112 , or are they routed to the exact same node, and the second address is only intended for clients that absolutely require two different nameservers in their configuration?
I’ll be interested in the official answer.

I'm speculating... Typically, these infrastructures are hardened against SPOF by not only being on separate subnets but on distinct pHW/nodes. These may be linked by a private subnet to keep the DB in sync. Of course, both and all would be fronted by load-balancers, and these are likely spread over regions. Later.
 
@Bill Woodcock , is there any benefit in setting both 9.9.9.9 and 149.112.112.112 , or are they routed to the exact same node, and the second address is only intended for clients that absolutely require two different nameservers in their configuration?

Every anycast node is a whole stack of VMware ESXi hosts, so all of this is for routing diversity more than server redundancy. You're not going to get any significant diversity between the two IPv4 addresses, but IPv6 often gives significantly better performance (and more direct paths) than IPv4 now, depending on your upstream ISPs. What we recommend is that you set 2620:fe::fe as your first nameserver, and 9.9.9.9 as your second one. 149.112.112.112 would, as you say, only be really very useful if you had a client that both had to have two nameservers, and didn't support IPv6.
 
The majority of routers that have any built-in caching resolver use dnsmasq, which doesn't do recursive lookups; it mostly acts as a caching forwarder. So the burden of RFC7816 lies in the upstream servers used by the forwarder.
This is the same case AFAIK with Stubby, which is probably the most popular stub resolver that supports DoT.

Thanks. I work more on routing security and economics, and not so much in the nuts and bolts of the nameservers, so you're providing more detail here than I knew.
 
...IPv6 often gives significantly better performance (and more direct paths) than IPv4 now, depending on your upstream ISPs. What we recommend is that you set 2620:fe::fe as your first nameserver, and 9.9.9.9 as your second one. 149.112.112.112 would, as you say, only be really very useful if you had a client that both had to have two nameservers, and didn't support IPv6.
I've always disabled IPv6 on my router side for some time b/c it's a whole other set of code paths to deal with... but this might prompt me to enable it. More study required. Today I use the 2 IPv4 variants only. Thanks!
 
Quad9 is an interesting service. I personally don't use because it's backed by some entities like the City of London Police, known for their overreach online.

Quad9 was created, in part, by the Global Cyber Alliance (GCA), a non-profit that was founded by Manhattan District Attorney Cy Vance, Jr., the City of London Police, and the Center for Internet Security, with a seed investment of asset forfeiture funds provided by the Manhattan District Attorney.

First, I'll point out that you're describing several degrees of remove. I'm probably equally closely associated with Elvis Presley and Jimmy Hoffa, for instance.

But ultimately, one doesn't choose who likes one or finds utility in one's work.

It is a fact that most of the earliest and most enthusiastic adopters of Quad9 tended to be local and regional governments, globally, and that includes their law enforcement offices just as much as their schools and parks and libraries. Quad9 emphasizes privacy and security, and those are, by and large, the goals of law enforcement, as well as sysadmins everywhere.

I recognize that there are some people who say "if X likes Y, I cannot also like Y, because I dislike X." And that's fine, but it's an essentially dogmatic stance, not a pragmatic or utilitarian one. You have a bone to pick with the City of London Police, and they use Quad9 to protect themselves, so you choose not to. Which is fine.

The utilitarian counterpoint would be "If it's good enough for them, it's good enough for me."
 
Typically, these infrastructures are hardened against SPOF by not only being on separate subnets but on distinct pHW/nodes. These may be linked by a private subnet to keep the DB in sync. Of course, both and all would be fronted by load-balancers, and these are likely spread over regions.

Yeah, that basically sums it up. Essentially, every location is its own stand-alone entity, and traffic is load-balanced across all of them using eBGP anycast. I first anycast nameservers when I was running an ISP in 1989, and have been building anycast DNS networks like Quad9 ever since. For any of you who aren't already familiar with anycast routing, here's a quick tutorial on how it works:

https://www.pch.net/resources/Papers/anycast/Anycast-v07.pdf

Here's a tutorial on how to build an anycast network to work reasonably reliably:

https://www.pch.net/resources/Papers/dns-service-architecture/dns-service-architecture-v11.pdf

Here's an overview of how it's applied to our authoritative DNS network:

https://www.pch.net/resources/Papers/anycast-services/DNS-Hosting-v22.pdf

Within each location, there's a cluster of PowerDNS and BIND recursive nameservers (they do different things well and poorly) fronted by a DNSdist load-balancer that makes sure the right queries end up on the right code-bases. And there's a cluster of NSD and BIND authoritative nameservers. The recursive nameservers are completely autonomous, in the sense that they don't depend upon any back-end infrastructure or synchronization between nodes. The authoritatives are dependent on our zone mastering and DNSSEC signing infrastructures, which are necessarily more centralized, for their input data.

You can see a reasonably up-to-date list of our locations, with our interconnection ("peering") requirements here:

https://www.pch.net/peering

and an interactive map here:

https://www.pch.net/ixpdir
 
You have a bone to pick with the City of London Police, and they use Quad9 to protect themselves, so you choose not to.
I might be wrong, but I had the impression that Citizen93d has problems with the fact that certain parties might be founders/sponsors (with possibly special rights?), not that they are users of Quad9.

PS: thank you for contributing here!
 
Every anycast node is a whole stack of VMware ESXi hosts, so all of this is for routing diversity more than server redundancy. You're not going to get any significant diversity between the two IPv4 addresses, but IPv6 often gives significantly better performance (and more direct paths) than IPv4 now, depending on your upstream ISPs. What we recommend is that you set 2620:fe::fe as your first nameserver, and 9.9.9.9 as your second one. 149.112.112.112 would, as you say, only be really very useful if you had a client that both had to have two nameservers, and didn't support IPv6.

Let me get this straight: I use 2640:fe:fe in DNS server 1? and 9.9.9.9 in DNS server 2 and not 149.......???
 
Let me get this straight: I use 2640:fe:fe in DNS server 1? and 9.9.9.9 in DNS server 2 and not 149.......???

2620:fe::fe is the primary IPv6 address, and 9.9.9.9 is the primary IPv4 address. Yes, our recommendation is that you use those two, in that order.

If you want redundancy in the form of a recursive nameserver operated by a different organization, TWNIC operates one on 2001:de4::101 and 101.101.101.101 which has the same privacy policy as Quad9, though it doesn't have malware blocking.
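The ordering advice in this reply (IPv6 address first, 9.9.9.9 second, 149.112.112.112 only for IPv4-only clients that must list two servers, TWNIC as a cross-organisation backup) turned into a small checker. This is an added example, not Quad9's or the forum's code; the function names and capability flags are assumptions for illustration, and the addresses are the ones quoted in the posts. It also rejects the malformed literals typed elsewhere in the thread (e.g. 2620:fe:fe), which a router UI may accept silently.

```python
"""Build and validate a Quad9 resolver list following the thread's ordering advice."""
import ipaddress

# Addresses as quoted in the posts above (Quad9 and the TWNIC alternative).
QUAD9_V6 = "2620:fe::fe"
QUAD9_V4_PRIMARY = "9.9.9.9"
QUAD9_V4_SECONDARY = "149.112.112.112"
TWNIC_V6 = "2001:de4::101"
TWNIC_V4 = "101.101.101.101"


def validate_resolver(addr: str) -> str:
    """Return the address in canonical form, or raise ValueError.

    Catches hand-typed slips such as '2620:fe:fe' (three groups, no '::', so not a
    valid IPv6 literal) before they land in a router's DNS fields and silently fail.
    """
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    if ip.is_private or ip.is_loopback or ip.is_unspecified:
        raise ValueError(f"{addr} is not a public resolver address")
    return str(ip)


def recommended_resolvers(ipv6_capable: bool, needs_two: bool = True,
                          cross_org_backup: bool = False) -> list[str]:
    """Order nameservers as the reply recommends (flag names are this example's).

    ipv6_capable: the client/ISP actually routes IPv6 (a router with IPv6 disabled
                  counts as IPv4-only; see the later posts in the thread).
    needs_two:    the client insists on two nameserver entries.
    cross_org_backup: append TWNIC's resolver (same privacy policy, no malware blocking).
    """
    if ipv6_capable:
        servers = [QUAD9_V6, QUAD9_V4_PRIMARY]
    elif needs_two:
        servers = [QUAD9_V4_PRIMARY, QUAD9_V4_SECONDARY]
    else:
        servers = [QUAD9_V4_PRIMARY]
    if cross_org_backup:
        servers.append(TWNIC_V6 if ipv6_capable else TWNIC_V4)
    return [validate_resolver(s) for s in servers]


if __name__ == "__main__":
    print("dual-stack:", recommended_resolvers(True))
    print("IPv4-only :", recommended_resolvers(False))
    for typo in ("2620:fe:fe", "2640:fe:fe"):
        try:
            validate_resolver(typo)
        except ValueError as exc:
            print(f"rejected {typo!r}: {exc}")
```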
 
2620:fe::fe is the primary IPv6 address, and 9.9.9.9 is the primary IPv4 address. Yes, our recommendation is that you use those two, in that order.

If you want redundancy in the form of a recursive nameserver operated by a different organization, TWNIC operates one on 2001:de4::101 and 101.101.101.101 which has the same privacy policy as Quad9, though it doesn't have malware blocking.
I enter the info in IPv4 or IPv6 DNS 2620:fe:fe and 9.9.9.9? I currently have them in IPv4
 
I've always disabled IPV6 on my router side for sometime b/c it's a whole other set of code paths to deal with ...but this might prompt me to enable it. more study required. Today I use the 2 IPV4 variants only. Thanks!

Would it be worth turning IPV6 on if your isp doesn’t support or use it?


Sent from my iPhone using Tapatalk
 
I enter the info in IPv4 or IPv6 DNS 2620:fe:fe and 9.9.9.9? I currently have them in IPv4
I put 2620:fe:fe in IPv6 DNS 1 and 9.9.9.9 in Wan DNS 2. You have to choose the correct setting from the IPv6 pull-down menu too, I used the default setting and it seems to work. There may be a better choice though, I'm new at this. Hopefully, others will correct me.
 
I put 2620:fe:fe in IPv6 DNS 1 and 9.9.9.9 in Wan DNS 2. You have to choose the correct setting from the IPv6 pull-down menu too, I used the default setting and it seems to work. There may be a better choice though, I'm new at this. Hopefully, others will correct me.
Are you putting them directly into the Wan DNS Server 1 and Server 2 or into the DNS Over TLS server settings, like below? I thought that if you put something into the settings below, whatever you have in the Wan DNS settings gets overwritten by the DNS over TLS settings. o_O
[attached screenshot: DNS over TLS server settings]
 
Are you putting them directly into the Wan DNS Server 1 and Server 2 or into the DNS Over TLS server settings, like below? I thought that if you put something into the settings below, whatever you have in the Wan DNS settings gets overwritten by the DNS over TLS settings. o_O
I did both. Yes, I realize, they're overwritten. DNS filter set to Router.
 
Would it be worth turning IPV6 on if your isp doesn’t support or use it?


Sent from my iPhone using Tapatalk
Doesn't seem like it. I wouldn't expect it to work at all. What would the benefit be?
 
It's not about whether your modem supports it or not, it's about whether your ISP does. If your ISP doesn't support IPv6, then you can't turn it on, unless using a tunneling service like TunnelBroker.
 