What's new

Cloud9 DNS

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I don't blindly do anything, nor do I follow the leader, but the information in this thread has converted me over to Quad9. They clearly have less need for information than Cloudflare. The experimental IP range use bothers me as well. I'm in full testing mode as we speak. :D

I am as well.

Currently, not all Stubby site tests shown here validate with Quad9:

https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/blob/master/README.md

but that has been mentioned before somewhere in this thread-I just can’t remember exactly in which post:

https://www.snbforums.com/threads/stubby-installer-asuswrt-merlin.49469/.

I will also attempt to modify some of my settings as according to @Xentrk in this:

https://www.snbforums.com/threads/stubby-installer-asuswrt-merlin.49469/page-78#post-495578

and according to @Swistheater in this:

https://www.snbforums.com/threads/stubby-installer-asuswrt-merlin.49469/page-78#post-495587

to see how they work for me.




Sent from my iPhone using Tapatalk
 
I don't blindly do anything, nor do I follow the leader, but the information in this thread has converted me over to Quad9. They clearly have less need for information than Cloudflare. The experimental IP range use bothers me as well. I'm in full testing mode as we speak. :D
Same here @skeal , the information in this thread has helped explain the thinking behind their services and helped shed some light on things that outsiders like us might not know such as the experimental IP addresses that cloudflare uses. I too was not aware of that, but I can say that I enjoy tinkering so in the next couple years I'd be surprised if I'm still using the same DNS servers (except Quad9 unless something changes).
 
  • Like
Reactions: Gar
@Bill Woodcock , is there any benefit in setting both 9.9.9.9 and 149.112.112.112 , or are they routed to the exact same node, and the second address is only intended for clients that absolutely require two different nameservers in their configuration?
I’ll be interested in the official answer.

I’m speculating...Typically, these Infrastructures are hardened against SPOF by not only being on separate subnets but distinct pHW/nodes. These maybe linked by a private subnet to keep the DB in sync. Of course, both and all would be fronted by load-balancers and these are likely spread over regions. Later.
 
@Bill Woodcock , is there any benefit in setting both 9.9.9.9 and 149.112.112.112 , or are they routed to the exact same node, and the second address is only intended for clients that absolutely require two different nameservers in their configuration?

Every anycast node is a whole stack of VMware ESXi hosts, so all of this is for routing diversity more than server redundancy. You're not going to get any significant diversity between the two IPv4 addresses, but IPv6 often gives significantly better performance (and more direct paths) than IPv4 now, depending on your upstream ISPs. What we recommend is that you set 2620:fe::fe as your first nameserver, and 9.9.9.9 as your second one. 149.112.112.112 would, as you say, only be really very useful if you had a client that both had to have two nameservers, and didn't support IPv6.
 
The majority of routers that have any built-in caching resolver use dnsmasq, which doesn't do recursive lookups, it mostly acts as a caching forwarder. So the burden of RFC7816 lies in the upstream servers used by the forwarder.
This is the same case AFAIK with Stubby, which is probably the most popular stub resolver that supports DoT.

Thanks. I work more on routing security and economics, and not so much in the nuts and bolts of the nameservers, so you're providing more detail here than I knew.
 
...IPv6 often gives significantly better performance (and more direct paths) than IPv4 now, depending on your upstream ISPs. What we recommend is that you set 2620:fe::fe as your first nameserver, and 9.9.9.9 as your second one. 149.112.112.112 would, as you say, only be really very useful if you had a client that both had to have two nameservers, and didn't support IPv6.
I've always disabled IPV6 on my router side for sometime b/c it's a whole other set of code paths to deal with ...but this might prompt me to enable it. more study required. Today I use the 2 IPV4 variants only. Thanks!
 
Quad9 is an interesting service. I personally don't use because it's backed by some entities like the City of London Police, known for their overreach online.

Quad9 was created, in part, by the Global Cyber Alliance (GCA), a non-profit that was founded by Manhattan District Attorney Cy Vance, Jr., the City of London Police, and the Center for Internet Security, with a seed investment of asset forfeiture funds provided by the Manhattan District Attorney.

First, I'll point out that you're describing several degrees of remove. I'm probably equally closely associated with Elvis Presley and Jimmy Hoffa, for instance.

But ultimately, one doesn't choose who likes one or finds utility in one's work.

It is a fact that most of the earliest and most enthusiastic adopters of Quad9 tended to be local and regional governments, globally, and that includes their law enforcement offices just as much as their schools and parks and libraries. Quad9 emphasizes privacy and security, and those are, by and large, the goals of law enforcement, as well as sysadmins everywhere.

I recognize that there are some people who say "if X likes Y, I cannot also like Y, because I dislike X." And that's fine, but it's an essentially dogmatic stance, not a pragmatic or utilitarian one. You have a bone to pick with the City of London Police, and they use Quad9 to protect themselves, so you choose not to. Which is fine.

The utilitarian counterpoint would be "If it's good enough for them, it's good enough for me."
 
Typically, these Infrastructures are hardened against SPOF by not only being on separate subnets but distinct pHW/nodes. These maybe linked by a private subnet to keep the DB in sync. Of course, both and all would be fronted by load-balancers and these are likely spread over regions.

Yeah, that basically sums it up. Essentially, every location is its own stand-alone entity, and traffic is load-balanced across all of them using eBGP anycast. I first anycast nameservers when I was running an ISP in 1989, and have been building anycast DNS networks like Quad9 ever since. For any of you who aren't already familiar with anycast routing, here's a quick tutorial on how it works:

https://www.pch.net/resources/Papers/anycast/Anycast-v07.pdf

Here's a tutorial on how to build an anycast network to work reasonably reliably:

https://www.pch.net/resources/Papers/dns-service-architecture/dns-service-architecture-v11.pdf

Here's an overview of how it's applied to our authoritative DNS network:

https://www.pch.net/resources/Papers/anycast-services/DNS-Hosting-v22.pdf

Within each location, there's a cluster of PowerDNS and BIND recursive nameservers (they do different things well and poorly) fronted by a DNSdist load-balancer that makes sure the right queries end up on the right code-bases. And there's a cluster of NSD and BIND authoritative nameservers. The recursive nameservers are completely autonomous, in the sense that they don't depend upon any back-end infrastructure or synchronization between nodes. The authoritatives are dependent on our zone mastering and DNSSEC signing infrastructures, which are necessarily more centralized, for their input data.

You can see a reasonably up-to-date list of our locations, with our interconnection ("peering") requirements here:

https://www.pch.net/peering

and an interactive map here:

https://www.pch.net/ixpdir
 
You have a bone to pick with the City of London Police, and they use Quad9 to protect themselves, so you choose not to.
I might be wrong, but I had the impression that Citizen93d has problems with the fact that certain parties might be founders/sponsors (with possibly special rights?), not that they are users of Quad9.

PS: thank you for contributing here!
 
Every anycast node is a whole stack of VMware ESXi hosts, so all of this is for routing diversity more than server redundancy. You're not going to get any significant diversity between the two IPv4 addresses, but IPv6 often gives significantly better performance (and more direct paths) than IPv4 now, depending on your upstream ISPs. What we recommend is that you set 2620:fe::fe as your first nameserver, and 9.9.9.9 as your second one. 149.112.112.112 would, as you say, only be really very useful if you had a client that both had to have two nameservers, and didn't support IPv6.

Let me get this striaght I use 2640:fe:fe in DNS server 1? and 9.9.9.9 in DNS server 2 and not 149.......???
 
Let me get this striaght I use 2640:fe:fe in DNS server 1? and 9.9.9.9 in DNS server 2 and not 149.......???

2620:fe::fe is the primary IPv6 address, and 9.9.9.9 is the primary IPv4 address. Yes, our recommendation is that you use those two, in that order.

If you want redundancy in the form of a recursive nameserver operated by a different organization, TWNIC operates one on 2001:de4::101 and 101.101.101.101 which has the same privacy policy as Quad9, though it doesn't have malware blocking.
 
2620:fe::fe is the primary IPv6 address, and 9.9.9.9 is the primary IPv4 address. Yes, our recommendation is that you use those two, in that order.

If you want redundancy in the form of a recursive nameserver operated by a different organization, TWNIC operates one on 2001:de4::101 and 101.101.101.101 which has the same privacy policy as Quad9, though it doesn't have malware blocking.
I enter the info in IPv4 or IPv6 DNS 2620:fe:fe and 9.9.9.9? I currently have them in IPv4
 
I've always disabled IPV6 on my router side for sometime b/c it's a whole other set of code paths to deal with ...but this might prompt me to enable it. more study required. Today I use the 2 IPV4 variants only. Thanks!

Would it be worth turning IPV6 on if your isp doesn’t support or use it?


Sent from my iPhone using Tapatalk
 
I enter the info in IPv4 or IPv6 DNS 2620:fe:fe and 9.9.9.9? I currently have them in IPv4
I put 2620:fe:fe in IPv6 DNS 1 and 9.9.9.9 in Wan DNS 2. You have to choose the correct setting from the IPv6 pull-down menu too, I used the default setting and it seems to work. There may be a better choice though, I'm new at this. Hopefully, others will correct me.
 
I put 2620:fe:fe in IPv6 DNS 1 and 9.9.9.9 in Wan DNS 2. You have to choose the correct setting from the IPv6 pull-down menu too, I used the default setting and it seems to work. There may be a better choice though, I'm new at this. Hopefully, others will correct me.
Are you putting them directly into the Wan DNS Server 1 and Server 2 or into the DNS Over TLS server settings, like below?? I thought that if you put something into the settings below what ever you have in the Wan DNS settings get overwritten by the DNS over TLS settings. o_O
upload_2019-6-10_17-18-58.png
 
  • Like
Reactions: Gar
Are you putting them directly into the Wan DNS Server 1 and Server 2 or into the DNS Over TLS server settings, like below?? I thought that if you put something into the settings below what ever you have in the Wan DNS settings get overwritten by the DNS over TLS settings. o_O
View attachment 18162
I did both. Yes, I realize, they're overwritten. DNS filter set to Router.
 
Last edited:
Last edited:
Would it be worth turning IPV6 on if your isp doesn’t support or use it?


Sent from my iPhone using Tapatalk
Doesn't seem like it. I wouldn't expect it to work at all. What would the benefit be?
 
It's not about whether your modem supports it or not, it's about whether your ISP does. If your ISP doesn't support IPv6, then you can't turn it on, unless using a tunneling service like TunnelBroker.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top