How to set up Quad9 DNS on Linux
The Domain Name System (DNS) is essential for the Internet. Every computer or mobile device uses DNS to access websites, email servers, APIs and other services. One must configure a DNS service. You can use your ISP’s DNS, Google DNS, or OpenDNS. Now you have one more option from IBM, called the Quad9 DNS service. It blocks known malicious domains for everyone, which gives you an additional layer of protection.
How does Quad9 protect me from malicious domains?
From the Quad9 site:
Quad9 brings together cyber threat intelligence about malicious domains from a variety of public and private sources and blocks access to those malicious domains when your system attempts to contact them. When you use Quad9, attackers and malware cannot leverage the known malicious domains to control your systems, and their ability to steal your data or cause harm will be hindered. Quad9 is an effective and easy way to add an additional layer of security to your infrastructure for free.
Quad9 DNS server
Point your DNS settings to 9.9.9.9, and known malware and phishing domains won’t be able to use DNS for bad purposes. Quad9 publishes the following addresses:
- Secure IPv4: 9.9.9.9 (blocklist, DNSSEC, no EDNS Client-Subnet)
- Unsecure IPv4: 9.9.9.10 (no blocklist, no DNSSEC, sends EDNS Client-Subnet)
- Secure IPv6: 2620:fe::fe (blocklist, DNSSEC, no EDNS Client-Subnet)
- Unsecure IPv6: 2620:fe::10 (no blocklist, no DNSSEC, sends EDNS Client-Subnet)
How to set up Quad9 DNS resolvers
Linux uses the /etc/resolv.conf file. Some modern systemd-based Linux distros use systemd-resolved.
Configure Quad9 using /etc/resolv.conf
Edit the file /etc/resolv.conf:
$ sudo nano /etc/resolv.conf
OR
$ sudo vim /etc/resolv.conf
Edit/append as follows:
nameserver 9.9.9.9
nameserver 2620:fe::fe
domain dnsknowledge.com
options rotate
Save and close the file. Test it with the host or dig command:
$ dig google.com
$ host dnsknowledge.com
Quad9 resolving domain names
Configure Quad9 on Ubuntu 14.04/16.04 LTS and Debian 8/9
Edit the file /etc/network/interfaces:
$ sudo nano /etc/network/interfaces
Edit/append as follows:
# Add DNS resolvers for resolvconf.
dns-nameservers 9.9.9.9 2620:fe::fe
dns-search dnsknowledge.com
dns-options rotate
Save and close the file.
Configure Quad9 on Arch, CoreOS Container Linux, Ubuntu 17.10
Here is my sample /etc/systemd/network/05-eth0.network (assuming that interface name is eth0) file:
## READ following man pages ##
# man systemd-networkd
# man systemd-resolved
##
[Match]
Name=eth0
[Network]
DHCP=no
Domains=dnsknowledge.com
IPv6PrivacyExtensions=false
# DNS resolvers (safe to mix IPv4 and IPv6)
DNS=9.9.9.9 2620:fe::fe
# IPv4 gateway and primary address.
Gateway=192.168.1.1
Address=192.168.1.2/24
# IPv6 gateway and primary address.
# Gateway=your-router-ipv6
# Address=your-ipv6-here
Set up Quad9 DNS using NetworkManager on Linux
You can use NetworkManager too. It is a free and open source program that detects networks and configures the system to connect to them automatically:
Go to System Settings and select Network, such as a Wi-Fi or wired network connection. Click the Settings icon and select IPv4 or IPv6. Enter the IPv4 address “9.9.9.9” and turn off Automatic. Finally, click Apply.
You can setup Quad9 on Linux using GUI method
Set up Quad9 DNS on RHEL 7/Fedora (latest)/Scientific/Oracle/CentOS Linux 7
Here is my /etc/sysconfig/network-scripts/ifcfg-eth0 file (assuming that interface name is eth0):
$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
Sample file:
## Please read the following man pages ##
# man systemd-networkd
# man networkmanager
BOOTPROTO=none
PEERDNS=no
IPV6_AUTOCONF=no
DOMAIN=dnsknowledge.com
GATEWAY0=192.168.1.1
# DNS resolvers
DNS1=9.9.9.9
DNS2=2620:fe::fe
IPADDR0=192.168.1.2
PREFIX0=24
# IPv6 gateway and primary address.
#IPV6_DEFAULTGW=
#IPV6ADDR=
Testing
To apply your changes, reboot the box or restart networking services. Make sure your /etc/resolv.conf is updated:
$ cat /etc/resolv.conf
Make sure all IP addresses are correct:
$ /sbin/ifconfig
$ ip a
Use the ping and host/dig command for testing:
$ ping -c 5 google.com
$ dig google.com
$ host dnsknowledge.com
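With options rotate the resolver spreads queries across every listed nameserver, so one extra entry (for example one pushed by DHCP) lets some lookups skip the Quad9 blocklist. The script below is an added example, not part of the original article: it checks a resolv.conf-style file against the four addresses listed above. The function name audit_resolv and the sample file contents are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit a resolv.conf-style file
# against the four Quad9 addresses listed in this article.
QUAD9_SECURE="9.9.9.9 2620:fe::fe"        # blocklist + DNSSEC
QUAD9_UNSECURE="9.9.9.10 2620:fe::10"     # no blocklist, no DNSSEC

# audit_resolv FILE   (function name is this example's own)
# Returns 0 if every nameserver is a filtering Quad9 resolver,
#         1 if any nameserver would bypass the blocklist,
#         2 if the file has no nameserver lines at all.
audit_resolv() {
    local file="$1" key ns rest found=0 bad=0
    # The "|| [ -n ... ]" part also handles a last line without a newline.
    while read -r key ns rest || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] || continue
        found=1
        ns=$(printf '%s' "$ns" | tr 'A-F' 'a-f')   # IPv6 hex is case-insensitive
        case " $QUAD9_SECURE " in
            *" $ns "*) echo "OK      $ns (blocklist, DNSSEC)"; continue ;;
        esac
        case " $QUAD9_UNSECURE " in
            *" $ns "*) echo "WARN    $ns (Quad9, but no blocklist)" ;;
            *)         echo "WARN    $ns (not a Quad9 resolver)" ;;
        esac
        bad=1
    done < "$file"
    if [ "$found" -eq 0 ]; then
        echo "no nameserver entries in $file"
        return 2
    fi
    return "$bad"
}

# Constructed sample: a DHCP client appended a third resolver (192.0.2.53 is
# a documentation address) next to the two Quad9 entries.
sample=$(mktemp)
cat > "$sample" <<'EOF'
nameserver 9.9.9.9
nameserver 2620:fe::fe
nameserver 192.0.2.53
options rotate
EOF
audit_resolv "$sample" || echo "audit status: $?"
rm -f "$sample"
```

On systemd-resolved hosts /etc/resolv.conf usually lists only the local 127.0.0.53 stub, so point the function at /run/systemd/resolve/resolv.conf to see the upstream resolvers.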
See the Quad9 site for further details on how the service blocks malicious domains for everyone.