**Quad9: keeping DNS slightly less terrible - 5th Dec 2025**

 _____________________________________
/ For once on the internet, this post \
\ isn't sponsored by NordVPN          /
 -------------------------------------
        \
         \
            /\_)o<
           |      \
           | O . O|
            \_____/

*Introduction*

You know that "oh cock" feeling when you mistype a URL and your browser tries very hard to sell you malware? Your anti-virus, or even your browser, may kick in and stop the infection. But we can add a layer in front of both: DNS, and in this case the free Quad9 service, can block a lot of these threats before the request is even sent.

Quad9 is a public (and, more importantly, free!) recursive DNS service that tries to fix that. It uses threat-intelligence feeds to block domains used for malware, phishing, and command-and-control traffic, while also supporting encrypted DNS protocols and a privacy-first logging policy [1], [2].

So here we'll cover:

* what Quad9 actually is;
* which addresses and hostnames you care about;
* how to use it on Android, iOS, and Linux;
* how to check that it is really working.

*What is Quad9*

Quad9 operates a global anycast recursive resolver network, with servers in hundreds of locations worldwide [2]. When you point your DNS at Quad9 (so called because its IP address is... 9.9.9.9), your queries go to the nearest live node, which adds an extra security layer to your network stack:

(a) Threat blocking (malware, phishing, botnet domains);
(b) DNSSEC validation;
(c) No logging of your source IP address;
(d) Encrypted transports available (DoT, DoH) [1], [2].

The key "secure with threat blocking" addresses are:

(e) IPv4: 9.9.9.9 and 149.112.112.112
(f) IPv6: 2620:fe::9 and 2620:fe::fe
(g) DoT: dns.quad9.net (port 853)
(h) DoH: https://dns.quad9.net/dns-query [1], [2], [3]

There are also variants with EDNS Client Subnet and with no filtering at all, but for most end-user devices, the default "secure" profile is the right starting point [1], [3].
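To make the DoH endpoint above concrete, here is an added example (not code from the original post, and not Quad9's own tooling) that builds a DNS query in wire format by hand, POSTs it to https://dns.quad9.net/dns-query as an RFC 8484 `application/dns-message`, and decodes the TXT answer. Pointed at `proto.on.quad9.net`, Quad9's own transport-report record [5], it tells you which transport your query arrived over. Only `doh_query` needs network access; the query builder and response parser work offline, and the sample response in the test is constructed, not captured from Quad9.

```python
"""Query Quad9 over DNS-over-HTTPS (RFC 8484) and read a TXT answer.

Added example; the endpoint URL is the one published by Quad9, everything
else here (function names, constructed test data) is this example's own.
"""
import struct
import urllib.request

QUAD9_DOH_URL = "https://dns.quad9.net/dns-query"   # Quad9 DoH endpoint (from the post)
TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_TXT, txid: int = 0) -> bytes:
    """Build a single-question DNS query with RD=1.

    RFC 8484 recommends transaction ID 0 over DoH so that identical
    queries produce identical bytes and can be cached by HTTP caches.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) name at pos."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_txt_answers(msg: bytes) -> list:
    """Extract TXT strings from the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    rcode = flags & 0x000F
    if rcode != 0:                          # e.g. 3 = NXDOMAIN, 2 = SERVFAIL
        raise RuntimeError(f"DNS error RCODE={rcode}")
    pos = 12
    for _ in range(qd):                     # skip the question section
        pos = skip_name(msg, pos) + 4       # QTYPE + QCLASS
    texts = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype != TYPE_TXT:
            continue
        i = 0
        while i < len(rdata):               # TXT RDATA is a sequence of <len><chars>
            n = rdata[i]
            texts.append(rdata[i + 1:i + 1 + n].decode("utf-8", "replace"))
            i += 1 + n
    return texts


def doh_query(name: str, url: str = QUAD9_DOH_URL) -> list:
    """POST the wire-format query to the DoH endpoint and return TXT answers.

    Requires network access; the rest of this file does not.
    """
    req = urllib.request.Request(
        url,
        data=build_query(name),
        method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_txt_answers(resp.read())


if __name__ == "__main__":
    for txt in doh_query("proto.on.quad9.net"):
        print(txt)
```

Because the request body is a plain DNS message, the same builder and parser work unchanged against a DoT socket or a classic UDP resolver; only the transport wrapper differs, which is exactly why the `proto.on.quad9.net` check is useful for confirming which wrapper your device actually used.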
*So why bother changing*

Changing to Quad9 will not magically make everything safe. However, it does give you:

- a first line of defence against known-bad domains;
- some privacy against ISPs selling your DNS data;
- a single policy you can apply across devices, if you are running managed devices.

It is cheap defence-in-depth: one control, at the network layer, that quietly blocks entire classes of mistakes.

*So how do we set it up*

Let's go through each device type: Android, iOS, and Linux. I'm afraid I don't have much experience with macOS, but there are other resources covering that use case.

/Android/
---------

On Android 9 and later, you get system-wide DNS-over-TLS via the "Private DNS" feature. Quad9 publishes the DoT hostname `dns.quad9.net`, which maps to the secure resolver profile [3], [4]. The exact menu names vary slightly between vendors, but the flow is usually:

(1) Open "Settings".
(2) Tap "Network & Internet".
(3) Tap "Advanced".
(4) Tap "Private DNS".
(5) Choose "Private DNS provider hostname".
(6) Enter: dns.quad9.net
(7) Save and back out.

If you mistype the hostname, Android will silently fall back to whatever DNS the network provides. To check that you are really using Quad9, install a terminal (for example, Termux) and run:

| dig +short txt proto.on.quad9.net.

Quad9 will return a short string describing how your query arrived (plain UDP, DoT, DoH, etc.) [5]. If you see a DoT/DoH result and the resolver is reported as Quad9, you are in business.

/iOS 14+/

From iOS 14 onwards, Apple added a system-level "Encrypted DNS" feature. Instead of a toggle in Settings, it is controlled via configuration profiles (.mobileconfig files) which declare DoT or DoH settings [4], [6]. Quad9 provides profiles for iOS and macOS that:

* use Quad9 resolvers;
* request DoT or DoH to dns.quad9.net;
* apply system-wide, including to apps that know nothing about encrypted DNS [4], [6].
The setup flow is:

(1) On the device, in Safari, download the Quad9 encrypted DNS profile (for example, their DoH or DoT profile for iOS 14+).
(2) After download, open "Settings".
(3) At the top, you should see "Profile Downloaded".
(4) Tap it, then tap the Quad9 profile.
(5) Review the contents, then tap "Install".
(6) Enter your device passcode and confirm.

Once installed, the Encrypted DNS setting is enforced by the profile. To remove it, delete the profile again from Settings > General > VPN & Device Management.

/Linux (desktop and server)/

Linux gives you more ways to hang yourself, so we will pick three common patterns:

- simple resolv.conf or NetworkManager pointing at Quad9;
- systemd-resolved with Quad9 upstreams;
- optional encrypted DNS stubs if you want DoT/DoH.

*Simple resolver settings*

On a minimal server without NetworkManager or systemd-resolved, you can point `/etc/resolv.conf` straight at Quad9:

| nameserver 9.9.9.9
| nameserver 149.112.112.112

This assumes that `resolv.conf` is not being overwritten by another tool (such as a DHCP client). If it is, configure the DHCP client or your network stack to hand out Quad9 instead.

On a NetworkManager-managed desktop:

- Open your connection editor (for example, `nm-connection-editor`).
- Edit your active connection (wired or Wi-Fi).
- In the IPv4 tab, set "Automatic (DHCP) addresses only".
- Set DNS servers to: 9.9.9.9, 149.112.112.112
- Repeat in the IPv6 tab with: 2620:fe::9, 2620:fe::fe
- Save and reconnect.

You can then run:

| dig +short txt test.quad9.net.
| dig +short txt proto.on.quad9.net.

to confirm that Quad9 is answering, and which protocol it sees for your queries [5].

*systemd-resolved*

On modern distributions, `systemd-resolved` is often the real resolver, with `/etc/resolv.conf` pointing at `127.0.0.53`.
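Before editing anything, it helps to know which of these cases a host is actually in. The script below is an added example, not part of the original post and not a Quad9 tool: it parses `/etc/resolv.conf`, and if that points at the `127.0.0.53` stub it parses the `[Resolve]` section of `/etc/systemd/resolved.conf` instead, then reports whether every effective upstream is one of the Quad9 secure addresses listed earlier and whether `DNSSEC=` and `DNSOverTLS=` are switched on. The `addr[:port][%iface][#sni]` form it accepts for `DNS=` entries follows resolved.conf(5); the sample configurations in the test are constructed.

```python
"""Audit a Linux host's resolver configuration for Quad9 (added example).

Assumptions: the Quad9 address set is the "secure with threat blocking"
profile from the post; file paths are the standard glibc/systemd ones.
"""
import ipaddress
import pathlib

QUAD9_SECURE = {
    ipaddress.ip_address(a)
    for a in ("9.9.9.9", "149.112.112.112", "2620:fe::9", "2620:fe::fe")
}
RESOLVED_STUB = ipaddress.ip_address("127.0.0.53")


def parse_resolv_conf(text: str) -> list:
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()   # strip comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(ipaddress.ip_address(parts[1]))     # raises on garbage
    return servers


def split_dns_entry(entry: str) -> tuple:
    """Split a resolved.conf DNS= token 'addr[:port][%iface][#sni]' into
    (address, port or None, sni or None); IPv6 with a port is bracketed."""
    addr, _, sni = entry.partition("#")
    addr, _, _iface = addr.partition("%")
    port = None
    if addr.startswith("["):                   # [v6]:port
        close = addr.index("]")
        port_part = addr[close + 1:]
        addr = addr[1:close]
        if port_part.startswith(":"):
            port = int(port_part[1:])
    elif addr.count(":") == 1:                 # v4:port (bare v6 has more colons)
        addr, _, p = addr.partition(":")
        port = int(p)
    return ipaddress.ip_address(addr), port, (sni or None)


def parse_resolved_conf(text: str) -> dict:
    """Parse the [Resolve] section. Repeated DNS= lines accumulate and an
    empty DNS= resets the list, matching systemd's list-setting semantics."""
    cfg = {"DNS": [], "DNSSEC": None, "DNSOverTLS": None}
    in_resolve = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # comments are whole lines only
            continue
        if line.startswith("["):
            in_resolve = line == "[Resolve]"
            continue
        if not in_resolve or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "DNS":
            if value == "":
                cfg["DNS"] = []
            else:
                cfg["DNS"].extend(split_dns_entry(tok) for tok in value.split())
        elif key in ("DNSSEC", "DNSOverTLS"):
            cfg[key] = value
    return cfg


def audit(resolv_conf: str, resolved_conf=None) -> dict:
    """Report whether the effective upstreams are all Quad9 secure resolvers."""
    report = {"ok": False, "via": "resolv.conf", "upstreams": [],
              "non_quad9": [], "notes": []}
    servers = parse_resolv_conf(resolv_conf)
    if RESOLVED_STUB in servers:
        if resolved_conf is None:
            report["notes"].append("resolv.conf points at 127.0.0.53; "
                                   "supply resolved.conf to see the real upstreams")
            return report
        report["via"] = "systemd-resolved"
        cfg = parse_resolved_conf(resolved_conf)
        servers = [addr for addr, _port, _sni in cfg["DNS"]]
        if cfg["DNSSEC"] != "yes":
            report["notes"].append("DNSSEC=yes not set")
        if cfg["DNSOverTLS"] not in ("yes", "opportunistic"):
            report["notes"].append("DNSOverTLS not enabled: queries leave in cleartext")
    report["upstreams"] = [str(s) for s in servers]
    report["non_quad9"] = [str(s) for s in servers if s not in QUAD9_SECURE]
    if not servers:
        report["notes"].append("no nameservers configured")
    report["ok"] = bool(servers) and not report["non_quad9"]
    return report


if __name__ == "__main__":
    resolv = pathlib.Path("/etc/resolv.conf").read_text()
    resolved_path = pathlib.Path("/etc/systemd/resolved.conf")
    resolved = resolved_path.read_text() if resolved_path.exists() else None
    print(audit(resolv, resolved))
```

A non-empty `non_quad9` list is the interesting finding: one stray DHCP-supplied resolver alongside Quad9 is enough for queries to leak to it, since stub resolvers rotate or fail over between the configured servers rather than preferring the "good" one.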
In that case, you configure Quad9 as an upstream in `/etc/systemd/resolved.conf`:

| [Resolve]
| DNS=9.9.9.9 149.112.112.112
| DNS=2620:fe::9 2620:fe::fe
| DNSSEC=yes

Then:

| systemctl restart systemd-resolved

You can check with:

| resolvectl status

to ensure that Quad9 is listed as the current DNS server, and again confirm via:

| dig +short txt proto.on.quad9.net.

If you want DoT with systemd-resolved, newer versions support `DNSOverTLS=yes` with `DNS=` pointing at DoT-capable servers. Quad9 publishes `dns.quad9.net` as its DoT endpoint [1], [3], but mapping that cleanly into `systemd-resolved` still depends on your distro and version, so testing is mandatory.

*Encrypted stubs (DoT / DoH)*

If you prefer explicit stubs for encrypted DNS, tools like `stubby` or `dnscrypt-proxy` can speak DoT or DoH directly to Quad9 [2], [7]. The high-level steps look like this:

(1) Install a stub resolver (for example, `stubby`).
(2) Configure it with:

| upstream_recursive_servers:
|   - address_data: 9.9.9.9
|     tls_auth_name: "dns.quad9.net"
|   - address_data: 149.112.112.112
|     tls_auth_name: "dns.quad9.net"

(3) Point your system resolver at `127.0.0.1`.

The details differ per stub implementation, but the principle is always the same: a local daemon on `127.0.0.1` speaks DoT/DoH to Quad9 using the documented hostnames and URLs [1], [3], [7].

*Overview*

Remember that Quad9 is one control in a stack. It will not block everything, but it will quietly stop a whole class of "clicked the wrong thing" incidents, and it costs you almost nothing to deploy.

References

[1] Quad9, "Recursive DNS Server Addresses and Features," Quad9, online documentation. [Online]. Available: https://quad9.net/service/service-addresses-and-features/ [Accessed: 05-Dec-2025].
[2] "Quad9," Wikipedia, the free encyclopedia. [Online]. Available: https://en.wikipedia.org/wiki/Quad9 [Accessed: 05-Dec-2025].
[3] Quad9, "9.9.9.9 (Secure with Threat Blocking)," Quad9 Documentation Services. [Online].
Available: https://quad9dns.github.io/documentation/services/ [Accessed: 05-Dec-2025].
[4] Quad9, "Android 9+ (Encrypted)," Setup Guides Android, Sep. 2018. [Online]. Available: https://quad9dns.github.io/documentation/Setup_Guides/Android/Android_9%2B_%28Encrypted%29/ [Accessed: 05-Dec-2025].
[5] Quad9, "FAQs Protocol Test," Quad9 Documentation. [Online]. Available: https://quad9dns.github.io/documentation/FAQs/ [Accessed: 05-Dec-2025].
[6] Quad9, "iOS and MacOS Mobile Provisioning Profiles Are Here!," Quad9 Blog, Mar. 2022. [Online]. Available: https://quad9.net/news/blog/ios-mobile-provisioning-profiles/ [Accessed: 05-Dec-2025].
[7] DNS Privacy Project, "Public Resolvers," dnsprivacy.org. [Online]. Available: https://dnsprivacy.org/public_resolvers/ [Accessed: 05-Dec-2025].