a CACR Security Brownbag discussion
Humans like to give things meaningful names: that is how we remember them.
Computers work best with numbers: numbers are ordered, can be arranged in hierarchies, are easy to process, and make routing traffic from point A to point B easier and more reliable.
DNS, the Domain Name System, maps the names that humans like onto the numbers a computer can use to find the thing the human wants.
It is also useful that a domain name can remain constant while the IP address(es) it points to change; this makes it easy to keep finding something that has moved to a different service or data center.
[Figure: resolution via normal DNS versus Quad9. Normal DNS image credit: Wikipedia; Quad9 image from Quad9.net]
Quad9 cannot be used together with any fallback DNS service.
It is US-based, so it may face pressure from the government to censor.
Any compromise at Quad9 could cause malicious censorship of a site for many users if the service achieves the high adoption it aims for.
Quad9 is only as fast as traditional DNS when it has recently cached the answer to a particular request.
Otherwise, expect an approximately 500% slow-down.
A typical web app may make as many as 12 DNS calls in its first page load, of which 3-4 are usually local to the organization or its close partners.
For small, niche websites, whose records are rarely in the cache, this is effectively a hellban.
DNSBLs have existed since the 1990s, but traditionally they were services for service providers rather than end users, and over that time we have established best practices to protect service providers, consumers, and the internet.
We ended up having an interesting, in-depth discussion on the future of DNS Blocklisting. I've created a blog post here to capture as much of it as possible.