
FAQs

How Do I Confirm I'm Using Quad9?

The simplest test is to open on.quad9.net in your browser of choice.

Protocol Test - Confirm on which Protocol Quad9 received your query

Confirm which protocol is used when Quad9 receives your DNS queries. This is particularly relevant after setting up DNS encryption, such as DNS over TLS or DNS over HTTPS, in the operating system, router, or DNS forwarder.

Execute the following command and refer to the possible responses below:

Resolve-DnsName -Type txt proto.on.quad9.net.

dig +short txt proto.on.quad9.net.

Possible Responses:

  • do53-udp (53/UDP - Plaintext)
  • do53-tcp (53/TCP - Plaintext)
  • doh (443/TCP - DNS over HTTPS)
  • dot (853/TCP - DNS over TLS)
  • dnscrypt-udp (UDP - DNSCrypt)
  • dnscrypt-tcp (TCP - DNSCrypt)

If you do not receive a response (NXDOMAIN), then Quad9 was not used to perform this DNS query.

Identifying a Quad9 block

The quickest way to see if a domain is blocked at Quad9 is using our Blocked Domain Tester.

When Quad9 blocks a domain, the response is NXDOMAIN. NXDOMAIN is also returned when a domain does not exist. To differentiate between domains that are nonexistent and domains that are blocked, we set the AUTHORITY value differently. When you receive an NXDOMAIN with AUTHORITY: 0, that is a block from Quad9. When you receive an NXDOMAIN with AUTHORITY: 1, that is a domain that does not exist.

A domain will also fail to resolve if DNSSEC authentication fails, but that will result in the SERVFAIL code instead of NXDOMAIN.

dig @9.9.9.9 isitblocked.org | grep "status\|AUTHORITY"

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29193
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

dig @9.9.9.9 sfaisofnadgre.odafds | grep "status\|AUTHORITY:"

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22595
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

dig @9.9.9.9 A brokendnssec.net +dnssec | grep status

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40999
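The three cases above can be told apart automatically. The following is an added example, not Quad9's own tooling: it parses the dig header lines and applies the status/AUTHORITY rule from this section. The function names and verdict words are hypothetical, and treating any AUTHORITY count of 1 or more as "nonexistent" is an assumption that extends the AUTHORITY: 1 case.

```shell
#!/bin/sh
# Classify a dig response header using the rules described above.
# Input: dig output on stdin (full output or the grep-filtered lines).
classify_dig_header() {
  awk '
    /->>HEADER<<-/ {          # header line carries the response code
      for (i = 1; i < NF; i++)
        if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
    }
    /^;; flags:/ {            # flags line carries the section counts
      for (i = 1; i < NF; i++)
        if ($i == "AUTHORITY:") { auth = $(i + 1); sub(/,$/, "", auth) }
    }
    END {
      if (status == "")                               verdict = "no-header"
      else if (status == "SERVFAIL")                  verdict = "servfail"
      else if (status == "NXDOMAIN" && auth == "0")   verdict = "blocked"
      else if (status == "NXDOMAIN" && auth + 0 >= 1) verdict = "nonexistent"
      else if (status == "NOERROR")                   verdict = "resolved"
      else                                            verdict = "other"
      print verdict
    }'
}

# Sample headers copied from the dig output shown in this section.
SAMPLE_BLOCKED=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29193
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NONEXISTENT=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22595
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40999'

# Live check (needs dig and network access): check_domain isitblocked.org
check_domain() {
  dig @9.9.9.9 "$1" | classify_dig_header
}
```

A "servfail" verdict is consistent with a DNSSEC validation failure but does not prove one, since SERVFAIL is also returned for other resolution errors.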

Detecting DNS Transparent Redirection (Hijacks)

Some ISPs, most often in Asia, Africa, or the Middle East, will transparently redirect DNS requests destined for third-party DNS services, like Quad9, to their own DNS forwarders/servers. This may be an attempt to enforce local policies/laws, or to simply increase their cache HIT rate on their DNS forwarders.

You can detect a transparent DNS redirection by executing the following command from the Command Prompt or Terminal of any operating system. If the answer is anything except resXXX.xxx.rrdns.pch.net, then DNS is being transparently redirected.

nslookup -q=txt -class=chaos id.server. 9.9.9.9 | Select-String "pch"
dig +short ch txt id.server. @9.9.9.9

If the output does not look similar to the following, or there is no output, then DNS is being transparently redirected.

Non-authoritative answer:
"res200.vie.rrdns.pch.net"
"res860.qfra3.rrdns.pch.net"
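For a recurring check, the answers from this test and from the protocol test earlier on this page can be interpreted by a script. This is an added example, not Quad9's own tooling: the function names and verdict words are hypothetical, and the resolver-ID pattern (res, digits, a site code, then rrdns.pch.net) is an assumption inferred from the sample answers above. It expects `dig +short` output.

```shell
#!/bin/sh
# $1 = output of: dig +short ch txt id.server. @9.9.9.9
# Every answer must be a Quad9 resolver ID; no answer counts as redirected.
redirect_verdict() {
  answers=$(printf '%s\n' "$1" | tr -d '"' | sed '/^$/d')   # dig quotes TXT data
  if [ -z "$answers" ]; then
    echo "redirected"
  elif printf '%s\n' "$answers" |
       grep -Evq '^res[0-9]+\.[a-z0-9]+\.rrdns\.pch\.net$'; then
    echo "redirected"        # at least one answer is not a Quad9 resolver ID
  else
    echo "quad9"
  fi
}

# $1 = output of: dig +short txt proto.on.quad9.net.
# Maps the transport token Quad9 reports to an encrypted/plaintext verdict.
proto_verdict() {
  token=$(printf '%s' "$1" | tr -d '"\n')
  case "$token" in
    doh|dot|dnscrypt-udp|dnscrypt-tcp) echo "quad9-encrypted" ;;
    do53-udp|do53-tcp)                 echo "quad9-plaintext" ;;
    "")                                echo "not-quad9" ;;   # no answer
    *)                                 echo "unknown" ;;     # token not listed on this page
  esac
}

# Live run (needs dig and network access).
audit_dns() {
  echo "transport: $(proto_verdict "$(dig +short txt proto.on.quad9.net.)")"
  echo "path:      $(redirect_verdict "$(dig +short ch txt id.server. @9.9.9.9)")"
}
```

The two checks are independent: the protocol test goes through whatever resolver the system is configured to use, while the id.server test queries 9.9.9.9 directly over plaintext DNS.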

My ISP is transparently redirecting DNS. Now what?

Please refer to our Setup Guides appended with (Encrypted) in the title. When you use encrypted DNS, transparent DNS redirection is not possible.

What is EDNS Client Subnet (ECS)?

Quad9's 9.9.9.11 service supports ECS.

EDNS Client Subnet (ECS) allows Quad9 to send a portion of your IP address to authoritative name servers, which helps major content providers (CDNs), such as Google, Microsoft, etc., accurately determine your geolocation.

ECS has no effect on which Quad9 location your queries are sent to. It simply affects what information Quad9 forwards to the authoritative name server and may affect what IP address they return. Quad9 uses anycast addressing to ensure you are routed to the nearest Quad9 location available to you, regardless of whether or not you use our ECS service.

Since ECS does not play any role in determining where your queries are sent, it does not have any positive or negative effect on the round trip time (ping) to Quad9.

ECS can be viewed as a trade-off between privacy and getting geo-specific content. One option for the privacy-focused user is to leave it disabled and only enable it if you notice a specific domain not delivering you the correct content or not loading at all.

Network Providers / DNS Leak Tests

Recommended DNS Leak Test Tool: dnscheck.tools

Quad9 utilizes multiple network providers in our global network. When running a DNS leak test, it's expected to see IP addresses owned by the following providers:

  • WoodyNet (AKA PCH.net)
  • PCH.net
  • GSL Networks
  • i3D
  • EdgeUno
  • Equinix Metal (FKA: Packet, Packet.net, or Packethost)
  • Path.net (Path Network)

These organizations are also listed on the Sponsors page of the Quad9 website: quad9.net/about/sponsors

If you are trying to simply determine if you are using Quad9, you can visit on.quad9.net instead of relying on a DNS leak test. However, a DNS leak test can be useful to ensure you're exclusively using Quad9, which is required to ensure that all of your DNS requests will be protected by Quad9.