The Defender’s Log episode features John Todd from Quad9, discussing their mission to protect the internet through secure DNS. Quad9, a non-profit launched in 2017 with founding partners Global Cyber Alliance, Packet Clearing House, and IBM, provides a free, global recursive DNS resolver that blocks malicious domains.
Todd emphasizes that Quad9’s success is a team effort and highlights their network of 260 locations in 130 countries, largely sustained by donated infrastructure. He explains their threat intelligence ecosystem, where 35 providers contribute data, receiving usage insights in return, allowing them to improve their services. Quad9 prioritizes a low false-positive rate to maintain user trust, acknowledging the challenge of balancing comprehensive blocking with minimal disruption. Todd also touches on future innovations like Zero Trust DNS and EDSR, aiming to decentralize DNS operations and enhance privacy. Quad9’s Swiss location provides strong legal protection for user data, reinforcing their commitment to privacy and security.
Defending the DNS: How Quad9 Protects the Internet | John Todd – CTO, Quad9 | The Defender’s Log
How Quad9 Protects the Internet
View it on YouTube: https://www.youtube.com/watch?v=syY6cqtEyTc
Listen to the episode on your favourite podcast platform:
Spotify
https://open.spotify.com/episode/7wzrQ7h7ndK59vbdRiCxr1
Amazon Music
https://a.co/d/dllrGs5
ADAMnetworks
https://adamnet.works
Deep in the digital shadows, where threats hide behind any random byte, a fearless crew of cybersecurity warriors guards the line between chaos and order. Their epic battles are rarely spoken of, until today. Welcome to the Defender’s Log, where we crack open the secrets of top security chiefs, CISOs, and architects who faced the abyss and won. Here’s your host, David Redekop.
David Redekop: Well, hello everybody, and welcome back to another episode of the Defender’s Log. With me today, I have a gentleman by the name of John Todd, who’s played a number of roles in technology in the defender space over the years, and I’m looking forward to just chatting with you today. So John, welcome. Glad to have you.
John Todd: Thanks for having me, David.
David Redekop: What preceded this call and this invitation is that I did meet John in person and on Zoom a number of times because we are in the space of defending in the DNS world. Because of the power of DNS, it is no surprise to anyone in this space that it is being used for good and bad purposes. And so, one of the things that we have in common with John and his role at Quad9 is that we are pretty much dedicating our time and our thinking and our cognitive processes around how we can defend the world against the bad. What you’ve accomplished so far, John, is very encouraging to the world as a whole. You really stand out from everybody else that’s doing any kind of protective DNS offerings. So today is a little bit about asking you some questions. Let’s start with that, actually. What got you into this general space of being in the defensive role?
John Todd: I want to make sure that people understand that Quad9 is mostly not me; it’s mostly the rest of my team. I just simply stand on the front of the ship and have these podcasts, but it’s everybody else’s hard work that’s really pushing things forward. Almost everyone in the organization is coming out of some kind of either infrastructure or security world.
My voyage there started back in the early ’90s with some of the first commercial internet service providers in the US, and that sort of automatically migrates you into a security mindset. If you’re working in an ISP, both delivering infrastructure and delivering services to people, there always has to be the concept of how you keep them from shooting themselves in the foot and keep yourself from shooting yourself in the foot. So security is always a part of that thinking.
I went through a number of different roles over the years. Again, I did a number of different ISPs, worked in various colocation and Layer 1 companies doing actual server hosting or infrastructure hosting. Then, as a common thread, a lot of people went into the Voice over IP world, so I did that for a number of years as well. There seemed to be a natural transition. We went from the network itself to applications on the network, and then I did some things with gaming and then essentially went into the nonprofit space, trying to help people instead of simply trying to make money.
The thread on all of those is that the DNS was a vital component in every one of those different enterprises, even the ones that didn’t sound like it. Colocation hosting doesn’t sound like DNS is part of that, but it is. When you try to figure out, “Okay, how do you get people into a building? How do you attract people into a facility?” you have to have a set number of core services that you’re offering there, and DNS is typically one of them—DNS in various functions, whether that’s authoritative servers or root servers or whatever.
So Quad9 was an outcome of that career arc. This is a perfect place for me to be, and I’m so happy I’m here. It’s a natural place to end up.
John Todd: Quad9 started eight years ago with an initiative by Global Cyber Alliance (GCA). They got some funding and said, “Hey, we need to figure out how we’re going to protect the most amount of people possible with the least amount of dollars.” The quick summary they came up with was, “Well, let’s build a recursive resolver.” They weren’t really a technical shop; they weren’t an operations shop. So they came to Packet Clearing House (PCH), which at that time was where I was working, and they said, “Well, can you build this for us?”
I took the project on, and we very quickly realized that building a recursive resolver at scale that people would use was not simply a matter of throwing a couple of dollars at it and making it work with just a couple of servers. The first thing we figured out is this needs to be its own organization. It needs to be not GCA; it needs to be not PCH. It needs to be its own separate not-for-profit or foundation with its own board of directors, its own funding—basically, ownership of its fate. So we created that back in 2016-2017 and launched the project.
The last organization to join at the last minute was IBM. They had 9/8, you know, one-256th of the internet. The timing was really great. There were some really good, clueful people at IBM that we talked to, and they allocated 9.9.9.0 to us, and so that’s a /24. So now that is part of what Quad9 is, and it’s our namesake. They’ve been a really great partner over the years as well. So those are our three founding organizations. We launched the project publicly in 2017, even though we were active before that, and we’ve been growing like gangbusters ever since.
David Redekop: And what’s amazing to me, just as you relay that a little bit around the “nine” space, is that at least in my circle, IBM got the most credit out of this sponsorship, out of this project, out of any of the sponsors. Because if you live in the IP space, it’s their number, right? It’s like, “Wow.” I’m sure somebody at the marketing department of IBM realized that there was going to be tremendous value in just giving it up.
John Todd: You know, I’m not slighting IBM here, but I don’t think they’ve done as much work as they could promoting this. IBM’s been one of our greatest sponsors, but they give us really great threat data, so that’s kind of their participation. They’ve not made hay with us the way I thought they would. Quad9 as an organization is doing really well globally. I mean, we’ve got more than 100 million users on the platform. We’re in 260 locations in 130 countries now. A lot. The protection that we’re providing—really, the service we’re providing to people for free—is absolutely fantastic. And I love IBM, but they’ve not taken this the way they could. I’d love to see more publicity on it, but they’re a big company. We’re really working with their security division, and so we see that side of things. With big companies come challenges with how you communicate that out to the rest of the place. But IBM’s done great things for us. But, you know, if IBM is listening, you could do a lot more.
John Todd: IBM is one of our best threat providers, but we have about 35 different threat providers as well, and we treat them all equally. There’s no one that gets any particular special preference. The way we bring threat providers onto the network is that we offer them information back. They give us domains that they know are risks—malware, phishing, C&C, stalkerware, a whole variety of different bad things. They give us the domains, and as soon as we ingest them and apply them to our system, anybody who tries to go to one of those domains that’s trying to do them harm is blocked. We essentially prevent them from connecting. It’s a very simple model—just don’t answer the DNS question—but quite powerful.
At that moment, we also send back to the threat provider a couple of pieces of information. We send them the timestamp that the event happened, we send them the fully qualified name that the person was trying to reach, and we give them a really rough geography, like a metropolitan region of where that client was. That then allows the threat intelligence providers to really improve their threat data. We’re not just improving the threat data for ourselves. You know, these companies aren’t doing this entirely altruistically, right? They’re getting really interesting data from us that then allows them to say, “Okay, is this threat increasing? Is it decreasing? What is the rough geography? Like, who are the targets for these malicious activities?” So that allows them to improve their data that they send to us, but it also allows them to improve the data that they’re sending to their paid customers. Everybody wins in this equation, and we really do, I think, a good job of serving not just our customers, but everybody who consumes threat data from many of the threat intelligence providers that we work with.
David Redekop: I would also commend you on the low false positive rate because that is such an important aspect of how you bring on a new threat intel source. It’s your ranking of importance of keeping the list clean and cleaned up. I can speak to it from the perspective of doing large-scale deployments. Across our network, we do approximately 50 billion queries in a month, and it becomes very clear very quickly which threat intel sources have the highest rank of false positives. With Quad9, I just don’t get that. So I just want you to have that feedback and realization that setting that as a high level of importance has served you well from the perspective of encouraging the adoption that you want solution providers to do by default.
John Todd: Working with a free service is wonderful in some ways and terrible in others. We have zero friction for people to adopt Quad9. You just change your DNS setting to 9.9.9.9. That’s it. No email signup, no payment, nothing, no contract. With the low friction of addition comes low friction of transfer away. So we have to be really, really sensitive about false positives because as soon as there’s a false positive, we lose users, and they typically will go to some other free recursive resolver—very often a recursive resolver that has no security. You’re never going to get a false positive if you have no security. So we have to be really cautious about false positives, and we really work with all of our threat intelligence providers to keep that at a minimum.
The downside of that is that we perhaps don’t catch things that we could, meaning that we’ve asked for a very high confidence level in the data, and there might be some threats that if we asked for a lower confidence level in the data, we would catch, but at the cost of more false positives. That’s one of those constant balances that we’re trying to figure out. Maybe we offer at some point in the future a service that has a lower confidence rating on a different IP address, you know, that’s kind of the kitchen sink. You catch all the things, but you also get a bunch of false positives. There’s a lot of effort for that, and with no income per user, we have to really focus our product portfolio to kind of just the narrowest thing that we can. So right now, we haven’t decided to do anything with lower-confidence-level feeds. We’re really trying to continue with that very high-confidence, low-false-positive model.
David Redekop: In that space of high confidence, low false positives, I’m guessing that is probably one of the reasons why this notion of blocking based on IP address resolution is not something that I’ve seen commonly done anywhere yet.
John Todd: IP addresses, as you said: false positives are really challenging with IP addresses because of multi-hosting. That is not to say that IP addresses are not useful; they actually are useful. We simply don’t have a model for that right now. We’ve had a couple of threat intelligence providers who have said they have IP-based lists. Our goal this year—although it’s halfway through the year already—is to actually have some proof of concept for IP-based blocking, but we’re still way away from that. There are some which you can categorically say there’s nothing good on them. There’s never been a DNS name that’s resolved to this IP address that wasn’t a threat, so we should be blocking it.
We do recognize that that’s an area that we have to solve. But again, the false positive issue is a dangerous one for us. We have been a little bit slow on the technology side implementing an IP-based blocklist because we’re also a little bit wary. Like, how much more work is this going to create for us from a false positives perspective? It’s not the top thing on our list of things to do right now, but it is there in the pipeline for some point soon.
David Redekop: Oh, that’s really good to hear, and I look forward to collaborating with you on that because we certainly have some thoughts and ideas… The path that you’re on sounds like we should definitely work on it together.
John Todd: Well, the combination of the forward DNS as well as the IP address of the destination, I think there’s some power in looking at the combination of those two things. I would say primarily, though, we’re still going to be looking at forward DNS as the method that’s the strongest of the two because, again, multi-hosting, where there are thousands of sites that are pointed to the same IP address or cluster of IP addresses, makes it very difficult, especially when you get to the large CDNs like Cloudflare or Google or AWS.
David Redekop: Speaking of local hosting providers, you have quite a distributed network. Your anycast network has many points of presence around the globe. What number does that sit at today?
John Todd: I think we’re at 260-something right now. And the great thing—I can’t speak highly enough of our partners who help us with that—is Quad9’s network comes at no cost, meaning that as a matter of course, we don’t pay for infrastructure like colocation, hosting, and power. That’s donated to us by a variety of different sponsors and partners, and we are exceptionally grateful for that because there’s no way we could have accomplished what we’re doing without that. If we were paying for that, we would have had to have been a many, many, many-million-dollar organization, and in fact, we’re a very small not-for-profit right now.
Organizations like Packet Clearing House, Eduno, I3D—we’ve got a whole slew of other organizations that partner with us for smaller, one or two locations. They’ve been fantastic. Go on our website, look at our partner page. That’s the biggest strength that we have: the scope of the network, the geography of that in places where ordinarily nobody goes. We go to places where there’s no money, essentially. And that’s kind of different than some of the other recursive resolver operators or hyperscale operators. They’re not interested in going to some of these places and providing services with low latency and geographic proximity. Some of these are very difficult to get into, and it takes quite a while to do it. So, we’re very grateful to our partners for giving us that capability.
All we’re trying to do is give people protective services. And it’s great to see so many partners kind of understand that and not just approve of our mission, but actually help us to complete that. That’s one of the things that keeps me going. Even though there’s a lot of opposition in some ways—not opposition, but there’s a lot of resistance to doing what we’re doing just because the world works on money, doesn’t work on altruism—the fact that I do see this altruistic behavior by a lot of people makes me very encouraged that we’re doing the right thing.
David Redekop: I’m wondering, speaking of POPs and places that are hard to get into, what would be the most remote and difficult place that you’ve stood up a POP?
John Todd: Well, a lot of the credit for the most remote places is going to go mostly to Packet Clearing House (PCH). We ride their coattails into a lot of the really more difficult places to get into—a lot of the island nations, places like Mauritius, which have a very relatively small population. We use their infrastructure in some of those locations.
Interestingly enough, the most difficult places we’ve had to get into, meaning the ones that have taken the most time, are things that you wouldn’t think should be that difficult. I’ll name Brazil and India as two countries where you would think, “Okay, it should just be easy.” It isn’t. And that’s primarily due to very restrictive tariffs on the importation of equipment. We don’t have a lot of money to pay huge import fees. All of our equipment that we utilize and ship is all used. We buy stuff off the gray market, things that are coming off lease. We buy that and we use it.
Well, Brazil, you can’t even ship used equipment at all. It’s just not allowed. Okay, now we have to find new equipment. New equipment has a huge cost to it. It’s very, very expensive to buy anything new in Brazil. And same in India; they also have the same kind of import duties. That has been a big resistance for getting larger locations into both of those nations.
If anyone from Brazil or India is listening, this is setting your countries back. You are less resistant to being able to get equipment into the country, you know, for some reason. Brazil might be saying that they’re trying to generate their own homegrown technology industry. Well, okay, it’s 2025. What can I buy in Brazil? The answer is nothing. So they’re just holding their economies back by not allowing this kind of free trade.
The most difficult places to get into are not the ones that are the farthest places to ship; it’s the places that present the most resistance to deploying our stuff there, even though there might be people in the country who are like, “Yes, please bring your systems here. Let’s get something deployed.” We still have to get gear, and that’s the resistance.
David Redekop: Before you started your career down this path, was there some aspect of your upbringing that had you leaning towards the defensive posture side?
John Todd: I’m firmly a Gen X, so this put me in my teen years right at the crux of telecommunications actually happening as a common thing that mortals could do. When I was in my early teens, I had a BBS, if you recall that, a good modem-based BBS. This was 1982 or ’83 with Apple II systems.
I think the thing that drove me always was curiosity. I probably did things that were on the border of legality, trying to figure out what things did and what they did not do, like trying to dial into various systems. I was not a script kiddie, but I was always very interested in communications itself. How do people communicate? By what mechanism do they communicate? So CB radios have always been interesting, or ham radio has been interesting. The internet, of course, was turbocharging my interest in communications once I got to university.
How people communicate is more interesting to me than what people communicate about. I’m interested in how people connect. I’m not particularly interested in the content of what they’re doing. I’m interested in the mechanisms by which you get messages from place to place. And so, that has always interested me from a very early age.
From the defender space, DNS is interesting. There’s always an implicit defense concept because any communication that I have, I would assume I want to have that be private. I would assume I want to have that be with the person that I intended, meaning that both integrity and obscurity are built into any communications model. There are a bunch of people who disagree with that, right? They’d like to observe what you’re talking about, and they’d like to intercept and potentially fool you into doing something that you shouldn’t. The defender stance comes naturally, I think, in any communications model, at least on the internet using data.
David Redekop: You reminded me of a somewhat provocative statement that I heard Moxie Marlinspike say some time ago… “In order for liberty to flourish, it must be possible to commit a crime and get away with it.”
John Todd: That’s interesting that that quote exists. I’d not ever heard that from him before. I actually had the same argument in one of my papers in university. I took a course, actually an excellent course on corruption… My thesis for the paper was that corruption at a certain level must always be possible, even though it may still be illegal. If you have a system that is perfectly tuned, that has no flexibility in it whatsoever, then you create a recipe for arbitrary and immoral outcomes at a large scale. So there always needs to be some flexibility in the system, meaning that there always needs to be the ability to pay off the border guard to allow you and your friends to escape the tyrannical country, right? Because if there isn’t that flexibility, then you have a recipe for perfect immoral conditions.
David Redekop: As a dad or as a business owner, I have certain responsibilities to protect my network, and hence we are in the defensive world. But when it floats across the internet in the form of a packet, then I don’t want the transit provider to have any insight into it.
John Todd: I think one of the core problems that we’re facing is identification of the actor. If traffic emanates from my handheld device or my laptop, who is the actor that is generating that traffic, and what is its intent? You don’t actually know who is the operator of that code. You don’t know its intentions. You actually have to be much more rigid in your security posture.
This question comes up a lot because Quad9 is used in some schools. We don’t have a “school safe” where we block sites that are inappropriate. The question of who is generating the traffic becomes the question, and who’s actually got control? Those are really difficult ones to answer. Does the network administrator have the right to control content, or is it the end user?
In my opinion, it should always be the case that the end user, if they’re clever enough, should be able to get to the content that they want if they so intend. But they should be blocked. They should understand that they are being blocked. There should be resistance. They should have to knowingly circumvent the resistance to get to the content that is forbidden by the local operator. As a parent, that might be okay. As a country, that’s probably not okay.
I’m a privacy absolutist, meaning I think that people have absolutely the right to not be observed. I’m not an access absolutist. I think that it is okay to block people from doing certain things. If the laws in your country require that, or if as a parent you don’t want your children seeing certain things, you should be able to block them. Should you be able to absolutely block them? I’m not quite as convinced on that.
David Redekop: Are there any key innovations that you think are worthy of noting over the past year or two?
John Todd: I am very interested in Zero Trust DNS. For those who don’t know, the quick summary is that you have a device at the edge of your network. It functions as a forwarding cache and a firewall. If clients have not received a valid A or AAAA record as part of a request, they can’t get through the firewall. It dynamically opens ports on the firewall based on the results you get back from lookups. This essentially means that the firewall and the DNS resolver become your control point for defining firewall rules. I think it’s a really great idea. It offloads an enormous amount of work from a firewall administrator. It makes Quad9 more powerful because it means that as long as we’re resolving everything for you, as long as it’s not on our blocklist, you’re going to get business as usual.
My world is becoming very, very focused and narrow these days. I’m working on a draft to try to get rid of anycast as the lynchpin of DNS, and so that’ll take a while.
David Redekop: Tell us a little bit about that. What’s involved?
John Todd: There’s the concept of discovery, which is really a very powerful one. What discovery does is it allows you to migrate from an unencrypted connection to Quad9 and move up to an encrypted connection. So that’s discovery. Now, bigger recursive resolvers operate on what’s called anycast. We announce the same address from 260 locations around the world, and that means you get routed to the nearest one. But that’s not actually true. A lot of our clients are in China and they get sent to Amsterdam because that’s the way the internet has routed them.
The draft that I’m working on, called EDSR (Encrypted DNS Server Redirection), allows the recursive resolver to say, “Hey, you’ve connected to me. We’ve got an encrypted connection going, and that’s great, but you know what? I’m not the best place for you to talk, Mr. Client. You should talk to this other system, this unicast system.” It’s a way of using anycast as a rendezvous protocol but actually ending up and pointing the client to a different place based on latency, maintenance mode, traffic volume, or any number of other criteria.
The goal here is actually to put Quad9 out of business. The problem right now is in order to start a global anycast resolver, you’ve got to have a lot of resources. That closes the door on a lot of smaller organizations. I would like to see that barrier brought down. With this technology, you can have a rendezvous server that gets the first request but then distribute that out across your network. It’s basically a way to operationalize DNS in a way that hasn’t been done before and balance it out a little bit better at the application layer rather than at the network layer.
John Todd: The thing that sets Quad9 a little bit apart from everybody else is that we don’t just provide the security. We also have a built-in policy model that prevents people from getting your private data. We’re located in Switzerland, which is very different than anybody else at the moment. We have a legal regime around what we can do with data. What we’re allowed to do with data and the legal repercussions if we don’t do what we say we’re doing are very strict. It also gives us some defense in that Swiss law is extremely good for keeping others from demanding data from us. We don’t collect anything about end users, but it prevents countries or courts in different jurisdictions from getting their claws into us, which is a very, very powerful and important component of what we do.
We’re trying to defend the DNS both on an individual level, meaning preventing bad things from happening to individuals, but we’re also trying to prevent bad things from happening to the DNS as a whole, where the DNS could be used as an attack method for a variety of different economic activities. We’re paddling very furiously, as they say. The duck looks calm on the surface, even though it’s paddling like crazy to keep up. And we’re always looking for sponsors and people who can help us with that because we’re desperately in need of funding as a tiny organization in a room full of elephants.
David Redekop: From what I’ve observed over the past eight years, you are punching well above your weight and continuing to sustain the growth. When we use DNS benchmarking tools, we consistently see you at the top. You’re doing things right, and you’re doing the right things. Kudos to your leadership at Quad9 and everyone else there.
John Todd: It’s the team that gets the credit. I just do the talking.
David Redekop: Thanks again, John. I look forward to seeing you at a Defender’s event very soon.
John Todd: Appreciate the time. Thank you.
The Defender’s Log requires more than a conversation. It takes action, research, and collective wisdom. If today’s episode resonated with you, we’d love to hear your insights. Join the conversation and help us shape the future together. We’ll be back with more stories, strategies, and real-world solutions that are making a difference for everyone. In the meantime, be sure to subscribe, rate, write a review, and share it with someone you think would benefit from it, too. Thanks for listening, and we’ll see you on the next episode.
This is a Security Bloggers Network syndicated blog from The ADAM Blog - ADAMnetworks authored by Carly_Engelbrecht. Read the original post at: https://support.adamnet.works/t/tdl-002-defending-the-dns-how-quad9-protects-the-internet-with-john-todd/1463