Getting Started with DoH and Quad9
We’re happy to announce Quad9 now has support for DNS over HTTPS (aka DoH).
DoH is a secure DNS protocol that is getting a lot of traction lately. Mozilla announced support for it in their Firefox browser and Google recently announced support for developers and Alphabet through Jigsaw released the Intra app for Android.
DoH is not supported at an operating system level therefore right now it requires the installation of additional software.
Already using a DoH client and want to test out Quad9? Use https://dns.quad9.net/dns-query
We will be updating this post with additional configuration guides as they become available.
DoH requires either use of the system resolver or an IP address to perform the initial lookup for a hostname based query string. If you want to use the name to access it you need to be able to perform a lookup for that name. You can also point to the IP address.
Quad9 supports two flavors of DNS currently. A secured version and a unsecured or “vanilla” version.
|Service||DOH Address/Name1||DNSSEC||Malicious Blocking||Encryption||IP Addresses|
|Recommended (Secure)2||https://dns.quad9.net/dns-query||YES||YES||YES||220.127.116.11, 18.104.22.168, 2620:fe::fe, 2620:fe::fe:9|
|Secured||https://dns9.quad9.net/dns-query||YES||YES||YES||22.214.171.124, 126.96.36.199, 2620:fe::9, 2620:fe::fe:9|
|Unsecured||https://dns10.quad9.net/dns-query||NO||NO||YES||188.8.131.52, 184.108.40.206, 2620:fe::10, 2620:fe::fe:10|
1: This is what you enter as the DNS server to use, exactly as shown. Be careful to not add a trailing ‘/ ‘after dns-query or your client may have issues connecting.
2: Our Recommend service is currently identical to our secure service, intended to be slightly easier to remember and more friendly for configuration. If you don’t know what to use, use this!
An easy way to test without changing anything in your favorite DoH client is to just perform the following query right from your browser:
You can also use the IP address instead of the name anywhere you see it when it comes to DoH – our certificates have all our common IPs, so this works too:
Tested Client Implementations
Additional client implementations and information can be found on (wikipedia).
Other Options for DNS Privacy and Encryption
Download the Intra App for Android.
Launch the app and go to Settings:
Touch ‘Select DNS over HTTPS Server’:
Select Custom server URL and enter: https://dns.quad9.net/dns-query and click ‘OK’:
You will see the following confirmation screen:
For more stats and info scroll down:
Once you exit the app you will see the following confirmation modal:
DNS over HTTPS (DoH) is not enabled by default, so you have to type about:config in your browser bar to open up the settings page.
In Settings, you can modify 3 items related to the Trusted Recursive Resolver (aka network.trr):
trr.mode controls when and how DoH should be used. By default it is set to 0, meaning it is disabled. If you change it it will enable it.
- 0 — Off (default). To use operating system resolver.
- 1 — Race native against TRR. Do both in parallel and go with the one that returns a result first. Most likely the native one will win.
- 2 — First. Use TRR first, and only if the secure resolution fails use the operating system resolver.
- 3 — Only. Only use TRR. Never use the native (after the initial setup).
- 4 — Shadow. Runs the TRR resolves in parallel with the native for timing and measurements but uses only the native resolver results.
- 5 — Off by choice This is the same as 0 but marks it as done by choice and not done by default.
We recommend trr.mode of ‘2’ so it will fall back to the default resolver if the connection to the DoH server fails. If you only ever want to use DoH you can set it to 3 – You will be unable to resolve DNS names if your DoH server goes down and you won’t have a back-up using your system resolver.
- network.trr.uri (this is where you specify the resolver you want to use)
- network.trr.bootstrapAddress (you can forgo setting this and it will use the native system resolver for the initial query for https://dns.quad9.net/dns-query)
You can check out the logs by typing about:networking#dns into your browser bar. Look for TRR ‘true’ entries to see what is being looked up via DNS over HTTPS.