DNS privacy, legal enforcement and Quad9: a conversation with Bill Woodcock

2021-03-22 Blog

Quad9 is a free Domain Name System (DNS) service, focusing on privacy and security. In February 2021, the company reincorporated in Switzerland to provide its users even stronger privacy guarantees. The move was facilitated by SWITCH, a CENTR member and registry for the .ch and .li top level domains. To discuss this move and DNS privacy at large, CENTR interviewed Bill Woodcock, the Chairperson of the Foundation Council of Quad9. The text has been lightly edited for brevity and clarity.

GG: In terms of privacy for the users of Quad9, what does the organisation's move to Switzerland mean? Have there also been any concomitant changes to the privacy policy or practices at Quad9?

BW: There are two aspects of this move: our privacy policy (what we commit to doing) and applicable law (what the governing authority commits to holding us to). The latter is way more important than the former: if a privacy policy isn’t paired with legal enforcement, it’s just paper, and offers no real protection. That’s been the problem with tech companies hiding in the jurisdiction of the US Federal Court of Northern California where compliance with privacy policies is purely voluntary. Because of this, US companies are shielded from responsibility to their users and society, and that has produced the dystopian hyper-libertarian hellscape we now find ourselves inhabiting, while encouraging horrific hate-crimes and violence. This is, for example, what the Christchurch Call is all about.

Fundamentally, our move to Switzerland is about stepping out from behind the skirts of US jurisdiction and standing in the light of the strongest accountability law we could find. When we were domiciled in the United States, our compliance with our privacy policies was voluntary, like that of any US company. If we were domiciled in an EU country, we would be subject to GDPR, and civil penalties would apply if we were to violate GDPR with respect to an EU citizen. However, in Switzerland, criminal penalties apply if we violate Swiss privacy law with respect to anyone, anywhere in the world. It really is the best choice of location for what we wanted: the strongest possible legal protection for all of our users, regardless of country of citizenship or residence.

Quad9 has always been GDPR compliant, and Swiss privacy law is equivalent to GDPR in its protections. The difference this move brings is in enforcement. So we’re maintaining the same high standards of our privacy policy and practice as before, but now our adherence to that policy is backed by the strength of Swiss law.

On the organisation’s website, I’ve been trying to put together some building-blocks of legal findings that explain how Swiss law applies to Quad9 and the basis of these protections for users. You’ll find those documented at

GG: What should users know about the governance structure of Quad9?

BW: Quad9 has a Foundation Council of five multi-stakeholder representatives, one from industry, one from the non-profit sector, one from the Internet technical community, one from the academic research sector, and one from government.

GG: And how does Quad9 raise funds and sustain itself?

BW: Quad9 is supported entirely by donations, the vast majority of which are in-kind, rather than cash. The majority of those donations consist of datacenter space, power, servers, and bandwidth. Our base of donors is broad and diverse, and has consistently grown each year.

GG: In the last couple of years, there has been a wave of adoption of encrypted DNS protocols. DNS over TLS (DoT) was standardised in 2016. While DNS over HTTPS (DoH) was formalised only in 2018, it surged in popularity arguably because of the push from large tech companies and content delivery networks (CDNs) such as Google and Cloudflare.

Quad9, of course, became one of the first resolvers to offer these protocols. What are your thoughts on the development and deployment of these protocols?

BW: Quad9 was in fact the first resolver to offer DoT. DoT is an excellent protocol, which applies TLS, a well-understood cryptographic suite, to the DNS in a straightforward way, giving DNS users the benefit of confidentiality for their in-flight queries. DoT introduces no new vulnerabilities relative to its predecessors.

DoH, on the other hand, is something of a trojan horse. It was introduced long after DoT, and has the effect of weakening privacy, rather than strengthening it. DoH facilitates the “fingerprinting” of users as they travel between locations, allowing the party on the other end of the connection to correlate otherwise unrelated DNS queries into a single dossier uniquely identifying that user and their Internet use. Furthermore, DoH enables flagrant network neutrality violations, when a DNS operator is also a CDN operator.

We also support DNScrypt, which is a reasonable protocol which was never put through the open standards process.

GG: Mozilla has also been at the forefront of pushing for DoH deployment. To ensure that Firefox users are offered choices of DNS services that provide certain minimum privacy guarantees, they have started a Trusted Recursive Resolver program. What are your thoughts on their involvement and program?

BW: I think that Mozilla’s motivations are good, but the pitfalls of DoH are so prevalent that it’s simply difficult to do this well and safely. I think they’ve realized that, and I think you can see that they’re making an honest effort by the fact that they’ve gone back to the drawing board and solicited public input before proceeding further. Also, they need to find a way to do this in a GDPR-compliant way for European citizens, which their current effort is not, yet.

GG: Does Quad9 have any plans to join the program?

BW: We have been in contract negotiation with Mozilla on this topic for more than two years.

GG: Besides privacy, Quad9 has also publicly committed to a broad human rights framework. How do you see the organisation’s commitment to freedom of expression and right to seek information? Specifically, what is the rationale behind keeping the default service in Quad9 as the one that filters DNS responses?

BW: The filtered DNS service is optional, and it successfully protects people from more than 140,000,000 malware infections each day. We have three goals: privacy, security, and performance. Protecting people from malware and phishing is Quad9’s fulfilment of our commitment to providing security, and that’s the primary thing our users come to us for. We have a clearly-delineated human-rights policy, and have not yet had any complaints about either our policy or our implementation of it, but we’re always seeking to improve, so we welcome any suggestions people may have as regards how we might do better.

GG: Some recent research by CensoredPlanet suggested that DNS filtering services were likely to be blocking harmless content (Quad9 does not seem to have been tested there). Does Quad9 monitor the accuracy and precision of its filtering systems?

BW: Yes, we do, and we investigate every false-positive report that we receive. We currently have a fewer than one in 600,000 false positive rate, with an average of 3.4M malware and phishing domains blocked at any time, and a churn rate of roughly 300,000 per day. We could provide 100% protection by simply blocking everything, at the cost of a 1:1 false-positive rate. Or we could protect no one, and have no false positives. So this is an exercise in balance, and a 98% success rate in malware protection with a 1:600,000 false-positive rate is what we’ve been able to achieve thus far. As I said, we’re constantly striving to improve over time.

GG: And in the case there is over-blocking, do you see any tension of the default choice (of the filtered service) with freedom of expression?

BW: No. I don’t mean that to be a glib answer. In five years, we have not had anyone raise freedom of expression issues. People distributing malware will often report their domain as being a false-positive, and will sometimes put up content on it to try to paint a picture of something other than malware, but we ferret those out quickly.

And if anyone really wants malware, they’re welcome to use our unblocked service. At any given time, a bit under 1% of users are on our unblocked service. That’s generally so that they can access sites that have shot themselves in the foot by misapplying DNSSEC signatures somehow, not because they want malware.

We don’t block based on content. We do frequently get requests for spam-specific, ad-blocking, or “family friendly” options, but other people do those things well, and we have limited resources, so we stick to the most important thing that nobody else was doing well: filtering malware.

GG: It doesn't appear to be possible to query a DNSSEC-validating resolver while also not using [Quad9's] malware blocking service. Any specific rationale for this or plans to change it?

BW: There’s a vast cost to globally deploying another feature combination, and supporting it. Requests for an unfiltered DNSSEC validating service have only come up a handful of times. But the opportunity cost of implementing an entire overlay infrastructure, to support something a handful of people asked about would take resources away from the main service, which the other 99.9998% of people actually need and use. Even if we were to spend a huge amount to support this feature combination, it is not clear that it would get any significant use. But, again, we welcome all input.

GG: Thanks, Bill. I personally recommend Quad9’s DNS service to everyone! Really appreciate the move to Switzerland, the commitment to respect users’ privacy, and the transparency about the organisation’s policies and decisions. Grateful for your time and insights, and all the best!


This article was written for CENTR by Gurshabad Grover, a technologist and legal researcher based in Bangalore, India, where he is Senior Researcher at the Centre for Internet and Society. His writing focuses on network security, privacy and censorship. Gurshabad is grateful to Amelia Andersdotter, Daniel Kahn Gillmor and Mallory Knodel for their inputs.