Quad9 Founders on the Dangers of Global DNS Blocks by Rights Holders

The founders of third-party Domain Name Service (DNS) provider Quad9, including Chief Security Officer, Danielle Deibler, and GM, John Todd, have today spoken to ISPreview about the impact of recent court rulings that will force them to block sites suspected of internet copyright infringement (piracy) at DNS level.

For context. DNS providers typically convert Internet Protocol (IP) addresses into a human-readable form and back again (e.g. 123.56.32.1 to examplezfakedomain.co.uk). Most such services tend to be provided automatically by UK broadband ISPs or mobile network operators, thus operating seamlessly in the background, without you ever really being aware.

However, it’s also possible to replace the DNS from your internet provider with one from a free third-party service, such as Quad9, Google Public DNS or Cloudflare etc. The reasons for doing this are many and varied.

For example, a good third-party DNS provider may give you better performance when resolving sites / servers, as well as additional malware filters, and they can also help users to avoid DNS related bugs that will sometimes occur on an ISPs own servers. On top of that, they can be used to circumvent DNS level search term hijacking (e.g. injecting adverts) or web blocking / filtering by your ISP (e.g. parental controls or court-ordered blocking).

Suffice to say that those with a little more IT knowledge often prefer to use a free third-party provider in order to benefit from the potential performance and security improvements. Naturally, Rights Holders are mindful of this too, since blocking at DNS level is another way for them to tackle internet piracy. Back in 2021 Sony launched somewhat of a test case against Swiss non-profit DNS-resolver Quad9 in Germany, which called on them to block access (DNS resolution) to a music piracy site.

After a precedent-setting legal battle, Sony has now largely prevailed, which means that – for now – Quad9 has no choice but to block the domain(s) in question at a global scale, as directed by the court. But history shows that such impacts could soon spread to other DNS providers, and we are keen to learn more about what this could mean for the wider industry, as well as Quad9 itself. Luckily, two of their founders were kind enough to oblige.

The Quad9 Interview

1. The recent court rulings mean that Sony can now effectively demand that Quad9 block DNS resolution for their users for a specific domain (unrelated to Quad9), on which Sony asserts there are web-based links that lead to copyright-infringing (internet piracy) content.

We note that Quad9 has not given up the fight, despite losing previous appeals, but what is now left for you to try and are you confident of any success?

Quad9’s Answer:

In terms of the court ruling, we understand that Sony is trying to protect its intellectual property rights, and we respect that. However, we believe that it is important for Internet freedom to remain neutral and provide access to open spaces. Wholesale blocking access to certain sites is not the best way to protect copyright, the DNS is not the place to enforce these controls. We will continue to work with our partners like GFF and eco to ensure that the internet remains open and free for all.

We’re still confident of ultimate success, otherwise we’d have given up the fight. We have a significant number of arguments that were left in what we think was an insufficient or unanswered condition in our previous appeal, and we believe in the strength of any of those arguments to be sufficient to turn the case in our favor when considered by the next court.

A point which we think is quite compelling (though certainly not the only strong point in our case) is the applicability of the DSA’s definition of “intermediary services” which describe how certain services like telephone networks, certificate authorities, and (specifically) “DNS servers and resolvers” can be classified as “mere conduits” with the associated protection from liability.

(start reading around section 28)

2. What kind of a cost impact does all this have for a small non-profit organization like Quad9 and will Rights Holders be helping to foot the bill?

Quad9’s Answer:

There is a significant cost impact to us, and we see zero offers from rights holders in any cost offsets. It is important to re-state that Quad9 has no commercial relationship with any of the parties involved here – there is just a demand that we censor domains for sites that we have no knowledge of the owner, the content, or the location. We are not paid by domain name operators, we are not paid by end users, we have no knowledge of any of the content on a website. We are funded by grants and sponsorships from organizations that are trying to improve the security and privacy of the internet, and censorship of domain names based on outside those intentions.

If this ruling is ultimately successful, then it would potentially open the door to any person or organization who claims to be a rightsholder to assert that we must do their bidding and prevent access to a website. So who bears the cost for the research on that to determine if the entity making the claim is actually the rightsholder? What if they aren’t, and the site is blocked? Is there any indemnification for the DNS operator in this process? So far, that hasn’t been obvious to us and the risks are piling up in a way that is looking very problematic for an open internet. If successful, we would not expect Sony to stop with Quad9. It would seem to us that there would be the ability to apply this demand for censorship on any operator of DNS recursive resolution services – ISP, enterprise, or home user. From a technical perspective, these all look the same.

All of these “what if” potentials have significant costs to DNS operators, and almost no cost to the submitter of the claim. We see that this mismatch will create unreasonable demands on operators and cost burdens that have no support – quite problematic. This may lead to some unexpected consequences, where ISPs may stop operating DNS recursive resolvers, or where this accelerates the shift to models that avoid the traditional DNS entirely. This last option is the most dangerous, as it may lead to rapid and uncontrolled fragmentation of the internet. We believe government and industry should work at all costs to prevent any motivations that create distrust in the internet’s foundational models, as trust and consistency in the infrastructure have been the basis on which the entire network economy has been built.

3. What kind of technical and performance implications / limitations might be required to block websites (domains) at DNS level in this way on your platform, or is this largely irrelevant given that Quad9 already has a blocking system for malware sites?

Quad9’s Answer:

There are performance costs for adding these items into our lists. Our particular model has been to create a unified list of domains that we block, which have a consistent method of reaction and associated telemetry. Introducing an additional policy model with different origins and behaviors means (by definition) that we have to create a separate, second pipeline to handle non-malicious blocked items. This doubles the number of evaluations we have to do if we are to keep them separate. We have kept response time low by adding more hardware to our infrastructure (again: costs for us that are unsupported) but this was not part of our original design for the platform. So far, by adding more equipment provided by our generous sponsors and partners we have kept a good response time overall.

In a more long-term view: If in the future we have to hire staff to evaluate incoming requests and fight legal battles with every censorship demand, then that will quickly exhaust our operational budget and performance will suffer. So, yes, indirectly if we lose this has a potential for performance problems in the future.

4. Has the case had any other negative impacts on Quad9 and related usage, such as a decline in the user base or technical performance? We can’t help but note that anybody can set up their own self-hosted DNS (e.g. Pi-hole), which Rights Holders would most likely be powerless to stop, and such things may become more common if major third-party DNS providers are viewed as censoring access – wilfully or not.

Quad9’s Answer:

It is difficult for us to say how this has had other negative impacts on Quad9’s growth, as we do not track our user base in any significant way other than observing query volumes. We continue to show steady increase in our overall daily query counts, and that growth we expect is linear with end-user growth. Would there have been more users adopting our platform if this court case wasn’t discouraging users? That is very possibly true – this case does create a negative result for us. We would expect and have heard of cases where end users have shifted from Quad9 to resolvers managed by companies whose base of operations are not within the reach of the Lugano Convention (the EU and several other nations). This seems to be counter to the general trend on the EU which would be to keep DNS queries terminating on systems located in or managed by organizations in nations which have a gold-standard privacy model such as Swiss-based Quad9.

Some users may also have moved to in-house recursive resolvers as a response to the case. That will mean that they lose the malware protection that we provide which is quite difficult to reproduce at the levels that we have achieved. Also there are unexpected results for privacy in such a shift: by moving to a self-hosted resolver, all queries are coming from within a network (unencrypted) and are visible by any intermediary as they move to and from authoritative DNS systems. With Quad9, their queries can be encrypted for the “last mile” and then are mixed with huge volumes of other users before being sent to authoritative systems.

Your use of the word “powerless” is a bit hasty when you say that rights holders could not reach into home user environments running local recursive resolvers. One bad outcome will breed others. I can imagine some rather unpleasant ways that Sony and others could take fines or other enforcement directly to end users, as they have done with other rights fights in the past. This example enforcement message might be a bit hyperbolic, but is not entirely impossible: “Your ISP reported to us that your home IP address tried connecting to a DNS server which is authoritative for ‘example.com’ – a domain that we have identified as implicated indirectly in copyright infringement. Please prove you were not trying to reach this domain, as it is currently found on the forbidden list as defined by our firm, otherwise you may be found in violation with associated penalties.”

In the long term, if there is an unfettered ability for commercial organizations to demand censorship or other blocking, this will drive users to find unambiguously unfiltered solutions. Those solutions may have significant unexpected negative consequences that everyone wants to avoid. In the fight of policy versus technology: policy always wins, but technology will get enough punches in during the scuffle such that everyone dies at the end of the last round.

5. Has Quad9 received any support in its case from other DNS providers? It seems like they should all have an interest in this, since the same demands will inevitably spread.

Quad9’s Answer:

Quad9 has had informal discussions with many other DNS recursive resolver operators, in Europe and worldwide. There is strong support (privately) for our fight against Sony’s efforts to impose controls on open internet infrastructure, but other than advice and pats on the back so far we have received what I could describe as very minor support from industry participants who have skin in the game. I can only think of one DNS-related organization who has given us anything at all. While welcome, that donation funded only a single day of legal costs.

I can only make guesses as to why this is the case, but here is my estimate: The elephants in the room are keeping fairly quiet in any public setting, because almost every other DNS recursive resolver operator is a for-profit entity with other business lines, many of which cross into the content areas or which have telecom-provider strings attached. They have challenges with other European-based legal issues involving their other products, and they may not be interested in raising their profile when they have other battles to wage.

The more cynical side of me also suspects some organizations simply don’t care about this court case. They don’t have any interest in the defense of a trustworthy and open internet because there’s no immediate demonstrable proof of value to shareholders for taking a stand, but there is risk. This is in our opinion a catastrophic oversight in the long view.

Quad9 is unique in that there is no other line of business that we offer. We are not a content network, not a hardware provider, not a telco, not a search engine, not an ad network. We only do recursive DNS, and this is our weakness as well as our strength. We are in need of financial sponsorship to support this ongoing court case – this is eating into our operational budget of which we have very little. eco and GFF, among a few other rights organizations have given us in-kind and some capital support for which we are immensely grateful. We have seen great contributions from individual users which have moved the needle and boosted our morale, but even the aggregated large number of small donations is not enough to meet the full costs of a legal fight against one of the world’s largest companies. It would be great to see some other donations at an appropriate scale that could help us keep moving forward.

6. Moving away from the case and speaking more generally, what kind of future advancements can we expect from third-party DNS providers like Quad9?

Quad9’s Answer:

Public and ISP-based DNS providers are becoming more secure, and that seems to be the focus of quite a bit of energy in the industry right now. Now that there are two big encryption protocols (DNS-over-TLS, and DNS-over-HTTPS) that are widely available, there is more interest in how clients automatically connect with these secure methods. I’d expect even more encryption protocols in the near future, which perhaps is a bit confusing but gives more options to end users.

We’ll be keeping a close eye on emerging standards and trying to implement the new protection methods when they’re stable and feasibly useful. We’re also continuing to watch how encryption proceeds in other parts of the DNS chain which are invisible to end users, such as recursive-to-authoritative encryption, so that the whole DNS ecosystem becomes more resistant to surveillance, interception, and hijack attempts.

7. Do you think there’s any chance that Quad9 might enhance its current offerings by adding personalized (custom) DNS filtering and improving responsiveness?

Quad9’s Answer:

Customized DNS service is not currently on our development horizon. While we haven’t ruled out such a service in the future, it does require quite a bit of back-end infrastructure to make an effective product, and it would require us to start processing user personal data. Currently, we don’t ever collect anything about end user identity, but to offer a personalized service would require that information to be kept even if only for configuration.

We’re constantly working on better responsiveness by adding both locations and hardware to our network. Quad9 now is in more than 200 locations worldwide, and we have a long list of new locations that are soon to appear on the map. By bringing our service nodes closer to end users, we can reduce latency and improve resiliency for everyone.

Our largest locations are still located within IX-based facilities, meaning that we are directly adjacent to the largest interconnection sites in the world, rather than being exclusively at server-hosting data centers. This is an even comparison in high-density areas (in fact, datacenter and IX positioning have tradeoffs in some ways depending on circumstances in major metropolitan locations) but our IX-based deployments are exceptionally good towards the edge of the network where populations are less dense and who tend to be less well-served by traditional datacenter-based solutions.

Quad9 is sometimes the only anycast DNS resolver operator within a nation, which may mean tens or hundreds of milliseconds faster than other solutions. As an example: Our footprint in Africa is unmatched, and brings cybersecurity to areas where there are few (if any) other DNS resolver options with security benefits.

8. When you look across at rival DNS providers, which one would you say is your closest competitor and why?

Quad9’s Answer:

Quad9 isn’t really in a competition with anyone. In fact, the more users we have, the more it costs us! Most of the team here comes from startups of some form or another, so the DNA that we all have had is difficult to re-engineer to the concept of a non-profit – myself most of all. Framing Quad9 as a competitor in the market is not quite what we’d probably want to do. Quad9 has the goals of improving end-user security without compromising individual user privacy. If by existing and offering that option we push other organizations to meet the same standards as we have ourselves, then we consider that a “win”, and so far, we’ve done that.

Our intention is to keep improving our services that we give to end users. There is currently no other DNS service that has the combination of breadth and depth of security, the scale of the network, and the foundationally-assured privacy guarantees that Quad9 delivers, so for the moment we are in a class by ourselves.

Certainly, there are larger DNS recursive resolvers, or services that offer more features for advanced users. We do not consider these as competition and we encourage a more diverse set of solutions for DNS resolution as long as they meet the same criteria as we have built. Until the majority of DNS systems meet those thresholds, we’ll continue to offer an option at no cost as a method to encourage changes in the market that favor security and privacy.

With the most recent filing for an appeal, Quad9 and its legal counsel must now await a decision from the Dresden Higher Regional Court in Germany. Quad9 are asking that anyone capable consider donating to help support their service.