0. Applicability of this Policy
This Privacy, Data Processing and Use Policy ("Policy") describes the policies of the Quad9 DNS Service (the "Service"), a recursive DNS resolver operated by the Quad9 Foundation ("Quad9"). This policy applies to Domain Name Service (DNS) transactions between Quad9's users and Quad9 under normal conditions.
This is version 1.0 of the Policy, published on Wednesday, February 17, 2021.
This policy is intended to meet or exceed the letter and spirit of Internet Engineering Task Force Request for Comment 8932, Recommendations for Privacy Service Operators, which is the applicable standard, and may be compared to Appendix 4.1, Example RPS Policy for reference.
Quad9 may amend this policy by posting a new version, with an incremented version number, at https://quad9.net/privacy/policy/.
1.0 Treatment of IP addresses
Quad9 regards Internet Protocol ("IP") addresses associated with its users to be Personally Identifiable Information ("PII"). Quad9 uses the union of the definitions of PII contained in Swiss law (Article 3 (a) FADP), United States law (2 CFR § 200.79) and European Union law (Article 4(1) GDPR), with the definition that extends the greatest protection to the user controlling in the event of any conflict between the three, and we extend that most stringent protection to all of Quad9's users, regardless of their citizenship or domicile.
When a user of the Service sends a query to Quad9, the query is transmitted across the Internet from an IP address under the control of, or in communication with, the user (the "Reply To Address"), to an IP address belonging to Quad9.
When Quad9 receives a DNS query, in very nearly every case, the IP address from which it receives the query is that of a caching/forwarding DNS resolver or the outside of a proxy or Network Address Translator ("NAT"); in any of these cases, the IP address represents a set of users, often quite a large set, sometimes numbering in the millions, and those users come and go, invisible to us, hidden behind that intermediary address. In these cases, which, to the best of our knowledge, make up nearly the entirety of the use of our systems, the IP address is not PII. But in an extraordinary case, the IP address from which we receive a query may be unique and globally routed and directly associated with an individual, in which case it is PII.
Quad9 makes no attempt to distinguish between IP addresses associated with resolvers or NATs versus those associated with individual users, because doing so would not improve our service but would simultaneously consume resources and needlessly single out individual users from the protective herd of our traffic. In short, although this practice is centrally important to those who would collect and monetize individuals' information ("cleaning the address list" in advertising terms), it is anathema to us.
When Quad9 receives the query, it is necessarily contained within an "envelope" (more precisely, an IP protocol header) that contains both of those addresses. Quad9 necessarily holds the Reply To Address in volatile random access memory ("RAM") for the few microseconds to milliseconds necessary to service the user's query. During this time, Quad9 uses the Reply To Address to increment a counter of the number of queries received from the enclosing BGP-advertised prefix of the Reply To Address and a counter of the number of queries received from a geographic region that is the smaller of a nation or a population of not less than 10,000 persons.
The Reply To Address is used for no other purposes, and is purged from RAM as soon as (in the case of a query the user delivers via User Datagram Protocol) we have transmitted the reply to the user's Reply To Address, or (in the case of a query the user delivers via the Transmission Control Protocol) the sooner of the user or Quad9 closing the TCP connection. The Reply To Address (or any representation of, or proxy for, it) is not copied to permanent storage, nor is it transmitted across the network to any destination other than the user. It leaves the machine on which we received it only in the form of a reply to the user – to no other destination, in no other form, for no other purpose.
We do not believe that swapping of the RAM pages holding the Reply To Address to disk occurs on our servers, for two reasons. First, we prevent it from occurring by allocating to each client image an amount of physical RAM that exceeds the amount of RAM it believes it has access to. Second, the pages of RAM that contain live DNS query transaction endpoints are the most active ones, not the least active, and if one were swapped to disk the function of the machine would essentially halt. This would stand out as a glaring beacon in our performance-monitoring systems, so if it were to occur it would be obvious to us – and it does not occur.
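As an added illustration (not Quad9's own code), the aggregation described in sections 1.0 and 2.2, using a constructed prefix and geolocation table: the Reply To Address is used only to find its enclosing BGP-advertised prefix and geographic region, the two counters are incremented, and the address itself is dropped; regions below the 10,000-person threshold are rolled up to their nation. All prefixes, ASNs, region names and populations are made-up sample values.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample data (not Quad9's): BGP-advertised prefix -> (origin ASN,
# geographic region, nation, region population). Regions smaller than
# MIN_REGION_POPULATION are rolled up to their nation, as section 2.2 requires.
PREFIX_TABLE = {
    ip_network("192.0.2.0/24"):    (64496, "Example Town", "XA", 8_500),
    ip_network("198.51.100.0/22"): (64497, "Example City", "XA", 250_000),
    ip_network("198.51.100.0/24"): (64498, "Example City", "XA", 250_000),
    ip_network("2001:db8::/32"):   (64499, "Example Region", "XB", 40_000),
}
MIN_REGION_POPULATION = 10_000


def enclosing_prefix(addr):
    """Longest-prefix match of addr against PREFIX_TABLE, or None if unrouted."""
    hits = [(net, meta) for net, meta in PREFIX_TABLE.items() if addr in net]
    return max(hits, key=lambda hit: hit[0].prefixlen) if hits else None


class QueryCounters:
    """Aggregate counters that survive a query; the Reply To Address does not."""

    def __init__(self):
        self.per_prefix = Counter()   # queries per enclosing BGP prefix
        self.per_region = Counter()   # queries per geographic region (or nation)
        self.unmatched = 0            # queries from addresses outside the table

    def record(self, reply_to: str) -> None:
        addr = ip_address(reply_to)
        hit = enclosing_prefix(addr)
        del addr  # only the counters below outlive this call, never the address
        if hit is None:
            self.unmatched += 1
            return
        prefix, (_asn, region, nation, population) = hit
        self.per_prefix[str(prefix)] += 1
        region_key = region if population >= MIN_REGION_POPULATION else nation
        self.per_region[region_key] += 1

    def snapshot(self) -> dict:
        """What could be written to permanent storage: counters only."""
        return {"prefix": dict(self.per_prefix),
                "region": dict(self.per_region),
                "unmatched": self.unmatched}
```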
2.0 Data collection and sharing
As a public-benefit not-for-profit foundation dedicated to the provision of secure, private, and performant recursive DNS, Quad9 limits its data collection solely to data that enables it to better perform its mission in the service of its users. If data doesn't make the service more secure for its users, more private for its users, or faster and more resilient for its users, we don't bother to collect it.
Quad9 does not have any mechanism for users to "sign up" or create an account or otherwise disclose their identity to us, because we have no technical or business need to be able to identify users or distinguish one from another. Thus we do not have any records or data structures associated with or keyed by user, and consequently we do not have anywhere to put, or any way to retrieve, data about users.
2.1 IP addresses
Quad9 does not collect or record IP addresses, nor does it collect or hold any proxy for or representation of IP addresses, nor does it collect or hold any other unique identifier of individuals in lieu of IP addresses.
Because Quad9 does not collect or hold IP addresses, they cannot be combined or correlated with other information, such as query labels or timestamps, to violate the privacy of Quad9's users.
2.2 Data collected
Quad9's data collection is principally in the form of integer counters. At each Quad9 server, this is the full list of items we count:
- The number of queries for each Query Type, e.g., A, AAAA, NS, MX, TXT
- The number of each Response Type, e.g., SUCCESS, SERVFAIL, NXDOMAIN
- The number of queries that arrive over each transport protocol and encryption type, e.g., IPv4, IPv6, TCP, UDP, DoT, DoH, DNScrypt
- The number of queries originating in each geographic region
- The number of queries for each malicious domain originating in each geocoded region
- The number of queries originating in each BGP-advertised IP prefix
- The number of queries for each malicious domain originating in each BGP-advertised IP prefix
In addition, we record:
- The times of the first and most recent instances of queries for each query label
None of these counters contain any personally identifiable information, nor do they correlate with or specifically reference any individual query.
Where we perform counts per geographic region, we use demographic data to ensure that no region is smaller than the smaller of a nation or a population of not less than 10,000 persons.
Our purpose in keeping geographic counters is twofold: to ensure that sufficient Quad9 server capacity exists within a region to serve its population locally and well; and, when cyber threats occur, to understand the degree to which they target or disproportionately affect any particular population. We recognize that if a geographic region were too small, or too sparsely populated, it could potentially contain only a single individual and could thus be correlated with PII from other sources to create a risk to that individual's privacy.
All the above data may be kept in full or partial form in permanent archives.
2.3 Sharing of data
Quad9 does not share, sell, or rent any information that could identify an individual.
We do not share this information because we do not have this information. We do not have this information because we do not need this information. Because we do not need this information, we have built no mechanism to collect, retain, analyze, or distribute it.
Quad9 shares very limited statistical counters with the threat intelligence analysts who provide the threat intelligence feeds that allow us to protect our users from malicious attacks. This feedback allows threat intelligence analysts to refine their analyses and provide us with more accurate information, which in turn allows us to provide our users with better security. This information does not include any personally identifiable information or anything that could be correlated with other data to identify an individual or their Internet use. Specifically, with each threat intelligence analyst, we share the following three pieces of information:
- Timestamp of each query of each malicious domain they have identified to us
- The number of queries for each malicious domain they have identified to us, originating in each geocoded region
- The number of queries for each malicious domain they have identified to us, originating in each BGP-advertised IP prefix
As a convenience to the threat intelligence analysts, we also supply the originating Autonomous System Number associated with the BGP-advertised IP prefix. This is not data derived from users' queries but instead data derived independently from BGP routing tables. It does not contain PII, nor can it be combined with PII to characterize a user.
We do not share counters associated with malicious domains with threat intelligence analysts who have not identified that specific domain to us as malicious.
Quad9 provides data to a very few carefully vetted security researchers to help them better understand and better protect the public from cyber threats. This data may consist of a sparse statistical sampling of timestamped DNS responses from our cache or upstream authoritative servers, but no address, prefix, ASN, or other data related to the user or the query. It does not contain any PII or any data that we believe could be combined or correlated with PII to characterize a user or their behavior. When we provide such assistance, we do so only under a written agreement that the researcher use information we provide solely for the purpose of improving user security, and not for any other purposes. We require that researchers conduct their analysis on servers and infrastructure owned and operated by Quad9 and do not allow data to be exported from those systems in anything other than summary form.
Quad9 publishes general information, such as number of threats blocked and infrastructure uptime, to the public.
4.0 Associated entities
Quad9 supplies data to the threat intelligence analysts who provide us with the means to protect our users from malicious domains, as detailed in Section 2.3. Quad9 provides information to researchers to help them better understand and better protect the public from cyber threats, but such assistance as we offer does not contain any PII or data that we believe could be combined or correlated with PII to characterize a user or their behavior. When we provide such assistance, we do so only under a written agreement that the researcher use information we provide solely for the purpose of improving user security, and not for any other purposes. No other entities receive data from Quad9, other than that made available to the public at large.
5.0 Correlation of data
We do not correlate or combine data in our possession with data from other sources.
6.0 Result filtering
Quad9 provides both filtered and unfiltered responses to DNS queries, at the user's sole option.
Quad9 uses threat intelligence information derived from qualified threat intelligence analysts to provide optional security protection to Quad9's users. Quad9 vets threat intelligence analysts carefully and assesses the quality of the intelligence provided on a continuous basis. Threat intelligence is aggregated from these many sources into a single "block list" of domains believed with a high degree of confidence to exist principally or exclusively for the purpose of harming a user. With the acknowledgment that many of these data feeds consist of millions of malicious entities and are thus not subject to individual human review or scrutiny, Quad9 engages in continuous best-effort review of these data feeds to ensure quality and fitness-for-purpose. Quad9 engages bidirectionally with threat intelligence analysts to help them refine the quality of their analysis, and thus the degree of protection it affords Quad9's users. This engagement includes the sharing of data as defined in section 2.3.
Quad9 also allows users to query the current blocking status of any domain via a form on our web site. For every blocked domain, Quad9 discloses the identity of the threat analyst that suggested the block and provides any explanatory text they may have provided, via this mechanism.
Quad9 does not censor the answers it provides for any purpose other than the blocking of malicious domains associated with phishing, malware, vulnerability exploit, or fraud, as detailed in section 6.1. Quad9 does not accept censorship requests from governments or other entities. Quad9 specifies to its threat intelligence analysts that it does not accept domain-blocking suggestions for reasons of censorship and will reverse any such attempts we become aware of.
6.1.2 Accidental blocking
Quad9 accepts "false positive" reports from the public regarding domains users believe to be legitimate and erroneously blocked. These reports may be submitted through a form on our website or via email to firstname.lastname@example.org. Quad9 makes a best-effort attempt to investigate each reported domain manually. Users should bear in mind that malicious actors essentially always report their malicious domains to us as being erroneously blocked, so validating false positives is a laborious process. Upon determining that a blocked domain has been blocked erroneously, Quad9 adds it to an "allow list" that overrides the malicious threat intelligence we receive from threat intelligence analysts, and the domain is permanently removed from our aggregate block list.
7.0 Your rights
You have the right to receive information about your personal data processed by us in writing and free of charge at any time. You also have the right to correct, delete and limit the processing of data, as well as the release of certain personal data for transfer to another controller. Insofar as processing is based on your consent, you have the right to withdraw this consent with effect for the future. You will find the relevant contact details in the introduction to this privacy statement.
In addition, every data subject has the right to enforce his/her rights in court or to lodge a complaint with the competent data protection authority. The competent data protection authority of Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).
If you have any privacy-related questions or comments related to this Statement, please send an email to email@example.com. You can also contact us by writing to this address:
CleanerDNS Inc. dba Quad9, 1442 A Walnut Street, Suite 501, Berkeley CA 94709.
[Coming soon: Quad9, c/o SWITCH, Werdstrasse 2, P.O. Box, CH-2021 Zurich]
This Policy is published under a Creative Commons Attribution-NonCommercial-ShareAlike license.
Request for Comment 8932 - Recommendations for Privacy Service Operators
Example RPS Policy
Article 3 (a) FADP - Swiss Federal Act on Data Protection
2 CFR § 200.79 - United States law
Article 4(1) GDPR - European Union regulations
Caching/forwarding DNS resolver - Quora
Proxy server - Wikipedia
Network Address Translator - Wikipedia