
John Todd: “We do about 600 million blocking events per day where we prevent somebody’s computer from connecting to a site that we know is harmful.”

John Todd is the General Manager of Quad9, a free global open DNS recursive resolver. The following interview is one of three that dive into the struggles and achievements of nonprofit organizations for which Common Good Cyber intends to contribute transformative cybersecurity funding.

Can you explain what Quad9 does and why a non-technical person should care about it?

Quad9 is an open DNS recursive resolver. Every transaction on the Internet starts with your computer needing to talk to another computer. When presented with a name like www.amazon.com, your computer needs to figure out the IP address that’s associated with that name. A DNS recursive resolver is usually run by your Internet Service Provider (ISP), or your company, or your school. You give the name, and the DNS recursive resolver does a very complex transaction and figures out the IP address.

We replace that local resolver with a version that we operate, and we find the IP address for you. We basically do the same job, but with two interesting components. The first is cybersecurity – if you try to look up a name that we know is malicious – meaning it’s got malware or it’s a phishing site or it’s a stalkerware site – we don’t give you the IP address. By not answering the question, we prevent you from going to a site that is trying to do you harm.

The second part is privacy. When you’re online, this data set is quite valuable to advertisers and people who are trying to create a portfolio of what you as a person are doing. Even though they don’t see what’s on the web pages, they know that you’re going to certain sites, and that’s usually good enough for their privacy-invasive methods to build a profile on individuals. In contrast, we don’t collect any data about individuals’ queries, and we see it as part of our mission to protect people’s privacy. We immediately discard any association between a website and a person. In fact, we never collect email addresses or anything else. You can use our service without signing up, without a contract – you can just convert your computer to using Quad9 and we don’t even want to know who you are.

So those two things, cybersecurity and privacy, are what really drive adoption of Quad9. There are other benefits we offer such as better performance through faster query response, and that we help researchers and engineers with Internet stability and resilience.

How has Quad9 positively impacted society and enhanced our community well-being?

We do about 670 million blocking events per day where we prevent somebody’s computer from connecting to a site that we know is harmful – some days we go to 1.5 billion or more blocks depending on threat campaigns that are active. We have a huge worldwide user community. We’re in 113 countries and have 261 different locations, with a community of over 100 million users daily. This blocking of malicious events is a significant benefit to end users, especially in areas where cybersecurity infrastructure and investment have been traditionally low or entirely absent. Free services like ours are often the only protection reasonably available to the vast majority of a population in a region.

The second part is where we protect people’s privacy by not collecting information on end users. We are trying to slow this train down where the user is commodified, where their personal data, the map about where they’re going and what they’re doing is being sold and remarketed. We’re really trying to put a dent in that. And, as a secondary privacy goal, we’re trying to create a standard of privacy that others are forced by example to emulate. By Quad9’s creation of a very strict privacy guideline, we’re trying to create a standard for other organizations to develop themselves, whether those are ISPs or other large open recursive resolvers or network providers. Our intent is to say, “This is the standard to which we hold privacy. You should be doing the same thing because people now have a choice, they can go to us. Improve the protections you give to users to stay relevant.”

Has Quad9 ever faced funding challenges to stay sustainable? What kind of resources, either financial or otherwise, are essential for your survival and your continued operations?

Our query volume has been growing relatively consistently for the last several years at around 2% per week growth, which is a terrifying number if you’re a nonprofit and have a very limited budget to roll out and expand the network. Our income from sponsorships and grants is not growing at 2% per week. While there’s not a linear relationship between those two things, there needs to be some connection.

As a nonprofit, it’s really challenging and keeps me up at night to think about. We have this incredible demand for what Quad9 is doing. How do we deploy enough equipment in enough locations, and how do I have enough people on the team to manage that growth? That’s really the biggest challenge for us right now, because again, we don’t monetize the end users.

We have definitely faced significant challenges with funding over the years. We have three primary areas where our funding goes. The first is infrastructure – we have to buy servers, ship them, get them deployed into various places. The good news is that we have partners giving us sponsorships. The second is staff, the biggest line in the budget. As a network grows, you can scale to a certain degree with automation, but with huge user volumes and interesting and exotic problems, the edge cases become very expensive and require people to think about them and software solutions to get around those issues. We face significant challenges keeping the organization fully staffed in a way that doesn’t burn out the team members. The third is administrative overhead, basically the cost of keeping the lights on. It covers accounting, compliance, travel for conferences, communications, licenses and of course legal costs. Percentage-wise it’s a small part of our annual budget, but we do face increases in legal costs as we continue to push for policy and legal efforts that promote a single Internet via a single DNS namespace.

We don’t get a significant amount of money from individual end users, because the DNS isn’t a web-based system where we can interact with end users regularly to do fundraising. In fact, most end users don’t even know they’re using Quad9. There’s nothing you have to click through to use the DNS, so there’s no way for us to tap the user community for donations in any real way because we can’t get in front of them – we can’t get on their screens no matter how much value we bring to them.

Therefore, we have to go to the people that we’re benefiting, and some of them understand the benefit we provide, and some of them don’t. Some funding right now comes from the threat intelligence community because they already understand the concept of what these protective events do and how much those cost.

We’re using every dollar that we get. In fact, we’re using a little bit more than every dollar we get right now. We have some grants from organizations like Open Technology Fund (OTF) and the EU, and most recently a one-time grant from Craig Newmark Philanthropies, but those alone cannot lift us up to be able to meet the demands for our services and our goal to be viable in the next five years at our steady growth rate.

We have to find organizations who understand the benefit that we provide to the global user community and who are interested in that benefit in and of itself. Stability of the Internet, trust in the network, protection of users against criminal and other threats – everyone says those are laudable goals, but finding organizations that can put funding toward specific solutions is a challenge. The grant world seems to be focused on defining a project and paying for it for a defined outcome or paper, and an operations-focused ongoing solution for end users like Quad9 has a hard time fitting into those preconceived notions and short-term projects. We are not a research organization, and we are designed to operate for many years – possibly many decades. We are extremely outcomes-focused, and the overhead of finding grants can’t overshadow the work that we need to do. All these things make the process of funding quite challenging.

What would be the consequences if Quad9 shut down?

Quad9 provides DNS services to what we estimate to be more than 100 million end users. If we shut down, chances are high that a large segment of those users would suddenly go dark; they wouldn’t be able to access the Internet. Now, that’s only for a short period of time over a couple of hours or days – they would figure it out and they would move to a different recursive resolver. But for some period of time, there would be significant outages for that user community.

Outside of those dire immediate results, the longer-term impacts would be more significant. In the long run (and more importantly) what it would mean is those 670 million block events that we’re preventing every day would become unblocked. We would see an increase in the malicious activity of a huge number of different types of campaigns. Those end users that have Quad9 today would become victims of whatever those bad events were, whether that’s ransomware or phishing or botnets or stalkerware or APTs. We would see an increase in malicious activity – a fairly significant increase in malicious activity in some cases. People’s lives would be impacted; businesses would suffer from attacks, identities would be stolen, and there would be subtle or not-so-subtle negative economic results at a regional or national level across the globe.

The impact on privacy is harder to measure or put a cost upon, but we believe it is as significant. I’m not even sure how to quantify that, but if we were to stop offering our services, users would have to shift to a commercial service with corresponding risks or to some less-performant solution.

What would it take for someone else to fill that gap or to continue the services you provide if they were starting from scratch?

I’m actually not sure it could be done starting from scratch at this point. Quad9 is one of the few organizations that has the ability to reach all of these different geographies. We provide services in places that nobody else wants to go. We don’t focus our service in purely the places where there’s money. We are everywhere. Getting into these places that we’ve deployed with our partners, especially in sub-Saharan Africa as an example or in South America and Central Asia, it’s just not possible without massive expense for minimal return. A for-profit company would have no interest, and a nonprofit company would have no resources. There are no data centers there, or if there are, they’re not very well connected. We are on the Internet Exchange Points at most of these locations, meaning we have access to most of the citizens. It’s extremely difficult to do, if not impossible at the scale at which we have done it. It would be many tens of millions of dollars or into the 9-figure range to reproduce what we’ve done in a sustainable way. Lastly, the reputation and trust that we have developed has taken the better part of a decade to build, and that is our most valuable asset that is not possible to reproduce. Even in places where it is easy to deploy infrastructure, you still need to draw users to the platform, and that can only be done through belief that the DNS provider has a mission that aligns with the goals of the end user – something that for-profit organizations struggle with due to their very nature.

You could create another DNS recursive resolver and put it at a couple of data centers around the world relatively inexpensively, but our belief is that it would not be well used because it would be slow. The combination of the breadth of the infrastructure we’ve deployed, plus the combination of all these different threat intelligence providers that we’ve collected, plus the trust that we’ve generated in the user community because they believe that we are preventing them from leaking their private data – those are, I think, impossible to do right now. And I don’t frankly see anybody being able to do that at the same scale that we’ve accomplished.

