DNS

Of all the digital glues holding the Internet together, the domain name system is probably one of the most critical, yet also the weakest.  The current protocol as a whole is unencrypted, and if it goes down, or is interfered with, then that prevents communication with anything not reached by a hard-coded IP address.  But even then, SSL PKI breaks down unless the certificate in question was specifically exempted.  In short, a DNS failure would break the Internet.

And it was exactly that scenario in which I found myself recently.  I, the security-minded sysadmin of the home, had long since switched my DNS provider over to what at the time I determined to be the most privacy-minded and secure: Quad9.  And I had never had any issues since.  But I made an error with my configuration: I specified two Quad9 DNS IPs, rather than using a different party as fallback.  And when, for inexplicable reasons, Quad9’s DNS servers ceased to resolve my DNS queries, I found myself offline–sort of.

Certain devices bypassed DNS, notably my work laptop and the Ring cameras.  Liz’s work laptop did not, however, which is an interesting aside in that mine must have a hard-coded VPN IP and hers did not.

But back to the main story.  I had never experienced a DNS provider failure before, and it took some rather lengthy late-night testing to figure out the problem.  Ultimately, I ended up switching back to OpenDNS with a Google fallback–not my ideal configuration, but one I’m sure won’t experience any downtime.
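The two mistakes the post turns on, a resolver list whose entries all belong to one provider and the late-night guesswork about whether a resolver is answering at all, can both be checked mechanically.  The following is an added example, not Simon’s own configuration or tooling: it parses a resolv.conf-style list, flags the single-provider dependence, and probes each resolver with a minimal DNS query so that a timeout (no reply) can be told apart from SERVFAIL or REFUSED (a reply that declines to resolve).  The provider table is an assumption limited to the well-known public addresses of Quad9, OpenDNS and Google; the resolv.conf text is constructed to mirror the two-Quad9 setup described above.

```python
"""Resolver diversity check and per-resolver probe (added example, not from the post)."""
import random
import socket
import struct

# Assumed table of well-known public resolver addresses; anything else is reported by IP.
PROVIDERS = {
    "9.9.9.9": "Quad9", "149.112.112.112": "Quad9",
    "208.67.222.222": "OpenDNS", "208.67.220.220": "OpenDNS",
    "8.8.8.8": "Google", "8.8.4.4": "Google",
}

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def provider_of(ip):
    """Name the operator of a resolver address, or 'unknown' if not in the table."""
    return PROVIDERS.get(ip, "unknown")


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_diversity(servers):
    """Return (ok, keys): ok is False when every listed resolver is run by one provider.

    Unknown addresses are keyed by IP, so two unknown resolvers count as independent.
    """
    keys = [PROVIDERS.get(s, s) for s in servers]
    return (len(set(keys)) >= 2, keys)


def build_query(name, txid):
    """Encode a minimal recursive A query for name with transaction id txid."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = [lbl.encode("ascii") for lbl in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(data, txid):
    """Map a raw DNS reply to a status string, rejecting replies whose id does not match."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, an = struct.unpack("!HHHH", data[:8])
    if rid != txid:
        return "id-mismatch"
    if not flags & 0x8000:  # QR bit: must be a response
        return "not-a-response"
    rcode = flags & 0x000F
    if rcode == 0 and an == 0:
        return "NOERROR-no-answers"
    return RCODES.get(rcode, "RCODE%d" % rcode)


def probe(resolver, name="example.com", timeout=2.0):
    """Send one UDP query to resolver and classify the outcome; 'timeout' means no reply."""
    txid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _addr = sock.recvfrom(512)
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "error: %s" % exc
    finally:
        sock.close()
    return classify_response(data, txid)


# Constructed resolv.conf mirroring the two-Quad9 configuration from the post.
SAMPLE_RESOLV_CONF = """# constructed sample, not a real host's file
nameserver 9.9.9.9
nameserver 149.112.112.112
"""

if __name__ == "__main__":
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    ok, keys = check_diversity(servers)
    print("resolvers:", servers, "providers:", keys, "diverse:", ok)
    for s in servers:
        print(s, provider_of(s), probe(s))
```

Run against a real resolv.conf, the diversity check fails loudly on exactly the setup in the post, and the probe distinguishes a resolver that is unreachable (timeout, consistent with filtering or an outage) from one that answers but refuses to resolve (REFUSED or SERVFAIL), which narrows the question the author was left asking.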

Yet in the end, I’m left to wonder: What happened to Quad9?  The Internet community as a whole offered no information, which I’m sure would have been available anecdotally had Quad9 truly ceased to function.  Perhaps Spectrum was blocking it?  But why would they do that, only to allow me to use other DNS providers?  If forcing customers to use their own, why didn’t they block OpenDNS and Google?

I posit this query to the universe.  In the meantime, know that you may have issues with a Quad9/Spectrum configuration.

–Simon