The non-profit DNS service Quad9 seems to be suffering from its own success: the server cluster in Frankfurt that serves Germany is currently overloaded. At the moment, a very high percentage of DNS queries goes unanswered; at times the loss reaches an exorbitant third (30-35%). Answers sometimes take a second or two to arrive.
If the service, which recently moved to the more privacy-friendly Switzerland, is entered in the router as the only DNS resolver, loss and high latency noticeably delay the complete loading of websites, because the DNS resolver must first translate domain names such as ct.de into IP addresses (22.214.171.124 and 2a02:2e0:3fe:1001:302::) before the browser can load page elements.
The effect also throws Fritzboxes off track on which Quad9 is set up as a resolver (the translator between domain names and IP addresses) using the encrypted protocol DNS over TLS (DoT). For one reader, the only remedy was to re-establish the Internet connection on his router, which quickly becomes annoying if 50 DoT connections are aborted within a week.
Quad9's current unreliability makes the Internet appear very slow not only in networks behind routers, but also when it has been set up as the DNS resolver directly on a smartphone: if there is no response, clients repeat their name queries after a timeout, typically 5 seconds. Only when they get an answer can they load images or elements embedded from other sites, for example. The higher the loss, the longer it takes for the page to load completely.
Too many DNS requests
Two weeks ago, the c’t editors noticed unusually high loss in the single-digit percentage range for unencrypted DNS queries, occasionally even more, and reported this to Quad9 support. Support named a steadily growing volume of DNS queries as the reason for the dropouts in the Frankfurt cluster. Quad9 is working on increasing capacity in Frankfurt and activating new servers nearby in the network in order to better serve this region.
Little has improved since then. On the morning of September 29, we measured a 23 percent loss with the Linux tool dnsping, with an average response time of 135 milliseconds. Other systems typically respond in less than 20 ms and with much lower loss (0.1 percent at most). When we asked again, Quad9 said that new servers were being prepared for the Frankfurt cluster. As a non-profit organization, it depends on donations from its users and cannot expand its infrastructure as quickly as commercial providers.
Anyone who currently uses Quad9 as the sole DNS resolver and notices websites loading sluggishly should temporarily switch to another service, and possibly donate toward upgrading the Quad9 infrastructure (link on the Quad9 page). The situation can also be eased by simply entering additional resolvers in the configuration of the respective router or software client. This is also recommended for the Stubby software client, because it distributes DNS queries across the configured resolvers and thus protects privacy a little better.
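The loss and latency figures quoted above can be reproduced for your own resolvers with a short Python probe. This is an added example, not the dnsping tool the editors used; the function names, the resolver list, the query count and the 2-second timeout are assumptions.

```python
# Added example: dnsping-style probe. Not the c't measurement tool.
import os
import socket
import struct
import time

def build_query(name, qtype=1):
    """Wire-format query for `name` (qtype 1 = A) with a random transaction ID."""
    header = os.urandom(2) + struct.pack(">HHHHH", 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN

def is_reply_to(query, data):
    """True if `data` is a response (QR bit set) carrying the query's transaction ID."""
    return len(data) >= 12 and data[:2] == query[:2] and bool(data[2] & 0x80)

def summarize(rtts_ms, sent):
    """Return (loss_percent, average_rtt_ms); the average is None if nothing came back."""
    loss = 100.0 * (sent - len(rtts_ms)) / sent
    return loss, (sum(rtts_ms) / len(rtts_ms) if rtts_ms else None)

def probe(server, name, count=20, timeout=2.0, port=53):
    """Send `count` UDP queries to `server`, one at a time, and summarize the replies."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    rtts = []
    for _ in range(count):
        query = build_query(name)
        with socket.socket(family, socket.SOCK_DGRAM) as sock:
            start = time.monotonic()
            try:
                sock.sendto(query, (server, port))
                while True:
                    remaining = timeout - (time.monotonic() - start)
                    if remaining <= 0:
                        break  # deadline passed: counted as lost
                    sock.settimeout(remaining)
                    data, _addr = sock.recvfrom(4096)
                    if is_reply_to(query, data):  # ignore stray or mismatched packets
                        rtts.append((time.monotonic() - start) * 1000)
                        break
            except OSError:
                pass  # timeout or network error: counted as lost
    return summarize(rtts, count)

if __name__ == "__main__":
    # Resolver list is an assumption: 9.9.9.9 is Quad9; append the ones you configure.
    for resolver in ["9.9.9.9"]:
        loss, avg = probe(resolver, "ct.de")
        print(f"{resolver}: {loss:.0f}% loss, avg {avg} ms")
```

Run it against each resolver entered in the router or client to see which ones are dropping queries before deciding which to keep.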