
Significance of Quad9 DNS Resolver Errors using https://dnscheck.tools/

GoldWing

Regular Contributor
Hello,

Besides potential Email issues, is there any security significance to Quad9's resolvers reflecting an error when hovering your cursor over the PTR resolver address that is underlined in red, with the error reading "PTR record (reverse DNS) for this IP Warning: The claimed hostname does not resolve to this IP." See the attached image.

PTR_Err_Screenshot From 2026-03-13 16-07-20.jpg


I run all internet traffic through a VPN using my Asus router's WAN settings to have all DNS queries provided by Quad9 using DoT with Quad9's malware protection. The errors are generated when I browse to the URL of "https://dnscheck.tools/" to check that my router's settings are functioning as intended. I have submitted info to Quad9's support. Their reply is enclosed in the CODE below:

Code:
Hello,
 
As the message indicates, it's a "warning", not an "error", which is a generous log level assignment and is probably more like "info".
 
It's stating that the forward and reverse zones don't match for that IP. Getting those matching globally is on our list of things to do, but not in the next few months.
 
Since our network partners own the Unicast IP space, we cannot set this ourselves and have to ask for them to change it.
 
That is a project that will take dozens of hours to sync up globally between us and our network partners, which is a formidable task for our small nonprofit run by 8 full-time staff.

Appreciate you bringing this to our attention, and we appreciate dnscheck.tools' attention to detail.

I've already verified that my Linux machine is running DoT by using Quad9's Protocol Test, which returns "dot." when their command is run from the terminal. I've already checked with my email service, which stated there is no problem with Quad9's resolvers showing the PTR error as it pertains to my email client on my PCs. So I'm thinking I'm okay. I'm simply trying to reduce my risk while browsing the internet, and thought that I'd ask the question above.

Thanks for the help!

Regards,
GoldWing
 
This is potentially a bigger issue.
Yes I agree.

IMHO the relevant question is whether or not the errors diminish security. That is the very reason I asked the original question.

If you look at the image you will see the DNS resolvers are on the "pch.net" domain, which is an abbreviation for "Packet Clearing House Inc.", and is a sponsor and "Founding Organizations" organization of Quad9.net.

Logically, at a high level, there are 2 options. The first option is that it is, as Quad9's support stated, just "probably more like info." The second option is something else, which encompasses scenario(s) that may diminish security and the whole purpose of using encrypted DoT queries. Please feel free to correct me if I've erred.

Thanks for the help!

Regards,
GoldWing
 
I have connection issues with DoT to Quad9 resolvers. If you need DNS security, use DNSSEC to Quad9 or use another filtering or safe DNS such as Cloudflare Security 1.1.1.2 and 1.0.0.2.
 
There really isn’t any relation between Quad9’s backend servers and your email security. You talk to 9.9.9.9 (or one of its variants). What Quad9 does behind the scenes to resolve your DNS queries isn’t related to the fact that they don’t have forward and reverse lookups for 100% of their backend servers, for the reasons they mentioned in their support response.

That warning was only implemented on dnscheck.tools back in October. It’s not really a problem to worry about if you’ve already decided to trust Quad9.
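
The warning text in this thread describes a forward-confirmed reverse DNS check: look up the PTR name for the resolver's IP, resolve that name forward, and see whether the original IP comes back. The Python below is an added example of that check, not code from the thread, dnscheck.tools or Quad9; the function names are assumptions, and the sample records are constructed on documentation address ranges.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR lookup through the system resolver; hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None

def system_forward(hostname):
    """A/AAAA lookup through the system resolver; set of IP strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()

def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (status, ptr_name); status is one of
    'no-ptr', 'forward-missing', 'mismatch', 'match'."""
    target = ipaddress.ip_address(ip)
    name = ptr_lookup(ip)
    if not name:
        return "no-ptr", None
    name = name.rstrip(".").lower()
    addrs = set()
    for addr in forward_lookup(name):
        try:  # parse so different spellings of one IPv6 address compare equal
            addrs.add(ipaddress.ip_address(addr.split("%")[0]))
        except ValueError:
            continue
    if not addrs:
        return "forward-missing", name  # claimed name has no A/AAAA at all
    return ("match" if target in addrs else "mismatch"), name

# Constructed sample zone data (hypothetical hostnames, RFC 5737/3849 ranges).
SAMPLE_PTR = {"192.0.2.10": "res10.example.net",
              "192.0.2.20": "res20.example.net",
              "192.0.2.30": "RES30.example.net.",
              "2001:db8::1": "v6.example.net"}
SAMPLE_FWD = {"res10.example.net": {"192.0.2.10"},
              "res20.example.net": {"198.51.100.20"},
              "v6.example.net": {"2001:0db8:0000:0000:0000:0000:0000:0001"}}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip)

def sample_forward(hostname):
    return SAMPLE_FWD.get(hostname, set())

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, fcrdns(ip, sample_ptr, sample_forward))
```

Calling `fcrdns(ip)` with no lookup arguments uses the system resolver instead of the sample data.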
 
