This warning is being put out by Jigsaw Security analyst after reviewing public DNS server usage at customer sites. While this is guidance, customers are free to use whatever upstream DNS providers they wish but we wanted to make you aware of some potential issues. As many are aware Google provides free dns server 220.127.116.11 and 18.104.22.168 for use by anyone. This is great but is also another way for Google to specifically track what websites your organization visits. A new service reported by ARS Technica yesterday talked about sinkhole services being provided by Quad9 with the address of 22.214.171.124 as a public DNS service to help protect customers from malware and malicious content. While we agree with the concept of using RPZ and sinkhole as we use this in our offering, the fact that this sinkhole was funded by law enforcement should be a red flag as to the purpose of using it. There are very specific privacy concerns with using public DNS servers because it exposes user activity and may allow external organizations to target your organization in various types of attacks. Jigsaw Security recommends all customers have their own DNS servers and that those DNS servers are configured to use root servers to perform lookups if the lookup is not local. With that configuration there is no single server that can log all activity originating from your networks allowing for more anonymous use of Internet resources. It is known that Google uses DNS to track user behavior and to target advertising with this method. It is also believe that Quad9 will probably use this to protect the public but may also report activity to law enforcement. If you have any questions concerning this report please contact the SOC directly for recommendations.