Swiss Resolver Transparency Tool · Residential ISPs vs Quad9
Not necessarily. Many large websites use GeoDNS: they return different IP addresses depending on where the DNS query originates, directing users to the nearest server for better performance. Because your ISP's resolver is located in Switzerland and Quad9 operates a global anycast network, the two resolvers may appear to be in different locations from the perspective of the authoritative name server, and can therefore receive different A records for the very same domain.
Yes. Both nslookup and dig let you specify which resolver to use. Here are examples for querying the Swisscom resolver and Quad9 directly:
dig is available on macOS and Linux by default. On Windows, you can use nslookup (built-in) or install dig via BIND tools or WSL.
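The comparison described above can be scripted. The following is an added example, not part of the original page: it queries one domain through an ISP resolver and through Quad9 (9.9.9.9) with dig and classifies the two answers. The ISP resolver address and the block-page IP are parameters you supply (assumptions, not values from this page), and the sample addresses are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original page). Verdicts are hints, not proof:
# "different" often just means GeoDNS, as explained above.

# Keep only IPv4 lines of `dig +short` output (drops CNAME targets), sorted.
ipv4_only() {
    printf '%s\n' "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# classify ISP_OUTPUT QUAD9_OUTPUT [BLOCK_IP]
# BLOCK_IP is an assumption: the address of your ISP's block page, if known.
classify() {
    c_isp=$(ipv4_only "$1")
    c_q9=$(ipv4_only "$2")
    c_block=${3:-}
    if [ -n "$c_block" ] && printf '%s\n' "$c_isp" | grep -qxF "$c_block"; then
        echo "isp-block-page"      # ISP answer points at the block page
    elif [ -z "$c_isp" ] && [ -z "$c_q9" ]; then
        echo "no-answer-both"      # neither resolver returned an A record
    elif [ -z "$c_isp" ]; then
        echo "no-answer-isp"       # only the ISP resolver withheld an answer
    elif [ -z "$c_q9" ]; then
        echo "no-answer-quad9"     # only Quad9 withheld an answer
    elif [ "$c_isp" = "$c_q9" ]; then
        echo "same"
    else
        echo "different"           # GeoDNS is the usual cause
    fi
}

# compare_resolvers DOMAIN ISP_RESOLVER_IP [BLOCK_IP]   (needs network and dig)
compare_resolvers() {
    cr_isp=$(dig +short @"$2" "$1" A)
    cr_q9=$(dig +short @9.9.9.9 "$1" A)
    classify "$cr_isp" "$cr_q9" "${3:-}"
}

# Constructed sample outputs (documentation address ranges), so this runs offline.
SAMPLE_ISP='192.0.2.1'
SAMPLE_Q9='cdn.example.net.
203.0.113.10'
classify "$SAMPLE_ISP" "$SAMPLE_Q9" 192.0.2.1    # prints isp-block-page
```

For a live check, call `compare_resolvers` with a domain and the address of your ISP's resolver.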
Here are a few distinct reasons:
Online gambling is the most widely discussed case. The revised Federal Act on Gambling (Bundesgesetz über Geldspiele), which introduced mandatory blocking of unlicensed gambling sites, was put to a popular referendum in 2018 and approved by 72.9% of Swiss voters. Swiss ISPs are therefore legally required to redirect DNS queries for blacklisted domains to a block page.
Blocks ordered by state attorneys have been imposed by Swiss cantonal prosecution authorities (Staatsanwaltschaften) and cover a further range of content beyond gambling. Their legal basis is currently being contested by Swiss ISP Init7.
Malware and phishing protection is voluntary: ISPs like Swisscom choose to block known malicious domains as a service to their customers, similar to what Quad9 does by default.
DNS-based blocking only works if your device is actually using your ISP's resolver. If your DNS traffic is going elsewhere, the block is bypassed entirely. Common reasons this happens:
Alternative DNS resolvers — If your router, browser, or operating system is configured to use a third-party resolver like Quad9 (9.9.9.9), Google (8.8.8.8), or Cloudflare (1.1.1.1), your ISP's blocklist is never consulted.
VPN — VPN services typically route your DNS queries through their own infrastructure, outside your ISP's network.
iCloud Private Relay — Apple's privacy feature routes DNS and web traffic through Apple's proxy servers, bypassing ISP-level resolution entirely.
DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) — Modern browsers and operating systems increasingly support encrypted DNS, which may route queries to a resolver of the vendor's choosing rather than your ISP's.
During the public consultation on the Federal Act on Gambling, a number of stakeholders — including civil liberties organisations and technical experts — argued that DNS blocking is both insufficient and disproportionate:
Easy to circumvent — As described above, simply changing your DNS resolver is enough to bypass the block. Technically literate users face no meaningful barrier.
Risk of overblocking — DNS blocking is a blunt instrument. When a blocked domain shares infrastructure with legitimate services (e.g. through shared hosting or CDNs), the block can inadvertently affect unrelated content — so-called collateral damage. IP-based blocking, sometimes proposed as a stronger alternative, makes this problem significantly worse.