The Global Cyber Alliance has given the world a new free Domain Name Service resolver, and advanced it as offering unusually strong security and privacy features.
The Quad9 DNS service, at 9.9.9.9, not only turns URIs into IP addresses, but also checks them against IBM X-Force's threat intelligence database. Those checks protect against landing on any of the 40 billion evil sites and images X-Force has found to be dangerous.
The Alliance (GCA) was co-founded by the City of London Police, the District Attorney of New York County and the Center for Internet Security and styled itself "an international, cross-sector effort designed to confront, address, and prevent malicious cyber activity."
[...] The organisation promised that records of user lookups would not be put out to pasture in data farms: "Information about the websites consumers visit, where they live and what device they use are often captured by some DNS services and used for marketing or other purposes", it said. Quad9 won't "store, correlate, or otherwise leverage" personal information.
[...] If you're one of the lucky few whose ISP offers IPv6, there's a Quad9 resolver for you at 2620:fe::fe (the PCH public resolver).
https://www.theregister.co.uk/2017/11/20/quad9_secure_private_dns_resolver/
takyon: Do you want to give the City of London Police control of your DNS?
(Score: 5, Insightful) by The Mighty Buzzard on Tuesday November 21 2017, @01:17PM (13 children)
Am I the only one who sees this as a Bad Thing? I mean, isn't this exactly what we bitched about breaking DNSSEC during the whole SOPA mess?
My rights don't end where your fear begins.
(Score: 1, Informative) by Anonymous Coward on Tuesday November 21 2017, @01:35PM (1 child)
As long as no one forces you to use that resolver, it is not that bad. Just use another resolver (and tell others to do so, too). That's the problem with bad laws: You cannot avoid them.
If their service breaks with DNSSEC domains, well, too bad for them. If legally required measures conflict with DNSSEC, it's everyone's problem.
(Score: 2) by meustrus on Tuesday November 21 2017, @02:51PM
But this is a big organization putting out a good free solution. The existence of 9.9.9.9 will suppress other efforts, especially if it's as good as they say, because there's no money to be made in doing better. It would be OK if this were an open solution that anybody could fork, but it's based on proprietary datasets that no open solution will ever have access to.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 3, Interesting) by c0lo on Tuesday November 21 2017, @02:42PM
Yes and no.
Yes, the SOPA provisions on DNS-redirection would break DNSSEC.
No, SOPA's provisions for filtering and consequently refusing to resolve to IP (and this quad9 as well) would be supported by the DNSSEC's authenticated denial of existence [ietf.org] (another FA (PDF) [sidnlabs.nl] which I found more comprehensible)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 4, Informative) by Whoever on Tuesday November 21 2017, @04:37PM (1 child)
No, this is clearly a bad thing.
This suggests to me that it will be used to attempt to block sites that are subject of copyright complaints made to the CoL police. Nothing to do with security.
Sorry, I don't believe this.
(Score: 0) by Anonymous Coward on Wednesday November 22 2017, @03:33AM
Doesn't that effectively translate to GCHQ and NSA? ;)
(Score: 3, Insightful) by Runaway1956 on Tuesday November 21 2017, @05:02PM (4 children)
This is obviously a Good Thing™ for everyone! We decide what is good, and what is bad, then you check with us to see if you're allowed to look at a page. If we give permission, you know that it's a Good Thing™, and if we don't give permission, you know that it's a Bad Thing™. While some try to claim that this is a form of censorship, you, a good upright Citizen, know that IBM is all about Good Thing™. Trust us, we'll keep you safe!! Best of all, this can all be done in the background, automagically, so that you never really know that you've been denied permission to view a page. Good Thing™ - configure once, then it's out of sight, and out of mind!!
(Score: 2) by bob_super on Tuesday November 21 2017, @07:47PM (3 children)
How is that different from what DNS providers already do, except for being upfront about rejecting flagged domains?
(Score: 2) by Runaway1956 on Wednesday November 22 2017, @02:41AM (2 children)
There's probably not much difference, except that in this case, you're relying on a single commercial entity to do all of your censorship for you. Of course, if you use Google resolvers, you have the same thing. Of the two, Google may be a bit more lenient. I certainly don't trust IBM to handle this rather sensitive bit of work. IBM has a rather sordid human rights history, after all. http://www.ibmandtheholocaust.com/ [ibmandtheholocaust.com] and http://www.ibmandtheholocaust.com/index.php?page=70127 [ibmandtheholocaust.com]
(Score: 2) by bob_super on Wednesday November 22 2017, @07:02AM (1 child)
In a country where most CEOs can't think past 8 quarters, it would be good to stop judging a company based on actions taken 75 years ago by people completely unrelated in any way, especially culture, to those currently in power.
Why would anyone do business with a country responsible for mass internal deportation of its citizens with yellow skin, and dropping atomic bombs on cities?
I'll agree with you if the nasty actions do have a continuity into the present, like the mass deportations leading to the current Apartheid mess in Israel.
(Score: 2) by Runaway1956 on Wednesday November 22 2017, @09:52AM
The sorry state of our CEO's is well known - but that doesn't mean they're all that way. IBM and Israel? https://en.wikipedia.org/wiki/IBM_Israel [wikipedia.org] Wait a second - how did I get Bing as a search engine? . . . Alright here's an IBM and apartheid link - https://www.counterpunch.org/2017/05/03/apartheid-in-the-shadows-the-usa-ibm-and-south-africas-digital-police-state/ [counterpunch.org] http://www-cs-students.stanford.edu/~cale/cs201/ [stanford.edu]
This one may be more interesting - it is certainly current - https://www.bloomberg.com/news/2014-06-03/hp-and-ibm-list-north-korea-as-a-supplier-in-conflict-mineral-reports.html [bloomberg.com]
I'll stand by my statement - IBM has a history of dark dealings with oppressive governments. Did I mention that corporate CEO's have poor ethics, and poor judgement? IBM epitomizes that fact. The "culture" at IBM is probably much different from the run-of-the-mill corporation. IBM is well known for being stable, and profitable. They seldom make the news for stupid shit, like sexual harassment, or openly polluting the environment. Their ethics are probably pretty sound, in a business sense. But, in a humanitarian sense, their ethics suck ass. IBM will comply with the law, but they care little about slave labor, apartheid, oppression of any form. If there is money in killing little brown children, you'll find IBM there, helping to categorize and round them up.
History. IBM hasn't changed in the past seventy or eighty years. People may come and go, but companies that last over 100 years aren't going to change an awful lot. They've got a winning formula, and they aren't going to give it up.
https://www.thoughtco.com/ibm-timeline-1992491 [thoughtco.com]
(Score: 3, Informative) by edIII on Tuesday November 21 2017, @08:10PM (2 children)
LOL. No. This is a joke.
That being said, I wouldn't mind trying this through TOR or something. Not for resolving, but just another DNS I can look up bad actors on and weigh the results. 40 billion evil domains sounds like an incredible amount, and nothing to scoff at. Yet... I know because it is the City of London, that it will be full pants-on-head retarded about fighting piracy and will not resolve private trackers and undesirable sites. It will be a curated and censored list of "good" domains.
Of course, all that is assuming that they respond with 127.0.0.1 most of the time. They don't, but instead resolve the address for you. That's not how a RBL works either. So how do I tell if it is an evil site, or a good site? A redirect to their servers with a landing page saying, "This is bad, mkay? You don't search for torrents mkay? P2P is evil mkay?"
Not sure I could even integrate this properly with pfsense, and could only use it as a primary resolver. No thanks.
Technically, lunchtime is at any moment. It's just a wave function.
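Added example (not part of any comment in this thread, and not Quad9's code): one way to answer the question raised above of how a client can tell a filtered answer from a real one is to classify the raw DNS response. It separates a loopback/0.0.0.0 "sinkhole" answer from NXDOMAIN, and flags an NXDOMAIN whose authority section is empty, since a genuine negative answer normally carries an SOA there (and NSEC/NSEC3 under DNSSEC). The function names, the sample responses and the "bare NXDOMAIN means synthesized" reading are assumptions for illustration, not documented Quad9 behaviour.

```python
import ipaddress
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:                  # root label terminates the name
            return off

def classify(msg):
    """Classify a response: resolved, sinkhole, nxdomain, nxdomain-bare or other."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            addrs.append(ipaddress.ip_address(msg[off:off + 4]))
        off += rdlen
    if rcode == 3:
        # Heuristic (assumption): no SOA in the authority section means the
        # denial cannot be a relayed authoritative negative answer.
        return "nxdomain" if ns else "nxdomain-bare"
    if addrs and all(a.is_loopback or a.is_unspecified for a in addrs):
        return "sinkhole"
    return "resolved" if addrs else "other"

def build(host, rcode=0, a=None, soa=False):
    """Construct a sample response (constructed test data, not captured traffic)."""
    q = b"".join(bytes([len(p)]) + p.encode() for p in host.split(".")) + b"\x00"
    body = q + struct.pack("!HH", 1, 1)
    if a:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.ip_address(a).packed
    if soa:                                     # minimal SOA: root names + five zero counters
        body += b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 60, 22) + b"\x00\x00" + bytes(20)
    hdr = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, 1 if a else 0, 1 if soa else 0, 0)
    return hdr + body
```

Comparing the classification of the same name from a filtering resolver and from a non-filtering one shows which kind of signal, if any, the filter uses.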
(Score: 2) by requerdanos on Wednesday November 22 2017, @12:53PM (1 child)
Yet, it properly resolves thepiratebay.org.
(Score: 2) by edIII on Wednesday November 22 2017, @11:04PM
Really? That's astounding given the involvement of the UK, and almost makes no sense. If the ISPs are blocking it in general, why would they allow it to resolve? Somewhat encouraging if that means the UK has a small amount of influence over the blacklist.
Technically, lunchtime is at any moment. It's just a wave function.