
SoylentNews is people

posted by Fnord666 on Tuesday November 21 2017, @12:59PM
from the promise-we-won't-peek dept.

The Global Cyber Alliance has given the world a new free Domain Name Service resolver, and advanced it as offering unusually strong security and privacy features.

The Quad9 DNS service, at 9.9.9.9, not only turns URIs into IP addresses, but also checks them against IBM X-Force's threat intelligence database. Those checks protect against landing on any of the 40 billion evil sites and images X-Force has found to be dangerous.

The Alliance (GCA) was co-founded by the City of London Police, the District Attorney of New York County and the Center for Internet Security and styled itself "an international, cross-sector effort designed to confront, address, and prevent malicious cyber activity."

[...] The organisation promised that records of user lookups would not be put out to pasture in data farms: "Information about the websites consumers visit, where they live and what device they use are often captured by some DNS services and used for marketing or other purposes", it said. Quad9 won't "store, correlate, or otherwise leverage" personal information.

[...] If you're one of the lucky few whose ISP offers IPv6, there's a Quad9 resolver for you at 2620:fe::fe (the PCH public resolver).

https://www.theregister.co.uk/2017/11/20/quad9_secure_private_dns_resolver/

takyon: Do you want to give the City of London Police control of your DNS?


  • (Score: 5, Insightful) by The Mighty Buzzard on Tuesday November 21 2017, @01:17PM (13 children)

    by The Mighty Buzzard (18) <themightybuzzard@proton.me> on Tuesday November 21 2017, @01:17PM (#599622)

    Am I the only one who sees this as a Bad Thing? I mean, isn't this exactly what we bitched about breaking DNSSEC during the whole SOPA mess?

    --
    My rights don't end where your fear begins.
  • (Score: 1, Informative) by Anonymous Coward on Tuesday November 21 2017, @01:35PM (1 child)

    by Anonymous Coward on Tuesday November 21 2017, @01:35PM (#599629)

    As long as no one forces you to use that resolver, it is not that bad. Just use another resolver (and tell others to do so, too). That's the problem with bad laws: You cannot avoid them.

    If their service breaks with DNSSEC domains, well, too bad for them. If legally required measures conflict with DNSSEC, it's everyone's problem.

    • (Score: 2) by meustrus on Tuesday November 21 2017, @02:51PM

      by meustrus (4961) on Tuesday November 21 2017, @02:51PM (#599661)

      But this is a big organization putting out a good free solution. The existence of 9.9.9.9 will suppress other efforts, especially if it's as good as they say, because there's no money to be made in doing better. It would be OK if this were an open solution that anybody could fork, but it's based on proprietary datasets that no open solution will ever have access to.

      --
      If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
  • (Score: 3, Interesting) by c0lo on Tuesday November 21 2017, @02:42PM

    by c0lo (156) on Tuesday November 21 2017, @02:42PM (#599653)

    I mean, isn't this exactly what we bitched about breaking DNSSEC during the whole SOPA mess?

    Yes and no.

    Yes, the SOPA provisions on DNS-redirection would break DNSSEC.

    No, SOPA's provisions for filtering and consequently refusing to resolve to IP (and this quad9 as well) would be supported by the DNSSEC's authenticated denial of existence [ietf.org] (another FA (PDF) [sidnlabs.nl] which I found more comprehensible)

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 4, Informative) by Whoever on Tuesday November 21 2017, @04:37PM (1 child)

    by Whoever (4524) on Tuesday November 21 2017, @04:37PM (#599715)

    No, this is clearly a bad thing.

    The Alliance (GCA) was co-founded by the City of London Police,

    This suggests to me that it will be used to attempt to block sites that are the subject of copyright complaints made to the CoL police. Nothing to do with security.

    Quad9 won't "store, correlate, or otherwise leverage" personal information.

    Sorry, I don't believe this.

    • (Score: 0) by Anonymous Coward on Wednesday November 22 2017, @03:33AM

      by Anonymous Coward on Wednesday November 22 2017, @03:33AM (#600028)
      City of London police AND some US entity.

      Doesn't that effectively translate to GCHQ and NSA? ;)
  • (Score: 3, Insightful) by Runaway1956 on Tuesday November 21 2017, @05:02PM (4 children)

    by Runaway1956 (2926) on Tuesday November 21 2017, @05:02PM (#599721)

    This is obviously a Good Thing™ for everyone! We decide what is good, and what is bad, then you check with us to see if you're allowed to look at a page. If we give permission, you know that it's a Good Thing™, and if we don't give permission, you know that it's a Bad Thing™. While some try to claim that this is a form of censorship, you, a good upright Citizen, know that IBM is all about Good Thing™. Trust us, we'll keep you safe!! Best of all, this can all be done in the background, automagically, so that you never really know that you've been denied permission to view a page. Good Thing™ - configure once, then it's out of sight, and out of mind!!

    • (Score: 2) by bob_super on Tuesday November 21 2017, @07:47PM (3 children)

      by bob_super (1357) on Tuesday November 21 2017, @07:47PM (#599816)

      How is that different from what DNS providers already do, except for being upfront about rejecting flagged domains?

      • (Score: 2) by Runaway1956 on Wednesday November 22 2017, @02:41AM (2 children)

        by Runaway1956 (2926) on Wednesday November 22 2017, @02:41AM (#600017)

        There's probably not much difference, except that in this case, you're relying on a single commercial entity to do all of your censorship for you. Of course, if you use Google resolvers, you have the same thing. Of the two, Google may be a bit more lenient. I certainly don't trust IBM to handle this rather sensitive bit of work. IBM has a rather sordid human rights history, after all. http://www.ibmandtheholocaust.com/ [ibmandtheholocaust.com] and http://www.ibmandtheholocaust.com/index.php?page=70127 [ibmandtheholocaust.com]

        • (Score: 2) by bob_super on Wednesday November 22 2017, @07:02AM (1 child)

          by bob_super (1357) on Wednesday November 22 2017, @07:02AM (#600076)

          In a country where most CEOs can't think past 8 quarters, it would be good to stop judging a company based on actions taken 75 years ago by people completely unrelated in any way, especially culture, to those currently in power.

          Why would anyone do business with a country responsible for mass internal deportation of its citizens with yellow skin, and dropping atomic bombs on cities?

          I'll agree with you if the nasty actions do have a continuity into the present, like the mass deportations leading to the current Apartheid mess in Israel.

  • (Score: 3, Informative) by edIII on Tuesday November 21 2017, @08:10PM (2 children)

    by edIII (791) on Tuesday November 21 2017, @08:10PM (#599842)

    LOL. No. This is a joke.

    That being said, I wouldn't mind trying this through TOR or something. Not for resolving, but just another DNS I can look up bad actors on and weigh the results. 40 billion evil domains sounds like an incredible amount, and nothing to scoff at. Yet... I know because it is the City of London, that it will be full pants-on-head retarded about fighting piracy and will not resolve private trackers and undesirable sites. It will be a curated and censored list of "good" domains.

    Of course, all that is assuming that they respond with 127.0.0.1 most of the time. They don't, but instead resolve the address for you. That's not how a RBL works either. So how do I tell if it is an evil site, or a good site? A redirect to their servers with a landing page saying, "This is bad, mkay? You don't search for torrents mkay? P2P is evil mkay?"

    Not sure I could even integrate this properly with pfsense, and could only use it as a primary resolver. No thanks.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 2) by requerdanos on Wednesday November 22 2017, @12:53PM (1 child)

      by requerdanos (5997) on Wednesday November 22 2017, @12:53PM (#600148)

      it will be full pants-on-head retarded about fighting piracy and will not resolve private trackers

      Yet, it properly resolves thepiratebay.org.

      • (Score: 2) by edIII on Wednesday November 22 2017, @11:04PM

        by edIII (791) on Wednesday November 22 2017, @11:04PM (#600404)

        Really? That's astounding given the involvement of the UK, and almost makes no sense. If the ISPs are blocking it in general, why would they allow it to resolve? Somewhat encouraging if that means the UK has a small amount of influence over the blacklist.

        --
        Technically, lunchtime is at any moment. It's just a wave function.