SoylentNews is people

posted by Fnord666 on Tuesday November 21 2017, @12:59PM
from the promise-we-won't-peek dept.

The Global Cyber Alliance has given the world a new free Domain Name Service resolver, and advanced it as offering unusually strong security and privacy features.

The Quad9 DNS service, at 9.9.9.9, not only turns URIs into IP addresses, but also checks them against IBM X-Force's threat intelligence database. Those checks protect against landing on any of the 40 billion evil sites and images X-Force has found to be dangerous.

The Alliance (GCA) was co-founded by the City of London Police, the District Attorney of New York County and the Center for Internet Security and styled itself "an international, cross-sector effort designed to confront, address, and prevent malicious cyber activity."

[...] The organisation promised that records of user lookups would not be put out to pasture in data farms: "Information about the websites consumers visit, where they live and what device they use are often captured by some DNS services and used for marketing or other purposes", it said. Quad9 won't "store, correlate, or otherwise leverage" personal information.

[...] If you're one of the lucky few whose ISP offers IPv6, there's a Quad9 resolver for you at 2620:fe::fe (the PCH public resolver).

https://www.theregister.co.uk/2017/11/20/quad9_secure_private_dns_resolver/

takyon: Do you want to give the City of London Police control of your DNS?


  • (Score: 4, Informative) by requerdanos (5997) on Tuesday November 21 2017, @03:35PM (#599693)

    There's a lot of information missing here... it doesn't say what kind of result indicates it "blocked" a site, or what it actually does, besides "protecting" you.

    In their FAQ [quad9.net], they say that

    If a site is blocked, users receive an “NXDOMAIN” response so the end use system acts like the domain does not exist.

    Though they do say that in the future they may or may not decide to redirect the response to an explanatory page of their own.

    It also doesn't say how they determine what constitutes a "malicious" site?

    Here, the FAQ is not that specific...

    Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains. ... Quad9 gathers threat intelligence from all its providers and public sources and updates the Quad9 infrastructure with this information.

    Like you, I'd like to see more transparency with respect to what's being blocked. Otherwise, it's "We're blocking bad stuff, you guess what." The FAQ does mention that they also have an alternate service at 9.9.9.10 with no blocking.

  • (Score: 3, Interesting) by c0lo (156) on Tuesday November 21 2017, @04:36PM (#599713)

    Though they do say that in the future they may or may not decide to redirect the response to an explanatory page of their own.

    Which will break DNSSEC.
    The more that choose to break it, the more likely a distributed-DNS solution (as opposed to a hierarchical one) is to appear/take hold.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by requerdanos (5997) on Tuesday November 21 2017, @05:37PM (#599741)

      they may... decide to redirect the response...

      Which will break DNSSEC.

      I do give them credit for not doing that (but rather returning a negative result), and for supporting DNSSEC in the first place.

      Returning bogus results would seem to be like the #1 feature that the world would *not* want in a DNS resolver, and looking up the nonexistent foo.bar returning instead the IP for www.adspage.quad9.whatever is the very definition of returning a bogus result.
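
The NXDOMAIN-on-block behaviour and the unfiltered 9.9.9.10 alternate discussed in this thread give a simple way to tell a filter block from a domain that genuinely does not exist: ask both resolvers and compare the response codes. The following is an added example, not part of any comment above and not Quad9's own tooling; the function names and the sample responses are constructed for illustration.

```python
import socket
import struct

FILTERED = "9.9.9.9"      # blocking resolver named in the story
UNFILTERED = "9.9.9.10"   # non-blocking alternate mentioned in the thread

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234, qtype=1):
    """Build a minimal RFC 1035 query (default: A record) with the RD bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def parse_rcode(resp):
    """Return the response code name from the 12-byte DNS header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", resp[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}")

def classify(filtered_resp, unfiltered_resp):
    """Compare both resolvers' raw answers for the same name."""
    f, u = parse_rcode(filtered_resp), parse_rcode(unfiltered_resp)
    if f == "NXDOMAIN" and u == "NOERROR":
        return "blocked-by-filter"   # exists, but the filter hides it
    if f == "NXDOMAIN" and u == "NXDOMAIN":
        return "does-not-exist"      # genuine negative answer
    if f == "NOERROR" and u == "NOERROR":
        return "resolves"
    return f"inconclusive ({f}/{u})"

def lookup(server, name, timeout=3.0):
    """Send one UDP query (needs network access; unused by the samples)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

def sample_response(rcode, ancount=0):
    """Constructed header-only response for offline demonstration."""
    return struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, ancount, 0, 0)
```

With network access, `classify(lookup(FILTERED, name), lookup(UNFILTERED, name))` performs the same comparison live.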