The Global Cyber Alliance has given the world a new free Domain Name Service resolver, and advanced it as offering unusually strong security and privacy features.
The Quad9 DNS service, at 9.9.9.9, not only turns URIs into IP addresses, but also checks them against IBM X-Force's threat intelligence database. Those checks protect against landing on any of the 40 billion evil sites and images X-Force has found to be dangerous.
The Alliance (GCA) was co-founded by the City of London Police, the District Attorney of New York County and the Center for Internet Security and styled itself "an international, cross-sector effort designed to confront, address, and prevent malicious cyber activity."
[...] The organisation promised that records of user lookups would not be put out to pasture in data farms: "Information about the websites consumers visit, where they live and what device they use are often captured by some DNS services and used for marketing or other purposes", it said. Quad9 won't "store, correlate, or otherwise leverage" personal information.
[...] If you're one of the lucky few whose ISP offers IPv6, there's a Quad9 resolver for you at 2620:fe::fe (the PCH public resolver).
https://www.theregister.co.uk/2017/11/20/quad9_secure_private_dns_resolver/
takyon: Do you want to give the City of London Police control of your DNS?
(Score: 2, Informative) by crb3 on Tuesday November 21 2017, @05:37PM (10 children)
Tried it, then dumped it and went back to OpenDNS when Quad9 stopped resolving soylentnews.org.
(Score: 3, Interesting) by requerdanos on Tuesday November 21 2017, @05:52PM (9 children)
Well, I'd say that's a problem that on the good-bad spectrum leans markedly towards "bad."
Sure enough, no response on 9.9.9.9 for soylentnews.org...
However, if you try with their 9.9.9.10 server that does not have blocking nor DNSSEC, it resolves soylentnews.org just fine.
Conclusion: They are blocking soylentnews.org because of either blacklisting or DNSSEC failure (no way to tell which one).
(Score: 0) by Anonymous Coward on Tuesday November 21 2017, @06:05PM (1 child)
What else did it fail to look up that you tested? Did you make a capture to see if the query came back with a specific error code? User applications don't always show what went across the network.
Not that nslookup is some glitzy flash in the pan that doesn't do its job, but the error is generic.
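Added example, not part of the original thread: one way to read the response code the comment above asks about, and to compare 9.9.9.9, 9.9.9.9 with the Checking Disabled bit set, and the non-filtering 9.9.9.10. All function names and the sample replies are constructed for illustration, and the "blocked" branch assumes the filter answers blocked names with NXDOMAIN, which the thread does not state.

```python
import socket, struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234, cd=False):
    """A-record query with RD set; cd=True sets Checking Disabled (RFC 4035)."""
    flags = 0x0100 | (0x0010 if cd else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def parse_header(msg):
    """Read what actually came back: RCODE, AD flag and answer count."""
    if msg is None or len(msg) < 12:
        return None                      # timeout or truncated datagram
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "ad": bool(flags & 0x0020), "answers": an}

def ask(server, name, cd=False, timeout=3.0):
    """Send one UDP query; return raw reply bytes, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, cd=cd), (server, 53))
            return s.recvfrom(4096)[0]
        except OSError:
            return None

def classify(filtered, filtered_cd, unfiltered):
    """Compare 9.9.9.9, 9.9.9.9 with CD set, and 9.9.9.10 (parsed headers)."""
    ok = lambda r: r is not None and r["rcode"] == "NOERROR" and r["answers"] > 0
    if ok(filtered):
        return "resolves"
    if filtered is None:
        return "no reply from filtered resolver (path or node problem)"
    if filtered["rcode"] == "SERVFAIL" and ok(filtered_cd):
        return "DNSSEC validation failure"
    if filtered["rcode"] == "NXDOMAIN" and ok(unfiltered):
        return "blocked by filter (assumes blocks are answered NXDOMAIN)"
    return "inconclusive: " + filtered["rcode"]

def reply(rcode, answers, ad=False):     # constructed sample replies, not captures
    flags = 0x8180 | (0x0020 if ad else 0) | rcode
    return struct.pack("!6H", 0x1234, flags, 1, answers, 0, 0)
```

For a live check, pass parse_header(ask("9.9.9.9", name)), parse_header(ask("9.9.9.9", name, cd=True)) and parse_header(ask("9.9.9.10", name)) to classify().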
(Score: 2) by requerdanos on Tuesday November 21 2017, @06:40PM
Nothing. I only tested a handful of sites, but that's the only one that didn't resolve for me (and for at least some others, apparently). Some of the tries are posted elsewhere in the comments for this article.
(Score: 2) by NewNic on Tuesday November 21 2017, @06:23PM
Not sure what you are doing:
$ dig @9.9.9.9 soylentnews.org
; > DiG 9.11.1-P3 > @9.9.9.9 soylentnews.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER server 9.9.9.9
Default server: 9.9.9.9
Address: 9.9.9.9#53
> soylentnews.org
Server: 9.9.9.9
Address: 9.9.9.9#53
Non-authoritative answer:
Name: soylentnews.org
Address: 45.56.123.192
Name: soylentnews.org
Address: 2600:3c00::f03c:91ff:fe98:b8fe
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 2) by NewNic on Tuesday November 21 2017, @06:26PM (4 children)
$ dig @9.9.9.9 soylentnews.org
; <<>> DiG 9.11.1-P3 <<>> @9.9.9.9 soylentnews.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27649
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;soylentnews.org. IN A
;; ANSWER SECTION:
soylentnews.org. 300 IN A 45.56.123.192
;; Query time: 106 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Tue Nov 21 10:21:28 PST 2017
;; MSG SIZE rcvd: 60
And using the deprecated tool:
$ nslookup
> server 9.9.9.9
Default server: 9.9.9.9
Address: 9.9.9.9#53
> soylentnews.org
Server: 9.9.9.9
Address: 9.9.9.9#53
Non-authoritative answer:
Name: soylentnews.org
Address: 45.56.123.192
Name: soylentnews.org
Address: 2600:3c00::f03c:91ff:fe98:b8fe
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 3, Informative) by requerdanos on Tuesday November 21 2017, @06:53PM (3 children)
Open a ticket with them, is what I did. My entire nslookup conversation is below. Even though it's "The Deprecated Tool," I learned it first and like it.
Dig returns the same, if you prefer (emphasis added):
They responded almost immediately to the trouble ticket (even though I'm just some random person) and asked me for the output of "dig +short @9.9.9.9 chaos txt id.server" and of "traceroute 9.9.9.9" from my location, which I reproduce below for your perusal.
They immediately acknowledged receipt of above info, responding with "Thanks for this, I will get back to you once we have an update". For a free service, their customer service sure is better so far than some services I pay for.
(Score: 2) by NewNic on Tuesday November 21 2017, @07:40PM
My guess is that you are hitting a different server. The end of my traceroute looks like this:
...
7 router.pao.woodynet.net (204.61.214.66) 16.949 ms 16.803 ms 16.806 ms
8 dns.quad9.net (9.9.9.9) 32.717 ms !X 16.494 ms !X 15.445 ms !X
Note 7 above is very different to the penultimate hop in your traceroute.
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 0) by Anonymous Coward on Wednesday November 22 2017, @08:41AM (1 child)
That's probably just an auto-responder.
I got a similar message immediately when I sent a support ticket to my ISP about not being able to log into their self service to set up automatic payments. They have yet to get back to me, and that was probably a year ago.
(Score: 2) by requerdanos on Wednesday November 22 2017, @12:48PM
I got one of those, too, upon my initial ticket submission. All following messages looked more likely to have been written by a person. No fix yet, still not resolving for me, by the way.
(Score: 2) by maxwell demon on Wednesday November 22 2017, @07:36AM
Strange, I didn't find soylentnews.org on either:
The Tao of math: The numbers you can count are not the real numbers.