The Global Cyber Alliance has given the world a new free Domain Name Service resolver, and advanced it as offering unusually strong security and privacy features.
The Quad9 DNS service, at 9.9.9.9, not only turns URIs into IP addresses, but also checks them against IBM X-Force's threat intelligence database. Those checks protect against landing on any of the 40 billion evil sites and images X-Force has found to be dangerous.
The Alliance (GCA) was co-founded by the City of London Police, the District Attorney of New York County and the Center for Internet Security and styled itself "an international, cross-sector effort designed to confront, address, and prevent malicious cyber activity."
[...] The organisation promised that records of user lookups would not be put out to pasture in data farms: "Information about the websites consumers visit, where they live and what device they use are often captured by some DNS services and used for marketing or other purposes", it said. Quad9 won't "store, correlate, or otherwise leverage" personal information.
[...] If you're one of the lucky few whose ISP offers IPv6, there's a Quad9 resolver for you at 2620:fe::fe (the PCH public resolver).
https://www.theregister.co.uk/2017/11/20/quad9_secure_private_dns_resolver/
takyon: Do you want to give the City of London Police control of your DNS?
Related Stories
http://torrentfreak.com/torrent-domain-suspensions-damage-credibility-registrar-says-140617/
When the police coerce registrars to suspend domain names there are a series of damaging knock-on effects, Iceland's top domain registry says. ISNIC says that it's difficult to repair the kind of damage suspensions cause to the credibility of top-level domains, something that could be avoided through better understanding of Internet functionality.
Private law firms will be hired by police to pursue criminal suspects for profit, under a radical new scheme to target cyber criminals and fraudsters.
In a pilot project by the City of London police, the lead force on fraud in England and Wales, officers will pass details of suspects and cases to law firms, which will use civil courts to seize the money.
The force says the scheme is a way of more effectively tackling fraud – which is now the biggest type of crime, estimated to cost £193bn a year. It is overwhelming police and the criminal justice system.
Under the shakeup being piloted, a law firm will pursue the suspect in the civil courts before any conviction and possibly even without a criminal charge. The burden of proof is lower in civil courts, and they will only have to show that the suspect stole the money on the balance of probabilities.
[...] Katie Wheatley, joint head of criminal law at Bindmans, a London law firm, expressed unease over the proposals, which she said gave police "what they would regard as an easy deterrent, without having the inconvenience of proving an offence to a criminal standard".
[...] A working group to oversee the experiment has been set up by the City of London police, officers from the National Crime Agency, and Metropolitan police, and law and private investigation firms.
Source: The Guardian
takyon: The City of London is a small county within Greater London, run by the City of London Corporation. It is well known for being a centre of evil finance.
(Score: 4, Informative) by WizardFusion on Tuesday November 21 2017, @01:13PM (6 children)
I am already blocking over 950,000 domains using a Pi-Hole install.
It covers almost everything I need
(Score: 0) by Anonymous Coward on Tuesday November 21 2017, @01:16PM (2 children)
One doesn't need a DNS as such [stackexchange.com]
(Score: 2) by ledow on Tuesday November 21 2017, @01:20PM (1 child)
Yup.
And I think if DNSSec etc. drag their feet for much longer (might be "there", but it's certainly nowhere near mainstream) then something like a DHT DNS will pop up in its stead.
I can only think that's a good thing. Maybe then all the price-gouging TLDs will stop, and you will be able to have control of your DNS records without having to run a bucket of nameservers.
But until then, DNS has a long life ahead of it, I think.
And another public DNS server that's easy to remember isn't a bad thing. Whether or not you care about snooping.
(Score: 0) by Anonymous Coward on Tuesday November 21 2017, @06:10PM
It already happened, and AFAIK is stillborn.
The idea behind it was you mined for credits which in turn could be used to register/renew domains. The limits on what you could register/renew related to how much coin you mined and as a result how much cpu/bandwidth/verification you provided to keep the rest of the network running smoothly.
A few people have talked about forking it, or re-implementing it for p2p anonymity network usage, but nothing has come from it yet.
(Score: 2) by requerdanos on Tuesday November 21 2017, @06:08PM (2 children)
I have a hosts file built by a bash script filtering several of the hosts-file.net lists with a local whitelist: 693,727 lines in the resulting /etc/hosts file. "Pretty good" if I do say so.
However - this approach failed miserably on a windows 8 laptop on my network. Installing this hosts file resulted in windows becoming about ten thousand times slower. I eventually had to boot rescue linux to delete the darned hosts file from the thing.
Looks like pi-hole would fix that problem nicely, as might using 9.9.9.9 for DNS.
(Score: 3, Interesting) by edIII on Tuesday November 21 2017, @07:59PM (1 child)
Windows sucks ass to begin with, but you are far better off running your own recursive DNS server with something like pfsense. I had about 5 or 6 Windows boxes I needed to manage at a relatives home, and instead of trying to manage their hosts files, I just went with stopping the shit at the router. How do you put a hosts file on an embedded device? That's primarily why I decided to do it. Then after hooking it all up, enabling the recursive DNS server, and setting up some adblocking stuff, it was reported that I was even stopping ads on their Kindles, phones, etc.
That way Windows wasn't responsible and you don't need a super slow box. It's not just a big hosts file either. I had an office machine for graphics and documentation that I loaded up at least 30,000 fonts :) Windows boot time went to something like 10 minutes and the whole box was hilariously slow.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by requerdanos on Thursday November 23 2017, @01:50PM
Well, for what it's worth, pi-hole is doing this very well, running on a tricked-out olinuxino lime2.
Day 3 problem: User complaint I received: "Honey, [my pirate video site] isn't working anymore. Can you take me off that thing?"
(Score: 5, Insightful) by The Mighty Buzzard on Tuesday November 21 2017, @01:17PM (13 children)
Am I the only one who sees this as a Bad Thing? I mean, isn't this exactly what we bitched about breaking DNSSEC during the whole SOPA mess?
My rights don't end where your fear begins.
(Score: 1, Informative) by Anonymous Coward on Tuesday November 21 2017, @01:35PM (1 child)
As long as no one forces you to use that resolver, it is not that bad. Just use another resolver (and tell others to do so, too). That's the problem with bad laws: You cannot avoid them.
If their service breaks with DNSSEC domains, well, too bad for them. If legally required measures conflict with DNSSEC, it's everyone's problem.
(Score: 2) by meustrus on Tuesday November 21 2017, @02:51PM
But this is a big organization putting out a good free solution. The existence of 9.9.9.9 will suppress other efforts, especially if it's as good as they say, because there's no money to be made in doing better. It would be OK if this were an open solution that anybody could fork, but it's based on proprietary datasets that no open solution will ever have access to.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 3, Interesting) by c0lo on Tuesday November 21 2017, @02:42PM
Yes and no.
Yes, the SOPA provisions on DNS-redirection would break DNSSEC.
No, SOPA's provisions for filtering and consequently refusing to resolve to IP (and this quad9 as well) would be supported by the DNSSEC's authenticated denial of existence [ietf.org] (another FA (PDF) [sidnlabs.nl] which I found more comprehensible)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 4, Informative) by Whoever on Tuesday November 21 2017, @04:37PM (1 child)
No, this is clearly a bad thing.
This suggests to me that it will be used to attempt to block sites that are subject of copyright complaints made to the CoL police. Nothing to do with security.
Sorry, I don't believe this.
(Score: 0) by Anonymous Coward on Wednesday November 22 2017, @03:33AM
Doesn't that effectively translate to GCHQ and NSA? ;)
(Score: 3, Insightful) by Runaway1956 on Tuesday November 21 2017, @05:02PM (4 children)
This is obviously a Good Thing™ for everyone! We decide what is good, and what is bad, then you check with us to see if you're allowed to look at a page. If we give permission, you know that it's a Good Thing™, and if we don't give permission, you know that it's a Bad Thing™. While some try to claim that this is a form of censorship, you, a good upright Citizen, know that IBM is all about Good Thing™. Trust us, we'll keep you safe!! Best of all, this can all be done in the background, automagically, so that you never really know that you've been denied permission to view a page. Good Thing™ - configure once, then it's out of sight, and out of mind!!
(Score: 2) by bob_super on Tuesday November 21 2017, @07:47PM (3 children)
How is that different from what DNS providers already do, except for being upfront about rejecting flagged domains?
(Score: 2) by Runaway1956 on Wednesday November 22 2017, @02:41AM (2 children)
There's probably not much difference, except that in this case, you're relying on a single commercial entity to do all of your censorship for you. Of course, if you use Google resolvers, you have the same thing. Of the two, Google may be a bit more lenient. I certainly don't trust IBM to handle this rather sensitive bit of work. IBM has a rather sordid human rights history, after all. http://www.ibmandtheholocaust.com/ [ibmandtheholocaust.com] and http://www.ibmandtheholocaust.com/index.php?page=70127 [ibmandtheholocaust.com]
(Score: 2) by bob_super on Wednesday November 22 2017, @07:02AM (1 child)
In a country where most CEOs can't think past 8 quarters, it would be good to stop judging a company based on actions taken 75 years ago by people completely unrelated in any way, especially culture, to those currently in power.
Why would anyone do business with a country responsible of mass internal deportation of its citizens with yellow skin, and dropping atomic bombs on cities?
I'll agree with you if the nasty actions do have a continuity into the present, like the mass deportations leading to the current Apartheid mess in Israel.
(Score: 2) by Runaway1956 on Wednesday November 22 2017, @09:52AM
The sorry state of our CEO's is well known - but that doesn't mean they're all that way. IBM and Israel? https://en.wikipedia.org/wiki/IBM_Israel [wikipedia.org] Wait a second - how did I get Bing as a search engine? . . . Alright here's an IBM and apartheid link - https://www.counterpunch.org/2017/05/03/apartheid-in-the-shadows-the-usa-ibm-and-south-africas-digital-police-state/ [counterpunch.org] http://www-cs-students.stanford.edu/~cale/cs201/ [stanford.edu]
This one may be more interesting - it is certainly current - https://www.bloomberg.com/news/2014-06-03/hp-and-ibm-list-north-korea-as-a-supplier-in-conflict-mineral-reports.html [bloomberg.com]
I'll stand by my statement - IBM has a history of dark dealings with oppressive governments. Did I mention that corporate CEO's have poor ethics, and poor judgement? IBM epitomizes that fact. The "culture" at IBM is probably much different from the run-of-the-mill corporation. IBM is well known for being stable, and profitable. They seldom make the news for stupid shit, like sexual harassment, or openly polluting the environment. Their ethics are probably pretty sound, in a business sense. But, in a humanitarian sense, their ethics suck ass. IBM will comply with the law, but they care little about slave labor, apartheid, oppression of any form. If there is money in killing little brown children, you'll find IBM there, helping to categorize and round them up.
History. IBM hasn't changed in the past seventy or eighty years. People may come and go, but companies that last over 100 years aren't going to change an awful lot. They've got a winning formula, and they aren't going to give it up.
https://www.thoughtco.com/ibm-timeline-1992491 [thoughtco.com]
(Score: 3, Informative) by edIII on Tuesday November 21 2017, @08:10PM (2 children)
LOL. No. This is a joke.
That being said, I wouldn't mind trying this through TOR or something. Not for resolving, but just another DNS I can look up bad actors on and weigh the results. 40 billion evil domains sounds like an incredible amount, and nothing to scoff at. Yet... I know because it is the City of London, that it will be full pants-on-head retarded about fighting piracy and will not resolve private trackers and undesirable sites. It will be a curated and censored list of "good" domains.
Of course, all that is assuming that they respond with 127.0.0.1 most of the time. They don't, but instead resolve the address for you. That's not how a RBL works either. So how do I tell if it is an evil site, or a good site? A redirect to their servers with a landing page saying, "This is bad, mkay? You don't search for torrents mkay? P2P is evil mkay?"
Not sure I could even integrate this properly with pfsense, and could only use it as a primary resolver. No thanks.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by requerdanos on Wednesday November 22 2017, @12:53PM (1 child)
Yet, it properly resolves thepiratebay.org.
(Score: 2) by edIII on Wednesday November 22 2017, @11:04PM
Really? That's astounding given the involvement of the UK, and almost makes no sense. If the ISPs are blocking it in general, why would they allow it to resolve? Somewhat encouraging if that means the UK has a small amount of influence over the blacklist.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 4, Informative) by Anonymous Coward on Tuesday November 21 2017, @01:25PM (5 children)
DNS does not turn URIs into IP addresses. It turns hostnames into IP addresses.
They promised? Unless they make that promise legally binding, it can be safely ignored.
(Score: 3, Informative) by c0lo on Tuesday November 21 2017, @01:35PM
The only promise worth to consider is the "promise not to record the lookups, just service them" and this only if legally binding.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0, Interesting) by Anonymous Coward on Tuesday November 21 2017, @02:24PM (3 children)
We should keep in mind just how obviously clueless the El Reg writer is the next time a journalist wants to write about astronomy, physics, gender, or politics.
(I happen to be an expert in one of those areas, and I can assure you that pretty much everything I read in that subject area sounds exactly like the assertion that DNS turns URIs into IP addresses. Close enough that it may sound plausible to a layman with no practical experience, yet it represents a fundamental gap in the writer's knowledge.)
(Score: 2) by edIII on Tuesday November 21 2017, @08:51PM (2 children)
To be completely fair, this might be one of those nitpicking [wikipedia.org] debates [danielmiessler.com].
Technically, a hostname is a URN. From the perspective of the user, a URL is split apart into its URN, and then resolved. So it's not entirely incorrect for a journalist to say that DNS resolves URLs, or URIs, or URNs. Yes, it represents a lack of knowledge and sophistication, but it is not incorrect, but incomplete.
A URI encompasses both URNs and URLs. This would be like saying you need a human to reproduce, when it's more correct to say you need a human female to reproduce. Although, for the audience here, maybe a car analogy would be more preferred ;)
IMO, the most correct and clear statement is that DNS resolves URNs, but is not incorrect to say it resolves URIs either. The most widely accepted and understood statement would be that it resolves URLs, because URL is the most widely understood term. The other two are almost always exclusively used by technical people. I've read documentation from different companies, and some of them have used URIs everywhere, and some use URLs. I've almost never seen URN in a technical document.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by maxwell demon on Wednesday November 22 2017, @07:16AM (1 child)
No, it isn't. A hostname also is no URI, and no URL (although URLs tend to contain hostnames, but that is not required). Indeed, hostnames are much older than URLs/URIs/URNs.
Also, a hostname doesn't identify a resource, but a host. There may or may not be a resource hosted on that host. Or there may be several resources hosted there. It doesn't matter.
Here comes the nitpicking:
Actually we are talking about FQDNs (Fully Qualified Domain Names). Strictly speaking, the hostname is only the first component of that, and while there can be arbitrary many hosts with the same hostname, the FQDN should be unique.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by edIII on Wednesday November 22 2017, @07:26AM
FUCK!!! I hate it when I'm out-pedant'd :)
Didn't notice that hostname part. I was *thinking* about FQDN too, but didn't use the term. The way I've been setting up servers lately is to use a FQDN for the hostname, so you caught me getting lazy...
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2, Insightful) by Anonymous Coward on Tuesday November 21 2017, @01:38PM (8 children)
and we are here to help?
Smells pretty fishy to me.
(Score: 3, Informative) by takyon on Tuesday November 21 2017, @01:52PM
City of London [wikipedia.org] is a quasi-government corporate thing. Worse?
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 5, Insightful) by isostatic on Tuesday November 21 2017, @02:13PM (4 children)
Randians love to trot that line out. The rest of the world actually trusts the governments we vote in far more than corporations that actually own our lives.
(Score: 3, Insightful) by DannyB on Tuesday November 21 2017, @03:18PM (3 children)
The governments we vote for are wholly owned, recently acquired subsidiaries of the corporations that own our lives. Regardless of how or whether you vote.
The corps don't have precise control. There's a lot of play in the steering wheel. But it steers well enough to get where we're going.
Any good circus has three rings: executive, legislative, judicial.
People today are educated enough to repeat what they are taught but not to question what they are taught.
(Score: 2, Interesting) by Anonymous Coward on Tuesday November 21 2017, @03:35PM (1 child)
So you think giving the corporations the control directly is better than at least having some influence on those who make the policies?
Maybe you represent one of those corporations and are angry that you don't have precise control over the rules imposed on the citizensconsumers?
(Score: 2) by DannyB on Tuesday November 21 2017, @07:47PM
I don't advocate giving corporations control. I merely assert that they already own the government whores who will do literally anything for money. The laws be damned. The Constitution be damned. If they get paid to do it, they will find a way.
You can elect different whores, and in the absence of corporate bribes might actually carry out the policy you want. But if what you want is not what the corporations want, then guess whose policy is going to get carried out, no matter who you voted for?
People today are educated enough to repeat what they are taught but not to question what they are taught.
(Score: 0) by Anonymous Coward on Wednesday November 22 2017, @02:57PM
Well, assuming you're American, yours is, but only because you would rather indulge yourself than actually work towards improving government.
(Score: 3, Interesting) by stretch611 on Tuesday November 21 2017, @04:04PM (1 child)
Even if they log your activities... What are your other choices?
Use OpenDNS? Which logs you and shares the data with Cisco
Use Google's 8.8.8.8 Which logs you but promises to clear identifying information
Use your ISP... Well, we know how honest these guys are... and with the FCC promising the ISPs to remove all restrictions on consumer privacy, this is obviously the worse choice.
Now with 5 covid vaccine shots/boosters altering my DNA :P
(Score: 0) by Anonymous Coward on Tuesday November 21 2017, @06:03PM
why are so many people so afraid to set up their own server?
YES it has to go look up stuff on occasion, but the DNS root servers can be used as, you know, your own servers root.
and not even bypass your alternatives, because they too are checking the same DNS root servers. Heck even windows 2003 came with a list of them that are mostly still valid.
(Score: 4, Insightful) by nobu_the_bard on Tuesday November 21 2017, @01:54PM (14 children)
There's a lot of information missing here. I've seen these kinds of things before and there's definitely a place for them, but the scale of this one seems impressive. All of the articles I've seen seem to be parroting the press releases they've got going though.
I was looking for what it actually does, and was led here: https://quad9.net/#/ [quad9.net]
It's still light on information. I know how DNS works, but it doesn't say what kind of result indicates it "blocked" a site, or what it actually does, besides "protecting" you. I presume it's going to replace the IP address of a blocked site with its own, driving traffic to their own system. Some ISPs have done this in the past; they'd push you from a "malicious" website to their ad-served web page.
It also doesn't say how they determine what constitutes a "malicious" site?
It's probably fine that there are such services but I'd feel more comfortable if they gave more actual information up front instead of the heavy focus on mobile-friendly graphics and assurances you're protected.
(Score: 2) by inertnet on Tuesday November 21 2017, @02:22PM (8 children)
It could become a data collecting giant, like Google with its 8.8.8.8 DNS. But it could also gradually start blocking interesting parts of the internet, like VPN services, or TOR. And move on to blocking "fake news". Or any country that's on some axis of evil list.
(Score: 2) by meustrus on Tuesday November 21 2017, @03:05PM (6 children)
If it did, customers would complain and/or uninstall. The nightmare scenario you describe requires either that:
1. The service be mandated via China-style government intervention
2. The blocks be subtle enough to not be noticed
#2 is not really possible with a DNS service. How do you delete only the "fake news" without eliminating access to entire web sites we know should exist? And also delete search results pointing to the same? It would really be a neat trick to do content filtering with DNS.
As for China-style government intervention, you can bet that the right wing will protect big business from the hazards of dealing with such heavy handed regulation right up to the point where it becomes necessary to "protect our freedoms". Unless you're in Australia where apparently heavy handed regulation is not a concern to anybody.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 0) by Anonymous Coward on Tuesday November 21 2017, @05:48PM (5 children)
Hohohoho... hahahaha... oh wow... good joke.
The majority of customers is too complacent to even pick up the phone and cut the cord. They can't even be bothered to call their congress critter which literally is nothing more but picking up the phone and dialing a number (which you could add to your contacts so you don't have to look it up).
But no... the Market works... Voting with your wallet works... The Governement is your friend... and rocks fly unaided...
Is there another attempt you'd like to make?
(Score: 2) by meustrus on Tuesday November 21 2017, @06:47PM (3 children)
You misunderstand. "Complain" means making an angry tweet. We all know how easily people take to the 'tubes to complain.
As for uninstalling, the ISP would be glad to handle that for you and get their sweet ad money back from your missed DNS lookups. They might not even wait for you to complain.
You can crank all you want about "what if this were imposed by the government", but it's not. Stop acting like it would take an act of Congress to switch 9.9.9.9 back to 8.8.8.8 or your ISP's default.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 0) by Anonymous Coward on Tuesday November 21 2017, @07:47PM
And that is why, when net neutrality is dead, you will be able to pay for premium access to Twatter. Without your Twatter-enabled subscription, you will still be able to read twats (at 0.5kbps) but you won't be able to twat yourself. Want to twat, please pay MultiMONIE$ so we can 'innovate'.
(Score: 0) by Anonymous Coward on Tuesday November 21 2017, @07:51PM (1 child)
Conscious people actually use 8.8.8.8? People actually take active steps to put themselves under surveillance like that? These 'people' you speak of must be morons...
(Score: 2) by meustrus on Tuesday November 21 2017, @08:27PM
It's funny that you think you can escape Google's surveillance machine by not using their DNS service. It's even funnier that you think Google's surveillance machine is worse than any ISP's surveillance machine, which is much more likely to feed the NSA directly.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 2) by maxwell demon on Wednesday November 22 2017, @07:24AM
Those customers will continue to use whatever DNS their ISP provides, therefore what this new DNS does is completely irrelevant unless some ISPs start using it as their default DNS server (which I consider unlikely, as that would mean them giving up control). If you are using that alternate DNS server, you are the type of person who actively decides what DNS server you use, and are willing to actually change your computer's configuration. And that demographic is exactly the one that will not put up with such measures. No, they probably won't pick up the phone. Instead they will just once again change the DNS settings of their computer or router, to use whatever DNS they then consider the best replacement.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by c0lo on Tuesday November 21 2017, @04:27PM
I don't see how a DNS can block TOR, given that TOR doesn't use DNS. [stackexchange.com] (but DHT to resolve the services and a rendez-vous to establish the circuit)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 3, Interesting) by rob_on_earth on Tuesday November 21 2017, @02:49PM (1 child)
I remember a horrible time when ISPs would "helpfully" resolve DNS failures for requested hostnames to their own servers. Broke so many tools where I worked at the time.
But of course, the Adverts they showed the user on the resolved address were targeted!
(Score: 3, Interesting) by DannyB on Tuesday November 21 2017, @03:22PM
I remember that and it was infuriating! Outrageous! A failed DNS lookup should be a failed DNS lookup!
The sudden realization that I had to run bind (back then) or use a different resolver.
People today are educated enough to repeat what they are taught but not to question what they are taught.
(Score: 4, Informative) by requerdanos on Tuesday November 21 2017, @03:35PM (2 children)
In their FAQ [quad9.net], they say that
Though they do say that in the future they may or may not decide to redirect the response to an explanatory page of their own.
Here, the FAQ is not that specific...
Like you, I'd like to see more transparency with respect to what's being blocked. Otherwise, it's "We're blocking bad stuff, you guess what." The FAQ does mention that they also have an alternate service at 9.9.9.10 with no blocking.
(Score: 3, Interesting) by c0lo on Tuesday November 21 2017, @04:36PM (1 child)
Which will break DNSSEC.
The more will choose to break it, the more likely to a distributed-DNS solution (as opposed to a hierarchical one) to appear/take hold.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by requerdanos on Tuesday November 21 2017, @05:37PM
I do give them credit for not doing that (but rather returning a negative result), and for supporting DNSSEC in the first place.
Returning bogus results would seem to be like the #1 feature that the world would *not* want in a DNS resolver, and looking up the nonexistent foo.bar returning instead the IP for www.adspage.quad9.whatever is the very definition of returning a bogus result.
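The distinction drawn in the comments above, between a resolver that answers a blocked name with a negative result and one that substitutes an address of its own, can be checked from the raw responses. This is an added example, not part of the thread and not Quad9's code: it parses DNS responses and compares a filtering resolver with a non-filtering one. The sample responses are constructed, the function names are hypothetical, and the "negative result" is assumed to be NXDOMAIN.

```python
import socket
import struct

NOERROR, NXDOMAIN = 0, 3
FILTERED, UNFILTERED = "9.9.9.9", "9.9.9.10"  # resolver addresses named in the thread


def encode_name(name):
    """Encode a host name as DNS labels: length byte + label, zero-terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid=0x1234):
    """Build a recursive A/IN query for `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:                # root label: end of name
            return off
        off += length


def parse_response(msg):
    """Return (rcode, set of IPv4 strings from A records in the answer section)."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qdcount):           # skip the echoed question(s)
        off = skip_name(msg, off) + 4
    addrs = set()
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.add(".".join(str(b) for b in rdata))
    return flags & 0x000F, addrs


def classify(filtered, unfiltered):
    """Compare raw responses for one name from a filtering and a plain resolver."""
    f_rcode, f_addrs = parse_response(filtered)
    u_rcode, u_addrs = parse_response(unfiltered)
    if u_rcode == NXDOMAIN:
        # An address for a name that does not exist is a fabricated answer.
        return "rewritten" if f_addrs else "nonexistent"
    if f_rcode == NXDOMAIN and u_addrs:
        return "blocked"               # negative answer only from the filter
    if f_addrs and u_addrs:
        # Disjoint sets are only a hint: CDNs hand out varying addresses.
        return "resolved" if f_addrs & u_addrs else "differs"
    return "inconclusive"


def ask(server, name, timeout=3.0):
    """Send one UDP query to `server` and return the raw response bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))        # kernel drops datagrams from other peers
        s.send(build_query(name))
        return s.recv(4096)


def make_response(name, rcode, addrs=()):
    """Construct a sample response (test data, not captured traffic)."""
    flags = 0x8180 | rcode             # QR=1, RD=1, RA=1
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in addrs:
        rdata = bytes(int(p) for p in ip.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return msg


if __name__ == "__main__":
    # Constructed samples; names and addresses are documentation placeholders.
    cases = {
        "malware.example": (make_response("malware.example", NXDOMAIN),
                            make_response("malware.example", NOERROR, ["192.0.2.10"])),
        "foo.bar": (make_response("foo.bar", NOERROR, ["198.51.100.7"]),
                    make_response("foo.bar", NXDOMAIN)),
    }
    for name, (f, u) in cases.items():
        print(name, classify(f, u))
```

Against live resolvers, `classify(ask(FILTERED, name), ask(UNFILTERED, name))` applies the same logic. A "differs" verdict alone does not show rewriting, since load-balanced sites return different addresses from one query to the next.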
(Score: 0) by Anonymous Coward on Tuesday November 21 2017, @02:54PM (12 children)
At least OpenDNS gives you options.
(Score: 3, Funny) by DannyB on Tuesday November 21 2017, @03:21PM (11 children)
The US Presidential Election gives you options.
A vending machine full of heavily salted junk food gives you options.
People today are educated enough to repeat what they are taught but not to question what they are taught.
(Score: 0, Flamebait) by Anonymous Coward on Tuesday November 21 2017, @03:24PM (10 children)
"The US Presidential Election gives you options" Yeah right. Hellary buys out the DNC effectively bumping Bernie out, leaving us the choice between a fucking crazy liar or a Trump. Nice choice!
(Score: 2) by requerdanos on Tuesday November 21 2017, @03:38PM
Classic sales tactic... Give them only a few options, make them think it's their decision.
(Score: 2) by tangomargarine on Tuesday November 21 2017, @03:42PM (1 child)
#yesthatwasthepoint
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Tuesday November 21 2017, @04:34PM
In one ear and out the other... just like when my wife talks to me.
(Score: 4, Touché) by meustrus on Tuesday November 21 2017, @06:50PM (1 child)
I'm not seeing the difference. Can you help me figure out which one is which?
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 1, Insightful) by Anonymous Coward on Tuesday November 21 2017, @07:36PM
One has a vagina, the other grabs vaginas.
(Score: 2) by DannyB on Tuesday November 21 2017, @07:51PM (3 children)
Maybe I was too subtle. But what I was really sarcastically saying is that the two options you get in an election are really no options at all. You get a choice of:
[x] Crazy Liar
[_] Lying lunatic
Pick one
Similarly a junk food vending machine gives you options, which really are no options at all. Inedible crap no matter which button you push.
People today are educated enough to repeat what they are taught but not to question what they are taught.
(Score: 0) by Anonymous Coward on Tuesday November 21 2017, @09:45PM (1 child)
I see you marked Crazy Liar.
(Score: 2) by DannyB on Wednesday November 22 2017, @02:11PM
I would proudly vote for the crazy liar than the lying lunatic. People who would pick the lying lunatic are ignorant uneducated morons while those who pick the crazy liar are bright and well educated. Furthermore, the lying lunatic voters are violent and need to be pre-emptively resisted by violent means.
People today are educated enough to repeat what they are taught but not to question what they are taught.
(Score: 2) by maxwell demon on Wednesday November 22 2017, @07:32AM
Of course there were other options, too, it's just that Americans didn't vote for them out of fear of "wasting their vote".
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Wednesday November 22 2017, @04:03PM
Congratulations on choosing the greater of two evils.
(Score: -1, Offtopic) by Anonymous Coward on Tuesday November 21 2017, @03:35PM
asl?
(Score: 2) by stretch611 on Tuesday November 21 2017, @03:47PM (3 children)
Will it let me access pirate sites that the MAFIAA doesn't like...
The EU has handed out quite a few injunctions to block pirate sites through ISPs and DNS, does this private DNS block any?
Now with 5 covid vaccine shots/boosters altering my DNA :P
(Score: 2) by takyon on Tuesday November 21 2017, @03:53PM
See my line in the summary.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by vux984 on Tuesday November 21 2017, @05:18PM
"The EU has handed out quite a few injunctions to block pirate sites through ISPs and DNS, does this private DNS block any?"
Given that they often are malicious or underhanded perhaps a more nuanced consideration of that question is in order.
If it blocks a pirate site because the MAFIAA got an injunction in some backwater surveillance state I think we're in agreement that would be bad.
If it blocks a pirate site because it routinely serves up malicious malware in its ad stream, that might be good.
If it blocks a pirate site because it is running a cryptominer on the page that might also be good.
(Score: 3, Informative) by requerdanos on Tuesday November 21 2017, @05:44PM
Upon first reading TFS, I tried "piratebay.org" in nslookup with both 8.8.8.8 and 9.9.9.9. Both returned a proper result.
In their FAQ [quad9.net] they say they will not do censorship:
(Score: 2, Informative) by crb3 on Tuesday November 21 2017, @05:37PM (10 children)
Tried it, then dumped it and went back to OpenDNS when Quad9 stopped resolving soylentnews.org.
(Score: 3, Interesting) by requerdanos on Tuesday November 21 2017, @05:52PM (9 children)
Well, I'd say that's a problem that on the good-bad spectrum leans markedly towards "bad."
Sure enough, no response on 9.9.9.9 for soylentnews.org...
However, if you try with their 9.9.9.10 server that does not have blocking nor DNSSEC, it resolves soylentnews.org just fine.
Conclusion: They are blocking soylentnews.org because of either blacklisting or DNSSEC failure (no way to tell which one).
(Score: 0) by Anonymous Coward on Tuesday November 21 2017, @06:05PM (1 child)
what else did it fail to look up that you tested? did you make a capture to see if the query came back with a specific error code? user applications don't always show what went across the network.
not that nslookup is some glitzy flash in the pan that doesn't do its job, but the error is generic.
(Score: 2) by requerdanos on Tuesday November 21 2017, @06:40PM
Nothing. I only tested a handful of sites, but that's the only one that didn't resolve for me (and for at least some others, apparently). Some of the tries are posted elsewhere in the comments for this article.
(Score: 2) by NewNic on Tuesday November 21 2017, @06:23PM
Not sure what you are doing:
$ dig @9.9.9.9 soylentnews.org
; > DiG 9.11.1-P3 > @9.9.9.9 soylentnews.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER server 9.9.9.9
Default server: 9.9.9.9
Address: 9.9.9.9#53
> soylentnews.org
Server: 9.9.9.9
Address: 9.9.9.9#53
Non-authoritative answer:
Name: soylentnews.org
Address: 45.56.123.192
Name: soylentnews.org
Address: 2600:3c00::f03c:91ff:fe98:b8fe
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 2) by NewNic on Tuesday November 21 2017, @06:26PM (4 children)
$ dig @9.9.9.9 soylentnews.org
; <<>> DiG 9.11.1-P3 <<>> @9.9.9.9 soylentnews.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27649
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;soylentnews.org. IN A
;; ANSWER SECTION:
soylentnews.org. 300 IN A 45.56.123.192
;; Query time: 106 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Tue Nov 21 10:21:28 PST 2017
;; MSG SIZE rcvd: 60
And using the deprecated tool:
$ nslookup
> server 9.9.9.9
Default server: 9.9.9.9
Address: 9.9.9.9#53
> soylentnews.org
Server: 9.9.9.9
Address: 9.9.9.9#53
Non-authoritative answer:
Name: soylentnews.org
Address: 45.56.123.192
Name: soylentnews.org
Address: 2600:3c00::f03c:91ff:fe98:b8fe
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 3, Informative) by requerdanos on Tuesday November 21 2017, @06:53PM (3 children)
Open a ticket with them, is what I did. My entire nslookup conversation is below. Even though it's "The Deprecated Tool," I learned it first and like it.
Dig returns the same, if you prefer (emphasis added):
They responded almost immediately to the trouble ticket (even though I'm just some random person) and asked me for the output of "dig +short @9.9.9.9 chaos txt id.server" and of "traceroute 9.9.9.9" from my location, which I reproduce below for your perusal.
They immediately acknowledged receipt of above info, responding with "Thanks for this, I will get back to you once we have an update". For a free service, their customer service sure is better so far than some services I pay for.
(Score: 2) by NewNic on Tuesday November 21 2017, @07:40PM
My guess is that you are hitting a different server. The end of my traceroute looks like this:
...
7 router.pao.woodynet.net (204.61.214.66) 16.949 ms 16.803 ms 16.806 ms
8 dns.quad9.net (9.9.9.9) 32.717 ms !X 16.494 ms !X 15.445 ms !X
Note 7 above is very different to the penultimate hop in your traceroute.
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 0) by Anonymous Coward on Wednesday November 22 2017, @08:41AM (1 child)
That's probably just an auto-responder.
I got a similar message immediately when I sent a support ticket to my ISP about not being able to log into their self service to set up automatic payments. They have yet to get back to me, and that was probably a year ago.
(Score: 2) by requerdanos on Wednesday November 22 2017, @12:48PM
I got one of those, too, upon my initial ticket submission. All following messages looked more likely to have been written by a person. No fix yet, still not resolving for me, by the way.
(Score: 2) by maxwell demon on Wednesday November 22 2017, @07:36AM
Strange, I didn't find soylentnews.org on either:
The Tao of math: The numbers you can count are not the real numbers.
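The check raised in this subthread (does the failing reply from 9.9.9.9 carry a specific response code, and does 9.9.9.10 answer the same name?), as an added example that is not part of any comment. It reads the RCODE and AD flag straight from the DNS header; the function names and sample bytes are constructed here, and it assumes the filtering resolver reports a blocklist hit as NXDOMAIN and a DNSSEC validation failure as SERVFAIL.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    code = flags & 0x000F
    return {"id": ident, "rcode": RCODES.get(code, f"RCODE{code}"),
            "ad": bool(flags & 0x0020), "ra": bool(flags & 0x0080), "answers": an}

def classify(filtered, unfiltered) -> str:
    """Compare the filtering resolver's reply with the non-filtering one.
    Each argument is raw response bytes, or None if the query timed out."""
    if filtered is None:
        return "no reply from filtering resolver: path problem, not a DNS verdict"
    f = parse_header(filtered)
    if f["rcode"] == "NOERROR" and f["answers"]:
        return "resolves (DNSSEC-validated)" if f["ad"] else "resolves (unvalidated)"
    u = parse_header(unfiltered) if unfiltered is not None else None
    if not (u and u["rcode"] == "NOERROR" and u["answers"]):
        return f"{f['rcode']} and no answer from the non-filtering resolver either"
    # Assumption: blocklisted names get NXDOMAIN, validation failures get SERVFAIL.
    if f["rcode"] == "SERVFAIL":
        return "likely DNSSEC validation failure"
    if f["rcode"] == "NXDOMAIN":
        return "likely blocklist hit"
    return f"inconclusive ({f['rcode']})"

def header(ident: int, flags: int, an: int = 0) -> bytes:
    """Constructed sample: header only, since nothing past byte 12 is inspected."""
    return struct.pack("!6H", ident, flags, 1, an, 0, 0)

# Constructed replies. 0x81A0 = qr rd ra ad, the flag set in the dig output above.
OK_VALIDATED = header(27649, 0x81A0, an=1)
OK_PLAIN = header(27650, 0x8180, an=1)
SERVFAIL = header(27651, 0x8182)
NXDOMAIN = header(27652, 0x8183)
```

A timeout is kept separate from both verdicts because a resolver that never replies has said nothing about the name, which is why a packet capture or `dig` status line is more informative than a generic client error.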
(Score: 3, Informative) by xpda on Tuesday November 21 2017, @06:25PM
The City of London has a history of shutting down sites at the behest of the recording and movie industry. I do not want them censoring my internet, and will definitely not allow it voluntarily.
https://www.techdirt.com/blog/?tag=city+of+london [techdirt.com]
(Score: 2) by hendrikboom on Wednesday November 22 2017, @01:03PM (1 child)
40 billion evil sites? With only about 4 billion possible IPv4 addresses? IPv6 must be in much more widespread use than I thought.
(Score: 0) by Anonymous Coward on Wednesday November 22 2017, @04:09PM
Virtual hosting? What's that?