DNS resolver 9.9.9.9 will check requests against IBM threat database

The Global Cyber Alliance has given the world a new free Domain Name Service resolver, and advanced it as offering unusually strong security and privacy features. The Quad9 DNS service, at 9.9.9.9, not only turns URIs into IP addresses, but also checks them against IBM X-Force's threat intelligence database. Those checks …


  1. Anonymous Coward

    "GCA also said it hoped the resolver would attract users on the security-challenged Internet of Things"

    Honest question but why? It's a resolver, sure you can identify devices with URL but what exactly are you going to do with that information only you are keeping?

    Oh and I don't trust this in the slightest.

    1. Dan 55 Silver badge

      Presumably it won't let the malware on compromised devices resolve their C&C server's address before phoning home. It'll return 127.0.0.1 or a honeypot or something.

      So if this becomes popular malware will evolve by not using DNS and just using IP addresses.

      But it's free. As they say, if a service is free then you're not the customer... Who's the customer?

      1. DJ Smiley

        Except you can just specify a different resolver?

      2. Ian Michael Gumby
        Boffin

        @Dan 55

        It doesn't matter if they are running on IP addresses because those addresses will have to resolve to someone.

        And there are more threats than just malware.

        As to this being free...

        Consider this a community service. The more people who use it, the better the database becomes and the more people will use it.

        They may not make money off of you, but by having a robust database, they can use it as part of their services offering. They are using you to make their database better, hence it's free.

        At a later date, they could throttle or charge you for usage if the number of queries exceeds a certain threshold.

        And they will want to capture who is using their database as well. How long they retain their logs or how they will aggregate it is another matter.

      3. Ian Michael Gumby

        @Dan 55

        I would have down voted you.. but you are currently up five and down five so it fits your moniker. ;-)

      4. Anonymous Coward

        Who's the customer?

        The only free cheese is on the mousetrap.

      5. Jim Birch

        Who is the customer? Are you joking?

        This kind of thing would cost peanuts to run. If it works, it easily pays for itself. The organisations that have signed up to this effort are all hurt by cyber threat prevention, mitigation and cleanup as a significant cost of doing business. They have set the thing up with no data slurping because trust is important. If this approach becomes standard it clobbers a lot of cyber threats in one easy hit.

    2. Anonymous Coward

      "and images X-Force has found to be dangerous."

      So it's a morality filter too?

      1. Sebastian Brosig

        as long as it can resolve goatse.cx it's good enough for me...

      2. Anonymous Coward

        So it's a morality filter too?

        Not yet. After enough people will use it then wham! Anything the government doesn't like will be banned.

      3. Tom Samplonius

        > "and images X-Force has found to be dangerous."

        > So it's a morality filter too?

        There are quite a few ways of triggering buffer overflows in images. Plus, there are ways of wrapping executable code in an image wrapper. The image doesn't look like anything, but it is a good way to get an executable onto a system and then execute with JavaScript, Flash or Java.

        But they probably mean child porn. All of the police departments have hash databases of known child porn pics. There is probably an aggregated database of these available somewhere.

        1. dvvdvv

          And they aren't logging queries for these addresses? Right…

    3. The Man Who Fell To Earth Silver badge
      FAIL

      Does not work very well

      Just tried it out. Took it over 10 seconds to resolve google.com.

      1. Anonymous Coward

        Re: Does not work very well

        $ dig @9.9.9.9 google.com A
        ;; ANSWER SECTION:
        google.com. 11 IN A 216.58.213.78
        ;; Query time: 6 msec
        ;; SERVER: 9.9.9.9#53(9.9.9.9)
        ;; WHEN: Mon Nov 20 13:11:23 GMT 2017

        6 milliseconds isn't too bad in my book. Bear in mind my PC has to traverse at least three switches, my office router/firewall cluster, my ISP and perhaps a fair bit of internet.

        1. katrinab Silver badge

          Re: Does not work very well

          theregister.co.uk takes 48ms from 9.9.9.9 vs 71ms from 8.8.8.8

        2. Ian Michael Gumby
          Boffin

          Re: Does not work very well

          ;; ANSWER SECTION:
          google.com. 153 IN A 172.217.8.174
          ;; Query time: 8 msec
          ;; SERVER: 9.9.9.9#53(9.9.9.9)
          ;; WHEN: Mon Nov 20 12:11:47 CST 2017
          ;; MSG SIZE rcvd: 55

          Of course YMMV depending on where in the world you are located.

          1. AndyD 8-)₹

            Re: Does not work very well

            "Of course YMMV depending on where in the world you are located."

            --- @Shiningest India:-

            Microsoft Windows [Version 10.0.16299.64]
            (c) 2017 Microsoft Corporation. All rights reserved.

            C:\Users\user>bash
            MeMe@Desktop-Dell:/mnt/c/Users/user$ dig @9.9.9.9 google.com A

            ; <<>> DiG 9.9.5-3ubuntu0.11-Ubuntu <<>> @9.9.9.9 google.com A
            ; (1 server found)
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33197
            ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 4096
            ;; QUESTION SECTION:
            ;google.com. IN A

            ;; ANSWER SECTION:
            google.com. 293 IN A 108.177.98.139
            google.com. 293 IN A 108.177.98.113
            google.com. 293 IN A 108.177.98.138
            google.com. 293 IN A 108.177.98.100
            google.com. 293 IN A 108.177.98.101
            google.com. 293 IN A 108.177.98.102

            ;; Query time: 311 msec
            ;; SERVER: 9.9.9.9#53(9.9.9.9)
            ;; WHEN: Tue Nov 21 12:12:54 DST 2017
            ;; MSG SIZE rcvd: 135

            MeMe@Desktop-Dell:/mnt/c/Users/user$ dig @8.8.8.8 google.com A

            ; <<>> DiG 9.9.5-3ubuntu0.11-Ubuntu <<>> @8.8.8.8 google.com A
            ; (1 server found)
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40633
            ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 512
            ;; QUESTION SECTION:
            ;google.com. IN A

            ;; ANSWER SECTION:
            google.com. 294 IN A 216.58.203.206

            ;; Query time: 38 msec
            ;; SERVER: 8.8.8.8#53(8.8.8.8)
            ;; WHEN: Tue Nov 21 12:16:22 DST 2017
            ;; MSG SIZE rcvd: 55

            MeMe@Desktop-Dell:/mnt/c/Users/user$

            1. dvvdvv

              Re: Does not work very well

              TMI.
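As an added example (not code from the thread, from Quad9 or from ISC's dig), here is a small Python resolver check that does what the dig posts above do, timing an A query against a server, and that also labels the reply as resolved, NXDOMAIN or sinkholed (a 127.0.0.1-style answer, the behaviour Dan 55 speculates about higher up). The sample response bytes are constructed, and the sinkhole address set is an assumption.

```python
import random
import socket
import struct
import time

# Constructed samples (not captured from 9.9.9.9): the "google.com. 11 IN A 216.58.213.78"
# answer quoted above in wire form, a 127.0.0.1 sinkhole answer, and an NXDOMAIN (rcode 3).
SAMPLE_RESOLVED = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x06google\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x0b\x00\x04\xd8\x3a\xd5\x4e")
SAMPLE_SINKHOLED = SAMPLE_RESOLVED[:-4] + b"\x7f\x00\x00\x01"
SAMPLE_NXDOMAIN = b"\x12\x34\x81\x83\x00\x01\x00\x00\x00\x00\x00\x00\x06google\x03com\x00\x00\x01\x00\x01"
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0"}  # assumed set of answers that mean "blocked", not "resolved"

def build_query(name, qtype=1):
    # Header: random transaction id, RD flag set, one question; then QNAME, QTYPE, QCLASS IN.
    txid = random.randint(0, 0xFFFF)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return txid, struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def _read_name(msg, off):
    # Read a possibly compressed name; return (name, offset just past the field).
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if jumped else off + 2
            jumped, off = True, pointer
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else off + 1)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_response(msg):
    # Return (txid, rcode, [(name, ttl, ipv4), ...]) for the A records in the answer section.
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    rcode, off, answers = flags & 0xF, 12, []
    for _ in range(qdcount):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return txid, rcode, answers

def classify(rcode, answers):
    if rcode == 3:
        return "nxdomain"
    if answers and all(ip in SINKHOLE_ADDRS for _, _, ip in answers):
        return "sinkholed"
    return "resolved" if answers else "empty"

def query(server, name, timeout=2.0):
    # Send over UDP/53, time the round trip, and reject replies carrying the wrong txid.
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(4096)
    elapsed_ms = (time.perf_counter() - start) * 1000
    rid, rcode, answers = parse_response(data)
    if rid != txid:
        raise ValueError("transaction id mismatch: possible spoofed reply")
    return elapsed_ms, classify(rcode, answers), answers
```

Calling query("9.9.9.9", "google.com") needs network access and returns the round-trip time in milliseconds alongside the verdict; the sample constants let the parser be exercised offline.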

    4. Adam 1

      https://www.ebay.com/new-or-unused/bridges

      Resolved: 104.83.251.239

      Works perfectly.

  2. James Ashton
    Big Brother

    'Quad9 won't “store, correlate, or otherwise leverage” personal information.'

    And if the above is a lie our legal recourse is what? It's a free service so no contract exists. And I assume it's legal for police in the UK to lie to encourage people to incriminate themselves, the same as elsewhere in the world. I think there's going to be a large overlap between the likely users of such a service and the tinfoil hat brigade who won't be touching it with a barge pole.

    1. Adam 52 Silver badge

      If it's storing personal data (or anything linkable to an individual) then you'd have recourse via the GDPR if you can enforce against IBM's lawyers. But not in the UK against City of London Police because policing is one of the many opt outs taken by the UK government.

      As it happens I'd tend to trust these people. Whether or not I'd trust whoever ends up running it in six months time or once the inevitable request from NCA comes in is another thing.

      You could always turn it off if you're planning on doing something that the spooks might be interested in and inject random noise.

      1. Anonymous Coward

        "because policing is one of the many opt outs taken by the UK government"

        Partially true - the exemption in GDPR is not for police forces, but for data used for policing purposes. This system is very much subject to GDPR.

        1. Doctor Syntax Silver badge

          "the exemption in GDPR is not for police forces, but for data used for policing purposes. This system is very much subject to GDPR."

          So how do you explain the police holding DNA and other data on individuals who've been cleared. Anything will be twisted into "data used for policing purposes". Until the police forces can be trusted with data they have to be able to show themselves to have clean hands on data handling.

          1. Anonymous Coward

            "So how do you explain the police holding DNA and other data on individuals who've been cleared"

            That the information commissioner is toothless, the laws poorly enforced and the home secretary doesn't give a shit.

        2. Ian Michael Gumby
          Boffin

          "because policing is one of the many opt outs taken by the UK government"

          Partially true - the exemption in GDPR is not for police forces, but for data used for policing purposes. This system is very much subject to GDPR.

          Actually they may disagree with that... since this is tied to security and police efforts... but I'm not going to play lawyer.

          They have the ability to log your request and that's not against the GDPR. However, if they were to combine their logs with DNS information and can identify you from your static IP address... that would be different. Assuming that you do have a static IP address and this doesn't fall in to an exception.

          1. Anonymous Coward

            "They have the ability to log your request and that's not against the GDPR..."

            You've misunderstood GDPR entirely.

            They can log whatever they like. GDPR says _nothing_ about what you can and cannot do. It is entirely concerned with why you do something and how you go about it. As long as you can justify data collection and as long as you do enough to warrant that justification and prevent misuse you can do almost anything.

            So, for example. Logging DNS requests is fine, say, for protecting against attacks or for predicting growth. As long as you actively design the system to prevent people from doing anything else with the data, for example by discarding it when you're done and by limiting the access paths.

            Whether or not the IP is static doesn't come into it. IP addresses are PII if any person can, with reasonable effort, link the record back to a natural person. Static, dynamic, shared; doesn't matter. IP addresses are effectively always PII, and have been specifically called out within GDPR as such.

      2. Anonymous Coward
        Stop

        Privacy of DNS requests

        If it's storing personal data (or anything linkable to an individual) then you'd have recourse via the GDPR if you can enforce against IBM's lawyers. But not in the UK against City of London Police because policing is one of the many opt outs taken by the UK government.

        All Internet activity in the UK (and US) is monitored. The various state security actors probably can't routinely read encrypted content, except for some automated traffic analysis and the various protocol and implementation flaws that keep cropping up, but everything else belongs to them, including public DNS lookups regardless of whose DNS server you are using.

      3. Doctor Syntax Silver badge

        "As it happens I'd tend to trust these people."

        You might have the background to trust them. So, at one time, might I. Unfortunately, as the internet has developed, some elements of TPTB have shown themselves to be thoroughly untrustable and sufficiently powerful to be able to push their way into too many places. Trusting anyone nowadays has become increasingly risky.

        1. Anonymous Coward

          You might have the background to trust them. So, at one time, might I. Unfortunately,.....

          Well, you've got to trust somebody's DNS unless you're able and willing to navigate solely by IP address, which I doubt (although somewhere, in a dark, BO-scented bedroom with the curtains drawn all day, I'm sure there's people who do only navigate by IP).

          Other than my ISP's bundled one, I can't think of any that are paid for by end users. I'm aware that corporate customers will often be paying for DNS services as part of their enterprise security, but that's different.

          So whose DNS do you trust? Obviously not Google.

          1. Red Bren
            Coat

            "somewhere, in a dark, BO-scented bedroom"

            The fact that my first reading of this prompted the question, "What does Business Objects smell of?" suggests I might need to get out more...

          2. IGnatius T Foobar

            DNS

            So whose DNS do you trust? Obviously not Google.

            If you care enough about having "pure" DNS, it really isn't all that hard to run your own DNS server.

            1. JWLong

              Re: DNS

              I have my own DNS. I also have a lot of my favorite sites prepped into my host file so it doesn't have to bother the DNS server.

              The thing is, that most users don't even know what DNS is or even how to use/point it to where/what you want!

              I also use these guys: http://winhelp2002.mvps.org/hosts2.htm to get an updated list of shit sites to sinkhole.

              Let the unwashed masses deal with the likes of Google or their ISP's. Not my problem!

          3. JohnFen

            " unless you're able and willing to navigate solely by IP address, which I doubt"

            There's a middle ground between those two extremes: the hosts file. Machines I use for general-purpose internet access use DNS, but all of the other machines and devices I use don't. They use the hosts file instead.

          4. Anonymous Coward

            "Well, you've got to trust somebody's DNS unless you're able and willing to navigate solely by IP address"

            Why not run a local full resolver, so you just need to trust the DNS authoritative server like everybody else?

            "So whose DNS do you trust? Obviously not Google."

            Actually, I do. I believe they respect their privacy policy and don't do much nasty stuff with your requests. The Google Public DNS Team regularly joins discussion on the dns-operations mailing list and they seem to have the right mindset.

            1. Anonymous Coward

              Until they don't (see the China debacle).

              Anyway, I do exactly that on my home network — I run a full recursive resolver with DNSSEC enforced, intercept port 53 traffic from local devices and re-route it to said resolver. Yes, I kinda trust ISC and whoever does the builds at this point. And yes, I know DNS is clear text, and so is SNI.

    2. Anonymous Coward

      "And I assume it's legal for police in the UK to lie to encourage people to incriminate themselves, the same as elsewhere in the world."

      So? How well do you think undercover ops would work if the undercover officers had to tell the truth? Time for you to climb down out of your naive hippy nirvana and rejoin the real world.

      1. Anonymous Coward
        Meh

        Naive hippy nirvana

        So? How well do you think undercover ops would work if the undercover officers had to tell the truth? Time for you to climb down out of your naive hippy nirvana and rejoin the real world.

        Well, there is telling the truth, and telling the truth. "Two undercover police officers secretly fathered children with political campaigners they had been sent to spy on and later disappeared completely from the lives of their offspring" https://www.theguardian.com/uk/2012/jan/20/undercover-police-children-activists Perhaps those children and their mothers wouldn't have been so damaged if the Police had been a little more honest.

        1. Anonymous Coward

          Re: Naive hippy nirvana

          "Perhaps those children and their mothers wouldn't have been so damaged if the Police had been a little more honest."

          Those protestors were probably damaged goods long before the undercover cops showed up.

          1. Anonymous Coward
            Unhappy

            Re: Naive hippy nirvana

            Those protestors were probably damaged goods long before the undercover cops showed up.

            damaged goods: (noun, informal) a person who is regarded as inadequate or impaired in some way.

            I can see you don't particularly like people protesting and expressing alternative views. But how do you think democracy works? Have you ever campaigned for or against anything? Perhaps you really would be more comfortable living somewhere where people can't protest, like China or North Korea.

            1. Anonymous Coward

              Re: Naive hippy nirvana

              "I can see you don't particularly like people protesting and expressing alternative views"

              Going on a march or demonstration occasionally is one thing, spending your life protesting while claiming benefits and contributing nothing to society at large (most of whom probably don't give a rats about the issue you're protesting about) is something completely different. So yes professional protestors - damaged, feckless goods looking for some meaning in their pointless lives.

    3. dave 81

      > I assume it's legal for police in the UK to lie

      Technically they are not, "Misconduct in public office", but as the CPS are in bed with the police, they get away with it.

      1. Adam 52 Silver badge

        "police in the UK to lie ...

        Technically ... "Misconduct in public office"

        Not misconduct in a public office at all. Misconduct is:

        "wilfully neglects to perform his duty and/or wilfully misconducts himself to such a degree as to amount to an abuse of the public's trust in the office holder without reasonable excuse or justification"

        If lying were a crime the House of Commons would be a lot emptier.

        I'll give you an example:

        PC: "Billy, we know you were dealing drugs at the school, we've got you on CCTV".

        Billy: "No way, I had my hoody on..."

        PC: "Thank you for confirming it, there was no CCTV."

        1. dave 81

          Reasonable

          > wilfully neglects to perform his duty and/or wilfully misconducts himself to such a degree as to amount to an abuse of the public's trust in the office holder without reasonable excuse or justification"

          AH "reasonable", the word the wankers in power use all the fucking time to justify the increasing shitty actions of the police. I fucking hate the law.

    4. Mpeler
      Coat

      No peekee

      As Siegfried said to Maxwell Smart and his stunning colleague:

      Nein, nein, ninety-nine...

  3. Anonymous South African Coward Bronze badge

    Great, if they now can add 9.9.8.8 to filter/block out pr0nz and other unsavoury websites (kids at home) then I'll take a shufty at it.

    But it boggles the mind... 9.0.0.0/8 - and only one IP in use...

    1. Dwarf

      @ASAC

      Nowhere in the article did it say that the whole of 9.0.0.0/8 was used for this service.

      Defining /32 routes isn’t exactly rocket science, however I’d expect that they defined something like a /28

      1. Anonymous Coward

        route-views>sh ip bgp 9.9.9.9
        BGP routing table entry for 9.9.9.0/24, version 96920463
        Paths: (41 available, best #33, table default)
        Not advertised to any peer
        Refresh Epoch 1
        3549 42 19281
        208.51.134.254 from 208.51.134.254 (67.17.81.150)
        Origin IGP, metric 2523, localpref 100, valid, external
        rx pathid: 0, tx pathid: 0
        Refresh Epoch 1
        ...

        Or rather more easily,

        https://bgp.he.net/ip/9.9.9.9

      2. IGnatius T Foobar

        Defining /32 routes isn’t exactly rocket science, however I’d expect that they defined something like a /28

        If they are announcing it from lots of different places around the world, likely in an anycast configuration, they would have to use 9.9.9.0/24

        Almost no networks allow anything smaller than a /24 in their BGP tables

      3. Anonymous Coward

        They need at least /24 for anycast purposes, as anything smaller than that can usually not be announced on the Internet.

        Traceroute sampling confirms. So they only "waste" a /24 and still have the option to include other anycast services on the same nodes within it.

    2. Anonymous Coward

      Er no, very heavily used. Like the whole of IBM
