back to article DNS resolver 9.9.9.9 will check requests against IBM threat database

The Global Cyber Alliance has given the world a new free Domain Name Service resolver, and advanced it as offering unusually strong security and privacy features. The Quad9 DNS service, at 9.9.9.9, not only turns URIs into IP addresses, but also checks them against IBM X-Force's threat intelligence database. Those checks …

  1. Anonymous Coward
    Anonymous Coward

    "GCA also said it hoped the resolver would attract users on the security-challenged Internet of Things"

    Honest question but why? It's a resolver, sure you can identify devices with URL but what exactly are you going to with that information only you are keeping?

    Oh and I don't trust this in the slightest.

    1. Dan 55 Silver badge

      Presumably it won't let the malware on compromised devices resolve their C&C server's address before phoning home. It'll return 127.0.0.1 or a honeypot or something.

      So if this becomes popular malware will evolve by not using DNS and just using IP addresses.

      But it's free. As they say, if a service is free then you're not the customer... Who's the customer?

      1. DJ Smiley

        Except you can just specify a different resolver?

      2. Ian Michael Gumby
        Boffin

        @Dan 55

        It doesn't matter if they are running on IP addresses because those addresses will have to resolve to someone.

        And there are more threats than just malware.

        As to this being free...

        Consider this a community service. The more people who use it, the better the database becomes and the more people will use it.

        They may not make money off of you, but by having a robust database, they can use it as part of their services offering. They are using you to make their database better, hence its free.

        At a later date, they could throttle or charge you for usage if the number of queries exceeds a certain threshold.

        And they will want to capture who is using their database as well. How long they retain their logs or how they will aggregate it is another matter.

      3. Ian Michael Gumby

        @Dan 55

        I would have down voted you.. but you are currently up five and down five so it fits your moniker. ;-)

      4. Anonymous Coward
        Anonymous Coward

        Who's the customer?

        The only free cheese is on the mousetrap.

      5. Jim Birch

        Who is the customer? Are you joking?

        This kind of thing would cost peanuts to run. If it works, it easily pays for itself. The organisations that have signed up to this effort are all hurt by cyber threat prevention, mitigation and cleanup as a significant cost of doing business. They have set the thing up with no data slurping because trust is important. If this approach becomes standard it clobbers a lot of cyber threats in one easy hit.

    2. Anonymous Coward
      Anonymous Coward

      "and images X-Force has found to be dangerous."

      So it's a morality filter too?

      1. Sebastian Brosig

        as long as it can resolve goatse.cx it's good enough for me...

      2. Anonymous Coward
        Anonymous Coward

        So it's a morality filter too?

        Not yet. After enough people will use it then wham! Anything the government doesn't like will be banned.

      3. Tom Samplonius

        > "and images X-Force has found to be dangerous."

        > So it's a morality filter too?

        There are quite a few ways of triggering buffer overflows in images. Plus, there are ways of wrapping executable code in an image wrapper. The image doesn't look like anything, but it is a good way to get an executable onto a system and then execute with JavaScript, Flash or Java.

        But they probably means child porn. All of the police departments have hash databases of known child porn pics. There is probably an aggregated database of these available somewhere.

        1. dvvdvv

          And they aren't logging queries for these address? Right…

    3. The Man Who Fell To Earth Silver badge
      FAIL

      Does not work very well

      Just tried it out. Took it over 10 seconds to resolve google.com.

      1. Anonymous Coward
        Anonymous Coward

        Re: Does not work very well

        $ dig @9.9.9.9 google.com A

        ;; ANSWER SECTION:

        google.com. 11 IN A 216.58.213.78

        ;; Query time: 6 msec

        ;; SERVER: 9.9.9.9#53(9.9.9.9)

        ;; WHEN: Mon Nov 20 13:11:23 GMT 2017

        6 milliseconds isn't too bad in my book. Bear in mind my PC has to traverse at least three switches, my office router/firewall cluster, my ISP and perhaps a fair bit of internet.

        1. katrinab Silver badge

          Re: Does not work very well

          theregister.co.uk takes 48ms from 9.9.9.9 vs 71ms from 8.8.8.8

        2. Ian Michael Gumby
          Boffin

          Re: Does not work very well

          ;; ANSWER SECTION:

          google.com. 153 IN A 172.217.8.174

          ;; Query time: 8 msec

          ;; SERVER: 9.9.9.9#53(9.9.9.9)

          ;; WHEN: Mon Nov 20 12:11:47 CST 2017

          ;; MSG SIZE rcvd: 55

          Of course YMMV depending on where in the world you are located.

          1. AndyD 8-)₹

            Re: Does not work very well

            "Of course YMMV depending on where in the world you are located."

            --- @Shiningest India:-

            Microsoft Windows [Version 10.0.16299.64]

            (c) 2017 Microsoft Corporation. All rights reserved.

            C:\Users\user>bash

            MeMe@Desktop-Dell:/mnt/c/Users/user$ dig @9.9.9.9 google.com A

            ; <<>> DiG 9.9.5-3ubuntu0.11-Ubuntu <<>> @9.9.9.9 google.com A

            ; (1 server found)

            ;; global options: +cmd

            ;; Got answer:

            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33197

            ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

            ;; OPT PSEUDOSECTION:

            ; EDNS: version: 0, flags:; udp: 4096

            ;; QUESTION SECTION:

            ;google.com. IN A

            ;; ANSWER SECTION:

            google.com. 293 IN A 108.177.98.139

            google.com. 293 IN A 108.177.98.113

            google.com. 293 IN A 108.177.98.138

            google.com. 293 IN A 108.177.98.100

            google.com. 293 IN A 108.177.98.101

            google.com. 293 IN A 108.177.98.102

            ;; Query time: 311 msec

            ;; SERVER: 9.9.9.9#53(9.9.9.9)

            ;; WHEN: Tue Nov 21 12:12:54 DST 2017

            ;; MSG SIZE rcvd: 135

            MeMe@Desktop-Dell:/mnt/c/Users/user$ dig @8.8.8.8 google.com A

            ; <<>> DiG 9.9.5-3ubuntu0.11-Ubuntu <<>> @8.8.8.8 google.com A

            ; (1 server found)

            ;; global options: +cmd

            ;; Got answer:

            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40633

            ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

            ;; OPT PSEUDOSECTION:

            ; EDNS: version: 0, flags:; udp: 512

            ;; QUESTION SECTION:

            ;google.com. IN A

            ;; ANSWER SECTION:

            google.com. 294 IN A 216.58.203.206

            ;; Query time: 38 msec

            ;; SERVER: 8.8.8.8#53(8.8.8.8)

            ;; WHEN: Tue Nov 21 12:16:22 DST 2017

            ;; MSG SIZE rcvd: 55

            MeMe@Desktop-Dell:/mnt/c/Users/user$

            1. dvvdvv

              Re: Does not work very well

              TMI.

    4. Adam 1

      https://www.ebay.com/new-or-unused/bridges

      Resolved: 104.83.251.239

      Works perfectly.

  2. James Ashton
    Big Brother

    'Quad9 won't “store, correlate, or otherwise leverage” personal information.'

    And if the above is a lie our legal recourse is what? It's a free service so no contract exists. And I assume it's legal for police in the UK to lie to encourage people to incriminate themselves, the same as elsewhere in the world. I think there's going to be a large overlap between the likely users of such a service and the tinfoil hat brigade who won't be touching it with a barge pole.

    1. Adam 52 Silver badge

      If it's storing personal data (or anything linkable to an individual) then you'd have recourse via the GDPR if you can enforce against IBM's lawyers. But not in the UK against City of London Police because policing is one of the many opt outs taken by the UK government.

      As it happens I'd tend to trust these people. Whether or not I'd trust whoever ends up running it in six months time or once the inevitable request from NCA comes in is another thing.

      You could always turn if off if you're planning on doing something that the spooks might be interested in and inject random noise.

      1. Anonymous Coward
        Anonymous Coward

        "because policing is one of the many opt outs taken by the UK government"

        Partially true - the exemption in GDPR is not for police forces, but for data used for policing purposes. This system is very much subject to GDPR.

        1. Doctor Syntax Silver badge

          "the exemption in GDPR is not for police forces, but for data used for policing purposes. This system is very much subject to GDPR."

          So how do you explain the police holding DNA and other data on individuals who've been cleared. Anything will be twisted into "data used for policing purposes". Until the police forces can be trusted with data they have to be able to show themselves to have clean hands on data handling.

          1. Anonymous Coward
            Anonymous Coward

            "So how do you explain the police holding DNA and other data on individuals who've been cleared"

            That the information commissioner is toothless, the laws poorly enforced and the home secretary doesn't give a shit.

        2. Ian Michael Gumby
          Boffin

          because policing is one of the many opt outs taken by the UK government"

          Partially true - the exemption in GDPR is not for police forces, but for data used for policing purposes. This system is very much subject to GDPR.

          Actually they may disagree with that... since this is tied to security and police efforts... but I'm not going to play lawyer.

          They have the ability to log your request and that's not against the GDPR. However, if they were to combine their logs with DNS information and can identify you from your static IP address... that would be different. Assuming that you do have a static IP address and this doesn't fall in to an exception.

          1. Anonymous Coward
            Anonymous Coward

            "They have the ability to log your request and that's not against the GDPR..."

            You've misunderstood GDPR entirely.

            They can log whatever they like. GDPR says _nothing_ about what you can and cannot do. It is entirely concerned with why you do something and how you go about it. As long as you can justify data collection and as long as you do enough to warrant that justification and prevent misuse you can almost anything.

            So, for example. Logging DNS requests is fine, say, for protecting against attacks or for predicting growth. As long as you actively design the system to prevent people from doing anything else with the data, for example by discarding it when you're done and by limiting the access paths.

            Whether or not the IP is static doesn't come into it. IP addresses are PII if any person can, with reasonable effort, link the record back to a natural person. Static, dynamic, shared; doesn't matter. IP addresses are effectively always PII, and have been specifically called out within GDPR as such.

      2. Anonymous Coward
        Stop

        Privacy of DNS requests

        If it's storing personal data (or anything linkable to an individual) then you'd have recourse via the GDPR if you can enforce against IBM's lawyers. But not in the UK against City of London Police because policing is one of the many opt outs taken by the UK government.

        All Internet activity in the UK (and US) is monitored. The various state security actors probably can't routinely read encrypted content, except for some automated traffic analysis and the various protocol and implementation flaws that keep cropping up, but everything else belongs to them, including public DNS lookups regardless of whose DNS server you are using.

      3. Doctor Syntax Silver badge

        "As it happens I'd tend to trust these people."

        You might have the background to trust them. So, at one time, might I. Unfortunately, as the internet has developed, some elements of TPTB have shown themselves to be thoroughly untrustable and sufficiently powerful to be able to push their way into too many places. Trusting anyone nowadays has become increasingly risky.

        1. Anonymous Coward
          Anonymous Coward

          You might have the background to trust them. So, at one time, might I. Unfortunately,.....

          Well, you've got to trust somebody's DNS unless you're able and willing to navigate solely by IP address, which I doubt (although somewhere, in a dark, BO-scented bedroom with the curtains drawn all day, I'm sure there's people who do only navigate by IP).

          Other than my ISP's bundled one, I can't think of any that are paid for by end users. I'm aware that corporate customers will often be paying for DNS services as part of their enterprise security, but that's different.

          So whose DNS do you trust? Obviously not Google.

          1. Red Bren
            Coat

            "somewhere, in a dark, BO-scented bedroom"

            The fact that my first reading of this prompted the question, "What does Business Objects smell of?" suggests I might need to get out more...

          2. IGnatius T Foobar

            DNS

            So whose DNS do you trust? Obviously not Google.

            If you care enough about having "pure" DNS, it really isn't all that hard to run your own DNS server.

            1. JWLong

              Re: DNS

              I have my own DNS. I also have a lot of my favorite sites prepped into my host file so it doesn't have to bother the DNS server.

              The thing is, that most users don't even know what DNS is or even how to use/point it to where/what you want!

              I also use these guys: http://winhelp2002.mvps.org/hosts2.htm to get an updated list of shit sites to sinkhole.

              Let the unwashed masses deal with the likes of Google or their ISP's. Not my problem!

          3. JohnFen

            " unless you're able and willing to navigate solely by IP address, which I doubt"

            There's a middle ground between those two extremes: the hosts file. Machines I use for general-purpose internet access use DNS, but all of the other machines and devices I use don't. They use the hosts file instead.

          4. Anonymous Coward
            Anonymous Coward

            "Well, you've got to trust somebody's DNS unless you're able and willing to navigate solely by IP address"

            Why not run a local full resolver, so you just need to trust the DNS authoritative server like everybody else?

            "So whose DNS do you trust? Obviously not Google."

            Actually, I do. I believe they respect their privacy policy and don't do much nasty stuff with your requests. The Google Public DNS Team regularly joins discussion on the dns-operations mailing list and they seem to have the right mindset.

            1. Anonymous Coward
              Anonymous Coward

              Until they don't (see the China debacle).

              Anyway, I do exactly that on my home network — I run a full recursive resolver with DNSSEC enforced, intercept port 53 traffic from local devices and re-route it to said resolver. Yes, I kinda trust ISC and whoever does the builds at this point. And yes, I know DNS is clear text, and so is SNI.

    2. Anonymous Coward
      Anonymous Coward

      "And I assume it's legal for police in the UK to lie to encourage people to incriminate themselves, the same as elsewhere in the world."

      So? How well do you think undercover ops would work if the undercover officers had to tell the truth? Time for you to climb down out of your naive hippy nirvana and rejoin the real world.

      1. Anonymous Coward
        Meh

        Naive hippy nirvana

        So? How well do you think undercover ops would work if the undercover officers had to tell the truth? Time for you to climb down out of your naive hippy nirvana and rejoin the real world.

        Well, there is telling the truth, and telling the truth. "Two undercover police officers secretly fathered children with political campaigners they had been sent to spy on and later disappeared completely from the lives of their offspring" https://www.theguardian.com/uk/2012/jan/20/undercover-police-children-activists Perhaps those children and their mothers wouldn't have been so damaged if the Police had been a little more honest.

        1. Anonymous Coward
          Anonymous Coward

          Re: Naive hippy nirvana

          "Perhaps those children and their mothers wouldn't have been so damaged if the Police had been a little more honest."

          Those protestors were probably damaged goods long before the undercover cops showed up.

          1. Anonymous Coward
            Unhappy

            Re: Naive hippy nirvana

            Those protestors were probably damaged goods long before the undercover cops showed up.

            damaged goods: (noun, infomal) a person who is regarded as inadequate or impaired in some way.

            I can see you don't particularly like people protesting and expressing alternative views. But how do you think democracy works? Have you ever campaigned for or against anything? Perhaps you would really would be more comfortable living somewhere where people can't protest, like China or North Korea.

            1. Anonymous Coward
              Anonymous Coward

              Re: Naive hippy nirvana

              "I can see you don't particularly like people protesting and expressing alternative views"

              Going on a march or demonstration occasionally is one thing, spending your life protesting while claiming benefits and contributing nothing to society at large (most of whom probably don't give a rats about the issue you're protesting about) is something completely different. So yes professional protestors - damaged, feckless goods looking for some meaning in their pointless lives.

    3. dave 81

      > I assume it's legal for police in the UK to lie

      Technically they are not, "Misconduct in public office", but as the CPS are in bed with the police, they get away with it.

      1. Adam 52 Silver badge

        "police in the UK to lie ...

        Technically ... "Misconduct in public office"

        Not misconduct in a public office at all. Misconduct is:

        "wilfully neglects to perform his duty and/or wilfully misconducts himself to such a degree as to amount to an abuse of the public's trust in the office holder without reasonable excuse or justification"

        If lying were are crime the House of Commons would be a lot emptier.

        I'll give you an example:

        PC: "Billy, we know you were dealing drugs at the school, we've got you on CCTV".

        Billy: "No way, I had my hoody on..."

        PC: "Thank you for confirming it, there was no CCTV."

        1. dave 81

          Reasonable

          > wilfully neglects to perform his duty and/or wilfully misconducts himself to such a degree as to amount to an abuse of the public's trust in the office holder without reasonable excuse or justification"

          AH "reasonable", the word the wankers in power use all the fucking time to justify the increasing shitty actions of the police. I fucking hate the law.

    4. Mpeler
      Coat

      No peekee

      As Siegfried said to Maxwell Smart and his stunning colleague:

      Nein, nein, ninety-nine...

  3. Anonymous South African Coward Bronze badge

    Great, if they now can add 9.9.8.8 to filter/block out pr0nz and other unsavoury websites (kids at home) then I'll take a shufty at it.

    But it boggles the mind... 9.0.0.0/8 - and only one IP in use...

    1. Dwarf

      @ASAC

      Nowhere in he article did it say that the whole of 9.0.0.0/8 was used for this service.

      Defining /32 routes isn’t exactly rocket science, however I’d expect that they defined something like a /28

      1. Anonymous Coward
        Anonymous Coward

        route-views>sh ip bgp 9.9.9.9

        BGP routing table entry for 9.9.9.0/24, version 96920463

        Paths: (41 available, best #33, table default)

        Not advertised to any peer

        Refresh Epoch 1

        3549 42 19281

        208.51.134.254 from 208.51.134.254 (67.17.81.150)

        Origin IGP, metric 2523, localpref 100, valid, external

        rx pathid: 0, tx pathid: 0

        Refresh Epoch 1

        ...

        Or rather more easily,

        https://bgp.he.net/ip/9.9.9.9

      2. IGnatius T Foobar

        Defining /32 routes isn’t exactly rocket science, however I’d expect that they defined something like a /28

        If they are announcing it from lots of different places around the world, likely in an anycast configuration, they would have to use 9.9.9.0/24

        Almost no networks allow anything smaller than a /24 in their BGP tables

      3. Anonymous Coward
        Anonymous Coward

        They need at least /24 for anycast purposes, as anything smaller than that can usually not be announced on the Internet.

        Traceroute sampling confirms. So they only "waste" a /24 and still have the option to include other anycast services on the same nodes within it.

    2. Anonymous Coward
      Anonymous Coward

      Er no, very heavily used. Like the whole of IBM

    3. 's water music

      filter/block out pr0nz and other unsavoury websites (kids at home)

      pi-hole is very easy to set up and configure and allows you to easily add black or whitelists to the automated filter lists though a web interface. Could be run on the main home PC if that is always-on or on a dedicated low power machine in the corner. I combine it with the free tier of opendns as the upstream dns service which also offers wider category blocking (which would probably suit your use-case) as well as limited black and white listing. Both have web reporting which allows you to tune it and see what is going on on the home network. Either can be used with or without the other

      1. James12345

        Smut Blocker

        Have you tried OpenDNS Family Shield? All you need to do is point your router to 208.67.222.123 and 208.67.220.123 for DNS.

        https://www.opendns.com/home-internet-security/#benefit-matrix

        1. Aodhhan

          Re: Smut Blocker

          OpenDNS is a service worth considering; however, if you read their terms of service (Paragraph 8 - User Data), you will see Cisco is collecting data on you. They don't stipulate any particular data... which means it can be anything, such as: behavior, habits and trends.

          It doesn't matter which ISP's DNS you use, you're going to notice their terms of service include a section(s) on user data (or similar) indicating they will be collecting information.

          1. Lord_Beavis
            Linux

            Re: Smut Blocker

            And that is why I run my own DNS server... They might can still track me but I'm not going to make it easy on them.

          2. Anonymous Coward
            Anonymous Coward

            Re: Smut Blocker

            Re: Smut Blocker

            OpenDNS is a service worth considering; however, if you read their terms of service (Paragraph 8 - User Data), you will see Cisco is collecting data on you. They don't stipulate any particular data... which means it can be anything, such as: behavior, habits and trends.

            It doesn't matter which ISP's DNS you use, you're going to notice their terms of service include a section(s) on user data (or similar) indicating they will be collecting information.

            Which is why you run your own DNS service, assuming you're also willing to pay for a fixed IP address. And also are willing to cache the root servers , etc ... which really isn't worth it unless you plan on running your own domain.

            OpenDNS is really set up for those who aren't willing to pay for doing it right. (You can use forwarders to do lookups from your ISP's servers too. )

            1. Anonymous Coward
              Anonymous Coward

              Re: Smut Blocker

              "Which is why you run your own DNS service, assuming you're also willing to pay for a fixed IP address."

              A DNS resolver doesn't require a fixed public IP address. An internal address behind dynamic address NAT will do.

              As for nomadic use, 127.0.0.1 is the way to go. The cache might consume as much as a few megabytes of RAM and slightly increase first-time resolution latency but is easily installed and practically maintenance-free.

              "And also are willing to cache the root servers , etc ... which really isn't worth it unless you plan on running your own domain."

              What does caching the root servers have to do with running your own domain? A (caching) resolver and an authoritative nameserver have quite distinct tasks and the latter doesn't require any cache or root servers.

            2. dvvdvv

              Re: Smut Blocker

              Addresses on 192.168.0.0/16 are free ;)

      2. FensMan

        Thanks - a useful reminder about pi-hole, https://pi-hole.net/

    4. Anonymous Coward
      Anonymous Coward

      pr0nz

      Opendns?

    5. Anonymous Coward
      Anonymous Coward

      "Great, if they now can add 9.9.8.8 to filter/block out pr0nz and other unsavoury websites (kids at home) then I'll take a shufty at it."

      This is supposedly only to block Malware. Not to make moral and / or legal judgement on suitability of content. There are plenty of solutions out there already from that including an optional filter that must be provided by law from your ISP!

    6. Anonymous Coward
      Anonymous Coward

      @ Anonymous South African Coward

      Great, if they now can add 9.9.8.8 to filter/block out pr0nz and other unsavoury websites (kids at home) then I'll take a shufty at it.

      I've found the simple DNS blocking doesn't work very well. By default it is switched on for my home broadband (1), and the all the mobile phone access points, but it provides only the most basic protection against casual and unintentional access to adult content. And if your kids actually want to access adult content, they'll quickly find the holes in a typical DNS based approach.

      If you're not fussed about the idea of somebody watching over your shoulder which is probably the case with this new DNS, or the idea that they have to make choices about what gets blocked, then Bluecoat K9 is a really very good shield to dodgy stuff, with very good configurability, and much better than just trying to change to a safe DNS. Free, easy to install, difficult to circumvent IME,

      Some "Free Speachers" hate K9, which should tell you that it works very well. Check that you're happy with all its default blocks (some appear to appeal to a rather puritanical view of the world), but that's easy enough.

      1. phuzz Silver badge
        Devil

        Re: @ Anonymous South African Coward

        "And if your kids actually want to access adult content, they'll quickly find the holes"

        And lo, a PFY is born unto us.

        1. 's water music
          Coat

          Re: @ Anonymous South African Coward

          "And if your kids actually want to access adult content, they'll quickly find the holes"

          I cannot help but picture Finnbar Saunders at this juncture

          1. Anonymous Coward
            Anonymous Coward

            Re: @ 's water music

            Fnarr Fnarr !!! :)

  4. choleric

    Silent single point of failure

    Just one DNS server IP address? Single point of failure.

    And the instructions tell you to simply add 9.9.9.9 to the list of DNS servers already configured on your device, albeit as the first entry. This configuration offers no warning in the case that 9.9.9.9 has been blocked and malicious sites are now being accessed.

    IPv6 is good to have, but again, only one, and sadly not as memorable. What about 2001:c001::a1d?

    1. sitta_europea Silver badge

      Re: Silent single point of failure

      [quote]

      Just one DNS server IP address? Single point of failure.

      [/quote]

      Bollocks.

      1. Voland's right hand Silver badge

        Re: Silent single point of failure

        Bollocks.

        Concur.

        I had 100+ machines answering single IPs when running DNS in an ISP 15+ years ago. Every single one of them was answering for primary authoritative, secondary authoritative, primary resolver and secondary resolver.

        I would not trust IBM in their current state to implement anycast correctly though.

    2. TechStar

      Re: Silent single point of failure

      It's an Anycast one-to-one-of-many address, not a singular server IP.

      https://en.wikipedia.org/wiki/Anycast

      Besides, if someone has sufficient access to your network routing to spoof the 9.9.9.9 address and replace it with their own server, then you have much bigger problems to deal with.

    3. A Non e-mouse Silver badge

      Re: Silent single point of failure

      Just one DNS server IP address? Single point of failure.

      Go and learn about Anycast.

      TL;DR, it allows you to run multiple servers across multiple locations all using the same IP address.

    4. iron Silver badge

      Re: Silent single point of failure

      RTFA

      Hint: "70 points of presence in 40 countries"

  5. Anonymous Coward
    Anonymous Coward

    No thanks.

    First, I want to know in which country they're running it, next I want to know who owns it and next I want to know who physically operates it, and see if this outfit allows a full audit by any party.

    If any of that list is not kosher or OK there is no chance I'll use it.

    Don't get me wrong, I like the idea and the aspirations, but I know law enforcement has a nasty tendency to justify what it likes as "for the public good" so they have to earn my trust.

    1. Anonymous Coward
      Anonymous Coward

      Re: No thanks.

      "First, I want to know in which country they're running it, next I want to know who owns it and next I want to know who physically operates it, and see if this outfit allows a full audit by any party."

      Can you answer those questions for your current DNS(s)?

      1. Zippy's Sausage Factory

        Re: No thanks.

        Can you answer those questions for your current DNS(s)?

        Can anyone, unless you pay money for a DNS service?

        (And yes, there are some around, I believe.)

      2. Anonymous Coward
        Anonymous Coward

        Re: No thanks.

        Can you answer those questions for your current DNS(s)?

        Yes, for the exact reasons outlined. When we protect stuff, we don't just look at the top layer of the stack, we go all the way down if we find that necessary.

      3. Anonymous Coward
        Anonymous Coward

        Re: No thanks.

        I can. Because it's run on that old PC in my den.

  6. Anonymous Coward
    Anonymous Coward

    El Reg in the crapper

    "turns URIs into IP addresses"

    No, it doesn't.

    1. Nick Ryan Silver badge

      Re: El Reg in the crapper

      True, but "resolves the domain component of a URI to zero or more IP addresses" is a little less snappy.

      1. Anonymous Coward
        Anonymous Coward

        Re: El Reg in the crapper

        Or just "Resolves the Host to an IP address(es)"

    2. Warm Braw

      Re: El Reg in the crapper

      No, it doesn't

      Agreed. But it is a layer violation...

    3. Anonymous Coward
      Anonymous Coward

      Re: El Reg in the crapper

      The data is pushed through pipes to the third world where people working there have a list of all the addresses and memorise them. When they receive a request they shout it out and get told the address that they then feed back into the pipe thus allowing you to get to the webpage you requested.

      Regards,

      Stephen Fry.

  7. Anonymous Coward
    Anonymous Coward

    partner feed

    << ..including Proofpoint..

    Really? Proofpoint have been listing some of my legit ips since 2010 and they never reply to my multiple complaints. A service like that is only as good as their delisting service :)

  8. WibbleMe

    So is this going to be a force for good or just another Block you serve Mafia pretending to be an anti spam service, just because you do not pay for an office or gmail service.

    1. Anonymous Coward
  9. WibbleMe

    How to change your black ops servers IP address to Google.com or ibm.com "nano /etc/hosts" and apply new IP

    1. Anonymous Coward
    2. Ben Tasker

      Well, yes, if you configure your malware (or the host system) not to use DNS, then obviously a DNS service (however good) isn't going to offer any protection to the users/victims.

      On the other hand, you throw away a lot of flexibility for yourself, as you're no longer so easily able to periodically rotate the C&C address to evade detection (and circumvent blocking). There's a good reason why malware tends to use domain names and not simply have a hardcoded IP in there - editing /etc/hosts is essentially the same as hardcoding the IP into the payload.

      1. Sir Runcible Spoon

        How about modifying the hosts file with cnames rather than A records?

        1. Anonymous South African Coward Bronze badge

          Nope, just nope. Too much of a kludge using your HOSTS file with cnames...

          One PC - well, maybe. But two, three, or more, just no.

          1. Chris King

            People treat CNAMEs like "magic glue" - and some of the kludges I've seen implemented with CNAMEs over the years make me wonder if they've been sniffing rather too much of it.

            1. Sir Runcible Spoon

              I was referring to the potential use of cnames by the malware itself, which would create a wack-a-mole scenario for Q9 type services where they would struggle to keep up I'm sure, especially if the domains were procedurally generated somehow.

      2. Chris King

        "Well, yes, if you configure your malware (or the host system) not to use DNS, then obviously a DNS service (however good) isn't going to offer any protection to the users/victims."

        Some malware changes DNS settings, to point to resolvers under the control of the malware author. That way, they can create false zones for whatever sites they want to impersonate.

        Lots of folks still allow unrestricted DNS outbound to any host, but locking it down to

        (a) Outbound Queries FROM your local resolvers only, and

        (b) (optionally) Outbound Queries FROM local systems TO specific "known-good" [1] DNS services (e.g. Google, OpenDNS, your ISP's servers etc)

        usually cripples such malware. (It also breaks your connectivity because you can't resolve anything else, so your support folks need to be aware of this)

        Allowing (b) can be a pain if you have split-horizon DNS in your organisation though.

        Some sites with their own anti-malware DNS protection (RPZ feeds, forwarding to commercial DNS provider) etc have gone as far as forcing *all* DNS traffic through their own resolvers to enforce local security policy. (You want to talk to 8.8.8.8 or 9.9.9.9, but you get redirected to their local resolvers instead)

        [1] "Known-good" in this case meaning "We know who's running them and we don't consider them to be a risk", rather than any moral considerations. YMMV.

  10. Ben Tasker

    It claimed users wouldn't suffer a performance penalty for using the service, but added it plans to double the Quad9 PoPs over the next 18 months.

    They're both right and wrong.

    You won't suffer a performance penalty on your DNS lookups, they'll come back nice and quickly.

    But, the service doesn't support the EDNS Client_Subnet extension, so most CDN's will wind up geo-locating you to wherever the resolver you've hit is located. If it's a US DNS server that answer's your query, you'll get a CDN cache in the US even if you're the other side of the ocean.

    IMO, it's a pretty big feature to be launching without on today's internet, and it's likely going to cause various CDN's lots of tickets from users/operators claiming that delivery is slow and they're being routed to machines in the wrong country.

    The lack fo EDNS is deliberate - to preserve the user's privacy (so that they're not spurting your source subnet out to each authoritative nameserver you require records from). On the other hand, that "privacy" pretty much vanishes the second you use the received records to establish a connection to their servers, so *shrug*.

    Definitely nice to see a new competitor to OpenDNS/Google pop-up, but I'm not going to be using them until they've got working ECS support in place. It's claimed that 9.9.9.10 does support ECS, but a packet capture on my authoritative servers suggests that either this isn't the case, or their using a whitelist of authoritative nameservers (which I'm not on).

  11. TrumpSlurp the Troll

    IoT?

    I assume the home user would have to reconfigure the home router to use 9.9.9.9 as first in the list.

    Nice idea. Wonder what the real world take up will be?

    1. Khaptain Silver badge

      Re: IoT?

      "I assume the home user would have to reconfigure the home router to use 9.9.9.9 as first in the list."

      A lot of the home routeurs, or at least those supplied by the ISPs have removed the possibility of changing the routers DNS, they force you to point to their own DNS servers. But, luckily it doesn't stop you from specifying your the DNS on your PC/devices..

      1. Sir Runcible Spoon

        Re: IoT?

        Really? I've never come across a (supplied) router yet that doesn't allow me to modify the DNS settings.

        1. TonyJ

          Re: IoT?

          "...Really? I've never come across a (supplied) router yet that doesn't allow me to modify the DNS settings..."

          BT Business Hub 3 never used to let you. PoS device all round.

        2. Boothy

          Re: IoT?

          Sky broadband (UK) also don't allow changing of the DNS settings within their routers, it's hard coded to their own DNS servers.

          Last time I checked, Sky had ~25% of the UK market, with only BT (including EE and plusnet) being bigger.

          1. Nick Ryan Silver badge

            Re: IoT?

            Pretty sure that BT and/or Sky routers also get narky if you configure a DNS other than the ISP's own DNS on a system.

            While I can appreciate that they may have done this for security reasons - as in to help prevent hijacking of systems used by the majority of Internet users who really don't care and shouldn't have to care about such things, I'd rather have the option thank you.

        3. Khaptain Silver badge

          Re: IoT?

          The large majority here in France no longer allow any modifications to the (supplied) routers either.. It's annoying because the routers here are actually quite complete and offer a lot of other options as standard, NAT/PAT,DDNS, reasonable Firewall rules etc.

        4. Dan 55 Silver badge

          Re: IoT?

          Spanish fibre routers usually don't allow you to modify DNS either.

      2. JohnFen

        Re: IoT?

        "A lot of the home routeurs, or at least those supplied by the ISPs have removed the possibility of changing the routers DNS"

        I've never seen this, personally, but it seems like a trivial thing to fix -- just use a different router.

        1. Anonymous Coward
          Anonymous Coward

          Re: IoT?

          JohnFen,

          Many ISP's mandate what router you can use and will not support 'other' routers.

          i.e. you have a problem and the nice CS person says "Not Supported router .... therefore not our problem. Have a Nice Day."

          Been there and bought the Tee-shirt. !!!

          Hence the old 'Openreach Shuffle' where you swap the Supplied Openreach Modem/Router back when there is a problem or an OR Engineer visits :)

          Same mentality is responsible for 'locked down' firmware being installed to protect the ISP from customers who may be too clever/stupid [Select One] !!! :)

          1. JohnFen

            Re: IoT?

            "Many ISP's mandate what router you can use and will not support 'other' routers."

            I don't see how that affects anything. If the ISP requires a specific router, then use that. But what's stopping you from hooking up a second router that is the only device talking to the ISP's router? Then you use that router for your LAN rather than the ISP's. You can use whatever DNS server you like that way.

            1. Nick Ryan Silver badge

              Re: IoT?

              I don't see how that affects anything. If the ISP requires a specific router, then use that. But what's stopping you from hooking up a second router that is the only device talking to the ISP's router? Then you use that router for your LAN rather than the ISP's. You can use whatever DNS server you like that way.

              Unfortunately that doesn't really solve anything. The DNS requests will still go through the ISP router and be blocked or redirect there. DNS is easy to detect on a network as it's just a case of monitoring TCP/UDP port 53 and if the destination address isn't the one that the ISP wants you to use then the packet can be rerouted or dropped. Secure DNS extensions will make rewriting the packet (diverting it) pretty much a no-go however they can still be dropped.

              1. TheVogon

                Re: IoT?

                "Unfortunately that doesn't really solve anything. The DNS requests will still go through the ISP router and be blocked or redirect there. "

                Simply not true. Using your own router after the ISP one does allow you to control DNS resolvers, and you could use DNSSEC to prevent tampering if you had any remaining concerns.

  12. Panicnow

    Flavoured DNS

    At last! been going on about this since I set up Internet Watch Foundation, Better, would be a wide range of DNS resolvers with different selection criteria. Then one could select one appropriate for the situation. A Kosher one, a Halal one, a Left wing one, a Right wing one....

    Watch out for the first Sueball where businesses or users complain about type A or type B errors.

    I give it 3 month

    The legal dodge is to offer multiple edited DNS that make few claims, other than "they are the choice of the editor in relation to various factors"

  13. SniperPenguin

    Lets be honest here, what will basically happen is the following:

    Is it a test network / Home Lab with no self-installed DNS service or daemon / running on a flaky ISP / for use in failover / IoT device you want nowhere near your own network?

    If Yes, then:

    Primary DNS : 9.9.9.9

    Secondary DNS : 8.8.8.8

  14. Daniel Hall
    Meh

    Consufed

    From - https://www.opendns.com/home-internet-security/#benefit-matrix

    "Our DNS nameservers are always:"

    So... Our domain name server name servers are always"?

    err..

    1. Sandtitz Silver badge
      FAIL

      Re: Consufed @Daniel Hall

      "Our DNS nameservers are always:

      208.67.222.222

      208.67.220.220"

      Perhaps you're just consufed and either didn't scroll one line further. Or you have some weirdo adblocking shit going on.

      1. Sir Runcible Spoon

        Re: Consufed @Daniel Hall

        DNS can also mean Domain Name Services, as well as Domain Name Servers.

        So the sentence could read "Our domain name service nameservers", which is fine really.

        'DNS Servers' iteration questions died from boredom at least 20 years ago.

  15. This post has been deleted by its author

  16. Christian Berger

    One should note that running DNS resolvers is rather cheap

    So I wouldn't rule out that this all comes out of the marketing budget, or in fact even the education budget as running a DNS resolver is so easy it's a rather ideal task for someone who wants to get started with running their own servers.

    1. dirkjumpertz
      Boffin

      Re: One should note that running DNS resolvers is rather cheap

      Running resolver domain name services is not that cheap anymore and has become a tad more complex than 15 years ago.

      15 years ago it sufficed to have a medium sized box, gig ethernet, some Linux distro and bind (or whatever is your fancy) and off you went. Monitor memory and disk space and that was it.

      Today we're talking about DNSSEC and preventive measures to protect your DN server to become part of a DDOS amplification attack. Preferably you go the ANYCAST way and that is anything but cheap nor simple.

      So NO, running a resolver for mass consumption is NOT cheap nor EASY.

  17. Anonymous Coward
    Facepalm

    Forty billion evil sites?

    "Those checks protect agains landing on any of the 40 billion evil sites and images X-Force has found to be dangerous" only if you're browsing under Microsoft Windows.

  18. Anonymous Coward
    Big Brother

    All your DNS queries are belong to us

    Probably just a proxy for the NCSC DNS - https://www.ncsc.gov.uk/information/uk-public-sector-dns-service

  19. unwarranted triumphalism

    'no snooping on your requests'

    It's certainly an interesting experience being insulted so blatantly.

    Anyone believing this lunatic proposal is an idiot and anyone not blocking that IP address at the perimeter deserves to be pwned.

    1. teknopaul

      Re: 'no snooping on your requests'

      I'm with you, its amazing how little respect the peeps on this forum have for the old bill.

      Police run DNS, the only positive thing I can see coming out of this is a whisleblower leaking stats on police use of banned p0rn n wareZ sites. Noone other than the police are going to use this.

      Until they make it obligatory.

      1. Anonymous Coward
        Anonymous Coward

        Re: 'no snooping on your requests'

        "its amazing how little respect the peeps on this forum have for the old bill"

        Respect has to be earned, and the police have repeatedly proven untrustworthy.

  20. TheRealRoland

    >2620:fe::fe (the PCH public resolver)

    FE FE?

    CovFE FE ?

    Hm...

  21. EnviableOne

    hmm...

    9.9.9.9 > 8.8.8.8 > 4.2.2.2 ?

    now who's playing oneupmanship?

    soon apple will launch 17.17.17.17 followed by DXC on 20.20.20.20 and AT&T on 32.32.32.32 untill daimler drop 53.53.53.53 FTW

  22. IGnatius T Foobar
    Megaphone

    10.10.10.10 security problem

    So we've got 8.8.8.8 for Google DNS and 9.9.9.9 for Quad9 secure.

    I'm more concerned with 10.10.10.10 ... somehow, this service has access to my home network.

    1. captain_solo

      Re: 10.10.10.10 security problem

      And routing appears to be broken on it too!

  23. Anonymous Coward
    Anonymous Coward

    The organisation promised that records of user lookups would not be put out to pasture in data farms

    Until they do...

  24. NonSSL-Login

    City of London Police and Piracy

    The City of London police are well known as being corporate police for the media cartels. I'm assuming piracy sites and any site that upsets Hollywood will be blocked by this service at some point. In fact it wouldn't surprise me if this was one of the main reasons for it but the cyber crime and nasties angle tacked on to sell the service and get it used.

  25. Anonymous Coward
    Anonymous Coward

    Testing X-Force

    This is interesting as I want to test some DNS-client software and checking for malware host.

    I suppose there is a list of malware domain I can use to test against? I found little info at the IBM site.

  26. dirkjumpertz
    Meh

    what's the answer when looking for something is a threat

    I tried some queries on Domain Names that are DGA - quite interesting. Querying for google.com and other well knows DNs makes little sense IMHO if you want to have an impression of the quality of the service.

    If the DN is considered problematic, it returns NXDOMAIN and omits the AUTHORITY section.

    Here are some examples, enjoy - queried against 8.8.8.8 and 9.9.9.9

    ; <<>> DiG 9.10.6 <<>> NS drohppbkxj.com @8.8.8.8 +multi

    ;; global options: +cmd

    ;; Got answer:

    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61557

    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:

    ; EDNS: version: 0, flags:; udp: 512

    ;; QUESTION SECTION:

    ;drohppbkxj.com. IN NS

    ;; AUTHORITY SECTION:

    com. 872 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. (

    1536574009 ; serial

    1800 ; refresh (30 minutes)

    900 ; retry (15 minutes)

    604800 ; expire (1 week)

    86400 ; minimum (1 day)

    )

    ;; Query time: 19 msec

    ;; SERVER: 8.8.8.8#53(8.8.8.8)

    ;; WHEN: Mon Sep 10 12:07:41 CEST 2018

    ;; MSG SIZE rcvd: 116

    ----------------------------------------------------------------------------------------

    ; <<>> DiG 9.10.6 <<>> NS drohppbkxj.com @9.9.9.9 +multi

    ;; global options: +cmd

    ;; Got answer:

    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47957

    ;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:

    ; EDNS: version: 0, flags:; udp: 4096

    ;; QUESTION SECTION:

    ;drohppbkxj.com. IN NS

    ;; Query time: 17 msec

    ;; SERVER: 9.9.9.9#53(9.9.9.9)

    ;; WHEN: Mon Sep 10 12:07:53 CEST 2018

    ;; MSG SIZE rcvd: 43

    ----------------------------------------------------------------------------------------

    ----------------------------------------------------------------------------------------

    ; <<>> DiG 9.10.6 <<>> NS ngdvmtwodjjuovsnfj.ru @8.8.8.8 +multi

    ;; global options: +cmd

    ;; Got answer:

    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51420

    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:

    ; EDNS: version: 0, flags:; udp: 512

    ;; QUESTION SECTION:

    ;ngdvmtwodjjuovsnfj.ru. IN NS

    ;; AUTHORITY SECTION:

    ru. 1799 IN SOA a.dns.ripn.net. hostmaster.ripn.net. (

    4035250 ; serial

    86400 ; refresh (1 day)

    14400 ; retry (4 hours)

    2592000 ; expire (4 weeks 2 days)

    3600 ; minimum (1 hour)

    )

    ;; Query time: 69 msec

    ;; SERVER: 8.8.8.8#53(8.8.8.8)

    ;; WHEN: Mon Sep 10 12:08:45 CEST 2018

    ;; MSG SIZE rcvd: 111

    ----------------------------------------------------------------------------------------

    ; <<>> DiG 9.10.6 <<>> NS ngdvmtwodjjuovsnfj.ru @9.9.9.9 +multi

    ;; global options: +cmd

    ;; Got answer:

    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27399

    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:

    ; EDNS: version: 0, flags:; udp: 4096

    ;; QUESTION SECTION:

    ;ngdvmtwodjjuovsnfj.ru. IN NS

    ;; AUTHORITY SECTION:

    ru. 1113 IN SOA a.dns.ripn.net. hostmaster.ripn.net. (

    4035250 ; serial

    86400 ; refresh (1 day)

    14400 ; retry (4 hours)

    2592000 ; expire (4 weeks 2 days)

    3600 ; minimum (1 hour)

    )

    ;; Query time: 15 msec

    ;; SERVER: 9.9.9.9#53(9.9.9.9)

    ;; WHEN: Mon Sep 10 12:09:04 CEST 2018

    ;; MSG SIZE rcvd: 111

    ----------------------------------------------------------------------------------------

    ----------------------------------------------------------------------------------------

    ; <<>> DiG 9.10.6 <<>> NS e70ae5a2.eu @8.8.8.8 +multi

    ;; global options: +cmd

    ;; Got answer:

    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21315

    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:

    ; EDNS: version: 0, flags:; udp: 512

    ;; QUESTION SECTION:

    ;e70ae5a2.eu. IN NS

    ;; ANSWER SECTION:

    e70ae5a2.eu. 299 IN NS ns1.honeybot.us.

    e70ae5a2.eu. 299 IN NS ns2.honeybot.us.

    ;; Query time: 135 msec

    ;; SERVER: 8.8.8.8#53(8.8.8.8)

    ;; WHEN: Mon Sep 10 12:12:21 CEST 2018

    ;; MSG SIZE rcvd: 87

    ----------------------------------------------------------------------------------------

    ; <<>> DiG 9.10.6 <<>> NS e70ae5a2.eu @9.9.9.9 +multi

    ;; global options: +cmd

    ;; Got answer:

    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41743

    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:

    ; EDNS: version: 0, flags:; udp: 4096

    ;; QUESTION SECTION:

    ;e70ae5a2.eu. IN NS

    ;; ANSWER SECTION:

    e70ae5a2.eu. 300 IN NS ns1.honeybot.us.

    e70ae5a2.eu. 300 IN NS ns2.honeybot.us.

    ;; Query time: 118 msec

    ;; SERVER: 9.9.9.9#53(9.9.9.9)

    ;; WHEN: Mon Sep 10 12:12:44 CEST 2018

    ;; MSG SIZE rcvd: 87

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like