New free public DNS service blocks malicious domains

Posted: Thu Nov 16, 2017 11:56 pm
by barbaz
https://www.quad9.net/

Sounds like a great way to enhance security of a single computer or an entire network. Especially if the network has devices that can't use tools like NoScript.

Quad 9 DNS whitelisting server

Posted: Fri Nov 17, 2017 6:53 am
by morganism
Looks like a good service, and less lookup than OpenDNS?

https://www.quad9.net/#/faq

"The service, he says, will be "privacy sensitive," with no logging of the addresses making DNS requests—"we will keep only [rough] geolocation data," he said, for the purposes of tracking the spread of requests associated with particular malicious domains. "We're anonymizing the data, sacrificing on the side of privacy."

Will Quad9 filter content?

No. Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains."

How will Quad9 prevent the accidental blocking of legitimate domains?

Quad9 implements whitelisting algorithms to make sure legitimate domains are not blocked by accident. However, in the rare case of blocking a legitimate domain, Quad9 works with the users to quickly whitelist that domain."

Re: New free public DNS service blocks malicious domains

Posted: Fri Nov 17, 2017 2:41 pm
by barbaz
Threads merged.

Re: New free public DNS service blocks malicious domains

Posted: Fri Nov 17, 2017 3:18 pm
by yes_noscript
Crap.
USA service with untrusted sponsors and a way to sniff all logs.

Don't use this!

Re: New free public DNS service blocks malicious domains

Posted: Fri Nov 17, 2017 3:24 pm
by barbaz
yes_noscript wrote: with untrusted sponsors
Can you please expand on this?
yes_noscript wrote: a way to sniff all logs.
All DNS providers have "a way to sniff all logs", no?

Haven't we been over this before? - https://forums.informaction.com/viewtop ... 839#p80839

Re: New free public DNS service blocks malicious domains

Posted: Sat Nov 18, 2017 6:32 pm
by yes_noscript
Let's start.
USA lost DNS "Highness" and provide a free DNS service for public.

Sponsors are London & New York police, IBM (which isn't good too) and others

Yeah, DNS providers can log but on Quad9 front page they say "Quad9 is a free, recursive, anycast DNS platform that provides end users robust security protections, high-performance, and privacy."
But look at https://quad9.net/#/policy:
What Information Do We Collect?
Temporary Logs
# The temporary logs store the full IP address of the machine you are using

Permanent Logs
We do keep some location information (at the city/metro level)
Request domain name, e.g. www.globalcyberalliance.org
Record type of requested domain, e.g. A (which stands for IPv4 record), AAAA (IPv6 record), NS, MX, TXT, etc.
Transport protocol on which the request arrived, i.e. TCP, UDP, or HTTPS
Client’s AS (autonomous system or ISP), e.g. AS1111
User’s geolocation information: i.e. geocode, region ID, city ID, and metro code, type of IP address.
Response code sent, e.g. SUCCESS, SERVFAIL, NXDOMAIN, etc.
Absolute arrival time in seconds
Name of the machine that processed this request, e.g. quad9dns001
Quad9 target IP to which this request was addressed, e.g. one of our anycast IP addresses (no relation to the user’s IP)

They store your whole behavior
Not very private, is it?

Re: New free public DNS service blocks malicious domains

Posted: Sat Nov 18, 2017 6:58 pm
by barbaz
Thanks yes_noscript for clarifying about the logging. :)
yes_noscript wrote:USA lost DNS "Highness" and provide a free DNS service for public.

Sponsors are London & New York police, IBM (which isn't good too) and others
Sorry but I still don't understand why these groups are untrusted?
Also where did you see that London & New York police are sponsors?

Re: New free public DNS service blocks malicious domains

Posted: Sat Nov 18, 2017 8:13 pm
by yes_noscript
barbaz wrote:Also where did you see that London & New York police are sponsors?
At German heise forum
Maybe because the info at bottom: https://www.globalcyberalliance.org/
And at the forum I read IBM works with NSA

But even if that with the police isn't true, I wouldn't trust that DNS provider. It's USA based and that's definitively NSA

Re: New free public DNS service blocks malicious domains

Posted: Sat Nov 18, 2017 8:41 pm
by barbaz
Thanks yes_noscript,
yes_noscript wrote: But even if that with the police isn't true,
FWIW - https://www.globalcyberalliance.org/about.html#history

Re: New free public DNS service blocks malicious domains

Posted: Thu Jan 18, 2018 12:03 am
by morganism
ugh, you guys were right.

Here is a DNS lookup over HTTPS that may help

https://github.com/curl/curl/wiki/DNS-over-HTTPS

Do DNS resolves over HTTPS for privacy, performance and security. Also makes it easier to use a name server of your choice instead of the one configured for your system.
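
Added illustration (not part of any post in this thread, and not curl's code): how a DNS-over-HTTPS GET request is formed under RFC 8484, and what the resolver recovers from it. HTTPS hides the query from on-path observers, but the resolver operator still sees the full name and record type. The endpoint `https://doh.example/dns-query` is a hypothetical placeholder.

```python
import base64
import struct

# Hypothetical DoH endpoint (placeholder, not taken from the thread).
DOH_URL = "https://doh.example/dns-query"

QTYPES = {"A": 1, "NS": 2, "MX": 15, "TXT": 16, "AAAA": 28}


def encode_name(name):
    """Encode a hostname as DNS wire-format labels (length byte + bytes)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A"):
    """Build a one-question DNS query in wire format."""
    # ID=0 (RFC 8484 suggests 0 so HTTP caches can match), flags: RD=1,
    # QDCOUNT=1, all other counts 0.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)
    return header + question


def doh_get_url(name, qtype="A", base=DOH_URL):
    """RFC 8484 GET form: ?dns=<base64url of the message, padding stripped>."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return base + "?dns=" + b64.decode("ascii")


def decode_question(url):
    """What the resolver sees after TLS terminates: (name, record type)."""
    b64 = url.split("?dns=", 1)[1]
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    pos, labels = 12, []          # question section starts after 12-byte header
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels), qtype
```

A real client sends this URL with the header `Accept: application/dns-message` and parses the binary DNS response from the HTTP body.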

Re: New free public DNS service blocks malicious domains

Posted: Fri Apr 15, 2022 4:49 pm
by barbaz
Bringing this back up because I was alerted in viewtopic.php?p=105527#p105527 that a lot has changed about Quad9 since the above posts were written:

- If I'm reading Quad9's current service privacy policy correctly, they no longer log all the detailed data they used to as noted above. Now, they only log very aggregate counts of only some of those things, without ever storing any details.

- Regarding Global Cyber Alliance + IBM, AFAICT Quad9 no longer "is" those groups. Now those organizations are only sponsors. This is who Quad9 is now - https://www.quad9.net/about/foundation-council/

- Regarding "USA based", Quad9 is legally moving from USA to Switzerland, for purpose of putting themselves under legal enforcement of GDPR - https://www.quad9.net/news/blog/quad9-p ... rotection/

I'm re-evaluating my whole DNS filtering setup and wondering again about Quad9, now that they seem to no longer have the logging policy that put me off using it before. Any reason not to use Quad9 in 2022?