New free public DNS service blocks malicious domains

barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

New free public DNS service blocks malicious domains

Post by barbaz »

https://www.quad9.net/

Sounds like a great way to enhance security of a single computer or an entire network. Especially if the network has devices that can't use tools like NoScript.
*Always* check the changelogs BEFORE updating that important software!
-
morganism
Senior Member
Posts: 134
Joined: Tue Nov 26, 2013 9:44 pm

Quad 9 DNS whitelisting server

Post by morganism »

Looks like a good service, and less lookup than OpenDNS?

https://www.quad9.net/#/faq

"The service, he says, will be "privacy sensitive," with no logging of the addresses making DNS requests—"we will keep only [rough] geolocation data," he said, for the purposes of tracking the spread of requests associated with particular malicious domains. "We're anonymizing the data, sacrificing on the side of privacy."

Will Quad9 filter content?

No. Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains."

How will Quad9 prevent the accidental blocking of legitimate domains?

Quad9 implements whitelisting algorithms to make sure legitimate domains are not blocked by accident. However, in the rare case of blocking a legitimate domain, Quad9 works with the users to quickly whitelist that domain."
barbaz

Re: New free public DNS service blocks malicious domains

Post by barbaz »

Threads merged.
-
yes_noscript

Re: New free public DNS service blocks malicious domains

Post by yes_noscript »

Crap.
USA service with untrusted sponsors and a way to sniff all logs.

Don't use this!
barbaz

Re: New free public DNS service blocks malicious domains

Post by barbaz »

yes_noscript wrote: "with untrusted sponsors"
Can you please expand on this?
yes_noscript wrote: "a way to sniff all logs."
All DNS providers have "a way to sniff all logs", no?

Haven't we been over this before? - https://forums.informaction.com/viewtop ... 839#p80839
-
yes_noscript

Re: New free public DNS service blocks malicious domains

Post by yes_noscript »

Let's start.
USA lost DNS "Highness" and provide a free DNS service for public.

Sponsors are London & New York police, IBM (which isn't good too) and others.

Yeah, DNS providers can log but on Quad9 front page they say "Quad9 is a free, recursive, anycast DNS platform that provides end users robust security protections, high-performance, and privacy."
But look at https://quad9.net/#/policy:

What Information Do We Collect?

Temporary Logs
- The temporary logs store the full IP address of the machine you are using

Permanent Logs
- We do keep some location information (at the city/metro level)
- Request domain name, e.g. www.globalcyberalliance.org
- Record type of requested domain, e.g. A (which stands for IPv4 record), AAAA (IPv6 record), NS, MX, TXT, etc.
- Transport protocol on which the request arrived, i.e. TCP, UDP, or HTTPS
- Client’s AS (autonomous system or ISP), e.g. AS1111
- User’s geolocation information: i.e. geocode, region ID, city ID, and metro code, type of IP address.
- Response code sent, e.g. SUCCESS, SERVFAIL, NXDOMAIN, etc.
- Absolute arrival time in seconds
- Name of the machine that processed this request, e.g. quad9dns001
- Quad9 target IP to which this request was addressed, e.g. one of our anycast IP addresses (no relation to the user’s IP)

They store your whole behavior.
Not very private, is it?
barbaz

Re: New free public DNS service blocks malicious domains

Post by barbaz »

Thanks yes_noscript for clarifying about the logging. :)
yes_noscript wrote: "USA lost DNS "Highness" and provide a free DNS service for public. Sponsors are London & New York police, IBM (which isn't good too) and others"
Sorry but I still don't understand why these groups are untrusted?
Also where did you see that London & New York police are sponsors?
-
yes_noscript

Re: New free public DNS service blocks malicious domains

Post by yes_noscript »

barbaz wrote: "Also where did you see that London & New York police are sponsors?"
At German heise forum.
Maybe because the info at bottom: https://www.globalcyberalliance.org/
And at the forum I read IBM works with NSA.

But even if that with the police isn't true, I wouldn't trust that DNS provider. It's USA based and that's definitively NSA.
barbaz

Re: New free public DNS service blocks malicious domains

Post by barbaz »

Thanks yes_noscript,
yes_noscript wrote: "But even if that with the police isn't true,"
FWIW - https://www.globalcyberalliance.org/about.html#history
-
morganism

Re: New free public DNS service blocks malicious domains

Post by morganism »

Ugh, you guys were right.

Here is a DNS lookup over HTTPS that may help

https://github.com/curl/curl/wiki/DNS-over-HTTPS

Do DNS resolves over HTTPS for privacy, performance and security. Also makes it easier to use a name server of your choice instead of the one configured for your system.
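What the DNS-over-HTTPS lookup linked in the post above puts on the wire, as an added example that is not part of the original post or of curl: it builds the RFC 8484 GET URL for a query and decodes the response code and A records. The endpoint `https://doh.example/dns-query` and both sample responses are constructed placeholders.

```python
import base64
import struct
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1):
    """Wire-format DNS query (qtype 1 = A); RFC 8484 advises ID 0 for cacheable GETs."""
    labels = name.rstrip(".").encode("ascii").split(b".")
    if any(not 0 < len(label) <= 63 for label in labels):
        raise ValueError("each label must be 1..63 bytes")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID 0, RD set, 1 question
    return header + qname + struct.pack("!HH", qtype, 1)     # class IN

def doh_get_url(endpoint, name):
    """RFC 8484 GET form: ?dns=<base64url of the message, '=' padding removed>."""
    encoded = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=")
    return endpoint + "?dns=" + encoded.decode("ascii")

def skip_name(msg, pos):  # offset just past a possibly compressed domain name
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return pos + 2
        if length == 0:             # root label ends the name
            return pos + 1
        pos += 1 + length

def parse_response(msg):
    """Return (rcode name, IPv4 answers) from an application/dns-message body."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4            # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:            # A record
            addrs.append(".".join(map(str, msg[pos + 10:pos + 14])))
        pos += 10 + rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), addrs

# Constructed sample responses (not captured traffic) for www.example.com.
QUESTION = build_query("www.example.com")[12:]
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 0, 0) + QUESTION
SAMPLE_ANSWER = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + QUESTION + b"\xc0\x0c"
                 + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
```

HTTPS hides the query from the network path, but the resolver still receives the full domain name inside the `dns` parameter, so its logging policy matters exactly as it does for plain DNS.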
barbaz

Re: New free public DNS service blocks malicious domains

Post by barbaz »

Bringing this back up because I was alerted in viewtopic.php?p=105527#p105527 that a lot has changed about Quad9 since the above posts were written:

- If I'm reading Quad9's current service privacy policy correctly, they no longer log all the detailed data they used to as noted above. Now, they only log very aggregate counts of only some of those things, without ever storing any details.

- Regarding Global Cyber Alliance + IBM, AFAICT Quad9 no longer "is" those groups. Now those organizations are only sponsors. This is who Quad9 is now - https://www.quad9.net/about/foundation-council/

- Regarding "USA based", Quad9 is legally moving from USA to Switzerland, for purpose of putting themselves under legal enforcement of GDPR - https://www.quad9.net/news/blog/quad9-p ... rotection/

I'm re-evaluating my whole DNS filtering setup and wondering again about Quad9, now that they seem to no longer have the logging policy that put me off using it before. Any reason not to use Quad9 in 2022?
-