New free public DNS service blocks malicious domains

barbaz
Senior Member
Posts: 8907
Joined: Sat Aug 03, 2013 5:45 pm

New free public DNS service blocks malicious domains

Post by barbaz » Thu Nov 16, 2017 11:56 pm

https://www.quad9.net/

Sounds like a great way to enhance security of a single computer or an entire network. Especially if the network has devices that can't use tools like NoScript.
*Always* check the changelogs BEFORE updating that important software!
-

morganism
Senior Member
Posts: 115
Joined: Tue Nov 26, 2013 9:44 pm

Quad 9 DNS whitelisting server

Post by morganism » Fri Nov 17, 2017 6:53 am

Looks like a good service, and less lookup than OpenDNS?

https://www.quad9.net/#/faq

"The service, he says, will be "privacy sensitive," with no logging of the addresses making DNS requests—"we will keep only [rough] geolocation data," he said, for the purposes of tracking the spread of requests associated with particular malicious domains. "We're anonymizing the data, sacrificing on the side of privacy."

Will Quad9 filter content?

No. Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains."

How will Quad9 prevent the accidental blocking of legitimate domains?

Quad9 implements whitelisting algorithms to make sure legitimate domains are not blocked by accident. However, in the rare case of blocking a legitimate domain, Quad9 works with the users to quickly whitelist that domain."

Re: New free public DNS service blocks malicious domains

Post by barbaz » Fri Nov 17, 2017 2:41 pm

Threads merged.

yes_noscript

Re: New free public DNS service blocks malicious domains

Post by yes_noscript » Fri Nov 17, 2017 3:18 pm

Crap.
USA service with untrusted sponsors and a way to sniff all logs.

Don't use this!

Re: New free public DNS service blocks malicious domains

Post by barbaz » Fri Nov 17, 2017 3:24 pm

yes_noscript wrote:with untrusted sponsors
Can you please expand on this?
yes_noscript wrote: a way to sniff all logs.
All DNS providers have "a way to sniff all logs", no?

Haven't we been over this before? - https://forums.informaction.com/viewtop ... 839#p80839

yes_noscript

Re: New free public DNS service blocks malicious domains

Post by yes_noscript » Sat Nov 18, 2017 6:32 pm

Let's start.
USA lost DNS "Highness" and provide a free DNS service for public.

Sponsors are London & New York police, IBM (which isn't good too) and others

Yeah, DNS providers can log but on Quad9 front page they say "Quad9 is a free, recursive, anycast DNS platform that provides end users robust security protections, high-performance, and privacy."
But look at https://quad9.net/#/policy:
What Information Do We Collect?
Temporary Logs
# The temporary logs store the full IP address of the machine you are using

Permanent Logs
We do keep some location information (at the city/metro level)
Request domain name, e.g. www.globalcyberalliance.org
Record type of requested domain, e.g. A (which stands for IPv4 record), AAAA (IPv6 record), NS, MX, TXT, etc.
Transport protocol on which the request arrived, i.e. TCP, UDP, or HTTPS
Client’s AS (autonomous system or ISP), e.g. AS1111
User’s geolocation information: i.e. geocode, region ID, city ID, and metro code, type of IP address.
Response code sent, e.g. SUCCESS, SERVFAIL, NXDOMAIN, etc.
Absolute arrival time in seconds
Name of the machine that processed this request, e.g. quad9dns001
Quad9 target IP to which this request was addressed, e.g. one of our anycast IP addresses (no relation to the user’s IP)

They store your whole behavior.
Not very privacy, isn't it?

Re: New free public DNS service blocks malicious domains

Post by barbaz » Sat Nov 18, 2017 6:58 pm

Thanks yes_noscript for clarifying about the logging. :)
yes_noscript wrote:USA lost DNS "Highness" and provide a free DNS service for public.

Sponsors are London & New York police, IBM (which isn't good too) and others
Sorry but I still don't understand why these groups are untrusted?
Also where did you see that London & New York police are sponsors?

yes_noscript

Re: New free public DNS service blocks malicious domains

Post by yes_noscript » Sat Nov 18, 2017 8:13 pm

barbaz wrote:Also where did you see that London & New York police are sponsors?
At German heise forum
Maybe because the info at bottom: https://www.globalcyberalliance.org/
And at the forum I read IBM works with NSA

But even if that with the police isn't true, I wouldn't trust that DNS provider. It's USA based and that's definitively NSA

Re: New free public DNS service blocks malicious domains

Post by barbaz » Sat Nov 18, 2017 8:41 pm

Thanks yes_noscript,
yes_noscript wrote:But even if that with the police isn't true,
FWIW - https://www.globalcyberalliance.org/about.html#history

Re: New free public DNS service blocks malicious domains

Post by morganism » Thu Jan 18, 2018 12:03 am

Ugh, you guys were right.

Here is a DNS lookup over HTTPS that may help

https://github.com/curl/curl/wiki/DNS-over-HTTPS

Do DNS resolves over HTTPS for privacy, performance and security. Also makes it easier to use a name server of your choice instead of the one configured for your system.
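What a DNS-over-HTTPS lookup of the kind linked in the last post looks like on the wire (RFC 8484 GET form), as an added example that is not part of the thread and not curl's code. The endpoint `doh.example` is a placeholder, and the sample response is constructed so the block runs offline.

```python
import base64
import struct

DOH_ENDPOINT = "https://doh.example/dns-query"  # hypothetical resolver URL (assumption)
QTYPE_A = 1

def build_query(name, qtype=QTYPE_A):
    """DNS question in RFC 1035 wire format, as carried by RFC 8484 DoH."""
    # ID 0 (RFC 8484 advises this for HTTP caching), flags 0x0100 = recursion desired
    header = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!2H", qtype, 1)  # class IN

def doh_get_url(name, endpoint=DOH_ENDPOINT):
    """GET form of RFC 8484: base64url without padding in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=")
    return endpoint + "?dns=" + b64.decode("ascii")

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return pos + 2
        if length == 0:             # root label: end of name
            return pos + 1
        pos += 1 + length

def parse_a_response(msg):
    """Return (rcode, [IPv4 strings]) from a wire-format DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    pos = 12
    for _ in range(qd):             # skip the echoed question(s)
        pos = skip_name(msg, pos) + 4
    addrs = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, addrs    # low 4 bits of flags = RCODE (0 ok, 3 NXDOMAIN)

# Constructed sample response: one A record, www.example.com -> 192.0.2.10
SAMPLE_RESPONSE = (struct.pack("!6H", 0, 0x8180, 1, 1, 0, 0)
                   + build_query("www.example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes([192, 0, 2, 10]))
```

The query name travels inside the TLS session, so on-path observers no longer see it, but the DoH resolver still receives the full name and can log it exactly as a plain DNS resolver can.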
