Welcome Guest ( Log In | Register )

Outline · [ Standard ] · Linear+

Official IBM launches Quad9 DNS service, for internet threat protection 9.9.9.9

views
     
TSKadaj
post Nov 17 2017, 09:41 PM, updated 7y ago

On my way
****
Junior Member
536 posts

Joined: Mar 2006
1. What is DNS?

Domain Name Servers (DNS) are the Internet's equivalent of a phone book. They maintain a directory of domain names and translate them to Internet Protocol (IP) addresses. This is necessary because although domain names are easy for people to remember, computers or machines access websites based on IP addresses.


2. Will Quad9 filter content?

No. Quad9 will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains.


3. How does Quad9 ensure my privacy?

When an entity or an individual is using the Quad9 infrastructure, their IP address is not logged in our system. We, however, log the geo-location of the system (city, state, country) and use this information for malicious campaign and actor analysis, as well as a component of the data we provide our threat intelligence partners.


4. What does Quad9 log/store about the DNS queries?

We store details of the DNS records queried, timestamp, and the city, state, and country from where the query came. We do not store source IP information of end user queries.


5. Does Quad9 share the DNS data that is generated with marketers?

Quad9 does not and never will share any of its data with marketers, nor will it use this data for demographic analysis. Our purpose is fighting cyber crime on the Internet and to enable individuals and entities to be more secure. We do this by increasing visibility into the threat landscape by providing generic telemetry to our security industry partners who contribute data for threat blocking.


6. Is there a service that Quad9 offers that does not have the blocklist or other security?

The primary IP address for Quad9 is 9.9.9.9, which includes the blocklist, DNSSEC, and other security features. However, there are alternate IP addresses that the service operates which do not have these security features. These might be useful for testing validation, or to determine if there are false positives in the Quad9 system.

Secure IP: 9.9.9.9 Blocklist, DNSSEC, No EDNS Client-Subnet

Unsecure IP: 9.9.9.10 No blocklist, no DNSSEC, send EDNS Client-Subnet

Note: Use only one of these two addresses. Some networking software may include terminology such as “Secondary DNS Server” in configuration windows; this can be left blank. Putting both 9.9.9.9 and 9.9.9.10 into “primary” and “secondary” fields may result in unsecure results in rare circumstances.

For more info please visit:
https://www.quad9.net/
HaN6787
post Nov 18 2017, 06:21 AM

New Member
*
Junior Member
6 posts

Joined: Oct 2011


better than 8.8.8.8 ah?
TSKadaj
post Nov 18 2017, 11:19 AM

On my way
****
Junior Member
536 posts

Joined: Mar 2006
QUOTE(HaN6787 @ Nov 18 2017, 06:21 AM)
better than 8.8.8.8 ah?
*
QUOTE
Every time you use a DNS, it records your IP address (and thus your approximate location), the domain name you looked up, the current time, and the name of your ISP. Many organizations that run DNS servers are beginning to learn that there's money to be had in those logs. Google, of course, has known that since the beginning of time.
https://www.infoworld.com/article/2608352/p...o-avoid-it.html

1. Obviouly Google is a profit-oriented company.

Quad9 is a nonprofit organization dedicated only to the operation of DNS services. There are no other secondary revenue streams for personally-identifiable data, and the core charter of the organization is to provide secure, fast, private DNS. It's funded by IBM, Packet Clearing House (PCH), Global Cyber Alliance (GCA) and supported from some intelligence partners.
https://www.quad9.net/#/about

2. Google dns doesn't protect you from phishing and malicious domains.

Quad9 brings together cyber threat intelligence about malicious domains from variety of public and private sources and blocks access to those malicious domains when your system attempts to contact them.

3. Quad9 doesn't log your IP, however, log the geo-location of the system (city, state, country) and use this information for malicious campaign and actor analysis, as well as a component of the data they provide with their threat intelligence partners.

Google Public DNS stores two sets of logs: temporary and permanent. The temporary logs store the full IP address of the machine you're using.
And here is the full list of items that are included in permanent logs:

Request domain name, e.g. www.google.com
Request type, e.g. A (which stands for IPv4 record), AAAA (IPv6 record), NS, MX, TXT, etc.
Transport protocol on which the request arrived, i.e. TCP, UDP, or HTTPS
Client's AS (autonomous system or ISP), e.g. AS15169
User's geolocation information: i.e. geocode, region ID, city ID, and metro code
Response code sent, e.g. SUCCESS, SERVFAIL, NXDOMAIN, etc.
Whether the request hit our frontend cache
Whether the request hit a cache elsewhere in the system (but not in the frontend)
Absolute arrival time in seconds
Total time taken to process the request end-to-end, in seconds
Name of the Google machine that processed this request, e.g. machine101
Google target IP to which this request was addressed, e.g. one of our anycast IP addresses (no relation to the user's IP)

------------------------
TL;DR:

Quad9 9.9.9.9 is better than Google DNS 8.8.8.8 in term of privacy and security.
fat16
post Nov 20 2017, 08:20 AM

Look at all my stars!!
*******
Senior Member
4,582 posts

Joined: Jan 2003
From: West johor


Too bad digi block 3rd party DNS but google DNS.
ping traceroute all working but website not found.
Anybody know how to bypass DiGii anti DNS thing ?
fkinmeng
post Nov 20 2017, 08:27 AM

Look at all my stars!!
*******
Senior Member
6,179 posts

Joined: May 2007
thanks for the info, will try it later tonight.

What about for ipv6?

This post has been edited by fkinmeng: Nov 20 2017, 03:21 PM
TSKadaj
post Nov 20 2017, 09:26 PM

On my way
****
Junior Member
536 posts

Joined: Mar 2006
QUOTE(fat16 @ Nov 20 2017, 08:20 AM)
Too bad digi block 3rd party DNS but google DNS.
ping traceroute all working but website not found.
Anybody know how to bypass DiGii anti DNS thing ?
*
I'm able to use 3rd party DNS with DNSCrypt on Digi network.
Which is another story.

FYI:
https://dnscrypt.org/
QUOTE(fkinmeng @ Nov 20 2017, 08:27 AM)
thanks for the info, will try it later tonight.

What about for ipv6?
*
Q: Is there IPv6 support for Quad9?

Yes. Quad9 operates identical services on a set of IPv6 addresses, which are on the same infrastructure as the 9.9.9.9 systems.

Secure IPv6: 2620:fe::fe Blocklist, DNSSEC, No EDNS Client-Subnet

Unsecure IPv6: 2620:fe::10 No blocklist, no DNSSEC, send EDNS Client-Subnet

https://www.quad9.net/#/faq
fkinmeng
post Nov 20 2017, 09:29 PM

Look at all my stars!!
*******
Senior Member
6,179 posts

Joined: May 2007
QUOTE(Kadaj @ Nov 20 2017, 09:26 PM)
I'm able to use 3rd party DNS with DNSCrypt on Digi network.
Which is another story.

FYI:
https://dnscrypt.org/

Q: Is there IPv6 support for Quad9?

Yes. Quad9 operates identical services on a set of IPv6 addresses, which are on the same infrastructure as the 9.9.9.9 systems.

Secure IPv6: 2620:fe::fe Blocklist, DNSSEC, No EDNS Client-Subnet

Unsecure IPv6: 2620:fe::10 No blocklist, no DNSSEC, send EDNS Client-Subnet

https://www.quad9.net/#/faq
*
thanks, trying it now. find that google dns is faster but since this is safer, will keep using this instead.
TSKadaj
post Nov 21 2017, 06:25 PM

On my way
****
Junior Member
536 posts

Joined: Mar 2006
QUOTE(fkinmeng @ Nov 20 2017, 09:29 PM)
thanks, trying it now. find that google dns is faster but since this is safer, will keep using this instead.
*
You might want to take a look at DNSCrypt which is more secure but require additional settings.
QUOTE
DNSCrypt wraps unmodified DNS queries between a client and a DNS resolver in a SSL wrapper and responses in a cryptographic construction (elliptic-curve cryptography) in order to detect forgery. Though it doesn't provide end-to-end security, it protects the local network against man-in-the-middle attacks.

It also mitigates UDP-based amplification attacks by requiring a question to be at least as large as the corresponding response. Basically, using DNSCrypt helps to prevent DNS spoofing.
https://en.wikipedia.org/wiki/DNSCrypt

TSKadaj
post Dec 25 2017, 01:03 PM

On my way
****
Junior Member
536 posts

Joined: Mar 2006
The Alliance (GCA) was co-founded by the City of London Police, the District Attorney of New York County and the Center for Internet Security and styled itself "an international, cross-sector effort designed to confront, address, and prevent malicious cyber activity."

Use OpenNIC instead.
https://www.opennic.org/

For more comparative:
https://medium.com/@nykolas.z/dns-security-...fe-a00ace3bf21f

------------------------------

After some research I actually go against Quad9 DNS now.
Avoid any corporation or government's DNS.
KKTECHHUB
post Dec 30 2017, 07:20 PM

Getting Started
**
Junior Member
133 posts

Joined: Dec 2017


QUOTE(fat16 @ Nov 20 2017, 08:20 AM)
Too bad digi block 3rd party DNS but google DNS.
ping traceroute all working but website not found.
Anybody know how to bypass DiGii anti DNS thing ?
*
you can try opendns, 208.67.222.222

 

Change to:
| Lo-Fi Version
0.0154sec    0.49    5 queries    GZIP Disabled
Time is now: 29th March 2024 - 07:48 PM