To be clear.....

*DNS resolver 9.9.9.9 will check requests against IBM threat database*
*Group Co-founded by City of London Police promises 'no snooping on your requests'*
By Richard Chirgwin, 20 Nov 2017 at 06:58
The Register (UK)
<https://forums.theregister.co.uk/forum/1/2017/11/20/quad9_secure_private_dns_resolver/>
https://www.theregister.co.uk/2017/11/20/quad9_secure_private_dns_resolver/
On 4/2/18 7:24 PM, Robert Mathews (OSIA) wrote:
> To be clear.....
> *DNS resolver 9.9.9.9 will check requests against IBM threat database*
To be clear on what? That an IBM database is queried, just like it says on their website? That doesn't mean they are recording who is making what requests.
That database could possibly be ingested and used locally. Traffic may not even be traversing to the database hosted by IBM. At least they are open about where they are getting the data that allows for blocking to certain FQDNs.

On Mon, Apr 2, 2018 at 10:36 PM, Seth Mattinen <sethm@rollernet.us> wrote:
> On 4/2/18 7:24 PM, Robert Mathews (OSIA) wrote:
>> To be clear.....
>> *DNS resolver 9.9.9.9 will check requests against IBM threat database*
> To be clear on what? That an IBM database is queried, just like it says on their website? That doesn't mean they are recording who is making what requests.
On 4/2/18 7:43 PM, J Crowe wrote:
> That database could possibly be ingested and used locally. Traffic may not even be traversing to the database hosted by IBM.
> At least they are open about where they are getting the data that allows for blocking to certain FQDNs.
Even if it does traverse somewhere to ask the database, it wouldn't be the DNS user that's making that request, it would be coming from whatever anycast node is handling it decoupled from the actual user's DNS query.
On Apr 2, 2018, at 7:24 PM, Robert Mathews (OSIA) <mathews@hawaii.edu> wrote:
> *Group Co-founded by City of London Police promises 'no snooping on your requests’*
Note that this is _extremely_ misleading, since the group being referred to here is _not_ Quad9, but instead GCA, one of the many donors that are supporting the Quad9 project. Quad9 doesn’t have any association with the City of London Police, other than that they’re among the many tens of millions of users in the general public.
> *DNS resolver 9.9.9.9 will check requests against IBM threat database*
Not exactly correct… There are nineteen threat intel providers, including Intel, Cisco, and F-Secure, which provide real-time feeds of compromised and C&C domains to Quad9. Quad9 does a bunch of reputation scoring on the data feeds to figure out which are likely problematic and which might be false-positives, before including them in the optional block-list. There’s a partial list of the threat-intel providers about halfway down this page: https://www.quad9.net/about/ And you can check at any time whether an FQDN is currently being blocked using a field on the front page of the Quad9 site.
On Apr 2, 2018, at 7:36 PM, Seth Mattinen <sethm@rollernet.us> wrote:
> ...an IBM database is queried, just like it says on their website? That doesn't mean they are recording who is making what requests.
Correct. All that is defined in the privacy policy. No IP addresses are recorded. No query strings are recorded, but ones that match an FQDN on the block-list are tallied, and that tally is used to improve the reputation-scoring of the threat intel providers, and is fed back to the threat intel providers to help them improve their own data quality. I believe the privacy policy that’s still up right now says that we may optionally give the threat-intel providers aggregate statistics per country, but we’re not actually doing that in practice, and it’s our intention to narrow down the policy to reflect actual practice.
On 4/2/18 7:43 PM, J Crowe wrote:
> That database could possibly be ingested and used locally.
Correct. The database is ingested and used locally _at each server_, so the queries never even leave the server. Anything else would be too slow and stateful to work.
> Traffic may not even be traversing to the database hosted by IBM.
Correct. The threat-intel data comes from them to us, and a count of matches goes from us to them.
> At least they are open about where they are getting the data that allows for blocking to certain FQDNs.
Yeah… Sorry only twelve of the nineteen are listed on the web site right now, but the project is stretched pretty thin keeping up with requests for new locations, and we haven’t had a lot of time to update the web site… There’s no intention for the list to not be public, and I can get and post the full list if anyone cares. Though it would probably be better if I spent that time hunting for someone to update the web site. :-) -Bill
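A minimal sketch of the design described in the message above (feeds ingested and held locally at each server, scoring before a domain enters the block-list, and only a tally of block-list matches kept), added here as an illustration and not Quad9's code. The provider names, integer weights, inclusion threshold and `.example` domains are assumptions constructed for the example.

```python
from collections import Counter

# Constructed sample feeds; provider names and domains are hypothetical.
FEEDS = {
    "provider-a": {"c2.bad.example", "phish.example"},
    "provider-b": {"c2.bad.example", "cdn.shared.example"},
    "provider-c": {"phish.example"},
}
# Assumed per-provider reputation weights and inclusion threshold.
WEIGHTS = {"provider-a": 6, "provider-b": 3, "provider-c": 5}
THRESHOLD = 8


def normalize(fqdn):
    """Lower-case and drop the trailing root dot so lookups are consistent."""
    return fqdn.rstrip(".").lower()


def build_blocklist(feeds, weights, threshold):
    """Map each FQDN whose combined provider weight clears the threshold
    to the set of providers that listed it."""
    sources = {}
    for provider, domains in feeds.items():
        for d in domains:
            sources.setdefault(normalize(d), set()).add(provider)
    return {d: p for d, p in sources.items()
            if sum(weights[x] for x in p) >= threshold}


class LocalResolverNode:
    """One server: block-list held in memory, nothing about clients kept."""

    def __init__(self, blocklist):
        self.blocklist = blocklist
        self.match_tally = Counter()     # blocked FQDN -> hit count
        self.provider_tally = Counter()  # provider -> hits credited to it

    def handle(self, client_ip, qname):
        # client_ip is only needed to send the answer; it is never stored.
        name = normalize(qname)
        providers = self.blocklist.get(name)
        if providers is None:
            return "RESOLVE"             # non-matching names leave no record
        self.match_tally[name] += 1
        self.provider_tally.update(providers)
        return "BLOCK"

    def report(self):
        """Aggregate counts only: the data that flows back to feed providers."""
        return dict(self.match_tally), dict(self.provider_tally)
```

A domain listed by a single low-weight feed (`cdn.shared.example` here) stays off the block-list, and the node's state after handling queries contains match counts but no client addresses or non-matching names.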
On 4/3/2018 1:04 AM, Bill Woodcock wrote:
> On Apr 2, 2018, at 7:24 PM, Robert Mathews (OSIA) <mathews@hawaii.edu> wrote:
>> *Group Co-founded by City of London Police promises 'no snooping on your requests’*
> Note that this is _extremely_ misleading, since the group being referred to here is _not_ Quad9, but instead GCA, one of the many donors that are supporting the Quad9 project. Quad9 doesn’t have any association with the City of London Police, other than that they’re among the many tens of millions of users in the general public.
Bill: As you will have noted, the post was a reflection of that which The Register had published, and at the URL that was provided. Have you, or others at Quad9, reached out to The Register to have the details in their reporting corrected? In focus, within the Cloudflare announcement, is the subject of Privacy. Subsequently, some on the list had also spoken of Privacy needs in relation to the DNS Ops. It is solely for that reason, The Register publication was shared.
> -Bill
All the best, Robert.
On Apr 2, 2018, at 11:28 PM, Robert Mathews (OSIA) <mathews@hawaii.edu> wrote:
> On 4/3/2018 1:04 AM, Bill Woodcock wrote:
>> On Apr 2, 2018, at 7:24 PM, Robert Mathews (OSIA) <mathews@hawaii.edu> wrote:
>>> *Group Co-founded by City of London Police promises 'no snooping on your requests’*
>> Note that this is _extremely_ misleading, since the group being referred to here is _not_ Quad9, but instead GCA, one of the many donors that are supporting the Quad9 project. Quad9 doesn’t have any association with the City of London Police, other than that they’re among the many tens of millions of users in the general public.
> Bill: As you will have noted, the post was a reflection of that which The Register had published, and at the URL that was provided.
What’s your point, though? Are you talking about Quad9, or about GCA? If you’re talking about Quad9, you’re misleading people by implying that the quote you pulled from the Register piece pertains to Quad9, when it does not. If you’re talking about GCA, you’re misleading people by implying that what you’re saying about GCA somehow applies to Quad9. If you’re talking about Quad9, John Todd or I can address any questions. If you’re talking about GCA, that’s between you and them. -Bill
On 4/3/2018 2:37 AM, Bill Woodcock wrote:
> What’s your point, though? Are you talking about Quad9, or about GCA?
> If you’re talking about Quad9, you’re misleading people by implying that the quote you pulled from the Register piece pertains to Quad9, when it does not.
> If you’re talking about GCA, you’re misleading people by implying that what you’re saying about GCA somehow applies to Quad9.
> If you’re talking about Quad9, John Todd or I can address any questions. If you’re talking about GCA, that’s between you and them.
> -Bill
Bill and others: The story from The Register was posted as it was... the added words, "to be clear" was intended to focus exchanges (if there was interest) in relation to Privacy, The Register's reporting. NOTHING more. The fact that you have somehow INTERPRETED here, that I have personally taken a FOR, or AGAINST position to Quad9 operation, would be an error. Since when is it an offense, to merely share a publicly available URL? More to the point of Privacy, you have shared some information here regarding Quad9 operations that may have been beneficial to some, or many. It has been of benefit to me, and thanks for sharing that which what you have. All the best.
> Since when is it an offense, to merely share a publicly available URL?
> More to the point of Privacy, you have shared some information here regarding Quad9 operations that may have been beneficial to some, or many. It has been of benefit to me, and thanks for sharing that which what you have.
Ok, sorry if I was being overly persnickety. My apologies. I’ve been spending too much time answering questions on “social media” and it’s making me antisocial. -Bill
On 4/3/2018 3:15 AM, Bill Woodcock wrote:
>> Since when is it an offense, to merely share a publicly available URL?
>> More to the point of Privacy, you have shared some information here regarding Quad9 operations that may have been beneficial to some, or many. It has been of benefit to me, and thanks for sharing that which what you have.
> Ok, sorry if I was being overly persnickety. My apologies. I’ve been spending too much time answering questions on “social media” and it’s making me antisocial.
> -Bill
Bill: No offense taken... it is quite alright... and thank you, for the information you had cared to share.... All the best, Robert.
On 4/3/18 12:15 AM, Bill Woodcock wrote:
> Ok, sorry if I was being overly persnickety. My apologies. I’ve been spending too much time answering questions on “social media” and it’s making me antisocial.
Commenting on social media is like having to write a dissertation perfectly with your first draft in 5 seconds.