Kitz Forum

Internet => General Internet => Topic started by: underzone on November 17, 2017, 05:50:30 PM

Title: New DNS Service 9.9.9.9
Post by: underzone on November 17, 2017, 05:50:30 PM
A free service that helps stop consumers visiting websites known to be malicious has been set up by IBM and two other industry bodies.
The Quad 9 service requires people to change the settings on their home router so web addresses can be checked.
It uses 19 separate lists of web-based threats to spot those used by phishing gangs or other cyber-thieves.
One security expert said it could be a "challenge" getting people to adopt the filtering system.

New “Quad9” DNS service blocks malicious domains for everyone
Set DNS server to 9.9.9.9, and (known) malware and phishes won’t be able to phone home.

http://www.bbc.co.uk/news/technology-42025569

https://arstechnica.com/information-technology/2017/11/new-quad9-dns-service-blocks-malicious-domains-for-everyone/

"Anyone anywhere can use it," said Phil Rettinger, GCA's president and chief operating officer, in an interview with Ars. The service, he says, will be "privacy sensitive," with no logging of the addresses making DNS requests—"we will keep only [rough] geolocation data," he said, for the purposes of tracking the spread of requests associated with particular malicious domains. "We're anonymizing the data, sacrificing on the side of privacy." - bye bye Google DNS!
Title: Re: New DNS Service 9.9.9.9
Post by: jelv on November 17, 2017, 06:27:43 PM
I've just compared the tracert to that and Google's DNS - for me it has two less hops!
Title: Re: New DNS Service 9.9.9.9
Post by: renluop on November 17, 2017, 07:02:57 PM
Google has primary and secondary DNS; quad9 just the one i.e. 9999. Is that correct?

As a less knowledgeable member I'm thinking if that could be not a good thing, as shouldn't one always have an alternative and a non-quad9 would bear risks as before.
Title: Re: New DNS Service 9.9.9.9
Post by: underzone on November 17, 2017, 07:10:11 PM
quad9 just the one i.e. 9999. Is that correct?

As a less knowledgeable member I'm thinking if that could be not a good thing, as shouldn't one always have an alternative and a non-quad9 would bear risks as before.

Nope.

"As of launch, there were clusters of DNS servers configured in 70 different locations around the world; Baykal said that the organization expects to have 100 sites up and running by the end of the year. Each cluster has at least three servers, Baykal explained, "and in some critical areas, like Chicago, we have five, seven, or nine systems behind load balancer.""
Title: Re: New DNS Service 9.9.9.9
Post by: Chrysalis on November 17, 2017, 07:13:52 PM
Yeah, they definitely have geo-based routing, slightly better latency for me vs Google DNS.

Code:
C:\Users\Chris\AppData\Local\FiveM\FiveM.app>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=9ms TTL=60
Reply from 8.8.8.8: bytes=32 time=9ms TTL=60
Reply from 8.8.8.8: bytes=32 time=9ms TTL=60
Reply from 8.8.8.8: bytes=32 time=9ms TTL=60

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 9ms, Maximum = 9ms, Average = 9ms

C:\Users\Chris\AppData\Local\FiveM\FiveM.app>ping 9.9.9.9

Pinging 9.9.9.9 with 32 bytes of data:
Reply from 9.9.9.9: bytes=32 time=7ms TTL=60
Reply from 9.9.9.9: bytes=32 time=7ms TTL=60
Reply from 9.9.9.9: bytes=32 time=6ms TTL=60
Reply from 9.9.9.9: bytes=32 time=6ms TTL=60

Ping statistics for 9.9.9.9:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 7ms, Average = 6ms

C:\Users\Chris\AppData\Local\FiveM\FiveM.app>
Title: Re: New DNS Service 9.9.9.9
Post by: burakkucat on November 17, 2017, 07:22:06 PM
Just for the analysts amongst us --

[Duo2 ~]$ ping -c5 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=41.2 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=40.2 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=57 time=41.6 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=57 time=40.5 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=57 time=40.7 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4047ms
rtt min/avg/max/mdev = 40.205/40.891/41.635/0.507 ms
[Duo2 ~]$ ping -c5 8.8.4.4
PING 8.8.4.4 (8.8.4.4) 56(84) bytes of data.
64 bytes from 8.8.4.4: icmp_seq=1 ttl=57 time=39.6 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=57 time=39.2 ms
64 bytes from 8.8.4.4: icmp_seq=3 ttl=57 time=39.0 ms
64 bytes from 8.8.4.4: icmp_seq=4 ttl=57 time=43.0 ms
64 bytes from 8.8.4.4: icmp_seq=5 ttl=57 time=38.0 ms

--- 8.8.4.4 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4043ms
rtt min/avg/max/mdev = 38.003/39.796/43.097/1.744 ms
[Duo2 ~]$ ping -c5 9.9.9.9
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
64 bytes from 9.9.9.9: icmp_seq=1 ttl=58 time=40.1 ms
64 bytes from 9.9.9.9: icmp_seq=2 ttl=58 time=38.5 ms
64 bytes from 9.9.9.9: icmp_seq=3 ttl=58 time=39.4 ms
64 bytes from 9.9.9.9: icmp_seq=4 ttl=58 time=39.7 ms
64 bytes from 9.9.9.9: icmp_seq=5 ttl=58 time=39.6 ms

--- 9.9.9.9 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4046ms
rtt min/avg/max/mdev = 38.542/39.502/40.121/0.587 ms
[Duo2 ~]$
Title: Re: New DNS Service 9.9.9.9
Post by: smf22 on November 18, 2017, 12:21:13 PM
Yeah, they definitely have geo-based routing, slightly better latency for me vs Google DNS.

It's not mentioned in the article, but I would expect the geo based routing to be based on Anycast (https://en.wikipedia.org/wiki/Anycast). The existing OpenDNS and Google Public DNS do this as described by Google in their FAQ How does Google Public DNS know where to send my queries? (https://developers.google.com/speed/public-dns/faq?csw=1#anycast). Perhaps it's Anycast to get to the nearest cluster and then as they describe, the dnsdist (https://dnsdist.org/guides/serverselection.html) to load balance across nodes of the cluster.

In terms of latency, I'd imagine the load on the servers is currently much lower than the other public DNS servers as there'll be fewer people using them.
Title: Re: New DNS Service 9.9.9.9
Post by: art37 on January 15, 2018, 12:33:05 PM
Sorry to hijack an existing thread. Does anyone know the IPv4 and IPv6 secondary servers for Quad9? I have a Fritz!Box that requires both primary and secondary before it will allow a change. I recall reading somewhere that it is unwise to mix secure with insecure.
Title: Re: New DNS Service 9.9.9.9
Post by: roseway on January 15, 2018, 01:05:04 PM
I found this: https://www.stationx.net/improve-your-security-and-privacy-check-out-the-new-quad9-dns-service/ which recommends 149.112.112.112 as the secondary IPv4 DNS server. A whois enquiry on this number shows that it's owned by the Packet Clearing House, so it should be genuine.
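
Added example, not part of the thread or any poster's code: a check for the "mixing secure with insecure" concern raised above. It flags any configured resolver that is not one of the two Quad9 addresses quoted in the thread, since a client that falls back to an unfiltered secondary can still resolve a blocked domain. It assumes Linux-style resolv.conf text as input; the function names and sample inputs are constructed for illustration.

```python
import ipaddress

# Filtering resolvers named in this thread (primary, plus the secondary roseway found).
# The thread gives no IPv6 addresses; add them to this set once verified.
QUAD9_FILTERING = {"9.9.9.9", "149.112.112.112"}

def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        # Strip '#' and ';' comments before looking at the fields.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            addr = fields[1].split("%", 1)[0]  # drop an IPv6 zone id such as %eth0
            try:
                servers.append(str(ipaddress.ip_address(addr)))
            except ValueError:
                continue  # skip malformed entries instead of guessing
    return servers

def audit(resolv_conf_text, allowed=QUAD9_FILTERING):
    """Split configured resolvers into filtering ones and ones that bypass filtering."""
    allowed_norm = {str(ipaddress.ip_address(a)) for a in allowed}
    servers = parse_nameservers(resolv_conf_text)
    filtering = [s for s in servers if s in allowed_norm]
    bypass = [s for s in servers if s not in allowed_norm]
    # "ok" requires at least one resolver and none outside the filtering set.
    return {"filtering": filtering, "bypass": bypass,
            "ok": bool(servers) and not bypass}

# Constructed sample: Quad9 primary mixed with a non-filtering secondary.
MIXED = """\
# constructed example
nameserver 9.9.9.9
nameserver 8.8.8.8   ; unfiltered fallback
"""

# Constructed sample: both addresses quoted in the thread.
QUAD9_ONLY = "nameserver 9.9.9.9\nnameserver 149.112.112.112\n"

if __name__ == "__main__":
    for name, text in (("mixed", MIXED), ("quad9-only", QUAD9_ONLY)):
        print(name, audit(text))
```

On a router such as the Fritz!Box mentioned above, the same rule applies to the primary and secondary fields: both should point at the filtering service.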
Title: Re: New DNS Service 9.9.9.9
Post by: dgilbert2 on February 25, 2018, 02:48:46 PM
Thanks for this info, will give it a try  :)