From Nov 2017...

Bill Woodcock woody at pch.net
Tue Apr 3 05:04:28 UTC 2018


> On Apr 2, 2018, at 7:24 PM, Robert Mathews (OSIA) <mathews at hawaii.edu> wrote:
> *Group Co-founded by City of London Police promises 'no snooping on your requests’*

Note that this is _extremely_ misleading, since the group being referred to here is _not_ Quad9, but instead GCA, one of the many donors that are supporting the Quad9 project.  Quad9 doesn’t have any association with the City of London Police, other than that they’re among the many tens of millions of users in the general public.

> *DNS resolver 9.9.9.9 will check requests against IBM threat database*

Not exactly correct…  There are nineteen threat intel providers, including Intel, Cisco, and F-Secure, which provide real-time feeds of compromised and C&C domains to Quad9.  Quad9 does a bunch of reputation scoring on the data feeds to figure out which are likely problematic and which might be false-positives, before including them in the optional block-list.  There’s a partial list of the threat-intel providers about halfway down this page:  https://www.quad9.net/about/  And you can check at any time whether an FQDN is currently being blocked using a field on the front page of the Quad9 site.

> On Apr 2, 2018, at 7:36 PM, Seth Mattinen <sethm at rollernet.us> wrote:
> ...an IBM database is queried, just like it says on their website? That doesn't mean they are recording who is making what requests.

Correct.  All that is defined in the privacy policy.  No IP addresses are recorded.  No query strings are recorded, but ones that match an FQDN on the block-list are tallied, and that tally is used to improve the reputation-scoring of the threat intel providers, and is fed back to the threat intel providers to help them improve their own data quality.  I believe the privacy policy that’s still up right now says that we may optionally give the threat-intel providers aggregate statistics per country, but we’re not actually doing that in practice, and it’s our intention to narrow down the policy to reflect actual practice.

On 4/2/18 7:43 PM, J Crowe wrote:
> That database could possibly be ingested and used locally.

Correct.  The database is ingested and used locally _at each server_, so the queries never even leave the server.  Anything else would be too slow and stateful to work.

> Traffic may not even be traversing to the database hosted by IBM.

Correct.  The threat-intel data comes from them to us, and a count of matches goes from us to them.

> At least they are open about where they are getting the data that allows for blocking to certain FQDNs.

Yeah…  Sorry only twelve of the nineteen are listed on the web site right now, but the project is stretched pretty thin keeping up with requests for new locations, and we haven’t had a lot of time to update the web site…  There’s no intention for the list to not be public, and I can get and post the full list if anyone cares.  Though it would probably be better if I spent that time hunting for someone to update the web site.  :-)

                                -Bill

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20180402/e7628a9c/attachment.sig>


More information about the NANOG mailing list