New “Quad9” DNS service blocks malicious domains for everyoneNovember 16, 2017 – 5:16 PM
The Global Cyber Alliance (GCA)—an organization founded by law enforcement and research organizations to help reduce cyber-crime—has partnered with IBM and Packet Clearing House to launch a free public Domain Name Service system. That system is intended to block domains associated with botnets, phishing attacks, and other malicious Internet hosts—primarily targeted at organizations that don’t run their own DNS blacklisting and whitelisting services. Called Quad9 (after the 126.96.36.199 Internet Protocol address the service has obtained), the service works like any other public DNS server (such as Google’s), except that it won’t return name resolutions for sites that are identified via threat feeds the service aggregates daily.
“Anyone anywhere can use it,” said Phil Rettinger, GCA’s president and chief operating officer, in an interview with Ars. The service, he says, will be “privacy sensitive,” with no logging of the addresses making DNS requests—”we will keep only [rough] geolocation data,” he said, for the purposes of tracking the spread of requests associated with particular malicious domains. “We’re anonymizing the data, sacrificing on the side of privacy.”
Intelligence on malicious domains comes from 19 threat feeds—one of which is IBM’s X-Force. Adnan Baykal, GCA’s Chief Technical Advisor, told Ars that the service pulls in these threat feeds in whatever format they are published in, and it converts them into a database that is then de-duplicated. Quad9 also generates a whitelist of domains never to block; it uses a list of the top one million requested domains. During development, Quad9 used Alexa, but now that Alexa’s top million sites list is no longer being maintained, Baykal said that GCA and its partners had to turn to an alternative source for the data—the Majestic Million daily top-million sites feed.
There’s also a “gold list”—domains that should never be blocked, such as major Internet service sites like Microsoft’s Azure cloud, Google, and Amazon Web Services. “We do realize that docs.google.com is hosting phishing attacks,” Baykal said. “But because this is DNS filtering, we cannot block that URL specifically. And we don’t ever want to completely block Google.”
The blocked sites, whitelist, and gold lists are then converted into a Response Policy Zone (RPZ) format before being pushed out to the clusters of DNS servers around the world maintained by Packet Clearing House via DNS zone transfers. The DNS server clusters, which are each load-balanced with dnsdist, use a mix of Unbound and PowerDNS servers to deliver responses. “We’re running two different variants behind a load balancer,” Baykal said, “so that if there’s an issue with one we can take it down, or if there’s a critical vulnerability, we can shut one down and patch it.”