
From Nov 2017...

> On Apr 2, 2018, at 7:24 PM, Robert Mathews (OSIA) <mathews at hawaii.edu> wrote:
> *Group Co-founded by City of London Police promises 'no snooping on your requests'*

Note that this is _extremely_ misleading, since the group being referred to here is _not_ Quad9, but instead GCA, one of the many donors that are supporting the Quad9 project.  Quad9 doesn't have any association with the City of London Police, other than that they're among the many tens of millions of users in the general public.

> *DNS resolver will check requests against IBM threat database*

Not exactly correct...  There are nineteen threat intel providers, including Intel, Cisco, and F-Secure, which provide real-time feeds of compromised and C&C domains to Quad9.  Quad9 does a bunch of reputation scoring on the data feeds to figure out which are likely problematic and which might be false-positives, before including them in the optional block-list.  There's a partial list of the threat-intel providers about halfway down this page:  https://www.quad9.net/about/  And you can check at any time whether an FQDN is currently being blocked using a field on the front page of the Quad9 site.

> On Apr 2, 2018, at 7:36 PM, Seth Mattinen <sethm at rollernet.us> wrote:
> ...an IBM database is queried, just like it says on their website? That doesn't mean they are recording who is making what requests.

Correct.  All that is defined in the privacy policy.  No IP addresses are recorded.  No query strings are recorded, but ones that match an FQDN on the block-list are tallied, and that tally is used to improve the reputation-scoring of the threat intel providers, and is fed back to the threat intel providers to help them improve their own data quality.  I believe the privacy policy that's still up right now says that we may optionally give the threat-intel providers aggregate statistics per country, but we're not actually doing that in practice, and it's our intention to narrow down the policy to reflect actual practice.

On 4/2/18 7:43 PM, J Crowe wrote:
> That database could possibly be ingested and used locally.

Correct.  The database is ingested and used locally _at each server_, so the queries never even leave the server.  Anything else would be too slow and stateful to work.

> Traffic may not even be traversing to the database hosted by IBM.

Correct.  The threat-intel data comes from them to us, and a count of matches goes from us to them.

> At least they are open about where they are getting the data that allows for blocking to certain FQDNs.

Yeah...  Sorry only twelve of the nineteen are listed on the web site right now, but the project is stretched pretty thin keeping up with requests for new locations, and we haven't had a lot of time to update the web site...  There's no intention for the list to not be public, and I can get and post the full list if anyone cares.  Though it would probably be better if I spent that time hunting for someone to update the web site.  :-)
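The data flow described in the message above (feed entries ingested and matched locally on each resolver, no client IPs or non-matching query strings retained, only a tally of block-list hits kept and credited back to the feeds that listed the name) as an added illustration in Python. This is example code, not Quad9's software and not from any post in this thread. The feed format, the provider names "feed-a"/"feed-b", the sample domains and the client addresses are constructed for the example; the message talks about matching an FQDN on the block-list, so exact-name matching is the default here and the parent-label walk (blocking sub.evil.example when evil.example is listed) is an assumption of this example, not something the post states.

```python
"""Resolver-side block-list check with a privacy-preserving tally.

Added example, not Quad9's code. Feed entries are loaded into memory on the
resolver, every query is matched locally, and the only state kept is a count
of matches per listed FQDN and per provider. Client IPs and non-matching
names are never stored. Feeds, provider names and queries are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed sample feed entries (provider, fqdn). Provider names are
# placeholders, not the real data sources behind the service.
SAMPLE_FEEDS: Iterable[Tuple[str, str]] = [
    ("feed-a", "evil.example."),
    ("feed-b", "evil.example"),
    ("feed-b", "C2.Malware.Example"),
]


def normalize(name: str) -> str:
    """Canonical DNS name: trimmed, lower-case, no trailing dot."""
    return name.strip().rstrip(".").lower()


class BlockList:
    """In-memory block-list held on the resolver itself.

    Maps each listed FQDN to the set of providers that listed it, so that a
    match can be credited back to every feed that carried the entry.
    """

    def __init__(self) -> None:
        self.entries: Dict[str, Set[str]] = defaultdict(set)

    @classmethod
    def from_feeds(cls, feeds: Iterable[Tuple[str, str]]) -> "BlockList":
        bl = cls()
        for provider, fqdn in feeds:
            bl.entries[normalize(fqdn)].add(provider)
        return bl

    def lookup(self, qname: str, match_parents: bool = False) -> Optional[Tuple[str, Set[str]]]:
        """Return (listed_name, providers) if qname is blocked, else None.

        Default is an exact FQDN match. match_parents=True is an assumption
        of this example: it also blocks sub.evil.example when evil.example
        is listed, by walking up the labels of the query name.
        """
        name = normalize(qname)
        if not match_parents:
            candidates = [name]
        else:
            labels = name.split(".")
            candidates = [".".join(labels[i:]) for i in range(len(labels))]
        for cand in candidates:
            if cand in self.entries:
                return cand, set(self.entries[cand])
        return None


@dataclass
class Tally:
    """The only state that leaves the resolver: counts, no IPs, no query log."""
    by_fqdn: Counter = field(default_factory=Counter)
    by_provider: Counter = field(default_factory=Counter)


class Resolver:
    def __init__(self, blocklist: BlockList, match_parents: bool = False) -> None:
        self.blocklist = blocklist
        self.match_parents = match_parents
        self.tally = Tally()

    def handle(self, client_ip: str, qname: str) -> str:
        """Return "block" or "resolve". client_ip is accepted because a real
        resolver needs it to send the reply, but it is never stored."""
        hit = self.blocklist.lookup(qname, self.match_parents)
        if hit is None:
            return "resolve"            # non-matching names are not recorded
        listed_name, providers = hit
        # Tally the listed entry, not the raw query, so that with parent
        # matching an unlisted sub-label never ends up in the counts.
        self.tally.by_fqdn[listed_name] += 1
        for p in providers:
            self.tally.by_provider[p] += 1
        return "block"


def demo() -> Tally:
    """Run constructed queries through a resolver and return the tally."""
    r = Resolver(BlockList.from_feeds(SAMPLE_FEEDS), match_parents=True)
    r.handle("192.0.2.10", "EVIL.example.")       # exact match, two providers
    r.handle("192.0.2.11", "www.example.net")     # not listed, nothing kept
    r.handle("192.0.2.12", "sub.evil.example")    # parent-label match
    r.handle("192.0.2.13", "c2.malware.example")  # listed by feed-b only
    return r.tally


if __name__ == "__main__":
    t = demo()
    print("blocked FQDN counts:", dict(t.by_fqdn))
    print("matches credited per provider:", dict(t.by_provider))
```

The per-provider counter is what makes the tally useful for reputation scoring of the feeds: an entry carried by several providers credits each of them, and a provider whose entries never match in practice shows up as such without any client-identifying data having been kept.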

