> On Apr 3, 2018, at 9:38 PM, Stephen Gillies <m...@caretandstick.com.au> wrote:
> There are a number of DNS servers (commercial products) out there with the 
> extra security integrated for blacklist/threatfeed/behavioural 
> analysis/anti-tunnelling which are I guess more enterprise focused security 
> features,

There are two that provide malware blocking, OpenDNS (now owned by Cisco and 
integrated into their Umbrella managed security platform) and Quad9.  OpenDNS 
is principally aimed at enterprise IT.  It works great.  It’s primarily 
security-focused.  Quad9...

> whereas something like quad-1^9 is surely for end users

…is principally aimed at end-users and SMB, and is primarily privacy-focused.  
It’s the only major one which doesn’t collect user data (query source IP 
addresses and query payload).

> who are happy to give their passive DNS data to cloudflare and IBM?

Neither IBM nor any of the eighteen other threat-intel providers to Quad9, nor 
anyone else receives DNS data from Quad9, because it’s not collected in the 
first place.  Which also means it’s the only one not vulnerable to breach.  And 
it’s the only public one which will be legal in Europe come May 25.

1.1.1.1 is a “temporary research experiment” answering as-yet-unspecified 
questions, by APNIC Labs (Geoff) and Cloudflare, and collects user data.  There 
is no similarity between 1.1.1.1 and 9.9.9.9 other than the lengths of the IPv4 
addresses.

> I find it difficult to understand why any telco would just to give away all 
> that DNS browsing data to someone else to analyse and monetise?

Correct.  Telcos generally all outsource their recursive resolvers to 
monetization companies like Nominum, so they generally try to hijack the IP 
addresses of other popular recursive resolvers.  Which is why Quad9 was the 
first to implement DNS-over-TLS, so users could authenticate the server and 
protect themselves from having their traffic pcapped along the way.

                                -Bill  (Also Quad9 board chair)
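
The server authentication that DNS-over-TLS provides, as an added example that is not part of the original message: a minimal Python client that only accepts answers from 9.9.9.9 if the server proves its identity with a valid certificate. The authentication name `dns.quad9.net`, port 853 (RFC 7858), and the fixed transaction ID are assumptions that do not appear in the message above.

```python
import socket, ssl, struct

# Assumptions (not from the original message): Quad9's published DoT
# authentication name and the RFC 7858 port.
DOT_IP, DOT_NAME, DOT_PORT = "9.9.9.9", "dns.quad9.net", 853
TXID = 0x1234  # constructed sample transaction ID

def build_query(qname, qtype=1, txid=TXID):
    """DNS query in TCP/DoT framing: 2-byte length prefix + message."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    msg = header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(msg)) + msg

def strict_context():
    """TLS context that rejects a server unable to prove it is DOT_NAME."""
    ctx = ssl.create_default_context()           # system CA store
    ctx.check_hostname = True                    # explicit: never disable
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def recv_exact(sock, n):
    """Read exactly n bytes; TCP may deliver the reply in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed connection early")
        buf += chunk
    return buf

def resolve_over_tls(qname):
    """Return (rcode, answer_count). Raises ssl.SSLCertVerificationError when
    whoever answers on DOT_IP cannot present a valid certificate for DOT_NAME."""
    with socket.create_connection((DOT_IP, DOT_PORT), timeout=5) as raw:
        with strict_context().wrap_socket(raw, server_hostname=DOT_NAME) as tls:
            tls.sendall(build_query(qname))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            reply = recv_exact(tls, length)
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != TXID:
        raise ValueError("transaction ID mismatch")
    return flags & 0x000F, ancount

if __name__ == "__main__":
    print(resolve_over_tls("example.com"))       # needs network access
```

A resolver that has taken over the 9.9.9.9 address but holds no certificate for the expected name fails the handshake in `wrap_socket`, so no query is ever sent to it.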

_______________________________________________
AusNOG mailing list
AusNOG@lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
