By Gerard Best
IBM Security, Packet Clearing House (PCH) and Global Cyber Alliance (GCA) unveiled a free Domain Name System (DNS) service designed to protect all Internet users from a wide range of common cyber threats. Launched on November 16 with simultaneous press events in London, Maputo and New York, the public DNS resolver has strong privacy and security features built-in, and can be enabled with a few changes to network settings, as outlined on the organization’s website.
Using the IP address 126.96.36.199, the aptly named Quad9 service leverages IBM X-Force threat intelligence and further correlates with more than a dozen additional threat intelligence feeds from leading cybersecurity firms, in order to help keep individual users’ data and devices safe. It automatically protects users from accessing any website or internet address identified as dangerous.
“Leveraging threat intelligence is a critical way to stay ahead of cybercriminals,” Jim Brennan, Vice President Strategy and Offering Management, IBM Security, said in a release. “Consumers and small businesses traditionally didn’t have free, direct access to the raw data used by security firms to protect big businesses. With Quad9, we’re putting that data to work for the industry in an open way and further enriching those insights via the community of users. Through IBM’s donating use of the 188.8.131.52 address to Quad9, we’re applying these collaborative defense techniques while giving users greater privacy controls.”
The open, free service became the latest to provide security to end users on a global scale by leveraging the DNS system to deliver a smart threat intelligence feed.
“Quad9 is a free layer of protection that can put the DNS to work for all Internet users,” said John Todd, executive director of Quad9. “It allows optional encryption of the query between the user and the server, and it minimises the amount of data that can leak to unknown destinations. And it uses DNSSEC to cryptographically validate the content of the DNS answers that it’s passing back to users for domain names that implement this security feature.”
It allows users to select from secure and unsecured service, the latter being for more advanced users who may have specific reasons they want to get to malware or phishing sites, or who want to perform testing against an unfiltered DNS recursive resolver. The service can also be extended to IoT devices, which face vulnerabilities such as botnet command-and-control requests.
Not only does Quad9 help Internet users avoid millions of malicious websites, but it also promises to help keep their browsing habits private. Deep-pocketed online advertisers are constantly investing in ways to take personal data from unsuspecting Internet users, in order to edge out competitors and expand markets. Frequently, low-security DNS servers are used to build extensive personal profiles of Internet users, including their browsing habits, location and identity. Many DNS providers, including many larger ISPs, are already in the lucrative business of storing personal data for resale to market research firms or digital advertising groups.
A further blow was struck in April when the US Federal Communications Commission repealed broadband privacy rules that would have required Internet service providers to get consumer consent before selling or sharing personal information with advertisers and other companies. But the fight is far from over. With the launch of Quad9, a group of Internet non-profits has made available a free service specifically designed to put Internet users back in control of their personal data.
The service is deliberately engineered to not store or analyze personally identifiable information (PII). Todd said that decision was, in part, a deliberate stance against the ingrained practice among Internet service providers (ISPs) who collect and resell private information to commercial data brokers such as online marketers.
“Our foremost goal is to protect Internet users from malicious actors, whether the threat be from malware or fraud or the nonconsensual monetization of their privacy. Quad9 doesn’t collect or store any PII, including Internet Protocol addresses. We don’t have accounts or profiles or ask who our users are. Since we don’t collect personal information, it can’t be sold or stolen,” he said.
The new service comes at a time when better protection of consumer data and Internet user privacy are being demanded by stakeholders, including governments. In May 2018, the European Union will adopt the General Data Protection Regulation (GDPR), a set of sweeping regulations meant to protect the personal data and privacy of its citizens.
Like their counterparts in Europe and USA, Caribbean stakeholders also stand to gain from these security and privacy benefits. By some estimates, global cybercrime will cost approximately $6 trillion per year on average through 2021. For businesses in developing economies of the Caribbean, cybercrime is a major concern. Around the region, legislators, law enforcement officials and security experts are locked in a struggle to keep pace with the escalating sophistication of transnational cybercriminal operations. The high cost typically involved in protecting against attacks by blocking them through DNS could explain why that technique has not been used widely by Caribbean businesses and Internet users.
“Sophisticated corporations can subscribe to dozens of threat feeds and block them through DNS, or pay a commercial provider for the service. However, small to medium-sized businesses and consumers have been left behind — they lack the resources or are not aware of what can be done with DNS. Quad9 solves these problems. It is memorable, easy to use, relies on excellent and broad threat information, protects privacy and security, and is free,” Phil Reitinger, president and CEO of GCA, said in a release.
The new Quad9 service shares the global infrastructure of PCH, a US-based non-profit which has over the last two decades established the world’s largest authoritative DNS service network, extending from heavily networked parts of North America, Europe and Asia to the less well-connected areas of sub-Saharan Africa and the Caribbean. PCH hosts multiple root letters and more than 300 TLDs on thousands of servers in 150 locations across the globe.
Quad 9 has 100 points of presence in 59 countries, including 12 in the Caribbean, and plans to double that location count by 2019. Leveraging the expertise and global assets of PCH, the new DNS service promises to offer security and privacy to users in the Caribbean, without compromising speed. Bill Woodcock, executive director of Packet Clearing House, said Quad9 users in those regions could actually experience noticeable improvements in performance and resiliency.
“Many DNS service providers are not sufficiently provisioned to be able to support high-volume input/output and caching, and adequately balance load among their servers. But Quad9 uses large caches, and load-balances user traffic to ensure shared caching, letting us answer a large fraction of queries from cache. Because Quad9 shares the PCH DNS infrastructure platform, all root and most TLD queries can be answered locally within the same stack of servers, without passing query onward and making it vulnerable to interception and collection by others. When Quad9 does have to pass a query onward to a server outside of our control, unlike other recursive resolvers, we use a variety of techniques to ensure that the very minimum necessary information leaves our network and users’ privacy is maximised,” he said.
“This is a service that is squarely aimed at improving the Internet security and privacy situation for the global Internet user base, not just the developed world,” he added. “The fact that we can do it faster is just icing on the cake.”
Written by Gerard Best, Development Journalist
Follow CircleID on Twitter
Read more here:: feeds.circleid.com/cid_sections/blogs?format=xml
Network Working Group J. Reynolds, Editor Request for Comments: 3232 RFC Editor Obsoletes: 1700 January 2002 Category: Informational
Assigned Numbers: RFC 1700 is Replaced by an On-line Database
Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2002). All Rights Reserved. Abstract This memo obsoletes RFC 1700 (STD 2) "Assigned Numbers", which contained an October 1994 snapshot of assigned Internet protocol parameters. Description From November 1977 through October 1994, the Internet Assigned Numbers Authority (IANA) periodically published tables of the Internet protocol parameter assignments in RFCs entitled, "Assigned Numbers". The most current of these Assigned Numbers RFCs had Standard status and carried the designation: STD 2. At this time, the latest STD 2 is RFC 1700. Since 1994, this sequence of RFCs have been replaced by an online database accessible through a web page (currently, www.iana.org). The purpose of the present RFC is to note this fact and to officially obsolete RFC 1700, whose status changes to Historic. RFC 1700 is obsolete, and its values are incomplete and in some cases may be wrong. We expect this series to be revived in the future by the new IANA organization. Security Considerations This memo does not affect the technical security of the Internet. Reynolds Informational [Page 1]
Today is 6/6/2012, World IPv6 Launch Day. The day the Internet community permanently enables the IPv6 Internet protocol on their infrastructure. Some refer to this protocol as ‘The New Internet Protocol’. But is it new? No. Not at all.
To deal with the anticipated IPv4 address exhaustion, the Internet Engineering Task Force (IETF) developed IPv6 and described it in Internet standard document RFC 2460. This was published in December 1998. Due to the incompatibilty with the current IPv4 protocol, it was never widely adopted. Now that address exhaustion is imminent, the world is in a hurry to set things straight.
I am the proud owner of what is arguably the coolest IPv6 Internet domain name in the world: ipv6.net. I have owned it for a long time. Not too long ago I realized that 6 days after 6/6/2012, it has been exactly 15 years since the domain name was registered. Apparently, back in 1997, I envisioned that IPv6 was going to be big. I just didn’t know it would take such a long time. But are we there yet? No. Not even close.
Back then the community thought we would run out of IP addresses in just a couple of years. With some tricks we managed to stretch things out until now. We even back-ported some cool stuff from the new protocol into the old. It wasn’t until mid 2011 that we saw some serious global industry initiatives to promote adoption of IPv6: World IPv6 Day on June 8th. On that day some of the smaller as well as larger members of the global Internet community temporarily enabled IPv6 on their infrastructure. For some, just to see what would happen. For others a good test of their transition plan or chosen technology. Some ‘forgot’ to switch it off again. For most it was a big success; a final rehearsal for the big step: a global transition from IPv4 towards IPv6.
Today is the start of that transition. Content providers around the globe will provide access to their services over IPv6. Access providers will provide IPv6 access to their end-users. Hard- and software manufacturers will bring out IPv6 support for their products. This broad involvement will certainly help to solve the chicken and egg, content versus access, problem.
So what will happen after today? If all goes well, and I certainly expect so, we will have marked the beginning of the end of IPv4. It will take many years before IPv6 has become the dominant protocol and IPv4 is marked ‘legacy’. But I expect that after today more and more companies will make a start with their transition. For many it will be hard to make a good business case for it as there is not always a clear added business value. Just don’t wait too long as the landscape is rapidly changing.
Some advice for those about to take the plunge: take ample time to gather knowledge, create awareness among those involved, decide on a sound transition scenario, test and start planning.
And for me? Well, as an IT professional I will be helping out customers doing just that. Personally, I will continue to blog and tweet about IPv6 for a long time to come…