9.9.9.9: Friend or Folly?
a CACR Security Brownbag discussion
What is DNS?
Humans like to give things meaningful names: that's how we remember things.
Computers work best with numbers: numbers are ordered and can be arranged in hierarchies, they are easy to process and make routing traffic from point A to point B easier and more reliable.
DNS, the Domain Name System, maps the names that humans like to numbers that a computer can use to find the thing a human wants.
It's also useful that a domain name can remain constant while the IP address(es) it points to change; this makes it easy to keep finding something that has moved to a different service or data center.
How different is Quad9 from traditional DNS?
DNS (normal behavior)
DNS (Quad9 behavior)
Normal DNS image credit Wikipedia, Quad9 image from Quad9.net
- Reliable DNS service
- Prevents some compromises by keeping computers infected with malware, or users responding to a phish, from looking up domains known to be involved with malware or other malicious activity.
- False sense of security; failures are not visible to normal users:
  - Quad9 has whitelisted just over a million "large internet service" domains, which will keep working even when serving up malware.
  - Users behind a caching proxy will still reach domain names if another user behind the proxy queries that domain without using Quad9.
- Malware changes domain names frequently.
- Malware can use its own DNS service, bypassing system settings.
- Malware can use IP addresses, avoiding DNS entirely.
- The DNS protocol is not encrypted; ISPs and other third parties can alter queries and responses in transit.
- Free service funded by a court settlement: may disappear when the money runs out.
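The shared caching proxy point above is easy to misjudge, so here is a small simulation of it. This is an added example, not material from the talk: it models a proxy that caches positive answers by name only, with one user forwarding to an unfiltered resolver and another to a filtering one. The domain names, addresses, blocklist and TTL are all constructed for the example.

```python
# Added example (not part of the talk): simulate the "shared caching proxy"
# failure mode. All names, addresses and TTLs below are constructed.
from typing import Callable, Dict, Optional, Tuple

# An upstream resolver maps a name to an A record, or None for NXDOMAIN.
Upstream = Callable[[str], Optional[str]]

# Constructed "internet": one benign domain and one malicious one.
REAL_A: Dict[str, str] = {"good.example": "198.51.100.5", "c2.example": "203.0.113.7"}
BLOCKLIST = {"c2.example"}


def unfiltered_upstream(name: str) -> Optional[str]:
    """A traditional resolver: answers whatever the zone says."""
    return REAL_A.get(name)


def filtered_upstream(name: str) -> Optional[str]:
    """A filtering resolver in the Quad9 style: NXDOMAIN for listed names."""
    return None if name in BLOCKLIST else REAL_A.get(name)


class CachingProxy:
    """Caches positive answers keyed on the name alone, regardless of which
    upstream produced them. That single cache is what defeats the filter."""

    def __init__(self, ttl: float = 300.0):
        self.ttl = ttl
        self._cache: Dict[str, Tuple[str, float]] = {}  # name -> (answer, expiry)
        self.hits = 0

    def resolve(self, name: str, upstream: Upstream, now: float) -> Optional[str]:
        entry = self._cache.get(name)
        if entry is not None and entry[1] > now:
            self.hits += 1
            return entry[0]
        answer = upstream(name)
        if answer is not None:
            self._cache[name] = (answer, now + self.ttl)
        return answer


def filtered_user_alone() -> Optional[str]:
    """Only the filtering user queries: the block works (NXDOMAIN)."""
    proxy = CachingProxy()
    return proxy.resolve("c2.example", filtered_upstream, now=0.0)


def filtered_user_after_unfiltered_user() -> Optional[str]:
    """A colleague without the filter resolves the name first; the filtering
    user then gets the cached malicious address without ever reaching Quad9."""
    proxy = CachingProxy()
    proxy.resolve("c2.example", unfiltered_upstream, now=0.0)
    return proxy.resolve("c2.example", filtered_upstream, now=1.0)


def filtered_user_after_cache_expiry() -> Optional[str]:
    """Once the cached entry expires, the filtering upstream is consulted again."""
    proxy = CachingProxy(ttl=300.0)
    proxy.resolve("c2.example", unfiltered_upstream, now=0.0)
    return proxy.resolve("c2.example", filtered_upstream, now=301.0)


if __name__ == "__main__":
    print("alone:", filtered_user_alone())
    print("after unfiltered user:", filtered_user_after_unfiltered_user())
    print("after expiry:", filtered_user_after_cache_expiry())
```

The practical takeaway for a defender is that a per-client resolver choice gives no guarantee when any shared cache sits in the path; the filter has to be applied where the cache is, or at the egress point, for the whole population behind it.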
Potential Dangers (cont.):
- Cannot be used with any fallback DNS services.
- US-based: may face pressure from government to censor.
- Any compromise at Quad9 could cause malicious censorship of a site for many users if it reaches its desired high adoption.
- Quad9 is only as fast as traditional DNS when it has recently cached information for a particular request.
- Approx. 500% slow-down otherwise.
- A typical web app may have as many as 12 DNS calls in its first page load, of which 3-4 are usually local to the organization or its close partners.
- This is effectively a hellban on small, niche websites.
DNSBL Transparency and Responsible Operations:
DNSBLs have been around since the 1990s, but traditionally they were services for service providers rather than end users. We have established best practices to protect service providers, consumers, and the internet.
- A DNSBL should publish a policy statement describing on what grounds they will or will not add a domain or IP to the block list, and how long each type of block lasts. Quad9 does not publish this information, and is said to have refused press requests for what intel sources they use and how they determine which domains are malicious.
- A DNSBL should provide a web page where anyone can query their domain name to learn whether it has been blocked and why. Best practice is to also make this information available via an API friendly to automated checking. I did find a manual web form for this, after (ironically) disabling my ad blocker, which had hidden it.
- A DNSBL should provide clear instructions for requesting removal from the DNSBL in cases of erroneous additions, or when a site owner has remediated a compromise. There is a contact form for removal requests, but no information about how the decision is made.
- Use multiple, traditional DNS services: your ISP default, 8.8.8.8 (Google's free DNS service), and 9.9.9.10 (Quad9's free unfiltered service) aren't a bad mix.
- Egress filtering at the border firewall using one or more traditional DNSBL services will provide the same benefits that Quad9 promises, without the negative impact on query speed, added vulnerability to DDoS, and nontransparency issues.
- Egress filtering of this type is becoming accessible to home users as well, on some newer Netgear SOHO routers or, for power users, via vanilla OpenWRT.
- DNS providers across the board could start using (and funding) multiple responsible DNSBLs to provide a filtered service without this attempt at centralization.
- Quad9 has suggested that they may someday make their blocklist available to other DNS providers, to make blocking with failover possible.
- End-user security suites could offer an option to check outgoing DNS queries based on a list the user selects.
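To make the DNSBL-based egress filtering above concrete, here is an added example (not the talk's material and not any particular DNSBL operator's code) of how a DNS-based blocklist lookup is built and interpreted, and how a border filter would turn the answer into a decision. The zone name `dnsbl.example`, the return-code table, the resolver function and the listed entries are all constructed; real lists publish their own return-code tables in the policy statements the slides ask for.

```python
# Added example (not from the talk): a DNSBL lookup and an egress-filter
# decision built on it, with an injectable resolver so it runs offline.
import ipaddress
from typing import Callable, Dict, Optional

# A resolver takes a query name and returns the A-record answer, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

# Constructed return-code table. Real DNSBLs define their own; consult the
# list's published policy rather than assuming these meanings.
RETURN_CODES: Dict[str, str] = {
    "127.0.0.2": "malware",
    "127.0.0.3": "phishing",
    "127.0.0.4": "spam source",
}


def dnsbl_query_name(target: str, zone: str) -> str:
    """Build the lookup name for `target` under DNSBL zone `zone`.
    IPv4 targets are listed by reversed octets (1.2.3.4 -> 4.3.2.1.zone);
    domain-name targets (DBL-style lists) are appended to the zone as-is."""
    try:
        ip = ipaddress.IPv4Address(target)
    except ValueError:
        return f"{target.rstrip('.').lower()}.{zone}"
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def check_listing(target: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the listing reason, or None when the target is not listed.
    An answer outside 127.0.0.0/8 is not a listing: it usually means the zone
    has expired or been wildcarded, so it is raised as an error, never treated
    as a block."""
    answer = resolve(dnsbl_query_name(target, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in LOOPBACK:
        raise RuntimeError(f"unexpected DNSBL answer {answer}; treat lookup as failed")
    return RETURN_CODES.get(answer, f"listed (unknown code {answer})")


def egress_policy(target: str, zone: str, resolve: Resolver) -> str:
    """Decision for a border egress filter. A lookup error fails open and is
    reported, so a broken list cannot silently black-hole the whole network."""
    try:
        reason = check_listing(target, zone, resolve)
    except RuntimeError:
        return "allow (dnsbl error, logged)"
    return f"block ({reason})" if reason else "allow"


def make_fake_resolver(zone_data: Dict[str, str]) -> Resolver:
    """Offline stand-in for a real resolver: answers from a dict, NXDOMAIN otherwise."""
    return lambda qname: zone_data.get(qname)


# Constructed blocklist zone contents for the example.
CONSTRUCTED_ZONE: Dict[str, str] = {
    "4.3.2.1.dnsbl.example": "127.0.0.2",          # the address 1.2.3.4, listed as malware
    "bad.example.dnsbl.example": "127.0.0.3",      # a domain listed as phishing
    "broken.example.dnsbl.example": "10.0.0.1",    # a non-loopback answer: zone problem, not a listing
}

if __name__ == "__main__":
    resolve = make_fake_resolver(CONSTRUCTED_ZONE)
    for t in ("1.2.3.4", "bad.example", "good.example", "broken.example"):
        print(t, "->", egress_policy(t, "dnsbl.example", resolve))
```

Two design points worth noting: the name construction is the whole of the "API friendly to automated checking" the slides ask for, which is why egress filters can consume any list that follows the convention; and the fail-open branch is the opposite of the single-upstream failure mode the earlier slide describes, because a filter that cannot reach its list degrades to plain resolution instead of taking the network down.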
Questions / Discussion
We ended up having an interesting, in-depth discussion on the future of DNS Blocklisting. I've created a blog post here to capture as much of it as possible.
Quad9: Friend or Folly?
By Susan Sons