IBM and its partners have launched a security-enhancing and privacy-protecting DNS service.
The job of a DNS is to convert domain names such as bit.com.au to the IP address of the relevant server. Most people use the DNS provided (or sometimes selected) by their internet service provider.
That's usually OK, but there can be some problems.
If a DNS can't provide an IP address for a domain, it's supposed to say so. But some instead send the user to some kind of 'soft landing' page. That can be innocuous, but it can also be used to deliver advertising.
Apart from anything else, such redirections make it harder to correct typos. If you meant to type bit.com.au but actually entered biit.com.au, a DNS that works correctly will just send an error to the browser, which will display something like “This site can't be reached”. All you need to do is delete the extra i, and all's well.
But if the DNS sends you to a different page, you'll normally have to retype the address from scratch. That's not a huge deal, but it makes it obvious that the redirection isn't for the user's benefit.
Another issue is that most DNSes blindly deliver what is requested. That sounds reasonable, but what if the domain is known to be bad? It might be a fake replica of a bona fide site, such as an online store or a financial institution. Or it could be involved with malware or botnets. Or it might simply deliver content that has no place in a business environment.
Various types of security software and services can address this issue, but the DNS is a convenient place to provide protection – especially for IoT devices that can't run security software and that don't easily reveal whether they have been manipulated by an outsider.
Finally, some DNSes take the opportunity to collect information about users' internet activities and then use it for marketing purposes or worse.
Consequently, there are a number of DNSes with different policies and additional features.
The newest is Quad9, which started as an initiative of The Global Cyber Alliance (GCA) and has been implemented in conjunction with IBM Security and the Packet Clearing House (PCH).
This free service is designed to give consumers and businesses added privacy and security protection as they access the internet.
To start with, Quad9 “is engineered to not store, correlate or otherwise leverage any personally identifiable information (PII) from its users,” according to a spokesperson.
Perhaps more importantly, it blocks access to “millions of malicious internet sites known to steal personal information, infect users with ransomware and malware, or conduct fraudulent activity.”
The advantage of this approach is that it extends to connected items such as smart TVs and IoT devices which often go without security updates and are difficult or impossible to protect at the device level.
Quad9 also keeps you and your staff or family away from fraudulent sites aimed at collecting credentials, credit card numbers or other information.
It works by checking requests against IBM X-Force's threat intelligence database of over 40 billion analysed web pages and images, along with feeds from 18 other threat intelligence services including Abuse.ch, the Anti-Phishing Working Group, Bambenek Consulting, F-Secure, mnemonic, 360Netlab, Hybrid Analysis, Proofpoint, RiskIQ, and ThreatSTOP.
“Sophisticated corporations can subscribe to dozens of threat feeds and block them through DNS, or pay a commercial provider for the service. However, small to medium-sized businesses and consumers have been left behind – they lack the resources, are not aware of what can be done with DNS, or are concerned about exposing their privacy and confidential information,” said Global Cyber Alliance president and CEO Philip Reitinger.
“Quad9 solves these problems. It is memorable, easy to use, relies on excellent and broad threat information, protects privacy, and security and is free.
The service has launched with more than 70 points of presence in 40 countries. The number of points of presence are expected to double within 18 months.
Better still, routers can be set to use that DNS address, in which case all devices connecting through them will be protected thanks to the DHCP mechanism. The exceptions are any that have been individually set to use a DNS other than that specified by the DHCP server.
“Leveraging threat intelligence is a critical way to stay ahead of cybercriminals,” said IBM Security vice president for strategy and offering management Jim Brennan.
“Consumers and small businesses traditionally didn't have free, direct access to the intelligence used by security firms to protect big businesses. With Quad9, we're putting that data to work for the industry in an open way and further enriching those insights via the community of users. Through IBM's involvement in Quad9, we're applying these collaborative defence techniques while giving users greater privacy controls.”
Other DNS services include Google's public DNS (22.214.171.124; provides some additional security to help ensure users arrive where they intended but does not provide filtering) and Cisco Umbrella (the company has other services – some free – for home use).