IBM HAS PARTNERED with the Global Cyber Alliance (GCA), an organisation founded by law enforcement and research firms to help reduce cyber-crime, to launch a free public Domain Name Service (DNS) system.
While that might not sound so fascinating, the interesting thing is that the new DNS system, named Quad9, will block domains associated with botnets, phishing attacks, and other malicious internet hosts. This is especially good news for businesses that don’t run their own DNS blacklisting and whitelisting services, as it will make them much safer.
Quad9, which is named as such du to its 220.127.116.11 Internet Protocol address, works in the same way as any other public DNS server, such as Google’s, but the difference is it won’t return name resolutions for sites that are identified via threat feeds the service aggregates daily.
“Anyone, anywhere can use it,” said GCA’s president and chief operating officer, Phil Rettinger, in an interview with Ars Technica, adding that the service will be “privacy-sensitive” with no logging of the addresses making DNS requests.
“We will keep only [rough] geolocation data,” he said, explaining that this will be used to track the spread of requests associated with particular malicious domains. “We’re anonymising the data, sacrificing on the side of privacy,” he added.
So where does IBM come in? According to GCA, the computer giant will provide the power behind one of Quad9’s major threat feeds, one of which is IBM’s X-Force. This converts the feeds into a database that is then de-duplicated.
So whenever a Quad9 user clicks on a website link or types an address into a web browser, Quad9 checks the site against IBM X-Force’s threat intelligence database of over 40 billion analysed web pages and images. The other 18 feeds the service taps from include threat intelligence partners including Abuse.ch, the Anti-Phishing Working Group, Bambenek Consulting, F-Secure, mnemonic, 360Netlab, Hybrid Analysis GmbH, Proofpoint, RiskIQ, and ThreatSTOP.
Quad9 then generates a whitelist of domains never to block, using a list of the top one million requested domains, as well as a “gold list” of safe providers, such as major Internet service sites like Microsoft’s Azure cloud, Google, and Amazon Web Services.
The blocked sites, whitelist, and gold lists are then converted into a Response Policy Zone (RPZ) format before being pushed out to the clusters of DNS servers around the world maintained by Packet Clearing House via DNS zone transfers. The DNS server clusters, which are each load-balanced with dnsdist, use a mix of Unbound and PowerDNS servers to deliver responses.
As of launch, there were clusters of DNS servers configured in 70 different locations around the world, and Quad9 expects to have 100 sites up and running by the end of the year. It’s also free, but will need to be continually funded as the GCA is a non-profit.
IBM said that telemetry data on blocked domains from Quad9 will be shared with threat intelligence partners for the improvement of their threat intelligence responses for their customers and Quad9. µ
Source : Inquirer