nanog mailing list archives

Re: From Nov 2017...


From: Bill Woodcock <woody () pch net>
Date: Mon, 2 Apr 2018 22:04:28 -0700



On Apr 2, 2018, at 7:24 PM, Robert Mathews (OSIA) <mathews () hawaii edu> wrote:
> *Group Co-founded by City of London Police promises 'no snooping on your requests’*

Note that this is _extremely_ misleading, since the group being referred to here is _not_ Quad9, but instead GCA, one 
of the many donors that are supporting the Quad9 project.  Quad9 doesn’t have any association with the City of London 
Police, other than that they’re among the many tens of millions of users in the general public.

> *DNS resolver 9.9.9.9 will check requests against IBM threat database*

Not exactly correct…  There are nineteen threat intel providers, including Intel, Cisco, and F-Secure, which provide 
real-time feeds of compromised and C&C domains to Quad9.  Quad9 does a bunch of reputation scoring on the data feeds to 
figure out which are likely problematic and which might be false-positives, before including them in the optional 
block-list.  There’s a partial list of the threat-intel providers about halfway down this page:  
https://www.quad9.net/about/  And you can check at any time whether an FQDN is currently being blocked using a field on 
the front page of the Quad9 site.

On Apr 2, 2018, at 7:36 PM, Seth Mattinen <sethm () rollernet us> wrote:
> ...an IBM database is queried, just like it says on their website? That doesn't mean they are recording who is making 
> what requests.

Correct.  All that is defined in the privacy policy.  No IP addresses are recorded.  No query strings are recorded, but 
ones that match an FQDN on the block-list are tallied, and that tally is used to improve the reputation-scoring of the 
threat intel providers, and is fed back to the threat intel providers to help them improve their own data quality.  I 
believe the privacy policy that’s still up right now says that we may optionally give the threat-intel providers 
aggregate statistics per country, but we’re not actually doing that in practice, and it’s our intention to narrow down 
the policy to reflect actual practice.

On 4/2/18 7:43 PM, J Crowe wrote:
> That database could possibly be ingested and used locally.

Correct.  The database is ingested and used locally _at each server_, so the queries never even leave the server.  
Anything else would be too slow and stateful to work.

> Traffic may not even be traversing to the database hosted by IBM.

Correct.  The threat-intel data comes from them to us, and a count of matches goes from us to them.

> At least they are open about where they are getting the data that allows for blocking to certain FQDNs.

Yeah…  Sorry, only twelve of the nineteen are listed on the web site right now, but the project is stretched pretty thin 
keeping up with requests for new locations, and we haven’t had a lot of time to update the web site…  There’s no 
intention for the list to not be public, and I can get and post the full list if anyone cares.  Though it would 
probably be better if I spent that time hunting for someone to update the web site.  :-)

                                -Bill
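The data flow Bill describes above (block-list ingested locally on each resolver, no client IPs or query strings retained, only a tally of block-list matches that is aggregated per threat-intel provider) modelled as a small added example. This is illustrative code written for this archive page, not Quad9's software; the provider names, FQDNs and client addresses are constructed sample values.

```python
from collections import Counter, defaultdict

# Constructed threat-intel feeds: provider -> FQDNs it reports (sample values, not real indicators).
FEEDS = {
    "provider-a": {"bad.example", "c2.example"},
    "provider-b": {"bad.example"},
}

# Constructed client queries as (source IP, queried name). None of this is retained by the hook.
QUERIES = [
    ("192.0.2.10", "www.example"),
    ("192.0.2.11", "bad.example"),
    ("198.51.100.5", "c2.example"),
    ("192.0.2.10", "bad.example."),
]


def build_blocklist(feeds):
    """Merge provider feeds into one local table: FQDN -> set of providers listing it.
    In the design described on the page this table lives on each server, so lookups never leave it."""
    table = defaultdict(set)
    for provider, names in feeds.items():
        for fqdn in names:
            table[fqdn.lower().rstrip(".")].add(provider)
    return table


class BlockingResolverHook:
    """Applies the block-list and keeps only what the stated policy allows: a per-FQDN match tally."""

    def __init__(self, blocklist):
        self.blocklist = blocklist
        self.match_tally = Counter()  # blocked FQDN -> match count; no IPs, no non-matching names

    def handle(self, client_ip, qname):
        name = qname.lower().rstrip(".")
        if name in self.blocklist:
            self.match_tally[name] += 1
            return "BLOCKED"
        return "RESOLVE"  # normal resolution; the query string is discarded, not logged

    def provider_feedback(self):
        """Aggregate match counts per provider: the only data that flows back to the feeds."""
        counts = Counter()
        for fqdn, n in self.match_tally.items():
            for provider in self.blocklist[fqdn]:
                counts[provider] += n
        return dict(counts)


def run_sample():
    hook = BlockingResolverHook(build_blocklist(FEEDS))
    decisions = [hook.handle(ip, q) for ip, q in QUERIES]
    return decisions, dict(hook.match_tally), hook.provider_feedback()
```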


