I noticed that Quad9 is not able to respond to the spy.pet query:
$ dig spy.pet @9.9.9.9 +short
;; communications error to 9.9.9.9#53: timed out
But Cloudflare DNS is able to do it:
$ dig spy.pet @1.1.1.1 +short
104.26.0.165
104.26.1.165
172.67.74.73
And to be sure, I checked another domain with the same TLD to rule out the option that Quad9 is unable to handle the .pet TLD, but I received a correct answer…
$ dig hello.pet @9.9.9.9 +short
3.64.163.50
Does Quad9 censor DNS queries?
spy.pet harvested Discord data. Quad9 is probably not amused. https://en.wikipedia.org/wiki/Quad9#Security_and_privacy
Okay. I figured it out.
9.9.9.9 has something they call Threat Blocking. I need to use 9.9.9.10 to keep using their DNS without Threat Blocking. But why are they blocking it?
Because it is a website created by a Kiwifarm transphobic individual who is scalping data from Discord and selling access under the disguise of “seeing what your friends are up to” when in reality it is used to harass people.
Yo is this whole post a self-report?
Because:
Quad9 blocks lookups of malicious host names from an up-to-the-minute list of threats. (…) If the system detects that the site you want to reach is known to be infected, you’ll automatically be blocked from entry – keeping your data and computer safe.
If you query their “unsecure” servers, it works:
$ dig spy.pet "@9.9.9.10" +short
104.26.1.165
172.67.74.73
104.26.0.165
I would never use a provider that has the means in place / likes to filter the DNS - you never know when a govt will ask them to kill a certain domain (even for the “unsecure” servers) or redirect things.
Don’t all providers have the ability to filter things?
Personally I have very few problems with DNS providers filtering out malware, that sounds like a benefit to me.
Don’t all providers have the ability to filter things?
It depends on what you consider “the ability”. If by ability you mean having to deploy a team of engineers working for a week to make it happen, that’s okay; if they have their system built for it, things are different.
I can do this in like 5 seconds with my PiHole and not only am I not a network engineer, I would encourage people to never employ me as such.
So for an actual business that has a bigger budget than me ($0) and more hours to devote to it than me (.02), shouldn’t it be less of a problem?
I can do this in like 5 seconds with my PiHole and not only am I not a network engineer,
Exactly, and consider Cloudflare for instance: adding an “if domain block” is easy, but once you have thousands of servers running the same piece of software across the globe, deploying updates and features becomes way slower and way harder. You have to consider tests, regressions, a way to properly store and synchronize the blocklists across nodes, etc…
I’m not saying it can’t be done, because it can. But it will take longer and it will be a problem for someone. Besides, you only have that point-and-click interface in your PiHole that allows you to do it in .02 because someone spent a few hours developing the feature. :)
Making a DNS server not respond to queries for a specific name is trivial for any DNS provider to implement, this is not a situation where they would have to develop months worth of new features to support that if the government asked.
Making a DNS server not respond to queries for a specific name is trivial for any DNS provider to implement
It might not be that easy; you’re thinking about one single server running some kind of DNS server you’re familiar with. When we’re talking about Quad9, Cloudflare etc., we’re talking about hundreds of servers across the planet, highly distributed solutions that rely on multicast and other non-trivial techniques. If you have to change a system like that to add the ability to block something, trust me, it won’t take a few hours.
It would literally be easier to add that capability to your own custom DNS server software. After all it is literally an “if query.name in blocklist then drop connection”. Even replacing results would be simple as long as DNSSEC is not involved. You wouldn’t have to add it though since all major DNS servers already include it because it is so simple and has legitimate uses, such as blocking malware control server names or ad blocking.
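The “if query.name in blocklist then drop” logic from the comment above, written out as an added example (not code from the thread or from Quad9). It parses the question section of a raw DNS query, matches the name and its parent zones against a constructed blocklist (the domain from this thread), and applies one of three policies: drop (the client sees a timeout, as in the 9.9.9.9 dig output above), answer NXDOMAIN, or sinkhole with a forged A record. Function names and the blocklist contents are assumptions for illustration.

```python
import socket
import struct

# Constructed for this example; not Quad9's list.
BLOCKLIST = {"spy.pet"}


def build_query(qname, txid=0x1234, qtype=1):
    """Build a minimal DNS query packet (wire format, RD=1, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(pkt):
    """Return (lower-cased QNAME, offset just past the terminating zero label)."""
    off, labels = 12, []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            # Compression pointers are not valid in a query's question name.
            raise ValueError("compressed label in question section")
        labels.append(pkt[off:off + n].decode("ascii").lower())
        off += n
    return ".".join(labels), off


def is_blocked(qname):
    """Match the exact name and every parent zone (www.spy.pet hits spy.pet)."""
    parts = qname.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))


def apply_policy(pkt, policy="drop"):
    """Return (action, response_bytes_or_None) for a raw query packet."""
    qname, qend = parse_qname(pkt)
    if not is_blocked(qname):
        return "forward", None          # hand to the normal resolver path
    if policy == "drop":
        return "drop", None             # never answer: client times out
    txid = pkt[:2]
    question = pkt[12:qend + 4]         # QNAME + QTYPE + QCLASS
    if policy == "nxdomain":
        # Flags 0x8183: QR=1, RD=1, RA=1, RCODE=3 (NXDOMAIN), no answers.
        header = txid + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0)
        return "nxdomain", header + question
    if policy == "sinkhole":
        # Flags 0x8180: QR=1, RD=1, RA=1, RCODE=0, ANCOUNT=1.
        header = txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
        # Answer RR: name pointer to offset 12 (the question name), A/IN, TTL 60.
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("0.0.0.0")
        return "sinkhole", header + question + rr
    raise ValueError("unknown policy")


if __name__ == "__main__":
    for name in ("spy.pet", "www.spy.pet", "hello.pet"):
        for pol in ("drop", "nxdomain", "sinkhole"):
            action, resp = apply_policy(build_query(name), pol)
            print(f"{name:12} {pol:9} -> {action} ({len(resp) if resp else 0} bytes)")
```

The drop policy is what the timeout in the first dig output looks like from the client side; nxdomain is what a non-responding resolver would return if it chose to answer. Only the sinkhole form forges data, and that is the one a DNSSEC-validating client would reject for a signed zone, which is the caveat the comment above makes.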
Yes, it is likely that most providers running generic or custom stacks already have the functionality built in, and also yes, adding an “if” is easy, but once you have thousands of servers running the same piece of software across the globe, deploying updates and features becomes way slower and way harder. You have to consider tests, regressions, a way to properly store and synchronize the blocklists across nodes, etc…
Governments don’t ask. They order. And it happens on a regular basis.
Yes, but if the provider doesn’t have the capabilities baked in they’ll take more time to comply or just not do it at all.
You really don’t want to ignore an order from a judge. And blocking websites is trivial.
And blocking websites is trivial.
Nothing is trivial at scale. When we’re talking about Quad9, Cloudflare etc., we’re talking about hundreds of servers across the planet, highly distributed solutions that rely on multicast and other non-trivial techniques. If you have to change a system like that to add the ability to block something, trust me, it won’t take a few hours, and a LOT of testing will be required before pushing into production.