Free, filtered alternative DNS leverages threat-intelligence data to raise security baseline

Quad9 ( blocks IP addresses linked to ransomware, typosquatting, botnets, IoT threats and other malware by threat-intelligence services from IBM and others

Faced with a growing volume of ransomware, fraud and malware attacks, the introduction of a free alternative-DNS service called Quad9 is being hailed as a way of offering IT administrators an easy way to raise baseline protections against online attacks.

The Quad9 service – developed through a partnership between Packet Clearing House (PCH), the Global Cyber Alliance and IBM – has been established at IP address, offering an open DNS resolver that leverages data from IBM’s X-Force threat-intelligence service to automatically block IP addresses affiliated with malware attacks, botnets, distributed denial of service (DDoS) attacks, and other threats.

Queries to flagged IP addresses will simply not be resolved – providing, IBM master inventor and executive IT specialist Chris Hockings told CSO Australia, blanket protection against malware whether related to networked computers, email attachments, mobile devices, or even compromised Internet of Things (IoT) devices.

“Forming this group to provide this service guarantees the privacy elements that are becoming more and more important for people as they go about their business on the Internet,” Hockings explained. “IBM, through our X-Force security intelligence data, already know where a lot of these malicious sites exist – so being able to prevent any activity that we know about is a great first step before other tools kick in to deal with other, more sophisticated attacks.”

Businesses and individuals can tap into Quad9’s security protections by changing the DNS address on their networks and devices to – providing instant protection from a host of cybersecurity compromises.

The service is initially launching through points of presence in more than 70 locations in 40 countries, but will double this in the next 18 months. Anonymised telemetry data will be used by threat-intelligence partners to measure the service’s effectiveness over time, but Hocking stressed that Quad9 does not collect or distribute any personally identifiable information.

Proofpoint’s recent Q3 Email Fraud Threat Report highlighted cybercriminals’ frequent attempts to exploit the DNS system for their own purposes, with 89 percent of organisations targeted by at least one domain spoofing attempt during the quarter and typosquatting – directing users to malicious domains registered with text substitutions or transpositions that make it look like a legitimate domain – proving endemic.

A filtered DNS service can block such domains as soon as they are discovered, potentially stopping exploits that use them dead in their tracks. Such a service is also effective against attacks that use explicit numerical IP addresses that have been associated with malicious activity – but might otherwise slip under users’ radars.

“Protecting against attacks by blocking them through DNS has been available for a long time, but has not been used widely,” Global Cyber Alliance president and CEO Philip Reitinger said in a statement. “Sophisticated corporations can subscribe to dozens of threat feeds and block them through DNS, or pay a commercial provider for the service.”

“However, small to medium-sized businesses and consumers have been left behind – they lack the resources, are not aware of what can be done with DNS, or are concerned about exposing their privacy and confidential information. Quad9 solves these problems. It is memorable, easy to use, relies on excellent and broad threat information, protects privacy, and security and is free.”

Economies of scale can rapidly escalate the volumes of malware activity to plaque proportions: one Malwarebytes analysis of activity by the Coinhive drive-by mining attack, for example, found the company’s services were blocking the malware’s API 248 million times per month.

IBM has been bolstering its threat-intelligence efforts in recent years, extending its utilisation of its Watson artificial intelligence technology and partnering with the likes of Carbon Black and Cisco Systems to add even more inputs to its analytics capabilities. The Quad9 service also draws on data from 18 other threat-intelligence providers including, F-Secure, 360NetLab, Proofpoint, RiskIQ, and others.

Filtering Web usage with the fruits of that analysis – which, IBM says, includes more than 40 billion analysed sites – offers every online user a new baseline for cybersecurity that will allow security administrators to refocus their efforts on dealing with new and more complex threats.

“If a model like this is adopted broadly, it becomes a bit more personal because a simple configuration change can provide protections even for people who are incapable of understanding some of the issues that we see in cybersecurity. Keeping it simple, and providing those types of mechanisms in a free manner, is a good thing for society.”

Tags DNSIT administratorInternet of Things (IoT)ransomware attacksCarbon Black

Show Comments