undefined | Better HN

Skip to content

Top New Best Ask Show Jobs

undefined | Better HN

0 pointsmoontear8mo ago0 comments

Just pair 1.1.1.1 with 9.9.9.9 (Quad9) so you have fault tolerance in terms of provider as well.

0 comments

Aachen8mo ago

I became a bit disillusioned with quad9 when they started refusing to resolve my website. It's like wetransfer but supporting wget and without the AI scanning or interstitials. A user had uploaded malware and presumably sent the link to a malware scanner. Instead of reporting the malicious upload or blocking the specific URL¹, the whole domain is now blocked on a DNS level. The competing wetransfer.com resolves just fine at 9.9.9.9

I haven't been able to find any recourse. The malware was online for a few hours but it has been weeks and there seems to be no way to clear my name. Someone on github (the website is open source) suggested that it's probably because they didn't know of the website, like everyone heard of wetransfer and github and so they don't get the whole domain blocked for malicious user content. I can't find any other difference, but also no responsible party to ask. The false-positive reporting tool on quad9's website just reloads the page and doesn't do anything

¹ I'm aware DNS can't do this, but with a direct way of contacting a very responsive admin (no captchas or annoying forms, just email), I'd not expect scanners to resort to blocking the domain outright to begin with, at least not after they heard back the first time and the problematic content has been cleared swiftly

Quad98mo ago

What is your ticket #? Let's see if we can get this resolved for you.

Aachen8mo ago

Oh hey, didn't expect this to actually be seen by many people, let alone you guys!

There was no ticket number yet because I was mainly trying to resolve it upstream (whoever made it get into uBlock's default block list, Quad9, and probably other places) and then today when I checked your site specifically, the link in "False Positive? <Please contact us>" (when you do a lookup for a blocked domain) just links back to itself so I couldn't open a case there either. Now that I look at the page again, with the advice in mind from a sibling comment to just email you, I now see that maybe this is supposed to go to the generic contact form and I needn't go through this domain status page. Opening the contact page now, I see that removal from blocklist is a selectable option so I'll use that :)

The ticket number I just submitted is 41905. Not that I'd want you to now apply preferential treatment, I didn't expect my post above to be seen by many people though I very much appreciate that you've reached out here. Makes me think you're actually interested in resolving this type of issue for small website operators, where the complete block without so much as a heads up felt a bit, well, like that might not get me anywhere. If the process just works as it normally should, that's good enough for me! Thanks for encouraging me to actually open a ticket!

dmitrygr8mo ago

Why not address the REAL issue:

> I haven't been able to find any recourse. [...] there seems to be no way to clear my name.

mnordhoff8mo ago

You should email them about the form and about your domain. Their email address is listed on the website. <https://quad9.net/support/contact/>

Sometimes the upstream blocklist provider will be easy to contact directly as well. Sometimes not so much.

ajdude8mo ago

I've been the victim of similar abuse before, for my mail servers and one of my community forums that I used to run. It's frustrating when you try to do everything right but you're at the mercy of a cold and uncompromising rules engine.

You just convinced me to ditch quad9.

Aachen8mo ago

In the ticket I just opened (see sibling thread), I asked which blocklist my domain was on. Maybe let's see what comes out of it, perhaps they can improve the process (e.g. drop that blocklist, or notify the abuse record of domains which they're blocking so that domain owners are at least aware of where they can go to fix things)

I don't see contact info on your profile or website/blog, but I can post here what the outcome is

Edit: I love your blog's theme btw!

baobabKoodaa8mo ago

Windows 11 does not allow using this combination

antonvs8mo ago

You can use it, you just need to set the DNS over HTTPS templates correctly, since there's an issue with the defaults it tries to use when mixing providers.

The templates you need are:

1.1.1.1: https://cloudflare-dns.com/dns-query

9.9.9.9: https://dns.quad9.net/dns-query

8.8.8.8: https://dns.google/dns-query

See https://learn.microsoft.com/en-us/windows-server/networking/... for info on how to set the templates.

baobabKoodaa8mo ago

Awesome! Thank you!

snickerdoodle128mo ago

Huh? Did they break the primary/secondary DNS server setup that has been present in all operating systems for decades?

antonvs8mo ago

DNS over HTTPS adds a requirement for an additional field - a URL template - and Windows doesn't handle defaulting that correctly in all cases. If you set them manually it works fine.

lxgr8mo ago

How so? Does it reject a secondary DNS server that’s not in the same subnet or something similar?

antonvs8mo ago

It's using DNS over HTTPS, and it doesn't default the URL templates correctly when mixing (some) providers. You can set them manually though, and it works.

rvnx8mo ago

Quad9 is reselling the traffic logs, so it means if you connect to secret hosts (like for your work), they will be leaked

daneel_w8mo ago

Could you show a citation? Your statement completely opposes Quad9's official information as published on quad9.net, and what's more it doesn't align at all with Bill Woodcock's known advocacy for privacy.

gruez8mo ago

See: https://quad9.net/privacy/policy/

It doesn't say they sell traffic logs outright, but they do send telemetry on blocked domains to the blocklist provider, and provides "a sparse statistical sampling of timestamped DNS responses" to "a very few carefully vetted security researchers". That's not exactly "selling traffic logs", but is fairly close. Moreover colloquially speaking, it's not uncommon to claim "google sells your data", even they don't provide dumps and only disclose aggregated data.

Quad98mo ago

We are fully committed to end-user privacy. As a result, Quad9 is intentionally designed to be incapable of capturing end-users' PII. Our privacy policy is clear that queries are never associated with individual persons or IP addresses, and this policy is embedded in the technical (in)capabilities of our systems.

rvnx8mo ago

It is about the hostnames themselves like: git.nationalpolice.se but I understand that there is not much choice if you want to keep the service free to use so this is fair

Demiurge8mo ago

Is this true? They claim that they don't keep any logs. Do you have a source?

jeffbee8mo ago

They don't claim that. Less than a week ago HN discussed their top resolved domains report. Such a report implies they have logs.

sophacles8mo ago

Im sorry... what is a secret hostname that is publicly resolvable?

The very idea strikes me as irresponsible and misguided.

notpushkin8mo ago

It could be some subdomain that’s hard to guess. You can’t (generally) enumerate all subdomains through DNS, and if you use a wildcard TLS certificate (or self-signed / no cert at all), it won’t be leaked to CT logs either. Secret hostname.

j / k navigate · click thread line to collapse