Quad9, the free secure DNS service, is in trouble and needs our help.
If you don't know what Quad9 is, here is a short explainer. Quad9 is a free DNS service much like Google's well-known 126.96.36.199 and 188.8.131.52. Quad9 (184.108.40.206 and 220.127.116.11), however, adds a very cool FREE security layer to the solution (a bit like Cisco's Umbrella, just not quite as customizable). If you use Quad9's DNS as your DNS service and you get infected by malware (e.g. ransomware), then chances are that the malware will try to “phone home” to its command and control server – Quad9 will block communication to known command and control DNS addresses, thus disrupting many botnets or ransomware “providers”.
Anyhow, Sony has started a court case in Germany to force Quad9 to censor DNS resolution: Sony wants Quad9 to block access to pages that Sony claims contain copyright-protected content. In Denmark (where I live) we have a similar DNS blocking that is mandatory for national DNS services. It was originally introduced to block access to child pornography (something all of us could support) – but quickly the music industry and other rights owners/lobbyists saw this as a golden opportunity to block whatever they did not like and succeeded in convincing courts to add to the blocklist.
I support working against crime and child pornography; however, I do not think DNS blocking is the solution (perhaps against terrorism, pedophilia and violent crimes – but not for immaterial rights). Experience has shown that what starts as a noble initiative quickly becomes a tool for lobbyists and huge enterprises to suppress whatever they don't like on the internet.
In general I think that more police, and more cross-border police collaboration, is the way forward – not letting Sony and others dictate what is on the internet.
I supported the DNS blocking back in the days when the goal was to protect children against misuse, but now when it is a tool for mega companies and lobbyists my respect is gone.
Did you know:
Quad9 offers free DNS services with malware filtering – to use it, just set your DNS (and/or DNS servers) to query 18.104.22.168 and 22.214.171.124, then block all other outbound DNS traffic, and presto, you have added a free additional security layer to your setup (company or personal). It is important to block other DNS queries in your firewall, as malware could otherwise easily bypass your protection. Read more here: https://www.quad9.net/service/service-addresses-and-features
Backblaze has something similar – here you use 126.96.36.199 (blocks malware like Quad9) and 188.8.131.52 (blocks both malware and pornography).
Read more here: https://blog.cloudflare.com/introducing-1-1-1-1-for-families/
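The check behind the advice above to block all other DNS traffic, as an added example that is not part of the original post: a small Python audit over firewall flow records that flags clients whose DNS traffic goes anywhere other than the filtering resolver. The log layout and the resolver addresses (RFC 5737 documentation addresses used as placeholders) are assumptions made for the example.

```python
import ipaddress

# Placeholder resolver addresses (RFC 5737 documentation range); replace with
# the service addresses published by the filtering resolver you chose.
ALLOWED_RESOLVERS = {ipaddress.ip_address("192.0.2.53"),
                     ipaddress.ip_address("192.0.2.54")}
DNS_PORTS = {53, 853}  # classic DNS over UDP/TCP, and DNS over TLS

# Constructed sample of flow records: "time src dst proto dport action"
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.21 192.0.2.53 udp 53 allow
2024-01-01T10:00:02 10.0.0.21 198.51.100.7 udp 53 allow
2024-01-01T10:00:03 10.0.0.35 203.0.113.9 tcp 853 allow
2024-01-01T10:00:04 10.0.0.35 203.0.113.9 tcp 443 allow
2024-01-01T10:00:05 10.0.0.40 198.51.100.7 udp 53 deny
malformed line
"""

def find_dns_bypass(log_text, allowed=ALLOWED_RESOLVERS):
    """Return per-client findings for DNS flows that skip the filtering resolver."""
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip records that do not match the expected layout
        _, src, dst, proto, dport, action = parts
        try:
            dst_ip, port = ipaddress.ip_address(dst), int(dport)
        except ValueError:
            continue
        if port not in DNS_PORTS or dst_ip in allowed:
            continue
        # "allow" means the firewall rule is missing; any other action means
        # the rule works but the client still tries another resolver.
        entry = findings.setdefault(src, {"leaked": set(), "blocked": set()})
        entry["leaked" if action == "allow" else "blocked"].add(str(dst_ip))
    return findings

if __name__ == "__main__":
    for client, result in sorted(find_dns_bypass(SAMPLE_LOG).items()):
        print(client, "leaked:", sorted(result["leaked"]),
              "blocked:", sorted(result["blocked"]))
```

DNS over HTTPS runs on port 443 and is not visible to a port-based check like this one.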
To whom it may concern:
We believe that the act of recursive DNS resolution is not within the justifiable legal boundaries of control by rightsholders during infringement litigation. In order for the DNS to remain a stable, secure, and trusted platform, we would urge policymakers and regulators to clarify and reiterate the long-standing understanding that recursive resolution is a neutral technical function that should not be subject to blocking demands imposed by private parties based on data that has not been ruled upon by a suitable and fair court process.
Further, we believe that systems that are designed for providing cybersecurity (be they DNS-based or otherwise) should not be made available to be repurposed for other goals against the interest and intent of the service operator or the end user. This type of corruption of core internet infrastructure risks eroding the trust in both the operators and a technology that is core to the continued well-being of the internet and that of the citizens who use it.
We support Quad9 in their objection to the ruling of the Hamburg Court of (Case 310 O 99/21), and hope that the court finds in favor of the defendant.
So, you receive this text from someone, which they for some reason or other have written in ALL CAPS – *sigh*, what to do – well, if it is just a few words then it's easy enough, just rewrite the darn thing. But what if it is several pages :-O
Well, there likely is some function in Word or Notepad++ I don't know about, but there is ALSO a site (there is almost always a site)..
I mean, who would not LOVE to get their text back in “Morse Code” 😉
As many of you may have experienced, the Internet is not just filled with wonderful “things” and cute kittens, it's equally filled with malware as well. Just over the past 6 months, I, in my professional capacity, have experienced Cryptolocker-like malware more than 5 times. In the professional scene this was mainly a nuisance as we could “just” revert to backups – however, in many private homes this could often mean “pay up” or lose your family photos etc. – seeing that many home users do not have a good backup strategy.
Sure antivirus may detect and protect against many of these things, however why rely solely on that – why not add an extra and free layer of protection to the internet of your friends/family and kids? A protection that is not only free but also auto-updating thus maintenance free.
It is actually REALLY simple: all you do is configure your DNS to use the DNS servers of Norton (and yes, it is totally free for home use). Instructions for configuration are on their site https://connectsafe.norton.com/configurePC.html – on the top right you can even select the level of protection – three levels are available, may I suggest level 3 for Aunt Mathilda.
If you administer your own network and/or router (or that of family and friends), then you can set up the DHCP to hand out these Norton DNS addresses and protect each and every device in the network (even that Internet of things ;-))..
Word of caution..
If you configure this setting manually (like shown below) and have a laptop you carry with you, then you MAY run into problems at schools/workplaces – in my company we ONLY allow our own DNS servers access to the internet, and subsequently, if you set your own DNS addresses, these requests are blocked in the firewall. This is not a problem for Aunt Mathilda or the toddlers using the home desktop computer, but keep it in mind if using laptops – the VERY best solution is to set up your DHCP to hand out the Norton DNS addresses..
How good is it?
That is a difficult question to answer, as you get no statistics it would be pure guesswork – but seeing it is free and MIGHT protect you and your loved ones, why not just go with it.
This sounds really cool, but are there no alternatives?
Well sure there are alternatives, not sure if they are better but to mention a few;
https://www.comodo.com/secure-dns/ – Equally free, but gives you ads for non-existing domains.
https://www.opendns.com/enterprise-security/threat-enforcement/packages/ – OpenDNS is a great and old player in this field, you can customize things and it even works in corporate environments – however it’s not free, you will need the “Umbrella Prosumer uses” license which is a bit hard to find on their site, however it will give you 3 devices for 20US$.
http://www.securly.com/parent-signup – This one I just read about, it sounds cool, even though the purpose seems more parental control than security – by using Google accounts you keep track of your loved ones' internet use and you get to see cool graphs etc. But this one is equally not free.
Now I have for the longest time been way too occupied to do a lot of reading on Reddit – which is actually a shame as there is lots of good info flowing around in there.. But anyhow, I came across a neat little trick which might be well known to you Reddit sharks out there, but I did not know it so I’ll share 😀
See, the thing I hated was that in order to get to the groups that interest me I had to log on and then do several mouse clicks afterwards.. Might not sound like a major undertaking, but if you are busy then everything that takes mouse clicks may put you off..
Then I discovered that you could actually embed the groups you wanted to see in the URL and hence bookmark it!? Now I have one bookmark with the mail groups I want to read and that's it… Nice..
A few examples;
First one group;
Now a bunch of groups, you see you just add a “+” sign and the groupname..
As mentioned, this is likely child's play to Reddit know-it-alls, but to me it is a real neat trick.
What it does is basically to cache incoming requests in order to reply rapidly to repeated requests, thus taking a load off your servers and possibly reducing the need for a clustered solution.
Again, there are many aspects to solutions like this, but if you “need more power” (as Cpt. Kirk always said to Scotty in Star Trek), then this may be a possible road to go down.
Header from website;
Varnish Cache is a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture. A high level overview of what Varnish does can be seen in the video attached to this web page.
Link to video that explains what it’s all about (in VERY general terms 😀 but still)..
Link to website;
If you use Microsoft SCOM for system management in your company then this is worth a look, Live maps from SAVision – it’s cool yet slightly expensive..
What it can do is allow you to create simple visual representations (Dashboards) of your system; you can even “publish” these dashboards as webpages and “drill down” into these.
Not only does it allow you to represent servers, routers and other equipment, but it allows you to group different servers, services, equipment etc. into one (Dynamic objects) – e.g. your CRM system may rely on some SQL databases and perhaps an active internet connection – in one icon you can represent the status of your CRM based upon internet being available, SQL running, Server Running etc. etc. Clever…
But as I mentioned it’s not the cheapest solution 🙁 a starter package with 25 dashboards/views should set you back $7000 I have heard – I also heard that a demo version with 5 views should be available upon request – but this is all hearsay so do check yourself.
You are likely familiar with WordPress, if not well – interesting 😉 anyhow, you may also have heard about the recent attacks on WordPress blogs by a worm-like virus/malware? Attacks on WordPress installations are not something new, they have always been there as it’s such a popular platform. However, time has revealed some not so smart features of WordPress security; one thing is that you can try to log in as many times as you like without any action being taken – hence there is nothing to stop a brute force attack on your WordPress installation’s login!?
Well, Wordfence to the rescue, a simple plugin you install on your WordPress installation that all of a sudden offers you a ton of cool security features. I will just mention a few here – for the complete listing visit their website..
- Login limiter – limit how many incorrect passwords/usernames are accepted
- Site and theme scanner – scan your WordPress blog for changes
- Block unwanted IPs from accessing your site
- Manage crawlers (search engine index bots)
- and many many many more cool features
You can define the reaction to different attacks, e.g. block IP / lock account for xx min / throttle traffic.
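An added example, not Wordfence's code and not part of the original post: the login-limiter idea applied to web server access logs, locking an address out after too many failed wp-login.php POSTs. The thresholds, the log lines and the assumption that a failed login answers 200 while a successful one redirects with 302 are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # failed logins tolerated per window
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(minutes=15)  # the "lock for xx min" reaction

# Assumption: a failed wp-login.php POST answers 200, a successful one 302.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" (\d{3})')

# Constructed access-log lines (documentation addresses, invented timestamps).
FMT = '{} - - [01/Jan/2024:10:{} +0000] "{} /wp-login.php HTTP/1.1" {} 4100'
SAMPLE = [FMT.format("203.0.113.5", f"00:{s:02d}", "POST", 200)
          for s in range(0, 60, 10)] + [
    FMT.format("198.51.100.20", "01:00", "POST", 200),
    FMT.format("198.51.100.20", "01:05", "POST", 200),
    FMT.format("198.51.100.20", "01:10", "POST", 302),
    FMT.format("203.0.113.5", "02:00", "GET", 200),
]

def find_lockouts(lines):
    """Return {ip: (locked_at, locked_until, attempts_while_locked)}."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    locked = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a login POST
        ip, stamp, status = m.groups()
        now = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked and now < locked[ip][1]:
            at, until, n = locked[ip]
            locked[ip] = (at, until, n + 1)  # the limiter would reject this one
            continue
        if status == "302":
            failures[ip].clear()  # a successful login resets the counter
            continue
        if status != "200":
            continue
        recent = failures[ip]
        recent.append(now)
        while now - recent[0] > WINDOW:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= MAX_FAILURES:
            locked[ip] = (now, now + LOCKOUT, 0)
            recent.clear()
    return locked
```

Calling `find_lockouts(SAMPLE)` locks only 203.0.113.5; the address that fails twice and then logs in successfully is left alone.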
Now a thing like that must cost a fortune, you say!? Well no, there is a TOTALLY FREE version with basic functionality (enough for most, I would say) and the deluxe version, which costs a bit.
Now after adding this you should also add Two Factor Authentication, eg using “WordPress Google Authenticator Plugin” – http://wordpress.org/extend/plugins/google-authenticator/screenshots/ Or one of the other TwoFactor authentication solutions out there.
So, what are you waiting for 🙂 protect your WordPress blog now 🙂
Www.Crackle.Com is a fully Free (yes I don’t get the business model either) streaming service (USA only, but this can be fixed with either www.witopia.net or www.unblock-us.com), not quite as good a selection as www.netflix.com but FREE 😀
Today my Roku2 set top box arrived from the USA (my first order via www.shopusa.com which seems to have worked fine), I had ordered this to be able to watch Netflix in my bedroom and the Roku2 box seemed the easiest and cheapest way.
The device, which comes with remote and built-in wifi, seemed nice, small and elegant and I did not expect many issues connecting it. I had read in advance that the service www.unblock-us.com was supporting this unit so everything should be a breeze.
Well, things did not go according to plan 🙁
First things first, www.unblock-us.com works by you replacing your DNS servers with server names (or rather IPs) they provide. Well, the darn box has no network settings, it gets its configuration from DHCP and that is it. Well, no problem, I run a Windows 2008R2 server with DHCP so I just created a new reservation for the MAC address of the Roku 2 box and set up the Unblock-us DNS server IPs for this reservation – and sure enough this part worked like a charm (note you have to follow the instructions on the www.unblock-us.com site and activate the service before starting to use it, I’m not 100% sure how they register you, likely by your external IP – but how do they deal with dynamic IPs then??).
So now I had the device connected to my WLAN and TV. The first thing is then to link the Roku box to an account, you need your computer for this – so I created an account and entered the ID-code from the Roku 2 box (it displays a code you need to enter into your new Roku account to link the device to your account), and everything worked like a charm (I used a P.O.Box address in the USA as my postal address and my American Express as credit card, everything was fine). But now began my trouble, see, the device somehow knew that it was not in the USA and only showed a few totally uninteresting streaming channels (no Netflix, no Hulu etc. etc.), and now began a lot of googling – I found these two threads that seemed to give some insight into the matter;
And the issue appears to be that the account somehow is not accepted as a fully valid USA account. Now I tried deleting the account and recreating it via a USA VPN as some suggested, I tried different credit cards, I tried creating a USA Paypal account, but nothing solved the issue. It was suggested that by using a verified USA credit card you might overcome the problem, however USA credit cards are hard to come by in Europe :-/ I only know of a few places where you can obtain these and these are not free, so a streaming service would end up being fairly expensive 😐
Link to obtaining a USA credit card;
https://readmydamnblog.com/?p=1860 (might also work)
I did however in the end find a liveable solution to my torment, once the device is fully configured and setup you unlink it from your Roku account – then you wait a few minutes and either restart the Roku or refresh your channels – this strangely enough caused the device to remove all channels BUT at the same time restore the Netflix launch button to the frontpage – and now Netflix works (and possibly also Hulu) – you still need Unblock-us not to forget, however all other channels are gone… Ok, my objective was to get Netflix so I’m happy with this, but at the same time it’s a shame to not be able to try out all the other stuff – but I guess there is no winning every time 🙁
Btw; the power supply supports both 110v and 220v so no problems there other than the wall jack, which a universal adapter took care of
So status at the moment is; Got Netflix working (by unlinking the Roku from my Roku account) but now that is all the device can do….. Hrmpf I am not totally satisfied, but guess this will have to do…
Streaming and Netflix navigation seem to work fine, quality is not fully as good as when I stream from a PC but quite acceptable. Do let me know if anyone figures out a way around this messy situation.
Another odd thing about the Roku 2 box: there is no standby? You need to unplug the darn thing to shut it down. According to Roku it is because it uses so little power, now I don’t know, in these days where we all are supposed to be thinking about the environment :-/
UPDATE March 8th 2012;
Found this site that appears to offer a workaround for any non-USA credit card problems. I have not had the need to test it myself but it looks like a workable solution: