About & FAQ
About EDDI
Who is EDDI, and why is his name missing the “E” at the end?
EDDI stands for Enhanced DNS and Defense for Industry and is not a person (although sometimes it feels like one to our development staff). EDDI is both a forwarding and recursive DNS resolver, which makes it unique, just like its name without the “E”. EDDI lives exclusively in U.S. Government sovereign clouds, including Amazon Web Services (AWS) GovCloud and Microsoft Azure Government.
How do I connect to EDDI?
EDDI is a recursive DNS server, just like the one your Internet Service Provider (ISP), such as Comcast, Cox, Verizon, AT&T, and others, may provide. Once signed up, simply change your router or firewall's DNS server from your ISP's default settings to the IP addresses provided by EDDI. That's it.
So EDDI is exclusively for use by defense contractors?
EDDI can be leveraged by any U.S. government contractor with a CAGE code and D&B number that has a relationship with the government, not just the DoD. Both commercial prime and subcontractors are welcome, as are non-profit organizations and educational institutions.
What is EDDI Open?
EDDI Open is EDDI's primary no-cost offering as an internet resolver.
EDDI Open is currently in public preview and, while fully functional, is scheduled for general availability in late 2021.
What is EDDI Premium?
EDDI Premium offers EDDI's secure networking services and adds reporting capabilities, self-service management, deployment and access options, and much more.
EDDI Premium is currently in private preview and is scheduled for release in late 2021.
What is EDDI-R?
EDDI-R (Restricted) is a highly restricted DNS service intended only for machine traffic, such as servers and container applications. While a human may need search engines and news feeds along with their other favorite websites, machines and applications do not. The goal of EDDI-R is to mitigate supply chain attacks by using an explicit allowlist only. It is highly recommended only for mature, process-driven Configuration Management (CM) environments, as even the slightest software change may require a change to EDDI-R.
EDDI-R is currently in private preview and is scheduled for release in late 2021.
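The change-management burden described above, as an added example (not EDDI's code or configuration format): a pre-change audit that replays a staging host's DNS query log against an allowlist and reports the names an allowlist-only resolver would refuse. The allowlist syntax, the log format and every name and address in it are constructed assumptions.

```python
"""Pre-change audit for an allowlist-only resolver policy (added example)."""

# Constructed allowlist (entry syntax is an assumption): a leading "*."
# covers subdomains only; a bare entry covers exactly that one name.
ALLOWLIST = ["repo.example.com", "*.pkgs.example.net", "time.example.org"]

# Constructed staging query log: "<timestamp> <client> <qname> <qtype>"
STAGING_LOG = """\
2021-09-01T10:00:01Z 192.0.2.5 repo.example.com. A
2021-09-01T10:00:02Z 192.0.2.5 CDN.pkgs.example.net. AAAA
2021-09-01T10:00:03Z 192.0.2.5 notpkgs.example.net. A
2021-09-01T10:00:04Z 192.0.2.5 pkgs.example.net. A
2021-09-01T10:00:05Z 192.0.2.5 telemetry.vendor.example. A
2021-09-01T10:00:06Z 192.0.2.5 telemetry.vendor.example. AAAA
"""

def normalize(name):
    """Lower-case and drop the root dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")

def is_allowed(qname, allowlist=ALLOWLIST):
    """Compare whole labels, so 'notpkgs.example.net' is not covered
    by '*.pkgs.example.net' the way a plain string suffix test would allow."""
    labels = normalize(qname).split(".")
    for entry in map(normalize, allowlist):
        if entry.startswith("*."):
            suffix = entry[2:].split(".")
            if len(labels) > len(suffix) and labels[-len(suffix):] == suffix:
                return True
        elif labels == entry.split("."):
            return True
    return False

def uncovered_names(log_text, allowlist=ALLOWLIST):
    """Return {qname: query_count} for names the allowlist would refuse."""
    missing = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guessing at them
        qname = normalize(fields[2])
        if not is_allowed(qname, allowlist):
            missing[qname] = missing.get(qname, 0) + 1
    return missing

if __name__ == "__main__":
    for name, count in sorted(uncovered_names(STAGING_LOG).items()):
        print(f"not on allowlist: {name} ({count} queries)")
```

Each reported name is either a dependency the software change introduced, which needs an allowlist change request before deployment, or traffic the machine should not be generating at all.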
What is EDDI-SPR?
Details about EDDI-Special Program Restricted are available only under a fully executed Non-Disclosure Agreement (NDA). Please contact us for more information.
I spend a lot of time working in various clouds and the public IP addresses aren't typical IPs from AWS, Google, Oracle, IBM, or Microsoft. How is EDDI cloud enabled?
We own our own IP space registered with the American Registry for Internet Numbers (ARIN), both for IPv4 and IPv6. This can be verified on their website (whois.arin.net).
How do you guarantee a 100% uptime service target?
EDDI is structured with four redundant services. When (and only when) all four are configured for use, we guarantee to never have an outage. There are restrictions and fine print, but in short, AWS, Azure, Oracle, and Google datacenters would all have to suffer an outage at the same time. Think Armageddon and Bruce Willis.
Can my organization’s cloud assets use the service, such as virtual machines and networks?
Yes; however, some conditions apply and planning must occur, as every cloud environment requires communication within its own fabric. For example, see this Microsoft article.
What is the big deal about ad blocking? Are all advertisements malicious?
Not at all! The blocking of internet advertisements has been a contested debate for years within the cybersecurity community. While few particularly care for endless ads while scrolling through a particularly interesting news article, we very much realize that internet advertisements pay for that news article – and generally fund the internet. EDDI has no intention of interfering with any organization’s revenue, marketing, call to action movements, and more.
However, some advertisements are malicious and, unfortunately, there is currently no effective way to filter out the bad ones from the majority of non-malicious ones. This is especially true as these malicious advertisements – and the domains they live on – are usually short-lived and designed to avoid detection. They can particularly target mobile devices, since these traverse carrier-native 4G and 5G networks without the protection of an office’s firewall or other services. Since mobile devices often contain corporate email, documents, and other data, we feel that it is an unnecessary risk on DIB networks, and therefore block known malicious advertisement domains.
Rest assured if your company has an advertising campaign operating on a legitimate service such as googleadservices.com or doubleclick.net, it will be delivered to other EDDI users.
Is there a running allowlist of exceptions (ad domains that are allowed)?
Yes, and this is where EDDI varies from AdGuard, Pi-hole, and others, as we do allow reputable advertisement domains such as googleadservices.com. Again, our goal is not preventing advertisements from reaching an end user, but rather preventing malicious ones from doing so. We also explicitly allow some domains that were previously blocked when the block interfered with government or government contracting business.
For example, the URL domain used to send updates from GAO (Government Accountability Office) is not actually gao.gov, but rather lnks.gd. The .gd TLD historically belongs to the country of Grenada, and while it’s not this cut-and-dried anymore, a domain residing in Grenada wouldn’t typically be relevant traffic, so it was blocked by default.
Since all of my traffic will be traversing an extra step in the process, will my internet speed slow down?
Not really. EDDI’s unofficial motto is “Performance focused. Security obsessed” and we have worked hard to minimize any hit to performance, making any decrease unlikely but technically possible. In many cases, you may experience a performance increase depending on your current ISP or other DNS server attributes. If there is a slowdown, it would be by a few milliseconds at most and unnoticeable to the human eye. Occasionally, EDDI may analyze a newly entered domain with extra scrutiny, causing your browser to present an error page for anywhere from half a second to one full second. By the time an end user notices, the page is refreshed and available.
Premium customers who opt for private servers may see a noticeable lag in the first few days as their individual recursive services have no history whatsoever, and must build their cache or “bank” of domain information.
Rarely, we may tear down our recursive servers and rebuild them from scratch if a situation warrants, such as a known vulnerability, detected suspicious activity, annual maintenance, etc.
My office has a local network. Can I point my clients directly to EDDI and bypass any internal DNS servers?
While you can do this, it’s not recommended due to a slight decrease in speed and, more importantly, potential lost internal functionality since it will not resolve any internal resources.
Can I opt in to block all advertisements?
No, as it would violate our policy on allowing legitimate advertisements.
What is FIPS mode and why do I or do I not need it?
EDDI believes in making all CMMC-required components available across all plan levels. FIPS-compliant mode of cryptographic operation is required at CMMC Level 3 and higher for any Controlled Unclassified Information (CUI) data and is included in EDDI Premium and EDDI-R, and is a no-cost option in EDDI. However, since no data traverses EDDI, your organization does not need FIPS cryptography and its negative impact on performance. Therefore, we recommend forgoing the option unless you specifically require it and are willing to accept a slight reduction in performance and SLA.
Privacy, Data Usage, and Transparency
How is EDDI transparent?
Since EDDI is operated by a member of the community who works with transparent information models, we aim to provide similar transparency. While we don't publish significant detail on the internet, we are happy to provide details on our processes, architecture (how EDDI works), open source tools used, and so on.
How does EDDI use my data, and how is it protected?
We encourage you to read our privacy policy in its entirety; briefly stated, however, we don't use or store any of your data. We do collect the information you provide when you sign up, as well as the DNS logs used to resolve websites, but no data that may be sent to those websites is collected (nor can it be, as your computers will never send it to us).
Definitions
What is network-centric DNS?
Network-centric DNS refers to traditional DNS services configured for the network on which any number of endpoints reside. Whether one laptop and a mobile device or hundreds of each, if they're on the same network, they utilize and inherit its DNS services.
What is endpoint-centric DNS?
Unlike network-centric DNS, endpoint-centric DNS is configured specifically per device and can be set by operating system (e.g., Windows 10/11, macOS, iOS, Android) and by application, such as Mozilla Firefox, Microsoft Edge, and Google Chrome.