How do malware-blocking DNS providers compare?

RMerlin

Asuswrt-Merlin dev
I always wondered how the various DNS-based malicious website blockers compared. Finally someone tested a few of them against a list of known malicious domains:

 
Maybe Cloudflare focussed more on blocking adult content than malicious content.

I only used these filtering servers once for a customer, who needed to secure a public computer accessible by kids, and I went with Cleanbrowsing for it.
 
I always use Cleanbrowsing in places with no extra DNS filtering. Didn’t know about dns0.eu, this is something new from 2022.
 
Have been using Cloudflare 1.0.0.2 and 1.1.1.2 for quite a while now, but following that article gave Cleanbrowsing a go. I'm well aware that DNS lookups only take a fraction of the time used when accessing a website, but DNS bench seems to suggest the Cleanbrowsing servers are incredibly fast!
 
Bad news for @bbunge who prefers Cloudflare for Families.

Belts and suspenders to avoid being caught with your pants down.
I second that! Switched back to Quad9 this morning and immediately had DNS lookup errors. Am now on Cleanbrowsing.

And it is not Cloudflare for Families but Cloudflare Security. Cloudflare for Families is 1.1.1.3 and 1.0.0.3
 
From free DNS servers this is my choice:

Unfiltered - Google
Customizable - OpenDNS
Secure - CleanBrowsing

All pretty fast and popular. Other free DNS servers? Sure, but why? Especially the ones with unclear funding...
 
Sorry for being dunce, but can someone break this down for me?

Cloudflare found an A record at 44,542 hosts. These hosts were then tested against the public DNS resolvers. The table below shows in numbers how many hosts with a valid IP address the DNS resolver returned and what percentage was therefore blocked. So the less valid hosts are routed, the better.

I interpret this as Cloudflare knows of 44k hosts (e.g., www.domain.tld) in the Internet. If this is true, then some of the providers are saying only a tiny % of domains are safe/good/valid (like only 6%??). That does not seem plausible. It makes me think they can't resolve some domains (unknown to them, opposite of Cloudflare) or they are way too aggressive in what they block.

By this simple metric, I could stand up a DNS service that blocks all but 100 domains and I'd look like the premiere secure DNS provider, because "the less valid hosts are routed, the better".
 
@Justinh What they're saying is that they took their combined list of 130,525 malicious hosts and checked them against unfiltered Cloudflare to see if they had a corresponding DNS record. Basically, they're filtering out old malicious hosts that no longer have a DNS record. That resulted in a "good" dataset of 44,542 malicious hosts with an active DNS record. These 44,542 hosts were then used for the testing.
 
Quad9 gave a faulty DNSSEC check on https://dnscheck.tools/ to me before. However, after reading the article and switching to Quad9 and CleanBrowsing last night, everything works flawlessly.

Regarding dns0.eu, I came across a post on Malware tips (https://malwaretips.com/threads/public-dns-malware-filters-tested.123684/ ) and found this interesting information:

 
I'm afraid that this test contains some errors.
The test should check the NXDOMAIN block, not DNS record A.
Also keep in mind that some DNS providers work with CERT.PL (Quad9 and dns0.eu for sure, not sure about CleanBrowsing), so it's obvious that they block almost all tested domains.
Other test:
It's worth trying to run your own test, but I don't have much time for it.
 
and found this interesting information
The CERT Polska team operates within the structures of NASK (Research and Academic Computer Network) — a research institute which conducts scientific studies, operates the national .pl domain registry and provides advanced IT services.
It is Polish National Research Institute
In Europe, many companies and institutions obtain funds from the European Union, but this does not mean that they are related to each other.
 
I'm afraid that this test contains some errors.
The test should check the NXDOMAIN block, not DNS record A.
The test is whether "the tested DNS resolver returned a valid IP address". If they only check for NXDOMAIN the test wouldn't work for resolvers that returned, for example 0.0.0.0 instead of NXDOMAIN. They're only using A records to verify the existence of the malicious domain against the unfiltered DNS resolver before performing the test.
 
DNS Filtering doesn't help you guys in the real world. I can't believe there are a lot of people who are still believing it helps. It's just a marketing tactic. If it really helps you? you don't need Firewall and Antivirus.😆
 
resolvers that returned, for example 0.0.0.0 instead of NXDOMAIN
This practice violates the RFC standard for DNS NXDOMAIN responses (DNS hijacking or DNS redirection, redirecting the resolution of DNS names to other DNS servers or web servers, phishing etc.).
They're only using A records to verify the existence of the malicious domain against the unfiltered DNS resolver before performing the test.
So we check if it works in CloudFlare and later we show that CloudFlare is bad because their domains work.
At the same time, we do not check domains that may work for others and are blocked by CloudFlare.
In addition, the fact that an A record is defined does not mean that the domain is working - maybe then we can check the server's response codes, etc.?
 
This practice violates the RFC standard for DNS NXDOMAIN responses (DNS hijacking or DNS redirection, redirecting the resolution of DNS names to other DNS servers or web servers, phishing etc.).
There's no RFC standard (that I'm aware of) that says you have to return NXDOMAIN if you're blocking a valid domain. This whole process could be regarded as DNS hijacking by the DNS companies. NextDNS returns 0.0.0.0 for blocked domains.

So we check if it works in CloudFlare and later we show that CloudFlare is bad because their domains work.
At the same time, we do not check domains that may work for others and are blocked by CloudFlare.
The assumption is that the CloudFlare unfiltered results are truly unfiltered and do not contain any blocked domains. In theory you could use any other resolver provided it was truly unfiltered and it should return exactly the same set of results.

In addition, the fact that record A is defined does not mean that the domain is working - maybe then we can check the servers response codes, etc.?
True. But then it gets slow, complicated and unreliable.
 
if you're blocking a valid domain
Since we block the domain and do not support it, it means that it does not exist with us.
The DNS protocol [RFC1035] defines response code 3 as "Name Error", or "NXDOMAIN" [RFC2308], which means that the queried domain name does not exist in the DNS.
In theory you could use any other resolver provided it was truly unfiltered and it should return exactly the same set of results.
The world is not black and white. If 44,542 has been checked out of the list of 130,525 then I think there may be a lot of variables along the way.
DNS could also not respond at all and it was considered a threat recognition (because it did not return an A record).
The answer NXDOMAIN is clear - it works and knows how to behave.
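The two methodology points argued over above (filtering the feed against an unfiltered resolver before testing, and the fact that a timeout, SERVFAIL, NXDOMAIN and a 0.0.0.0 sinkhole answer all collapse into "blocked" under the article's metric) are easier to reason about with the scoring written out. The following is an added example, not code from the article, the forum posters or any resolver operator. Every domain (in the reserved `.invalid` TLD), address (documentation ranges) and reply below is constructed, so nothing is queried; the `DnsReply`, `classify`, `active_domains` and `score` names are this example's own. It treats only unspecified and loopback addresses as sinkholes, which is an assumption: a provider that answers with a block-page IP would be counted as "resolved" here, which is exactly the "an A record does not mean the domain works" caveat raised earlier in the thread.

```python
"""Classify public-resolver answers for a malicious-domain blocking test.

Added example, not code from the article or from any resolver operator.
All domains, addresses and replies below are constructed; nothing is queried.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional


@dataclass
class DnsReply:
    rcode: str                                  # NOERROR, NXDOMAIN, SERVFAIL, REFUSED
    a_records: List[str] = field(default_factory=list)
    timed_out: bool = False


Replies = Dict[str, Optional[DnsReply]]         # domain -> reply (None: no answer at all)


def is_sinkhole(addr: str) -> bool:
    """0.0.0.0 / 127.0.0.1 / :: / ::1 are the usual 'blocked' answers a
    filtering resolver returns instead of NXDOMAIN. Assumption: a provider
    that answers with a block-page address is NOT caught by this check."""
    ip = ip_address(addr)
    return ip.is_unspecified or ip.is_loopback


def classify(reply: Optional[DnsReply]) -> str:
    """Fine-grained verdict. The article's metric collapses everything except
    'resolved' into 'blocked'; keeping the verdicts apart is what lets you
    tell a filtering resolver from one that simply did not answer."""
    if reply is None or reply.timed_out:
        return "timeout"
    if reply.rcode == "NXDOMAIN":
        return "nxdomain"
    if reply.rcode != "NOERROR":
        return "error"                          # SERVFAIL / REFUSED
    if not reply.a_records:
        return "nodata"                         # NOERROR with an empty answer section
    if all(is_sinkhole(a) for a in reply.a_records):
        return "sinkhole"
    return "resolved"


def active_domains(domains: List[str], unfiltered: Replies) -> List[str]:
    """Step 1 of the article's method: keep only feed entries the unfiltered
    resolver still resolves to a real address (drops stale domains)."""
    return [d for d in domains if classify(unfiltered.get(d)) == "resolved"]


def score(domains: List[str], replies: Replies) -> Dict[str, float]:
    """Step 2: per-verdict counts plus the article-style 'blocked %'
    (share of active domains for which no routable A record came back)."""
    counts: Dict[str, float] = {}
    for d in domains:
        verdict = classify(replies.get(d))
        counts[verdict] = counts.get(verdict, 0) + 1
    resolved = counts.get("resolved", 0)
    counts["blocked_pct"] = round(100.0 * (len(domains) - resolved) / len(domains), 1)
    return counts


# Constructed feed: four live entries plus one stale one that the
# unfiltered resolver no longer knows about.
FEED = ["a.invalid", "b.invalid", "stale.invalid", "c.invalid", "d.invalid"]

UNFILTERED: Replies = {
    "a.invalid": DnsReply("NOERROR", ["203.0.113.10"]),
    "b.invalid": DnsReply("NOERROR", ["198.51.100.7"]),
    "stale.invalid": DnsReply("NXDOMAIN"),
    "c.invalid": DnsReply("NOERROR", ["192.0.2.44"]),
    "d.invalid": DnsReply("NOERROR", ["203.0.113.99"]),
}

# A filtering resolver that mixes sinkhole answers and NXDOMAIN (constructed).
FILTERING: Replies = {
    "a.invalid": DnsReply("NOERROR", ["0.0.0.0"]),
    "b.invalid": DnsReply("NXDOMAIN"),
    "c.invalid": DnsReply("NOERROR", ["192.0.2.44"]),
    "d.invalid": DnsReply("NOERROR", ["0.0.0.0"]),
}

# A resolver that mostly fails to answer (constructed): same 'blocked %'
# as FILTERING under the naive metric, but it is not filtering anything.
SILENT: Replies = {
    "a.invalid": None,
    "b.invalid": DnsReply("NOERROR", timed_out=True),
    "c.invalid": DnsReply("NOERROR", ["192.0.2.44"]),
    "d.invalid": DnsReply("SERVFAIL"),
}

if __name__ == "__main__":
    active = active_domains(FEED, UNFILTERED)
    print(f"{len(active)} of {len(FEED)} feed entries still resolve unfiltered")
    for name, replies in (("filtering", FILTERING), ("silent", SILENT)):
        print(name, score(active, replies))
```

Run as a script it prints the same 75.0 "blocked" figure for both constructed resolvers; only the per-verdict breakdown shows that one of them blocked with NXDOMAIN and sinkhole answers while the other simply timed out or returned SERVFAIL. When reproducing a test like this, record the verdict, not just the pass/fail, and add a timeout-only control run before trusting any block percentage.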
 
