How do malware-blocking DNS providers compare?

[Mogsy]

Interestingly according to dns check.tools Verizon on my phone seems to fail DNSSEC (not sure how accurate this is; but all other DNSs I’ve tested are green for all DNSSEC tests).

AFAIK most ISPs doesnt provide DNSSEC

 

[Paliv]

AFAIK most ISPs doesnt provide DNSSEC

Comcast fully implemented DNSSEC. It’s why they stopped redirecting typos, because the engineers told them it breaks DNSSEC.

Comcast

Verizon

Those are the ones I’ve checked since that’s what I’ve got. I think Comcast got more serious about DNSSEC after they had multiple DNS poisoning incidents several years ago.

 

[coxhaus]

I am not going to encrypt anything I don't have to. I want it out in the open so it can be scanned. I think it is safer. Why help hide bad packets?

 

[Paliv]

I am not going to encrypt anything I don't have to. I want it out in the open so it can be scanned. I think it is safer. Why help hide bad packets?

I mean a lot of people are paranoid their DNS request are being watched. My concern would be a MITM where they could be manipulated if I was encrypting DNS. But I’ve found encrypted DNS to slow things a bit.

 

[coxhaus]

I mean a lot of people are paranoid their DNS request are being watched. My concern would be a MITM where they could be manipulated if I encrypted DNS. But I’ve found encrypted DNS to slow things a bit.

I think this is silly. DNS can be spoofed by using IP addresses instead of names. What really counts is your routing information on your packets and that has to be exposed to the net because routing will not work without it being exposed. So, what they would want is where you have been, and your internet packets have that trail. It has to be for the internet to work.

It is like I said a VPN provider only protects you to their IP address. Once you access anything on the internet outside of the VPN provider's network you have an exposed internet trail which can be tracked. You miss one hop using VPN; it does not matter. So, to me it seems silly to think about any VPN provider. You only want to use VPN when you control both ends.

 

[Paliv]

I think this is silly. DNS can be spoofed by using IP addresses instead of names. What really counts is your routing information on your packets and that has to be exposed to the net because routing will not work without it being exposed. So, what they would want is where you have been, and your internet packets have that trail. It has to be for the internet to work.

It is like I said a VPN provider only protects you to their IP address. Once you access anything on the internet outside of the VPN provider's network you have an exposed internet trail which can be tracked. So, to me it seems silly to think about any VPN provider. You only want to use VPN when you control both ends.

Well VPN is a bit different from encrypted DNS. Similar point. Did I miss something where we got on VPNs?

 

[coxhaus]

People are paranoid their DNS requests being tracked. Internet routing is exposed on packets, so the info is available regardless of using a VPN or not. It is available on all internet packets as that is how routing works on the internet.

I do not want to expand this thread beyond DNS. But there is no reason to be paranoid about DNS requests. But be paranoid about DNS hacking and ending up on a malicious site.

 

[sfx2000]

I do not want to expand this thread beyond DNS. But there is no reason to be paranoid about DNS requests. But be paranoid about DNS hacking and ending up on a malicious site.

I agree - let's try to stay on topic...

 

[sfx2000]

It is like I said a VPN provider only protects you to their IP address.

quick comment - commercial VPN's are just proxy servers - there's another thread if further discussion is warranted there...

 

[Crimliar]

When it comes to people not doing what they can in order to not get hacked:

• We are all fallable
• Most on these forums are not only setting up their equipment for themselves but for others - some of those we set equipment up for don't take the same level of care about their online activities.

So many VPN advertisements I see are really seriously misselling their services!

 

[sfx2000]

So many VPN advertisements I see are really seriously misselling their services!

Slippery slope - they are providing a service, just not one of great value

 

[sfx2000]

AFAIK most ISPs doesnt provide DNSSEC

CoxHSI does

 

[bbunge]

My un-scientific comparison of Cloudflare Security vs. Quad9.

I set up a Pi-Hole with a malware only block list (https://blocklistproject.github.io/Lists/malware.txt) containing 435,266 records. For the first day the Pi-Hole was set to get queries from Cloudflare Security. The second day it used Quad9. DNSSEC was enabled. The Pi-Hole stats were cleared between tests.

First Day: Cloudflare 1.1.1.2, 1.0.0.2
Total Queries: 26,751
Queries Blocked: 227
Percentage Blocked: 0.8%

Second Day: Quad9 9.9.9.9, 149.112.112.112
Total Queries: 32,476
Queries Blocked: 359
Percentage Blocked: 1.1%

My test shows me the Cloudflare Security is not as "bad" as was stated in the article. In fact, it is 0.3% better than Quad9 which rated quite high. Sure, this was a short one day test for each upstream resolver and not scientific at all. But I feel justified in using Cloudflare Security which works best for me even using DoT and DNSSEC. Quad9 and DoT on my ISP do not play well together.

 

[L&LD]

Is this just using your normal browsing? Doesn't tell us anything at all if it is.

How are you determining that Cloudflare is 0.3% better than Quad9?

Give us (much) more details about the testing you're reporting here.

 

[Paliv]

My un-scientific comparison of Cloudflare Security vs. Quad9.

I set up a Pi-Hole with a malware only block list (https://blocklistproject.github.io/Lists/malware.txt) containing 435,266 records. For the first day the Pi-Hole was set to get queries from Cloudflare Security. The second day it used Quad9. DNSSEC was enabled. The Pi-Hole stats were cleared between tests.

First Day: Cloudflare 1.1.1.2, 1.0.0.2
Total Queries: 26,751
Queries Blocked: 227
Percentage Blocked: 0.8%

Second Day: Quad9 9.9.9.9, 149.112.112.112
Total Queries: 32,476
Queries Blocked: 359
Percentage Blocked: 1.1%

My test shows me the Cloudflare Security is not as "bad" as was stated in the article. In fact, it is 0.3% better than Quad9 which rated quite high. Sure, this was a short one day test for each upstream resolver and not scientific at all. But I feel justified in using Cloudflare Security which works best for me even using DoT and DNSSEC. Quad9 and DoT on my ISP do not play well together.

That’s a 37% difference in number of sites blocked, but still not as bad as that site suggests.

 

[bbunge]

Is this just using your normal browsing? Doesn't tell us anything at all if it is.
How are you determining that Cloudflare is 0.3% better than Quad9?

Give us (much) more details about the testing you're reporting here.

Yes, normal household browsing as this is what matters to me. Think of it as a real world test. My wife and daughter were not told told that I was doing a test.

I know that the filtering DNS providers are blocking malware sites. My goal was to see what got through by using Pi-Hole with just a malware block list to see what it blocked. If the upstream DNS providers were 100% efficient Pi-Hole should have blocked nothing. The fact that it blocked something tells me that the DNS provider was not catching everything. Based upon the malware block list I used Cloudflare missed 0.8% of the queries and Quad9 missed 1.1% of the queries. The number of queries and the number of blocked queries differs from day1 and day 2 therefore the percentage of blocks on each day is the measure of effectiveness.
As we tend to visit the same web sites daily and nothing out of the ordinary was attempted, I feel my test was a fair measure of the effectiveness of Cloudflare Security and Quad9. I'm sure that if I used an unfiltered DNS provider the Pi-Hole blocks would be quite high (no, I am not going to test that! I have garden chores that need tended to.)

 

[Piotrek]

Good job @bbunge !

with a malware only block list

I think it should be lists: Abuse, Fraud, Malware, Phishing, Ransomware, Scam.
Also, I would add: https://urlhaus.abuse.ch, https://data.phishtank.com, https://cert.pl/en/posts/2020/03/malicious_domains/ - https://hole.cert.pl/domains/domains.txt
Personally, I would like to repeat each test several times/days.
I also have an idea for a test, but I don't have time right now.

 

[Tech9]

I set up a Pi-Hole with a malware only block list (https://blocklistproject.github.io/Lists/malware.txt) containing 435,266 records

By the way, Block List Project generates false positives like crazy. You can't report them fast enough.

 

[avtella]

@coxhaus Quad 9 doesn't seem to have as much latency as it once had when I last tried it a while back, Cloudflare is still faster but not enough for me to notice.

Maybe I need IPS/IDS on my firewall to be able to look for this kind of thing. Which ones can support this? I don't think I have ever written a rule to block DNS.txt.

You can try the combination of redirecting all DNS queries on port 53 on the firewall and additionally using pfblockerng with DNSBL & IP DoH blocklists plus the DoH/DoT block option under "DNSBL Safe Search". Then users on your network "for the most part" should be forced to go through unbound on the firewall. That's the way I do it.

 

[AndreiV]

Well , I tried dns0.eu and it is now gone. Ping time is not great but it is unusable when it blocks innocent sites like banks, credit card co's, UK newspapers and many others. 50+% of the sites I would visit come up nx-domain.

Quad9 was okay when it started but now appears to have constant issues , ping time often up to 488ms on the London servers.

Better off sticking to my routers Knot resolver.