What's new

How do malware-blocking DNS providers compare?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

@coxhaus Quad 9 doesn't seem to have as much latency as it once had when I last tried it a while back, Cloudflare is still faster but not enough for me to notice.


You can try the combination of redirecting all DNS queries on port 53 on the firewall and additionally using pfblockerng with DNSBL & IP DoH blocklists plus the DoH/DoT block option under "DNSBL Safe Search". Then users on your network "for the most part" should be forced to go through unbound on the firewall. That's the way I do it.
If you run all those DNS servers you have listed then it defeats using QUAD9. If you are going to use QUAD9 you need to only use QUAD9 otherwise the other DNS servers will resolve the bad names. I should say any filtering DNS is defeated if you use a non-filtering DNS server also. Focus on the DNS server you choose don't list a lot of DNS servers like the old days.

The caching is so much better now and longer lasting that I don't think you need all those DNS servers like in the old days.
 
Last edited:
I ran Q9 mostly for the test in the other thread per your request that’s why there were 8 in the list including the fallback servers for Cloudflare and Q9. But yeah I agree with you, and I’m thinking of switching to Q9 now.
 
Last edited:
@coxhaus Quad 9 doesn't seem to have as much latency as it once had when I last tried it a while back, Cloudflare is still faster but not enough for me to notice.


You can try the combination of redirecting all DNS queries on port 53 on the firewall and additionally using pfblockerng with DNSBL & IP DoH blocklists plus the DoH/DoT block option under "DNSBL Safe Search". Then users on your network "for the most part" should be forced to go through unbound on the firewall. That's the way I do it.
I would like to block all DOH and DNS.txt.
 
I would like to block all DOH and DNS.txt.
Try what I mentioned and see how effective it is.
It has been effective for me but reason I said for the most part rather than a certainty is that I’m sure one can find ways get around it if they want, ie VPN.



Do the following to redirect DNS port 53 for IPv4/v6 first, I forgot to give the instructions last time:

Then:
Use the “TheGreatWall” DoH IPv4/IPv6 Blocklists and DNSBL blocklists on pfblockerng.
I can guide you through pfblockerng on the forum private chat but this should be good enough on basic pfblocker setup, one thing missing in the video is a more recent feature for DNSBL there is now a python mode which should be enabled as it’s more memory efficient and unlocks extra stuff like cname validiation, hsts etc:
 
Last edited:
I hope it's okay to link a youtube video here: "Which Is The Best DNS for Secure Browsing: CloudFlare, Quad9, NextDNS, and AdGuard DNS". This particular one was published just a few days ago and shows similar results to those of the original post, especially regarding the significant difference between Cloudflare Security and Quad9. Results start at the 5:10 mark.

I have no previous experience with the mentioned youtube channel. I'm just linking it here as an additional data point. I hope it's helpful.

EDIT: Adding a follow-up video with revised results for NextDNS: "DNS Secure Browsing Follow Up: NextDNS Tweaked and Re-Tested".
 
Last edited:
If you use QUAD9 do not use any other DNS servers as they will defeat QUAD9. Do not add Cloudflare DNS as you will reduce your DNS to Cloudflare's level. QUAD9 will be defeated.
 
  • Like
Reactions: Gar

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top