How do malware-blocking DNS providers compare?

[coxhaus]

@coxhaus Quad 9 doesn't seem to have as much latency as it once had when I last tried it a while back, Cloudflare is still faster but not enough for me to notice.


You can try the combination of redirecting all DNS queries on port 53 on the firewall and additionally using pfblockerng with DNSBL & IP DoH blocklists plus the DoH/DoT block option under "DNSBL Safe Search". Then users on your network "for the most part" should be forced to go through unbound on the firewall. That's the way I do it.

If you run all those DNS servers you have listed then it defeats using QUAD9. If you are going to use QUAD9 you need to only use QUAD9 otherwise the other DNS servers will resolve the bad names. I should say any filtering DNS is defeated if you use a non-filtering DNS server also. Focus on the DNS server you choose don't list a lot of DNS servers like the old days.

The caching is so much better now and longer lasting that I don't think you need all those DNS servers like in the old days.

 

[avtella]

I ran Q9 mostly for the test in the other thread per your request that’s why there were 8 in the list including the fallback servers for Cloudflare and Q9. But yeah I agree with you, and I’m thinking of switching to Q9 now.

 

[coxhaus]

@coxhaus Quad 9 doesn't seem to have as much latency as it once had when I last tried it a while back, Cloudflare is still faster but not enough for me to notice.


You can try the combination of redirecting all DNS queries on port 53 on the firewall and additionally using pfblockerng with DNSBL & IP DoH blocklists plus the DoH/DoT block option under "DNSBL Safe Search". Then users on your network "for the most part" should be forced to go through unbound on the firewall. That's the way I do it.

I would like to block all DOH and DNS.txt.

 

[avtella]

I would like to block all DOH and DNS.txt.

Try what I mentioned and see how effective it is.
It has been effective for me but reason I said for the most part rather than a certainty is that I’m sure one can find ways get around it if they want, ie VPN.



Do the following to redirect DNS port 53 for IPv4/v6 first, I forgot to give the instructions last time:

Redirecting Client DNS Requests | pfSense Documentation

docs.netgate.com

Then:
Use the “TheGreatWall” DoH IPv4/IPv6 Blocklists and DNSBL blocklists on pfblockerng.
I can guide you through pfblockerng on the forum private chat but this should be good enough on basic pfblocker setup, one thing missing in the video is a more recent feature for DNSBL there is now a python mode which should be enabled as it’s more memory efficient and unlocks extra stuff like cname validiation, hsts etc:

 

[sfx2000]

I would like to block all DOH and DNS.txt.

DoH especially - as it's tough to block without breaking other traffic - so the only hope is to block known DoH hosts...

There's a lot of malware these days that are using DoH just for that reason - and anyone can set up a DNS server.

 

[FernandoF]

I hope it's okay to link a youtube video here: "Which Is The Best DNS for Secure Browsing: CloudFlare, Quad9, NextDNS, and AdGuard DNS". This particular one was published just a few days ago and shows similar results to those of the original post, especially regarding the significant difference between Cloudflare Security and Quad9. Results start at the 5:10 mark.

I have no previous experience with the mentioned youtube channel. I'm just linking it here as an additional data point. I hope it's helpful.

EDIT: Adding a follow-up video with revised results for NextDNS: "DNS Secure Browsing Follow Up: NextDNS Tweaked and Re-Tested".

 

[coxhaus]

If you use QUAD9 do not use any other DNS servers as they will defeat QUAD9. Do not add Cloudflare DNS as you will reduce your DNS to Cloudflare's level. QUAD9 will be defeated.

 

[jarip]

Re-tested in 2024:

Publieke DNS malware filters in 2024 getest

Hoe goed scoren de grootste publieke DNS-resolvers die je tegen malware domeinen beschermen in januari 2024? Wij deden de test!

blog.nexxwave.be