What's new

How do malware-blocking DNS providers compare?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

DNS Filtering doesn't help you guys in the real world. I can't believe there are a lot of people who are still believing it helps. It's just a marketing tactic. If it really helps you? you don't need Firewall and Antivirus.😆
I think most here look at DNS filtering as just another "layer" of protection, not a replacement for other tools.
 
Since we block the domain and do not support it, it means that it does not exist with us.
The DNS protocol [RFC1035] defines response code 3 as "Name Error", or "NXDOMAIN" [RFC2308], which means that the queried domain name does not exist in the DNS.
Obviously NextDNS is of a different opinion when it comes to blocking domains that do exist but are malicious. I'm not saying I agree with this technique, just that this is the reality for some DNS providers. We are not blocking anything, the DNS provider is. The test tries to account for this kind of response.
 
DNS Filtering doesn't help you guys in the real world. I can't believe there are a lot of people who are still believing it helps. It's just a marketing tactic. If it really helps you? you don't need Firewall and Antivirus.😆
Leave your front door unlocked. That lock doesn`t help since I can use a crowbar to break in anyway...

These DNS-based filtering services are actually a very good way to help secure a network. They are constantly updated (since they don't rely on your computer downloading new signatures), and they will protect all your devices, including mobile devices where you have no other way of protecting yourself against a rogue application or a rogue in-app advertisement. And some of them offer extra security if you need to protect younger childrens against online adult content.

An anitivrus and a firewall cannot protect you against a malicious website that exploits XSS vulnerabilities. A DNS-based blocklist can.
 
Obviously NextDNS is of a different opinion when it comes to blocking domains that do exist but are malicious. I'm not saying I agree with this technique, just that this is the reality for some DNS providers. We are not blocking anything, the DNS provider is. The test tries to account for this kind of response.
And I remember in the past when many ISPs would redirect you to an "helpful" website instead of returning a proper NXDOMAIN. Until someone told those idiots that, among other things, that behaviour broke SMTP checks where they relied on being able to get a proper NXDOMAIN response to validate the legitimacy of the info provided in the EHLO handshaking. Something even Network Solutions didn`t think of when they briefly applied this technique at the root tld level...
 
Should also note for those curious...

Quad9 supports DNSSEC, DNS-over-TLS, and DNS-over-HTTPS, along with eDNS on their primary resolvers - so depending on the feature set of your router, they do have the bases pretty much covered.
Privacy-anxious users might not want eDNS, but personally I favor eDNS since it helps getting better performance when dealing with CDNs and other services that have different PoP based on your location. If I recall, Cloudflare does not support eDNS.
 
Leave your front door unlocked. That lock doesn`t help since I can use a crowbar to break in anyway...

These DNS-based filtering services are actually a very good way to help secure a network. They are constantly updated (since they don't rely on your computer downloading new signatures), and they will protect all your devices, including mobile devices where you have no other way of protecting yourself against a rogue application or a rogue in-app advertisement. And some of them offer extra security if you need to protect younger childrens against online adult content.

An anitivrus and a firewall cannot protect you against a malicious website that exploits XSS vulnerabilities. A DNS-based blocklist can.
Is DNS Filtering your door? Really? Antivirus and firewalls are nothing followed by your logic. XSS? So are we safe from XSS now? The attackers change their website or servers often. They are automated these days. If those websites are blocked by DNS Filtering the websites are changed their nameserver, IP address something automatically. There are always victims before those sites are in the DNS Filter. DNS Filtering is just minimum requirement for internet service. It's not even your front or room door at all. Do you defend your home with a front door? It's easily breakable if attackers want to break it. What are real front doors? Antivirus and Firewall are real front door for consumers. They can't protect you 100%, but they can protect you a lot more than DNS Filtering. How many people get infected by Malwares everyday? A lot. How many people get attack by Attackers everyday? A lot. You may say if there is no DNS filtering we are less safe than using DNS Filtering. I don't think so. We should think about the security for consumer side. How many home users use Antivirus and Firewalls. How many home users use Hardware Firewall? How many home users can use Antivirus and Firewall properly? How many home users can configure Antivirus and Firewall options properly? They don't even know what the Firewall is. It doesn't mean 'that's why we need DNS Filtering'. I always say here in Snbforums "You are not safe".
 
DNS is just another level to the security package. I see no reason not to run it. And yes, we are not safe, but every little bit helps. I would never give up my front door firewall thinking my PC firewall and antivirus is enough. There is no one solution and there never will be.
DNS filtering is evolving fast also trying to catch up to the bad guys. Maybe some get caught but some get protected because they cannot attack everybody at the same time.

And why would you not run a DNS filtering service as it is free?
 
Very interesting. I am not too network savvy, but this is quite disturbing.

Thanks for posting.
 
The takeaway for me from that video above (thanks @coxhaus!) is that to start going down that rabbit hole, the user has to be gullible enough to click on a phishing (or other) link.

There is nothing on the web I want to see/connect to enough for me to click a link I may run across. Let alone click on a link in an email I received without asking for it previously.

When I used to ride motorcycles, I would spend a few days each season re-learning and/or practicing the skills required to ride a motorcycle at an expert level. Not because I was going to ride like that, but rather, because I wanted to have the reaction and re-learn the movements necessary to avoid potential hazards at speed. Of course, I didn't avoid all accidents during my riding days, but what I did do was survive them (and in one piece). And that was directly related to my viewing the machine for what it was: potentially, deadly.

I view online activity the same way. The 'weak' spot isn't my A/V, my OS, or my specific device (with the exceptions of phones; they are always, 100%, insecure). The biggest weak spot is always, potentially, me.

I surf with that knowledge at the top of my mind. And if I don't get to see 'something' I refuse to not click on, I don't sweat it at all.

The details of how to track down an infected machine as outlined in the video are interesting to me. However, I never want to be in that state in the first place. Which is why I find looking through logs 'boring'. It is much easier for me to spend less than 30 minutes and get a network/router in a good/known state than it is to spend a few hours/days viewing/decoding logs and having to do the same thing in the end anyways.

As I've mentioned before, it isn't surprising that we can be hacked. It would be more surprising if attempts weren't made.

What is most surprising to me is a user not doing what they can to not get infected/hacked. That's like not learning to walk on the sidewalk, always facing traffic, while actually looking at the vehicles as they go by.


 
The first thing that struct me was is using DNS port forwarding as safe as using a root server for DNS. I need more research. How safe are root servers? Can they be impersonated? If doing DNS forwarding is there a direct access in your ISP for the DNS server.

And of course, use a DNS server like QUAD9. If it gets hijacked then you are in trouble. Maybe it would be a good idea to force all users to one local DNS server. I would think DNS with any large ISP would be safe in the US.

Maybe I need IPS/IDS on my firewall to be able to look for this kind of thing. Which ones can support this? I don't think I have ever written a rule to block DNS.txt.
 
The first thing that struct me was is using DNS port forwarding as safe as using a root server for DNS. I need more research. How safe are root servers? Can they be impersonated? If doing DNS forwarding is there a direct access in your ISP for the DNS server.

And of course, use a DNS server like QUAD9. If it gets hijacked then you are in trouble. Maybe it would be a good idea to force all users to one local DNS server. I would think DNS with any large ISP would be safe in the US.

Maybe I need IPS/IDS on my firewall to be able to look for this kind of thing. Which ones can support this? I don't think I have ever written a rule to block DNS.txt.
Interestingly according to dns check.tools Verizon on my phone seems to fail DNSSEC (not sure how accurate this is; but all other DNSs I’ve tested are green for all DNSSEC tests).
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top