HarborFront

In a recent post, I tried to compare the performance of a few DNS resolvers. However, as some people pointed out, the results were not really fair. I cannot compare Google's 8.8.8.8 against Quad9's 9.9.9.9 or Norton ConnectSafe, as they do things very differently.

Yes, they are all DNS resolvers, but Google's goal is to provide an unfiltered DNS. Nothing is blocked or restricted.

Quad9 and OpenDNS, on the other hand, filter out malicious content to help protect their users. Services like CleanBrowsing and Yandex also remove pornography from the DNS responses. The level of complexity increases as you try to do more.

So today, I decided to test a few of the most popular filtered DNS resolvers that restrict access to malicious content. How good are they? Do they really improve the security of someone browsing the web? Are they worth the trouble?

We will find out…

I chose these popular (and free) services that are supposed to block access to malware, phishing and bad stuff in general:

  • Quad9: 9.9.9.9
  • OpenDNS: 208.67.222.123
  • Norton ConnectSafe (Malware, Phishing and Scam sites): 199.85.126.10
  • Comodo Secure: 8.26.56.26
  • Yandex Safe: 77.88.8.88

I am not looking to test their performance or how fast they are, but to see how well they block access to malicious domains.

TLDR
All these providers do very little to block access to malicious content. On a list with 30 random known-malicious domains, OpenDNS blocked 3 of them (10% success rate) and Comodo blocked another 4 (~10% success rate).

These domains were all blacklisted by Google Safe Browsing and some major antivirus engines, and most of them were on PhishTank. Still, almost none of them got blocked.

Quad9 did not block any of those malicious domains. Read more for details.

Testing
To test the usefulness of these providers, I spent a few hours trying to find malicious domains. I went through a few sites from security providers, malware lists, phishing lists and sites like that. I also went to my own email looking for malicious links.

On each one, I visited the site itself to confirm that the phishing (or malware) was still active and live. After that, I did a DNS lookup using the specific service to check if the domain was blocked or allowed. Pretty simple.

Enough introductions, let's see how it went.

Test 1: New phishing (recently added to phishtank).
*Blocked by Google SafeBrowsing as deceptive. URL: aosieuuw[.]com[/]bigmoneydoc/new/home/

Quad9: Not Blocked
OpenDNS: Not Blocked
Norton Connect Safe: Not Blocked
Comodo Secure: Not Blocked
Yandex Safe: Not Blocked
None of them blocked the domain.

Test 2: Day-old phishing (paypal fake login page).
*Blocked by Google SafeBrowsing as deceptive. URL: pkgzmt[.]com/signin/

OpenDNS: Blocked
Quad9: Not Blocked
Norton Connect Safe: Not Blocked
Comodo Secure: Not Blocked
Yandex Safe: Not Blocked
Only OpenDNS blocked the domain.

Test 3: Fake Facebook Login page
*Blocked by Google SafeBrowsing as deceptive. URL: 0-facebook[.]com[/]

Comodo Secure: Blocked
OpenDNS: Not Blocked
Norton Connect Safe: Not Blocked
Quad9: Not Blocked
Yandex Safe: Not Blocked
Only Comodo Secure blocked the domain.

Test 4: Old Phishing page (still active)
*Blocked by Google SafeBrowsing as deceptive. URL: www[.]bhargavi.org[/]mainpayuk[/]

Comodo Secure: Blocked
OpenDNS: Not Blocked
Norton Connect Safe: Not Blocked
Quad9: Not Blocked
Yandex Safe: Not Blocked
Only Comodo Secure blocked the domain.

Test 5: Malicious domain distributing malware (still active)
*Blocked by Google SafeBrowsing, SiteAdvisor and Norton SafeWeb. URL: ibtrainings[.]com

Quad9: Not Blocked
OpenDNS: Not Blocked
Norton Connect Safe: Not Blocked
Comodo Secure: Not Blocked
Yandex Safe: Not Blocked
None of them blocked the domain (surprising that Norton did not block it, as the Norton SafeWeb API flags it as malicious).

Test 6: Foreign bank phishing (still active)
*Blocked by Sophos, Kaspersky, Fortinet. URL: santandernetweb[.]com

Quad9: Not Blocked
OpenDNS: Not Blocked
Norton Connect Safe: Not Blocked
Comodo Secure: Not Blocked
Yandex Safe: Not Blocked
None of them blocked the domain.

Test 7: Phishing / fake Download domain
*Blocked by Google & ESET. URL: upgradepc[.]centraloperatingupgradesalways[.]stream

Quad9: Not Blocked
OpenDNS: Not Blocked
Norton Connect Safe: Not Blocked
Comodo Secure: Not Blocked
Yandex Safe: Not Blocked
None of them blocked the domain.

Test 8: Malware / Drive by Download domain
*Blocked by Google & ESET and Sophos. URL: adultpro[.]xyz

Quad9: Not Blocked
OpenDNS: Not Blocked
Norton Connect Safe: Not Blocked
Comodo Secure: Not Blocked
Yandex Safe: Not Blocked
None of them blocked the domain.

Summary
I was not happy with the results. The more domains I tested, the more disappointed I got with the results. I had more than 30 random malicious domains for my informal research, but only reported the first 8 above because almost all others had the same result: "not blocked".

I think the lesson here is clear: Google Safe Browsing does a lot better than almost any of the DNS-based filters, and they cannot be used alone for security. In fact, they seem to do very little to help block access to malicious domains.

DNS Security Filters Compared: Quad9 x OpenDNS x Comodo Secure x Norton ConnectSafe x Yandex Safe
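The post's method ("I did a DNS lookup using the specific service to check if the domain was blocked or allowed") can be made repeatable. Below is an added example, written for this thread and not code from the post or from any of the resolver operators: a stdlib-only Python harness that sends an A query to each listed resolver, parses the reply, and compares it with an unfiltered control resolver. The classification rule is my assumption, not something the providers document here: an NXDOMAIN or REFUSED answer, or an answer whose addresses never appear in the control's answer (a block page or sinkhole), counts as blocked; when the control cannot resolve the name either, the domain is recorded as dead rather than blocked, which is the "still active" check the post does by visiting each site. The replies used when the script runs without arguments are constructed, with RFC 5737 documentation addresses.

```python
"""Stdlib-only DNS-filter test harness (added example, not the post's code).

Assumption: a filtering resolver signals a block with an NXDOMAIN/REFUSED rcode
or by answering with a block-page address an unfiltered control never returns.
"""
import random
import socket
import struct

RESOLVERS = {                      # the five services listed in the post
    "Quad9": "9.9.9.9",
    "OpenDNS": "208.67.222.123",
    "Norton ConnectSafe": "199.85.126.10",
    "Comodo Secure": "8.26.56.26",
    "Yandex Safe": "77.88.8.88",
}
CONTROL = "8.8.8.8"                # unfiltered reference, per the post's description
RCODE_NXDOMAIN, RCODE_REFUSED = 3, 5

def build_query(domain, qid):
    """RFC 1035 wire format: header with RD set, one A/IN question."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = domain.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("idna") for lbl in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(data):
    """Return (rcode, [IPv4 strings from A records in the answer section])."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4    # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips

def build_response(qid, rcode, domain, ips, ttl=300):
    """Constructed reply for offline use; mirrors build_query's question layout."""
    header = struct.pack(">HHHHHH", qid, 0x8180 | rcode, 1, len(ips), 0, 0)
    question = build_query(domain, qid)[12:]
    answers = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                       for ip in ips)
    return header + question + answers

def classify(filtered, control):
    """Compare a filtering resolver's (rcode, ips) with the control resolver's.
    Without the control, an NXDOMAIN block looks exactly like a taken-down domain."""
    c_rcode, c_ips = control
    f_rcode, f_ips = filtered
    if c_rcode != 0 or not c_ips:
        return "dead"                      # nobody resolves it: not a block
    if f_rcode in (RCODE_NXDOMAIN, RCODE_REFUSED):
        return "blocked"
    if f_rcode != 0 or not f_ips:
        return "error"
    if set(f_ips).isdisjoint(c_ips):
        return "blocked"                   # resolved only to addresses the control never gave
    return "allowed"

def lookup(resolver_ip, domain, timeout=3.0):
    """Live UDP query against one resolver (not exercised offline)."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain, qid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack(">H", data[:2])[0] != qid:
        raise ValueError("transaction id mismatch")
    return parse_response(data)

if __name__ == "__main__":
    # Offline demo on constructed replies; for a live run replace each
    # build_response(...) with lookup(resolver_ip, domain) over RESOLVERS.
    control = parse_response(build_response(1, 0, "phish.example", ["203.0.113.10"]))
    samples = {
        "NXDOMAIN-style block": build_response(1, RCODE_NXDOMAIN, "phish.example", []),
        "block-page-style block": build_response(1, 0, "phish.example", ["198.51.100.5"]),
        "passed through": build_response(1, 0, "phish.example", ["203.0.113.10"]),
    }
    for label, raw in samples.items():
        print(f"{label:24} -> {classify(parse_response(raw), control)}")
```

Two caveats when running this live. The address-disjoint rule fires spuriously for names served by CDNs that hand different addresses to different resolvers, so where a provider publishes its block-page addresses, compare against those instead. And a blocked answer may be cached at the resolver for the record's TTL, so a domain that was allowed a minute ago can show as blocked on the next query; repeat each lookup rather than trusting a single sample.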

Evjl's Rain

Some of them are very old phishing domains, but not many vendors have flagged them according to VT after I performed a re-scan.
It means those domains may or may not be malicious, or they are not obviously malicious enough to be flagged.
For example, softonic.com

Many of these DNS servers are not good against phishing.
DNS is a supplement to AV and Google Safe Browsing in case they miss malicious URLs. Moreover, it can help you protect against scripts from wscript, cmd and PowerShell, where the primary malware has already bypassed Google Safe Browsing. DNS can protect system-wide.

TairikuOkami

DNS is not good at blocking phishing (extensions are better). Before the URL is distributed to servers and DNS is flushed (server/client side), the URL is usually dead. Blocking malware downloads via DNS is problematic; they are usually hosted on legitimate webpages. Blocking infected webpages is another matter.

UltraDNS/Neustar has an effective threat filter - Try Our Free Recursive DNS Service | Neustar

Evjl's Rain

> DNS is not good at blocking phishing (extensions are better). Before the URL is distributed to servers and DNS is flushed (server/client side), the URL is usually dead. Blocking malware downloads via DNS is problematic; they are usually hosted on legitimate webpages. Blocking infected webpages is another matter.
>
> UltraDNS/Neustar has an effective threat filter - Try Our Free Recursive DNS Service | Neustar

How does it compare to Norton or Quad9? Have you tested all of them?
I have not tested Neustar, but I have tested Norton and Quad9. Norton >>>>> Quad9
Quad9 focuses on blocking old domains based on filter lists from other services such as OpenPhish and CleanMX. Not sure if they have their own database, since I haven't seen any.

Slyguy

DNS isn't that good for blocking unless you run a local DNS server with blacklists, like Pi-hole. Then DNS blocking becomes a potent layer of security. Quad9 is garbage by the way, don't use it.

Anyone can set up a Pi-hole and point their router DNS back to the IP of the local Pi-hole. I use these blacklists on my Pi-hole and it provides near absolute protection at the DNS level for anything within my network:

http://someonewhocares.org/hosts/zero/hosts
http://sysctl.org/cameleon/hosts
http://winhelp2002.mvps.org/hosts.txt
https://adaway.org/hosts.txt
https://adblock.mahakala.is
https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt
https://gist.githubusercontent.com/anudeepND/adac7982307fec6ee23605e281a57f1a/raw/5b8582b906a9497624c3f3187a49ebc23a9cf2fb/Test.txt
https://gist.githubusercontent.com/BBcan177/b6df57cef74e28d90acf1eec93d62d3b/raw/f0996cf5248657ada2adb396f3636be8716b99eb/MS-4
https://gist.githubusercontent.com/CheckYourSix/52d2b122aa216e944641b4e1665a92a3/raw/d76d12c8909b8921d0d7cb0cc1a96b4498a68772/gistfile1.txt
https://raw.githubusercontent.com/CHEF-KOCH/Canvas-Font-Fingerprinting-pages/master/Canvas.txt
https://raw.githubusercontent.com/CHEF-KOCH/WebRTC-tracking/master/WebRTC.txt
https://raw.githubusercontent.com/CHEF-KOCH/Audio-fingerprint-pages/master/AudioFp.txt
https://raw.githubusercontent.com/CHEF-KOCH/Canvas-fingerprinting-pages/master/Canvas.txt
https://hostsfile.mine.nu/hosts0.txt
https://hosts-file.net/ad_servers.txt
https://hosts-file.net/emd.txt
https://hosts-file.net/exp.txt
https://hosts-file.net/fsa.txt
https://hosts-file.net/grm.txt
https://hosts-file.net/psh.txt
https://hostsfile.org/Downloads/hosts.txt
https://isc.sans.edu/feeds/suspiciousdomains_Low.txt
https://mirror1.malwaredomains.com/files/immortal_domains.txt
https://mirror1.malwaredomains.com/files/justdomains
https://osint.bambenekconsulting.com/feeds/dga-feed.txt
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
https://raw.githubusercontent.com/anudeepND/youtubeadsblacklist/master/domainlist.txt
https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt
https://raw.githubusercontent.com/piwik/referrer-spam-blacklist/master/spammers.txt
https://raw.githubusercontent.com/quidsup/notrack/master/malicious-sites.txt
https://raw.githubusercontent.com/quidsup/notrack/master/trackers.txt
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.2o7Net/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Risk/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/SpotifyAds/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/tyzbit/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/UncheckyAds/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://raw.githubusercontent.com/vokins/yhosts/master/hosts
https://raw.githubusercontent.com/ZeroDot1/CoinBlockerLists/master/hosts
https://raw.githubusercontent.com/ZeroDot1/CoinBlockerLists/master/hosts_browser
https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://v.firebog.net/hosts/AdguardDNS.txt
https://v.firebog.net/hosts/Airelle-hrsk.txt
https://v.firebog.net/hosts/Airelle-trc.txt
https://v.firebog.net/hosts/BillStearns.txt
https://v.firebog.net/hosts/Easylist.txt
https://v.firebog.net/hosts/Easyprivacy.txt
https://v.firebog.net/hosts/Kowabit.txt
https://v.firebog.net/hosts/Prigent-Ads.txt
https://v.firebog.net/hosts/Prigent-Malware.txt
https://v.firebog.net/hosts/Prigent-Phishing.txt
https://v.firebog.net/hosts/Shalla-mal.txt
https://v.firebog.net/hosts/static/SamsungSmart.txt
https://v.firebog.net/hosts/static/w3kbl.txt
https://www.dshield.org/feeds/suspiciousdomains_Low.txt
https://www.joewein.net/dl/bl/dom-bl-base.txt
https://www.malwaredomainlist.com/hostslist/hosts.txt
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
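What Pi-hole does with a list like the one above boils down to three steps: fetch each source, normalize two formats (hosts-file lines such as `0.0.0.0 evil.example` and bare one-domain-per-line lists) into one deduplicated set, and answer any matching name with a sinkhole address instead of forwarding it upstream. The following added example (written for this thread; it is not Pi-hole's code) performs that aggregation offline on constructed sample list contents, not on data fetched from the URLs above. It also records which list contributed each entry, which is what you need when a legitimate domain turns up blocked and you have to decide which of sixty-odd sources to drop. The `match_parents` option goes beyond what hosts-file lists give you (they are exact-match only) by treating a listed parent as covering its subdomains; that is my addition and is off by default.

```python
"""Aggregate hosts-format and domain-only blocklists into one DNS blocklist.

Added example, not Pi-hole's code. SAMPLE_SOURCES below is constructed to
show the two list formats; it is not the content of the real feeds.
"""
import re

# Addresses hosts files use as sinkhole targets; a line starting with one is a block entry.
SINKHOLE_PREFIXES = ("0.0.0.0", "127.0.0.1", "::1", "::")
# Names present in nearly every hosts file that must never end up in the blocklist.
NEVER_BLOCK = {
    "localhost", "localhost.localdomain", "local", "broadcasthost", "0.0.0.0",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}
# Conservative hostname syntax check: lowercase labels, no leading/trailing hyphen.
LABEL = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")

def parse_blocklist(text):
    """Yield domains from one list, accepting hosts and one-domain-per-line formats."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if fields[0] in SINKHOLE_PREFIXES:         # hosts format: "0.0.0.0 evil.example [alias ...]"
            names = fields[1:]
        elif len(fields) == 1:                      # domain-only format
            names = fields
        else:
            continue                                # hosts line mapping to a real address: not a block
        for name in names:
            name = name.lower().rstrip(".")
            if name in NEVER_BLOCK or not LABEL.match(name):
                continue
            yield name

def build_gravity(sources):
    """sources: {list_name: list_text}. Returns {domain: set(list_names that listed it)}."""
    gravity = {}
    for source, text in sources.items():
        for domain in parse_blocklist(text):
            gravity.setdefault(domain, set()).add(source)
    return gravity

def lookup_block(domain, gravity, match_parents=False):
    """Return the set of lists that block `domain` (empty set means allowed).

    Hosts-file lists are exact-match by design; match_parents=True additionally
    lets a listed parent (evil.example) cover its subdomains, a stricter policy."""
    domain = domain.lower().rstrip(".")
    candidates = [domain]
    if match_parents:
        labels = domain.split(".")
        candidates += [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    for name in candidates:
        if name in gravity:
            return gravity[name]
    return set()

# Constructed sample list contents in the two formats the feeds above use.
SAMPLE_SOURCES = {
    "hosts-style": """# comment line
127.0.0.1 localhost
0.0.0.0 ads.tracker.example   # trailing comment
0.0.0.0 phish.example alias.phish.example
192.0.2.10 intranet.example   # real mapping, not a block
""",
    "domains-only": """malware.example
phish.example
Not_A_Domain!
""",
}

if __name__ == "__main__":
    gravity = build_gravity(SAMPLE_SOURCES)
    print(f"{len(gravity)} unique blocked domains")
    for d in ("phish.example", "cdn.phish.example", "intranet.example"):
        hits = lookup_block(d, gravity, match_parents=True)
        print(f"{d:22} -> {'blocked by ' + ', '.join(sorted(hits)) if hits else 'allowed'}")
```

In a real deployment the fetch step needs one more rule: a source that returns an error or an empty body should be dropped for that refresh rather than silently kept from the last good copy, because public feeds are retired without notice and a stale list is indistinguishable from a current one once it is merged.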

Terry Ganzi

You can review this list, if you need proof in the pudding.

L0ckJaw

Just tested the phishing sites in the first post; some links are dead and all the others were blocked by Chrome and G Data.
None of them passed. Cool score :)

128BPM

I remember that some years ago there were applications that analyzed web page code in real time to detect malware. Currently they only use blocklists; why would they discard those technologies?

Slyguy

> I remember that some years ago there were applications that analyzed web page code in real time to detect malware. Currently they only use blocklists; why would they discard those technologies?

Heuristic Analysis proved to be a bit too slow for modern day speeds and the growing complexity of pages. Some AV products still offer heuristic scanning of web pages, but it can result in a noticeable slowdown on page loads.

Spawn

Administrator
It's not garbage.

They have a comprehensive FAQ which should answer most your questions and concerns about privacy.
Quad9 Frequently Asked Questions

If you want to see what sites are blocked and by which provider, see the example below:
Result • Quad 9

From the compared DNS in this thread (via medium), my choice is the IBM-backed Quad9 DNS. Couple it with a content blocker for even better results. I have used it on my laptop for a few months without any issues, but I'll let you know once I do.

Setup - Quad9
Preferred DNS: 9.9.9.9
Alt. DNS: 149.112.112.112