DNS Security Review

[Kuttz]

Content source

https://www.youtube.com/watch?v=wSAWCMTwPiU

In this video we test NextDNS, Quad9, Cloudflare, DNS by COMODO, and Google Public DNS against 50 malicious URLs. Will there claims of malware and phishing protection stand up?

 

[marksti64]

Interesting video. I'm surprised how much cloudflare missed.

 

[zkSnark]

It's a one year old video. Lots have changed since then. Can you please do a fresh comparison?

 

[upnorth]

The first example of additional techniques we’ve observed uses legitimate services to query IP assignments for malicious domains. By using these services, Trident Ursa is effectively bypassing DNS and DNS logging for the malicious domains.

Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine

Ukraine and its cyber domain has faced ever-increasing threats from Russia. We give an update on APT group Trident Ursa (aka Gamaredon).

unit42.paloaltonetworks.com

 

[TairikuOkami]

By using these services, Trident Ursa is effectively bypassing DNS and DNS logging for the malicious domains.

Bypassing DNS Through a Messaging Service
Once opened, this .lnk shortcut uses mshta.exe
a loader that drops two files and eventually runs them as VBScripts using the wscript application.

I am pretty sure that DNS would block C&C server, but still, I block social media on my main browser, mshta.exe is disallowed and WSH is disabled. Pretty lame malware.

 

[brambedkar59]

Problem with a test having such a little data set is that the winner is already decided when source for those malware links are picked.

 

[upnorth]

Abuse of legit services is nothing brand new as for example Google Firebase is one of those.

Firebase Cloud Messaging

Firebase Cloud Messaging (FCM) is a cross-platform messaging solution that lets you reliably send messages.

firebase.google.com

Here's a bit deeper analysis on the use of Firebase and this was already being done by attackers in 2020.

DoNot’s Firestarter abuses Google Firebase Cloud Messaging to spread

By Warren Mercer, Paul Rascagneres and Vitor Ventura. * The newly discovered Firestarter malware uses Google Firebase Cloud Messaging to notify its authors of the final payload location. * Even if the command and control (C2) is taken down, the DoNot team can still redirect the malware to...

blog.talosintelligence.com

 

[Scupper]

I recognize that this service only applies to Canadians, but would really welcome your including it in future tests if possible.

CIRA Canadian Shield | Free public DNS for Canadians

Free malware and phishing protection for Canadian households

www.cira.ca

Thanks