Advice Request DNS Spoofability Test of Some Well-known Public DNS

Please provide comments and solutions that are helpful to the author of this topic.

H

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
Many DNS servers come with support for DNSSEC. However, they must pass the below 2 tests

1) DNSSEC Resolver Test

and

2) http://www.dnssec-failed.org/ (if you run this site it must show failure i.e. the site can't be reached)

I have been testing some DNS servers with DNSSEC and quite a number failed the 2 tests. I'm looking for one

1) which supports DNSSEC
2) with support for DNSCrypt (or DNS Over HTTPS or DNS Over TLS) and
3) NO logs

So far tested to pass are

1) Google DNS - logs
2) Lightning Wire Labs - not sure whether keeps logs
3) Quad9 - logs
4) CloudFlare - logs
5) CleanBrowsing - NO logs
6) Uncensored DNS (89.233.43.71) - NO logs

Edit - Added 4), 5) and 6)
 
Last edited:
  • Like
Reactions: Jack, yitworths, TairikuOkami and 1 other person
TairikuOkami

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,685
HarborFront said:
I have been testing some DNS servers with DNSSEC and quite a number failed the 2 tests.
Click to expand...
Nice, so I guess Yandex does not support DNSSEC after all. Cleanbrowsing passed both test though.

HarborFront said:
3) Quad9 - logs
Click to expand...
Funny, that SimpleDNSCrypt uses it as a backup DNS, since even according to its own filters, it logs, They should use cloudfire instead.
 
Last edited:
  • Like
Reactions: HarborFront and yitworths
yitworths

yitworths

Level 10
Thread author
Verified
Well-known
May 31, 2015
472
TairikuOkami said:
so I guess Yandex does not support DNSSEC after all
Click to expand...

that's why dns script don't show it as DNSSEC supported, but some websites show it is DNSSEC supported.

TairikuOkami said:
Funny, that SimpleDNSCrypt uses it as a backup DNS, since even according to its own filters, it logs, They should use cloudfire instead.
Click to expand...

I think,you can change it manually. but you've made a fair point regarding the default fallback resolver. They should use something which doesn't log. But that's their call to make.
 
  • Like
Reactions: TairikuOkami
A

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Could you test Heimdal dns? You will need to install a trial of Heimdal Pro.
 
H

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
TairikuOkami said:
Nice, so I guess Yandex does not support DNSSEC after all. Cleanbrowsing passed both test though.


Funny, that SimpleDNSCrypt uses it as a backup DNS, since even according to its own filters, it logs, They should use cloudfire instead.
Click to expand...
There's no mention on CleanBrowsing site that it supports DNSSEC. It supports only DNSCrypt/DNS Over TLS/DNS Over HTTPS.

CleanBrowsing DNS - Protecting our families and kids when visiting the web. Free Parental Control and Web filter.

You are right. It did pass both tests

BTW, does CleanBrowsing keeps logs?
 
Last edited:
H

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
Just tested FF Quantum's DNS Over HTTPS

Although it showed connected to CloudFlare DNS but it flunk the 2 DNS tests in my post #21

Anyone can confirm this?

Thanks

BTW, I also tested TENTA DNS Over TLS using the ICANN DNS servers and it also flunk the tests
 
Last edited:
H

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
yitworths said:
Today, I've just tested some public dns for their susceptibility to Kaminsky-style spoofing & got some interesting results.Now,I would like to share those results to other members of MT & would like to get some analysis,comments or feedbacks. & if possible please tell what dns server you use & why?

The list of public dns servers which undergone test namely Google,Quad9,DNS.WATCH,Comodo Secure DNS,OpenDNS Home,Norton ConnectSafe,OpenNIC,FreeDNS,Alternate DNS,Yandex.DNS,Adguard dns beta,UncensoredDNS,Cloudfare.

Adguard DNS beta Alternate DNS Cloudfare Comodo Secure DNS DNS.WATCH FreeDNS Google Public DNS Norton ConnectSafe OpenDNS Home OpenNIC

Quad9 DNS UncensoredDNS Yandex.DNS

View attachment 189966
Click to expand...
One question.

Did you test the primary or secondary DNS server or both?

Thanks
 
Kuttz

Kuttz

Level 13
Verified
Top Poster
Well-known
May 9, 2015
630
HarborFront said:
Many DNS servers come with support for DNSSEC. However, they must pass the below 2 tests

1) DNSSEC Resolver Test

and

2) http://www.dnssec-failed.org/ (if you run this site it must show failure i.e. the site can't be reached)

I have been testing some DNS servers with DNSSEC and quite a number failed the 2 tests. I'm looking for one

1) which supports DNSSEC
2) with support for DNSCrypt (or DNS Over HTTPS or DNS Over TLS) and
3) NO logs

So far tested to pass are

1) Google DNS - logs
2) Lightning Wire Labs - not sure whether keeps logs
3) Quad9 - logs
4) CloudFlare - logs
5) CleanBrowsing - not sure whether keeps logs
6) Uncensored DNS (89.233.43.71) - NO logs

Edit - Added 4), 5) and 6)
Click to expand...

My Quad9 DNS passed both tests (y)
Qu9.PNGQu9a.PNG
 
  • Like
Reactions: frogboy
H

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
Last edited:
  • Like
Reactions: Kuttz
TairikuOkami

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,685
HarborFront said:
BTW, does CleanBrowsing keeps logs?
Click to expand...
According to SimpleDNS filters, no. But even its less strict version sometimes blocks legitimate pages, like file/image hosting.
When searching via DuckDuckGo, it does not display images, because it uses proxy, though Adult version should not block proxy.
 

Attachments

  • capture_06072018_101358.jpg
    capture_06072018_101358.jpg
    154.1 KB · Views: 466
  • capture_06072018_101450.jpg
    capture_06072018_101450.jpg
    85.8 KB · Views: 368
  • Like
Reactions: HarborFront
H

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
TairikuOkami said:
According to SimpleDNS filters, no. But even its less strict version sometimes blocks legitimate pages, like file/image hosting.
When searching via DuckDuckGo, it does not display images, because it uses proxy, though Adult version should not block proxy.
Click to expand...
Thanks

Since you are using Simple DNSCrypt can you help to check whether Lightning Wire Labs DNS keep logs?
 
Last edited:

Similar threads

I
    • Like
  • Locked
DNS Override for iOS - Change DNS Server settings on iPhone & iPad
Replies
2
Views
3,350
Other security for Android & iOS
Ink
I
H
    • Like
    • Applause
Advice Request Phishing Protection — Comparing DNS Security Filters
Replies
41
Views
18,053
VPN and DNS
vettejock99
V
H
    • Like
DNS Security Filters Compared: Quad9 x OpenDNS x Comodo Secure x Norton ConnectSafe x Yandex Safe
Replies
24
Views
17,139
VPN and DNS
goodjohnjr
goodjohnjr

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top