Advice Request DNS Spoofability Test of Some Well-known Public DNS

HarborFront

Many DNS servers come with support for DNSSEC. However, they must pass the below 2 tests

1) DNSSEC Resolver Test

and

2) http://www.dnssec-failed.org/ (if you run this site it must show failure i.e. the site can't be reached)

I have been testing some DNS servers with DNSSEC and quite a number failed the 2 tests. I'm looking for one

1) which supports DNSSEC
2) with support for DNSCrypt (or DNS Over HTTPS or DNS Over TLS) and
3) NO logs

So far tested to pass are

1) Google DNS - logs
2) Lightning Wire Labs - not sure whether keeps logs
3) Quad9 - logs
4) CloudFlare - logs
5) CleanBrowsing - NO logs
6) Uncensored DNS (89.233.43.71) - NO logs

Edit - Added 4), 5) and 6)
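
Added example, not part of the thread and not any poster's code: a stdlib-only Python check for the behaviour the two tests above look for, namely that a validating resolver refuses `www.dnssec-failed.org` while still answering a correctly signed name. Assumptions: the AD-flag check on a caller-supplied signed name stands in for the first test, and the extra CD=1 query (to tell a validation failure from an ordinary outage) goes beyond what the post describes; the sample replies are constructed headers, not captures.

```python
import socket
import struct
BROKEN_NAME = "www.dnssec-failed.org"  # test 2 in the post: must NOT resolve

def build_query(name, txid=0x1A2B, cd=False):
    """A-record query with RD set and an EDNS0 OPT record carrying the DO bit."""
    flags = 0x0100 | (0x0010 if cd else 0)  # RD, plus CD (checking disabled) on request
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)  # DO bit sits in the TTL field
    return header + qname + struct.pack("!HH", 1, 1) + opt

def parse_header(msg):
    """Return (rcode, ad_flag, answer_count) from a raw DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _, flags, _, ancount = struct.unpack("!4H", msg[:8])
    return flags & 0x000F, bool(flags & 0x0020), ancount

def verdict(signed, broken, broken_cd):
    """Classify from three replies: signed name, broken name, broken name with CD=1."""
    s_rcode, s_ad, _ = parse_header(signed)
    b_rcode, _, b_an = parse_header(broken)
    c_rcode, _, c_an = parse_header(broken_cd)
    if b_rcode == 0 and b_an > 0:
        return "not validating: broken name resolved"
    if b_rcode == 2 and not (c_rcode == 0 and c_an > 0):
        return "inconclusive: SERVFAIL persists with CD=1, so not a validation failure"
    if b_rcode == 2 and s_rcode == 0 and s_ad:
        return "validating"
    return "inconclusive"

def ask(resolver_ip, name, cd=False, timeout=3.0):
    """Send one query over UDP/53 and return the raw reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, cd=cd), (resolver_ip, 53))
        return sock.recv(4096)

def check_resolver(resolver_ip, signed_name):
    """signed_name is caller-supplied: any zone you know to be correctly signed."""
    return verdict(ask(resolver_ip, signed_name), ask(resolver_ip, BROKEN_NAME),
                   ask(resolver_ip, BROKEN_NAME, cd=True))

def _hdr(flags, ancount):  # constructed 12-byte reply header, no records
    return struct.pack("!6H", 0x1A2B, flags, 1, ancount, 0, 0)
SAMPLE_VALIDATING = (_hdr(0x81A0, 1), _hdr(0x8182, 0), _hdr(0x8190, 1))
SAMPLE_NOT_VALIDATING = (_hdr(0x8180, 1), _hdr(0x8180, 1), _hdr(0x8190, 1))
```

`verdict(*SAMPLE_VALIDATING)` runs offline on the constructed replies; `check_resolver(ip, signed_name)` performs the same classification against a live resolver.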
 

TairikuOkami

> I have been testing some DNS servers with DNSSEC and quite a number failed the 2 tests.

Nice, so I guess Yandex does not support DNSSEC after all. Cleanbrowsing passed both tests though.

> 3) Quad9 - logs

Funny, that SimpleDNSCrypt uses it as a backup DNS, since even according to its own filters, it logs. They should use Cloudflare instead.
 

yitworths

Thread author
> so I guess Yandex does not support DNSSEC after all

That's why the dns script doesn't show it as DNSSEC supported, but some websites show it is DNSSEC supported.

> Funny, that SimpleDNSCrypt uses it as a backup DNS, since even according to its own filters, it logs. They should use Cloudflare instead.

I think you can change it manually. But you've made a fair point regarding the default fallback resolver. They should use something which doesn't log. But that's their call to make.
 

Azure

Could you test Heimdal dns? You will need to install a trial of Heimdal Pro.
 

HarborFront

> Nice, so I guess Yandex does not support DNSSEC after all. Cleanbrowsing passed both tests though.
>
> Funny, that SimpleDNSCrypt uses it as a backup DNS, since even according to its own filters, it logs. They should use Cloudflare instead.

There's no mention on CleanBrowsing site that it supports DNSSEC. It supports only DNSCrypt/DNS Over TLS/DNS Over HTTPS.

CleanBrowsing DNS - Protecting our families and kids when visiting the web. Free Parental Control and Web filter.

You are right. It did pass both tests.

BTW, does CleanBrowsing keep logs?
 

HarborFront

Just tested FF Quantum's DNS Over HTTPS

Although it showed connected to CloudFlare DNS, it flunked the 2 DNS tests in my post #21.

Anyone can confirm this?

Thanks

BTW, I also tested TENTA DNS Over TLS using the ICANN DNS servers and it also flunked the tests.
 

HarborFront

> Today, I've just tested some public dns for their susceptibility to Kaminsky-style spoofing & got some interesting results. Now, I would like to share those results to other members of MT & would like to get some analysis, comments or feedback. & if possible please tell what dns server you use & why?
>
> The list of public dns servers which underwent the test, namely Google, Quad9, DNS.WATCH, Comodo Secure DNS, OpenDNS Home, Norton ConnectSafe, OpenNIC, FreeDNS, Alternate DNS, Yandex.DNS, Adguard dns beta, UncensoredDNS, Cloudflare.

One question.

Did you test the primary or secondary DNS server or both?

Thanks
 

Kuttz

> Many DNS servers come with support for DNSSEC. However, they must pass the below 2 tests
>
> 1) DNSSEC Resolver Test
>
> and
>
> 2) http://www.dnssec-failed.org/ (if you run this site it must show failure i.e. the site can't be reached)
>
> I have been testing some DNS servers with DNSSEC and quite a number failed the 2 tests. I'm looking for one
>
> 1) which supports DNSSEC
> 2) with support for DNSCrypt (or DNS Over HTTPS or DNS Over TLS) and
> 3) NO logs
>
> So far tested to pass are
>
> 1) Google DNS - logs
> 2) Lightning Wire Labs - not sure whether keeps logs
> 3) Quad9 - logs
> 4) CloudFlare - logs
> 5) CleanBrowsing - not sure whether keeps logs
> 6) Uncensored DNS (89.233.43.71) - NO logs
>
> Edit - Added 4), 5) and 6)

My Quad9 DNS passed both tests (y)

TairikuOkami

> BTW, does CleanBrowsing keep logs?

According to SimpleDNS filters, no. But even its less strict version sometimes blocks legitimate pages, like file/image hosting.
When searching via DuckDuckGo, it does not display images, because it uses proxy, though Adult version should not block proxy.
 


HarborFront

> According to SimpleDNS filters, no. But even its less strict version sometimes blocks legitimate pages, like file/image hosting.
> When searching via DuckDuckGo, it does not display images, because it uses proxy, though Adult version should not block proxy.

Thanks

Since you are using Simple DNSCrypt, can you help to check whether Lightning Wire Labs DNS keeps logs?
 