DNS threat-blocking comparison: 8 DNS services

[Evjl's Rain]

I performed a test between well-known DNS-es with multiple links

OpenDNS: 208.67.222.222, 208.67.220.220
Norton ConnectSafe: 199.85.126.10, 199.85.127.10
Quad9: 9.9.9.9, 149.112.112.112
SafeDNS: 195.46.39.39, 195.46.39.40
Neustar Free Recursive: 156.154.70.2, 156.154.71.2
Comodo Shield: 8.26.56.10, 8.20.247.10
Yandex: 77.88.8.88, 77.88.8.2
Adguard: 176.103.130.130, 176.103.130.131

Links: 56, may contain some dead links

Spoiler: link

Dropbox - DNS link test - 12-4-2018.txt

10 links were collected from vxvault, malc0de, phishtank, openphish and especially 6 links from MT malware Hub. Special thanks to @Solarquest, @silversurfer and @Der.Reisende for providing the samples so I could extract some links from script files.

NOTE: 1 DNS may not be able to resolve the links while others can. Therefore, you would see 1/10, 2/9 or 3/7 in the results

Winner: Neustar Free Recursive DNS

 

[mekelek]

neustar, phishtank, 7 out of 6 ?
nonetheless thank you @Evjl's Rain , doing gods work

 

[Evjl's Rain]

neustar, phishtank, 7 out of 6 ?
nonetheless thank you @Evjl's Rain , doing gods work

sorry, it's 7/9, my mistake
I will fix it now
neustar's result dropped to 60%

 

[Digmor Crusher]

I'd be interested to see how 1.1.1.1 does in these tests.

 

[AlanOstaszewski]

I'd be interested to see how 1.1.1.1 does in these tests.

1.1.1.1 does not censor.

 

[Arequire]

I'd be interested to see how 1.1.1.1 does in these tests.

Cloudflare's DNS doesn't include malicious domain blocking.

 

[ForgottenSeer 58943]

I'd imagine my Pi-Hole is somewhere around 90%+ range.

Since my own DNS Server (Pi-Hole) not only uses Adguard's complete DNS database, but all of the other ones available that are curated for PI-Hole users. It's quite inclusive and I would highly recommend everyone spend 30-40 minutes learning how to setup a Pi-Hole, and the $40 for the Raspberry Pi from Amazon. Then you can dispense with all of these services and handle it all yourself.

Remember, Pi-Hole acts as your local DNS Filter and local DNS Cache, about 10,000 DNS entries are cached for immediate response on the LAN. Aside from that after the cache and blacklist, Pi-Hole resolves to your forwarder. So using a PI-Hole AND forwarding to Neustar? That's probably 99-100% protection without a doubt from every known threat actor in the world.

Neustar has ICMP off but I can tell that it would resolve in 20ms< by a TR reverse on it. Which is very good, at least in my location.

 

[upnorth]

This should be a sticky. Thank's for the share @Evjl's Rain .

 

[Digmor Crusher]

1.1.1.1 does not censor.

Cloudflare's DNS doesn't include malicious domain blocking.

Thanks guys, wasn't aware of that.

 

[upnorth]

Cloudflare Spectrum | Cloudflare

At the moment for Enterprise users only but hopefully they will expand it.

 

[ForgottenSeer 58943]

Take a look at this URL that hit our labs today. Fresh off the block. Only FortiGuard detects it as of 10PM EST. Even Zvelo and my Pi-Hole Databases miss it.. Ugh. Note, I SUD it to Zvelo and Google, so it should pop there any minute.

 

[HarborFront]

I maybe wrong. NeuStar logs personal info/anonymized logs and may/may not share with partners and 3rd-party affiliates

Anyone knows whether AdGuard does the same?

 

[stolikat]

^ I think you are right see here;

Privacy Policy | Neustar

Neustar is committed to the responsible use of Personal Information to help businesses make better decisions, secure their operations, and deliver personalized content while respecting personal privacy. To accomplish this goal, we adhere to Privacy by Design principles, taking personal privacy into consideration throughout the process of designing, building, and delivering information products and services.

Looks like a deal breaker for me.

 

[mekelek]

Take a look at this URL that hit our labs today. Fresh off the block. Only FortiGuard detects it as of 10PM EST. Even Zvelo and my Pi-Hole Databases miss it.. Ugh. Note, I SUD it to Zvelo and Google, so it should pop there any minute.

View attachment 186034

would there be a way for me to implement fortnite's web signatures without anything else? like installing forticlient and disabling all modules except that one?

 

[Evjl's Rain]

Since my own DNS Server (Pi-Hole) not only uses Adguard's complete DNS database,

I believe the filterlist we get from adguard doesn't contain the whole database of adguard DNS. I think adguard DNS does query the data from google safe browsing if I'm not mistaken

I opened the adguard DNS filter here:
https://filters.adtidy.org/windows/filters/15.txt

I searched the openphish domains which were blocked in my test in that adguard DNS filter. I found none => which means adguard does query its result from somewhere else
adguard blocked 6/10 openphish links in my test

 

[Arequire]

Anyone knows whether AdGuard does the same?

When you use AdGuard DNS, it sees the following information:
Your IP-address.
DNS request which contains domain name. We, in our turn, do not log or save any information. Since no information is being saved, nothing is sent to third parties.

 

[ForgottenSeer 58943]

would there be a way for me to implement fortnite's web signatures without anything else? like installing forticlient and disabling all modules except that one?

You could in theory, install FortiClient but ONLY check the Web Filtration module.

Originally, one could use FortiGuard DNS to block malware, then they pinned it to validation check with FortiGate appliances because people were using FortiGuard as a free service and abusing it. Sadly.

 

[mekelek]

You could in theory, install FortiClient but ONLY check the Web Filtration module.

Originally, one could use FortiGuard DNS to block malware, then they pinned it to validation check with FortiGate appliances because people were using FortiGuard as a free service and abusing it. Sadly.

i was asking if forticlient has modules that can't be disabled fully like in some AV.
i don't want any conflict in terms of exploit protection or anything else

 

[mekelek]

You could in theory, install FortiClient but ONLY check the Web Filtration module.

Originally, one could use FortiGuard DNS to block malware, then they pinned it to validation check with FortiGate appliances because people were using FortiGuard as a free service and abusing it. Sadly.

http://any.ac/E394n6.webm

gave a chance to Forticlient, I'm getting stomach problems from the UI and the way UI works

you can get into settings, but you can't edit it. once you find somewhere an option that asks to elevate, you can, but then its bugged.

lets not talk about how group selection works...

if you want to elevate, you can't just have a main option, you have to go to that certain option to elevate every time.

then it blocked my own domain for being new, fine, tried disabling those categories, as shown on the webm, doesn't work.

logs tab has no option to right click and exclude, you gotta go to Exclusions and manually fill it out.

and all this just with one module, I can't imagine what it's like with all the other modules....

i suggest them hiring some UI designer cause all the technology is wasted behind this catastrophy they call a console.

 

[DeepWeb]

I found out that my stupid At&t DSL/Fiber Gateways blocks the IP 1.1.1.1. If you are not able to resolve addresses, use 1.0.0.1 instead for Cloudfare.

Beware if you use DNS over TLS your local Hosts file and your AV won't kick in to block phishing/adware/malware domains because they are not programmed to check traffic over other ports, much less encrypted traffic.