Evjl's Rain

Level 43
Verified
Trusted
Content Creator
Malware Hunter
I performed a test between well-known DNS-es with multiple links

OpenDNS: 208.67.222.222, 208.67.220.220
Norton ConnectSafe: 199.85.126.10, 199.85.127.10
Quad9: 9.9.9.9, 149.112.112.112
SafeDNS: 195.46.39.39, 195.46.39.40
Neustar Free Recursive: 156.154.70.2, 156.154.71.2
Comodo Shield: 8.26.56.10, 8.20.247.10
Yandex: 77.88.8.88, 77.88.8.2
Adguard: 176.103.130.130, 176.103.130.131


Links: 56, may contain some dead links
10 links were collected from vxvault, malc0de, phishtank, openphish and especially 6 links from MT malware Hub. Special thanks to @Solarquest, @silversurfer and @Der.Reisende for providing the samples so I could extract some links from script files.

NOTE: 1 DNS may not be able to resolve the links while others can. Therefore, you would see 1/10, 2/9 or 3/7 in the results

Capture.PNG


Winner: Neustar Free Recursive DNS
 
Last edited:

Slyguy

Level 42
Verified
I'd imagine my Pi-Hole is somewhere around 90%+ range.

Since my own DNS Server (Pi-Hole) not only uses Adguard's complete DNS database, but all of the other ones available that are curated for PI-Hole users. It's quite inclusive and I would highly recommend everyone spend 30-40 minutes learning how to setup a Pi-Hole, and the $40 for the Raspberry Pi from Amazon. Then you can dispense with all of these services and handle it all yourself.

Remember, Pi-Hole acts as your local DNS Filter and local DNS Cache, about 10,000 DNS entries are cached for immediate response on the LAN. Aside from that after the cache and blacklist, Pi-Hole resolves to your forwarder. So using a PI-Hole AND forwarding to Neustar? That's probably 99-100% protection without a doubt from every known threat actor in the world.

Neustar has ICMP off but I can tell that it would resolve in 20ms< by a TR reverse on it. Which is very good, at least in my location.
 
Last edited:

Slyguy

Level 42
Verified
Take a look at this URL that hit our labs today. Fresh off the block. Only FortiGuard detects it as of 10PM EST. Even Zvelo and my Pi-Hole Databases miss it.. Ugh. Note, I SUD it to Zvelo and Google, so it should pop there any minute.

Phish.png
 
Last edited:

HarborFront

Level 46
Verified
Content Creator
I maybe wrong. NeuStar logs personal info/anonymized logs and may/may not share with partners and 3rd-party affiliates

Anyone knows whether AdGuard does the same?
 
Last edited:
  • Like
Reactions: upnorth

stolikat

Level 1
^ I think you are right see here;

Privacy Policy | Neustar

Neustar is committed to the responsible use of Personal Information to help businesses make better decisions, secure their operations, and deliver personalized content while respecting personal privacy. To accomplish this goal, we adhere to Privacy by Design principles, taking personal privacy into consideration throughout the process of designing, building, and delivering information products and services.
Looks like a deal breaker for me.
 

mekelek

Level 28
Take a look at this URL that hit our labs today. Fresh off the block. Only FortiGuard detects it as of 10PM EST. Even Zvelo and my Pi-Hole Databases miss it.. Ugh. Note, I SUD it to Zvelo and Google, so it should pop there any minute.

View attachment 186034
would there be a way for me to implement fortnite's web signatures without anything else? like installing forticlient and disabling all modules except that one?
 
  • Like
Reactions: upnorth

Evjl's Rain

Level 43
Verified
Trusted
Content Creator
Malware Hunter
Since my own DNS Server (Pi-Hole) not only uses Adguard's complete DNS database,
I believe the filterlist we get from adguard doesn't contain the whole database of adguard DNS. I think adguard DNS does query the data from google safe browsing if I'm not mistaken

I opened the adguard DNS filter here:
https://filters.adtidy.org/windows/filters/15.txt

I searched the openphish domains which were blocked in my test in that adguard DNS filter. I found none => which means adguard does query its result from somewhere else
adguard blocked 6/10 openphish links in my test
 

Slyguy

Level 42
Verified
would there be a way for me to implement fortnite's web signatures without anything else? like installing forticlient and disabling all modules except that one?
You could in theory, install FortiClient but ONLY check the Web Filtration module.

Originally, one could use FortiGuard DNS to block malware, then they pinned it to validation check with FortiGate appliances because people were using FortiGuard as a free service and abusing it. Sadly.
 

mekelek

Level 28
You could in theory, install FortiClient but ONLY check the Web Filtration module.

Originally, one could use FortiGuard DNS to block malware, then they pinned it to validation check with FortiGate appliances because people were using FortiGuard as a free service and abusing it. Sadly.
i was asking if forticlient has modules that can't be disabled fully like in some AV.
i don't want any conflict in terms of exploit protection or anything else
 

mekelek

Level 28
You could in theory, install FortiClient but ONLY check the Web Filtration module.

Originally, one could use FortiGuard DNS to block malware, then they pinned it to validation check with FortiGate appliances because people were using FortiGuard as a free service and abusing it. Sadly.
http://any.ac/E394n6.webm

gave a chance to Forticlient, I'm getting stomach problems from the UI and the way UI works

you can get into settings, but you can't edit it. once you find somewhere an option that asks to elevate, you can, but then its bugged.

lets not talk about how group selection works...

if you want to elevate, you can't just have a main option, you have to go to that certain option to elevate every time.

then it blocked my own domain for being new, fine, tried disabling those categories, as shown on the webm, doesn't work.

logs tab has no option to right click and exclude, you gotta go to Exclusions and manually fill it out.

and all this just with one module, I can't imagine what it's like with all the other modules....

i suggest them hiring some UI designer cause all the technology is wasted behind this catastrophy they call a console.
 

DeepWeb

Level 24
Verified
I found out that my stupid At&t DSL/Fiber Gateways blocks the IP 1.1.1.1. If you are not able to resolve addresses, use 1.0.0.1 instead for Cloudfare. (y)

Beware if you use DNS over TLS your local Hosts file and your AV won't kick in to block phishing/adware/malware domains because they are not programmed to check traffic over other ports, much less encrypted traffic.