DNS Threat-blocking comparison

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
I found this article very interesting. It was updated on 23 December 2017.
Comment below with your opinions.

How to Pick the Best Threat-blocking DNS Provider

report-diagram-23-12-2017.png
 

Evjl's Rain

ForgottenSeer 58943 said:
As I suspected, Heimdal is a bit of a rockstar in terms of traffic and DNS filtration in some categories. As to your concerns:

1) 0.9%-1.5% is trivial, virtually meaningless CPU use. This is the equivalent of an SVCHOST process in Windows. A local DNS server WILL have CPU use!
2) What's considered high memory use? I will check when I get home, but I never noticed any noticeable RAM use.
3) Correct, as I said it uses loopback to its own DNS server, then uses the default DNS as a forwarder. The proper way to test would be to use Google DNS (8.8.8.8), then install and turn on Heimdal traffic monitoring, which would supplant it with its own loopback and move Google DNS to the forwarder. OR, turn your IPv4 DNS setting to 'Auto' and resolve to whatever your router defaults to (ISP?).
4) Probably caused by #3 above.
5) Heimdal is cheap. You can find it for 50-75% off. It's one of the most effective, zero-impact protection systems I have found, which is why I use it as part of my layered security. Heimdal blocks 'weird' stuff, as they source a LOT of DNS blocking from the Darkweb and use heuristic blocking.
1) For me, it's a lot, because my svchosts rarely use that much. My laptop is bad at battery life. 1.5% can cause significant battery drain for me. When I don't use anything, with no internet traffic, it must stay calmly at 0%, or it should be removed. It's just me. I care about resource usage and performance 10x more than security and privacy.
2) Depends on its purpose. IMO, it should use <= 50 MB in total. It even used 2x more RAM than KIS 2018.
3) I didn't know that, so I didn't change the DNS to Google's before the test, but it didn't matter much.
5) According to my test, KIS's web filter is much, much better than Heimdal. Kaspersky is always one of the first vendors to block a brand-new phishing site on VT, even sooner than Forti and Netcraft. I think KIS's web filter + Norton DNS + Google SafeBrowsing should be more than enough for most users.
5*) Although we can get it for 50% off, I still think our AV's filter is good enough. Or if we are a bit more paranoid, we can install Panda Safe Web (though it's like adware). Everyone can install it as a system-wide malware blocker for free.
 

ForgottenSeer 58943

Evjl's Rain said:
1) For me, it's a lot, because my svchosts rarely use that much. My laptop is bad at battery life. 1.5% can cause significant battery drain for me. When I don't use anything, with no internet traffic, it must stay calmly at 0%, or it should be removed. It's just me. I care about resource usage and performance 10x more than security and privacy.
2) Depends on its purpose. IMO, it should use <= 50 MB in total. It even used 2x more RAM than KIS 2018.
3) I didn't know that, so I didn't change the DNS to Google's before the test, but it didn't matter much.
5) According to my test, KIS's web filter is much, much better than Heimdal. Kaspersky is always one of the first vendors to block a brand-new phishing site on VT, even sooner than Forti and Netcraft. I think KIS's web filter + Norton DNS + Google SafeBrowsing should be more than enough for most users.
5*) Although we can get it for 50% off, I still think our AV's filter is good enough. Or if we are a bit more paranoid, we can install Panda Safe Web (though it's like adware). Everyone can install it as a system-wide malware blocker for free.

If you are going to test, then you need to make sure you understand what you are testing and apply a fairly standard methodology to the test along with controls. No offense, but you didn't do that in this case. Having Norton DNS as a manually entered IPv4 DNS on the system and then installing Heimdal under those conditions wouldn't produce consistent or accurate results. The proper way to test would be to set up Heimdal as the only security product on a VM pinned to a DMZ, then run validations. Until then I don't think your results are relevant in this case. But the effort should be recognized regardless.

ForgottenSeer 58943 If I'm paranoid then I would start using Sandboxie, not Heimdal or any other DNS and web filtering services. Heimdal is expensive! You can buy HMPA or even Kaspersky Internet Security with such money! Heimdal my little joke :D

Speaking from the home here, Sandboxie adds needless compatibility and usability issues that aren't something I care to deal with.

DNS is important to control and monitor, which is why Pi-Hole comes in to play. Sandboxie is NOT going to help you protect your IoT or non-Windows devices. In blended environments in which we all live, our first and sometimes primary line of defense is DNS. There is a reason corporate/enterprise environments all have their own DNS servers internally and/or use SaaS for DNS, it's crucial.

As for Heimdal, it's a very lightweight supplement to existing protections and offers another layer. Also the patching mechanism from safe repositories is very handy. I'm not sure I would think $20 a year for 4 PCs is expensive? I've seen Heimdal as cheap as $12 a year... It's not my job to convince anyone of anything. But I can tell you from the perspective of testing Heimdal under lab conditions, I feel it's an important layer that works in areas most AV products ignore.

A Must-Have Addition to Your Antivirus: Close Security Holes to Prevent Cyber Attacks!
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Evjl's Rain

Thanks for the interesting link/article. What I don't understand
cryptoaustralia.org said:
Note that the total number is a bit exaggerated compared to the rest of the herd, as ConnectSafe was hijacking about 300 domains in the EXP category, even though these domains were already offline.

When I subtract that from the results they would 'only' block a total of 140 URLs, which would put Norton DNS behind SafeSurfer. :unsure:
 

Evjl's Rain

Windows_Security said:
@Evjl's Rain

Thanks for the interesting link/article. What I don't understand

When I subtract that from the results they would 'only' block a total of 140 URLs, which would put Norton DNS behind SafeSurfer. :unsure:
I downloaded the xlsx files from the website and started calculating myself. I used Google DNS as the reference for dead links, i.e. I deleted all the sites which showed "DNS Lookup Error" or "255.255.255.255" from Google DNS because I assumed they were dead.

Here is the result. EXP had the most dead links, so only 180 links were alive. Sorry, my Excel skill is bad.
2.PNG
 
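The scoring rule in the post above (treat a domain as dead when the reference resolver returns a lookup error or 255.255.255.255, then count blocks only over the live ones) can be automated so the same list is measured the same way against every resolver. The script below is an added example written for this thread, not code from the article, the forum or any vendor. It sends raw UDP A queries to two resolvers, classifies each domain as dead, blocked or allowed, and reports the block rate over live domains only. The sample answers, the .example names, the addresses in SINKHOLE_MARKERS and all function names are constructed assumptions; a filter that answers with a block-page address instead of NXDOMAIN needs that address added to SINKHOLE_MARKERS, otherwise its blocks are counted as allowed.

```python
import random
import socket
import struct

DEAD_MARKERS = {"255.255.255.255"}           # thread: Google DNS answer treated as "dead domain"
SINKHOLE_MARKERS = {"0.0.0.0", "127.0.0.1"}  # assumption: add your filter's block-page IP here


def build_query(name, qid):
    """Minimal DNS A/IN query with recursion desired and transaction id qid."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _skip_name(msg, off):
    """Offset just past a (possibly compressed) domain name starting at msg[off]."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, name ends here
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(msg):
    """Return (rcode, [IPv4 strings]) from a raw DNS response; non-A records are skipped."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs


def fake_a_response(name, qid, addr):
    """Constructed response with one A record, for exercising the parser offline."""
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + build_query(name, qid)[12:] + answer


def udp_lookup(name, server, timeout=3.0):
    """Query one resolver over UDP/53; returns (status, addrs)."""
    qid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "TIMEOUT", []
    finally:
        sock.close()
    rcode, addrs = parse_a_records(data)
    return {0: "NOERROR", 3: "NXDOMAIN"}.get(rcode, "RCODE%d" % rcode), addrs


def classify(reference, filtered):
    """dead / blocked / allowed from the (status, addrs) answers of both resolvers."""
    ref_status, ref_addrs = reference
    if ref_status != "NOERROR" or not ref_addrs or set(ref_addrs) & DEAD_MARKERS:
        return "dead"                           # excluded from the denominator
    flt_status, flt_addrs = filtered
    if flt_status != "NOERROR" or not flt_addrs or set(flt_addrs) & SINKHOLE_MARKERS:
        return "blocked"
    return "allowed"


def score(domains, reference_results, filtered_results):
    """(counts, block_rate): block rate is blocked / (blocked + allowed)."""
    counts = {"dead": 0, "blocked": 0, "allowed": 0}
    for d in domains:
        counts[classify(reference_results[d], filtered_results[d])] += 1
    live = counts["blocked"] + counts["allowed"]
    return counts, (counts["blocked"] / live if live else 0.0)


# Constructed sample answers (no network): .example names, RFC 5737 test addresses.
SAMPLE_DOMAINS = ["live-blocked.example", "live-allowed.example",
                  "dead-nxdomain.example", "dead-marker.example"]
SAMPLE_REFERENCE = {"live-blocked.example": ("NOERROR", ["192.0.2.10"]),
                    "live-allowed.example": ("NOERROR", ["192.0.2.20"]),
                    "dead-nxdomain.example": ("NXDOMAIN", []),
                    "dead-marker.example": ("NOERROR", ["255.255.255.255"])}
SAMPLE_FILTERED = {"live-blocked.example": ("NXDOMAIN", []),
                   "live-allowed.example": ("NOERROR", ["192.0.2.20"]),
                   "dead-nxdomain.example": ("NXDOMAIN", []),
                   "dead-marker.example": ("NOERROR", ["0.0.0.0"])}

if __name__ == "__main__":
    print(score(SAMPLE_DOMAINS, SAMPLE_REFERENCE, SAMPLE_FILTERED))
    # Live run (8.8.8.8 as the reference, 9.9.9.9 as the filter under test):
    # ref = {d: udp_lookup(d, "8.8.8.8") for d in my_domains}
    # flt = {d: udp_lookup(d, "9.9.9.9") for d in my_domains}
```

Run as-is it scores the constructed sample (2 dead, 1 blocked, 1 allowed, block rate 0.5); for a live comparison, uncomment the lines in the main block with your own domain list. A single UDP query with no retries is enough for a block-rate count, but query the reference and the filter from the same machine in the same session, since the dead-domain control only works when both resolvers see the same set of live names.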

Evjl's Rain

Bonus: I tested Quad9 and Norton DNS using links from malc0de.
- Quad9 only blocked 2 links out of ~15
- Norton: blocked 6-7 links

I noticed Quad9 gets its database from Cleanmx, malwaredomain, PhishTank, X-Force, OpenPhish, ...
 

ForgottenSeer 58943

Evjl's Rain said:
I downloaded the xlsx files from the website and started calculating myself. I used Google DNS as the reference for dead links, i.e. I deleted all the sites which showed "DNS Lookup Error" or "255.255.255.255" from Google DNS because I assumed they were dead.

Here is the result. EXP had the most dead links, so only 180 links were alive. Sorry, my Excel skill is bad.

Dang, hideous performance from all of them except Quad9 for raw malware domains.

Once again, this is why I don't consider DNS blocking with external, free solutions to be a very good solution. Some of the paid services (SaaS type) would offer superior protection but also increase the false positives. I have an account at zVelo and let me tell you, it's a constant thing to get stuff whitelisted. They have great support, but are aggressive in blocking. I think most of the 'safe' DNS type services for free generally are low grade and offer public sourced lists and limited protection.

This comes back to Pi-Hole, which allows you to do your own blacklist/whitelist management, and load up curated lists from a wealth of sources without relying on an external forwarder to handle the intricacies. I'd love to see a test like this done with Pi-Hole and all of the good curated/formatted/parsed lists loaded onto it. I bet it would totally wipe out these other so-called secure DNS services.
 

ForgottenSeer 58943

Actually, a Pi-Hole would probably score 90-100% filtration in all categories on your test, because the lists you source are already included in some of the curated Pi-Hole blacklists:

The Big Blocklist Collection

Note - Pi-Hole now effectively blocks all coin mining on your entire network with curated coin list. Given we've found Coin Miners being pushed to Fire Sticks, this is probably a huge thing.
 

ForgottenSeer 58943

Just recently followed this thread. So Heimdal did perform some kind of DNS Blocking? Sufficient enough?

Heimdal is good for this. It creates a local encrypted DNS client and loops back your DHCP served DNS to the client, runs DNS validation/blacklisting, then forwards it to your DNS forwarder. In a nutshell, it provides some valuable protection to your DNS resolution on a local machine.
 
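The curated-blocklist approach for Pi-Hole described a few posts up and the Heimdal loopback resolver described in this post come down to the same shape: a resolver listening on 127.0.0.1 that answers listed names with a sink address and forwards everything else to an upstream. The script below is an added example for this thread, not Pi-Hole's or Heimdal's own code, and it uses plain dnsmasq syntax rather than Pi-Hole's gravity database: it parses hosts-format and bare domain-list files of the kind collected in the Big Blocklist Collection, drops comments, localhost entries and lines that are not valid hostnames, applies an allowlist and renders a dnsmasq configuration. The sample list, the .example names and the function names are constructed; the upstream 9.9.9.9 is only a placeholder for whatever forwarder you choose.

```python
import re

# Constructed sample list mixing hosts format, bare domains and typical noise.
SAMPLE_BLOCKLIST = """\
# constructed sample, hosts format
127.0.0.1 localhost
0.0.0.0 ads.example
0.0.0.0 tracker.example   # inline comment
0.0.0.0   Coin-Miner.Example
miner.example
||adblock-style.example^
notadomain
0.0.0.0 ads.example
"""
SAMPLE_ALLOWLIST = {"tracker.example"}

HOSTS_SINK_IPS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
               "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}
# Lower-case hostname: labels of letters, digits and hyphens, at least one dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")


def parse_blocklist(lines):
    """Return the set of normalized domain names found in a blocklist."""
    domains = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()     # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] in HOSTS_SINK_IPS:          # hosts format: sink IP then one or more names
            candidates = parts[1:]
        else:                                   # bare domain list: one name per line
            candidates = parts[:1]
        for name in candidates:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not HOSTNAME_RE.match(name):
                continue                        # adblock syntax, bare words etc. are skipped
            domains.add(name)
    return domains


def build_dnsmasq_config(domains, allowlist, upstreams, listen="127.0.0.1", sink="0.0.0.0"):
    """Render a dnsmasq config: listen locally, forward to upstreams, sink listed names."""
    blocked = sorted(domains - set(allowlist))  # exact-match allowlist
    lines = [f"listen-address={listen}", "no-resolv"]   # no-resolv: ignore /etc/resolv.conf
    lines += [f"server={u}" for u in upstreams]
    # address=/name/ip answers the name and every subdomain of it with ip
    lines += [f"address=/{d}/{sink}" for d in blocked]
    return "\n".join(lines) + "\n"


def blocked_count(config_text):
    """Number of address= sink entries in a rendered config."""
    return sum(1 for line in config_text.splitlines() if line.startswith("address=/"))


if __name__ == "__main__":
    found = parse_blocklist(SAMPLE_BLOCKLIST.splitlines())
    print(build_dnsmasq_config(found, SAMPLE_ALLOWLIST, ["9.9.9.9"]))  # 9.9.9.9: placeholder upstream
```

Two caveats on the rendered config: `address=/name/` in dnsmasq matches the name and all of its subdomains, so an allowlisted subdomain of a blocked parent is still sunk by this config and would need its own more specific `server=` entry; and the exact-match allowlist here only removes names that appear verbatim in the list. Sinking to 0.0.0.0 keeps failed connections fast; using an empty address (`address=/name/`) returns NXDOMAIN instead, which is what the scoring script in the earlier post counts as a block.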

Evjl's Rain

I tested Yandex Browser beta. Entered the settings and enabled phishing protection. Tested with ~20 links. OMG! It blocked nothing. Tried again with some 2-3-day-old links; nothing was blocked.
I doubt the effectiveness of Yandex Browser and Yandex DNS, even though they have Sophos's and their own databases. This can partially explain why it performed so poorly in the DNS test.
 

ForgottenSeer 58943

Evjl's Rain said:
I tested Yandex Browser beta. Entered the settings and enabled phishing protection. Tested with ~20 links. OMG! It blocked nothing. Tried again with some 2-3-day-old links; nothing was blocked.
I doubt the effectiveness of Yandex Browser and Yandex DNS, even though they have Sophos's and their own databases. This can partially explain why it performed so poorly in the DNS test.

Did you enable all of the features in the Protect Module?

It's possible Yandex offers more regional protection. But the Sophos/Yandex/Agnitum technology seems to be focused on malicious file downloads/malicious links, and system/browser modifications and less about protecting from bad sites.
 

Evjl's Rain

ForgottenSeer 58943 said:
Did you enable all of the features in the Protect Module?

It's possible Yandex offers more regional protection. But the Sophos/Yandex/Agnitum technology seems to be focused on malicious file downloads/malicious links, and system/browser modifications and less about protecting from bad sites.
I installed it, left everything as default, and just enabled phishing protection, which was disabled by default.
Malware protection is checked.
OK, I will test it again with malware.
1.PNG 2.PNG
 

ForgottenSeer 58943

Evjl's Rain said:
I installed it, left everything as default, and just enabled phishing protection, which was disabled by default.
Malware protection is checked.
OK, I will test it again with malware.

From what I read, Yandex Phishing protection is exclusively limited to banking and financial activity. It places the browser in a type of lockdown mode. The protect module based on Sophos/Yandex/Agnitum is more for malware protection (keyloggers, malicious files, browser tampering). I wasn't ever under the impression Yandex had any effective web filtration but they aren't totally clear on that.
 

Evjl's Rain

ForgottenSeer 58943 said:
From what I read, Yandex Phishing protection is exclusively limited to banking and financial activity. It places the browser in a type of lockdown mode. The protect module based on Sophos/Yandex/Agnitum is more for malware protection (keyloggers, malicious files, browser tampering). I wasn't ever under the impression Yandex had any effective web filtration but they aren't totally clear on that.
Tested Yandex beta vs. Slimjet's Google SafeBrowsing (GSB).
3.PNG
20 links tested.
It worked very well. It blocked almost everything except 5 malware samples. Yandex ignored dead links, which can be a good thing.
Meanwhile, with the exact same set of links, GSB only missed 2 malware samples, and some dead links were also blocked.

The problem with Yandex is it downloads everything and then analyzes the files as soon as the downloads finish. If there is an infection, the files are renamed to [name].infected.
GSB sometimes blocks the downloads before they happen or blocks them after they finish downloading. No file is present unless we click "Keep".

I know 1 test is not conclusive enough
 
