DNS Threat-blocking comparison

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
I found this article very interesting. It was updated on 23 DECEMBER 2017.
Comment your opinions below.

How to Pick the Best Threat-blocking DNS Provider

report-diagram-23-12-2017.png
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
Adguard Family DNS blocked the most (any Family DNS filter actually) when I was using it, considering that about 15% of malware is hosted on adult webpages.
Blocking at DNS level is very dangerous, since those filters are subjective, like PUP in Malwarebytes. I use OpenDNS Family and it blocks legitimate webpages.
Most browsers include a basic filter (Sophos), which already blocks many webpages, but the user can choose to ignore it. As for phishing, there is Netcraft, Avast, etc.

P.S. I wonder whether they have used YandexDNS or YandexSafe; the difference is obvious, since the basic version blocks only the confirmed threats, like botnets.
 

Evjl's Rain

Adguard Family DNS blocked the most (any Family DNS filter actually) when I was using it, considering that about 15% of malware is hosted on adult webpages.
Blocking at DNS level is very dangerous, since those filters are subjective, like PUP in Malwarebytes. I use OpenDNS Family and it blocks legitimate webpages.
Most browsers include a basic filter (Sophos), which already blocks many webpages, but the user can choose to ignore it. As for phishing, there is Netcraft, Avast, etc.

P.S. I wonder whether they have used YandexDNS or YandexSafe; the difference is obvious, since the basic version blocks only the confirmed threats, like botnets.
According to their previous article, they use Yandex.DNS - 77.88.8.88, 77.88.8.2.
Those are the Yandex Safe ones.
 

Evjl's Rain

I performed a quick test using phishtank between Quad9 and SafeDNS, because these 2 got good malware blocking results. I ignored Strongarm because it didn't do well against malware, only against phishing, which I'm not interested in.

SafeDNS:
- Quite fast response. A bit faster than Quad9 in my region. Tested with multiple DNS benchmarks
- It redirected the blocked sites, so we can easily tell the sites have been blocked
- Very good result
Capture.PNG

Quad9:
- Blocked sites showed DNS request timed out -> no indicator. We can only tell the sites have been blocked by switching to another DNS to see if the sites are alive or not, or by checking the site status on the Quad9 website
- Quite good result
 

Evjl's Rain

I tried to combine them to use together, but unfortunately they can't work together in 1 network.
If I put Norton DNS as the primary and Quad9 as the secondary, the websites blocked by Norton would be cancelled out by Quad9, and if I reversed the order, they behaved the same. Same for SafeDNS.

The only DNS combo that works together is NortonDNS + AdguardDNS, and both have blocked quite some malicious sites for me.
 

Evjl's Rain

Pls Test Forti DNS too:
208.91.112.53
208.91.112.52
I just quickly tested them with so, so many links, ~30 links. Much more than for the other DNSes I tested (~10-15).
They blocked absolutely nothing, even with EICAR/AMTSO or a few days old phishtank links.

I assume they are just simple DNSes without any blocking capability.
@ForgottenSeer 58943 could you please inform us about it? Why didn't those block anything for me?
 

Evjl's Rain


ForgottenSeer 58943

I tried to combine them to use together but unfortunately they can't work together in 1 network

DNS forwarding can't be combined. Top level DNS will take precedence. So if your router has for example NortonDNS, your desktop will still resolve to the top level DNS on your network which is your router. Adding 2 DNS entries only applies as a failover between unresolved DNS responders on DNS1.. DNS1->No resolution DNS2. The only way to combine DNS is to have a local DNS server on the network then a forwarder. Local DNS -> Forwarder. So the local DNS server pulls DNS entries from the forwarder then redirects clients after the local DNS filtration/cache is applied.

I just quickly tested them with so, so many links, ~30 links. Much more than for the other DNSes I tested (~10-15).
They blocked absolutely nothing, even with EICAR/AMTSO or a few days old phishtank links. I assume they are just simple DNSes without any blocking capability.
@ForgottenSeer 58943 could you please inform us about it? Why didn't those block anything for me?

Sorry, Fortinet made some changes in the latest firmware. FortiDNS now validates licensing of a FortiGate device/FortiGuard account. As you can see from this photo:
dns.png


However you can still use it as a mostly anonymous, secured DNS for normal resolution. Just don't expect any major blocking or filtration. It's now a paid service for enterprise (free with any Appliance with a licensed UTM bundle) but won't deny normal DNS resolution from unknown clients.

Thanks for the Testing :)

What this test really indicates to me is how crucial a Pi-Hole has become. Remember, with Pi-Hole you can run your own blacklists from curated lists and essentially create the most powerful DNS in the world. You can add Adguard DNS list, combine it with other malware/phishing/exploit lists, then stack it to a forwarder that already filters. (Quad9 or whatever)

With Pi-Hole your DNS resolution would be plugging it in to your network (Pi3), then grabbing an IP, then point your router BACK to the local IP of the Pi-Hole for DNS resolution. Then your Pi-Hole set 9.9.9.9 or whatever as the forwarder on that. It will pull DNS entries from 9.9.9.9, then do a 'comparative' to your blacklist and deny resolution on anything in your blacklists. This setup is supremely powerful given the extensive, curated blacklists available for Pi-Hole.

The Big Blocklist Collection

$50-$60 well spent, and a one time fee, then you can stop playing DNS theater.
 

ForgottenSeer 58943

Also test Heimdal, since Heimdal's primary function is a local DNS resolver (encrypted client) and DNS forwarder. The loopback of Heimdal has the purpose of looping back to the 127 address of the local DNS server, then forwarding to the resolver (your router). You can stack safe DNS by using a safer DNS server (on your router, etc.) combined with Heimdal, and the same thing will be accomplished. Endpoint Lookup-->Heimdal Loopback-->Heimdal Forwarder-->Primary DNS Forwarder-->DNS

Evjl can you test Heimdal Pro with your same subset?
 

Evjl's Rain

Also test Heimdal, since Heimdal's primary function is a local DNS resolver (encrypted client) and DNS forwarder. The loopback of Heimdal has the purpose of looping back to the 127 address of the local DNS server, then forwarding to the resolver (your router). You can stack safe DNS by using a safer DNS server (on your router, etc.) combined with Heimdal, and the same thing will be accomplished. Endpoint Lookup-->Heimdal Loopback-->Heimdal Forwarder-->Primary DNS Forwarder-->DNS

Evjl can you test Heimdal Pro with your same subset?
I will test it when I have time, today or tomorrow. I don't use the same links in every test because they die very quickly. I just randomly pick the latest links from phishtank and malc0de.
 

ForgottenSeer 58943

I will test it when I have time, today or tomorrow. I don't use the same links for every test because they die very quickly. I just randomly pick the latest links from phishtank and malc0de.

I await your test. Remember, Heimdal does other traffic and malware inspection but DNS filtration is a major part of what it does. So your test will be looking at one specific part of how it works.

I have a theory - Heimdal protects from some really nasty DNS lookups but it isn't inclusive. So I use Heimdal as a 'layer' in my package. I actually use triple-filtered DNS and my DNS resolution is still Sub-1ms because of local caching. In my case; Heimdal-->Primary DNS (router)-->Pi-Hole(local DNS cache/blacklist server)-->Quad9.

So any lookup first goes through the Heimdal local loopback, gets its forwarder from the router (local IP of the Pi-Hole), then the Pi-Hole serves DNS pre-cached from Quad9 after applying its blacklists and rules. This is a relatively bulletproof method that applies SIGNIFICANT protection without any speed degradation (in fact it's faster than any offsite DNS).
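Added example, not code from the thread, from Pi-Hole or from any DNS provider: a toy Python model of the two chains discussed above, the DNS1/DNS2 failover that stops a primary/secondary pair from combining and the Local DNS -> Forwarder layering (Pi-Hole or Heimdal in front of Quad9). It assumes the client behaviour ForgottenSeer describes (DNS2 is consulted only when DNS1 gives no reply) and that a hosted filter blocks by timing out, as Evjl reported for Quad9; the UPSTREAM answers and the blocklist are constructed data, and nothing here sends real DNS traffic.

```python
from typing import Callable, Dict, List, Optional, Set

# Constructed sample answers standing in for a real upstream; nothing here sends DNS traffic.
UPSTREAM: Dict[str, str] = {"example.com": "192.0.2.10", "bad.example.net": "203.0.113.7"}

# A resolver returns an IP string, "NXDOMAIN", or None for no reply at all (the
# "DNS request timed out" that Evjl saw for names blocked by Quad9).
Resolver = Callable[[str], Optional[str]]

def is_blocked(name: str, blocklist: Set[str]) -> bool:
    """Pi-Hole-style match: a list entry blocks the name itself and all its subdomains."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def plain_forwarder(name: str) -> Optional[str]:
    """Unfiltered upstream: answers what it knows, NXDOMAIN for everything else."""
    return UPSTREAM.get(name, "NXDOMAIN")

def silent_blocking_forwarder(blocklist: Set[str]) -> Resolver:
    """Hosted filter that blocks by staying silent, so the client only sees a timeout."""
    return lambda name: None if is_blocked(name, blocklist) else plain_forwarder(name)

def local_filtering_resolver(blocklist: Set[str], forwarder: Resolver,
                             sinkhole: str = "0.0.0.0") -> Resolver:
    """Local DNS -> forwarder: apply the blocklist first, forward and cache only the rest."""
    cache: Dict[str, Optional[str]] = {}
    def resolve(name: str) -> Optional[str]:
        if is_blocked(name, blocklist):
            return sinkhole              # answered locally; never reaches the forwarder
        if name not in cache:
            cache[name] = forwarder(name)
        return cache[name]
    return resolve

def stub_lookup(name: str, servers: List[Resolver]) -> Optional[str]:
    """Client with DNS1/DNS2: DNS2 is tried only when DNS1 gives no reply, so any
    answer from DNS1 (a real IP, NXDOMAIN or a sinkhole) ends the lookup."""
    for server in servers:
        answer = server(name)
        if answer is not None:
            return answer
    return None                          # every configured server timed out

if __name__ == "__main__":
    # DNS1 filters by timing out, DNS2 is unfiltered: the block fails over and is cancelled out.
    print(stub_lookup("bad.example.net", [silent_blocking_forwarder({"example.net"}), plain_forwarder]))
    # A local filtering resolver answers the block itself, so DNS2 is never consulted.
    pihole = local_filtering_resolver({"example.net"}, plain_forwarder)
    print(stub_lookup("www.bad.example.net", [pihole, plain_forwarder]))
```

The first lookup prints the real address (the filter was cancelled out by failover), the second prints the sinkhole, which is why the local filter has to sit in front of the forwarder rather than beside it.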
 

Evjl's Rain

I await your test. Remember, Heimdal does other traffic and malware inspection but DNS filtration is a major part of what it does. So your test will be looking at one specific part of how it works.

I have a theory - Heimdal protects from some really nasty DNS lookups but it isn't inclusive. So I use Heimdal as a 'layer' in my package. I actually use triple-filtered DNS and my DNS resolution is still Sub-1ms because of local caching. In my case; Heimdal-->Primary DNS (router)-->Pi-Hole(local DNS cache/blacklist server)-->Quad9.

So any lookup first goes through the Heimdal local loopback, gets its forwarder from the router (local IP of the Pi-Hole), then the Pi-Hole serves DNS pre-cached from Quad9 after applying its blacklists and rules. This is a relatively bulletproof method that applies SIGNIFICANT protection without any speed degradation (in fact it's faster than any offsite DNS).
I just tested Heimdal Pro with 50+ links from phishtank, malc0de, virustotal, hphosts EMD and EXP.

Pros:
- very good blocking. It blocked a lot. Much better than DNS, obviously
- No noticeable network slowdown
- Great against >=2 day-old sites but not so good against zero-day sites
- OK against .exe links from malc0de (they are not zero-day)
- so-so against exploits from hphosts EXP
- After the uninstallation, it reverted my DNSes back to the state before installing

Cons:
- Constant CPU consumption, always 0.9-1.5% on idle/absolute 0kb/s in/out => unacceptable (i7-3630QM)
- High memory usage for this purpose
- It changed my DNS to 127.x.x.x. I didn't know how to modify my default DNS (Norton) to a different one => Norton DNS was blocking some sites and interfered with the test. I assume Heimdal always blocked first. If it didn't block, Norton would block
- Delayed notifications sometimes. When I was doing nothing, the popups showed up for the previously blocked links. Mostly from malc0de's .exe links
- €34.00!???
 

ForgottenSeer 58943

I just tested Heimdal Pro with 50+ links from phishtank, malc0de, virustotal, hphosts EMD and EXP.

Pros:
- very good blocking. It blocked a lot. Much better than DNS, obviously
- No noticeable network slowdown
- Great against >=2 day-old sites but not so good against zero-day sites
- OK against .exe links from malc0de (they are not zero-day)
- so-so against exploits from hphosts EXP
- After the uninstallation, it reverted my DNSes back to the state before installing

Cons:
- Constant CPU consumption, always 0.9-1.5% on idle/absolute 0kb/s in/out => unacceptable (i7-3630QM)
- High memory usage for this purpose
- It changed my DNS to 127.x.x.x. I didn't know how to modify my default DNS (Norton) to a different one => Norton DNS was blocking some sites and interfered with the test. I assume Heimdal always blocked first. If it didn't block, Norton would block
- Delayed notifications sometimes. When I was doing nothing, the popups showed up for the previously blocked links. Mostly from malc0de's .exe links
- €34.00!???

As I suspected, Heimdal is a bit of a rockstar in terms of traffic and DNS filtration in some categories. As to your concerns:

1) 0.9%-1.5% is trivial, virtually meaningless CPU use. This is the equivalent of a SVCHOST process in Windows. A local DNS server WILL have CPU use!
2) What's considered high memory use? I will check when I get home, but I never noticed any noticeable RAM use.
3) Correct, as I said it uses loopback to its own DNS server, then uses the default DNS as a forwarder. The proper way to test would be to use GoogleDNS (8.8.8.8), then install and turn on Heimdal traffic monitoring, which would supplant it with its own loopback and move GoogleDNS to the forwarder. OR, turn your IPv4 DNS setting to 'Auto' and resolve to whatever your router defaults to, ISP?
4) Probably caused by #3 above.
5) Heimdal is cheap. You can find it for 50-75% off. It's one of the most effective, zero impact protection systems I have found, which is why I use it as part of my layered security. Heimdal blocks 'weird' stuff as they source a LOT of DNS blocking from the Darkweb and use Heuristic Blocking.
 
