Advice Request Phishing Protection — Comparing DNS Security Filters

[HarborFront]

DNS Filters Compared

In this test, I will compare these 6 free and public DNS providers that are supposed to filter access to malicious domains:

• Quad9: 9.9.9.9
• OpenDNS: 208.67.222.123 (used their free version)
• CleanBrowsing: 185.228.168.9
• Norton ConnectSafe (Malware, Phishing and Scam sites): 199.85.126.10
• Comodo Secure: 8.26.56.26
• Yandex Safe: 77.88.8.88

For the test, I divided my list of domains into 4 categories:

• 10 domains from the Openphish database. Mix of old and new bad stuff.
• 10 domains added *today* to Phishtank. Real time bad stuff.
• 10 domains added within the last week to Phishtank. Old bad stuff.
• 10 domains from some of the latest Krebs blog posts. Bad stuff.

Test 1: Openphish — Mixed bad stuff

Openphish is a popular database of malicious domains, so a great place to start. From the 10 domains tested (full dump on pastebin), these are the results:

• Quad9 and CleanBrowsing: 100% accuracy. They blocked all domains.
• Norton: 20% accuracy. Blocked 2 domains related to fake facebook logins.
• OpenDNS, Comodo, Yandex: Blocked 0 domains.

Test 2: Phishtank — Real time bad stuff

With this test, I tried to see how quickly those providers were to update their database with new domains. The dump of the tests are on pastebin as well (yeah, I screwed up my math and tested 12 domains instead of 10). Results:

• CleanBrowsing: 91% of accuracy. Only missed 1.
• Quad9: 50% of accuracy
• OpenDNS, Yandex, Comodo, Norton: 16% of accuracy. Blocked 2 domains only.

Test 3: Phishtank — Old bad stuff

In this 3rd test, I got domains that were blacklisted this month, but not today. That gives a good idea on how long they keep bad domains on their list. The results:

• CleanBrowsing: 100% accuracy
• OpenDNS: 60% accuracy
• Norton: 30% accuracy
• Quad9: 20% accuracy
• Yandex: 10%, Comodo 0%.

Test 4: Domains from Krebs blog post

This last test probably wasn't very fair, since the domains Krebs mentions on his blog post are not part of any blacklist, so none of the providers blocked them, except for CleanBrowsing. They blocked 100% of the typo squatting .cm domains, along with cardmafia and some other bad domains.
Conclusion

DNS can be an important part of your security and act as a first line of defense against phishing and other malicious activity. CleanBrowsing was the #1 provider in my tests , followed by Quad9 and OpenDNS in second (they did well in different areas). Note that I used the free version of OpenDNS and if you are an enterprise client, their Cisco Umbrella could/would probably do better. CleanBrowsing has different filters to block adult content, but I tested it with their .9 IP address that only blocks malicious domains.

On the sad side, It seems that both Comodo, Norton and Yandex are stuck in time and not updated anymore. So based on my tests, would not recommend to use them if you are looking for any type of security filtering at the DNS layer.

For the whole article please read below link

Phishing Protection — Comparing DNS Security Filters

 

[71Hemi]

@HarborFront
Just curious if there has been any comparison between Neustar and Cleanbrowsings "Security Filters" access to phishing, malware and malicious domains. How frequently they are updated ? Both are using DNSSEC and Not using "DNS over TLS" according to Browser Privacy - Test IP address, DNS, VPN leaks. Fast & no ads. Protect your online privacy. and How to find and check my IP address. Is there any other test sites that you know of ? Seems Cleanbrowsings a little faster on my rig...

 

[71Hemi]

Ignore the links...

 

[HarborFront]

@HarborFront
Just curious if there has been any comparison between Neustar and Cleanbrowsings "Security Filters" access to phishing, malware and malicious domains. How frequently they are updated ? Both are using DNSSEC and Not using "DNS over TLS" according to Browser Privacy - Test IP address, DNS, VPN leaks. Fast & no ads. Protect your online privacy. and How to find and check my IP address. Is there any other test sites that you know of ? Seems Cleanbrowsings a little faster on my rig...

From what I know

Neustar logs personal info/anonymized logs and may/may not share with partners & 3rd-party affiliates.

And CleanBrowsing has DNS over HTTPS

Parental Control with DNS Over HTTPS (DoH) Support

No idea who protects better

 

[71Hemi]

Just curious if there has been any comparison between Neustar and Cleanbrowsings "Security Filters" access to phishing, malware and malicious domains. How frequently they are updated ? Both are using DNSSEC and Not using "DNS over TLS" according to Browser Privacy - Test IP address, DNS, VPN leaks. Fast & no ads. Protect your online privacy. and How to find and check my IP address. Is there any other test sites that you know of ? Seems Cleanbrowsings a little faster on my rig... That's better... Apparently I clicked on a beer and was'nt paying enough attention to what I was doing, sigh... So I think its time to check for logging on Cleanbrowsings DNS

 

[TairikuOkami]

As I mentioned before, blocking at DNS level is questionable, because you can not click on Ignore and continue like with an extension. So unless the link is 100% malicious, it should not be blocked, but they also block PUPs and adware (driver updaters/cleaners/etc). That is the reason I stopped using Cleanbrowsings, since it even blocks webpages like image/file sharing, used to host some malware files. But as for protection, it definitely works.

DNS over HTTPS

One thing seems to be omitting, when someone uses an encrypted DNS, like Simplednscrypt, everything within Windows has DNS access, including a potential malware, it can not be blocked within the firewall, so for example it could be used to download an updated list for a trojan downloader.

 

[HarborFront]

As I mentioned before, blocking at DNS level is questionable, because you can not click on Ignore and continue like with an extension. So unless the link is 100% malicious, it should not be blocked, but they also block PUPs and adware (driver updaters/cleaners/etc). That is the reason I stopped using Cleanbrowsings, since it even blocks webpages like image/file sharing, used to host some malware files. But as for protection, it definitely works.


One thing seems to be omitting, when someone uses an encrypted DNS, like Simplednscrypt, everything within Windows has DNS access, including a potential malware, it can not be blocked within the firewall, so for example it could be used to download an updated list for a trojan downloader.

From what I know there are a few ways to protect your DNS queries

1) Using a VPN. Here the VPN provider encrypts the DNS queries. Protection is system-wide
2) Setting DNS in WIndows. Protection here is also system-wide
3) DNS over HTTPS. Here the browser offers the encryption of the DNS queries. Protection is NOT system-wide
4) Using software like SimpleDNSCrypt. Protection is system-wide
5) Configuring DNS in your router. System-wide protection
6) Hardware-based DNS protection like having your own DNS server. Protection is again system-wide

Unless the encrypted DNS queries have been hijacked (like MITM attack) I doubt malware could access your system by this route . I could be wrong here.

 

[71Hemi]

Thanks Guys ! I was trying to fix my previous post but it didn't work out well. Sorry about the double post. I have been using Neustar DNS for some time now but have it configured in my router with Windows DNS Client disabled.

 

[TairikuOkami]

Unless the encrypted DNS queries have been hijacked (like MITM attack) I doubt malware could access your system by this route .

DNS queries are protected by using an encrypted DNS, I was referring to malware, which could be within the system, like in browser's cache.

4) Using software like SimpleDNSCrypt. Protection is system-wide

By default svchost.exe makes DNS requests, simplednscrypt merely replaces it. So every software, malware included (if already infected), has DNS access to internet, it can not be blocked easily. Blocking big malware threats (botnets, ransomware) is done by blocking IPs/domains, but advanced malware updates its list using DNS. Of course DNS blocking will work only against a limited number of malware, but some of the most dangerous.

5) Configuring DNS in your router. System-wide protection

Setting DNS within Windows bypasses router's settings and malware tends to do that. I had to recommend Dns Lock v1.3 to circumvent that.

 

[Sunshine-boy]

it can not be blocked within the firewall,

with Eset firewall or Symantec endpoint protection you can.
Dns

 

[TairikuOkami]

with Eset firewall or Symantec endpoint protection you can.
Dns

That applies only if the software is making DNS requests, that is not the case when DNS is set ot Automatic or when DNS server is set to 127.0.0.1, then all DNS requests are routed back to simplednscrypt, they are actually not outgoing, so there is nothing to block, since DNS is generally allowed.

 

[yitworths]

that is not the case when DNS is set ot Automatic or when DNS server is set to 127.0.0.1, then all DNS requests are routed back to simplednscrypt

Actually, in theory dns query still should be blocked if that dns is blacklisted. Even if you port your encrypted dns,there are many ways to intercept that encrytped traffic & trust me many av or web protection suites employ those techniques. firewall sees connections as inbound & outbound so direction of data flow is immaterial.(Unless you've dedicated firewall i.e. either just inbound or just outbound firewall).


In short,dns query still can be blocked even if it's being ported.

 

[LDogg]

Some interesting results here, definitely make DNS choosing a lot easier for some people.

~LDogg

 

[yitworths]

they are actually not outgoing

dns= outbound connection but inbound data. the whole world of networking is much different than it seems.

 

[JiSingh12]

Does cloudflare 1.1.1.1 / 1.0.0.1 do the same thing or not, or is that mainly for privacy alone but not security?

 

[Ink]

Does cloudflare 1.1.1.1 do the same thing or not, or is that mainly for privacy alone but not security?

Cloudflare 1.1.1.1 DNS is privacy-focused and lightening fast.
Read more about Announcing 1.1.1.1: the fastest, privacy-first consumer DNS service and What is 1.1.1.1? | Cloudflare

Quad9 DNS includes blocking known malicious sites
Learn more at About Quad9 DNS

 

[HarborFront]

Does cloudflare 1.1.1.1 / 1.0.0.1 do the same thing or not, or is that mainly for privacy alone but not security?

But Cloudflare logs your data for 24 hrs. CleanBrowsing don't log your data.

Cloudflare's business has never been built around tracking users or selling advertising. We don't see personal data as an asset; we see it as a toxic asset. While we need some logging to prevent abuse and debug issues, we couldn't imagine any situation where we'd need that information longer than 24 hours. And we wanted to put our money where our mouth was, so we committed to retaining KPMG, the well-respected auditing firm, to audit our practices annually and publish a public report confirming we're doing what we said we would.

Announcing 1.1.1.1: the fastest, privacy-first consumer DNS service

 

[Moonhorse]

Trying out cleanbrowsing for now,

 

[Deleted member 178]

Trying out cleanbrowsing for now,

some FPS, but they can be dismissed.

 

[Moonhorse]

some FPS, but they can be dismissed.

Didnt made account on there for better conf yet, just ipv4

Edit: seems the paid option, only have dns firewall access