Advice Request Phishing Protection — Comparing DNS Security Filters

Please provide comments and solutions that are helpful to the author of this topic.

HarborFront

Level 72
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,121
DNS Filters Compared

In this test, I will compare these 6 free and public DNS providers that are supposed to filter access to malicious domains:
  • Quad9: 9.9.9.9
  • OpenDNS: 208.67.222.123 (used their free version)
  • CleanBrowsing: 185.228.168.9
  • Norton ConnectSafe (Malware, Phishing and Scam sites): 199.85.126.10
  • Comodo Secure: 8.26.56.26
  • Yandex Safe: 77.88.8.88
For the test, I divided my list of domains into 4 categories:
  • 10 domains from the Openphish database. Mix of old and new bad stuff.
  • 10 domains added *today* to Phishtank. Real time bad stuff.
  • 10 domains added within the last week to Phishtank. Old bad stuff.
  • 10 domains from some of the latest Krebs blog posts. Bad stuff.
Test 1: Openphish — Mixed bad stuff

Openphish is a popular database of malicious domains, so a great place to start. From the 10 domains tested (full dump on pastebin), these are the results:
  • Quad9 and CleanBrowsing: 100% accuracy. They blocked all domains.
  • Norton: 20% accuracy. Blocked 2 domains related to fake facebook logins.
  • OpenDNS, Comodo, Yandex: Blocked 0 domains.
Test 2: Phishtank — Real time bad stuff

With this test, I tried to see how quickly those providers were to update their database with new domains. The dump of the tests are on pastebin as well (yeah, I screwed up my math and tested 12 domains instead of 10). Results:
  • CleanBrowsing: 91% of accuracy. Only missed 1.
  • Quad9: 50% of accuracy
  • OpenDNS, Yandex, Comodo, Norton: 16% of accuracy. Blocked 2 domains only.
Test 3: Phishtank — Old bad stuff

In this 3rd test, I got domains that were blacklisted this month, but not today. That gives a good idea on how long they keep bad domains on their list. The results:
  • CleanBrowsing: 100% accuracy
  • OpenDNS: 60% accuracy
  • Norton: 30% accuracy
  • Quad9: 20% accuracy
  • Yandex: 10%, Comodo 0%.
Test 4: Domains from Krebs blog post

This last test probably wasn't very fair, since the domains Krebs mentions on his blog post are not part of any blacklist, so none of the providers blocked them, except for CleanBrowsing. They blocked 100% of the typo squatting .cm domains, along with cardmafia and some other bad domains.
Conclusion

DNS can be an important part of your security and act as a first line of defense against phishing and other malicious activity. CleanBrowsing was the #1 provider in my tests , followed by Quad9 and OpenDNS in second (they did well in different areas). Note that I used the free version of OpenDNS and if you are an enterprise client, their Cisco Umbrella could/would probably do better. CleanBrowsing has different filters to block adult content, but I tested it with their .9 IP address that only blocks malicious domains.

On the sad side, It seems that both Comodo, Norton and Yandex are stuck in time and not updated anymore. So based on my tests, would not recommend to use them if you are looking for any type of security filtering at the DNS layer.

For the whole article please read below link

Phishing Protection — Comparing DNS Security Filters
 

71Hemi

Level 2
Verified
Dec 12, 2015
82
@HarborFront
Just curious if there has been any comparison between Neustar and Cleanbrowsings "Security Filters" access to phishing, malware and malicious domains. How frequently they are updated ? Both are using DNSSEC and Not using "DNS over TLS" according to Browser Privacy - Test IP address, DNS, VPN leaks. Fast & no ads. Protect your online privacy. and How to find and check my IP address. Is there any other test sites that you know of ? Seems Cleanbrowsings a little faster on my rig...
 

HarborFront

Level 72
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,121
@HarborFront
Just curious if there has been any comparison between Neustar and Cleanbrowsings "Security Filters" access to phishing, malware and malicious domains. How frequently they are updated ? Both are using DNSSEC and Not using "DNS over TLS" according to Browser Privacy - Test IP address, DNS, VPN leaks. Fast & no ads. Protect your online privacy. and How to find and check my IP address. Is there any other test sites that you know of ? Seems Cleanbrowsings a little faster on my rig...
From what I know

Neustar logs personal info/anonymized logs and may/may not share with partners & 3rd-party affiliates.

And CleanBrowsing has DNS over HTTPS

Parental Control with DNS Over HTTPS (DoH) Support

No idea who protects better
 

71Hemi

Level 2
Verified
Dec 12, 2015
82
Just curious if there has been any comparison between Neustar and Cleanbrowsings "Security Filters" access to phishing, malware and malicious domains. How frequently they are updated ? Both are using DNSSEC and Not using "DNS over TLS" according to Browser Privacy - Test IP address, DNS, VPN leaks. Fast & no ads. Protect your online privacy. and How to find and check my IP address. Is there any other test sites that you know of ? Seems Cleanbrowsings a little faster on my rig... That's better... Apparently I clicked on a beer and was'nt paying enough attention to what I was doing, sigh... So I think its time to check for logging on Cleanbrowsings DNS
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,611
As I mentioned before, blocking at DNS level is questionable, because you can not click on Ignore and continue like with an extension. So unless the link is 100% malicious, it should not be blocked, but they also block PUPs and adware (driver updaters/cleaners/etc). That is the reason I stopped using Cleanbrowsings, since it even blocks webpages like image/file sharing, used to host some malware files. But as for protection, it definitely works.

DNS over HTTPS
One thing seems to be omitting, when someone uses an encrypted DNS, like Simplednscrypt, everything within Windows has DNS access, including a potential malware, it can not be blocked within the firewall, so for example it could be used to download an updated list for a trojan downloader.
 

HarborFront

Level 72
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,121
As I mentioned before, blocking at DNS level is questionable, because you can not click on Ignore and continue like with an extension. So unless the link is 100% malicious, it should not be blocked, but they also block PUPs and adware (driver updaters/cleaners/etc). That is the reason I stopped using Cleanbrowsings, since it even blocks webpages like image/file sharing, used to host some malware files. But as for protection, it definitely works.


One thing seems to be omitting, when someone uses an encrypted DNS, like Simplednscrypt, everything within Windows has DNS access, including a potential malware, it can not be blocked within the firewall, so for example it could be used to download an updated list for a trojan downloader.

From what I know there are a few ways to protect your DNS queries

1) Using a VPN. Here the VPN provider encrypts the DNS queries. Protection is system-wide
2) Setting DNS in WIndows. Protection here is also system-wide
3) DNS over HTTPS. Here the browser offers the encryption of the DNS queries. Protection is NOT system-wide
4) Using software like SimpleDNSCrypt. Protection is system-wide
5) Configuring DNS in your router. System-wide protection
6) Hardware-based DNS protection like having your own DNS server. Protection is again system-wide

Unless the encrypted DNS queries have been hijacked (like MITM attack) I doubt malware could access your system by this route . I could be wrong here.
 
Last edited:

71Hemi

Level 2
Verified
Dec 12, 2015
82
Thanks Guys ! I was trying to fix my previous post but it didn't work out well. Sorry about the double post. I have been using Neustar DNS for some time now but have it configured in my router with Windows DNS Client disabled.
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,611
Unless the encrypted DNS queries have been hijacked (like MITM attack) I doubt malware could access your system by this route .
DNS queries are protected by using an encrypted DNS, I was referring to malware, which could be within the system, like in browser's cache.

4) Using software like SimpleDNSCrypt. Protection is system-wide
By default svchost.exe makes DNS requests, simplednscrypt merely replaces it. So every software, malware included (if already infected), has DNS access to internet, it can not be blocked easily. Blocking big malware threats (botnets, ransomware) is done by blocking IPs/domains, but advanced malware updates its list using DNS. Of course DNS blocking will work only against a limited number of malware, but some of the most dangerous.

5) Configuring DNS in your router. System-wide protection
Setting DNS within Windows bypasses router's settings and malware tends to do that. I had to recommend Dns Lock v1.3 to circumvent that.
 
Last edited:

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,611
with Eset firewall or Symantec endpoint protection you can.
Dns
That applies only if the software is making DNS requests, that is not the case when DNS is set ot Automatic or when DNS server is set to 127.0.0.1, then all DNS requests are routed back to simplednscrypt, they are actually not outgoing, so there is nothing to block, since DNS is generally allowed.
 

Attachments

  • capture_09022018_133649.jpg
    capture_09022018_133649.jpg
    234.7 KB · Views: 530
  • Like
Reactions: Sunshine-boy

yitworths

Level 10
Verified
Well-known
May 31, 2015
472
that is not the case when DNS is set ot Automatic or when DNS server is set to 127.0.0.1, then all DNS requests are routed back to simplednscrypt
Actually, in theory dns query still should be blocked if that dns is blacklisted. Even if you port your encrypted dns,there are many ways to intercept that encrytped traffic & trust me many av or web protection suites employ those techniques. firewall sees connections as inbound & outbound so direction of data flow is immaterial.(Unless you've dedicated firewall i.e. either just inbound or just outbound firewall).


In short,dns query still can be blocked even if it's being ported.
 

LDogg

Level 33
Verified
Top Poster
Well-known
May 4, 2018
2,261
Some interesting results here, definitely make DNS choosing a lot easier for some people.

~LDogg
 
  • Like
Reactions: bribon77

Ink

Administrator
Verified
Jan 8, 2011
22,490

HarborFront

Level 72
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,121
Does cloudflare 1.1.1.1 / 1.0.0.1 do the same thing or not, or is that mainly for privacy alone but not security?
But Cloudflare logs your data for 24 hrs. CleanBrowsing don't log your data.

Cloudflare's business has never been built around tracking users or selling advertising. We don't see personal data as an asset; we see it as a toxic asset. While we need some logging to prevent abuse and debug issues, we couldn't imagine any situation where we'd need that information longer than 24 hours. And we wanted to put our money where our mouth was, so we committed to retaining KPMG, the well-respected auditing firm, to audit our practices annually and publish a public report confirming we're doing what we said we would.

Announcing 1.1.1.1: the fastest, privacy-first consumer DNS service
 
  • Like
Reactions: harlan4096

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top