Advice Request Serious security question ... is your black hole bigger than mine?

[Lenny_Fox]

To all members adding URL blacklists in UTM-fw-router, pi-holes and u-Block-plussers I am challenging them: are you sure your black hole is bigger than mine?

Have a look at the blacklists I have piled up using a DNS - Browser build-in and just one (optional) extension.

1. Use Quad9 as DNS service (already predefined in Edge Chromium)
   Quad9 DNS has three massive DNS sources. 2 antivirus sources, 1 corporate threat detection (e.g. for ransomware/spear phishing), 1 botnet and 1 spam.
   The documentation of Quad9 I could find mentions some of the initial partners: I have made the ones with large blocklists bold: IBM’s X-Force, Abuse.ch, Anti-Phishing Working Group (APWG), Bambenek Consulting, Cisco (Umbrella DNS network), F-Secure, mnemonic, Netlab (Passive DNS), Payload Security (Crowd Strike) , Proofpoint (email protection), RiskIQ, and ThreatSTOP (MyDNS).
   
   
2. Browser build-in blocklists (Edge Smartscreen - Chrome Safe Browsing)
   Since 2019 Smartscreen does not include your SID anymore. It stils sends the URL in plain text, but because it is send over HTTPS it is encrypted. So for MT-members with a a moderate form of compulsive malware paranoia disorder (CMPD), there is no reason to disable it anymore. Chrome's Safe Browsing pushes hashed lists to clients every half-hour, so while this is better in terms of privacy, the Chrome URL-blacklist on average is 15 minutes behind Edge cloud based only Smartscreen.
   
   
3. One malware protection extension of choice
   Based on this thread (link) I will grant MT-members an additional malware protection blocklist. Personally being a "less is more" fan, I am not adding any malware protection extension. Because I I am planning to enable HomeCare on my new TP-link AC4000 router, I added this option to level the playing field (so practically using one more URL-blacklist from TrendMicro in the router). When I interpret the results published by @Evjl's Rain correctly I would suggest
   a) Bitdefender Traffic light - when your main concern is Phishing
   b) Norton Safe Web - when your main concern is malware (will probably soon also include Avira's URL blacklist)
   c) Malwarebytes Browser Guard - good overall performer with adblocker

EDIT: just received new TP-link AC4000 router with Trend Micro home care.

So I ask all paranoid UTM-wallers, Pi-holers and u-Block-plussers do you seriously think your black hole is bigger than mine?

 

[Gandalf_The_Grey]

1. Have you set up Quad9 just in Edge or also at system level?
2. For the time disadvantage of Chrome, you could use the Microsoft Defender Browser Protection extension in Chrome and that way add SmartScreen to Chrome.
3. From testing done here (@Evjl's Rain) Bitdefender TrafficLight beats all other extensions in phishing and malware protection.
His conclusion was that SmartScreen (native to Edge or as extension for Chrome) combined with Bitdefender TrafficLight is a strong and still light combo.

 

[Lenny_Fox]

1. Have you set up Quad9 just in Edge or also at system level?
2. For the time disadvantage of Chrome, you could use the Microsoft Defender Browser Protection extension in Chrome and that way add SmartScreen to Chrome.
3. From testing done here (@Evjl's Rain) Bitdefender TrafficLight beats all other extensions in phishing and malware protection.
His conclusion was that SmartScreen (native to Edge or as extension for Chrome) combined with Bitdefender TrafficLight is a strong and still light combo.

just in browser

 

[Gandalf_The_Grey]

just in browser

Thanks
I've just done the same.
Edge with Quad9 dns, uBlock Origin (optimized ad filtering), Bitdefender TraficLight and behind a TP-Link Archer AX6000 router with Trend Micro home care.

 

[sepik]

We changed all of our TP-Link devices to centralized Sophos system. Was a lot cheaper than Fortinet. The reason was quite simple. Security reason(s)

 

[Lenny_Fox]

Thanks
I've just done the same.
Edge with Quad9 dns, uBlock Origin (optimized ad filtering), Bitdefender TraficLight and behind a TP-Link Archer AX6000 router with Trend Micro home care.

AX6000 bigger is better Gandalf the Great

 

[ForgottenSeer 85179]

In my FritzBox router i add encrypted NextDNS (NextDNS default profile)
In Edge i add my own encrypted (more strict) NextDNS profile.

NextDNS use 48 sources for security: metadata/threat-intelligence-feeds.json at master · nextdns/metadata (github.com)
It also include Google Safe Browsing, see Tutorial - NextDNS: a DoH/ DoT guide | MalwareTips Community so not only Edge is protected with Safe Browsing but the whole sytem.

Beside that i only use AdGuard with default AdGuard Base filter & Kees' list and activated URL-tracking cleaning. None other filter (not even malware) is activated.
If ads (e.g. YouTube) weren't so annoying, i wouldn't even use AdGuard extension as Kees' list can be used native (little bit restricted) in Edge.

 

[TairikuOkami]

So I ask all paranoid UTM-wallers, Pi-holers and u-Block-plussers do you seriously think your black hole is bigger than mine?

Thanks for the push in the right direction. After the recent DNS test, which I refused to believe, I tested it myself and cleanbrowsing has indeed fallen behind.
So I have switched to Quad9 and enabled DNS Cache service, DoH does not work without it, but the next Windows will need it anyway, so whatever, Gru.

1. Quad9 as ordered, System and Browser, Cloudflare came close, but not close enough, cleanbrowsing did not block a single link this time (even days old).
2.-3. Yandex uses its own pathetic blocklist, so I installed Netcraft again, mostly for blocking malicious scripts and XSS, blocking port 80 might help as well.

Personally I would prefer Neustar DNS (Ultra DNS), but without a secure DNS, that is just unacceptable these days, regardless of the speed and filtering.

 

[ForgottenSeer 85179]

blocking port 80 might help as well.

This block all HTTP traffic which may break stuff. Aren't you confusing it with port 53 ?

 

[TairikuOkami]

This block all HTTP traffic which may break stuff. Aren't you confusing it with port 53 ?

No, I am blocking port 80 for almost a year, no serious problems whatsoever (a blocked webpage here and there and that is about it).

 

[Lenny_Fox]

@TairikuOkami

blocking port 80 also prevents people to log into the router's console via wifi on HTTP

I have not dared to take that step having the same reservation as @security123, but I applaude your bravery in best practices.

 

[Lenny_Fox]

NextDNS use 48 sources for security: metadata/threat-intelligence-feeds.json at master · nextdns/metadata (github.com)
It also include Google Safe Browsing, see Tutorial - NextDNS: a DoH/ DoT guide | MalwareTips Community so not only Edge is protected with Safe Browsing but the whole sytem.

It is great NextDNS uses Google and 48 sources, but URL blocking is a numbers game, so good sources monitor many requests, typically
a) large DNS networks (e.g. Cisco Umbrella)
b) Search engines (they see with their crawlers and search engine a massive volume of web requests)
c) Devices with OS-related/provided malware protection (e.g. Windows)
d) UTM corporate router vendors associated with an AV (e,g, Fortinet and Sophos)
e) Antivirus companies with many installs (e.g. Bitdefender, Norton/Avira and Avast/AVG).

These are the sources which really beef up the URL blacklist and Traffic Intrusion protection, so the NextDNS URL blocklist protection probably comes from 99% of 1 source (Google) and 1% of the other 48 sources.

I told you so and will do it again: my URL black hole is bigger than yours

@security123 I am using your list in Edge, inspired by @oldschool . I just added a youtube adblocker which i only enabled on https://*.youtube.com Works okay so far.

 

[Lenny_Fox]

PS

I don't bite, just seeking a healthy discussion on different viewpoints with UTM-wallers, PI-holers and uBlockPlussers

Just killing Covid19 time, better having a friendly discussion with forum members than an argument with my girlfriend (I loose the majority of those discussions anyway and even the ones I seem to win feel like a loss).

So come on MT-forum compadres, hit me..

 

[oldschool]

So come on MT-forum compadres, hit me..

Nothing to contribute here as modem controlled by IP and can't change it without some work, which I'd rather not since I'm lazy even during CoronaTime.
Then again, maybe somebody posts easy bridging instructions, like for dummies!

 

[Lenny_Fox]

Nothing to contribute here as modem controlled by IP and can't change it without some work, which I'd rather not since I'm lazy even during CoronaTime.
Then again, maybe somebody posts easy bridging instructions, like for dummies!

Your lean more towards simplism (like me), I am seeking discussions with 1 million plus rules UTM-wallers, PI-holers and uBlockPlussers

 

[ForgottenSeer 85179]

Before NextDNS i used PiHole (with Unbound) and ~2 million block list but the maintenance was really painful

 

[oldschool]

Your lean more towards simplism (like me)

Indeed!

 

[Lenny_Fox]

Before NextDNS i used PiHole (with Unbound) and ~2 million block list but the maintenance was really painful

So your a converted PI-holer? How long are off your blacklist addiction? Was it hard to hand over the managemen of the blocklists to NextDNS?

Never had a weak moment to add blocklists to uBlock? Since PI-stopped facilitating ABP like blocklist many PI-holers changed to uBlockPlussers.

Did you get threatening private messenges on security forums when you turned into a "simpler is better" activist? (Being a maintainer of Kees1958 most prevalent list qualifies as a " less is more " activist ).

 

[ForgottenSeer 85179]

Wow a lot of questions

So your a converted PI-holer? How long are off your blacklist addiction? Was it hard to hand over the managemen of the blocklists to NextDNS?

Yeah i use PiHole a long time.
The blacklist addiction increased over time with PiHole but decreased with NextDNS.
The switch was very easy and relieving.

Never had a weak moment to add blocklists to uBlock? Since PI-stopped facilitating ABP like blocklist many PI-holers changed to uBlockPlussers.

Before my PiHole times i use some extra blocklists in uBlock Origin but my goal was network wide blocking with less performance loose on desktop/ in browser.
The stopped ABP compatibility start me thinking about the whole move to something else but at the time my uBlock Origin lists wasn't much nor i wanted change that.

Did you get threatening private messenges on security forums when you turned into a "simpler is better" activist? (Being a maintainer of Kees1958 most prevalent list qualifies as a " less is more " activist ).

I moved to different forums and finally found MT as best and also leave other's. I never get any threatening messages but some unwanted or annoying answers directly from lists maintainer at mainly GitHub and PiHole forums.
Most annoying was fighting against nonsense blocking like Windows telemetry.

 

[Lenny_Fox]

@security123

I am glad you changed insights, I am a happy user of your Edge blocklist. I don't mind the fact that the other list is occasionally overwritten.

As posted I only use Blank tab and Youtube Adblock extension (the first only allowed on new tab, the last only on youtube.com).

Your list fits perfectly in Occam Razor's principle of simple is better


thanks