Q&A Serious security question ... is your black hole bigger than mine?

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,125
@harlan4096

In the above post secrity123 provides all the arguments why blocking at DNS level combined with browser built-in protection works so well.

Maybe you would be so kind to end this discussion with your thoughts on the added value of adding extra Antivirus extensions in your browser.

This to show readers of this forum, that it is a thought also endorsed by seasoned members of this forum :)

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Apr 28, 2015
7,357
Maybe you would be so kind to end this discussion with your thoughts on the added value of adding extra Antivirus extensions in your browser.
This is a big responsibility :sick: 😅

To be completely honest, I still haven't spent much time doing deep research about ad blocking lists/services... personally I use AdGuard Desktop on my main (except when I'm beta testing a KTS build, then I disable it to check Kaspersky Anti-Banner + Safe Browsing modules), on my mobile I also use the AdGuard app... but on my old lap I use KTS + uBlock Origin, in all of them with Firefox...

In general I use standard lists, but from time to time I may add some rules/lists to block specific ads...

About security and number of browser extensions, here I use as few as possible: just Kaspersky Protection add-on (which can detect malware, phishing and other types of URL threats), AdGuard browser assistant add-on, and finally the integrated tracking protection feature in Firefox (set to default)...

Sorry if these are not the thoughts You were expecting :p

ForgottenSeer 85179

I also moved off PiHole and onto NextDNS but I find that Pihole blocked more of the ads... especially Pihole blocked my ATT TV ads that play when the program is paused. I never knew those ads existed until I took Pihole out; now when I pause a program on ATT TV (the fibre-based TV service with an Android Box as the TV box) I see ads playing. Very annoying.
You can add filterlists and add domains to your blocklist in NextDNS account.

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,125
@Arias

Have a look at Sybu JavaScript Blocker. This extension is a simplified NoScript which also allows regex to be used, or parts of domain names. Its block/allow options are more point and click, like uBO in advanced mode (its rule creator looks more like AdGuard). This extension also blocks scripts in (i)frames and Ajax et cetera, so its scope is wider than its name suggests. The author has used some best practices from other script blockers to make it easy to use. It is my preferred precision knife when dissecting a website.

Jan Willy

Level 7
Jul 5, 2019
285
@Arias

Have a look at Sybu JavaScript Blocker. This extension is a simplified NoScript which also allows regex to be used, or parts of domain names. Its block/allow options are more point and click, like uBO in advanced mode (its rule creator looks more like AdGuard). This extension also blocks scripts in (i)frames and Ajax et cetera, so its scope is wider than its name suggests. The author has used some best practices from other script blockers to make it easy to use. It is my preferred precision knife when dissecting a website.
Very nice. The extension blocks by default four third-party trackers on their own site. ;)

Slyguy

Level 44
Jan 27, 2017
3,322
Pretty sure I have the largest blocklist of anyone here.

My local DNS server has 3,000,000 blocks. My Gryphon dataset is sourced from ESET's enterprise offerings, which I think is around 15,000,000. I use another Linux-based blocklist program from a private IT security firm on the network which has about 12,000,000 additional ones (in transparent mode). Then my upstream DNS uses a private Fortinet DNS server which has about 52,000,000 lists and is legendary in quality. Add to that whatever uBlock has and my AV solution has on desktops, and it's pretty massive.

It's almost impossible for me to purposely hit a malicious domain or phishing site when I get the urge to attempt it. I also have significant US and FORN intelligence domains in the Linux system too, which is handy.

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,125
When I wrote this post, I expected the master of all UTM-wallers to reply soon (well, although you 'only' use a Gryphon, I consider you a UTM-waller class member :) ). Thanks for joining in (y)

Still, I would not be so sure about your victory

The mighty Fortinet finds its match in the Umbrella network (Cisco is larger than Fortinet and, with Fortinet, Palo Alto, Sophos and Checkpoint, a leader in the UTM market).
The two other DNS services of the Quad9 combination (Passive DNS and MyDNS) are also a good match for your local DNS and your Linux-based blocklist.
Your ESET blocklist is probably not larger than the TrendMicro HomeCare blocklist used by my humble AC4000 router.
Your Chrome SafeBrowsing is matched by my Edge SmartScreen.
Your uBO blocklists with Avira safe browsing are no match for the combined lists of IBM X-Force, F-Secure, CrowdStrike, Proofpoint and Abuse.ch (the other blocklist providers of Quad9).

So I dare to repeat: My black hole is bigger than yours :)


Note to other members
There is a natural hierarchy within the 'blocklist besties' scene. The youBlockPlussers typically range up to 500-750 K blacklisted domains, the average PI-holer manages somewhere between 500K and 2 million blocked domains, while most UTM-wallers easily have over two million blocked domains. Our resident master waller (@Slyguy) beats those numbers hands down (in Dutch we say SlyGuy beats all 'forum blocklist besties' in numbers with one hand tied behind his back and his eyes closed).

Nagisa

Level 7
Verified
Jul 19, 2018
337
As a person who's yet to know what techniques the most advanced server-side attacks use, I don't know any reason to use a bigger filter list. Using an up-to-date Chromium-based browser - as it's architecturally more secure than Firefox-based ones and has a stronger sandbox - looks like enough to prevent my system being compromised. Most malware sites just download a malicious PE.

Slyguy

Level 44
Jan 27, 2017
3,322
As a person who's yet to know what techniques the most advanced server-side attacks use, I don't know any reason to use a bigger filter list. Using an up-to-date Chromium-based browser - as it's architecturally more secure than Firefox-based ones and has a stronger sandbox - looks like enough to prevent my system being compromised. Most malware sites just download a malicious PE.

1) The strongest of networks control outbound/egress of every IP/FQDN. That is - default deny of all outbound, unless explicitly allowed. This is the best, but hardest to manage since you have to spend a long time whitelisting, then have to routinely whitelist based on user/product changes as time goes on. It's quite annoying.

2) The next strongest is a deep, widespread, extensive blocklist covering millions of domains/IPs to the extent that you blacklist the vast majority of bad sites/CDNs/adservers, and other things, while still allowing full user activity.

3) The weakest is just to allow anything, and rely on browser blocks or whatever your AV blocks, and using a non-filtering, weak public DNS.

Take your pick. I'm pretty close to being between 1 and 2. I disallow a whole lot of IP addresses and FQDNs. Many many millions. I have a personal blacklist that covers other sites I don't want anyone accessing (like Google Searches, Facebook, TikTok, etc). Hybrid I guess...
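As an added illustration (not code from any poster or from any product named in this thread), the three postures ranked above can be modelled as a small DNS policy check. The list formats and every domain in it are constructed samples; it also assumes, as AdGuard-style bare-domain lists do, that a listed name covers its subdomains, which is not how every resolver behaves.

```python
"""Toy DNS policy engine for the three egress postures: default-deny
allowlist, large blocklist, and allow-all. All data below is constructed."""
from typing import Iterable

# Constructed sample lists: hosts-file style and bare-domain style, with comments.
SAMPLE_BLOCKLIST = """
# constructed hosts-format entries
0.0.0.0 ads.example
127.0.0.1 tracker.example
# constructed bare-domain entry
malware-cdn.example
"""
SAMPLE_ALLOWLIST = "update.vendor.example\n"


def parse_list(text: str) -> set[str]:
    """Parse hosts-format or bare-domain lines into normalised domain names."""
    domains: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        # hosts format is "<sink ip> <domain>"; bare format is just "<domain>"
        name = parts[1] if len(parts) > 1 and parts[0] in ("0.0.0.0", "127.0.0.1") else parts[0]
        domains.add(name.lower().rstrip("."))   # case-fold, strip trailing dot
    return domains


def parents(domain: str) -> Iterable[str]:
    """Yield the name and each parent: a.b.example -> a.b.example, b.example, example."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def listed(domain: str, entries: set[str]) -> bool:
    """Label-boundary match only: 'adsexample.example' never matches 'ads.example'."""
    return any(p in entries for p in parents(domain))


def decide(domain: str, mode: str, blocklist: set[str], allowlist: set[str]) -> str:
    """Return 'ALLOW' or 'BLOCK'. Modes: 'default_deny' (posture 1: only
    allowlisted names resolve), 'blocklist' (posture 2: allowlist overrides
    blocklist, everything else resolves), anything else = posture 3 (no filtering)."""
    if mode == "default_deny":
        return "ALLOW" if listed(domain, allowlist) else "BLOCK"
    if mode == "blocklist":
        if listed(domain, allowlist):
            return "ALLOW"
        return "BLOCK" if listed(domain, blocklist) else "ALLOW"
    return "ALLOW"
```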

ForgottenSeer 85179

3) The weakest is just to allow anything, and rely on browser blocks or whatever your AV blocks, and using a non-filtering, weak public DNS.
And even this is enough for most users and "default".
I also wouldn't call it weak, as Chromium browsers use strong protection, no matter if Google's SafeBrowsing or Microsoft's SmartScreen is used. Both provide a good base protection and also e.g. Edge includes a tracking protection, so even a normal user, without doing anything, enjoys a good balance of protection (y)

Nagisa

Level 7
Verified
Jul 19, 2018
337
Security from using filter lists and from the browser's architecture itself are two separate things. I guess a filter can prevent possible data exfiltration to 3rd parties if there is a code injection present on the site. But other than that I don't know (yet) of any possible way a malicious site can harm my system, so using huge filter lists seems unnecessary to me. I doubt blacklists can do something against zero-day browser exploits either.