Advice Request VPN vs DNS: which is better for protection against malicious domains and attackers?

SohanRay

Level 5
Thread author
Mar 19, 2022
246
Considering that the VPN service does have a DNS firewall (blocking ads and malware), but the DNS firewall (only) service may be better at filtering malicious domains. The DNS firewall service is an encrypted DNS filtering service and also has the option to block all newly registered domains.
 

n8chavez

Level 17
Well-known
Feb 26, 2021
818
SohanRay said:
Considering that the VPN service does have a DNS firewall (blocking ads and malware), but the DNS firewall (only) service may be better at filtering malicious domains. The DNS firewall service is an encrypted DNS filtering service and also has the option to block all newly registered domains.

Stop using the term "DNS firewall" when you have no idea what it means. You're going to confuse people.
 
ForgottenSeer 77194

VPNs are only relevant in unsecured public wifi in terms of protection, nowhere else. Applications using encrypted tunnels (TLS) are much more important.
In terms of protection from malware or phishing, blocking all newly registered domains is a great addition since new phishing domains are short-lived to evade detection.
 
  • Like
Reactions: SohanRay

n8chavez

Level 17
Well-known
Feb 26, 2021
818
ForgottenSeer 77194 said:
VPNs are only relevant in unsecured public wifi in terms of protection, nowhere else. Applications using encrypted tunnels (TLS) are much more important.
In terms of protection from malware or phishing, blocking all newly registered domains is a great addition since new phishing domains are short-lived to evade detection.

You assume all people need is HTTPS protection, but how does that hide your IP? It doesn't. How does that help with p2p? It doesn't. How does that circumvent geo-location restrictions? It doesn't.
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
Because all your comments so far have demonstrated that you don't. You seem to be jamming two words and concepts together hoping no one notices. DNS and firewall are two separate things, thus DNS firewall does not exist. Don't use marketing terms.

So encrypted DNS filtering service sounds OK?
 
  • Like
Reactions: n8chavez

SohanRay

Level 5
Thread author
Mar 19, 2022
246
n8chavez said:
You assume all people need is HTTPS protection, but how does that hide your IP? It doesn't. How does that help with p2p? It doesn't. How does that circumvent geo-location restrictions? It doesn't.

Why do you consider hiding your IP so important? To keep your activity hidden from ISP?
What about dns over TLS and https?
P2P file transfers are secure from external threats while in transit right? Because data sent and received in this scenario stays within peers network only
 
ForgottenSeer 77194

n8chavez said:
You assume all people need is HTTPS protection, but how does that hide your IP? It doesn't. How does that help with p2p? It doesn't. How does that circumvent geo-location restrictions? It doesn't.

The question was "which is better for protection against malicious domains and attackers?" I answered in terms of protection. All these examples that you provided are usabilities.
 
  • Like
Reactions: SohanRay

n8chavez

Level 17
Well-known
Feb 26, 2021
818
SohanRay said:
Why do you consider hiding your IP so important? To keep your activity hidden from ISP?

Because I prefer to make it hard to take me, electronically or physically. I prefer to make sure my shopping or any other transaction is secure after T-Mobile let people steal my information. In that case, a VPN might just be a sugar pill but it makes me feel better.

SohanRay said:
P2P file transfers are secure from external threats while in transit right? Because data sent and received in this scenario stays within peers network only

Why would you assume that? Define external threats. And, no, data sent/received does not stay only in the peer network. In the case of torrents the tracker gets announced. In the case of usenet, the central server as well as the usenet service you're using both have your connecting IP. Why risk it?

SohanRay said:
What about dns over TLS and https?

What about them? They have nothing to do with whether or not to use or not use a VPN. That being said, I use DoH system-wide on Windows 11 via paid NextDNS and will recommend that everyone do the same.
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
ForgottenSeer 77194 said:
VPNs are only relevant in unsecured public wifi in terms of protection, nowhere else. Applications using encrypted tunnels (TLS) are much more important.
In terms of protection from malware or phishing, blocking all newly registered domains is a great addition since new phishing domains are short-lived to evade detection.

In unsecured public WiFi, what extra protection would a VPN offer than an encrypted DNS filtering? Apart from privacy?
 

n8chavez

Level 17
Well-known
Feb 26, 2021
818
ForgottenSeer 77194 said:
The question was "which is better for protection against malicious domains and attackers?" I answered in terms of protection. All these examples that you provided are usabilities.

Not necessarily. Define attacker. Anyone that can get your true IP can do things with that address that cannot be thwarted by DNS filtering.
 
  • Like
Reactions: upnorth

SohanRay

Level 5
Thread author
Mar 19, 2022
246
n8chavez said:
Not necessarily. Define attacker. Anyone that can get your true IP can do things with that address that cannot be thwarted by DNS filtering.

Well knowing my IP can only lead to tracking my online activities to some extent. Like which website I am visiting.
 

n8chavez

Level 17
Well-known
Feb 26, 2021
818
How can there be MiM attacks with dns over tls and https?

Of course. That assumes you trust the cert that site happens to be using. What happens if that cert, and thus https, was installed maliciously? Highly unlikely. But possible. What about network sniffers? Highly unlikely, but possible as well. My point is, why not be prepared for anything? Is it needed, no. But for me it's preferable to use a VPN.
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
n8chavez said:
Of course. That assumes you trust the cert that site happens to be using. What happens if that cert, and thus https, was installed maliciously? Highly unlikely. But possible. What about network sniffers? Highly unlikely, but possible as well. My point is, why not be prepared for anything? Is it needed, no. But for me it's preferable to use a VPN.

If there's such a behaviour in a site it's simply a malicious site. So if you visit such a site you are at risk even if you are using a VPN. If you reveal any sensitive info that is. Now if you say that the website may hack you by knowing your IP address, it's not that easy. Knowing the IP address is just a starting point. A lot more is needed to hack.
Again as I said earlier network sniffer can view like the website the user is visiting if he isn't using a VPN. But that's all. He cannot manipulate data transfers if the destination site supports encryption. If it doesn't however, then he can steal any info that is entered here. But that would happen even with a VPN in play.
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
n8chavez said:
Because I prefer to make it hard to take me, electronically or physically. I prefer to make sure my shopping or any other transaction is secure after T-Mobile let people steal my information. In that case, a VPN might just be a sugar pill but it makes me feel better.

n8chavez said:
Why would you assume that? Define external threats. And, no, data sent/received does not stay only in the peer network. In the case of torrents the tracker gets announced. In the case of usenet, the central server as well as the usenet service you're using both have your connecting IP. Why risk it?

n8chavez said:
What about them? They have nothing to do with whether or not to use or not use a VPN. That being said, I use DoH system-wide on Windows 11 via paid NextDNS and will recommend that everyone do the same.

Have you ever researched the NextDNS GitHub repository? 35% of the threat feeds they use are outdated and of no use actually. Frankly speaking just 12 to 13 of the sources of their threat intelligence feeds are reliable out of the whopping 49 that they use. And reliable as in not as reliable as giving a zero day protection. Most of them are updated like once in a day or once in two days or even less than that.
NRD and AI are the only thing keeping the service afloat I think. It just shows from the outside that it's very good and all, but it isn't. The cryptojacking protection that they have is useless actually. They use 2 sources for it. Both are outdated and are like not updated any more. Typosquatting protection only works for the domains they have in list. So for India, there's just one banking domain that is protected. All the rest aren't. And protection while banking is the most important.
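
A sketch of the filtering layers the post above talks about (threat feeds, a typosquat list, newly registered domains), added here as an example and not NextDNS's or any poster's code. The `.example` names, dates, thresholds and function names are constructed assumptions; a real filter would take registration dates from a registry or NRD feed.

```python
from datetime import date

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def in_feed(name, blocklist):
    """True if the name or any parent domain is listed in a threat feed."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))

def decide(name, registered, today, blocklist, protected, nrd_days=30):
    """Return the filter verdict for one queried name."""
    name = name.lower().rstrip(".")
    if name in protected:
        return "allow"
    if in_feed(name, blocklist):
        return "block:feed"
    # The typosquat check only knows the brands on the protected list.
    if any(edit_distance(name, p) <= 1 for p in protected):
        return "block:typosquat"
    # NRD rule: block anything registered fewer than nrd_days ago.
    if registered is not None and (today - registered).days < nrd_days:
        return "block:nrd"
    return "allow"

def stale_feeds(feeds, today, max_age_days=2):
    """Names of feeds whose last update is older than max_age_days."""
    return sorted(n for n, updated in feeds.items()
                  if (today - updated).days > max_age_days)

# Constructed sample data (not real domains, feeds or dates).
TODAY, OLD, FRESH = date(2022, 3, 20), date(2020, 5, 1), date(2022, 3, 15)
BLOCKLIST = {"malware-host.example"}
PROTECTED = {"mybank.example"}
FEEDS = {"feed-a": date(2022, 3, 19), "feed-b": date(2021, 6, 1)}

if __name__ == "__main__":
    for q, reg in [("cdn.malware-host.example", OLD), ("mybamk.example", OLD),
                   ("otherbamk.example", OLD), ("fresh-login.example", FRESH)]:
        print(q, "->", decide(q, reg, TODAY, BLOCKLIST, PROTECTED))
    print("stale feeds:", stale_feeds(FEEDS, TODAY))
```

`otherbamk.example` is allowed because its look-alike target is not on the protected list and the name is neither fresh nor in a feed, which is the coverage gap a list-based typosquat check leaves.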
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,781
SohanRay said:
Have you ever researched the NextDNS GitHub repository? 35% of the threat feeds they use are outdated and of no use actually. Frankly speaking just 12 to 13 of the sources of their threat intelligence feeds are reliable out of the whopping 49 that they use. And reliable as in not as reliable as giving a zero day protection. Most of them are updated like once in a day or once in two days or even less than that.
NRD and AI are the only thing keeping the service afloat I think. It just shows from the outside that it's very good and all, but it isn't. The cryptojacking protection that they have is useless actually. They use 2 sources for it. Both are outdated and are like not updated any more. Typosquatting protection only works for the domains they have in list. So for India, there's just one banking domain that is protected. All the rest aren't. And protection while banking is the most important.

I’ve seen your discussions on the NextDNS help section and it seems that despite the old feeds their protection is relatively decent in testing. DNS isn’t the most efficient way to block threats anyway and is kind of a nice extra layer. For the other features NextDNS is a pretty good service with a good level of protection thrown in, though as you note there are better solutions for a sole focus on security. All-in-all I’d say it’s a good service, for security on Quad9 is better. But if you are that concerned about security a router or device level solution is going to be more effective.
 
