How good are public DNS providers in blocking malware & phishing?
During the last years the market of public DNS server providers has been increased a lot. Google DNS is one of the most known alternative DNS server providers and has been available since 2009.Many DNS providers on the market are only offering an alternative DNS server. Others also add protection against malware and other online threats.
Those protections are mainly done in two ways:
1) A malicious domain name is resolved with “NXDOMAIN” telling the requested system that the domain name does not exist.
2) A malicious domain name is resolved by the DNS provider with the response pointing to its own blocking site instead of the requested domain.
See the Swedish block page from AdGuard below.
Some of the DNS providers are offering different types of DNS servers to choose from. In addition to their regular ones they offer servers that block access to sites which are unsuitable for children. Those alternate DNS servers are out of scope for the review I made. I’m just looking at their “default” DNS resolver or if there was a server alternative available which explicitly is for blocking malicious and phishing sites, then I used that one. (as in the case of Neustar DNS)
Some also advertise that the usage of their DNS service is blocking Ad banners while browsing which can be a nice extra feature. (AdGuard DNS)
DNS Providers and servers selected
The DNS providers below has been selected for this test.
- Google DNS – 22.214.171.124
- Cloudflare DNS – 126.96.36.199
- Quad9 DNS – 188.8.131.52
- DNS.Watch – 184.108.40.206
- OpenDNS – 220.127.116.11
- CleanBrowsing – 18.104.22.168
- Neustart (Threat Protection) DNS – 22.214.171.124
- SafeDNS – 126.96.36.199
- AdGuard DNS – 188.8.131.52
- Alternate DNS – 184.108.40.206
- Mullvad VPN‘s DNS – 220.127.116.11
Instead of using the DNS server of my ISP, I was using the VPN providers DNS which I’m using at the moment (MullvadVPN), to get some results of what an default ISP DNS server would block.
Keep in mind that the most of those DNS providers also have a secondary DNS with another IP address. I was only testing against their primary DNS server.
There are of course more DNS providers on the market out there than the 10 which are listed above.
To compare them from a malware protection standpoint I resolved a number of currently active malicious domains while using their service.
I have selected 14 domains which where hosting malware on links which were still online. The links were 1-3 days old and collected from sites as: urlhause, malc0de, vxvault and pastbin posts from cryptolaemus to include actively used Emotet virus links as well.
Additionally I have tested the DNS providers against 6 domains hosting phishing links, which also where 1-3 days old and still active. Those were collected from Openphish and Phishtank.
I also want to mention that this was not a long time testing and by this I do not know whether any of the DNS providers sometimes is blocking links incorrectly as a so called false positive detection.
All tests were done on the 31st of march 2019.
None of the tested DNS providers blocked all 20 links used in my test.
The total results from the top to the bottom, not naming the DNS services that are not blocking any links at all:
- Neustar: 14 blocked = 70%
- CleanBrowsing: 12 blocked = 60%
- Quad9: 11 blocked = 55%
- AdGuard: 7 blocked = 35%
- SafeDNS: 1 blocked = 5%
When splitting the test results in malware link test and phishing link test, the results are as followed:
Malicious domains protection results
- Neustar = 71%
- Quad9 = 57%
- CleanBrowsing = 50%
- AdGuard = 29%
None of the other DNS providers blocked any of the tested malicious domain names.
Phishing domains protection results
- CleanBrowsing = 83%
- AdGuard = 67%
- Neustar = 67%
- Quad9 = 50%
- SafeDNS = 17%
None of the other DNS providers blocked any of the tested phishing domain names.
Going through the results you see that some DNS providers are better at blocking malicious links while others are better at blocking phishing links. At the same time we see that 50% of the tested DNS providers are blocking nothing at all.
It’s clearly showing that Neustar is the winner in this test, rather tight followed by CleanBrowsing and Quad9.
When it comes to Quad9 they are advertising their service as a malware blocking service.
Quad9 brings together cyber threat intelligence about malicious domains from a variety of public and private sources and blocks access to those malicious domains when your system attempts to contact them.
Quad9 is achieving rather equal results when it comes to blocking of malware and phishing links (57% vs 50%) , while others like CleanBrowsing (50% vs 83%) and AdGuard (29% vs 67%) are better at blocking Phishing than blocking malicious links.
Keep in mind that AdGuard is also blocking Ads on all your devices at home, when using their DNS service in your router at home. So you may want to choose this DNS provider for your personal needs.
Also our winner in this test, Neustar is similar to Quad9 achieving rather equal results in blocking both malicious and phishing domains (71% vs 67%). They are advertising their “Treat Protection” DNS as:
For users who want protection against malicious domains for security purposes.
How about the other DNS providers?
Should you choose one of the DNS providers which is not blocking any tested links at all, Google DNS, Cloudflare, DNS.Watch and so on? Well that’s up to you to decide.
Cloudflare for example is advertised as “fastest DNS resolver on Earth“. That’s maybe the truth, but whether a DNS resolving speed of 10 ms is more important for than a DNS resolving speed of 22-30 ms which at the same time is blocking about 50 – 70% of known malicious sites is up to you to decide.
See my updated test from May 2020.
2 svar på ”How good are public DNS providers in blocking malware & phishing?”
did you know that OpenDNS resolves with a blocksite-IP even for malicious sites? So a NXdomain is not the correct indicator.
This has been taken into consideration.
In non of the tested domains, OpenDNS was resolved to any of OpenDNS blockpages. See the results from AdGuard, where some sites where redirected to their blog pages. But this has never seen in any of the tested domains in the case of OpenDNS.
Kommentarer är stängda.