Comparing Malware-blocking DNS Resolvers

Friday, April 3, 2020 @ 9:41 pm

With the release of two new DNS resolvers, Cloudflare 1.1.1.1 for Families and CIRA Canadian Shield, I decided to do a quick test of these two alongside Quad9.

Updates:

  • 2020-04-07: Added response to this blog post from CIRA

Quad9 posted a blog article which goes into detail on the usefulness of protecting your networks with a DNS resolver with built-in malware protection:

“As physical offices and schools shut down worldwide, people are rapidly relying more and more on a home-based telecommuting environment. Security protections once provided by enterprise or school network administrators must be available to the home network.”

Within the past week I became aware that Cloudflare launched two DNS resolvers with built-in protections, as well as CIRA Canadian Shield.

Overall average speeds:

  1. Cloudflare (1.1.1.2): 17.34ms
  2. Quad9 (9.9.9.9): 31.89ms
  3. Canadian Shield (149.112.121.20): 36.08ms

Full breakdown and a quick chart thrown in:

Notes:

  • Each run tested 20 randomly selected domains, so with 22 runs a total of 440 domains were tested against.
  • Testing location: Toronto, Ontario, Canada
  • Bash script can be found here
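A Python sketch of the kind of per-resolver latency test the notes describe, added here as an illustration rather than the author's Bash script; it assumes the three IPv4 primaries from this post and a constructed domain list, and reports the DNS rcode and answer count with each timing so that failed or filtered lookups are visible rather than hidden in the average.

```python
import random, socket, struct, time

# IPv4 primaries of the three resolvers compared in the post.
RESOLVERS = {
    "Cloudflare (1.1.1.2)": "1.1.1.2",
    "Quad9 (9.9.9.9)": "9.9.9.9",
    "Canadian Shield (149.112.121.20)": "149.112.121.20",
}
# Constructed sample list (the post's own domain list is not reproduced here).
DOMAINS = ["example.com", "example.net", "example.org", "cira.ca", "quad9.net"]

def build_query(name, txid):
    """Build a minimal DNS A query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data, txid):
    """Return (rcode, answer_count); rcode 3 is NXDOMAIN. Rejects a mismatched txid."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return flags & 0x000F, an

def time_query(server, name, timeout=2.0):
    """Send one UDP query; return (latency_ms, rcode, answers) or None on timeout."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        s.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
        elapsed_ms = (time.perf_counter() - start) * 1000
    return (elapsed_ms,) + parse_response(data, txid)

def benchmark(domains, runs=1):
    """Average latency per resolver over `runs` passes of `domains` (timeouts dropped)."""
    averages = {}
    for label, ip in RESOLVERS.items():
        samples = [r[0] for _ in range(runs) for d in domains if (r := time_query(ip, d))]
        averages[label] = sum(samples) / len(samples) if samples else None
    return averages

if __name__ == "__main__":
    for label, avg in benchmark(random.sample(DOMAINS, 3), runs=2).items():
        print(f"{label}: {avg:.2f}ms" if avg is not None else f"{label}: no replies")
```

Run it from the same vantage point for every resolver and repeat the passes, since a single run is dominated by cache state and route jitter.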

About Cloudflare 1.1.1.1 for Families

Launched April 1, 2020, 1.1.1.2 and 1.1.1.3 are two new addresses added to the iconic “1.1.1.1” (and 1.0.0.1), which launched on April 1, 2018. “Today, we process more than 200 billion DNS requests per day making us the second largest public DNS resolver in the world behind only Google.”

1.1.1.2 features malware blocking and 1.1.1.3 features malware blocking and adult content blocking.

In addition to their DNS resolver, Cloudflare also offers WARP, a free VPN using their extensive infrastructure set up worldwide (launched April 1, 2019).

Short, easy-to-remember, and very fast. Notably Cloudflare had their 1.1.1.1 DNS resolver audited by KPMG (audit found here).

Cloudflare goes into deep detail here on how they work to respect the privacy of their users.

IP Address Policy:

A public resolver user’s IP address (referred to as the client or source IP address) will not be stored in non-volatile storage. Cloudflare will anonymize source IP addresses via IP truncation methods (last octet for IPv4 and last 80 bits for IPv6). Cloudflare will delete the truncated IP address within 25 hours. (source)

Configuration Guide

IPs (IPv4, IPv4 secondary, IPv6, IPv6 secondary, DoH, DoT):

  • Malware Blocking: 1.1.1.2, 1.0.0.2, 2606:4700:4700::1112, 2606:4700:4700::1002, https://security.cloudflare-dns.com/dns-query/, DoT pending
  • Malware + Adult Content Blocking: 1.1.1.3, 1.0.0.3, 2606:4700:4700::1113, 2606:4700:4700::1003, https://family.cloudflare-dns.com/dns-query/, DoT pending

Note: DoT for uncensored 1.1.1.1 is 1dot1dot1dot1.cloudflare-dns.com

About Quad9

Quad9 is another easy address to remember: 9.9.9.9

Recently they’ve reported that they’re blocking at least 60 million requests daily to “hosts, which contain malware, phishing, botnets, spyware, and a variety of other risks that try to defraud end-users, or harm their computers or networks”.

They work with 19 threat intelligence agencies and have servers “distributed worldwide in more than 145 locations in 88 nations, with 160 locations on deck for 2019”. (source)

A cool thing Quad9 offers is an online tool that lets you check if a domain is blocked or not.

Anonymized data on specific domains (such as domain, timestamp, geolocation, number of hits, first seen, last seen) is shared with threat intelligence partners; this does not include the user’s IP address.

IP Address Policy:

The reason @Quad9DNS doesn’t say that it keeps IP addresses is because it doesn’t collect IP addresses in the first place. If the goal is user-privacy, collecting IP addresses is self-defeating. (source)

Configuration Guide

IPs (IPv4, IPv4 secondary, IPv6, IPv6 secondary, DoH, DoT):

  • Recommended: 9.9.9.9, 149.112.112.112, 2620:fe::fe, 2620:fe::fe:9, https://dns.quad9.net/dns-query, dns.quad9.net
  • Secured w/ ECS support: 9.9.9.11, 149.112.112.11, 2620:fe::11, 2620:fe::fe:11, https://dns11.quad9.net/dns-query, dns11.quad9.net

About CIRA Canadian Shield

Similar to Cloudflare 1.1.1.1 for Families, and launched in the past few weeks, CIRA Canadian Shield offers three different “layers”:

  • Private: DNS resolution service that keeps your DNS data private from third-parties.
  • Protected: Includes Private features and adds malware and phishing blocking.
  • Family: Includes Protected and Private features and blocks pornographic content.

Quick snippets from their site:

IP Address Policy:

d. Your detailed DNS query data that includes your IP address will be retained by CIRA for up to twenty-four (24) hours, in order to identify and protect the Service from any malicious behaviour, after which time it will be deleted. Beyond 24 hours only aggregated data will be retained in which your domain name queries will no longer be attributable to your IP address. (source)

Configuration Guide

IPs (IPv4, IPv4 secondary, IPv6, IPv6 secondary, DoH, DoT):

  • Protected: 149.112.121.20, 149.112.122.20, 2620:10A:80BB::20, 2620:10A:80BC::20, https://protected.canadianshield.cira.ca/dns-query, protected.canadianshield.cira.ca
  • Family: 149.112.121.30, 149.112.122.30, 2620:10A:80BB::30, 2620:10A:80BC::30, https://family.canadianshield.cira.ca/dns-query, family.canadianshield.cira.ca

Updates from CIRA (2020-04-07):

  • CIRA keeps IP addresses for 24 hours strictly to identify abuse of the system (i.e. DDoS attacks)
  • “We meet Mozilla’s requirements for DoH resolver policy which specifies a maximum of 24 hours of data retention”
  • “Finally, we are comfortable that our privacy policy meets or exceeds industry standards but we are always open to feedback and doing even better”
  • Source

Which do I recommend?

Cloudflare has speed and an audit backing their privacy promises, Quad9 has an extensive blocklist and many threat intelligence partners, and CIRA Canadian Shield exclusively uses Canadian data centres, which does appeal to me as a Canadian.

All three offer essential protection to networks and I would leave it to you to read through the above links (and privacy policies) and decide what would be best for your situation (e.g. if you’re outside of Canada you’d likely exclude CIRA Canadian Shield).

The fact that CIRA Canadian Shield stores users’ IP addresses for 24 hours does concern me, in contrast to Cloudflare and Quad9, which anonymize user data. However, CIRA Canadian Shield is a new service and further improvements may be made.

Because of this, I’d currently recommend Cloudflare or Quad9.

Honourable mention: on the horizon is NextDNS which is currently in beta. NextDNS would be comparable to AdGuard DNS: both focus on blocking ads in addition to malware. This may lead to false positives, so in this post I only looked at DNS resolvers that target malware.