Comparing Malware-blocking DNS Resolvers, Redux

Sunday, May 31, 2020 @ 12:30 am

Inspired by this DNS malware-blocking comparison, I slightly modified the script it provided, added CIRA’s Canadian Shield, and re-ran it to see how it fares against the others.

Updates:

  • 2020-06-02: important note – “Cisco does not claim that [OpenDNS] blocks threats but only filters content.” – I will be running another test with a larger blocklist and with CleanBrowsing DNS instead of OpenDNS moving forward
  • 2020-06-02: re-ran the test to account for Canadian Shield and OpenDNS/Cisco Umbrella block page IP addresses and added more details on testing approach (many thanks to Spencer of CIRA for reaching out to me and pointing this out)

Testing Approach:

  • The source list (the DShield.org Suspicious Domain List, High Sensitivity) contained 2,288 domains
    • Important Note: this is small compared to the blocklists these DNS services maintain, and a block rate here only measures overlap with this one feed, so please take the results with a grain of salt
  • All 2,288 domains were first resolved through Google Public DNS (8.8.8.8, which does not filter malware domains) to see whether they returned an IP address
    • 137 of the 2,288 domains returned an IP address and were counted as “live”
  • These “live” domains were then resolved through Quad9 (9.9.9.9), Cloudflare (1.1.1.2), Canadian Shield – Protected Layer (149.112.121.20), and OpenDNS / Cisco Umbrella (208.67.222.222)
    • Block page IP addresses returned by Canadian Shield and OpenDNS / Cisco Umbrella were removed from the results, i.e. treated as a block rather than as a resolved address
  • A simple spreadsheet formula then counted the non-empty cells per resolver (domains that still resolved) and tabulated the totals

Results in order from best to worst (percentage of the 137 live domains blocked):

  1. Quad9 (97.08%)
  2. Cloudflare (56.20%)
  3. Canadian Shield (40.88%)
  4. OpenDNS / Cisco Umbrella (2.19%)

Important note: do not visit any of the domains in the spreadsheet.

(I have tested the speeds of Cloudflare, Quad9 and CIRA’s Canadian Shield in a previous blog post.)

Results Spreadsheet

Source Code (adapted from Lawrence Technology Services)

Changes I made:

  • Downloads the latest DShield.org Suspicious Domain List (High Sensitivity) (high sensitivity was chosen for fewer false positives) and ignores commented lines
  • Creates and writes results to an output.csv file
  • Checks each domain against Google (8.8.8.8) first and only queries the malware-blocking resolvers for domains that actually resolve (speed tweak)
  • Blanks out local IP addresses as well as block page IP addresses, so a blocked domain shows up as an empty cell
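The testing approach and the list of script changes above describe one procedure: parse the DShield list, keep only domains that resolve through an unfiltered resolver, query each blocking resolver, blank out block-page and local answers, and count what is left. The script below is an added example that models that procedure; it is not the author's script nor the Lawrence Technology Services original. Network lookups are injected as a function so the logic can be exercised offline against a constructed answer table; `dig_resolver()` shows how to plug in real lookups with the `dig` CLI (assumed to be installed). The post does not list the Canadian Shield or OpenDNS block-page addresses, so `BLOCK_PAGE_IPS` holds a documentation-range stand-in, and the sample domains and answers are constructed, not real data.

```python
"""Model of the resolver comparison procedure (added example, not the post's script)."""
import csv
import io
import ipaddress
import subprocess
from typing import Callable, Dict, List, Tuple

# Resolver addresses as given in the post.
RESOLVERS: Dict[str, str] = {
    "Google": "8.8.8.8",  # unfiltered baseline
    "Quad9": "9.9.9.9",
    "Cloudflare": "1.1.1.2",
    "Canadian Shield": "149.112.121.20",
    "OpenDNS": "208.67.222.222",
}
# Assumed stand-in (RFC 5737 documentation range): the post removes the real
# Canadian Shield / OpenDNS block-page IPs but does not list them.
BLOCK_PAGE_IPS = {"192.0.2.1"}

Resolver = Callable[[str, str], List[str]]  # (domain, resolver_ip) -> answers


def parse_dshield_list(text: str) -> List[str]:
    """Domains from a DShield-style list; '#' comments and blank lines skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        out.append(line.split()[0].lower().rstrip("."))
    return out


def classify(answer: str, block_page_ips=BLOCK_PAGE_IPS) -> str:
    """'block_page', 'local' (private/loopback/link-local/0.0.0.0), 'not_ip', or 'live'."""
    if answer in block_page_ips:
        return "block_page"
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return "not_ip"  # e.g. a CNAME target printed by dig +short
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "local"
    return "live"


def live_answers(answers: List[str], block_page_ips=BLOCK_PAGE_IPS) -> List[str]:
    """Blank out everything that is not a usable public address."""
    return [a for a in answers if classify(a, block_page_ips) == "live"]


def dig_resolver(domain: str, resolver_ip: str) -> List[str]:
    """Real lookup via `dig +short`; NXDOMAIN or timeout yields an empty list."""
    proc = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", "@" + resolver_ip, domain, "A"],
        capture_output=True, text=True,
    )
    return proc.stdout.split()


def run_comparison(domains: List[str], resolve: Resolver
                   ) -> Tuple[List[Dict[str, str]], Dict[str, float]]:
    """Keep domains live on Google, query each blocking resolver for those,
    and return (rows, percent_blocked_per_resolver)."""
    blocking = {n: ip for n, ip in RESOLVERS.items() if n != "Google"}
    rows = []
    for d in domains:
        if not live_answers(resolve(d, RESOLVERS["Google"])):
            continue  # dead or sinkholed even on Google: not counted as live
        row = {"domain": d}
        for name, ip in blocking.items():
            row[name] = ",".join(live_answers(resolve(d, ip)))  # "" means blocked
        rows.append(row)
    live = len(rows)
    pct = {n: (round(100.0 * sum(1 for r in rows if not r[n]) / live, 2) if live else 0.0)
           for n in blocking}
    return rows, pct


def rows_to_csv(rows: List[Dict[str, str]]) -> str:
    """Same shape as output.csv: domain, then one column per blocking resolver."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["domain"] + [n for n in RESOLVERS if n != "Google"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


# Constructed sample data: not real DShield entries or real resolver answers.
PUBLIC = "1.1.1.2"  # any public address works as a "really resolved" stand-in
SAMPLE_LIST = """# DShield suspicious domains (constructed sample)
bad-one.example
bad-two.example
dead.example
sinkholed.example
"""
SAMPLE_ANSWERS = {
    ("bad-one.example", "8.8.8.8"): [PUBLIC],
    ("bad-one.example", "9.9.9.9"): [],                    # NXDOMAIN-style block
    ("bad-one.example", "1.1.1.2"): ["0.0.0.0"],           # sinkhole-style block
    ("bad-one.example", "149.112.121.20"): ["192.0.2.1"],  # block page
    ("bad-one.example", "208.67.222.222"): [PUBLIC],       # not blocked
    ("bad-two.example", "8.8.8.8"): [PUBLIC],
    ("bad-two.example", "9.9.9.9"): [],
    ("bad-two.example", "1.1.1.2"): [PUBLIC],
    ("bad-two.example", "149.112.121.20"): [PUBLIC],
    ("bad-two.example", "208.67.222.222"): [PUBLIC],
    ("sinkholed.example", "8.8.8.8"): ["127.0.0.1"],       # local answer: treated as dead
}  # dead.example has no entries, so every lookup returns []


def fake_resolver(domain: str, resolver_ip: str) -> List[str]:
    return SAMPLE_ANSWERS.get((domain, resolver_ip), [])


def demo() -> Tuple[List[Dict[str, str]], Dict[str, float]]:
    return run_comparison(parse_dshield_list(SAMPLE_LIST), fake_resolver)


if __name__ == "__main__":
    rows, pct = demo()  # swap fake_resolver for dig_resolver to query for real
    print(rows_to_csv(rows))
    for name, p in sorted(pct.items(), key=lambda kv: -kv[1]):
        print(f"{name}: {p}%")
```

Two details matter for the numbers: a domain whose baseline answer is only a local or block-page address is dropped from the live set (otherwise it would be counted as "blocked" by every resolver), and `classify()` checks the block-page set before the private-range test, so the real block-page addresses, which are public, are still caught once they are filled in.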