Comparing Malware-blocking DNS Resolvers, Real World

Thursday, June 4, 2020 @ 11:37 am

As a follow-up to my first test, I’ve used a larger and more real-world blocklist to test Quad9, Canadian Shield, Cloudflare, and CleanBrowsing.

Testing Approach:

  • Important Notes:
    • The blocklist used in this test is relatively small compared to the huge blocklists these DNS services have, so please take these results with a grain of salt
    • I don’t expect any DNS service to reach a 100% block rate, because the blocklist contains a diverse mix of domains (ads, analytics/trackers, malware, ransomware, phishing, malvertising, mobile ads/tracking, fake news, the Luminati/Hola network, cryptominers, scam retailers, fake COVID-19 sites, and Windows telemetry)
    • Only free DNS services are included in this test
    • As per Cisco Umbrella’s request, I have removed them from this and future tests as: “Cisco does not claim that [OpenDNS] blocks threats but only filters content.” – shown in the benefit matrix on this page
  • The blocklist used is one of my own, which I generate nightly for my router (visit the link for a source breakdown; the list is Chibi (strict) – compressed domains. The actual blocklist used for this test is downloadable at the end of this post)
    • Compressed = “top level domain compression”, which is similar to wildcard blocking. For example, if abcd.com and subdomain.abcd.com are both in the blocklist, they are “compressed” so that only “abcd.com” remains
  • Total list of domains: 31,792
    • All domains were tested to see if they returned an IP address using Google DNS (which has no filtering)
  • Total resolved (“live”) domains: 28,259
    • These “live” domains were then tested against Quad9 (9.9.9.9), Cloudflare (1.1.1.2), Canadian Shield – Protected Layer (149.112.121.20), and CleanBrowsing (185.228.168.9)
  • Script started: 2020-06-03 @ 16:56
  • Script completed: 2020-06-03 @ 23:27
    • A simple spreadsheet formula was then used to count the number of non-empty cells and tabulate totals
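
The “compressed domains” step described above can be sketched as follows. This is an added example, not the script that generates the blocklist; the function names and the sample entries other than abcd.com and subdomain.abcd.com are assumptions made for illustration.

```python
def normalize(domain: str) -> str:
    """Lower-case and strip whitespace and any trailing root dot."""
    return domain.strip().lower().rstrip(".")


def parents(domain: str):
    """Yield each parent of a domain: a.b.abcd.com -> b.abcd.com, abcd.com, com."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


def compress(domains):
    """Drop every entry whose parent domain is also on the list."""
    unique = {normalize(d) for d in domains if normalize(d)}
    return sorted(d for d in unique if not any(p in unique for p in parents(d)))


def is_blocked(hostname, compressed):
    """Wildcard-style lookup: a host matches if it or any parent is listed."""
    host = normalize(hostname)
    listed = set(compressed)
    return host in listed or any(p in listed for p in parents(host))


# Constructed sample list: abcd.com and subdomain.abcd.com are the post's
# own example, the other entries are made up for this illustration.
SAMPLE = [
    "abcd.com",
    "subdomain.abcd.com",
    "deep.subdomain.abcd.com",
    "Tracker.Example.net.",   # duplicate of the next entry after normalizing
    "tracker.example.net",
    "notabcd.com",            # shares a string suffix, but not a parent label
]

if __name__ == "__main__":
    compressed = compress(SAMPLE)
    print(f"{len(SAMPLE)} entries -> {len(compressed)} after compression")
    for name in ("cdn.abcd.com", "example.net", "xabcd.com"):
        print(name, "blocked" if is_blocked(name, compressed) else "allowed")
```

Matching is done on whole labels, so notabcd.com is kept as its own entry and is not treated as a subdomain of abcd.com.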

Results in order from highest to lowest block %:

  1. Canadian Shield (42.94%)
  2. Quad9 (39.32%)
  3. CleanBrowsing (12.85%)
  4. Cloudflare (11.58%)

(I have previously tested the speeds of Cloudflare, Quad9 and CIRA’s Canadian Shield and also the blocking rates against DShield.org Suspicious Domain List.)

Important note: do not visit any of the domains in the spreadsheet.

Results Spreadsheet

Test Files .zip