In a recent post, I tried to compare the performance of a few DNS resolvers. However, as some people pointed out, the results were not really fair. I cannot compare Google’s 8.8.8.8 against Quad9’s 9.9.9.9 or Norton ConnectSafe, as they do things very differently.

Yes, they are both DNS resolvers, but Google’s goal is to provide an unfiltered DNS. Nothing is blocked or restricted.

Quad9 and OpenDNS, on the other hand, filter out malicious content to help protect their users. Services like CleanBrowsing and Yandex also remove pornography from the DNS responses. The level of complexity increases as you try to do more.

So today, I decided to test a few of the most popular filtered DNS resolvers that restrict access to malicious content. How good are they? Do they really improve the security of someone browsing the web? Are they worth the trouble?

We will find out…

I chose these popular (and free) services that are supposed to block access to malware, phishing and bad stuff in general:

Quad9: 9.9.9.9

OpenDNS: 208.67.222.123

Norton ConnectSafe (Malware, Phishing and Scam sites): 199.85.126.10

Comodo Secure: 8.26.56.26

Yandex Safe: 77.88.8.88

I am not looking to test their performance or how fast they are. I am trying to see how well they block access to malicious domains.

TLDR

All these providers do very little to block access to malicious content. On a list of 30 random known-malicious domains, OpenDNS blocked 3 of them (10% success rate) and Comodo blocked another 4 (~10% success rate).

These domains were all blacklisted by Google Safe Browsing and some major antivirus engines, and most of them were listed on PhishTank. Still, almost none of them got blocked.

Quad9 did not block any of those malicious domains. Read more for details.

Testing

To test the usefulness of these providers, I spent a few hours trying to find malicious domains. I researched a few sites from security providers, malware lists, phishing lists and sites like that. I also went to my own email looking for malicious links.

On each one, I visited the site itself to confirm that the phishing (or malware) was still active and live. After that, I did a DNS lookup using the specific service to check if the domain was blocked or allowed. Pretty simple.

Enough introductions, let's see how it went.

Test 1: New phishing (recently added to phishtank).

*Blocked by Google SafeBrowsing as deceptive. URL: aosieuuw[.]com[/]bigmoneydoc/new/home/

Quad9: Not Blocked

OpenDNS: Not Blocked

Norton Connect Safe: Not Blocked

Comodo Secure: Not Blocked

Yandex Safe: Not Blocked

None of them blocked the domain.

Test 2: Day-old phishing (paypal fake login page).

*Blocked by Google SafeBrowsing as deceptive. URL: pkgzmt[.]com/signin/

OpenDNS: Blocked

Quad9: Not Blocked

Norton Connect Safe: Not Blocked

Comodo Secure: Not Blocked

Yandex Safe: Not Blocked

Only OpenDNS blocked the domain.

Test 3: Fake Facebook Login page

*Blocked by Google SafeBrowsing as deceptive. URL: 0-facebook[.]com[/]

Comodo Secure: Blocked

OpenDNS: Not Blocked

Norton Connect Safe: Not Blocked

Quad9: Not Blocked

Yandex Safe: Not Blocked

Only Comodo Secure blocked the domain.

Test 4: Old Phishing page (still active)

*Blocked by Google SafeBrowsing as deceptive. URL: www[.]bhargavi.org[/]mainpayuk[/]

Comodo Secure: Blocked

OpenDNS: Not Blocked

Norton Connect Safe: Not Blocked

Quad9: Not Blocked

Yandex Safe: Not Blocked

Only Comodo Secure blocked the domain.

Test 5: Malicious domain distributing malware (still active)

*Blocked by Google SafeBrowsing, SiteAdvisor and Norton SafeWeb. URL: ibtrainings[.]com

Quad9: Not Blocked

OpenDNS: Not Blocked

Norton Connect Safe: Not Blocked

Comodo Secure: Not Blocked

Yandex Safe: Not Blocked

None of them blocked the domain (surprising that Norton did not block it, as the Norton SafeWeb API flags it as malicious).

Test 6: Foreign bank phishing (still active)

*Blocked by Sophos, Kaspersky, Fortinet. URL: santandernetweb[.]com

Quad9: Not Blocked

OpenDNS: Not Blocked

Norton Connect Safe: Not Blocked

Comodo Secure: Not Blocked

Yandex Safe: Not Blocked

None of them blocked the domain.

Test 7: Phishing / fake Download domain

*Blocked by Google & ESET. URL: upgradepc[.]centraloperatingupgradesalways[.]stream

Quad9: Not Blocked

OpenDNS: Not Blocked

Norton Connect Safe: Not Blocked

Comodo Secure: Not Blocked

Yandex Safe: Not Blocked

None of them blocked the domain.

Test 8: Malware / Drive by Download domain

*Blocked by Google & ESET and Sophos. URL: adultpro[.]xyz

Quad9: Not Blocked

OpenDNS: Not Blocked

Norton Connect Safe: Not Blocked

Comodo Secure: Not Blocked

Yandex Safe: Not Blocked

None of them blocked the domain.

Summary

I was not happy with the results. The more domains I tested, the more disappointed I got with the results. I had more than 30 random malicious domains for my informal research, but only reported the first 8 above because almost all others had the same result: "not blocked".

I think the lesson here is clear: Google Safe Browsing does a lot better than almost any of the DNS-based filters, and those filters cannot be used alone for security. In fact, they seem to do very little to help block access to malicious domains.