I was reading an article from Brian Krebs about the Real Jokers Stash and the crazy stuff that goes into the darkweb / cybercrime forums that sell and buy credit cards and personal information online.

Reading through his site, I also found an interesting article about typo domains redirecting visitors to a "crap load of bad content" (if I have to say it nicely). A group of criminals registered domains from popular brands under the .cm TLD and are abusing victims that forget the "o" on .com and visit those sites under the .cm TLD. Things like remax dot cm , bmw dot cm, cox dot cm are all being abused.

That reminded me of an old test I did to see how well DNS-based security filters were, when blocking access to malicious domains. DNS is a powerful first defense against client-based attacks and I decided to re-do it and include a new batch of malicious domains and see how well they do now.

DNS Filters Compared

In this test, I will compare these 6 free and public DNS providers that are supposed to filter access to malicious domains:

Quad9 : 9.9.9.9

: 9.9.9.9 OpenDNS : 208.67.222.123 (used their free version)

: 208.67.222.123 (used their free version) CleanBrowsing : 185.228.168.9

: 185.228.168.9 Norton ConnectSafe (Malware, Phishing and Scam sites): 199.85.126.10

(Malware, Phishing and Scam sites): 199.85.126.10 Comodo Secure : 8.26.56.26

: 8.26.56.26 Yandex Safe: 77.88.8.88

For the test, I divided my list of domains into 4 categories:

10 domains from the Openphish database. Mix of old and new bad stuff.

10 domains added *today* to Phishtank. Real time bad stuff.

10 domains added within the last week to Phishtank. Old bad stuff.

10 domains from some of the latest Krebs blog posts. Bad stuff.

And I verified that the phishing page (or malware) was still live and ran the test against those 6 DNS servers. I randomly selected the domains and removed the ones were offline, suspended or had a valid content with the phishing hidden deep down on a sub directory (like sites.google.com). I did that until the 10 domains on each category looked like a valid malicious entry.

Test 1: Openphish — Mixed bad stuff

Openphish is a popular database of malicious domains, so a great place to start. From the 10 domains tested (full dump on pastebin), these are the results:

Quad9 and CleanBrowsing : 100% accuracy . They blocked all domains.

and : . They blocked all domains. Norton : 20% accuracy. Blocked 2 domains related to fake facebook logins.

: 20% accuracy. Blocked 2 domains related to fake facebook logins. OpenDNS, Comodo, Yandex: Blocked 0 domains.

First, I have to say that I am impressed with Quad9. Last time I tested them (a few months ago), they didn't do very well and someone from their team contacted me saying that they added more feeds to their databases. And now, they improved significantly.

Test 2: Phishtank — Real time bad stuff

With this test, I tried to see how quickly those providers were to update their database with new domains. The dump of the tests are on pastebin as well (yeah, I screwed up my math and tested 12 domains instead of 10). Results:

CleanBrowsing : 91% of accuracy. Only missed 1.

: 91% of accuracy. Only missed 1. Quad9 : 50% of accuracy

: 50% of accuracy OpenDNS, Yandex, Comodo, Norton: 16% of accuracy. Blocked 2 domains only.

CleanBrowsing did very well and it seems they update their blacklist pretty often. Quad9 got close in second, missing a few.

Test 3: Phishtank — Old bad stuff

In this 3rd test, I got domains that were blacklisted this month, but not today. That gives a good idea on how long they keep bad domains on their list. The results:

CleanBrowsing : 100% accuracy

: 100% accuracy OpenDNS : 60% accuracy

: 60% accuracy Norton : 30% accuracy

: 30% accuracy Quad9 : 20% accuracy

: 20% accuracy Yandex: 10%, Comodo 0%.

Again, CleanBrowsing impressed me. They blocked 100% of the domains , followed very close by OpenDNS. I was expecting OpenDNS to be close to 100% since they themselves founded Phishtank. Quad9 surprised me negatively here, so I hope they can explain why they are not blocking those old, but active phishing pages.

Test 4: Domains from Krebs blog post

This last test probably wasn't very fair, since the domains Krebs mentions on his blog post are not part of any blacklist, so none of the providers blocked them, except for CleanBrowsing. They blocked 100% of the typo squatting .cm domains, along with cardmafia and some other bad domains.

Conclusion

DNS can be an important part of your security and act as a first line of defense against phishing and other malicious activity. CleanBrowsing was the #1 provider in my tests , followed by Quad9 and OpenDNS in second (they did well in different areas). Note that I used the free version of OpenDNS and if you are an enterprise client, their Cisco Umbrella could/would probably do better. CleanBrowsing has different filters to block adult content, but I tested it with their .9 IP address that only blocks malicious domains.

On the sad side, It seems that both Comodo, Norton and Yandex are stuck in time and not updated anymore. So based on my tests, would not recommend to use them if you are looking for any type of security filtering at the DNS layer.