DNS Malware Filtering Compared: Quad9 VS Cloudflare VS DNS Filter VS OpenDNS / Cisco Umbrella

Captions
Tom here from Lawrence Systems, and we're going to talk about DNS filtering. Specifically, the scope of this talk is going to be DNS filtering for malware, where we're going to compare Cloudflare, plus the Cloudflare malware blocking, Quad9, DNSFilter (which is the name of the company, just dnsfilter.com) and Cisco Umbrella. We're going to be putting them against a list of malware domains and making a determination of exactly how effective they are at specifically the task of blocking malware, phishing, or just generally bad sites. Now, a couple of things about this: I do know, and this is out of scope of this particular talk, that there are expanded features offered by both Cisco Umbrella and DNSFilter, both paid services, that offer more granular filtering in terms of being able to block sites by category etc., but like I said, we're going to keep it narrow in scope. I'm going to leave notes in a write-up over on my forums with exactly my methodologies and any of the code I used and the sources I had for all of this data, and we're going to dive into that in detail, so at the end of this you'll have that write-up and you can reproduce this yourself if you'd like to try. But first, if you'd like to learn more about me or my company, head over to lawrencesystems.com; if you'd like to hire us for a project, there's a hire us button right at the top. If you want to support this channel in other ways, there's the affiliate links down below to get your deals and discounts on products and services we talk about on this channel, including a link to our Patreon if you'd like to become a Patreon supporter. We also have a swag store where you can get shirts and other items that are for sale, and what's available and what's not changes from time to time, so go ahead and check that out frequently. And finally our forums: if you'd like to have a more in-depth discussion about this video, suggestions for new videos, or just to reach out, say hi and talk tech, our forums are a great place for that.

All right, now back to the content. DNSFilter: I signed up for a 14-day trial, and we'll get to the details of the settings on there, but that's where I signed up for them; that is a paid service. Then we have Cisco Umbrella, also a paid service; I've got a demo account on here that allows one user, essentially one site on here, so we'll get into the dashboard of that. Quad9, which is "internet security, privacy" and, a few steps in, free, so this is just putting in the 9.9.9.9; this is the Quad9 company. And this is Cloudflare. Now Cloudflare we're actually using twice: we're using Cloudflare once just to see if the sites resolve, the 1.1.1.1, and then 1.1.1.2 (it's like a tongue twister to me) is the malware-filtered one that we're going to be using for comparison. So we're going to break down the methodology and how I did that.

Now let's go over to the dashboards of each of these. DNSFilter: I created a special policy here in DNSFilter that's supposed to block botnets, crypto mining, malware, new domains (any domain less than 30 days old is blocked), phishing and deception, and proxy and translation sites. So this is the particular policy I used; I'm not using safe search, categories, or any of the other policies in here. Like I said, that's beyond the scope of this particular talk; they can apparently block humor sites, and I don't want to block humour sites, I'm specifically focusing on threats. Slide over here to the OpenDNS dashboard, blurring out my office IP, but I can assure you that's what it is, and I just chose their malware, botnet protection and phishing protection. On the side of web content filtering, like I said, I have not set up anything for web content filtering; I'm once again focusing just on the malware.

Now where do we get a list of terrible domains? We got those here; the bad domains all came from this particular site, and I chose this one because they seem reasonably up-to-date and this feed is free. A couple of side notes: I cannot show you this feed. If I were to dump it to the screen, there's a very high likelihood, as I've learned from some of my friends working in security, that YouTube will see a list of command and control servers and other nefarious domains listed on the screen and therefore will block me from having this video stay online. So I learned this from a couple of my friends, but don't worry, like I said, there will be a write-up with all of the links where you can get this same list and reproduce these same results yourself over on my forums, so I will be blurring out any time we talk about the domains.

Now back to the methodology a little bit more. Once we have that list of domains, how do you actually look them up? Well, a little bash script, really simple, that creates a CSV file. So here's the domains: Cloudflare, Quad9, Cloudflare again with the malware one, 1.1.1.2, DNSFilter, OpenDNS, Cisco Umbrella. And this little piece of code, yes, it is just commented out, which is the sleep, and the reason I did that was at first I thought I would need to have something like that in order to make sure the system wouldn't overrun and do too many queries, but that actually didn't happen when I was doing all my testing. I did all the queries, and I would do them more than once so I could make sure you get the same results. Also, I threw in good domains just to make sure all of them always resolve the good domains, and they consistently did; all of them had like google.com, YouTube and even my own domain, never had a problem, they all would give the right result for that, so we had to do a little bit of filtering on that.

Back to the list over here. Now once we created this all as a CSV file, we moved it over here into LibreOffice. Now as I said, I have to blur the domain names on the site here for YouTube reasons, but the way these results are tallied: first, the main file was downloaded, and there was just under 2,400 domains in that download link. Then you use that tool, and I look for what the results of the resolvers were. Only a hundred and forty-one of those domains out of the 2,300 were resolved by 1.1.1.1. There was never any circumstance out of those other ones, basically the way over two thousand domains we threw out, where they were not resolved by any of the other ones but resolved by Cloudflare, because this is supposed to be their unfiltered service. But maybe those domains that are in that list, Cloudflare themselves, even though they have a specific one for malware filtering, some of those domains may have expired; they may have been temporary ones that may have been taken down and fallen out of the DNS servers. That does happen. So the list that I pulled from, well, sometimes those domains just get removed, so even though they're in there they may not have been alive for a while, so their DNS records have expired. So I wanted to narrow it down to live DNS records, and I bring it up because it's important, because it would be untruthful to say that all those domains got resolved by these other ones over here, but we'll get into that in a second.

So here's that list of domains. Now if you noticed, I had, and I can't show it again, but I can at least show that yes, I have all these VirusTotal results over here. One of the things I wanted to make sure of is we weren't seeing a bunch of false positives, so I grabbed quite a few domains (it turns out VirusTotal rate limits you if you grab too many of them) and queried these domains against VirusTotal's domain list to make sure that yes, they were shown as having malware. So you will be able to do that because of the links I leave on my forum, where you can go and actually see the domains. But with that being said, now that we understand the methodology, this is a count right here for the totals; this is a count of the number of domains resolved, so this is just a full list of them here, there's 141. So what does this mean? Only 4 out of the 141 that were resolved by 1.1.1.1 were also resolved by that; that means 97% of these bad sites were blocked by Quad9, which is great.

Then we move over to Cloudflare 1.1.1.2 and we find that 56% of the sites were blocked. Now this is where things go downhill very quickly: DNSFilter and their AI-enabled system only blocked 15% of the sites that Cloudflare did, and these domains and even some of these IP addresses are on bad reputation lists. So I suppose spot checking around here and looking, they're bad reputation, definitely bad domains. Sometimes you can get good reputation IPs because of the way multi-hosting works, where there's a malware domain hosted on an IP but then there's other good sites hosted on there, so it's not necessarily something you always find the answer to by looking up the IP. Also, sometimes malware domains will move amongst different IP addresses, you know, as they get discovered and maybe someone blocks that IP address, so it is best to do this by domain name, because frequently that's what malware will reach out to, and phishing sites usually have a link to a proper URL to many of these different sites that are in here. And then we get over to Cisco Umbrella, which only blocked nine percent. So Quad9 by a long shot is really ahead of the pack here, followed by the malware filtering that Cloudflare offers with their 1.1.1.2. I'm just really disappointed that only 15 percent of the sites got blocked with DNSFilter and Cisco Umbrella, because if you're thinking about things from a security standpoint, it only takes one site to get through. Great, if you were trying to do this as a marketing spin, let's say, a marketing spin, how would they do it? Well, we downloaded those 2,300 sites and we only found 119 of 2,300 sites; that's a really small number. I'm not a marketing person here; I'm telling you that out of the hundred and forty-one resolved on Cloudflare, 119 of those resolved. Now Cloudflare does not consider 1.1.1.1 a filtered site, but they do consider their 1.1.1.2, so I think Cloudflare could probably also use some improvements on here and at least do some comparisons to that free publicly available feed that was downloaded from that site, as mentioned before.

So if they would have done it... my guess would be that Quad9 does do that type of filtering, because the sites in here were only marked as suspicious, so all four sites that Quad9 still did resolve were suspicious but not necessarily flagged as malware. So I was actually really impressed overall with Quad9. So go back over here though, and these two numbers right here just shocked me, the fact that this much got through with Cisco Umbrella and DNSFilter. So my overall disappointment with them is, for being a paid service, you're mentally, I would say, thinking you're going to get something above and beyond and better than what some free service could provide, but that simply didn't hold up in this particular test. But as I said, I'll be leaving links to all this in my forum so you can do the results yourself. I want to make sure that if I'm doing something wrong, someone can go through this and reproduce it, because, well, that's called peer review in the world of science, and this is essentially a science; we're doing some testing and investigation, and all this is relatively easy to use. It's a simple bash script and just a simple link to a download of bad malware sites from that particular site, and then just some DNS resolving going on. Really, anyone with an email address, if you don't mind being hounded by some salespeople potentially and getting some emails, can sign up for those free services and also reproduce those tests; they both offer free trials of their service. So a few different things to think about there if you'd like to reproduce this, and if I'm wrong, I would like to have a discussion. I mean, so far I don't really find anything wrong with my methodology; I also double-checked my work quite a bit. That doesn't mean I'm saying there's not some flaw, but the numbers are staggering. How does Quad9 do such a good job of doing this and the other companies don't? So that's a little bit surprising to me, um, but maybe there's some other sites in another list that you may find is even more effective than this, but that's why I'm putting all this code out there for you to try. I'd like to know your thoughts on this; leave your comments below or head over to the forums and let's have a more in-depth discussion.

Thanks, and thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com where we can carry on the discussion about this video, other videos or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching and see you next time.
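The lookup-and-tally workflow the captions describe (a script that queries every resolver and writes a CSV, then keeps only the domains unfiltered 1.1.1.1 still resolves before working out each filter's block percentage), as an added Python example that is not the speaker's own bash script. It assumes `dig` is installed, uses labelled placeholders for the DNSFilter and Umbrella resolver addresses (take them from your own dashboard), and assumes the sinkhole-address set in `SINKHOLES`.

```python
import csv
import subprocess
import sys

# Resolvers as named in the captions. The DNSFilter and Umbrella/OpenDNS
# addresses are placeholders (assumption): copy them from your own dashboard.
RESOLVERS = {
    "cloudflare": "1.1.1.1",  # unfiltered; used as the "is it still alive" baseline
    "quad9": "9.9.9.9",
    "cloudflare_malware": "1.1.1.2",
    "dnsfilter": "DNSFILTER_IP_FROM_DASHBOARD",
    "opendns_umbrella": "UMBRELLA_IP_FROM_DASHBOARD",
}
BASELINE = "cloudflare"
# Assumption: some filters answer with a sinkhole address instead of NXDOMAIN;
# add whatever you see when you query a name the service is known to block.
SINKHOLES = {"0.0.0.0", "::"}

def dig_lookup(domain, server):
    """A records `dig +short` gets from `server`; [] on NXDOMAIN or timeout."""
    cmd = ["dig", "+short", "+time=3", "+tries=1", f"@{server}", domain, "A"]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return [a for a in out.split() if a[0].isdigit()]  # drop CNAME lines

def resolved(answers):
    """A name counts as resolved only if it got a non-sinkhole address."""
    return any(a not in SINKHOLES for a in answers)

def query_all(domains, resolvers=RESOLVERS, lookup=dig_lookup):
    """One row per domain, one 0/1 column per resolver (the bash script's CSV)."""
    return [{"domain": d, **{n: int(resolved(lookup(d, ip)))
                             for n, ip in resolvers.items()}} for d in domains]

def tally(rows, baseline=BASELINE):
    """Keep only domains the baseline resolves (the "live" set), then return
    {resolver: (blocked, live_count, percent_blocked)} for each filtered one."""
    live = [r for r in rows if r[baseline]]
    report = {}
    names = [n for n in (rows[0] if rows else {}) if n not in ("domain", baseline)]
    for name in names:
        blocked = sum(1 for r in live if not r[name])
        report[name] = (blocked, len(live), round(100 * blocked / len(live)) if live else 0)
    return report

if __name__ == "__main__":  # usage: python dnscompare.py domains.txt > results.csv
    rows = query_all([l.strip() for l in open(sys.argv[1]) if l.strip()])
    w = csv.DictWriter(sys.stdout, fieldnames=list(rows[0]))
    w.writeheader(); w.writerows(rows)
    for name, (b, n, pct) in tally(rows).items():
        print(f"{name}: blocked {b}/{n} live domains ({pct}%)", file=sys.stderr)
```

Pass a known-good name such as google.com alongside the feed, as the speaker did, to confirm every resolver still answers it before trusting the percentages.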
Info
Channel: Lawrence Systems
Views: 51,728
Keywords: lawrencesystems, DNS FILTERING COMPARED, dns, dns filtering, dns filter, firewall, content filter, web filtering, quad9 vs cloudflare, dns quad9 vs cloudflare, cisco umbrella vs dnsfilter, opendns vs dnsfilter, opendns vs dns filter, internet filter
Id: imlFubYv8YY
Length: 12min 26sec (746 seconds)
Published: Fri May 29 2020