How do malware-blocking DNS providers compare?


@coxhaus Quad 9 doesn't seem to have as much latency as it once had when I last tried it a while back; Cloudflare is still faster, but not enough for me to notice.


You can try the combination of redirecting all DNS queries on port 53 on the firewall and additionally using pfblockerng with DNSBL & IP DoH blocklists plus the DoH/DoT block option under "DNSBL Safe Search". Then users on your network "for the most part" should be forced to go through unbound on the firewall. That's the way I do it.
If you run all those DNS servers you have listed, then it defeats using QUAD9. If you are going to use QUAD9, you need to only use QUAD9; otherwise the other DNS servers will resolve the bad names. I should say any filtering DNS is defeated if you also use a non-filtering DNS server. Focus on the DNS server you choose; don't list a lot of DNS servers like in the old days.

The caching is so much better now and longer lasting that I don't think you need all those DNS servers like in the old days.
I ran Q9 mostly for the test in the other thread per your request; that's why there were 8 in the list, including the fallback servers for Cloudflare and Q9. But yeah, I agree with you, and I'm thinking of switching to Q9 now.
I would like to block all DOH and DNS.txt.
Try what I mentioned and see how effective it is.
It has been effective for me, but the reason I said "for the most part" rather than a certainty is that I'm sure one can find ways to get around it if they want, i.e. VPN.



Do the following to redirect DNS port 53 for IPv4/v6 first; I forgot to give the instructions last time:

Then:
Use the “TheGreatWall” DoH IPv4/IPv6 Blocklists and DNSBL blocklists on pfblockerng.
I can guide you through pfblockerng on the forum private chat, but this should be good enough for a basic pfblocker setup. One thing missing in the video is a more recent feature for DNSBL: there is now a python mode, which should be enabled as it's more memory efficient and unlocks extra stuff like CNAME validation, HSTS, etc.:
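As an added illustration of the port-53 redirect plus DoH-blocklist approach described in this thread (this is not code from the post, from pfBlockerNG or from any of the listed blocklists): a small Python check run over constructed firewall flow-log lines that flags LAN clients still trying to reach external resolvers directly on port 53, or known DoH endpoints on 443, instead of going through unbound on the firewall. The log format, the resolver address 192.168.1.1 and the blocklist range are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows (one per line): <src_ip> <dst_ip> <proto> <dst_port>
SAMPLE_FLOWS = """\
192.168.1.20 192.168.1.1 udp 53
192.168.1.20 1.1.1.1 udp 53
192.168.1.21 9.9.9.9 tcp 53
192.168.1.22 192.168.1.1 udp 53
192.168.1.22 203.0.113.10 tcp 443
192.168.1.23 198.51.100.5 tcp 443
192.168.1.23 192.168.1.1 udp 53
"""

# Assumed address of the firewall's own resolver (unbound).
FIREWALL_RESOLVER = ipaddress.ip_address("192.168.1.1")

# Constructed stand-in for a DoH IP blocklist; a documentation range is
# used here instead of any real list's contents.
DOH_BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]


def parse_flows(text):
    """Parse the constructed log format into (src, dst, proto, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      proto.lower(), int(port)))
    return flows


def find_bypass(flows, resolver=FIREWALL_RESOLVER, doh_nets=DOH_BLOCKLIST):
    """Return {client_ip: set(reasons)} for clients not using the firewall resolver.

    Plain DNS to anything but the firewall shows a client that relies on the
    port-53 redirect; HTTPS to a blocklisted DoH address shows a client that
    would slip past DNSBL entirely unless the DoH IP blocklist is in place.
    """
    findings = defaultdict(set)
    for src, dst, proto, port in flows:
        if port == 53 and dst != resolver:
            findings[str(src)].add(f"plain-dns-to-{dst}")
        elif port == 443 and proto == "tcp" and any(dst in net for net in doh_nets):
            findings[str(src)].add(f"doh-to-{dst}")
    return dict(findings)
```

Pointing the same check at a real export of the firewall's redirect and block logs shows which hosts still need attention after the redirect and blocklists are applied.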
I hope it's okay to link a youtube video here: "Which Is The Best DNS for Secure Browsing: CloudFlare, Quad9, NextDNS, and AdGuard DNS". This particular one was published just a few days ago and shows similar results to those of the original post, especially regarding the significant difference between Cloudflare Security and Quad9. Results start at the 5:10 mark.

I have no previous experience with the mentioned youtube channel. I'm just linking it here as an additional data point. I hope it's helpful.

EDIT: Adding a follow-up video with revised results for NextDNS: "DNS Secure Browsing Follow Up: NextDNS Tweaked and Re-Tested".
If you use QUAD9 do not use any other DNS servers as they will defeat QUAD9. Do not add Cloudflare DNS as you will reduce your DNS to Cloudflare's level. QUAD9 will be defeated.