DNS Malware detection with Quad9 vs pfblocker lists

Hey everyone,
I'm trying to figure out if Quad9 alone is effective enough for malware blocking (home use) or whether I should use the pfBlocker blocklists that come with pfSense.

Currently, I am using pfBlockerNG on pfSense to provide stringent TLD blocks for common malware domains (such as .zip, .top). I am not using any of the DNS blocklists that come with pfBlockerNG for now, as I have Quad9 configured as my upstream forwarder on pfSense.

My question is, does it make sense to use DNS blocklists and not just rely on Quad9 (or insert your chosen upstream provider)? Reviewing Tom's DNS malware test from 2023, it showed that upstream DNS providers such as Quad9 and NextDNS do a fantastic job filtering malware sites. If so, then I shouldn't need to use any external blocklists, right? Am I looking at this correctly?


I haven’t made an evaluation of Quad 9 vs DNS blocklists provided with pfBlocker-NG, so I cannot say anything about your question per se.

However, pfBlocker-NG is also able to use IP address blocklists and geo-IP blocking. This enables you to attach any third-party feed you see fit in addition to the feeds coming with pfSense by default. Just to mention some that would be worthwhile: ELLIO CE, 3CORESEC, JamesBrine.
Also the default feeds may contain interesting blockworthy items like TOR nodes.


Why not add 9.9.9.9 as the primary DNS server on pfSense? Then you have protection from two systems.

if you want encrypted DNS and don’t use VPN:
does Q9 do DoH?

Q9 supports SSL/TLS DNS via port 853.

Enable pfSense DNS Resolver SSL/TLS forwarding and add a rule to forward all unencrypted outbound port 53 DNS queries to the local DNS Resolver, which then forwards them to Q9 via port 853. As a result, all outbound DNS queries are encrypted, which you can confirm via packet capture. Works automagically!

Enable SSL/TLS Service:
 Respond to incoming SSL/TLS queries from local clients
DNS Query Forwarding:
 Enable Forwarding Mode
 Use SSL/TLS for outgoing DNS Queries to Forwarding Servers
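The forwarding setup described in this post, written out as the underlying Unbound and pf configuration it corresponds to (an added example, not the poster's own configuration and not the files pfSense generates; interface names, the LAN subnet and the certificate paths are assumptions):

```conf
# --- Unbound (pfSense "DNS Resolver") fragment ---
# Assumed interfaces: em0 = WAN, em1 = LAN 192.168.1.1/24
server:
    interface: 127.0.0.1
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    # CA bundle used to validate the upstream's TLS certificate (path is an assumption);
    # without this, a forged 9.9.9.9 endpoint would still be accepted on port 853
    tls-cert-bundle: "/etc/ssl/cert.pem"
    # "Respond to incoming SSL/TLS queries from local clients" (DoT on the LAN side)
    interface: 192.168.1.1@853
    tls-service-key: "/etc/ssl/private/resolver.key"
    tls-service-pem: "/etc/ssl/resolver.pem"

# "Enable Forwarding Mode" + "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Quad9 DoT endpoints; the #hostname part is what Unbound checks the certificate against
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net

# --- pf fragment: catch clients that hard-code their own port-53 resolver ---
# (pfSense exposes this as a LAN NAT port forward; written here as raw pf.conf syntax)
lan_if  = "em1"
lan_net = "192.168.1.0/24"
rdr pass on $lan_if proto { tcp udp } from $lan_net to any port 53 -> 127.0.0.1 port 53

# Verification, as the post suggests, via packet capture on the WAN side (em0 assumed):
#   tcpdump -ni em0 'port 53'    -> should stay silent after the rule is in place
#   tcpdump -ni em0 'port 853'   -> only TLS sessions to 9.9.9.9 / 149.112.112.112
```

The redirect covers plain UDP/TCP 53 only; a client that already speaks DoH to some other provider bypasses it, which is the point made in the final sentence of this post.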

If you have a client/browser that uses DNS over HTTPS (DoH), then it is already encrypted and free from prying :eyes: