Which Is The Best DNS for Secure Browsing: CloudFlare, Quad9, NextDNS, and AdGuard DNS [YouTube Release]

Youtube Releases
1

Additional Resources:

ZoneFiles Site with the List

SANS Notice of Suspending Domain Feed

2020 Forum Post on DNS Filtering

Zorus Web Filtering

Quad9 Being Sued By Sony

Quad9 Interview:Proving Their Commitment to Privacy

Connecting With Us

Lawrence Systems Shirts and Swag

►👕 https://lawrence.video/swag/

AFFILIATES & REFERRAL LINKS

Amazon Affiliate Store
:shopping_cart: Lawrence Systems's Amazon Page

All Of Our Affiliates that help us out and can get you discounts!
:shopping_cart: https://www.lawrencesystems.com/partners-and-affiliates/

Gear we use on Kit
:shopping_cart: Kit

Use OfferCode LTSERVICES to get 10% off your order at
:shopping_cart: Tech Supply Direct - Refurbished Tech at Unbeatable Prices

Digital Ocean Offer Code
:shopping_cart: DigitalOcean | Cloud Hosting for Builders

HostiFi UniFi Cloud Hosting Service
:shopping_cart: HostiFi - UniFi Cloud Hosting

Protect you privacy with a VPN from Private Internet Access
:shopping_cart: Buy VPN with Credit Card or PayPal | Private Internet Access

Patreon
:moneybag: lawrencesystems | creating Tech Tutorials & Reviews | Patreon

Time Stamps
00:00 - Which DNS Service is Best for Filtering Malicious Sites
00:30 - Services Tested Quad9, Cloudflare Families, NextDNS, AdGuard DNS
01:41 - The Malicious Domains List
05:09 - The DNS Results
07:07 - A Closer Look At The Malicious Sites

1 Like
2

Here is the 2023 Bash Script:

#!/bin/bash                                                                                                                                                                                                        
# Bulk DNS Lookup                                                                                                                                                                                                  
# Generates a CSV of DNS lookups from a list of domains.    
#    
# File name/path of domain list:    
domain_list='domains.txt' # One FQDN per line in file.    
#    
# IP address of the nameserver used for lookups:    
ns1_ip='1.1.1.1' # Cloudflare    
ns2_ip='9.9.9.9' # Quad9    
ns3_ip='1.1.1.2' # Cloudflare Malware    
ns4_ip='45.90.28.131' # NextDNS Free    
ns5_ip='94.140.14.14' # Adguard Free    
#    
# Seconds to wait between lookups:    
loop_wait='1' # Is set to 1 second.    
    
echo "Domain name, $ns1_ip,$ns2_ip,$ns3_ip,$ns4_ip,$ns5_ip "; # Start CSV    
for domain in `cat $domain_list` # Start looping through domains    
do    
    ip1=`dig @$ns1_ip +short $domain |tail -n1`; # IP address lookup DNS Server1    
    ip2=`dig @$ns2_ip +short $domain |tail -n1`; # IP address lookup DNS server2    
    ip3=`dig @$ns3_ip +short $domain |tail -n1`; # IP address lookup DNS server3    
    ip4=`dig @$ns4_ip +short $domain |tail -n1`; # IP address lookup DNS server4    
    ip5=`dig @$ns5_ip +short $domain |tail -n1`; # IP address lookup DNS server5    
            echo -en "$domain,$ip1,$ip2,$ip3,$ip4,$ip5\n";    
#    sleep $loop_wait # Pause before the next lookup to avoid flooding NS    
done;
3

I’m wondering if NextDNS had actually been setup with any blocklist options? The test results suggest to me that it was running without any filtering setup, given that the number of FQDNs resolved was about the same as were resolved by the unfiltered 1.1.1.1

4

Is there any way you can give us the domains.txt file you ended up using in the test? I was replicating the test using my own NextDNS setup (I may actually go back and create a new one to test.

5

The list is being updated daily from Compromised domain lists. Malware and ransom compromised domains. and If you test with an old list the data is probably loaded in the sites and you would get different results. The best way test the same way I did is to grab the file then run this to create the filtered list:

grep -E '^[a-zA-Z0-9-]+\.(com|net)$' compromised_domains_live.txt > domains.txt

I also made a new video just to Re-Test NextDNS with an account and all the blocking / filtering features turned on.

2 Likes
6

I’ll leave this here as this video inspired me a bit.

I wanted to test against the CIRA DNS as I am canadian and also wanted to get the results more easily than parse the outputs and filter them because of the way some DNS answer the blocked queries. So I built a little tool to do so and also included support for DoH and DoT as my network or ISP kept dropping some requests when in clear text.

https://github.com/Micophi/dnscheck

As of writing I am getting similar results as Tom and found that a self-hosted Adguard with Quad9 or the CIRA as the upstream gives me the best results with ~ 0.18% of domains being resolved.

I also went and tested against a few other DNS servers just for kicks, but I am also of the opinion that a non-profit most likely won’t resell my data.

It’s a bit rough around the edges, but feel free to try it out. Here is a sample of the output:

dnscheck output
dnscheck output1280×650 25.4 KB

1 Like
7

Wow, nice work! Looks much nicer than what I put together. :slight_smile:

8

@LTS_Tom Why isn’t Zorus part of the test? are they as good as quad 9?

9

Yes, Zorus is a commercial product and there is not a DNS query way to test it as there is the others.

10

Should include Control D next time as well. It’s pretty effective.

… and one of the fastest anycast DNS resolvers out there: DNS Performance - Compare the speed and uptime of enterprise and commercial DNS services | DNSPerf