Time Stamps
00:00 - Which DNS Service is Best for Filtering Malicious Sites
00:30 - Services Tested Quad9, Cloudflare Families, NextDNS, AdGuard DNS
01:41 - The Malicious Domains List
05:09 - The DNS Results
07:07 - A Closer Look At The Malicious Sites
#!/bin/bash
# Bulk DNS Lookup
# Generates a CSV of DNS lookups from a list of domains.
#
# File name/path of domain list:
domain_list='domains.txt' # One FQDN per line in file.
#
# IP addresses of the nameservers used for lookups:
ns1_ip='1.1.1.1' # Cloudflare
ns2_ip='9.9.9.9' # Quad9
ns3_ip='1.1.1.2' # Cloudflare Malware
ns4_ip='45.90.28.131' # NextDNS Free
ns5_ip='94.140.14.14' # Adguard Free
#
# Seconds to wait between lookups:
loop_wait='1' # Is set to 1 second.
echo "Domain name,$ns1_ip,$ns2_ip,$ns3_ip,$ns4_ip,$ns5_ip" # Start CSV (header row)
while IFS= read -r domain || [ -n "$domain" ] # Loop through domains, one per line
do
    [ -z "$domain" ] && continue # Skip blank lines
    # tail -n1 keeps the last line of the answer: the A record when dig prints a CNAME chain first.
    ip1=$(dig @"$ns1_ip" +short "$domain" | tail -n1) # IP address lookup DNS server1
    ip2=$(dig @"$ns2_ip" +short "$domain" | tail -n1) # IP address lookup DNS server2
    ip3=$(dig @"$ns3_ip" +short "$domain" | tail -n1) # IP address lookup DNS server3
    ip4=$(dig @"$ns4_ip" +short "$domain" | tail -n1) # IP address lookup DNS server4
    ip5=$(dig @"$ns5_ip" +short "$domain" | tail -n1) # IP address lookup DNS server5
    echo "$domain,$ip1,$ip2,$ip3,$ip4,$ip5" # One CSV row per domain (empty field = no answer)
    # sleep "$loop_wait" # Pause before the next lookup to avoid flooding NS
done < "$domain_list"
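The script above records whatever address each resolver returned, which leaves the reader to decide what counts as "blocked". Filtering resolvers do not all signal a block the same way: some answer NXDOMAIN or REFUSED, some return NOERROR with an empty answer, and some return a sinkhole address such as 0.0.0.0. The following is an added example (not Tom's script or any of the tested services' code) that classifies a resolver's reply under those conventions and separates a dropped query from a real block; the function names classify_answer, lookup and bulk_check are my own.

```bash
#!/bin/bash
# Added example, not Tom's script: classify each resolver's reply, because
# filtering resolvers signal a block differently (NXDOMAIN, REFUSED, an empty
# NOERROR answer, or a sinkhole address such as 0.0.0.0 / 127.0.0.1 / ::).

# classify_answer REPLY
#   REPLY is the text of `dig +noall +comments +answer @NS DOMAIN`.
#   Prints "resolved", "blocked", or "noreply" (timed out or dropped query).
classify_answer() {
    reply="$1"
    # RCODE from the ";; ->>HEADER<<-" line; empty when no reply arrived.
    status=$(printf '%s\n' "$reply" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    case "$status" in
        '')      echo noreply; return 0 ;;  # dropped or timed out, not a verdict
        NOERROR) ;;                         # inspect the answer section below
        *)       echo blocked; return 0 ;;  # NXDOMAIN, REFUSED, SERVFAIL
    esac
    # A/AAAA targets from the answer section (the last hop of a CNAME chain).
    addrs=$(printf '%s\n' "$reply" | awk '$1 !~ /^;/ && ($4 == "A" || $4 == "AAAA") { print $5 }')
    [ -z "$addrs" ] && { echo blocked; return 0; }   # NOERROR but no address
    for a in $addrs; do
        case "$a" in
            0.0.0.0|127.0.0.1|::|::1) echo blocked; return 0 ;;  # sinkholed
        esac
    done
    echo resolved
}

# lookup NS DOMAIN -- query one resolver and classify (needs network access).
lookup() {
    classify_answer "$(dig "@$1" +noall +comments +answer +time=3 +tries=1 "$2")"
}

# bulk_check "NS1 NS2 ..." DOMAIN_FILE
#   CSV with one row per domain and one verdict column per resolver, so the
#   count of "resolved" in each column shows how much that resolver filters.
bulk_check() {
    printf 'domain'; for ns in $1; do printf ',%s' "$ns"; done; printf '\n'
    while IFS= read -r domain || [ -n "$domain" ]; do
        [ -z "$domain" ] && continue
        printf '%s' "$domain"
        for ns in $1; do printf ',%s' "$(lookup "$ns" "$domain")"; done
        printf '\n'
    done < "$2"
}
```

Run it as `bulk_check "1.1.1.1 9.9.9.9 1.1.1.2" domains.txt`; a "noreply" verdict means the query never got an answer and should be retried rather than counted as a block.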
I’m wondering if NextDNS had actually been set up with any blocklist options? The test results suggest to me that it was running without any filtering set up, given that the number of FQDNs resolved was about the same as were resolved by the unfiltered 1.1.1.1.
Is there any way you can give us the domains.txt file you ended up using in the test? I was replicating the test using my own NextDNS setup (I may actually go back and create a new one to test).
The list is being updated daily from compromised domain lists (malware and ransom compromised domains), and if you test with an old list the data is probably loaded in the sites and you would get different results. The best way to test the same way I did is to grab the file, then run this to create the filtered list:
I’ll leave this here as this video inspired me a bit.
I wanted to test against the CIRA DNS as I am Canadian, and also wanted to get the results more easily than parsing the outputs and filtering them, because of the way some DNS servers answer the blocked queries. So I built a little tool to do so and also included support for DoH and DoT, as my network or ISP kept dropping some requests when in clear text.
As of writing I am getting similar results as Tom, and found that a self-hosted Adguard with Quad9 or the CIRA as the upstream gives me the best results, with ~0.18% of domains being resolved.
I also went and tested against a few other DNS servers just for kicks, but I am also of the opinion that a non-profit most likely won’t resell my data.
It’s a bit rough around the edges, but feel free to try it out. Here is a sample of the output: