I'm here from our systems and in 2020, I did some testing to figure out the best DNS service for filtering out malicious sites. Many of you requested an updated version of this video. So here in 2023, I grabbed an updated list of malicious sites and tested over 8,000 malicious domains against Cloudflare, Quad9, NextDNS and AdGuard DNS. I'm going to go over the method I used, how you can do it too, and of course the results. Let's dive into it.
Now, in my last video, I was testing DNSFilter and Cisco Umbrella, but I'm not testing those now because they're not solutions that we use for our clients. If you're interested in what we're using for our clients, it's a tool called Zeros. You'll find a video link down below if you want to learn more about Zeros for web filtering. It is a commercial product designed for businesses, not for essentially any home users. I figured this has more of a target towards people who set this up in their home lab or are looking for a free DNS service. So I focused on these ones. NextDNS hands down was one of the most popular requested ones when I did my first video. AdGuard DNS I chose because it's also one that a lot of people have messaged me and requested. Cloudflare is the basis for just filtering versus non-filtering. Cloudflare doesn't do any filtering at their 1.1.1.1. They do offer their family filtering at 1.1.1.2. So I tested both of those. So it's not just Cloudflare, but also what they refer to as Cloudflare for Families.
The too-long-didn't-watch of this video is I still prefer Quad9. I've got some videos you can find on Quad9. They are a nonprofit organization dedicated to your privacy and providing DNS. I think they're awesome. But I wanted to take a look at these other ones because many people requested it. And why not take 8,000 domains and see how they resolve. Now in my 2020 video, I was pulling from the SANS Internet Storm Center list.
This seems like a pretty relevant list, but I also did a follow-up video talking about, well, that this list wasn't that great. Matter of fact, right after I did the video in May, in June, DNSFilter actually reached out to SANS. This is actually still a challenge today in 2023. There's not some incredible awesome feeds list that I'm aware of that I would say is the definitive list of this is all the bad sites. Because this is constantly a cat and mouse game and quite challenging for what's a bad site and when should a site be removed. And we'll get to some of the results because there's some nuance in that. It's really kind of challenging of what a site is still on the list, but maybe shouldn't be. We'll cover that momentarily.
But since the SANS list is gone, I did get the list from zone files. They have a pretty extensive compromised domain list and 17,969 is on there now. But also I needed to clean this up a little bit and let me explain why. Now, first I downloaded this list, but then I said, well, let's just throw out all the .ru domains and .top domains for reasons. Probably just because that's what spammers like to use or whatever these malicious sites were used for. Lots of .top domains were here. So just by removing these and then removing a bunch of repetitive subdomains. That way, if a domain was blocked, all the subdomains are probably blocked, but they're all just incremental. And it just made a lot of extra noise and would have made the test take a lot longer. And also these were also sometimes domains that ended in .top and not usually the .com. Matter of fact, I focused the list on ending in .com because those are the most common ones. And many of those are typosquatting ones. The list to be a little bit more serious versus yeah, great, you blanketed out this extra 8000 that pretty much were garbage looking domains.
Many of the domains that did make it in once I filtered for .com were a whole lot of typosquatting domains in that list. So you can download that list, but I can't show you the list as a creator on YouTube. I have learned if I were to show you the list for educational purposes, there's a strong chance YouTube would say, hey, look at that person showing typosquatter domains and stop me from showing it or stop this video from being seen. This is an issue of takedown. This has happened to several milder tech friends, just sometimes covering cybersecurity. But you can download the list yourself and look through the domain yourself with this methodology.
I ran the same Bash script as before. I'll have a link down below to that. We'll talk about the script in a moment. I use a spreadsheet to audit and clean the data. These are the result files, essentially. AdGuard always returns a block page or result. That's an important thing to realize because I'm just using the "is it blank" when I dump this onto a spreadsheet. Some have a 0.0.0.0 response and others have blank. So I made sure also if there was a zero, I changed them all to blank in the same way I changed the block page result to blank. Because what I'm doing in a spreadsheet is really easy to say if these are blank to come up with the statistics and numbers out of the 8000 sites that were tested. Using the count blank option in the spreadsheet, easy enough to do, and remove domains that had errors. Some errors were kind of weird. It just wouldn't resolve and not always consistent between any one of them. So if any one of these didn't resolve the domains, there weren't very many, maybe just a hundred of these out of the 8000. I would say I'm just going to throw out the whole result because for some reason one of the DNSes I tested just chose not to resolve it. I figured I didn't want to skew the stats that way in any way and it's such a small number, not a big anomaly.
But I always want to make sure my data methodology is here. This is the script. Don't bother to screenshot it. It's way easier to go click the forum post link and you can just copy and paste this and run this yourself. But you'll see how I put it in there.
Now let's talk about the results because this is where things get interesting. Domains resolved out of the 8333. Cloudflare resolved 2,750 of them. So 33% of them. Now these are all supposed to be malicious domains. Cloudflare, the 1.1.1.2, which is the Cloudflare for Families, does 25% of the domains. So 2105. And I thought this was interesting. So I started looking at which ones one would do and not the other. It seemed like some of them were gambling sites and occasionally adult sites. So things that may be filtered out and I don't know exactly what would make these sites malicious other than well, they're a million pop-ups and we'll get to that. I did spot check a lot of these and they're pretty much universally listed in things like VirusTotal for bad URLs.
NextDNS actually resolved a little bit more than Cloudflare. Nine more domains. So NextDNS, the free version. I didn't have to sign up because I didn't exceed their limits for how many queries I can do from one IP. That was just resolving that most of these sites resolved. So I thought that was strange. It didn't really filter them out.
Back over to Quad9: 0.79%. So only 66 sites out of 8333 resolved and AdGuard to say it only resolved 41. Now I was thinking what's the 25 domain difference and maybe there's just 25 more domains that Quad9. That's not exactly what happened. It's not that they resolved exactly 25 more domains and they were all the same except for these extra 25. They're different. The 41 and 66 resolved actually don't match between AdGuard and Quad9.
So they started going through the sites that they did resolve and it's a little strange, but I think this is just the way that these work and when they loaded the filter up with this list of domains or whatever, wherever they're getting their list. I don't know that they pull this list from zone files. I have no idea. But wherever they're getting their threat intelligence list, they probably match pretty close except for these small discrepancies.
But that comes down to things like this, some of the domains that did resolve from Quad9 of that 66 from Cloudflare and the 41 from AdGuard. Sometimes they were like "this domain has been suspended". So they're actually redirected somewhere else. That's not malicious anymore. Now some of these were basic WordPress installs. I think they got flagged not because the WordPress install that I could see was infected, but probably when they set it up, they did something really basic. And then someone loaded some landing page deeper in there. I, it only gives you the DNS. I don't know exactly the full URL. So it doesn't mean there's not something embedded in this hello world website I came across, but there could be.
Temporarily down for maintenance. I think these were and this is a common one. There were a lot of down for maintenance that are usually artist sites. And I say artists like travel bloggers and people who have a lot of graphics intensive things, which are probably a lot of WordPress plugins on their site. And probably not maintained. So a lot of these were sites like that. And some were just down for maintenance. Some were not down for maintenance. And maybe had been cleaned and maybe got after they cleaned it requested that they get delisted. And that could be why they were listed that nothing stood out as malicious on those particular sites.
And a whole lot of them that were the extras that resolved by Quad9 were this hosting or seems to be one of the more popular ones, but they're basically parked domains. And they looked malicious because some of these were definitely similar typosquatting, had the word PayPal in it, had the word Microsoft in it. One of them was actually for LibreOffice updates, something along those lines. So lots of typosquatting, but they landed on pages like this. So the site has been taken down. They're just back to a default domain page. Same with a lot of them are for sale from GoDaddy. This was "parked courtesy of GoDaddy, buy this domain".
But all the ones that were listed at least at some point in time, like this one was last analysis a month ago, they were just showing things like, hey, 29 days ago, this was analyzed and it's malicious. So all the different sites that were missed, if you will, by AdGuard and Quad9 were on the list at least for going to VirusTotal. But it didn't necessarily tell me exactly what's wrong with the site and it could have been fixed. I mean, I've had to work with clients who've been on malicious sites. And then you have to go and try to get yourself unmarked as malicious. That was definitely a challenge sometimes because you got to figure out where to, you know, unmark it depending on where and who is flagging you.
Now, the big challenge from this test is the validity of that source file. This is a challenge I had before with the SANS when I used in 2020, which was completely pointed out to me from the people at DNSFilter, had a conversation with them just about how kind of wrong it is. And if this filtering never gets updated because of a site being temporarily marked malicious, should it still be on the list? How long should it be?
If someone ends up with a malicious break in their site because someone took it over, and then they pay someone to clean it all up and get it fixed, how long should they still remain on there? Especially a lot of these travel bloggers and things like that. They're just kind of personal sites that, you know, they're not really doing typosquatting. They didn't have malicious intent. They accidentally became malicious, but then get fixed. And because a lot of them were on that list for resolved by AdGuard and Quad9, and they seem to be fine when I looked at them, nothing popped up, nothing stood out for me. Are those really invalid? And is that list the problem, not the AdGuard site or the Quad9 site?
Either way, Quad9 is still my go-to over the other ones because of them being a nonprofit, because I've had good engagement interaction and understanding of what they do, that they don't have any methodology for collecting other data on you. They don't have any service to sell you or anything like that. I've got some videos where I dove deep with them. They also got sued by Sony, which is a crazy story in itself because why would Sony care about DNS? Well, that video is linked down below if you want to find out. Check it out. It's definitely a wild ride of Sony trying to circumvent copyright by going after DNS. Kind of blew my mind. What it makes you realize is how awful of a company Sony is, by the way.
Let me know in the comments down below which DNS is the one you like, what other things I could do to the test. And if you find my test flawed, please, there's a reason I left all the data for how I did this out there. I want, one, you to be able to do this. If you would like to test some other DNS service that I didn't, well, there's the Bash script. You can run this yourself. You can see the rate limiting in the Bash script, which is why I want to reduce things, because if you flood the DNS, they will start to stop responding at you. So there is a one-second pause.
So even 8,000 domains takes quite a bit of time to go through. If you want to increase that list and add those .ru ones back in, yeah, knock yourself out. There's a reason, as I said, I try to focus on just the .com ones for things I think more likely people would click on. Either way, like and subscribe if you want to see more content from here. Leave your thoughts and comments down below, and I'll see you over in the forums. Thanks.
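
The audit step described in the video (treat blank, 0.0.0.0 and block-page answers alike, throw out any domain where one resolver errored, then count), as an added Python example that is not the video's Bash script or spreadsheet. The CSV layout, the `ERROR` marker, the 192.0.2.1 block-page address and every sample row are constructed assumptions; it goes one step beyond the count-blank tally by also reporting blocks among domains the unfiltered baseline still resolves, and which domains one filter resolved that another did not.

```python
import csv
import io

# Constructed sample, not data from the video: one row per domain, one column
# per resolver, holding the first answer a lookup script recorded.
# 192.0.2.1 is a placeholder for a resolver's block-page address (assumption).
SAMPLE_CSV = """domain,cloudflare,cloudflare_family,quad9,adguard
typo-brand-login.example,203.0.113.10,203.0.113.10,,203.0.113.10
fake-update.example,203.0.113.20,0.0.0.0,,192.0.2.1
parked-shop.example,203.0.113.30,203.0.113.30,203.0.113.30,192.0.2.1
travel-blog.example,203.0.113.40,0.0.0.0,203.0.113.40,203.0.113.40
flaky-host.example,203.0.113.50,ERROR,,192.0.2.1
dead-domain.example,,,,192.0.2.1
"""
BLOCKED = {"", "0.0.0.0", "192.0.2.1"}  # blank, null route, block page
ERROR = "ERROR"  # hypothetical marker for a lookup that failed outright

def load_rows(text):
    """Parse the sheet and drop every domain where any resolver errored."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if ERROR not in r.values()]

def is_resolved(answer):
    return answer.strip() not in BLOCKED

def summarize(rows, baseline="cloudflare"):
    """Per resolver: resolved count, percent, and blocks among baseline-live domains."""
    if not rows:
        return {}
    # A blank from the unfiltered baseline means the domain is dead, not blocked.
    live = [r for r in rows if is_resolved(r[baseline])]
    report = {}
    for name in (c for c in rows[0] if c != "domain"):
        resolved = sum(is_resolved(r[name]) for r in rows)
        report[name] = {
            "resolved": resolved,
            "resolved_pct": round(100 * resolved / len(rows), 2),
            "blocked_of_live": sum(not is_resolved(r[name]) for r in live),
        }
    return report

def only_in(rows, a, b):
    """Domains that resolver `a` resolved but resolver `b` did not."""
    return {r["domain"] for r in rows if is_resolved(r[a]) and not is_resolved(r[b])}

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for name, stats in summarize(rows).items():
        print(name, stats)
    print("quad9 only:", only_in(rows, "quad9", "adguard"))
    print("adguard only:", only_in(rows, "adguard", "quad9"))
```

In the sample, `dead-domain.example` counts as unresolved for every resolver, including the unfiltered one, which is why the `blocked_of_live` column is the fairer comparison between filters.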