Tom here from Lawrence Systems, and we're going to talk about DNS filtering, and specifically the scope of this talk is going to be DNS filtering for malware. We're going to compare Cloudflare, plus the Cloudflare malware blocking, the Quad9 DNS filter, DNSFilter (the name of the company is just DNSFilter, dnsfilter.com) and Cisco Umbrella. We're going to be putting them against a list of malware domains and making a determination of exactly how effective they are at specifically the task of blocking malware, phishing or just really bad sites.

Now, a couple of things about this. I do know, and this is out of scope of this particular talk, that there are expanded features offered by both Cisco Umbrella and DNSFilter, both paid services, that offer more granular filtering in terms of being able to block sites by category, etc. But like I said, we're going to keep it narrow in scope. I'm going to leave notes in a write-up over on my forums with exactly my methodologies and any of the code I used and the sources I had for all of this data, and we're going to dive into that in detail. So at the end of this you'll have that write-up so you can reproduce this yourself if you'd like to try.

But first, if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a hire-us button right at the top. If you want to support this channel in other ways, there are affiliate links down below to get you deals and discounts on products and services we talk about on this channel, including a link to our Patreon if you'd like to become a Patreon supporter. We also have a swag store where you can get shirts and other items that are for sale, and what's available and what's not changes from time to time, so go ahead and check that out frequently. And finally, our forums: if you'd like to have a more in-depth discussion about this video, suggestions for new videos, or just to reach out, say hi and talk tech, our forums are a great place for that.
All right, now back to the content. DNSFilter: I signed up for a 14-day trial, and we'll get to the details of the settings on there, but that's where I signed up for them. That is a paid service. Then we have Cisco Umbrella, also a paid service. I've got a demo account on here that allows one user, essentially one site, so we'll get into the dashboard of that. Quad9, which is internet security and privacy in a few steps, and free: this is just putting in 9.9.9.9. This is the Quad9 company. And this is Cloudflare. Now, Cloudflare we're actually using twice. We're using Cloudflare 1.1.1.1 just to see if the sites resolve, and then 1.1.1.2, which is like a tongue twister to me, is the no-malware filtered one that we're going to be using for comparison. So we're going to break down the methodologies and how I did that.

Now let's go over to the dashboards of each of these. DNSFilter: I created a special policy here in DNSFilter. It's supposed to block botnets, crypto mining, malware, new domains (any domain less than 30 days old, you're blocked), phishing and deception, and proxy and translation sites. So this is the particular policy I used. I'm not using the safe search categories or any of the other policies in here; like I said, that's beyond the scope of this particular talk. They can apparently block humor sites, and I don't want to block humor sites. I'm specifically focusing on threats.

Slide over here to the OpenDNS dashboard. I'm blurring out my office IP, but I can assure you that's what it is, and I just chose their malware, botnet protection and phishing protection. On the side of web content filtering, there isn't anything set up for web content filtering; I'm once again focusing just on the malware. Now, where do we get a list of terrible domains?
We got those here. The bad domains all came from this particular site, and I chose this one because they seem reasonably up to date. This feed is free, and a couple of side notes: I cannot show you this feed. If I were to dump it to the screen, there's a very high likelihood, as I've learned from some of my friends working in security, that YouTube will see a list of command-and-control servers and other nefarious domains listed on the screen and therefore will block me from having this video stay online. So I've learned this from a couple of my friends. But don't worry, like I said, there will be a write-up with all of the links where you can get this same list and reproduce these same results yourself over on my forums, so I will be blurring out the domains any time we talk about them.

Now, back to the methodology a little more. Once we have that list of domains, how do you actually look them up? Well, a little bash script, really simple, that creates a CSV file. So here are the domains, Cloudflare, Quad9, Cloudflare again but the malware one (1.1.1.2), DNSFilter, and OpenDNS / Cisco Umbrella. And this little piece of code, yes, it is just commented out, which is the sleep. The reason I did that was that at first I thought I would need to have something like that in order to make sure the system wouldn't overrun and do too many queries, but that actually didn't happen. When I was doing all my testing, I did all the queries, and I would do them more than once so I can make sure I get the same results. Also, I threw in good domains just to make sure all of them always resolve the good domains, and they consistently did. All of them had Google.com, YouTube and even my own domain, and they never had a problem; they all would give the right result for that. So we had to do a little bit of filtering on that. Back to the list over here now. Once we created this all as a CSV file,
we moved it over here into LibreOffice. Now, as I said, I have to blur the domain names on the site here for YouTube reasons. But the way these results are tallied: first, the main file was downloaded, and there were just under 2,400 domains in that download link. Then you use that tool, and I look for what the results of the resolvers were. Only 141 of those domains out of the 2,300 were resolved by 1.1.1.1. There was never any circumstance out of those other ones; basically, we threw away over 2,000 domains. The ones we threw out were not resolved by any of the other ones, nor resolved by Cloudflare, because this is supposed to be their unfiltered service. But many of those domains that are in that list, Cloudflare themselves, even though they have a specific one for malware filtering, some of those domains may have expired. They may have been temporary ones that may have been taken down and fallen out of the DNS servers. That does happen. So the list that I pulled from that ISC, well, sometimes those domains just get removed, so even though they're in there, they may not have been alive for a while, so their DNS records have expired. So I wanted to narrow it down to live DNS records, and I bring it up because it's important, because it would be untruthful to say that all those domains got resolved by these other ones over here. But we'll get into that in a second.

So here's that list of domains. Now, if you noticed, I had, and I can't show it again, but I can at least show that yes, I have all these VirusTotal results over here. One of the things I wanted to make sure of is that we weren't seeing a bunch of false positives, so I grabbed quite a few domains (and it turns out VirusTotal will rate limit you if you grab too many of them) and queried these domains against VirusTotal's domain list to make sure that yes, they were shown as having malware. So you will be able to do that because of the links
I leave on my forum, where you can go and actually see the domains. But with that being said, now that we understand the methodology, this is a count right here for the totals. This is a count of the number of domains resolved, so this is just a full list of them here. There are 141. Second, what does this mean? Only four out of the 141 that were resolved by 1.1.1.1 were also resolved by Quad9. That means 97% of these bad sites were blocked by Quad9, which is great. Then we move over to Cloudflare 1.1.1.2, and we find that 56% of the sites were blocked.

Now, this is where things go downhill very quickly. DNSFilter and their AI-enabled system only blocked 15% of the sites that Cloudflare resolved, and these domains, and even some of these IP addresses, are on bad reputation lists. So I was just spot checking around here and looking at their bad reputation: definitely bad domains. Sometimes you can get good-reputation IPs because of the way multi-hosting works, where there's a malware domain hosted on an IP but then there are other good sites hosted on there, so it's not necessarily something you always find the answer to by looking up the IP. Also, sometimes malware domains will move amongst different IP addresses, you know, as they get discovered and maybe someone blocks that IP address. So it is best to do this by domain name, because frequently that's what malware will reach out to, and phishing sites usually have a link to a proper URL to many of these different sites that are in here. And then we get over to Cisco Umbrella, which only blocked 9%.

So Quad9 by a long shot is really head of the pack here, followed by the malware filtering that Cloudflare offers with their 1.1.1.2. I'm just really disappointed that only 15% of the sites were blocked with DNSFilter, and with Cisco Umbrella, because if you're thinking about things from a security standpoint, it only takes one site to get through. Great if you were trying to do this as a marketing
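The lookup loop and the tally described above, as an added example that is not the script from the video: dig each domain against every resolver, write one CSV row per domain, drop the rows the unfiltered 1.1.1.1 did not resolve, and report each filter's block rate over what is left. It assumes dig is installed, that 208.67.222.222 is the public OpenDNS/Umbrella resolver and 103.247.36.36 DNSFilter's anycast address (check your own dashboard), and that the SINKHOLES list is filled in with any block-page address a provider returns instead of NXDOMAIN.

```shell
#!/usr/bin/env bash
# Added example, not the script from the video: lookup loop, CSV writer and tally
# following the method Tom describes. Resolver addresses other than 1.1.1.1,
# 1.1.1.2 and 9.9.9.9 are assumptions; confirm them in each provider's dashboard.
set -u

RESOLVERS="cloudflare:1.1.1.1 quad9:9.9.9.9 cf_malware:1.1.1.2 dnsfilter:103.247.36.36 umbrella:208.67.222.222"
# Answers that still mean "blocked": add a provider's block-page address here
# when it returns one instead of NXDOMAIN.
SINKHOLES="0.0.0.0 127.0.0.1"

# judge <dig +short output>: prints resolved|blocked. Empty output covers NXDOMAIN,
# SERVFAIL and empty answers; CNAME lines are skipped; a sinkhole address = blocked.
judge() {
  local ip seen=0
  for ip in $1; do
    case "$ip" in *[!0-9.]*) continue ;; esac
    case " $SINKHOLES " in *" $ip "*) echo blocked; return ;; esac
    seen=1
  done
  [ "$seen" = 1 ] && echo resolved || echo blocked
}

# lookup <resolver ip> <domain>: one live A query (needs dig and network access).
lookup() {
  judge "$(dig +short +time=3 +tries=1 @"$1" "$2" A 2>/dev/null)"
}

# build_csv <file with one domain per line>: header row, then domain,<result per
# resolver>. Control domains you mix in (google.com etc.) should read resolved
# in every column; strip them before tallying.
build_csv() {
  printf 'domain'; for r in $RESOLVERS; do printf ',%s' "${r%%:*}"; done; echo
  while read -r d; do
    [ -z "$d" ] && continue
    printf '%s' "$d"; for r in $RESOLVERS; do printf ',%s' "$(lookup "${r#*:}" "$d")"; done; echo
  done < "$1"
}

# tally <csv>: keep only rows where column 2 (unfiltered Cloudflare) resolved,
# then print "<resolver> blocked/live percent" for every other column.
tally() {
  awk -F, 'NR==1{cols=NF;for(i=3;i<=cols;i++)name[i]=$i;next}
    $2=="resolved"{live++;for(i=3;i<=cols;i++)if($i=="blocked")blk[i]++}
    END{for(i=3;i<=cols;i++)printf "%s %d/%d %d%%\n",name[i],blk[i]+0,live+0,live?100*blk[i]/live:0}' "$1"
}
```

Run `build_csv domains.txt > results.csv` once per pass (repeat passes to confirm stable answers, as in the video), then `tally results.csv` gives the per-resolver block rate over the live set.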
spin, let's say a marketing spend, how would they do it? Well, we downloaded those 2,300 sites, and we only found 119 of 2,300 sites resolved; that's a really small number. I'm not a marketing person here; I'm telling you, out of the 141 resolved on Cloudflare, 119 of those resolved. Now, Cloudflare does not consider this 1.1.1.1 a filtered service, but they do consider their 1.1.1.2 one. So I think Cloudflare could also probably use some improvements on here, and at least do some comparisons to that free, publicly available feed that was downloaded, as mentioned before, from the SANS site. So if they would have done it... my guess would be that Quad9 does do that type of filtering, because the sites that are in here were only marked as suspicious. So all four sites that Quad9 still did resolve were suspicious but not necessarily flagged as malware. So I was actually really impressed overall with Quad9. So go back over here, though, and these two numbers right here just shocked me, the fact that this much got through with Cisco Umbrella and DNSFilter. So my overall disappointment with them is that, for being a paid service,
mentally, I would say, you're thinking you're going to get something above and beyond and better than what some free service could provide. But that simply didn't hold up to this particular test. But as I said, I'll be leaving links to all this in my forums so you can do the results yourself. I want to make sure that if I'm doing something wrong, someone can go through this and reproduce it, because, well, that's called peer review in the world of science, and this is essentially a science: we're doing some testing and investigation. And all of this is relatively easy to use. It's a simple bash script and just a simple link to a download of bad malware sites from that particular site, and then just some DNS resolving going on. And really, anyone with an email address, if you don't mind being hounded by some salespeople potentially and getting some emails, can sign up for those free services and also reproduce those tests; they both offer free trials of their service. So a few different things to think about there if you'd like to reproduce this, and if I'm wrong, I would like to have a discussion. I mean, so far I don't really find anything wrong with my methodology.
I've also double-checked my work quite a bit. That doesn't mean I'm saying there's not some flaw, but the numbers are staggering. How does Quad9 do such a good job of doing this and the other companies don't? So the results are a little bit surprising to me, but maybe there are some other sites and another list that you may find is even more effective than this. But that's why I'm putting all this code out there for you to try. I'd like to know your thoughts on this; leave your comments below or head over to the forums and let's have a more in-depth discussion. Thanks.

And thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general, even suggestions for new videos; they're accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.