Tom here from Lawrence Systems, and we're going to do a follow-up video here on the DNS filtering. I just wanted to make sure that I cover a few details that were asked in that previous video, including things I got wrong, which I did get a couple things wrong, specifically related to Cisco and OpenDNS. Second, I wanted to cover just some of my overall thoughts on a follow-up and some of the discussion that came from that whole deep dive, or, I don't know how deep of a dive it was, depending on your opinion, but me testing all the efficacy of these DNS filtering systems, and have a few more thoughts on there and keep the discussion going, of course.
But first, if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a short project, there's a Hire Us button right at the top. If you want to support this channel in other ways, there's affiliate links down below to get you deals and discounts on products and services we talk about on this channel, including a link to our Patreon if you'd like to become a Patreon supporter. We also have a swag store where you can get shirts and other items that are for sale, and that changes from time to time, what's available and what's not, so go ahead and check that out frequently. And finally, our forums: if you'd like to have a more in-depth discussion about this video, suggestions for new videos, or just reach out, say hi and talk tech, our forums are a great place for that.
All right, now back to the content: what I got wrong. This was just an oversight on my part and me not taking the time I should have taken to dive deeper into this. This is a Cisco MSP console for Cisco Umbrella. What I showed was OpenDNS. Now, it turns out I was unable to sign up for an account because I had an OpenDNS account; it kept bringing me back to there, and Cisco, because I was an OpenDNS user long before Cisco had purchased them, Cisco reached out, had a phone call, great conversation, and they got me set up here on the proper dashboard. So I went ahead and ran the test again against the Cisco system here, and very similarly, they have a dashboard much like the folks at DNSFilter did, and we checked the malware box, newly seen domains, etc., just like we see here. Then we go over here to networks, and I set up specifically on my forums. No, that's not my IP address. That is the same IP address you've seen in the previous one. Thank you to all of you that messaged me and were looking out for me, but that's not my office IP. I should say it is an IP address, and I use my forum server because it's just a little bash script, so I SSH into a forum server. I registered the forum server with the Cisco system here, and here are the results for that. So we go over here, and once again, for the same reasons as before, I have all the domain names obscured so YouTube doesn't flag me, and we have Cisco Umbrella scoring 59 percent versus 9 percent on OpenDNS. Now, I also threw NextDNS in there, and I got a million messages; everyone wants me to test their favorite DNS provider.
I just don't have, I mean, I don't have unlimited time, but I've offered all the code up so you can test your DNS provider against this list. But we're going to get to the validity of that list. So there is definitely a difference, and it was my mistake that I did not truly use Cisco Umbrella; I was using OpenDNS. I did verify from people that I talked to at Cisco that yes, there is a difference in the way the feeds are for OpenDNS versus Cisco Umbrella, which is interesting because you use the same IP address. It's not that I even changed what IP address they use, you just change, and it's also why I chose a different IP address rather than the office IP I chose before. I set it to the forum IP address and ran it from there. I didn't want any mistakes to be made, or to just end up with the same results because of anything in their system that would have pulled that old address.
Now, next thing we can talk about: my forum post. I was really happy that this forum post, you know, got a lot of attention, and I like it because one of the things I had said at the end of the other video is this is kind of something I wanted to push through some scientific type of review. I wanted other people to kind of vet what I did, look at my methodology and improve upon it. Security is a team sport and we should all be team players in this, provided you're on the side of defense. Now, there may be other people watching this, so I can't say all of you are team players in security; there may be some other person that's unhappy with the fact that more people are teaming up for security. But it's kind of my opinion that we're all in this together. And I was so happy to see not just responses from, you know, people in my forums, but from literally Quad9; I believe we have two different people who signed up here from DNSFilter, and just a lot of great discussion on this, and that's something that made me really happy, seeing this. So Quad9, also by the way a great service, in terms of, they went all the way into talking about a lot of
details. And we have Peter here; he's from DNSFilter. So this is an overall wonderful response, and this has been just, I really couldn't be happier with all the response and things like that. It shows a commitment from those companies, that they care about their product, that they want people to use it, want people to have a good experience, and of course they care a lot about the security of it.
Now, valid points, and really, I don't know how else to say this other than they're right in some ways: that list of domains I have, yeah, some of them, most, are old, and it's hard finding good lists of malware domains. It is literally the job of these security researchers to constantly be looking for the needles in a haystack. They run extensive amounts of testing. They don't want false positives because, well, no one wants angry customers calling them and saying, "Well, I can't get to the website and I can't get my job done. What do I pay you for?" There's enough end-user support from an IT management standpoint that we don't need to create more by blocking something valid. So they really try to keep the false positives down. On the other side, they are also constantly looking for and trying to find out whenever there's some new ransomware, malware, whatever that thing is that's going to be out there, whatever that latest threat is and the angle that someone has on ways of extorting a business out of money via some type of malware. Are they using some type of easy-to-find command and control server? Are they embedding it in something else, etc.? So there's a real challenge in finding these, and still, one thing I was hoping for but that didn't come from any of this was someone posting, "Hey, Tom. Here's a better feed."
That was actually a little bit in the back of my head, hoping to find something better than that, but it didn't happen. So I do see their point that some of these I had to remove for false positives, versus Quad9 not having a business use case, just being, as they said up there, a complete non-profit organization that also has no logging information, that just wants to sinkhole bad domains, a pretty simple service.
So my overall on this, which one should you use, because that discussion, you know, was burning on and is still going on in my forums, comes down to a couple things. One, for home users: Quad9, very aggressive but works great. Also the fact that they don't have any logging or dashboards, if you're into privacy, which, hey, privacy matters quite a bit, makes a lot of sense, and Quad9 is a great choice. Next, which one should you use for your business? Well, that's tricky. Quad9: testing it myself, I didn't find the internet broke when I used it here at our office or when I set it up at home. My internet experience was much the same: good. So using Quad9 from a business or a home user standpoint, both worked well. But why would you need logging? What about these other companies? Well, as I said, the scope of this was specifically filtering out malware, not such things as gambling sites or people who spend their day at work job hunting, and then you need some type of filtering to apply to a specific group or department in your business to try to keep them from going to sites you don't want them to. Second, logging. Quad9, although I really like them, the logging, the reason you need it very frequently is: what if you had a system that's just banging away at one of those bad domains? You see it making calls and it's getting sinkholed.
That's great, but why is it making all those calls? That's referred to as an indicator of compromise, and once you have an indicator of compromise in your network, that should trigger an investigation. So Quad9, by not providing any type of threat intelligence logging back to you, kind of does not have that piece of information of why your system is making all these calls. By the way, if that particular malware has a list of sites and maybe one of those was not blocked, and it slowly, methodically goes through things, or by some weird happenstance the URL that it's going through goes from being sinkholed to whitelisted later, well, now you have a problem where it finally got out and did the thing and you didn't have any notifications that it was doing that. So once you start getting into this, yes, this is going to be complicated.
Now, two last things I'm going to address are, like, Pi-hole and pfBlocker. One thing about pfBlocker and Pi-hole: they both use very common lists, and those lists once again come back to our threat intelligence problem of finding good quality lists, and the SANS one I literally pulled from pfBlocker. I haven't used Pi-hole in a long time, but I know, I believe, I should say, that it's still pulling from some of the same lists, and most of the lists, because of the way the lists are formatted, should be cross-compatible to put one list or the other in. Now, you're going to get a slightly different experience with those because now you're doing it at the local level, before it leaves and goes out to an external DNS resolver. So yeah, there's a really good chance, using those, that you'll have that logging that you're looking for, if you're using pfSense, if you're using it in those particular scenarios. So those are a couple of things to think about, and of course those were questions asked: can you run this against Pi-hole? And challenges,
I mean, it comes down to what list you're using and feed you're using, and then if you pad that, because defense in depth, you want the Pi-hole list compared to the pfBlocker list, or you take the pfBlocker list and then you think about the resolver that's going out behind it. And, you know, you can kind of see where this gets complicated, and you should have more than just this. This is all kind of basic sinkhole filtering, not in-depth filtering.
So these are my follow-up thoughts. One, I wanted to cover and clear up that I got the Cisco one wrong, that there was a better score when it was run against the actual Cisco Umbrella, not OpenDNS. Two, I'm disappointed, and not in anyone, just in the fact that it's so hard. Disappointing maybe is not the right word, just, I don't know, realizing the challenge, and maybe hopefully some of you realize the challenge that any threat researcher at any of these companies faces trying to get good threat intelligence. It's grueling. I mean, people have a passion for doing it, but, you know, digging into this is not easy. There's not this magic list. Building these threat intelligence things is hard, and of course, as we see on the internet frequently, something gets through, something gets missed, and these guys are working their butts off not to miss something, but it still happens. But I did achieve the goal of getting a conversation started about this, having a more open discussion, getting amazing feedback from the people at these companies so we can all learn more about their product, and overall, I think this was a success in terms of science, testing and things like that. And I guess at least my methodology didn't get too many holes poked in it.
The last little thing I will comment on is there was a Reddit post as well here, and it was just reiterating, because someone asked me if I'd seen the Reddit post. Actually, I hadn't until today. I just didn't notice it, and I was like, oh cool. And they go back and forth in more discussion on this
particular topic, talking about the issues with some of the things on there. So it's still an interesting discussion. I want people to be ever vigilant in their fight against malware. Like I said before, it's all a team sport. We're all hopefully on the same team, everyone watching this; maybe a few of you aren't, like I said, but for the most part, I believe most of you watching this are on the same team. You want better threat protection for yourself. You want better threat protection for your clients. No one really wants to see anyone getting hacked. But that's what this follow-up's about: just keeping your eyes open, and once again, this is just one little piece of the security stack. There's so much more to it. You have layers of, you know, whether or not you have to run antivirus, other types of web or content filtering, especially for particularly locked-down environments, and so much more, user training being one of the big ones, spam filtering, because most things come in through spam. I will probably expand to be doing a list of, you know, some of the other things that we do, and talking about how you build out your threat stack and how you monitor for things, and that'll be a future video I do plan on doing. But it's also ever-changing. I've talked about it before, but you'll find that keeping up with it, it's a challenge. It's something we do all the time, it's something we're always working to be better at, and that's also why I throw these videos out there. So I love hearing back from you and I love all this participation in the forums so we can all work together to make, you know, security better.