Public DNS malware filters tested in September 2024

How do the top public DNS resolvers that guard against malware domains fare in September 2024? We’ve put them to the test!


Preventing malware infections in your network requires a multi-layered defense strategy. One of these layers is DNS filtering. However, with new malware domains emerging daily, maintaining your own blacklist is impractical. Instead, you can rely on public DNS resolvers that block malicious domains.

We last ran this test in January 2024. Now, eight months later, we are eager to see how the public DNS resolvers perform this time around.

List of malicious domain names

Once again we downloaded a list of 231,497 malicious domains from the CERT Poland website, a list that CERT Poland continues to update daily. We also downloaded a list of 2,042 malicious domains from URLhaus. In total this gave us 233,539 unique rogue hosts, more than enough to get a good idea of how well or poorly the DNS resolvers perform.

Tested DNS resolvers

We subjected the same providers to this test as we did last time.

How we performed the test

We used our simple Bash script for this test. The script:

  • Sent 10 pings to each DNS resolver to get an average ping time.
  • Queried 5 well-known websites that are definitely not on the malicious list, to confirm that each DNS resolver answers correctly.
  • Checked each malicious domain against the unfiltered DNS resolver 1.1.1.1 (Cloudflare) to verify that the domain has at least 1 A-record.
  • If at least 1 A-record was found, tested the domain against all DNS resolvers.
  • If the tested DNS resolver returned a valid IP address, stored it in a CSV. If the DNS resolver returned no value, or the IP address 0.0.0.0 or 127.0.0.1, nothing was stored in the CSV.

An empty answer, or the value 0.0.0.0 or 127.0.0.1, is a sign that the resolver refused to resolve the domain. In that case we assume that the provider knows the domain as 'malicious'.
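To make the procedure concrete, here is an added example script; it is not the authors' own script. It checks each domain against the unfiltered reference resolver 1.1.1.1 first, applies the same rule as above (no answer, 0.0.0.0 or 127.0.0.1 counts as blocked) and stores only resolved lookups in a CSV. The resolver addresses, file names and summary format are assumptions.

```shell
#!/bin/sh
# Added example, not the authors' script: re-creates the test procedure above.
# Resolver addresses, file names and summary format are assumptions.

# IPv4 A-records a resolver returns for a domain. dig +short also prints CNAME
# targets, so keep only dotted-quad lines. Needs network access.
query_a() {
    dig +short +time=3 +tries=1 A "$1" "@$2" 2>/dev/null |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# Classify an answer: no output, 0.0.0.0 or 127.0.0.1 count as "blocked";
# any other IPv4 address means the resolver served the domain.
classify() {
    set -- $1                       # one positional parameter per address
    for ip; do
        case "$ip" in
            0.0.0.0|127.0.0.1) ;;   # sinkhole answer, keep looking
            *) echo resolved; return 0 ;;
        esac
    done
    echo blocked
}

# Blocked percentage with two decimals, e.g. block_rate 46112 47016 -> 98.08
block_rate() {
    awk -v b="$1" -v t="$2" 'BEGIN { printf "%.2f", (t > 0 ? 100 * b / t : 0) }'
}

# Walk a domain list (one hostname per line). A domain is tested only if 1.1.1.1
# has an A-record for it. Resolved lookups go to the CSV as "domain,resolver,ip";
# blocked ones are not stored, only counted.
run_test() {
    list="$1"; csv="$2"; shift 2    # remaining arguments: resolvers to test
    : > "$csv"; tested=0
    while read -r d; do
        [ -n "$d" ] && [ -n "$(query_a "$d" 1.1.1.1)" ] || continue
        tested=$((tested + 1))
        for r; do
            ans=$(query_a "$d" "$r")
            [ "$(classify "$ans")" = resolved ] &&
                printf '%s,%s,%s\n' "$d" "$r" "$(printf '%s\n' "$ans" | head -n 1)" >> "$csv"
        done
    done < "$list"
    for r; do                       # per-resolver summary from the CSV
        n=$(grep -c ",$r," "$csv" || true); b=$((tested - n))
        printf '%-16s resolved=%d blocked=%d blocked%%=%s\n' "$r" "$n" "$b" "$(block_rate "$b" "$tested")"
    done
}
```

Run it as `run_test domains.txt results.csv 9.9.9.9 <resolver-ip> ...` with one hostname per line in the domain list; the ping and known-good checks from the list above are left out.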

Results

Cloudflare returned an A-record for 47,016 hosts. These hosts were offered to all DNS resolvers. The table below shows how many of these hosts with a valid IP address each DNS resolver resolved (not blocked) and did not resolve (blocked).

Provider                        Resolved   Blocked   Blocked %
Google Public DNS                  46907       102       0,22%
ControlD Malware                       5     47004      99,97%
Quad9                                897     46112      98,08%
Cloudflare for Families            45163      1846       3,93%
UltraDNS Threat Protection         46993        16       0,03%
dns0.eu                              407     46602      99,12%
dns0.eu ZERO                         395     46614      99,14%
CleanBrowsing Security Filter       1036     45973      97,78%
Comodo Secure DNS                  46939        70       0,15%

In the graph below, we have included the results from May 2023 and January 2024 for comparison.

Conclusion

ControlD, with its 'Malware filter,' remains in the lead. What stands out the most is the significant improvement from Quad9, which increased its detection rate from 84% to 98%, an impressive achievement. CleanBrowsing also shows strong progress, moving from 85% to nearly 98%. We also observe a small but notable improvement in the DNS0 filters.

Unfortunately, Cloudflare for Families continues to decline, now blocking only 4% of malware domains. This was also the last time we included UltraDNS and Comodo Secure DNS in the test, as their malware filters appear to no longer be active.

Do you have suggestions for other DNS malware filters to include in the next test? Feel free to drop us a message at hello@nexxwave.eu. We only include public DNS resolvers that are free to use without any registration.

The danger of false positives

Working with third-party malware lists has the drawback that some domains might be incorrectly blocked, resulting in what are known as 'false positives.' We downloaded the 'top 1,000' domains from Cloudflare Radar. This list represents the top 1,000 globally requested domains on the Cloudflare unfiltered DNS resolver over the past 7 days. While we can't be 100% certain that these domains are free from malware, given that they are among the largest websites, we can reasonably assume they are safe. Therefore, DNS resolvers should not block these domains.

Out of the 1,000 domains, 692 were tested with all DNS resolvers. The outcome? Only a few were not resolved, which is nearly negligible and an excellent result.

Provider                        Resolved   Not resolved
Google Public DNS                    692              0
ControlD Malware                     690              2
Quad9                                692              0
Cloudflare for Families              692              0
UltraDNS Threat Protection           692              0
dns0.eu                              692              0
dns0.eu ZERO                         691              1
CleanBrowsing Security Filter        691              1
Comodo Secure DNS                    691              1

Why couldn't all 1,000 domains be tested? Some domains did not return an A-record because they are only used through subdomains, such as a 'CDN' or 'tracker' service.