Jump to content

Quad9 vs CleanBrowsing - Best DNS for security?


Recommended Posts

You're a little quick on the trigger finger there partner. Not everyone is a "shill", keyword pumping for the competition. I created an account and posted here because I don't think your opinion is well formed - or better, it is misplaced. 

Not that it matters, but In all likelihood, I know far more about "seo" and "spam" than you do... it (internet based marketing) is my livelihood and prior to that I owned and operated an IT consulting firm (~20 years). I have both feet firmly planted in both sides of the game.

-I never said that "major" DNS providers don't filter. Of course they do, each having their own reasons (good or nefarious). I said, if you don't want to have your results filtered, then use your OWN DNS root hints, or DNS provider that agrees to no filtering.

-I never said that search engines and DNS providers don't filter what you search for - of course they do, it is their prerogative. 

Those providers are no different than the DNS filter in your product. They intercept a query and act upon it with a filter (for whatever reason, good or nefarious). You just don't like WHERE the filters are applied (I.E. your software or somebody else's). 

I think the issue here is misplaced anger toward "censorship" and confusion about DNS architecture, or where it fits in. You appear to want to elevate DNS providers to some moral or enforced standard above that of search engines or other products. The problems is that "DNS Providers" are not a governed part of the architecture, and even if they were, only countries and entities willing to play nicely would adhere anyway-leaving us in the same boat.

You mentioned the phone book analogy - There is no "phone book".  There are "phone books" - each localized or curated for a reason, from White Pages to Yellow Pages and countless directories in between. Some specific to localities, some to business verticals, and others to carrier's own subscribers. DNS "providers" are like phone books in that sense. The difference is, that we can go a level above them and to the root servers. FWIW - there is no "phone company" analog to this, even if you collected every carriers database and centralized it!  

The cure to what ails you (as i have repeated) is that we in fact DO have the ability to see unfiltered DNS quires by starting our query at the root level. Anything in between has (will) curate the returned results. There is no jurisdictional or enforcement mechanism that could ever change this. It is not they way the system is built. To argue any differently is to be naive to how it all actually works and what can or can't be controlled. Be happy we have that at the DNS level, as from the search perspective there is no "index" of the entire "internet" to use if you don't like the filters your chosen search provider applies.

I don't disagree with your sentiment - I am just pointing out that it is misplaced. The large providers of the world are shaping the very fabric of society by carefully curating what we see and read, from politics to social behavior and everything in between. I don't like it either, but DNS itself is not the culprit.  Be angry at your provider, not the mechanism. 

 

Link to post
Share on other sites
  • 2 months later...

Hello, slightly worried that I am wading into something that I don't fully understand but I read the thread and it confused me and surprised me.

I found the thread by googling "cleanbrowsing" because my ISP recommends OpenDNS to do content filtering from the router and I wanted to see if there is an alternative. This thread is the 5th hit in that google search on my computer though I have already done some searches for 'alternatives to OpenDNS' and appreciate that google are clever in working out what you are looking for so that may not be what comes up when others search for the same thing....

I have 2 young children and want to block them from accidentally accessing any inappropriate content from any devices on our home network.  I have malwarebytes subscription (I expect you can check this 'root admin' from my email address) and have it installed on our PCs and mobiles but not on the smart TVs (can you??) or my children's kids fire tablets or the tablet we use to download netflix films to watch in the car.  I have done my best to set up parental controls on all the devices but I want an element of 'belt-and braces'.  I have just changed ISP,  the previous one included a comprehensive parental control system, the new one (which is fibre to the door and v. fast which is why I go it) doesn't.

Without installing something on every device my reading suggests that the only way to stop any inappropriate content coming into the network is to change the DNS settings on the router to use OpenDNS or Clearbrowsing or another DNS filter or to buy a router that has it's own content filtering system.

RootAdmin's statement was that "My preference is that ALL DNS providers should be mandated that they should not play in this area. All DNS providers should do what they're there for. To provide look up information and it should not be morally controlled by anyone.  Domain Name System (DNS) is the phonebook of the Internet and should be able to find any known, published site period." Hence my confusion - if that is a good sentiment as per JohnDoe's last line - what is the correct way to do what I want?

If there is another and better way of achieving what I want them please tell me as where I am at the moment is choosing between OpenDNS, Clearbrowsing etc as, without installing something on every device and setting it up and probably spending a bit of money to do it I don't know how to achieve it

Cheers

Baboo

 

Link to post
Share on other sites
  • Staff

Greetings,

If you do not wish to install software on every device, then your only choice is to use a solution that filters content at the modem/router/connection level.  The downside is that if your children are ever able to connect to any other network aside from the one(s) you have direct control over, they will have unfiltered access to the entire web.  There may be a way to prevent that, such as somehow configuring each device to only connect to the connections/networks you specify, however I know of no such solution, especially since it would need to work for any device they could leave the house with (or even connect to a neighbor's connection potentially, especially if any neighbors' networks are unsecured).

I am by no means an expert in parental controls and the like, however I do use several tools for filtering content on my own system (including Malwarebytes Premium and Malwarebytes Browser Guard), but whatever solutions are chosen, they are only going to be effective as long as they are active, so either each device will have to have restricted permissions (if possible; some devices lack such capabilities) to prevent disabling and/or uninstalling whatever filtering tools you might be using for any tools installed locally, or you will have to trust your children not to disable or try to remove the tools to unblock access.

The above info may all be things you're already aware of (as I said, I'm no expert in parental controls), I just thought I'd mention it in case I could contribute anything you hadn't considered yet.

I'll have to let AdvancedSetup address his own comments that you quoted.

You might also consider creating a new topic in the same General Chat area of the forums here to start a discussion on the subject as that will be likely to attract more eyes than a reply to a 2 month old topic.  I'm sure others in our community will have knowledge to share.

Link to post
Share on other sites
  • 10 months later...

Going to have to agree with everything johndoe321 said also found this site after a google search. I realize malwarebytes is somewhat of a competing business but you don't offer DNS filtering. There are some valid reasons for DNS filtering. If you are concerned you will be censored then do not use it. It is really that simple.

I have an elderly grandparent that has been scammed multiple times and had information stolen. Even after teaching NOT to click on links they still do it. I have malwarebytes and an antivirus installed on their machine. Neither have prevented their information from getting stolen. Scammers have been able to gain access to their machine remotely and caused all sorts of problems.

I switched to DNS filtering at the router as a layered security approach. This has actually worked. There are some good DNS providers that do actually update new threats fairly quickly. DNS filtering is effective.

Link to post
Share on other sites
  • Staff

Greetings,

If you haven't already done so, I would highly recommend installing Malwarebytes Browser Guard as it has capabilities designed to target tech support scams and other unwanted web content, not only through the use of static block lists and the like (which is what a DNS filtering solution uses, similar to the Web Protection in Malwarebytes Premium), but also through more advanced behavior based blocking which can identify such unwanted content based on factors other than the URL/domain or IP address, meaning that even when the scammers change their IP or domain (a tactic they frequently use in order to try and evade static block lists, often using randomized URLs), their content will still be blocked.

It works well alongside Malwarebytes Premium and would make a good addition to the other filtering/blocking solutions you're using to protect your family's devices.  It is free and works with Chromium based browsers such as Google Chrome and the latest MS Edge Chromium as well as Mozilla Firefox.

Link to post
Share on other sites

Yes malwarebytes browser guard as well as the antivirus browser guard was installed. Neither of which caught the scam link. These folks have nothing better to do but create numerous social engineering scams which change regularly. They all are not tech support scams they can however evolve into that after they have stolen email passwords or other passwords. 

DNS services are not just static lists. A large portion of them are. However their are a few that are dynamic lists and update regularly. You can actually test this. There are sites that track the latest bad links and users can submit new links to suspected bad sites. Some DNS providers are much quicker at updating potential threats and is done on the backend. It doesn't require the user to update or wait for an update. Notice I am not specifying which DNS provider so not to be called a spammer or Troll. These sites are great at testing which tool is capable of catching what. Assuming you know how to contain potential threats. I have yet to find a tool that does it all.

Best approach is a layered approach IMO and DNS services have their place.

Link to post
Share on other sites
  • Staff

What I meant by static lists was simply that it requires for a malicious site to first be discovered or reported, then added to a block database, meaning it must first be discovered in order to be blocked.  Given how short lived such domains often are, trying to block them using such methods can be very hit or miss.

Link to post
Share on other sites
  • Root Admin
Posted (edited)

There are reasons and purposes for DNS filtering blocks. I simply do not believe that gateway DNS companies should be the ones doing it. That sets everyone up for monopoly control and management of data period. It's just like a Google search. If they don't return the results of your search then for all intensive purposes it doesn't exist when in fact it does exist they simply don't show it.

I would rather companies like NetNanny or similar be used by people that want to protect themselves. They don't control DNS they simply filter it. These other companies control DNS which is a big difference. Just like the current NEWS media. They filter and block anything they don't happen to like even though there are news sources or videos of a given subject. Sorry but I don't think the world needs yet another gatekeeper gone wild with DNS.

 

 

Edited by AdvancedSetup
updated information
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.