Customers and prospects have approached us recently with questions similar to this: why should we choose Malware Patrol instead of a free DNS protection service? The question is fair, especially in a market with at least 93 different free DNS offerings, including big players like Cloudflare, Cisco and Quad9.
We want to provide the facts so you can decide for yourself. These services present themselves as something like a “DNS platform that provides end users robust security protections, high-performance, and privacy”. Although the idea of consolidating multiple threat data sources and providing a protection service is very appealing, there are many aspects to take into account before you change your DNS settings.
First of all, remember that nothing is really free in life. The saying ‘if you’re not paying for the product, you are the product’ is true more than ever. In this case, it means you are giving away data about everything you do online.
Every time you visit a website, use a social media app, read emails, watch a movie or do pretty much anything online, your device makes DNS queries to determine the IP addresses of the various services it needs to access. Although some of these DNS service providers say they don’t log your IP address, they do log the queries, and a lot of data can be derived from that. The byproducts range from “passive DNS” collection to usage patterns, and they present a threat to privacy.
Everybody wants your DNS queries. The service providers built complex infrastructures that use anycast and servers hosted in multiple locations, but who pays for all that? Most likely the data you passively provide when using their services.
Second, what do they protect you from, really? Many of these services mention you are protected from malware and phishing, but there is no word on the threat data sources, amount of data, how it is validated, how it is aged, and so on. You are protected, but don’t know from what. Is this really the protection you need? Does it cover the most recent malicious campaigns, the ones that affect your country and language? There is no way to know.
Third, these service providers mention that they whitelist legitimate domains. How does that work? Who says a domain is legitimate and assures it will never host malware? Recent years have proved that no website is totally immune to attacks, and being tagged as legitimate is no guarantee it won’t be compromised and used to distribute malware. In fact, the more a website is considered benign, the bigger a prize it becomes for attackers who want to distribute badness.
And finally, why do companies share their threat data for free with these service providers when they sell the same data for big bucks? Thinking about that, one can clearly see a conflict of interest. These companies either don’t share the most up-to-date data or are monetizing the information received from the service providers, also known as your DNS queries.
At Malware Patrol, we have a different approach. We have been monitoring malicious campaigns since 2005, and that is our core business. Apart from collecting data on malware and ransomware activities, we validate the data to make sure campaigns are active. We don’t age data; entries are only removed from our feeds once we know for a fact that the threat isn’t available anymore.
Our customers can use this threat data in most industry security software and platforms, including DNS servers. For DNS, we let them download zone files that are updated every hour, or synchronize zones automatically and in real time using the RPZ (Response Policy Zone) mechanism, providing a reliable DNS Firewall solution. This way, customers retain total control of their DNS infrastructure and their privacy. We don’t resolve queries; we provide the data your servers need to block them. And, on top of not leaking any data from your company, you can configure a “walled garden”, redirecting employees or customers to an informative and educational website under your control every time they try to reach a blocked address.
To further customize their security, we allow customers to control what they want to block. The threat data is divided into 4 different zones and each can be used separately:
1) domains hosting malware and ransomware
2) C2 (command and control) domains
3) DGAs (domains generated via algorithms) used by malware and ransomware
4) cryptominers – domains that abuse visitors’ CPUs to mine cryptocurrencies.
Through all these years, we have seen so many “legitimate domains” hacked to host badness and ones that simply allow users to freely upload malware to their accounts. For example, is ‘dropbox.com’ legitimate? Sure, it is. Does it host malware? Yes, and very often. Should a DNS service provider block ‘dropbox.com’? For us, it depends.
Our approach is to provide customers with complete information, informing them that ‘dropbox.com’ is hosting bad stuff. Then they can make an informed decision about whether or not to whitelist it, based on their understanding of the threat as well as their internal policies. Customers can easily whitelist domains they don’t want blocked, even those hosting malware. We understand that sometimes it is not practical to block a very popular domain.
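The walled garden and the whitelist described above, as an added BIND 9 RPZ configuration example that is not Malware Patrol’s own zone data; the vendor zone name, the primary server address and the internal landing host are placeholders, and the blocked domain is a constructed sample:

```text
// named.conf (BIND 9.16+ keywords). Policy zones are evaluated in
// the order listed, and the first zone that matches a query wins,
// so the local whitelist must come BEFORE the vendor feed.
response-policy {
    zone "rpz.local";              // local allow-list, checked first
    zone "malware.rpz.example";    // placeholder name for the vendor feed
};

zone "rpz.local" {
    type primary;
    file "rpz.local.zone";
};

zone "malware.rpz.example" {
    type secondary;
    primaries { 192.0.2.10; };     // placeholder: the feed's primary server
    file "malware.rpz.zone";
};

; rpz.local.zone - whitelist: "rpz-passthru." is the RPZ special target
; meaning "answer normally, never rewrite". The wildcard covers subdomains.
$TTL 60
@                   SOA localhost. hostmaster.localhost. 1 3600 900 604800 60
@                   NS  localhost.
dropbox.com         CNAME rpz-passthru.
*.dropbox.com       CNAME rpz-passthru.

; malware.rpz.zone - what a feed entry with a walled garden looks like.
; Instead of NXDOMAIN (CNAME .), the query is rewritten to an internal
; landing page so the user sees why the request was blocked.
; "bad.example" is a constructed sample, not a real indicator.
$TTL 60
@                   SOA localhost. hostmaster.localhost. 1 3600 900 604800 60
@                   NS  localhost.
bad.example         CNAME blocked.intranet.example.
*.bad.example       CNAME blocked.intranet.example.
```

With this layout a query for dropbox.com matches rpz.local first and is resolved normally even if the vendor zone lists it, while a query for bad.example is redirected to blocked.intranet.example; BIND logs each rewrite (category rpz), which is the audit trail to watch for hits.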
We believe in the idea of providing security through DNS. Most of the service providers out there are doing a good job, aligned with their stated missions. But these services are better suited to regular Internet users who simply want some protection for themselves. On the other hand, small businesses, service providers and enterprises require more flexibility and transparency and are more than ever concerned about privacy. The solutions provided by Malware Patrol are better suited for these companies.
Please contact us to set up an evaluation period, during which you can test our DNS RPZ services.
Founder, Malware Patrol
Information Security and Threat Intelligence Professional whose qualifications include in-depth knowledge of Internet technologies, current cyber security landscape, incident response, security mechanisms and best practices. He founded the Malware Patrol project in 2005. The company is helping enterprises around the world to protect themselves from malware and ransomware attacks through some of the most comprehensive threat data feeds and block lists on the market.