Practical comparison of SkyDNS, YandexDNS and DansGuardian as a means of protection from the prosecutor's office

Testing algorithm

Facts, then prehistory. Testing took place on five identical virtual machines:

• The first is YandexDNS with a family one, i.e. maximum filtering;
• The second is SkyDNS in test mode with default settings;
• The third is SkyDNS in test mode with settings recommended for schools;
• The fourth is DansGuardian + SquidGuard with the SafeSearch option, which were set up 2 years ago and which occasionally showed a federal list of prohibited materials;
• Fifth - the reference machine, which checked whether there is access to information directly through the provider.

Immediately, I note that SquidGuard did not work once during testing, so its presence did not affect anything.

Since far from every item of the federal list you can think of a way to check, and indeed it is sometimes difficult to understand what is written there, the testing algorithm for it was the following:
1. Sticking to a random item on the list, we go down it until we find something that you can try to find on the Internet. For example, it may be some text, e-book, URL, IP-address, video, music, which can be somehow identified.
2. We are trying to find this information through Google or the secure search SkyDNS, if Google is blocked.
3. All that is on the first two pages of the issue, trying to open and see the results.

Federal list

In total, 30 random federal list items were checked. Result:
12 points blocked by the provider. Of the remaining 18 points:
')

• YandexDNS blocked 2;
• SkyDNS with default settings blocked 5;
• SkyDNS with settings for schools blocked 9;
• DansGuardian blocked 13, if we assume that few people can read a book in Arabic.

Roskomnadzor Register

Selected random items from those that have made over the past three or four days and which the provider has allowed. As a result, the following 15 check points are blocked:

• YandexDNS - 6;
• SkyDNS with default settings - 12;
• SkyDNS with settings for schools - 13;
• DansGuardian - 10.

Google search

The usual search for school age: "Buy smoking mixture", "Download free porn" and the same thing in several spellings. The result for the first pages of search results:

• YandexDNS allowed you to find and go to 3 sites with pornography, 7 sites for the sale of smoking mixtures;
• SkyDNS with default settings allowed viewing 7 sites with pornography, 3 stores with smoking mixtures;
• SkyDNS with settings for schools allowed to see 0 sites with pornography, 0 shops with smoking mixtures;
• DansGuardian on porn sites did not let, opened one site with a light erotica and 2 stores with smoking mixtures.

SkyDNS Setup Notes

When you configure SkyDNS, the following filters are filtered by default: Federal Ministry of Justice, drugs, proxy, phishing, websites with viruses, alcohol and tobacco, pornography, sites for adults and something else in there.
When you configure SkyDNS for schools, everything that was defaulted is filtered, plus filtering adds radio and music, file archives and p2p networks, movies and photos, entertainment, advertising, forums, social networks, news and media. The main feature here is that all unknown SkyDNS sites are blocked and a secure search is used.
Since SkyDNS in school mode uses most of its arsenal of falsification, I, testing, changed the cases, the word order, etc., did not make me the meaning of a search query. If on the third or fourth manipulation I could not find the opening sites, I would count the point in favor of SkyDNS

findings

1. With regard to filtering, as expected, SkyDNS with the default settings took the family YandexDNS, but significantly lost to DansGuardian in the field.
2. SkyDNS with settings for schools is not easy to compare, since we, in fact, get the Internet on the white list, i.e. all that unknown skydns will be blocked. At the same time, the results are good, but they still fall short of DansGuardian when searching for specific information.
3. SkyDNS is not a content filter, despite the statement of the company itself. In my understanding, the content filter should track the contents of the pages, not the addresses of Internet resources.
4. Properly configured and updated DansGuardian + SquidGuard will show the results even better, because the SquidGuard who participated in the testing knows nothing about Roskomnadzor and has not updated the blacklists for two years.
5. With all the information gathered, they are waiting for me a good weekend.

Why and for whom it is written

SkyDNS received massive messages from one municipal institution I was looking after, stating that they were the only solution for content filtering, that they were approved by government agencies, that for ridiculous money, that the Internet was clean after them, like snow in The alps. Hinted that the inspection of the prosecutor’s office, having heard their name, immediately turns around and goes to dusty offices to smell like brandy and cry from impotence. And then there was the head of automation, a woman with a difficult fate, decided to give in to persuasion and change the working DansGuardian to this magical SkyDNS. And I thought: “What if !?” But no, everything was as expected.

Dear employees of public institutions, teachers of computer science, other administrators willy-nilly and their leaders! SkyDNS features are limited by technology. SkyDNS does NOT filter IP addresses, does not filter on the content of Internet pages, does not filter on the types and names of downloaded files. This is just a white and black list of Internet addresses that you can customize and use for your needs. If it suits you, then all is well.

However, since I was an eyewitness to the prosecutor’s check of the Internet access to prohibited materials, I spoke with other victims in other organizations, and also had the pleasure of talking with prosecutors and the Justice Ministry, who organize and conduct these checks, I can assure you that the terminals blocking access according to SkyDNS blacklists, prosecutors do not check, unless you are lucky or you have a special agreement with the reviewers.

The prosecutor's office is violet, that you put yourself there, with whom you signed a contract. They check for you. Their task is to get access to materials from the federal list, and they will definitely get it with some persistence. Your only chance to pass the test is to always use the white list of addresses, or at least have time to switch to it before the test begins.

A logical question appears - how can you demand the execution of the law, which is impossible to fulfill? Unfortunately, everything is simple for the prosecutor's office: there is a law - it is necessary to comply. Do not perform - punish. In this case, everyone understands everything and can enter the position, but the prescription will still be.

The article has a practical task to show the effectiveness of different filtering methods. I respect the desire of people to make money and usually do not prevent them from earning. But in this case, I don’t like the SkyDNS guys to position themselves as a non-alternative solution, run an aggressive advertising campaign, using administrative state resources and intimidating articles of the criminal code, while not giving any, I repeat, no guarantee for the result and officially rejecting any responsibility to you or the prosecutor's office for the quality of filtering, which is written in their legal documents.

Total simple filtering recipes

If you can make this whitelist yourself and put it on a proxy, you do not need SkyDNS.
If you need a normal content filter, you have hands and a head that can customize it (not necessarily yours) - take DansGuardian and practice.
If there are no hands or heads, use SkyDNS or YandexDNS. SkyDNS, of course, is better and more convenient, but it all depends on the budget.

Just in case - a list of queries that I, as a result, used to search the federal list: Google spreadsheet

Update:

The first edition of the note was really incorrect, as I was checking, being sure that I was checking SkyDNS with school settings, while good people had already reset the settings to the default state. After a comment from a representative of SkyDNS, I doubted, made sure that I was wrong, and conducted another testing on another virtual machine. I apologize, and I hope that everyone who was interested in this material will look at the updated results.

Feelings from SkyDNS on school settings with work through secure search and with blocking unknown domains were more convincing and I am ready to confirm that an organization using this option is more likely to pass the test than it will not. There is one “but” - as mentioned in the hell0w0rd and Lerk comments , it is strange that this mode is not worth the default, since I am sure many offices will simply forget to turn it on.

It would be wrong not to mention that after the end of testing, it took me about a minute to find and test the SkyDNS bypass mechanism, without installing additional programs and without changing the settings of the operating system or browser. At the same time, I do not consider myself much smarter than a literate student.

Also, I asked my lawyers what they thought about blocking websites on the white list, and received several different opinions, one of which, for example, is that no one has yet canceled the Constitution of the Russian Federation, therefore provide access to one sites and do not provide to others, as happens when using the option “block unknown sites” - this is a good reason for litigation.