Advice Request CleanBrowsing DNS vs NextDNS vs ControlD DNS

Please provide comments and solutions that are helpful to the author of this topic.

CleanBrowsing DNS vs NextDNS vs ControlD DNS

  • CleanBrowsing DNS

    Votes: 0 0.0%

  • NextDNS

    Votes: 9 45.0%

  • ControlD DNS

    Votes: 2 10.0%

  • Other

    Votes: 9 45.0%
  • Total voters
    20
SohanRay

SohanRay

Level 5
Thread author
Mar 19, 2022
246
silversurfer said:
NextDNS as 2nd best, it's close to Quad9.
Click to expand...
Are you sure? If you check this link from my post... Nextdns uses poor quality threat intelligence feeds I think.
github.com

Update/replace Threat Intelligence feeds not updated since very long · Issue #959 · nextdns/metadata

https://malc0de.com/bl/ZONES --hasn't been updated since december 2019 https://rescure.me/rescure_domain_blacklist.txt --hasn't been updated since 2 months eventhough it says feed update frequency ...
github.com github.com
 
  • Like
Reactions: Nevi, [correlate], Kongo and 1 other person
S

ScandinavianFish

Level 7
Verified
Dec 12, 2021
319
SohanRay said:
Are you sure? If you check this link from my post... Nextdns uses poor quality threat intelligence feeds I think.
github.com

Update/replace Threat Intelligence feeds not updated since very long · Issue #959 · nextdns/metadata

https://malc0de.com/bl/ZONES --hasn't been updated since december 2019 https://rescure.me/rescure_domain_blacklist.txt --hasn't been updated since 2 months eventhough it says feed update frequency ...
github.com github.com
Click to expand...
It still has AI powered protection and Google Safe Browsing, aswell as Block Newly Registered Domains and the ability to add more filter lists
 
Last edited:
  • Like
Reactions: Nevi, simmerskool, [correlate] and 6 others
silversurfer

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,282
SohanRay said:
Are you sure? If you check this link from my post... Nextdns uses poor quality threat intelligence feeds I think.
github.com

Update/replace Threat Intelligence feeds not updated since very long · Issue #959 · nextdns/metadata

https://malc0de.com/bl/ZONES --hasn't been updated since december 2019 https://rescure.me/rescure_domain_blacklist.txt --hasn't been updated since 2 months eventhough it says feed update frequency ...
github.com github.com
Click to expand...
Well, probably depends what filters are added on NextDNS, default includes Google Safe Browsing that's good protection even against fresh malicious domains.
Just wait for other users opinions like from @SecureKongo he is an advanced user of NextDNS.
 
  • Like
  • Thanks
Reactions: Nevi, simmerskool, [correlate] and 4 others
SohanRay

SohanRay

Level 5
Thread author
Mar 19, 2022
246
ScandinavianFish said:
NextDNS is superior in almost every way compared to Quad9, and can become even better when properly configured
Click to expand...
Maybe in terms of control, because Quad9 doesn't provide any. But, what would be the case if the quality of threat intelligence feeds is compared? Nextdns just uses public lists and that too around at least 17 of those I have found to be useless as they haven't been updated for months!
 
  • Like
Reactions: Nevi, [correlate], Kongo and 2 others
blackice

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,821
NextDNS can have some quirks. I've never been able to run it on a router without it popping some google and cloudflare hits on leak tests. They insist this is impossible, but it's the only DNS service I've ever seen bring up another DNS resolver when using their service. I'm not alone either, other people have posted about it on their help page. They also had a lot of trouble getting DoT to play nice on ASUS routers. As much as I like NextDNS, Quad9 is much easier to set and forget as long as you are just looking for an extra layer of security.
 
  • Like
Reactions: Nevi, simmerskool, [correlate] and 6 others
Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,521
I personally wouldn't call myself an "advanced" NextDNS user, but thanks I guess 😄 @silversurfer

NextDNS Threat Intelligence Feeds > AI Based Threat Detection > Google Safe browsing. This is how I would rank all three of them.

@ScandinavianFish already said that you can also add more filters like the oisd filter which is a great starter list for malware, tracker and ad-blocking. Even tho it doesn't necessarily detect malicious sites, I also recommend the "Block Newly Registered Sites" setting which blocks all domains that were registered less than 30 days ago. As most malicious or phishing sites are only a few days old and as older domains are already taken down, this can be quite a strong addition to your blocklists. In my opinion the main strenght of NextDNS isn't the detection of malicious sites but the risk-reduction to even access one. I already mentioned the example "Block Newly Registered Sites". It reduces the risk of being infected by restricting the access to sites that have a high possibility of being infected. Same goes for Typosquatting Protection or the blocking of often abused Top Level Domains.

If you are looking for a set and forget DNS service then I would go for Quad9. If you want a configurable one, then I'd recommend NextDNS. It's a matter of preference. Either way I am sure that your DNS service won't be the only security layer on your system/network. So if a site slips through, you should have a backup anyway. So a short answer to your question if the Threat Intelligence Feeds are good enough: In my opinion they are good enough and also aren't outdated as you stated earlier. It catches many malicious and phising sites that are only a few days old with it's Threat Intelligence Feeds. I did some testing in the past and was always quite satisfied with the results.

You can also check out this video:
 
  • Like
Reactions: Nevi, simmerskool, Amahl Farouk and 11 others
Trooper

Trooper

Level 16
Verified
Top Poster
Well-known
Aug 28, 2015
775
blackice said:
NextDNS can have some quirks. I've never been able to run it on a router without it popping some google and cloudflare hits on leak tests. They insist this is impossible, but it's the only DNS service I've ever seen bring up another DNS resolver when using their service. I'm not alone either, other people have posted about it on their help page. They also had a lot of trouble getting DoT to play nice on ASUS routers. As much as I like NextDNS, Quad9 is much easier to set and forget as long as you are just looking for an extra layer of security.
Click to expand...

Agree with this. I have noticed this as well. I would go with Quad9 if it had the customization of NextDNS.
 
  • Like
Reactions: Nevi, simmerskool, [correlate] and 3 others
Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,521
Here an addition:

Screenshot 2022-03-24 180741.png

Screenshot 2022-03-24 180856.png


This one is a phishing page so please only visit if you know what you're doing! :)
 
  • Like
Reactions: Nevi, simmerskool, [correlate] and 6 others
SohanRay

SohanRay

Level 5
Thread author
Mar 19, 2022
246
SecureKongo said:
I personally wouldn't call myself an "advanced" NextDNS user, but thanks I guess 😄 @silversurfer

NextDNS Threat Intelligence Feeds > AI Based Threat Detection > Google Safe browsing. This is how I would rank all three of them.

@ScandinavianFish already said that you can also add more filters like the oisd filter which is a great starter list for malware, tracker and ad-blocking. Even tho it doesn't necessarily detect malicious sites, I also recommend the "Block Newly Registered Sites" setting which blocks all domains that were registered less than 30 days ago. As most malicious or phishing sites are only a few days old and as older domains are already taken down, this can be quite a strong addition to your blocklists. In my opinion the main strenght of NextDNS isn't the detection of malicious sites but the risk-reduction to even access one. I already mentioned the example "Block Newly Registered Sites". It reduces the risk of being infected by restricting the access to sites that have a high possibility of being infected. Same goes for Typosquatting Protection or the blocking of often abused Top Level Domains.

If you are looking for a set and forget DNS service then I would go for Quad9. If you want a configurable one, then I'd recommend NextDNS. It's a matter of preference. Either way I am sure that your DNS service won't be the only security layer on your system/network. So if a site slips through, you should have a backup anyway. So a short answer to your question if the Threat Intelligence Feeds are good enough: In my opinion they are good enough and also aren't outdated as you stated earlier. It catches many malicious and phising sites that are only a few days old with it's Threat Intelligence Feeds. I did some testing in the past and was always quite satisfied with the results.

You can also check out this video:
Click to expand...

Thanks for the prompt reply. I didn't exactly say that their whole threat intelligence feeds were outdated. But yeah, 17 of them is definitely outdated and like months old. I had personally checked them. You can too, the list of the outdated ones is mentioned in my github post.
Also according to Paolo Alto networks latest post, their stats say that an inactive domain becoming malicious after quite some time is lot more likely than newly registered domains being malicious.
 
  • Like
Reactions: Nevi, [correlate], SeriousHoax and 1 other person
Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,521
SohanRay said:
Also according to Paolo Alto networks latest post, their stats say that an inactive domain becoming malicious after quite some time is lot more likely than newly registered domains being malicious.
Click to expand...
Good to know, but that doesn't change the fact that the blocking of newly registered domains can increase the protection quite a bit.
 
  • Like
Reactions: Nevi, [correlate], SeriousHoax and 5 others
blackice

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,821
SecureKongo said:
Good to know, but that doesn't change the fact that the blocking of newly registered domains can increase the protection quite a bit.
Click to expand...
It can also generate false positives and complaints among the residents if you are filtering for a whole network. Lots of legit advertising links end up being from new domains. So it depends on how much managing you want to do. When I attempted filtering ads and such on the whole network it resulted in many submissions to my "complaint inbox", also known as "hey husband, WTF did you break!!?".
 
  • Like
Reactions: Nevi, [correlate], SeriousHoax and 4 others

Similar threads

SohanRay
Question Does blocking private IP addresses to protect against DNS rebinding really help?
Replies
1
Views
519
VPN and DNS
Bot
Bot
SohanRay
    • Like
Advice Request NextDNS/ControlD vs Quad9, AV Web Protection
Replies
93
Views
15,386
VPN and DNS
windscribe
windscribe
jetman
    • Like
    • Thanks
Question Is there any independent testing of DNS providers?
Replies
4
Views
1,356
VPN and DNS
jetman
jetman

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top