Advice Request CleanBrowsing DNS vs NextDNS vs ControlD DNS

Please provide comments and solutions that are helpful to the author of this topic.

CleanBrowsing DNS vs NextDNS vs ControlD DNS

  • CleanBrowsing DNS

    Votes: 0 0.0%
  • NextDNS

    Votes: 9 45.0%
  • ControlD DNS

    Votes: 2 10.0%
  • Other

    Votes: 9 45.0%

  • Total voters
    20

SohanRay

Level 5
Thread author
Mar 19, 2022
246
NextDNS as 2nd best, it's close to Quad9.
Are you sure? If you check this link from my post... Nextdns uses poor quality threat intelligence feeds I think.
 

ScandinavianFish

Level 7
Verified
Dec 12, 2021
322
Are you sure? If you check this link from my post... Nextdns uses poor quality threat intelligence feeds I think.
It still has AI powered protection and Google Safe Browsing, aswell as Block Newly Registered Domains and the ability to add more filter lists
 
Last edited:

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
9,962
Are you sure? If you check this link from my post... Nextdns uses poor quality threat intelligence feeds I think.
Well, probably depends what filters are added on NextDNS, default includes Google Safe Browsing that's good protection even against fresh malicious domains.
Just wait for other users opinions like from @SecureKongo he is an advanced user of NextDNS.
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
NextDNS is superior in almost every way compared to Quad9, and can become even better when properly configured
Maybe in terms of control, because Quad9 doesn't provide any. But, what would be the case if the quality of threat intelligence feeds is compared? Nextdns just uses public lists and that too around at least 17 of those I have found to be useless as they haven't been updated for months!
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,670
NextDNS can have some quirks. I've never been able to run it on a router without it popping some google and cloudflare hits on leak tests. They insist this is impossible, but it's the only DNS service I've ever seen bring up another DNS resolver when using their service. I'm not alone either, other people have posted about it on their help page. They also had a lot of trouble getting DoT to play nice on ASUS routers. As much as I like NextDNS, Quad9 is much easier to set and forget as long as you are just looking for an extra layer of security.
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,453
I personally wouldn't call myself an "advanced" NextDNS user, but thanks I guess 😄 @silversurfer

NextDNS Threat Intelligence Feeds > AI Based Threat Detection > Google Safe browsing. This is how I would rank all three of them.

@ScandinavianFish already said that you can also add more filters like the oisd filter which is a great starter list for malware, tracker and ad-blocking. Even tho it doesn't necessarily detect malicious sites, I also recommend the "Block Newly Registered Sites" setting which blocks all domains that were registered less than 30 days ago. As most malicious or phishing sites are only a few days old and as older domains are already taken down, this can be quite a strong addition to your blocklists. In my opinion the main strenght of NextDNS isn't the detection of malicious sites but the risk-reduction to even access one. I already mentioned the example "Block Newly Registered Sites". It reduces the risk of being infected by restricting the access to sites that have a high possibility of being infected. Same goes for Typosquatting Protection or the blocking of often abused Top Level Domains.

If you are looking for a set and forget DNS service then I would go for Quad9. If you want a configurable one, then I'd recommend NextDNS. It's a matter of preference. Either way I am sure that your DNS service won't be the only security layer on your system/network. So if a site slips through, you should have a backup anyway. So a short answer to your question if the Threat Intelligence Feeds are good enough: In my opinion they are good enough and also aren't outdated as you stated earlier. It catches many malicious and phising sites that are only a few days old with it's Threat Intelligence Feeds. I did some testing in the past and was always quite satisfied with the results.

You can also check out this video:
 

Trooper

Level 16
Verified
Top Poster
Well-known
Aug 28, 2015
772
NextDNS can have some quirks. I've never been able to run it on a router without it popping some google and cloudflare hits on leak tests. They insist this is impossible, but it's the only DNS service I've ever seen bring up another DNS resolver when using their service. I'm not alone either, other people have posted about it on their help page. They also had a lot of trouble getting DoT to play nice on ASUS routers. As much as I like NextDNS, Quad9 is much easier to set and forget as long as you are just looking for an extra layer of security.

Agree with this. I have noticed this as well. I would go with Quad9 if it had the customization of NextDNS.
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,453
Here an addition:

Screenshot 2022-03-24 180741.png

Screenshot 2022-03-24 180856.png


This one is a phishing page so please only visit if you know what you're doing! :)
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
I personally wouldn't call myself an "advanced" NextDNS user, but thanks I guess 😄 @silversurfer

NextDNS Threat Intelligence Feeds > AI Based Threat Detection > Google Safe browsing. This is how I would rank all three of them.

@ScandinavianFish already said that you can also add more filters like the oisd filter which is a great starter list for malware, tracker and ad-blocking. Even tho it doesn't necessarily detect malicious sites, I also recommend the "Block Newly Registered Sites" setting which blocks all domains that were registered less than 30 days ago. As most malicious or phishing sites are only a few days old and as older domains are already taken down, this can be quite a strong addition to your blocklists. In my opinion the main strenght of NextDNS isn't the detection of malicious sites but the risk-reduction to even access one. I already mentioned the example "Block Newly Registered Sites". It reduces the risk of being infected by restricting the access to sites that have a high possibility of being infected. Same goes for Typosquatting Protection or the blocking of often abused Top Level Domains.

If you are looking for a set and forget DNS service then I would go for Quad9. If you want a configurable one, then I'd recommend NextDNS. It's a matter of preference. Either way I am sure that your DNS service won't be the only security layer on your system/network. So if a site slips through, you should have a backup anyway. So a short answer to your question if the Threat Intelligence Feeds are good enough: In my opinion they are good enough and also aren't outdated as you stated earlier. It catches many malicious and phising sites that are only a few days old with it's Threat Intelligence Feeds. I did some testing in the past and was always quite satisfied with the results.

You can also check out this video:

Thanks for the prompt reply. I didn't exactly say that their whole threat intelligence feeds were outdated. But yeah, 17 of them is definitely outdated and like months old. I had personally checked them. You can too, the list of the outdated ones is mentioned in my github post.
Also according to Paolo Alto networks latest post, their stats say that an inactive domain becoming malicious after quite some time is lot more likely than newly registered domains being malicious.
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,453
Also according to Paolo Alto networks latest post, their stats say that an inactive domain becoming malicious after quite some time is lot more likely than newly registered domains being malicious.
Good to know, but that doesn't change the fact that the blocking of newly registered domains can increase the protection quite a bit.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,670
Good to know, but that doesn't change the fact that the blocking of newly registered domains can increase the protection quite a bit.
It can also generate false positives and complaints among the residents if you are filtering for a whole network. Lots of legit advertising links end up being from new domains. So it depends on how much managing you want to do. When I attempted filtering ads and such on the whole network it resulted in many submissions to my "complaint inbox", also known as "hey husband, WTF did you break!!?".
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top