Advice Request CleanBrowsing DNS vs NextDNS vs ControlD DNS

[blackice]

Has anyone queried it with Quad9 as to why things are slower?

They operate solely on donations. Most of which are infrastructure. Since they are a not for profit they don’t have the capital to offer as many nodes closer to users. Honestly ping times are largely meaningless (within reason) as most browsing is done off of cache. Sometimes the faster ping server will give you an IP for a server in the wrong country. A lot of the perceived slowness is poor routing due to lack of geolocation and being routed to servers that aren’t optimal for your location. Quad9 has this problem sometimes, but so does Cloudflare. NextDNS is a bit better about it, but they still give me strange locations sometimes.

 

[SohanRay]

Has anyone queried it with Quad9 as to why things are slower?

Actually I did. Here's their Answer:

The primary reason that Quad9 is lower on DNS performance charts, like dnsperf.com, is because we depend on peering at internet exchanges to route end users to the closest-possible location. Many of our locations do not have "transit". You can think of transit as telling the whole internet that Quad9 is at a certain location; while peering at internet exchanges is telling only the local networks that Quad9 is at that location. As a result, if an ISP is not available at a local internet exchanges, or refuses to peer with us, the users on that network will be routed to the closest-possible location with transit, which is not always so close.

As Quad9 is a nonprofit that depends solely on donations and sponsors, transit is unfortunately the most-difficult resource to receive from a sponsor, as it's typically more expensive than data center space, power, and hardware.

We're constantly trying to increase our peering arrangements so we can get as much local traffic to the local locations as possible. At this very moment, we're conducting a peering audit so we can enable dozens more peers at internet exchanges around the world.

 

[superleeds27]

Still might give Cleanbrowsing a try, or at least add it to the DNS Benchmark if it's not already in there.

Looks like they have 3 locations in the UK - CleanBrowsing Network Status

 

[SohanRay]

If you are aware how the AI in Nextdns works. Do you think the AI makes a difference when the Block Newly Registered Domains feature is ON?

 

[blackice]

If you are aware how the AI in Nextdns works. Do you think the AI makes a difference when the Block Newly Registered Domains feature is ON?

It might make a difference if a formerly good site goes rogue, but who's to really know. We don't have any real way to test.

 

[SohanRay]

It might make a difference if a formerly good site goes rogue, but who's to really know. We don't have any real way to test.

So in such a case how will the AI help?

 

[blackice]

So in such a case how will the AI help?

That's a question for the AI authors.

 

[Kongo]

It might make a difference if a formerly good site goes rogue, but who's to really know. We don't have any real way to test.

But that would mean that the AI needs to check the site on every access in order to recognize a malicious change in its code. I doubt that a site is rated multiple times by the AI to be honest.

 

[blackice]

But that would mean that the AI needs to check the site on every access in order to recognize a malicious change in its code. I doubt that a site is rated multiple times by the AI to be honest.

Or it could look at trends, who knows. I don't claim to know how it works, and I definitely wouldn't rely on it as anything more than an add on. I was just saying that we don't know anything about what it actually does, so we can't really qualify it one way or the other.

 

[Kongo]

Or it could look at trends, who knows. I don't claim to know how it works, and I definitely wouldn't rely on it as anything more than an add on. I was just saying that we don't know anything about what it actually does, so we can't really qualify it one way or the other.

Asking the devs wouldn't bring any valuable answers I guess.

 

[blackice]

Asking the devs wouldn't bring any valuable answers I guess.

It sounds like it has borne no fruit. NextDNS is one I'm keeping an eye on for when the kids get older if I need some extra filtering. For now I'm happy with my setup.

 

[SohanRay]

Asking the devs wouldn't bring any valuable answers I guess.

I believe I can shed some light on this. The AI just like the NRD system, discovers new domains and flags them automatically if it finds it malicious. Then this list of malicious domains is blocked whenever a user tries to access it. I think it also scans for other malicious domains other than the new ones, but not sure about that. But the old malicious domains should be either taken down or added by the threat intelligence feeds I suppose.

 

[Kongo]

NextDNS doesn't seem to like its competition

 

[SohanRay]

NextDNS doesn't seem to like its competition

View attachment 265408

Weird Indeed.

 

[Trooper]

NextDNS doesn't seem to like its competition

View attachment 265408

uBO blocked it for me first. Then when I went past that NextDNS blocked that site for me as well lol.

 

[flaubert1971]

I have been using computers for many years and I have never relied on dns other than those provided by my network provider. I have never caught a virus in all this time. Now, intrigued by so much talk about nextdns, I wanted to try it on my pc with windows 10 and no sw av installed. Well, I ran dnsbench and found that there are 29 faster dns providers than nextdns. Most importantly, I ran several speed tests and found a slight drop in download speed and a drastic drop in upload speed. So I decided to do without nextdns. I have a 1Gb / s fiber and I prefer not to sacrifice speed to the (presumed) security offered by different dns.

 

[blackice]

I have been using computers for many years and I have never relied on dns other than those provided by my network provider. I have never caught a virus in all this time. Now, intrigued by so much talk about nextdns, I wanted to try it on my pc with windows 10 and no sw av installed. Well, I ran dnsbench and found that there are 29 faster dns providers than nextdns. Most importantly, I ran several speed tests and found a slight drop in download speed and a drastic drop in upload speed. So I decided to do without nextdns. I have a 1Gb / s fiber and I prefer not to sacrifice speed to the (presumed) security offered by different dns.

It is good to keep in mind that as long as the ping is under 100ms you aren't going to notice a huge difference in DNS providers, especially with caching of frequent sites. A much more important thing to look at is where are the DNS servers you're being sent to and what CDNs are they pointing you to. Some larger ISPs even host content for streaming and large sites on their edge servers closer to customers, but you only get pointed to these IPs for sites if you are using their DNS service. DNSBench is largely worthless.

 

[Nightwalker]

They operate solely on donations. Most of which are infrastructure. Since they are a not for profit they don’t have the capital to offer as many nodes closer to users. Honestly ping times are largely meaningless (within reason) as most browsing is done off of cache. Sometimes the faster ping server will give you an IP for a server in the wrong country. A lot of the perceived slowness is poor routing due to lack of geolocation and being routed to servers that aren’t optimal for your location. Quad9 has this problem sometimes, but so does Cloudflare. NextDNS is a bit better about it, but they still give me strange locations sometimes.

This should not happen very often because NextDNS uses Anycast.

What is Anycast and Ultralow?

Our network spans many locations worldwide, striving to have a presence in the main city of most countries or states. In each location, we always select two different providers with distinct network…

help.nextdns.io

 

[blackice]

This should not happen very often because NextDNS uses Anycast.

What is Anycast and Ultralow?

Our network spans many locations worldwide, striving to have a presence in the main city of most countries or states. In each location, we always select two different providers with distinct network…

help.nextdns.io

They also use anonymized EDNS Client Subnet optionally (though I haven't seen a lot of benefit from it). Almost all DNS are anycast these days. It does not prevent the issue I have mentioned. Using Cloudflare and Quad9 I get routed across the country in spite of Anycast. NextDNS has a very close server to me, so it is more reliable for this. However sometimes my ISP routes me to a different server. In the case of Quad9 there are closer datacenters to me, but my ISP routes me to a much farther location. It doesn't make a huge difference other than slightly slower buffering on video. DNS is a bit more complicated than ping and anycast. For most people the difference is negligible, however there are cases where suboptimal routing happens.

Edit: A good example of this is ControlD. Their answer to 'speed' is "we use anycast!", but I continually get very slow routing when using ControlD.

 

[Brahman]

They also use anonymized EDNS Client Subnet optionally (though I haven't seen a lot of benefit from it). Almost all DNS are anycast these days. It does not prevent the issue I have mentioned. Using Cloudflare and Quad9 I get routed across the country in spite of Anycast. NextDNS has a very close server to me, so it is more reliable for this. However sometimes my ISP routes me to a different server. In the case of Quad9 there are closer datacenters to me, but my ISP routes me to a much farther location. It doesn't make a huge difference other than slightly slower buffering on video. DNS is a bit more complicated than ping and anycast. For most people the difference is negligible, however there are cases where suboptimal routing happens.

Edit: A good example of this is ControlD. Their answer to 'speed' is "we use anycast!", but I continually get very slow routing when using ControlD.

If you use tls/quic protocol with nextdns it will not be using anycast and its always the closest dns server gets used.
With TLS......

"status": "ok",
"protocol": "DOT",
"profile": "................................",
"client": "......................",
"srcIP": ".....................",
"destIP": "........................",
"anycast": false,
"server": "anexia-maa-1",
"clientName": "unknown-dot",
"deviceName": "AdguardTLS",
"deviceID": ".............."

With DOH......

"status": "ok",
"protocol": "DOH",
"profile": "..................",
"client": "....................",
"srcIP": "........................",
"destIP": ".....................",
"anycast": true,
"server": "vultr-tyo-1",
"clientName": "unknown-doh",
"deviceName": "Adguard",
"deviceID": "..............."