Advice Request CleanBrowsing DNS vs NextDNS vs ControlD DNS

Please provide comments and solutions that are helpful to the author of this topic.

CleanBrowsing DNS vs NextDNS vs ControlD DNS

  • CleanBrowsing DNS

    Votes: 0 0.0%
  • NextDNS

    Votes: 9 45.0%
  • ControlD DNS

    Votes: 2 10.0%
  • Other

    Votes: 9 45.0%

  • Total voters
    20

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
Has anyone queried it with Quad9 as to why things are slower?
They operate solely on donations. Most of which are infrastructure. Since they are a not for profit they don’t have the capital to offer as many nodes closer to users. Honestly ping times are largely meaningless (within reason) as most browsing is done off of cache. Sometimes the faster ping server will give you an IP for a server in the wrong country. A lot of the perceived slowness is poor routing due to lack of geolocation and being routed to servers that aren’t optimal for your location. Quad9 has this problem sometimes, but so does Cloudflare. NextDNS is a bit better about it, but they still give me strange locations sometimes.
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
Has anyone queried it with Quad9 as to why things are slower?
Actually I did. Here's their Answer:

The primary reason that Quad9 is lower on DNS performance charts, like dnsperf.com, is because we depend on peering at internet exchanges to route end users to the closest-possible location. Many of our locations do not have "transit". You can think of transit as telling the whole internet that Quad9 is at a certain location; while peering at internet exchanges is telling only the local networks that Quad9 is at that location. As a result, if an ISP is not available at a local internet exchanges, or refuses to peer with us, the users on that network will be routed to the closest-possible location with transit, which is not always so close.

As Quad9 is a nonprofit that depends solely on donations and sponsors, transit is unfortunately the most-difficult resource to receive from a sponsor, as it's typically more expensive than data center space, power, and hardware.

We're constantly trying to increase our peering arrangements so we can get as much local traffic to the local locations as possible. At this very moment, we're conducting a peering audit so we can enable dozens more peers at internet exchanges around the world.
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
If you are aware how the AI in Nextdns works. Do you think the AI makes a difference when the Block Newly Registered Domains feature is ON?
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,595
It might make a difference if a formerly good site goes rogue, but who's to really know. We don't have any real way to test.
But that would mean that the AI needs to check the site on every access in order to recognize a malicious change in its code. I doubt that a site is rated multiple times by the AI to be honest.
 
  • Like
Reactions: Nevi and SohanRay

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
But that would mean that the AI needs to check the site on every access in order to recognize a malicious change in its code. I doubt that a site is rated multiple times by the AI to be honest.
Or it could look at trends, who knows. I don't claim to know how it works, and I definitely wouldn't rely on it as anything more than an add on. I was just saying that we don't know anything about what it actually does, so we can't really qualify it one way or the other.
 
  • Like
Reactions: Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,595
Or it could look at trends, who knows. I don't claim to know how it works, and I definitely wouldn't rely on it as anything more than an add on. I was just saying that we don't know anything about what it actually does, so we can't really qualify it one way or the other.
Asking the devs wouldn't bring any valuable answers I guess. 😌
 
  • Like
Reactions: SohanRay

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
Asking the devs wouldn't bring any valuable answers I guess. 😌
It sounds like it has borne no fruit. NextDNS is one I'm keeping an eye on for when the kids get older if I need some extra filtering. For now I'm happy with my setup.
 
  • Like
Reactions: Kongo

SohanRay

Level 5
Thread author
Mar 19, 2022
246
Asking the devs wouldn't bring any valuable answers I guess. 😌
I believe I can shed some light on this. The AI just like the NRD system, discovers new domains and flags them automatically if it finds it malicious. Then this list of malicious domains is blocked whenever a user tries to access it. I think it also scans for other malicious domains other than the new ones, but not sure about that. But the old malicious domains should be either taken down or added by the threat intelligence feeds I suppose.
 
  • Thanks
  • Like
Reactions: blackice and Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,595
NextDNS doesn't seem to like its competition 😄

Screenshot 2022-04-03 012503.png
 

flaubert1971

Level 2
Oct 14, 2019
71
I have been using computers for many years and I have never relied on dns other than those provided by my network provider. I have never caught a virus in all this time. Now, intrigued by so much talk about nextdns, I wanted to try it on my pc with windows 10 and no sw av installed. Well, I ran dnsbench and found that there are 29 faster dns providers than nextdns. Most importantly, I ran several speed tests and found a slight drop in download speed and a drastic drop in upload speed. So I decided to do without nextdns. I have a 1Gb / s fiber and I prefer not to sacrifice speed to the (presumed) security offered by different dns.
 
  • Like
Reactions: SohanRay

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
I have been using computers for many years and I have never relied on dns other than those provided by my network provider. I have never caught a virus in all this time. Now, intrigued by so much talk about nextdns, I wanted to try it on my pc with windows 10 and no sw av installed. Well, I ran dnsbench and found that there are 29 faster dns providers than nextdns. Most importantly, I ran several speed tests and found a slight drop in download speed and a drastic drop in upload speed. So I decided to do without nextdns. I have a 1Gb / s fiber and I prefer not to sacrifice speed to the (presumed) security offered by different dns.
It is good to keep in mind that as long as the ping is under 100ms you aren't going to notice a huge difference in DNS providers, especially with caching of frequent sites. A much more important thing to look at is where are the DNS servers you're being sent to and what CDNs are they pointing you to. Some larger ISPs even host content for streaming and large sites on their edge servers closer to customers, but you only get pointed to these IPs for sites if you are using their DNS service. DNSBench is largely worthless.
 
  • Like
Reactions: flaubert1971

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
They operate solely on donations. Most of which are infrastructure. Since they are a not for profit they don’t have the capital to offer as many nodes closer to users. Honestly ping times are largely meaningless (within reason) as most browsing is done off of cache. Sometimes the faster ping server will give you an IP for a server in the wrong country. A lot of the perceived slowness is poor routing due to lack of geolocation and being routed to servers that aren’t optimal for your location. Quad9 has this problem sometimes, but so does Cloudflare. NextDNS is a bit better about it, but they still give me strange locations sometimes.

This should not happen very often because NextDNS uses Anycast.

 
  • Like
Reactions: flaubert1971

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
This should not happen very often because NextDNS uses Anycast.

They also use anonymized EDNS Client Subnet optionally (though I haven't seen a lot of benefit from it). Almost all DNS are anycast these days. It does not prevent the issue I have mentioned. Using Cloudflare and Quad9 I get routed across the country in spite of Anycast. NextDNS has a very close server to me, so it is more reliable for this. However sometimes my ISP routes me to a different server. In the case of Quad9 there are closer datacenters to me, but my ISP routes me to a much farther location. It doesn't make a huge difference other than slightly slower buffering on video. DNS is a bit more complicated than ping and anycast. For most people the difference is negligible, however there are cases where suboptimal routing happens.

Edit: A good example of this is ControlD. Their answer to 'speed' is "we use anycast!", but I continually get very slow routing when using ControlD.
 

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
890
They also use anonymized EDNS Client Subnet optionally (though I haven't seen a lot of benefit from it). Almost all DNS are anycast these days. It does not prevent the issue I have mentioned. Using Cloudflare and Quad9 I get routed across the country in spite of Anycast. NextDNS has a very close server to me, so it is more reliable for this. However sometimes my ISP routes me to a different server. In the case of Quad9 there are closer datacenters to me, but my ISP routes me to a much farther location. It doesn't make a huge difference other than slightly slower buffering on video. DNS is a bit more complicated than ping and anycast. For most people the difference is negligible, however there are cases where suboptimal routing happens.

Edit: A good example of this is ControlD. Their answer to 'speed' is "we use anycast!", but I continually get very slow routing when using ControlD.
If you use tls/quic protocol with nextdns it will not be using anycast and its always the closest dns server gets used.
With TLS......
"status": "ok",
"protocol": "DOT",
"profile": "................................",
"client": "......................",
"srcIP": ".....................",
"destIP": "........................",
"anycast": false,
"server": "anexia-maa-1",
"clientName": "unknown-dot",
"deviceName": "AdguardTLS",
"deviceID": ".............."
Untitled-1.jpg

With DOH......
"status": "ok",
"protocol": "DOH",
"profile": "..................",
"client": "....................",
"srcIP": "........................",
"destIP": ".....................",
"anycast": true,
"server": "vultr-tyo-1",
"clientName": "unknown-doh",
"deviceName": "Adguard",
"deviceID": "..............."
Untitled-2.jpg
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top