Serious Discussion: Cloudflare Gateway Free Plan

Just simplified my policies: block third-party DNS and remote access tools. Using regex-based adblocking (based on the most prevalent keywords and patterns in the Hagezi Pro++) instead of blocklists (in my own experience, blocklists made my browsing slow; my ms were in the hundreds). Most domains in the Hagezi Pro++ are already blocked by Cloudflare, especially in the security categories, and can also be blocked via TLDs.
 
As others have said, NextDNS does this for free, and you get the benefit of simple switches to subscribe to hundreds of thousands of rules that are being maintained by others, AI-driven threat detection, newly registered domains and third-party tracker uncloaking. All of these things you now have to do and maintain manually? That is too much work.
 
As others have said, NextDNS does this for free, and you get the benefit of simple switches to subscribe to hundreds of thousands of rules that are being maintained by others, AI-driven threat detection, newly registered domains and third-party tracker uncloaking. All of these things you now have to do and maintain manually? That is too much work.
NextDNS doesn't offer half of what you get with Cloudflare, and for free. Besides, they limit free accounts to 300,000 queries per month, which simply isn't enough for those that use the internet A LOT.

Cloudflare Zero Trust does need one-time configuration with GitHub (to update blocklists), but once you do it, there's no need for additional configuration ever again.
 
As others have said, NextDNS does this for free, and you get the benefit of simple switches to subscribe to hundreds of thousands of rules that are being maintained by others, AI-driven threat detection, newly registered domains and third-party tracker uncloaking. All of these things you now have to do and maintain manually? That is too much work.
Don't forget that blocklists from NextDNS are cached, unlike the lists in Gateway, at least in my own experience.

 
As others have said, NextDNS does this for free, and you get the benefit of simple switches to subscribe to hundreds of thousands of rules that are being maintained by others, AI-driven threat detection, newly registered domains and third-party tracker uncloaking. All of these things you now have to do and maintain manually? That is too much work.
As mentioned by @Marko :) all the configuration has to be done just once similar to NextDNS or such other alternatives. However, the work required for that one-time configuration is definitely higher.
The latency difference between vanilla Cloudflare and Cloudflare Zero Trust is not significant for me.
With vanilla Cloudflare, the query results that are cached on Cloudflare's server are between 5-14 ms for me. With Zero-Trust, those cached queries are within 12-20 ms on average. So, it adds minor latency for me.
Besides, I'm using Technitium DNS Server with its prefetch feature, stale records and more. So, most queries are basically 0-1 ms for me on the PC.
NextDNS doesn't have servers near me. The lowest latency for cached queries with it is 50 ms, which is not bad but still 2-3 times slower than my Cloudflare Zero-Trust.
BTW, in the screenshot, UDP doesn't mean I'm using plain DNS. It's DoH.
 
Every DNS server that filters content is slower than one that doesn't, because after checking the filtering rules it has to look up the corresponding IP address of the server. You can minimize this by caching all the queries for a longer period of time through third-party DNS clients that support such features. But at least on my connection, the slowdown isn't significant at all, and websites load faster than with ControlD with the same HaGeZi Pro++ list.
 
That is a lot of configuring and assuming uptime is near perfect among all parties. The learning curve is significant for regular consumers and while I understand your setup and will most likely implement it myself, I don't see that there will be a lot of buy in outside of MT-type folk lol.

I just recently reconfigured NextDNS by finding the fastest DNS servers near me, peering-wise to my ISP, using AI, and then a way to always use DNS over HTTP/3. But I'm willing to explore this alternative as well.
 
Free legacy plan with no credit card info provided.

I checked these sites:
They are not readable, so that answer is not much of a help. Can't you simply post which domain you tested? e.g. domain example.com gets blocked by resolved country location US, or something similar?
 
That is a lot of configuring and assuming uptime is near perfect among all parties.
For the DNS, there is just one party, which is Cloudflare. Not many things on the internet are more uptime-friendly than Cloudflare. Additionally, Cloudflare Zero Trust is an enterprise product, so reliability is a priority for them.
Using something like GitHub Actions to update adblock filters adds one more party. However, GitHub Actions is also reliable, used by hundreds of companies and millions of developers every day, so uptime is not an issue. Though there is one more avenue to automate the filter updating process using Cloudflare, I haven't looked into it properly yet.
The learning curve is significant for regular consumers and while I understand your setup and will most likely implement it myself, I don't see that there will be a lot of buy in outside of MT-type folk lol.
Regular consumers don't even know what DNS is. So even NextDNS is a foreign concept to them. Any kind of custom DNS is for geeks like us.
I just recently reconfigured NextDNS by finding the fastest DNS servers near me, peering-wise to my ISP, using AI, and then a way to always use DNS over HTTP/3. But I'm willing to explore this alternative as well.
By default, NextDNS also doesn't connect me to the nearest server distance/ISP-routing-wise. But there are NextDNS sites to find the IP and encrypted DNS addresses of their servers, which I assume AI chats have informed you about, or something similar. NextDNS is great. Barely maintained, but it's reliable.
You may play around with Cloudflare Gateway to learn and experiment.
They are not readable, so that answer is not much of a help. Can't you simply post which domain you tested? e.g. domain example.com gets blocked by resolved country location US, or something similar?
You mean the attached image in that comment is not readable? I just checked again and it's clearly readable. There are like 10 website names in the image. Just zoom in.
 
By the way, I noticed that blocking Google DNS affects YouTube videos; I got "This video is not available/restricted" for many videos. I have a policy for YouTube restricted mode, but I confirmed the policy was not the cause of the issue. YouTube shows this video is not available, retries it a few times, and the video plays. You can see the URL in the address bar; at the end of the URL, index=(number here), the number changes a few times. Unblocking Google DNS solved the issue.
Finally found the cause of the issue: You need to allow youtube.com and googlevideo.com if you have a YouTube restricted mode policy. YouTube also works well now with Google DNS blocked.
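Added example by the editor, not code from any post in this thread: a small Python model of how an ordered set of Gateway DNS policies of the kind described above (regex adblock, block third-party DNS, block remote access tools, an allow for youtube.com/googlevideo.com) resolves a query, together with a check for regex false positives that is worth running before saving a keyword-style regex policy. The regexes, domain sets and "known good" names are constructed for the example and are not taken from the Hagezi list; the first-match-wins ordering mirrors how Gateway evaluates DNS policies top-down, which is why the allow sits above every block.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Keyword-style regexes in the spirit of the OP's approach (constructed for this
# example, not taken from the Hagezi list). They are anchored to a label boundary
# with (^|\.) so "leads.example.com" is not caught by the "ads" keyword, and they
# use only RE2-compatible syntax (no lookaround), which is what Gateway accepts.
AD_PATTERNS = [
    r"(^|\.)(ads?|adserver|adservice|advert[a-z]*)\.",
    r"(^|\.)(track(ing|er)?|telemetry|metrics|analytics|beacon)\.",
    r"(^|\.)(doubleclick|adnxs|criteo|taboola|outbrain)\.",
    r"(^|\.)(redirect[a-z]*|click[a-z]*)\.",   # deliberately broad, see the check below
]
THIRD_PARTY_DNS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}
REMOTE_ACCESS = {"anydesk.com", "teamviewer.com", "rustdesk.com"}
YOUTUBE_PLAYBACK = {"youtube.com", "googlevideo.com"}


@dataclass
class Policy:
    name: str
    action: str                     # "allow" or "block"
    matches: Callable[[str], bool]


def domain_in(suffixes: set[str]) -> Callable[[str], bool]:
    """Match the domain itself or any subdomain of it (Gateway's Domain selector semantics)."""
    def pred(q: str) -> bool:
        labels = q.split(".")
        return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))
    return pred


def domain_matches_any(patterns: list[str]) -> Callable[[str], bool]:
    compiled = [re.compile(p) for p in patterns]
    return lambda q: any(rx.search(q) for rx in compiled)


# Order matters: Gateway evaluates DNS policies top-down and the first match wins,
# so the allow for YouTube/googlevideo sits above every block.
POLICIES = [
    Policy("Allow YouTube playback", "allow", domain_in(YOUTUBE_PLAYBACK)),
    Policy("Block third-party DNS", "block", domain_in(THIRD_PARTY_DNS)),
    Policy("Block remote access tools", "block", domain_in(REMOTE_ACCESS)),
    Policy("Regex adblock", "block", domain_matches_any(AD_PATTERNS)),
]


def evaluate(query: str, policies: list[Policy] = POLICIES) -> tuple[str, str]:
    """Return (action, policy name) for a queried name; no match falls through to allow."""
    q = query.rstrip(".").lower()
    for p in policies:
        if p.matches(q):
            return p.action, p.name
    return "allow", "default"


def regex_false_positives(patterns: list[str], known_good: list[str]) -> dict[str, list[str]]:
    """Which patterns would block names you need reachable? Run this before saving a regex policy."""
    hits = {}
    for p in patterns:
        rx = re.compile(p)
        caught = [d for d in known_good if rx.search(d)]
        if caught:
            hits[p] = caught
    return hits


# Constructed sample of names you want to keep reachable.
KNOWN_GOOD = ["www.spiegel.de", "leads.example.com", "login.microsoftonline.com",
              "redirector.googlevideo.com"]

if __name__ == "__main__":
    for name in ["dns.google", "rr1---sn-abc.googlevideo.com", "stats.g.doubleclick.net",
                 "leads.example.com", "redirector.googlevideo.com"]:
        print(f"{name:32} -> {evaluate(name)}")
    print("regex false positives:", regex_false_positives(AD_PATTERNS, KNOWN_GOOD))
    # Same query with the allow policy removed: the broad keyword regex now wins.
    print("without allow:", evaluate("redirector.googlevideo.com", POLICIES[1:]))
```

The last line of the script is the point of the allow policy: drop it and a broad keyword regex takes a video CDN host with it, which is the kind of breakage the YouTube posts above describe. Keep a list of names you rely on and run the false-positive check every time the regex set changes.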
 
Just simplified my policies: block third-party DNS and remote access tools. Using regex-based adblocking (based on the most prevalent keywords and patterns in the Hagezi Pro++) instead of blocklists (in my own experience, blocklists made my browsing slow; my ms were in the hundreds). Most domains in the Hagezi Pro++ are already blocked by Cloudflare, especially in the security categories, and can also be blocked via TLDs.

With your DNS configuration, many websites may break.
Some legitimate websites use support domains such as frames, js, and XHR.
I prefer to have this control, if necessary, in my uBo/AG + uBoL.

Anyway, congratulations.
 
@SeriousHoax and @Andy Ful it works now. I have no idea what I did differently.

As posted, I was 100% convinced I did exactly the same, but the results prove otherwise.

I must have accidentally enabled an option which caused improper policy configuration.

I repeated the policy (adding only Germany for testing purposes, because I know for sure Der Spiegel is hosted in Germany) and I got my personalized block page, with an extra line identifying the geo-block policy, when surfing to https://www.spiegel.de/.
 
@SpiderWeb My wrap-up of NextDNS (which I use in the router) versus Cloudflare (which I use in the browser) is:

Benefits of NextDNS (free with account) over Cloudflare (free with ZT)
1. NextDNS is (much) easier to configure.
2. NextDNS has many built-in blocklists (not only ad and tracking blocklists, but also telemetry blocking of IoT devices).
3. Excellent reporting (e.g. add an exception from the blocked logs).
4. Optional privacy benefit of hosting the logs in Switzerland.

Downsides of NextDNS
1. Has a limitation of 300,000 queries (only a disadvantage when you exceed that number).
2. Has an awkward default setting (you need to enable "allow affiliate and tracking links" when you enable blocklists; NextDNS hides your IP when it resolves those links).
3. Small company, little to no development, still lists some old unmaintained blocklists; DNS0.eu has been replaced by DNS4.eu (loss of an income source for NextDNS).

Benefits of Cloudflare over NextDNS
1. Has (much) more options to fine-tune firewall policies.
2. Has no limitation on the number of queries.
3. One of the fastest and largest DNS server networks.
4. Optional privacy benefit when you use WARP on your device with IP masking.

Downsides of Cloudflare
1. Needs GitHub automation to add third-party blocklists (although forking and enabling existing automations is an easy one-time setup).
2. Has a limitation of 300,000 block rules for third-party blocklists (only a disadvantage when you exceed that number).
3. The free plan offers very limited (minimal time range) reporting of logs.

Benefits 1 and 2 of Cloudflare ZT are the reason I prefer ZT in the browser.
Benefits 2 and 3 of NextDNS are the reason I prefer NextDNS in the router.
We use Quad9 as the OS DNS on our phones and laptops, because it offers good malware protection, is privacy friendly, set and forget, and 100% problem free.
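Added example by the editor, not from any post here and not from the GitHub automations the thread refers to: the part of a blocklist sync job that is easy to get wrong, turning a third-party list (hosts, adblock `||domain^` or plain-domain syntax) into Gateway list request bodies. The 1,000-entries-per-list limit, the `{"name", "type": "DOMAIN", "items": [...]}` body shape and the assumption that Gateway's Domain selector matches subdomains of a list entry are my understanding of the product and are marked as assumptions in the code; the sample list is constructed and nothing is sent to Cloudflare.

```python
import re
from typing import Iterable, Optional

# Gateway list limit as I understand it (assumption; check the current Zero Trust docs
# for your plan): each list holds at most 1,000 entries, so a large blocklist has to be
# split across many lists that one policy then references.
LIST_MAX_ITEMS = 1000

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z0-9-]{2,63}$")
HOSTS_SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
HOSTS_NOISE = {"localhost", "localhost.localdomain", "broadcasthost", "local"}


def parse_entry(line: str) -> Optional[str]:
    """Normalise one line of hosts, adblock (||domain^) or plain-domain syntax to a bare
    domain. Comments, exceptions (@@), rules with modifiers ($...), cosmetic rules (##)
    and bare IPs return None instead of leaking into the DNS list."""
    raw = line.strip()
    if "##" in raw or "#@#" in raw or "#?#" in raw:          # cosmetic/element rules
        return None
    line = raw.split("#", 1)[0].strip().lower()
    if not line or line.startswith("!"):
        return None
    if line.startswith("||") and line.endswith("^"):          # adblock syntax
        line = line[2:-1]
    else:
        parts = line.split()
        if len(parts) == 2 and parts[0] in HOSTS_SINKS:       # hosts syntax
            line = parts[1]
        elif len(parts) != 1:
            return None
    if line in HOSTS_NOISE or line.replace(".", "").isdigit():
        return None
    return line if DOMAIN_RE.match(line) else None


def collapse_subdomains(domains: set[str]) -> set[str]:
    """Drop entries whose parent is already listed. Assumes Gateway's Domain selector
    matches subdomains of a list entry (my understanding; verify on your own account)."""
    keep: set[str] = set()
    for d in sorted(domains, key=lambda s: s.count(".")):    # parents before children
        labels = d.split(".")
        if not any(".".join(labels[i:]) in keep for i in range(1, len(labels))):
            keep.add(d)
    return keep


def build_gateway_lists(lines: Iterable[str], name_prefix: str, *, collapse: bool = True,
                        max_items: int = LIST_MAX_ITEMS) -> list[dict]:
    """Turn raw blocklist lines into one Gateway list body per chunk. The body shape is my
    reading of the lists API (assumption); nothing is sent, the caller decides whether to
    create new lists or replace the items of existing ones."""
    domains = {d for d in map(parse_entry, lines) if d}
    if collapse:
        domains = collapse_subdomains(domains)
    ordered = sorted(domains)
    return [
        {
            "name": f"{name_prefix}-{i // max_items + 1:03d}",
            "type": "DOMAIN",
            "items": [{"value": d} for d in ordered[i:i + max_items]],
        }
        for i in range(0, len(ordered), max_items)
    ]


# Constructed sample mixing the three syntaxes; not a real blocklist.
SAMPLE_LIST = """\
# hosts-style comment
! adblock-style comment
||ads.example.net^
||tracker.example.net^
||sub.tracker.example.net^
0.0.0.0 telemetry.example.org
127.0.0.1 localhost
0.0.0.0 0.0.0.0
metrics.example.com  # trailing comment
@@||allowed.example.com^
||cosmetic.example.com^$important
plain-domain.example
""".splitlines()

if __name__ == "__main__":
    for body in build_gateway_lists(SAMPLE_LIST, "hagezi-pro", max_items=2):
        print(body["name"], [i["value"] for i in body["items"]])
```

Two things this does that a naive `split("\n")` sync does not: it refuses entries that are not DNS-shaped (an `@@` exception or a `$important` rule would otherwise become a block), and it collapses `sub.tracker.example.net` into `tracker.example.net`, which is what keeps a large list under the rule budget mentioned above. Count the entries after collapsing before you decide how many lists to create.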
 
Does NextDNS block DGA domains?
They do,
but I'm not seeing any source for a DGA blocking database in their GitHub. If a source is not public, then they say that the database is internalized, but in the case of DGA I see no mention of it, which is odd.
 
They have an option for DNS rebinding protection, which fails to pass the test by ControlD, while using the Hagezi DNS rebinding list (using an AG account) successfully passes.
I have concerns regarding some of their native lists' sources.
Yeah, I saw that post of yours. I cannot say with certainty the reason behind it, since ControlD has their own domain for testing DNS rebinding. But it is true that NextDNS is hardly maintained nowadays. For example, their DNS bypass method filter, which is supposed to block VPNs, proxies, DoH, etc., hasn't been updated in 3 years. If they don't have the time to maintain it, they could easily switch to using Hagezi's DoH/VPN/TOR/Proxy Bypass filter, which is what AdGuard DNS does, but for whatever reason they won't.
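Added example by the editor, not from NextDNS, ControlD or any post in this thread: what DNS rebinding protection has to decide, written as a resolver-side check in Python with constructed test vectors modelled on the kind of checks a rebinding test page performs. Internal zones such as home.arpa are the usual legitimate exception and are passed in as an allowlist; the names and addresses are made up for the example.

```python
import ipaddress
from ipaddress import IPv6Address


def _is_non_global(addr: str) -> bool:
    """True for addresses a public name should never resolve to: RFC 1918 and the other
    private ranges, loopback, link-local, unspecified (0.0.0.0 / ::), shared CGNAT space,
    and the IPv4-mapped IPv6 forms of the same (unwrapped first, so ::ffff:1.1.1.1 passes).
    Caveat: Python also files the TEST-NET documentation ranges under non-global."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def is_rebinding_answer(qname: str, answers: list[str],
                        allow_suffixes: tuple[str, ...] = ()) -> bool:
    """Rebinding signature: a name outside your internal zones resolves to a non-global
    address. One bad record in a mixed answer set is enough; the attacker controls the
    order and can flip between the public and the private address between queries."""
    q = qname.rstrip(".").lower()
    if any(q == s or q.endswith("." + s) for s in allow_suffixes):
        return False                      # internal zone, private answers are expected
    return any(_is_non_global(a) for a in answers)


def filter_answers(qname: str, answers: list[str],
                   allow_suffixes: tuple[str, ...] = ()) -> list[str]:
    """What a protecting resolver hands back: the whole answer set, or nothing (a blocked
    response), never a partially cleaned set the attacker could still steer."""
    return [] if is_rebinding_answer(qname, answers, allow_suffixes) else list(answers)


# Constructed test vectors: (queried name, answer records, expected "rebinding" verdict).
VECTORS = [
    ("attacker.example", ["192.168.1.1"], True),
    ("attacker.example", ["0.0.0.0"], True),
    ("attacker.example", ["::ffff:10.0.0.1"], True),
    ("attacker.example", ["1.1.1.1", "127.0.0.1"], True),
    ("attacker.example", ["::ffff:1.1.1.1"], False),
    ("www.example.com", ["1.1.1.1"], False),
    ("nas.home.arpa", ["192.168.1.20"], False),
]
INTERNAL_ZONES = ("home.arpa",)


def run_vectors() -> list[tuple[str, bool, bool]]:
    """(name, expected, observed) for every vector; a mismatch means the check regressed."""
    return [(q, exp, is_rebinding_answer(q, a, INTERNAL_ZONES)) for q, a, exp in VECTORS]


if __name__ == "__main__":
    for q, exp, got in run_vectors():
        print(f"{'OK ' if exp == got else 'BAD'} {q:20} rebinding={got}")
```

The cases worth keeping in a test set are the ones resolvers most often miss: 0.0.0.0, IPv4-mapped IPv6 answers, and a mixed answer that pairs a public address with a private one. A resolver that only strips RFC 1918 A records from an otherwise public answer passes the easy case and fails the rest.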
 
Currently, I am testing Gateway with WARP as an anti-malware firewall.
I leverage the fact that configuring DoH in the web browser bypasses Zero Trust. So, I can block many things via Zero Trust without affecting web browsing.
Yes, the priority sequence is
1. DoH in the browser (overrules OS settings)
2. DNS of the OS (overrules router settings)
3. DNS in the router

As posted, I use these three levels to
1. Limit smart home (IoT) devices (which have a bad reputation in regard to updating and patching firmware for vulnerabilities) to a few TLDs with NextDNS
2. Use a reputable zero-config DNS at OS level (I chose Quad9, but any other free DNS like DNS4.eu or ControlD Free would do the job also)
3. Use the granular control of Cloudflare Zero Trust in the browser (with some mild adblocking using OISD small, sanitized for top-N domains)

But like @Andy Ful and @TairikuOkami do, you could also use DNS policies as attack surface reduction for malware using only one DNS service (there are always more roads leading to Rome :-) ); that requires a little more fine-tuning,