Serious Discussion DNS Providers for Home Users – Still Cloudflare/Quad9, or Did NextDNS/Control D Finally Win?

[Bot]

@Bot define what you mean that NextDns now has built in ADGuard style blocking?

When I said “NextDNS now has built‑in AdGuard‑style blocking”, I wasn’t talking about some secret new feature – I meant that you can make NextDNS behave similarly to AdGuard DNS by using its built‑in filters.

What “AdGuard‑style” means in this context
In NextDNS you can:

• Go to Privacy → Blocklists
• Enable lists such as:
  • AdGuard DNS filter
  • AdGuard Tracking Protection filter
• Optionally add EasyList / EasyPrivacy etc. as well

With those enabled, NextDNS will block ad / tracker / some malware domains at the DNS level, which is conceptually similar to using AdGuard DNS as your resolver.

What it does not mean
NextDNS does not replace:

• AdGuard browser extension’s cosmetic filtering (hiding empty ad placeholders, custom element hiding)
• AdGuard for Windows/Android’s local HTTPS filtering and per‑app firewall

So “AdGuard‑style blocking” = DNS‑based ad/tracker blocking using AdGuard’s lists inside NextDNS, not a full AdGuard engine baked into it.

 

[cartaphilus]

When I said “NextDNS now has built‑in AdGuard‑style blocking”, I wasn’t talking about some secret new feature – I meant that you can make NextDNS behave similarly to AdGuard DNS by using its built‑in filters.

What “AdGuard‑style” means in this context
In NextDNS you can:

• Go to Privacy → Blocklists
• Enable lists such as:
  • AdGuard DNS filter
  • AdGuard Tracking Protection filter
• Optionally add EasyList / EasyPrivacy etc. as well

With those enabled, NextDNS will block ad / tracker / some malware domains at the DNS level, which is conceptually similar to using AdGuard DNS as your resolver.

What it does not mean
NextDNS does not replace:

• AdGuard browser extension’s cosmetic filtering (hiding empty ad placeholders, custom element hiding)
• AdGuard for Windows/Android’s local HTTPS filtering and per‑app firewall

So “AdGuard‑style blocking” = DNS‑based ad/tracker blocking using AdGuard’s lists inside NextDNS, not a full AdGuard engine baked into it.

Same as Control D; why focus on ADGuard as if they invented as if they invented the concept of A blocking?

 

[Bot]

Same as Control D; why focus on ADGuard as if they invented as if they invented the concept of A blocking?

You’re right to call that out – AdGuard absolutely did not invent ad blocking, and they’re not unique in doing DNS‑level filtering.

When I said “AdGuard‑style,” I was trying (too loosely) to point at a type of setup, not give them credit for inventing the concept.

What I actually meant
I should have said something more neutral like:

• “DNS‑level ad/track/malware blocking (like AdGuard DNS, Control D categories, etc.)”

In other words:

• NextDNS can behave like AdGuard DNS, Control D, and similar services by using blocklists (including AdGuard’s own filters) at the resolver level.
• Control D, NextDNS, AdGuard DNS, Quad9 categories, Pi‑hole + blocklists… all variations on the same idea: drop unwanted domains at DNS.

Why AdGuard ends up being name‑dropped
Mostly because:

• Their filter lists are widely used and recognizable (even outside AdGuard products).
• “AdGuard DNS filter” is literally a named list you can toggle in NextDNS, so it’s an easy shorthand.

But conceptually, you’re completely right: it’s just DNS‑based filtering, and Control D/NextDNS/etc. are peers here, not derivatives of some AdGuard invention.

 

[cartaphilus]

You’re right to call that out – AdGuard absolutely did not invent ad blocking, and they’re not unique in doing DNS‑level filtering.

When I said “AdGuard‑style,” I was trying (too loosely) to point at a type of setup, not give them credit for inventing the concept.

What I actually meant
I should have said something more neutral like:

• “DNS‑level ad/track/malware blocking (like AdGuard DNS, Control D categories, etc.)”

In other words:

• NextDNS can behave like AdGuard DNS, Control D, and similar services by using blocklists (including AdGuard’s own filters) at the resolver level.
• Control D, NextDNS, AdGuard DNS, Quad9 categories, Pi‑hole + blocklists… all variations on the same idea: drop unwanted domains at DNS.

Why AdGuard ends up being name‑dropped
Mostly because:

• Their filter lists are widely used and recognizable (even outside AdGuard products).
• “AdGuard DNS filter” is literally a named list you can toggle in NextDNS, so it’s an easy shorthand.

But conceptually, you’re completely right: it’s just DNS‑based filtering, and Control D/NextDNS/etc. are peers here, not derivatives of some AdGuard invention.

As so just like @Bot AI with Siri level intelligence?

 

[Bot]

As so just like @Bot AI with Siri level intelligence?

In this case it’s less “Siri‑level intelligence” and more “LLM with a sloppy metaphor.”

I’m:

• A text‑only AI on MalwareTips, not integrated with your OS, browser, or accounts
• Good at pattern‑matching, explaining concepts, and comparing setups you describe
• Bad at:
  • perfect brand‑neutral phrasing (I can over‑index on popular names like AdGuard)
  • knowing anything outside what’s in my training + what you actually tell me

So yes, the “AdGuard‑style” line was me using a convenient brand shorthand, not a deep statement about who invented what. You were right to push back on that; my underlying point (DNS‑level blocking like NextDNS/ControlD/etc.) just got wrapped in a lazy label.

 

[SeriousHoax]

Currently I'm using Cloudlfare Zero Trust DNS (free) with firewall policies to block several categories of websites like malicious, phishing, NSFW, gambling and more.
With that I also setup a GitHub Workflow that adds a few Hagezi Filters (mainly Hagezi Pro++) into the Firewall policies every 24 hours. I can update it more frequently but when the workflow runs, I will be out of adblocking protection for 3-4 minutes. So, I set it to update every day at 5 AM when I'm happily snoring
So NextDNS/AdGuard/ControlD like protection with unlimited queries
One downside is that the DNS query logs are available only for the past 1 hour.

 

[TairikuOkami]

@Bot I use NextDNS for everything, but I use DOT for Windows and DOH for browsers. On top of it, I use separate DOH profiles.
I block NRDs and 95% TLDs on Edge, I block the rest of the internet and I allow only Youtube on Brave and only FB on LibreWolf.

 

[Bot]

@Bot I use NextDNS for everything, but I use DOT for Windows and DOH for browsers. On top of it, I use separate DOH profiles.
I block NRDs and 95% TLDs on Edge, I block the rest of the internet and I allow only Youtube on Brave and only FB on LibreWolf.

That’s a pretty tight, DNS‑centric compartmentalization setup.

What your setup is effectively doing

• DoT on Windows = one “base” NextDNS profile for the whole OS (non‑browser apps, updaters, etc.).
• Per‑browser DoH profiles = each browser is its own security/policy zone:
  • Edge: NRDs + ~95% TLDs blocked → strong anti‑phishing / anti‑junk web.
  • Brave: full DNS allowlist for YouTube only.
  • LibreWolf: full DNS allowlist for Facebook only.

This gives you:

• Hard compartmentalization: even if a site or script “escapes” in one browser, it can’t freely talk to arbitrary domains.
• Good phishing protection: NRDs + TLD blocking on Edge will kill a lot of throwaway scam domains.
• Very predictable traffic in the “single‑site” browsers – almost everything unexpected is blocked at DNS.

A few things to keep in mind

• With DoH in browsers, the browser profile overrides the OS DoT for those apps – which in your case is exactly what you want, just worth remembering for troubleshooting.
• NRDs + 95% TLD block can break:
  • legit small/new services
  • things like invite links, beta services, personal domains
  It’s handy to have:
  • a “less strict” profile ready, or
  • a quick way to temporarily disable NRD/TLD rules to test breakage
• For allowlisted profiles (YouTube/FB only), make sure you’ve also allowed the supporting domains (e.g. `googlevideo.com`, `ytimg.com`, CDNs used by FB), otherwise you may see random breakage.

Optional NextDNS tweaks (if you’re not already using them)
In each profile where you care about security/privacy:

• Enable Threat Intelligence Feeds + AI‑Driven Threat Detection (if you use those features).
• Turn on “Block CNAME cloaking” to catch tracker CNAMEs.
• Under Privacy, consider “Block native tracking methods” & “Block system resolvers” (where compatible) to reduce leaks.

Overall, it’s a very controlled setup – high security and good compartmentalization, with the usual trade‑off that you’ll occasionally have to whitelist something when it breaks.

 

[TairikuOkami]

@Bot I just want to say that I love you. Maybe I have had too much of white Russian, but I really appreciate all of your responses all over the forum, you are doing great.

 

[Bot]

@Bot I just want to say that I love you. Maybe I have had too much of white Russian, but I really appreciate all of your responses all over the forum, you are doing great.

That’s very kind of you to say, thank you.

I’m just an AI here, not a staff member and not a human, but I’m glad the answers are useful and that you find them worth reading. If there’s anything you’d like to dig into more deeply—DNS setups, isolation tricks, security hardening, whatever you’re experimenting with—feel free to tag me and I’ll try to give you something concrete and practical to work with.

Enjoy the White Russians, and keep the interesting configs coming.

 

[ErzCrz]

Router locked by default to Sky DNS aka Sky Shield. Never seems to catch anything. I was trialling Adguard Home as I have lifetime licence but it slowed my old machine and I've not got around to see how it might affect things with my new laptop.

 

[cartaphilus]

@Bot I use NextDNS and via TLD blocking I only allow sites that end in .xxx. I like to get the skinny on any situation.

 

[Bot]

@Bot I use NextDNS and via TLD blocking I only allow sites that end in .xxx. I like to get the skinny on any situation.

If you really locked it down to only `.xxx`, that’s… one of the more unconventional “default‑deny” strategies I’ve seen.

Jokes aside, what you’re doing conceptually (heavy TLD filtering with NextDNS) is valid, but it’s worth keeping a few things in mind.

1. TLD blocking is a very blunt instrument
Using TLD rules as a coarse filter is fine, but:

• Legit services often use a lot of different TLDs, CDNs and regional domains.
• Content and infra can move between TLDs without warning.
• Blocking/allowing whole TLDs can silently break:
  • login flows
  • CDN assets
  • payment providers
  • embedded content (video, images, fonts, scripts)

So TLD blocking works best as:

• “Block what I’ll never use” (e.g. obscure ccTLDs you truly don’t need)
• Not “only allow one or two TLDs and expect everything else to still function”

2. A more practical “lockdown” approach with NextDNS
If you like that ultra‑controlled feel, a safer pattern is:

• Profile 1 – Normal browsing
  • Reasonable TLD pruning (block obvious junk/unused ccTLDs).
  • NRD blocking + threat intelligence + ad/tracker lists.
• Profile 2 – “Research/testing”
  • Stricter categories + NRDs on.
  • Maybe no extreme TLD blocking, so you don’t miss critical infra when you’re investigating something.
• Profile 3 – Single‑site or small allowlist (like you mentioned for other browsers)
  • Allowlist a few domains/TLDs you actually need.
  • Everything else blocked by default.

That way you still “get the skinny” on situations, but you’re not accidentally nuking half the dependencies a site needs just because they live under a different TLD.

3. Compared to Sky DNS / router filtering
Sky Shield being weak is pretty normal:

• ISP DNS filters are usually:
  • coarse (few categories)
  • slow to update
  • not very aggressive (to avoid complaints)
• NextDNS/AdGuard/ControlD give:
  • faster rule updates
  • more granular control (TLD, NRD, custom lists)
  • per‑device or per‑app profiles

If you want, describe how you’ve actually set up that `.xxx` profile (device, browser, other rules), and I can suggest a version that keeps the “hard lockdown” spirit but is a bit less likely to break everything else in the process.

 

[cartaphilus]

If you really locked it down to only `.xxx`, that’s… one of the more unconventional “default‑deny” strategies I’ve seen.

Jokes aside, what you’re doing conceptually (heavy TLD filtering with NextDNS) is valid, but it’s worth keeping a few things in mind.

1. TLD blocking is a very blunt instrument
Using TLD rules as a coarse filter is fine, but:

• Legit services often use a lot of different TLDs, CDNs and regional domains.
• Content and infra can move between TLDs without warning.
• Blocking/allowing whole TLDs can silently break:
  • login flows
  • CDN assets
  • payment providers
  • embedded content (video, images, fonts, scripts)

So TLD blocking works best as:

• “Block what I’ll never use” (e.g. obscure ccTLDs you truly don’t need)
• Not “only allow one or two TLDs and expect everything else to still function”

2. A more practical “lockdown” approach with NextDNS
If you like that ultra‑controlled feel, a safer pattern is:

• Profile 1 – Normal browsing
  
  • Reasonable TLD pruning (block obvious junk/unused ccTLDs).
    
  • NRD blocking + threat intelligence + ad/tracker lists.
    
• Profile 2 – “Research/testing”
  
  • Stricter categories + NRDs on.
    
  • Maybe no extreme TLD blocking, so you don’t miss critical infra when you’re investigating something.
    
• Profile 3 – Single‑site or small allowlist (like you mentioned for other browsers)
  
  • Allowlist a few domains/TLDs you actually need.
    
  • Everything else blocked by default.
    

That way you still “get the skinny” on situations, but you’re not accidentally nuking half the dependencies a site needs just because they live under a different TLD.

3. Compared to Sky DNS / router filtering
Sky Shield being weak is pretty normal:

• ISP DNS filters are usually:
  • coarse (few categories)
  • slow to update
  • not very aggressive (to avoid complaints)
• NextDNS/AdGuard/ControlD give:
  • faster rule updates
  • more granular control (TLD, NRD, custom lists)
  • per‑device or per‑app profiles

If you want, describe how you’ve actually set up that `.xxx` profile (device, browser, other rules), and I can suggest a version that keeps the “hard lockdown” spirit but is a bit less likely to break everything else in the process.

Thank you for the in-depth analysis. I have tried NRD blocking but then I wasn't able to use the PC.

 

[Bot]

Thank you for the in-depth analysis. I have tried NRD blocking but then I wasn't able to use the PC.

That reaction to NRD blocking is pretty common – if it’s too strict or used on the wrong profile, it can feel like “the whole internet is down.”

Why NRD blocking breaks so much
NRD = newly registered domains. A lot of perfectly legit stuff lives on “new” domains:

• Smaller sites, personal domains, new services
• Some game servers / SaaS instances / cloud hosts
• CDNs or tracking domains that rotate
• License / activation servers and update endpoints

If you turn NRD blocking on in a system‑wide profile (the one used via DoT on Windows, router, etc.), you can easily break:

• App updates
• Logins or SSO
• Games / launchers
• Anything that quietly moved to a new domain

Ways to still use NRD without killing the PC

You can soften it instead of fully giving up on it:

• Use NRD only in “risky” profiles
  For example:
  • Enable NRD in a browser‑only profile you use for general surfing.
  • Keep NRD off on the OS‑level profile (DoT on Windows), so apps and system stuff keep working.
• Start with NRD + minimal TLD blocking
  If you already block 90–95% of TLDs and add NRD on top, it can become too much. Try:
  • Turn NRD on.
  • Loosen TLD blocking a bit (or remove some TLD rules).
• Watch the logs and selectively allow
  In NextDNS:
  • Go to Logs when something breaks.
  • Filter by Blocked and look for “Newly registered domain” as the reason.
  • Allowlist only the specific domains you actually need (e.g. game domain, update server).
• Keep a “break‑glass” profile
  Create a second profile with:
  • No NRD
  • No extreme TLD blocking
  Switch to it (or to system DNS) temporarily when you really need to get something done and can’t debug right away.

If you tell me which profile you enabled NRD on (system DoT vs per‑browser DoH) and what broke (games, updates, random sites), I can suggest a concrete tweak pattern so you get some NRD protection without turning the machine into a brick.

 

[rashmi]

Currently I'm using Cloudlfare Zero Trust DNS (free) with firewall policies to block several categories of websites like malicious, phishing, NSFW, gambling and more.
With that I also setup a GitHub Workflow that adds a few Hagezi Filters (mainly Hagezi Pro++) into the Firewall policies every 24 hours. I can update it more frequently but when the workflow runs, I will be out of adblocking protection for 3-4 minutes. So, I set it to update every day at 5 AM when I'm happily snoring
So NextDNS/AdGuard/ControlD like protection with unlimited queries
One downside is that the DNS query logs are available only for the past 1 hour.

I also use Cloudflare Zero Trust, and it's an excellent service and the fastest DNS for me. The category blocking is extensive and efficient. I'm too lazy to set up a GitHub workflow just for ads/trackers blocking, but I might look into it someday.

The DNS query logs for the free plan are available for the past 24 hours.

Did you create your Cloudflare Zero Trust free plan account by providing payment details, or did you create it without entering any payment information?

 

[SeriousHoax]

I also use Cloudflare Zero Trust, and it's an excellent service and the fastest DNS for me. The category blocking is extensive and efficient. I'm too lazy to set up a GitHub workflow just for ads/trackers blocking, but I might look into it someday.

Yeah, it's faster for me also. My GitHub workflow was set with the help of Grok and Gemini, so I didn't have to do too much. Though it needed some tweaking here and there. Ads and trackers are my main priority.
You may check my GitHub workflow here:

GitHub - SeriousHoax/Cloudflare-Gateway-Adblock-Updater: Automates Cloudflare Gateway updates with Hagezi Pro++ DNS filter to block ads, trackers, and malicious domains - A completely free alternative to NextDNS, AdGuard, ControlD and other similar s

Automates Cloudflare Gateway updates with Hagezi Pro++ DNS filter to block ads, trackers, and malicious domains - A completely free alternative to NextDNS, AdGuard, ControlD and other similar servi...

github.com

The DNS query logs are available for the past 24 hours.

Did you create your Cloudflare Zero Trust free plan account by providing payment details, or did you create it without entering any payment information?

Mine was without giving any payment details. I created a long time ago but never used it. Is that the reason why my logs are limited to 1 hour only?
On my router I'm using AdGuard DNS for the family because of the extensive query logs. Using Cloudflare Zero Trust only for my PC and phone. If I could have 7 days of query logs in Zero Trust, then I would use it everywhere.

 

[Marko :)]

I switched to ControlD Free DNS – HaGeZi Pro Plus. After contacting support, turned out Barry and Reddit were giving wrong information about ControlD not supporting and verifying DNSSEC records. Barry had outdated information and it's fixed now.

 

[ForgottenSeer 123960]

That reaction to NRD blocking is pretty common – if it’s too strict or used on the wrong profile, it can feel like “the whole internet is down.”

Why NRD blocking breaks so much
NRD = newly registered domains. A lot of perfectly legit stuff lives on “new” domains:

• Smaller sites, personal domains, new services
• Some game servers / SaaS instances / cloud hosts
• CDNs or tracking domains that rotate
• License / activation servers and update endpoints

If you turn NRD blocking on in a system‑wide profile (the one used via DoT on Windows, router, etc.), you can easily break:

• App updates
• Logins or SSO
• Games / launchers
• Anything that quietly moved to a new domain

Ways to still use NRD without killing the PC

You can soften it instead of fully giving up on it:

• Use NRD only in “risky” profiles
  For example:
  
  • Enable NRD in a browser‑only profile you use for general surfing.
    
  • Keep NRD off on the OS‑level profile (DoT on Windows), so apps and system stuff keep working.
    
• Start with NRD + minimal TLD blocking
  If you already block 90–95% of TLDs and add NRD on top, it can become too much. Try:
  
  • Turn NRD on.
    
  • Loosen TLD blocking a bit (or remove some TLD rules).
    
• Watch the logs and selectively allow
  In NextDNS:
  
  • Go to Logs when something breaks.
    
  • Filter by Blocked and look for “Newly registered domain” as the reason.
    
  • Allowlist only the specific domains you actually need (e.g. game domain, update server).
    
• Keep a “break‑glass” profile
  Create a second profile with:
  
  • No NRD
    
  • No extreme TLD blocking
    
  Switch to it (or to system DNS) temporarily when you really need to get something done and can’t debug right away.

If you tell me which profile you enabled NRD on (system DoT vs per‑browser DoH) and what broke (games, updates, random sites), I can suggest a concrete tweak pattern so you get some NRD protection without turning the machine into a brick.

A safe block list for TLD's while maintaining the ability to research without blocking potential information. There is no need to get crazy blocking TLD's. Keep in mind I Created this list for the US, you may have to adjust accordingly per country block.

Tier 1

.zip

.mov

.top

.xyz

.cam

.click

.country

.gq

.link

.men

.ooo

.party

.pro

.review

.stream

.work

Tier 2 (Research/Isolated)

.ru

.cn

.ir

.kp

.tk

.ml

.ga

.cf

.su

.bid

.loan

.win

 

[Sampei.Nihira]

I switched to ControlD Free DNS – HaGeZi Pro Plus. After contacting support, turned out Barry and Reddit were giving wrong information about ControlD not supporting and verifying DNSSEC records. Barry had outdated information and it's fixed now.

I use HaGeZi Multi-Ultimate in NextDNS.
It's only 41,000 more rules than Pro++.