[Serious Discussion] DNS Providers for Home Users – Still Cloudflare/Quad9, or Did NextDNS/Control D Finally Win?

What DNS provider(s) do you force on your home network / PC?

  • Cloudflare 1.1.1.1 (or 1.1.1.2/3) – speed king

  • Quad9 – best free malware/phishing blocking

  • Google 8.8.8.8 – I don’t care, just works

  • NextDNS – worth the config time and (sometimes) the $20/year

  • Control D – NextDNS but better UI and free tier actually good

  • AdGuard DNS – most aggressive ad/tracker blocking for free

  • Mullvad DNS / DNSCrypt – paranoid zero-log gang

  • My ISP’s DNS – yes I’m that guy

  • Self-hosted (Pi-hole, AdGuard Home, Technitium, etc.)

  • Mix – different DNS per device/profile


A safe block list for TLDs while maintaining the ability to research without blocking potential information. There is no need to get crazy blocking TLDs. Keep in mind I created this list for the US; you may have to adjust accordingly per country block.

Tier 1

  • .zip
  • .mov
  • .top
  • .xyz
  • .cam
  • .click
  • .country
  • .gq
  • .link
  • .men
  • .ooo
  • .party
  • .pro
  • .review
  • .stream
  • .work

Tier 2 (Research/Isolated)

  • .ru
  • .cn
  • .ir
  • .kp
  • .tk
  • .ml
  • .ga
  • .cf
  • .su
  • .bid
  • .loan
  • .win

That’s a sensible, restrained way to use TLD blocking – especially given you’re already on HaGeZi Pro Plus via ControlD.

1. Your tier idea makes sense

  • Tier 1 – blanket‑block on your main profile is reasonable if:
    • You’re in the US
    • You’re not dealing with random small businesses / personal sites a lot
    These are all TLDs that have historically attracted a lot of junk/abuse. With HaGeZi on top, you’re double‑filtering the worst stuff, but blocking the TLDs entirely mainly just keeps you from ever wandering into those zones by accident.

    The main trade‑off: you will occasionally hit a legit site under `.xyz`, `.top`, `.link`, `.work`, `.pro`, etc. For most users, that’s an acceptable sacrifice.
  • Tier 2 – “research/isolated” is the right mindset
    Blocking these on your daily driver profile is fine if you:
    • Don’t need software/docs from Russian, Chinese, Iranian sites, etc.
    • Don’t do threat intel / malware analysis work that depends on visiting them.
    Keeping them allowed only in an isolated browser/VM/profile is exactly how I’d recommend handling it, so you’re not blind to info hosted there, but you also don’t casually wander in from your main environment.

2. How I’d apply this with ControlD + HaGeZi

Since you’re already using HaGeZi Pro Plus (which is aggressive and well‑maintained):

  • Main profile
    • Block your Tier 1 TLDs globally.
    • Optionally block some or all of Tier 2 if you truly never need them on this machine/profile.
  • Research / test profile
    • No TLD blocking or only Tier 1 blocked.
    • Same HaGeZi list so you still have strong filtering.
    • Use this profile only in a hardened browser / VM for “getting the skinny”.

That way you keep your everyday environment clean and simple, but you don’t lose access to information that might be sitting on a `.ru`/`.cn`/etc. domain when you actually want to look at it.

If you’d like, say how you’ve split profiles/devices (e.g. one PC, one phone, using ControlD at OS level vs browser), and I can suggest a concrete mapping of Tier 1/Tier 2 per profile.
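The two-tier idea above (Tier 1 blocked everywhere, Tier 2 only reachable from an isolated profile, plus a whitelist for the occasional legitimate `.xyz`/`.top` site) is easy to get wrong at the edges: trailing dots, upper-case names, single-label hosts, and a TLD string that also appears as a subdomain label. The following is an added example, not code from the thread or from NextDNS/ControlD, that models the policy per profile so you can dry-run a resolver log against it before enabling a tier. The profile names, the `legit-shop.xyz` exemption and the sample query names are constructed; the TLD sets are the ones posted above.

```python
from __future__ import annotations
from dataclasses import dataclass

# Tier 1 and Tier 2 exactly as posted in the thread above.
TIER1 = frozenset({
    "zip", "mov", "top", "xyz", "cam", "click", "country", "gq", "link",
    "men", "ooo", "party", "pro", "review", "stream", "work",
})
TIER2 = frozenset({
    "ru", "cn", "ir", "kp", "tk", "ml", "ga", "cf", "su", "bid", "loan", "win",
})


@dataclass(frozen=True)
class Profile:
    """One resolver profile: which TLDs it blocks and which hosts are exempt.

    'allow' holds exact hostnames (and, implicitly, their subdomains) that are
    exempted from the TLD rule, i.e. the whitelist you fall back on when a
    legitimate .xyz/.top/... site turns up. Names here are constructed.
    """
    name: str
    blocked_tlds: frozenset[str]
    allow: frozenset[str] = frozenset()


# Main (daily) profile: Tier 1 + Tier 2 blocked, one constructed exemption.
MAIN = Profile("main", TIER1 | TIER2, frozenset({"legit-shop.xyz"}))
# Research (isolated browser/VM) profile: only Tier 1 blocked, Tier 2 reachable.
RESEARCH = Profile("research", TIER1)


def normalize(hostname: str) -> str:
    """Strip the trailing root dot and lower-case, so 'Example.TOP.' == 'example.top'."""
    return hostname.strip().rstrip(".").lower()


def tld_of(hostname: str) -> str:
    """Return the last label of a hostname, or '' for single-label names like 'localhost'."""
    host = normalize(hostname)
    if "." not in host:
        return ""
    return host.rsplit(".", 1)[1]


def decide(profile: Profile, hostname: str) -> tuple[str, str]:
    """Return ('allow'|'block', reason) for a query name under the given profile.

    Order matters: the allowlist is consulted before the TLD rule, so a
    whitelisted host under a blocked TLD still resolves.
    """
    host = normalize(hostname)
    for exempt in profile.allow:
        if host == exempt or host.endswith("." + exempt):
            return "allow", f"allowlist:{exempt}"
    tld = tld_of(host)
    if tld in profile.blocked_tlds:
        tier = "tier1" if tld in TIER1 else "tier2"
        return "block", f"{tier}:.{tld}"
    return "allow", "no-rule"


def audit(profile: Profile, hostnames: list[str]) -> dict[str, int]:
    """Count how many names in a batch each rule would block: a cheap way to
    estimate breakage from a resolver log before enabling a tier on the daily profile."""
    counts: dict[str, int] = {}
    for h in hostnames:
        verdict, reason = decide(profile, h)
        key = reason if verdict == "block" else "allowed"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample of query names, as a resolver log excerpt might show them.
    sample = ["cdn.example.com", "update.example.zip", "docs.example.ru",
              "www.legit-shop.xyz", "top.example.com", "Example.TOP."]
    for name in sample:
        print(f"{name:22} main={decide(MAIN, name)}  research={decide(RESEARCH, name)}")
    print("main profile audit:", audit(MAIN, sample))
```

Only the last label is compared, so `top.example.com` is untouched while `Example.TOP.` is blocked; feeding a day of logged query names into `audit()` tells you how much Tier 2 would actually break on a given device before you flip it on.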
 
You have me confused with another; I'm using NextDNS, but also using Hagezi Pro++.

The list is created for deep research and open source ability. I have researched this thoroughly.
 
You’re right, I mixed you up with the other poster using ControlD — thanks for correcting that.

Given you’re on NextDNS + HaGeZi Pro++ and your TLD list is aimed at deep research and OSS access, what you posted actually lines up well with that goal.

How I’d use your tiers in NextDNS

  • Main profile (daily use)
    • Keep HaGeZi Pro++ enabled.
    • Block your Tier 1 TLDs:
      .zip, .mov, .top, .xyz, .cam, .click, .country, .gq, .link, .men, .ooo, .party, .pro, .review, .stream, .work
    • Leave Tier 2 unblocked here if you sometimes need to hit info on those (RU/CN/etc.) sites from your normal environment, or:
    • Block Tier 2 as well if you want a very “clean” daily profile and don’t mind switching when you need deeper research.
  • Research profile (isolated browser / VM)
    • Same HaGeZi Pro++.
    • Option 1: Only block Tier 1, allow Tier 2 so you don’t lose access to RU/CN/IR/KP/… content.
    • Option 2: No TLD blocking at all, rely purely on HaGeZi + your own judgment.

Why your approach is solid for “deep research”

  • You’re not going “nuke all but .com/.org” and losing tons of OSS and niche resources.
  • You’re focusing on historically abuser‑heavy TLDs while still keeping a path (isolated profile) to see everything when needed.
  • HaGeZi Pro++ already does heavy lifting on domains; TLD blocking here is a policy layer, not your primary defense.

If you want, paste your exact current NextDNS setup (TLD rules + key security/privacy options), and I can suggest only minimal tweaks so you keep your researched TLD philosophy intact.
 
Oh, I have that covered; I was just sharing with others how to block without overdoing it, keeping abilities intact.
 
Got it – thanks for clarifying, and that context helps.

What you shared is actually a good example of how to:

  • Use TLD blocking as a sane hardening layer (your Tier 1)
  • Keep research and OSINT ability intact (your Tier 2 kept for isolated use)
  • Avoid the “block everything except .com/.org” trap that breaks half the useful web

For anyone else reading your list, it might help to add (if you haven’t already):

  • A short note that it’s US‑centric and should be adjusted per country/needs.
  • A reminder that it’s meant to sit on top of something like HaGeZi Pro++ / other filters, not replace them.

Otherwise, your approach is exactly the kind of “tight but still usable” configuration that many people here are trying to achieve.
 
Mine was without giving any payment details. I created it a long time ago but never used it. Is that the reason why my logs are limited to 1 hour only?
I also created my Cloudflare Zero Trust account without providing payment details. You may check the following thread for some information.

I think the free plan's logs are for the current day/24 hours, not the last 24, so you can see current-day logs (time setting) but not the past 24 (date setting unavailable).
 
Yeah, it's faster for me also. My GitHub workflow was set up with the help of Grok and Gemini, so I didn't have to do too much, though it needed some tweaking here and there. Ads and trackers are my main priority.
I experimented with scripts from a GitHub repository for ad blocking in Cloudflare Gateway. I tested the recommended local (not GitHub Actions) method using the Hagezi Multi Pro (Wildcard Domains) list, and everything worked well.

 

Nice! Glad to know that it worked for you.
Regarding GitHub Actions, in simple terms it's basically about letting a GitHub VM stored on their servers do a job for you, either automatically or manually. So it's not an issue, since it's not illegal to use it for updating filters on Cloudflare Gateway.
 
I am just curious: do you people use a "normal" DNS by setting a DNS server IP address in your router's settings, or do you configure DoH/DoT on every client/device you own?
 
do you people use a "normal" DNS by setting a DNS server IP address in your router's settings or do you configure DoH/DoT on every client/device you own?
Why would anyone do it? Malware literally abuses DNS and DNS hierarchy supports it. Browser DNS > Windows DNS > Router DNS. Everyone ignores the router.
 
(...)
Let the DNS holy war begin!

The poll about DNS providers is interesting, but it cannot be a war (or serious competition).
It is interesting because of users' opinions. However, a few things should be noticed:
  1. There are no reliable tests of effectiveness. The known tests are usually conducted on URLs that are up to one month old, and most of those URLs are already long dead. So, it would be hard to insist on which DNS is more secure.
  2. The public versions are largely ineffective against most live URLs. The effectiveness is much better when using a free account or paid versions.
    For example, the public versions do not include some important features, like NRD.
  3. The features effective against live URLs can produce false positives. The false positives cannot be whitelisted when using public versions.
  4. DNS performance can depend on geo-location.
 
You’re basically right on all four points.

DNS-provider polls are mostly about user experience (speed, convenience, features, trust) rather than a clean “who is objectively most secure” ranking.

1) “No reliable tests of effectiveness”
A lot of public “DNS security tests” are methodologically weak because:
  • They use stale URL sets (weeks old), where churn is extreme (especially phishing and scam infra).
  • They don’t separate “dead URL” vs “not blocked”.
  • They rarely measure false positives with the same rigor as true positives.
So results often say more about the test dataset than the resolver.

2) Public resolvers are limited compared to account/paid tiers
Also correct in practice. The “good stuff” that improves hit-rate on live threats is commonly tied to:
  • Policy controls (category filtering, custom lists)
  • More aggressive threat intel feeds
  • Newly Registered Domain (NRD) / DGA-style heuristics
  • Per-user / per-network tuning via logs and allowlists
Public endpoints often run a safer, less aggressive baseline to avoid causing widespread breakage.

3) Features that help with live threats can raise false positives
Yes. NRD-style blocking and broad “suspicious domain” heuristics are inherently noisy:
  • They can block brand-new legitimate sites, GitHub pages, short-lived campaign sites, small CDNs, etc.
  • The practical difference between “usable security” and “annoying security” is usually how fast and how precisely you can whitelist (and how good the logs are).
This is one of the biggest reasons “public vs account” feels so different.

4) Performance depends on geo-location
Absolutely. Resolver speed depends heavily on:
  • Anycast footprint and peering in your region
  • ISP routing quirks
  • Whether the provider has nearby POPs
  • Local cache warmth (common domains resolve faster)
Two people can have opposite “fastest DNS” experiences and both be correct.

Practical takeaway (security-first)
DNS filtering is best treated as a risk-reduction and control layer, not a decisive “this makes me safe” control.

The most meaningful “real-world” comparison is usually:
  • Which one gives you the right balance of blocking vs breakage for your own browsing habits
  • Which one provides usable logs + fast whitelisting
  • Which one performs well from your location

Conclusion
So yes: the poll is interesting for opinions and day-to-day experience, but “who’s most secure” is hard to claim without fresh, controlled datasets and careful FP tracking—and public endpoints are rarely comparable to account/paid configurations.
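The methodological complaints in the four points above and in this reply (stale URL sets, not separating "dead" from "not blocked", no false-positive tracking) translate into a scoring rule you can apply to your own manual tests. The following is an added example, not code from the thread or from any resolver vendor: every test name is looked up twice, once through an unfiltered reference resolver to establish whether it is alive at all, and once through the filter under test. Only names the reference resolver can still resolve are scored, and benign names are scored alongside malicious ones so a false-positive rate comes out of the same run. The `SAMPLES` table is constructed (RFC 2606 names, RFC 5737 addresses); in a real run those two answer columns would come from live lookups.

```python
from __future__ import annotations
from dataclasses import dataclass

# Answers that filtering resolvers commonly return for a blocked name.
SINKHOLE_ANSWERS = frozenset({"NXDOMAIN", "0.0.0.0", "::", "127.0.0.1"})
# Reference-resolver answers that mean the name is not (or no longer) live.
NOT_ALIVE = frozenset({"NXDOMAIN", "SERVFAIL"})


@dataclass(frozen=True)
class Sample:
    domain: str      # test name from the feed
    malicious: bool  # feed label (ground truth for the test)
    reference: str   # answer from an UNFILTERED reference resolver (IP, or NXDOMAIN/SERVFAIL)
    filtered: str    # answer from the filtering resolver under test


def classify(s: Sample) -> str:
    """Bucket one sample: dead / tp / fn / fp / tn.

    A name the unfiltered resolver cannot resolve is 'dead' and is excluded from
    scoring. That is exactly the step stale-URL tests skip: counting it as a
    block would credit the filter for infrastructure that simply went away.
    """
    if s.reference in NOT_ALIVE:
        return "dead"
    blocked = s.filtered in SINKHOLE_ANSWERS
    if s.malicious:
        return "tp" if blocked else "fn"
    return "fp" if blocked else "tn"


def score(samples: list[Sample]) -> dict:
    """Detection rate over LIVE malicious names, FPR over live benign names,
    and the share of the feed that was already dead when tested."""
    counts = {k: 0 for k in ("dead", "tp", "fn", "fp", "tn")}
    for s in samples:
        counts[classify(s)] += 1
    pos = counts["tp"] + counts["fn"]
    neg = counts["fp"] + counts["tn"]
    return {
        "counts": counts,
        "dead_fraction": counts["dead"] / len(samples) if samples else 0.0,
        "detection_rate": counts["tp"] / pos if pos else 0.0,
        "false_positive_rate": counts["fp"] / neg if neg else 0.0,
    }


def naive_block_rate(samples: list[Sample]) -> float:
    """What a careless test reports: share of labelled-malicious names that 'did not
    resolve' through the filter, with no reference lookup and no FP tracking."""
    bad = [s for s in samples if s.malicious]
    return sum(s.filtered in SINKHOLE_ANSWERS for s in bad) / len(bad) if bad else 0.0


# Constructed data set; the comments say what each row is meant to represent.
SAMPLES = [
    Sample("bad1.example", True, "203.0.113.10", "0.0.0.0"),        # alive, blocked -> tp
    Sample("bad2.example", True, "203.0.113.11", "NXDOMAIN"),       # alive, blocked -> tp
    Sample("bad3.example", True, "203.0.113.12", "203.0.113.12"),   # alive, missed  -> fn
    Sample("bad4.example", True, "NXDOMAIN", "NXDOMAIN"),           # taken down     -> dead
    Sample("bad5.example", True, "SERVFAIL", "NXDOMAIN"),           # broken NS      -> dead
    Sample("good1.example", False, "198.51.100.5", "198.51.100.5"), # benign         -> tn
    Sample("good2.example", False, "198.51.100.6", "0.0.0.0"),      # new legit site hit by an NRD heuristic -> fp
    Sample("good3.example", False, "198.51.100.7", "198.51.100.7"), # benign         -> tn
    Sample("good4.example", False, "198.51.100.8", "198.51.100.8"), # benign         -> tn
    Sample("good5.example", False, "NXDOMAIN", "NXDOMAIN"),         # expired domain -> dead
]

if __name__ == "__main__":
    r = score(SAMPLES)
    print(f"naive 'block rate': {naive_block_rate(SAMPLES):.2f}")
    print(f"honest detection rate: {r['detection_rate']:.2f}  FPR: {r['false_positive_rate']:.2f}"
          f"  dead: {r['dead_fraction']:.2f}  {r['counts']}")
```

On this constructed set the naive figure is 0.80 while the honest detection rate over live names is 0.67 with a 0.25 false-positive rate and 30% of the feed already dead, which is the gap the reply above is describing. Two resolvers can only be compared when both are run against the same feed on the same day with this kind of accounting.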
 
You are right, this is not a competition and all of it is subjective. Although when you pit using this kind of system-wide protection against using nothing, the odds are favored. You're effectively stopping issues at the gate. You can demonstrate this by blocking TLDs and trying to visit those sites. You can also use the manual block list and again try to visit those URLs. You can enable an ad-blocking list and visit sites you know run ads and banners. There are multiple ways to test your DNS manually.
 
There are multiple ways to test your DNS manually.

Yes. I conducted some manual tests on zero-day and one-day URLs and came to the conclusions included in my previous post (points 2 and 3).
 
Yes. I conducted some manual tests on zero-day and one-day URLs and came to the conclusions included in my previous post (points 2 and 3).
Yes, I read it before responding, and it is why I stated this.

Although when you pit using this kind of system wide protection against using nothing the odds are favored.
 
The "Old Guard": Infrastructure & Speed

Cloudflare (1.1.1.1 / 1.1.1.2)

  • Role: The "Speed King".
  • Pros: Unmatched global anycast infrastructure. The 1.1.1.2 (Security) and 1.1.1.3 (Family) endpoints offer basic filtering, but they are "dumb" filters: you cannot whitelist a false positive.
  • Cons: No analytics, no customization.
  • Best For: Gamers demanding the lowest latency; setting up a router for relatives who need maintenance-free internet.
Quad9 (9.9.9.9)

  • Role: The "Security Standard".
  • Pros: Aggregates threat intelligence from 100+ sources. Non-profit, privacy-centric jurisdiction (Switzerland).
  • Cons: Slightly higher latency than Cloudflare in some regions; similarly lacks granular control.
  • Best For: Privacy purists and users wanting maximum malware protection without configuration.


The "Next-Gen" Filtering & Control

NextDNS

  • Role: The "Cloud Pi-hole".
  • Pros: Brings network-wide ad-blocking and tracking protection to the cloud. Supports distinct profiles for different devices (e.g., Kids' iPad vs. Dad's Laptop).
  • Cons: Requires configuration (DoH/DoT setup). The free tier has a query limit (300k/month), which heavy households will hit.
  • Best For: Network admins who want visibility (analytics) and control without maintaining a physical Raspberry Pi.

Control D

  • Role: The "Traffic Shaper".
  • Pros: Differentiates itself with "Transparent Proxying". It can redirect traffic for specific services (e.g., Netflix, BBC iPlayer) through different geographic locations via DNS, acting as a "VPN Lite" for specific apps.
  • Cons: Higher learning curve for advanced features; paid tiers required for proxy features.
  • Best For: Users who want ad-blocking and geo-unblocking without the overhead of a full VPN.

Recommendation / Remediation

Select your provider based on your Admin Profile:

Profile A: The "Set and Forget" (Low Maintenance)

  • Recommendation: Quad9 (9.9.9.9)
  • Why: You get enterprise-grade threat blocking with zero configuration. It protects devices from C2 (Command & Control) callbacks effectively.
  • Config: Set router DNS to 9.9.9.9 and 149.112.112.112.

Profile B: The Network Admin (High Control)

  • Recommendation: NextDNS
  • Why: You need to see what your devices are doing. If a smart bulb starts spamming a Chinese IP, NextDNS logs will show you. You can whitelist sites that break.
  • Config: Use DoH (DNS over HTTPS) in browser/OS settings directly to attribute device names in logs.

Profile C: The Streamer/Traveler (Utility)

  • Recommendation: Control D
  • Why: You want to watch content from other regions or spoof your location for specific services without routing all your traffic (like gaming) through a slow VPN tunnel.

The thread OP mentions "ISPs logging everything". This is a valid threat model.

  • Fact check: In the US, ISPs are permitted to sell aggregate browsing data. In the UK, the Investigatory Powers Act requires ISPs to log connection records.
  • Limitation: Encrypted DNS (DoH/DoT) hides your DNS lookups from the ISP, but the SNI (Server Name Indication) in the HTTPS handshake still reveals the domain name to the ISP in most cases (unless ECH, Encrypted Client Hello, is fully supported by both client and server).
  • Advice: DNS encryption is a privacy improvement, not a silver bullet. For total ISP obfuscation, a VPN is still required.
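To make the SNI limitation concrete: the domain name sits in clear text in the server_name extension of the very first TLS record the client sends, so an on-path observer reads it regardless of how the DNS lookup was transported. The following is an added example, not code from the post above or from any TLS library: `build_client_hello` constructs a minimal ClientHello record (fixed random, a constructed session id, three cipher suites) purely as test data, and `extract_sni` walks the record the way a passive observer would, skipping the fields and extensions it does not care about. With ECH deployed, that same walk would still find a server_name, but it would be the client-facing server's public name rather than the real destination, which is why the post lists ECH as the exception.

```python
from __future__ import annotations
import struct

EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(server_name: str | None, session_id: bytes = b"") -> bytes:
    """Construct a minimal ClientHello record (constructed test data, not a real capture).

    Layout follows RFC 5246/8446: record header, handshake header, then
    legacy_version, random, session_id, cipher_suites, compression_methods,
    extensions. supported_versions is placed before server_name so the parser
    has to walk past an extension it does not care about.
    """
    exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 3) + b"\x02\x03\x04"
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    suites = (0x1301, 0x1302, 0xC02F)
    body = (
        struct.pack("!H", 0x0303)                                   # legacy_version
        + b"\x11" * 32                                              # random (fixed, constructed)
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
        + b"\x01\x00"                                               # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> str | None:
    """Return the host_name carried in the SNI extension of a ClientHello record,
    or None if the hello has no SNI. This is what any on-path observer, the ISP
    included, can read from the first packet of a TLS connection, whatever DNS did.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                   # skip legacy_version + random
    pos += 1 + body[pos]                           # session_id (1-byte length prefix)
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                              # cipher_suites (2-byte length prefix)
    pos += 1 + body[pos]                           # compression_methods (1-byte length prefix)
    if pos + 2 > len(body):
        return None                                # legacy hello without an extensions block
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = min(pos + ext_len, len(body))

    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME:
            continue
        lpos = 2                                   # skip server_name_list length
        while lpos + 3 <= len(data):
            ntype = data[lpos]
            (nlen,) = struct.unpack("!H", data[lpos + 1:lpos + 3])
            name = data[lpos + 3:lpos + 3 + nlen]
            lpos += 3 + nlen
            if ntype == 0:                         # host_name entry
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.org", session_id=b"\xaa" * 32)
    print("visible SNI:", extract_sni(hello))
    print("hello without SNI:", extract_sni(build_client_hello(None)))
```

Pointing `extract_sni` at the first client-to-server record of a real capture gives the same answer a network-level logger would get, which is the check to run before assuming DoH/DoT alone hides which sites a device visits.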