Advice Request NextDNS/ControlD vs Quad9, AV Web Protection

Please provide comments and solutions that are helpful to the author of this topic.

SohanRay

Level 5
Thread author
Mar 19, 2022
246
How well does small dns filtering services like NextDns,ControlD filter out malicious domains when compared to big players like Quad9 and AV web protections like Bitdefender Web protection, Sophos Web protection etc?
BIg players like Quad9 gathers threat intel from over 20 reputed partners. AVs like Bitdefender also gather data from millions of points of its presence, colaborates with law enforcement agencies and ISPs etc.
Considering that can services like NextDNS,ControlD even come close?
 

Templarware

Level 10
Verified
Well-known
Mar 13, 2021
460
NextDNS blocks legit stuff, like Ubisoft games, it requires constant configuration so I stooped using it it went for Quad9.
 
  • Like
Reactions: shazi

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
849
Considering that can services like NextDNS,ControlD even come close?
You answered your own question. No, they can't come close at the moment (that will change if userbase increases). I don't browse shady domains so I can't give you my opinion on NextDns malicious blocking capability. But it's adblocking is good but they mainly only use 3rd party filters/lists, again how good their own adblocking filter/list is another matter. It does catch something, but the 3rd party filters (OISD, AdGuard, Notracking) catch a lot more/same level.
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
NextDNS blocks legit stuff, like Ubisoft games, it requires constant configuration so I stooped using it it went for Quad9.
Are you using blocklists in the Privacy section tab? Ads and trackers blocklists present there may be responsible for that. If you choose a bit wisely as to which ones to use, there aren't such issues usually..

You answered your own question. No, they can't come close at the moment (that will change if userbase increases). I don't browse shady domains so I can't give you my opinion on NextDns malicious blocking capability. But it's adblocking is good but they mainly only use 3rd party filters/lists, again how good their own adblocking filter/list is another matter. It does catch something, but the 3rd party filters (OISD, AdGuard, Notracking) catch a lot more/same level.
How would the scenario change if user base increases for those services? Are you saying they'll have more money to collaborate with reputed threat intel partners?
 

Digmor Crusher

Level 24
Verified
Top Poster
Well-known
Jan 27, 2018
1,382
I use my ISP's DNS, running tests it seems to be the fastest, however not sure I can see the difference when we're talking miiliseconds. Google Safe Browing, Smartscreen, safe habits, UBO, and brain .exe ensures that I do not need a DNS service.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
849
Google Safe Browing, Smartscreen, safe habits, UBO, and brain .exe ensures that I do not need a DNS service.
Exactly. I don't use NextDns for its malicious web protection. I use it for its adblocking/trackers and blocking unwanted TLD's on mobile and tablets.

brain.exe is best defence against malicious domains as digimor said. Malicious domains come and go so quick that any blacklist is obsolete in minutes.
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
Exactly. I don't use NextDns for its malicious web protection. I use it for its adblocking/trackers and blocking unwanted TLD's on mobile and tablets.

brain.exe is best defence against malicious domains as digimor said. Malicious domains come and go so quick that any blacklist is obsolete in minutes.
If you want DNS just for adblocking then you can use Control D free DNS , its free without limitations.
And if you are correct about 'Malicious domains come and go so quick that any blacklist is obsolete in minutes' then I guess the blocking new domains feature in NextDNS, ControlD is an execellent effective feature.
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,862
I use my ISP's DNS, running tests it seems to be the fastest, however not sure I can see the difference when we're talking miiliseconds. Google Safe Browing, Smartscreen, safe habits, UBO, and brain .exe ensures that I do not need a DNS service.
The other thing is that large ISPs tend to host CDNs for things like streaming services and large websites on their edge servers, or get optimal routing for your ISP’s network. You tend to have a better experience with those services if you just use your ISP DNS as you don’t get redirected to those servers with outside DNS services.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,355
Malicious domains not necessarily come and go in minutes, I have many examples of malicious domains that have been around for quite some time.

Blocking newly registered domains is a great idea (I personally use it) but attackers and scammers in many cases can leave the domain to “marinate” for a while, before they launch a campaign. In any case, NextDNS with its AI-Driven Threat Protection blocks more than Control D but most likely falls short compared to Quad9 which gets threat intelligence feeds from better sources.
 
F

ForgottenSeer 97327

QUAD9 uses only filter lists, while NextDNS also has an option to use AI. When you use public malware lists, it depends on the list you are using as a source (Next also uses public lists only different ones than Quad9).

Quad9 outperforms Next when blocking C&C servers (it was also intended as free DNS for SME and Soho). NEXT does better when blocking Phishing, they are more or less equal when it comes to Malware blocking. Because the refresh/update frequencies impact the malware blocking performance, you might get different results when testing at different moments of the day using the same sources.

When you like to play and fine tune your DNS, there is no better free DNS than NEXT (with great reporting insights and lots of security and privacy options).When you are a set and forget type of user with privacy concerns (regarding DNS logs) there is no better free DNS than Quad9. When you are set and forget and don't care about DNS logs, there is no better DNS than your ISP. Availability of servers nearby may impact your decision (more or less time to resolve the IP address belonging to the domain name you are requesting).

DNS security internals itself Next is a little better than Quad9, but that is on rarely misused features (Quad is better than most free DNS services and Next is also better and on a few points best).

I was testing URL filters some time ago, then by accident I met a guy on a party who was a free Lance security consultant. Above is the recap of the info he provided me.

The guy himself used: default DNS at home (his ISP better performance IP TV and no hassle on mobile phones when abroad) and Next on his own laptop and Quad9 on his kids laptop (telling me he would not be able to resist looking what his teen kids were visiting when they were on Next, because they deserve their own privacy he had setup their laptops with Quad9). This shows IMO we are talking about inches of differences not yards or miles in protection differences. Writing this recap I realize he did not mention were he put his wife's devices on.
 
Last edited by a moderator:

SohanRay

Level 5
Thread author
Mar 19, 2022
246
QUAD9 uses only filter lists, while NextDNS also has an option to use AI. When you use public malware lists, it depends on the list you are using as a source (Next also uses public lists only different ones than Quad9).

Quad9 outperforms Next when blocking C&C servers (it was also intended as free DNS for SME and Soho). NEXT does better when blocking Phishing, they are more or less equal when it comes to Malware blocking. Because the refresh/update frequencies impact the malware blocking performance, you might get different results when testing at different moments of the day using the same sources.

When you like to play and fine tune your DNS, there is no better free DNS than NEXT (with great reporting insights and lots of security and privacy options).When you are a set and forget type of user with privacy concerns (regarding DNS logs) there is no better free DNS than Quad9. When you are set and forget and don't care about DNS logs, there is no better DNS than your ISP. Availability of servers nearby may impact your decision (more or less time to resolve the IP address belonging to the domain name you are requesting).

DNS security internals itself Next is a little better than Quad9, but that is on rarely misused features (Quad is better than most free DNS services and Next is also better and on a few points best).

I was testing URL filters some time ago, then by accident I met a guy on a party who was a free Lance security consultant. Above is the recap of the info he provided me.
Great helpful Info . Thanks a million! 😊.
By the way, NextDNS does use AI but Quad9's almost every threat intel partner uses AI. So in the end its kind of the same in that respect I believe.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top