Advice Request NextDNS/ControlD vs Quad9, AV Web Protection


Moonhorse

Level 37
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,603
Could you run the test with NextDNS, and cloudflare gateway DNS too?
I understand NextDNS provides better configurability but is it better at blocking malicious domains than Cloudflare? Also, is ControlD better than these two at malicious domain blocking?
Sorry, I only have access to PhishTank & URLhaus, where I test the free versions of Quad9, NextDNS, Cloudflare & ControlD. I have been testing for a few days now, and I have found that ControlD is the best free DNS you can have against malicious URLs.

ControlD & NextDNS are more configurable than Cloudflare Gateway, and I believe that's where the difference is.

I don't have that much time to test all of them; also, I don't have fresh phishing/malware URLs to test them on.

I would still recommend trialling them, doing the testing yourself and finding the one that suits you.

Maybe @Evjl's Rain can run a test comparison of DNS filters.
 

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
The thing is, the Internet does not only revolve around DNS... (DNS to IP or IP to DNS / forward and reverse lookups.)

For better protection you should limit your GEO size to the regions you really need. Example: US and EU.

This goes for incoming and outgoing traffic. This way, even if malware hits a system, it will have a much tougher time exfiltrating data or even connecting to C2C servers. The other side effect is that DNS requests from outside the GEO range will not reach the systems.

There are open-source projects that help a lot: pfSense and pfBlockerNG. OPNsense has a free way to implement GEO blocking. This is all at the network level; then add NextDNS / Cisco Umbrella / Cloudflare and such...

At the browser I recommend uBlock Origin / AdGuard for a little added extra.

Best regards
Val.
 

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,687
Malicious URL blocking at the DNS level is a great way to supplement other security layers (especially when the Newly Registered Domains block is enabled), but it is not a replacement for IPS, anti-phishing and anti-bot components.
DNS resolvers (Cisco, with their Talos and Umbrella, excluded) often don't have the telemetry and resources to proactively stay on top of phishing and malware distribution; it is rather a reactive, community-driven approach.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,475
OK, I got tired of waiting for someone else to do it, so I did a quick test, because I wondered myself whether NextDNS is still the best at malware filtering.
I focused on free DNS, so only free ControlD. I am using NextDNS on 4 devices and it hardly reaches 200k, so yes, it is sufficiently free.
I tested using DoH on LibreWolf to avoid using the browser's blocking features, like Google Safe Browsing, though it can be included in DNS.
Resolvers tested:
https://dns.nextdns.io/......
https://dns.quad9.net/dns-query
https://doh.cleanbrowsing.org/doh/security-filter
https://doh.familyshield.opendns.com/dns-query
https://family.cloudflare-dns.com/dns-query
https://f3739c94.d.adguard-dns.com/dns-query
https://freedns.controld.com/no-porn-ads-dating-gov-gambling-drugs-social-typo-malware
https://zero.dns0.eu

Malware:
1. https://thetranslog[dot]com/feso/auth/rlvqv4i/pablo.ghiglione@tvglobo.com.br - Threat AI/GoogleSafeBrowsing
2. https://gcc02[dot]safelinks.protection.outlook.com/?url=https%3A%2F%2Fvk.com%2Faway.php%3Fto%3Dhttps%253A%252F%252F690215.mystriplife.com%252F%252324465626f7261682e536368617276656e4073616e616e746f6e696f2e676f76&data=05%7C01%7CDeborah.Scharven%40sanantonio.gov%7C68b1fc69aede467afa5a08db4dd142b2%7C1ab0214fac4a4407a7c62ef1eb76dac5%7C0%7C0%7C638189334517396770%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=79%2BSUUjYkC4v%2BlR2%2Ft8L4aCCIvXxOEZmeu1YG17aZ%2FA%3D&reserved=0 - GoogleSafeBrowsing blocked the redirect
3. https://online[dot]forms.app/brandonhousholder/untitled-form - Threat AI
4. https://smartphoodapp[dot]com/xmine.exe - Threat AI
5. https://phd-ce.com[dot]br/kbase/rentfree.zip - Threat AI
6. https://osatech[dot]pt/kbase/rentfree.zip - Threat AI

Phishtank:
1. https://docs.google[dot]com/presentation/d/e/2PACX-1vQ4UYreeA6yHNrNCL9xScGocwJuaDV0fjV-NFiezw9cnmLko_pClazvc8mkegePrXdKasaWde0R_JmL/pub?start=false&loop=false&delayms=3000&slide=id.p - GoogleSafeBrowsing
2. https://itaponto[dot]com - GoogleSafeBrowsing/NRDs
3. https://banksdiscuont[dot]com - NRDs
4. https://app.chainqpt[dot]org - NRDs
Finding malicious links is exceptionally hard unless you have a subscription, so it is a fairly basic test, but I got the answer I was looking for.
NextDNS works, and out of all free DNS it is the only one which blocks NRDs; that alone makes it worth it, regardless of any other feature.
For the record, last time ControlD failed to block NRDs even in the trial version; they used a blacklist for it? Not sure if it is fixed.

I tested only HTTPS links.
10/10 - NextDNS
05/10 - ControlID
04/10 - Cloudflare
02/10 - OpenDNS
00/10 - Quad9
00/10 - CleanBrowsing
00/10 - Adguard
00/10 - DNS0

P.S. I have noticed that some links are blocked now, so NextDNS also wins in response time; it blocks fresh PhishTank links as well.
Of course, take into account that DNS is about blocking domains, not links. It cannot block phishing/malware on legitimate domains.
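The test above was done by hand in a browser. As an added example (my own code, not from the thread or from any of the DNS providers), the script below automates the same free-resolver comparison: it builds a wire-format A query, POSTs it to each DNS-over-HTTPS endpoint per RFC 8484 using only the Python standard library, and classifies every reply as blocked, resolved, nodata or error, since filtering resolvers signal a block in different ways (NXDOMAIN, REFUSED, or a sinkhole address such as 0.0.0.0). The resolver URLs are the public endpoints listed in the post (the NextDNS profile id is a placeholder); the test domains are constructed placeholders, not the thread's samples. The offline part uses constructed replies so the classifier can be checked without network access.

```python
"""DoH resolver block-check (RFC 8484 wire format, stdlib only). Added example."""
import random
import struct
import urllib.request

# Public DoH endpoints from the post; the NextDNS profile id is a placeholder.
RESOLVERS = {
    "NextDNS": "https://dns.nextdns.io/<your-profile-id>",
    "Quad9": "https://dns.quad9.net/dns-query",
    "Cloudflare family": "https://family.cloudflare-dns.com/dns-query",
    "dns0 zero": "https://zero.dns0.eu",
}
# Addresses that filtering resolvers commonly return instead of the real one.
SINKHOLES = {"0.0.0.0", "127.0.0.1"}


def build_query(name, txid=None):
    """Encode a recursive A/IN query for `name` in DNS wire format."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query, rcode, addrs=(), ttl=60):
    """Construct a reply to `query` (test helper only; real replies come from the resolver)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, len(addrs), 0, 0)
    answers = b""
    for a in addrs:  # name is a compression pointer to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in a.split("."))
    return header + query[12:] + answers


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def classify(msg):
    """Return 'blocked', 'resolved', 'nodata' or 'error' for one DNS response."""
    if len(msg) < 12:
        return "error"
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode in (3, 5):  # NXDOMAIN or REFUSED: explicit block styles
        return "blocked"
    if rcode != 0:
        return "error"
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    if not addrs:
        return "nodata"  # NOERROR with no A record: ambiguous, so not counted as a block
    return "blocked" if any(a in SINKHOLES for a in addrs) else "resolved"


def query_doh(url, name, timeout=5.0):
    """POST one wire-format query to a DoH endpoint and return the raw reply."""
    req = urllib.request.Request(url, data=build_query(name), method="POST", headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def compare(domains, resolvers=RESOLVERS):
    """Query every domain against every resolver -> {resolver: [verdict, ...]}."""
    results = {}
    for label, url in resolvers.items():
        verdicts = []
        for d in domains:
            try:
                verdicts.append(classify(query_doh(url, d)))
            except Exception:  # HTTP/network failure: record it, keep going
                verdicts.append("error")
        results[label] = verdicts
    return results


def tally(results):
    """Count explicit blocks per resolver, like the thread's N/10 scores."""
    return {r: sum(1 for v in vs if v == "blocked") for r, vs in results.items()}


if __name__ == "__main__":
    q = build_query("example.test")  # constructed placeholder domain
    for label, reply in [("NXDOMAIN", build_response(q, 3)),
                         ("sinkhole", build_response(q, 0, ["0.0.0.0"])),
                         ("real answer", build_response(q, 0, ["203.0.113.10"]))]:
        print(f"{label:>12}: {classify(reply)}")
    live = compare(["example.com"], {k: v for k, v in RESOLVERS.items() if "<" not in v})
    for r, n in tally(live).items():
        print(f"{n:02d}/{len(live[r])} - {r}")
```

To reproduce the post's method, replace the placeholder list with your own sample of defanged URLs (refanged to bare hostnames) and run it against each endpoint shortly after the samples are reported, because, as the post notes, the interesting difference between resolvers is how quickly a fresh domain gets blocked, not whether it is blocked eventually.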
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
Did you keep the logs in NextDNS on? If yes, could you maybe say, among the 10, how many were blocked by NRD in NextDNS?
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
It's kind of not so surprising to find issues in a beta version. But ControlD doesn't quite have any more issues in the system as such.
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
I made the note to the right of each link. I tried not to focus on NRDs; only 2 links were blocked by NRD alone, the rest by Threat AI or Google Safe Browsing.
Seems like you tested with pretty recent malicious links. Could you maybe share the list somehow? Probably posting here won't be allowed, so it might be a bit tricky...
 
markstitovits

Level 2
Sep 13, 2022
54
NextDNS is much more customizable, but may require manual configuration. Quad9 is also an excellent option. I've seen a test once with NextDNS default options scoring 50/50 and Quad9 scoring 49/50 against malware.
I also recommend that you try out dns0.eu, or dns0 Zero for zero tolerance, made by the co-founders of NextDNS.
 

n8chavez

Level 17
Well-known
Feb 26, 2021
801
Why is it that no one wants to pay for things? The free versions are always used, and it's kind of baffling. What do you think enables free products/versions to exist? It's the paid versions. If everyone uses nothing but the free versions, the company will go out of business. Stop it! If you are not paying for the product, you are the product.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
Why is it that no one wants to pay for things?
Human nature. People just want everything to be top quality but want it cheap or free. People pay a lot of money for consumer goods these days, for example mobile phones and designer shoes, but they last 2 years for phones and 6 months for shoes if you're lucky. It's also a consequence of poor quality control of products and services in the Western world; most people have been burnt and are very cynical or sceptical and thus want to save some money. Software is no different: constant bugs and exploits and update patches, and people just turn off from paying for software and go with the free version.
 

windscribe

From Windscribe
Verified
Developer
Well-known
Dec 28, 2016
121
Not exactly accurate for Control D as you're using an account-less resolver vs a customized setup for NextDNS with your own account. Free resolvers don't use the experimental ML Filter (yet), or have NRD and Phishing filters enabled.

If you enable those filters with an actual account, you get the following results for the domains you mentioned (9/10). It blocked everything except "docs.google[dot]com" domain, which I don't see how NextDNS could block this either. It's a presentation on Google Docs, it cannot be accurately blocked by any DNS services.
 

Attachment: blocked_cd.PNG

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,475
Free resolvers don't use the experimental ML Filter (yet), or have NRD and Phishing filters enabled.
That was the general idea: comparing free DNS resolvers.
If you enable those filters with an actual account, you get the following results for the domains you mentioned (9/10).
With time, other DNS also caught up; the idea is that NextDNS was the fastest, so it works against zero-days. Still good to know that ControlD is that good.
 

windscribe

From Windscribe
Verified
Developer
Well-known
Dec 28, 2016
121
That was the general idea: comparing free DNS resolvers.

With time, other DNS also caught up; the idea is that NextDNS was the fastest, so it works against zero-days. Still good to know that ControlD is that good.
NextDNS free accounts and Control D free DNS resolvers (that don't require accounts) don't have the same features, or same Filters enabled. A fair comparison is using a Control D account (even a trial will do) and enabling the same features as you have enabled with NextDNS. Control D vs NextDNS - An Honest Comparison

Despite NextDNS offering free accounts with a 300k limit (CD free resolvers have no limits), I'm personally puzzled how this can be enough for anything except very light usage. I'm in a 2 person household, with very few devices on the network. My stats for the month on the router. My personal phone and laptop don't register here, as they're on dedicated devices, and add an extra ~500k queries/month. I use these devices sparingly, and have very few apps installed.
 

Attachment: cd_stats.PNG

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,687
@windscribe so you have now released experimental ML/AI as well? It might be time to retest ControlD (don’t be mad at me, I will do a new account and start a new trial). Might post here the results if I got the time.

Btw, you are right about the usage. Here are my stats from NextDNS.
Attachment: IMG_1476.png
 

windscribe

From Windscribe
Verified
Developer
Well-known
Dec 28, 2016
121
Yes, we have, earlier last week: Improving Our Malware Filter With Machine Learning

This week we also released a router utility, similar to NextDNS's but arguably with a lot more features (as of yesterday): Command Line Daemon

When installed on a router (it runs on Windows, Mac, and Linux too) you can see your entire network topology, and redirect traffic to unique profiles, all via the web GUI.

The biggest "downside" of Control D as it stands now is average latency. NextDNS is currently lower (on average), I agree. We're working on this now.
 

Attachment: device_clients.PNG

n8chavez

Level 17
Well-known
Feb 26, 2021
801
Apologies if this has been mentioned before, but this is news to me. Apparently there is a Firefox plugin that gives NextDNS a lot of the abilities I liked about ControlD. With it you can import large lists, export configs, sort lists, and highlight domains in lists. The ability to import lists was a huge plus for ControlD over NextDNS. Not anymore!

See the addon, or the Tampermonkey script.
 