Could you run the test with NextDNS and Cloudflare Gateway DNS too?
I understand NextDNS provides better configurability but is it better at blocking malicious domains than Cloudflare? Also, is ControlD better than these two at malicious domain blocking?
Sorry, I only have access to PhishTank & URLhaus, where I test the free versions of Quad9, NextDNS, Cloudflare & ControlD. I have been testing for a few days now, and I have found that ControlD is the best free DNS you can have against malicious URLs.
ControlD & NextDNS are more configurable than Cloudflare Gateway, and I believe that's where the difference is.
I don't have that much time to test all of them, and I also don't have fresh phishing/malware URLs to test them on.
I would still recommend trialling them, doing the testing yourself and finding the one that suits you.
Maybe @Evjl's Rain can run a test comparison of DNS filters.
The thing is the Internet does not only revolve around DNS... (DNS to IP or IP to DNS / Forward and Reverse Lookups)
For a better protection you should limit your GEO Size to the ones you really need. Example: US and EU
This goes for incoming and outgoing traffic. Like this, even if malware hits a system, it will have a much tougher time exfiltrating data or even connecting to C2C servers. The other side effect is that DNS requests from outside the GEO range will not reach the systems.
There are open-source projects that help a lot: pfSense and pfBlockerNG. OPNsense has a free way to implement GEO blocking. This is all at the network level, and then add NextDNS / Cisco Umbrella / Cloudflare and such...
At the browser I recommend uBlock Origin / AdGuard for a little added extra.
I've seen a test a few months ago. Out of 50 malicious links, NextDNS blocked 50/50, Quad9 blocked 49/50. Cloudflare with malware blocking falls behind, but I don't remember its score :c.
Bitdefender also has great protection against malicious sites.
Malicious URL blocking at the DNS level is a great way to supplement other security layers (especially when the Newly Registered Domains block is enabled), but it is not a replacement for IPS, anti-phishing and anti-bot components.
DNS resolvers (Cisco with their Talos and Umbrella excluded) often don’t have the telemetry and resources to proactively stay on top of phishing and malware distribution; it is rather a reactive, community-driven approach.
OK, I got tired of waiting for someone else to do it, so I did a quick test, because I wondered myself if NextDNS is still the best at malware filtering.
I focused on free DNS, so only free ControlD. I am using NextDNS on 4 devices and it hardly reaches 200k, so yes, it is sufficiently free.
I tested using DoH on LibreWolf to avoid using browser's blocking features, like googlesafebrowsing, though it can be included in DNS.
Malware
1. https://thetranslog[dot]com/feso/auth/rlvqv4i/pablo.ghiglione@tvglobo.com.br - Threat AI/GoogleSafeBrowsing
2. https://gcc02[dot]safelinks.protection.outlook.com/?url=https%3A%2F%2Fvk.com%2Faway.php%3Fto%3Dhttps%253A%252F%252F690215.mystriplife.com%252F%252324465626f7261682e536368617276656e4073616e616e746f6e696f2e676f76&data=05%7C01%7CDeborah.Scharven%40sanantonio.gov%7C68b1fc69aede467afa5a08db4dd142b2%7C1ab0214fac4a4407a7c62ef1eb76dac5%7C0%7C0%7C638189334517396770%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=79%2BSUUjYkC4v%2BlR2%2Ft8L4aCCIvXxOEZmeu1YG17aZ%2FA%3D&reserved=0 - GoogleSafeBrowsing blocked the redirect
3. https://online[dot]forms.app/brandonhousholder/untitled-form - Threat AI
4. https://smartphoodapp[dot]com/xmine.exe - Threat AI
5. https://phd-ce.com[dot]br/kbase/rentfree.zip - Threat AI
6. https://osatech[dot]pt/kbase/rentfree.zip - Threat AI
Phishtank:
1. https://docs.google[dot]com/presentation/d/e/2PACX-1vQ4UYreeA6yHNrNCL9xScGocwJuaDV0fjV-NFiezw9cnmLko_pClazvc8mkegePrXdKasaWde0R_JmL/pub?start=false&loop=false&delayms=3000&slide=id.p - GoogleSafeBrowsing
2. https://itaponto[dot]com - GoogleSafeBrowsing/NRDs
3. https://banksdiscuont[dot]com - NRDs
4. https://app.chainqpt[dot]org - NRDs
Finding malicious links is exceptionally hard unless you have a subscription, so it is a fairly basic test, but I got the answer I was looking for.
NextDNS works, and out of all free DNS it is the only one which blocks NRDs; that alone makes it worth it, regardless of any other feature.
For the record, last time ControlD failed to block NRDs even in the trial version; they used a blacklist for it? Not sure if it is fixed?
P.S. I have noticed that some links are blocked now, so NextDNS also wins on response time; it blocks fresh PhishTank links as well.
Of course, take into account that DNS is about blocking domains, not links. It cannot block phishing/malware on legitimate domains.
I made the note to the right of each link. I tried not to focus on NRDs; only 2 links were blocked by NRD alone, the rest by Threat AI or GoogleSafeBrowsing.
Seems like you tested with pretty recent malicious links. Could you maybe share the list somehow? Probably posting here won't be allowed, so it might be a bit tricky....
NextDNS is much more customizable, but may require manual configuration. Quad9 is also an excellent option. I've seen a test once with NextDNS default options scoring 50/50 and Quad9 scoring 49/50 against malware.
I also recommend that you try out dns0.eu, or dns0 zero for zero tolerance made by co-founders of NextDNS.
Why is it that no one wants to pay for things? The free versions are always used, and it's kind of baffling. What do you think enables free products/versions to exist? It's the paid versions. If everyone uses nothing but the free versions the company will go out of business. Stop it! If you are not paying for the product, you are the product.
Human nature. People just want everything to be top quality but want it cheap or free. People pay a lot of money for consumer goods these days, for example mobile phones and designer shoes but they last 2 years for phones and 6 months for shoes if you're lucky. It's also a consequence of poor-quality control of products and services in the Western world, most people have been burnt and are very cynical or sceptical and thus want to save some money. Software is no different, constant bugs and exploits and update patches and people just turn off from paying for software and go with the free version.
Not exactly accurate for Control D as you're using an account-less resolver vs a customized setup for NextDNS with your own account. Free resolvers don't use the experimental ML Filter (yet), or have NRD and Phishing filters enabled.
If you enable those filters with an actual account, you get the following results for the domains you mentioned (9/10). It blocked everything except "docs.google[dot]com" domain, which I don't see how NextDNS could block this either. It's a presentation on Google Docs, it cannot be accurately blocked by any DNS services.
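The point made in the posts above, that a resolver sees only hostnames and never the link itself, worked through as an added example (not code from any poster or DNS vendor). The sample URLs are constructed with reserved `.example` names, the `SHARED_PLATFORMS` list is an illustrative assumption, and only destinations embedded in query parameters are followed, not HTTP redirects.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: illustrative set of shared platforms where a domain-level block
# would also cut off legitimate content. Not taken from any resolver's lists.
SHARED_PLATFORMS = ("docs.google.com", "safelinks.protection.outlook.com")

def refang(url: str) -> str:
    """Undo the "[dot]" defanging used in the thread's URL list."""
    return url.replace("[dot]", ".")

def _nested_url(query: str):
    """Return a destination URL carried in a query parameter, peeling up to
    three extra layers of percent-encoding, or None if there is none."""
    for _, value in parse_qsl(query):
        for _ in range(4):
            if value.lower().startswith(("http://", "https://")):
                return value
            value = unquote(value)
    return None

def hostname_chain(url: str, max_hops: int = 5) -> list:
    """Hostnames a client resolves while following the link: the only thing
    a filtering resolver sees. Paths, queries and fragments never reach it."""
    chain, current = [], refang(url)
    for _ in range(max_hops):
        parts = urlsplit(current)
        if not parts.hostname:
            break
        chain.append(parts.hostname.lower())
        current = _nested_url(parts.query)
        if current is None:
            break
    return chain

def is_shared(host: str) -> bool:
    return any(host == p or host.endswith("." + p) for p in SHARED_PLATFORMS)

def dns_verdict(url: str) -> str:
    """'domain' if some hop is a dedicated host a resolver can block cleanly,
    'url-only' if every hop is a shared platform (needs URL-level filtering)."""
    return "domain" if any(not is_shared(h) for h in hostname_chain(url)) else "url-only"

# Constructed samples shaped like the thread's entries (reserved .example names).
WRAPPED = ("https://gcc02[dot]safelinks.protection.outlook.com/?url=https%3A%2F%2F"
           "redirector.example%2Faway.php%3Fto%3Dhttps%253A%252F%252F"
           "landing.example%252Fpage&data=05%7C01&reserved=0")
HOSTED = "https://docs.google[dot]com/presentation/d/e/EXAMPLE-ID/pub?start=false&slide=id.p"

if __name__ == "__main__":
    for sample in (WRAPPED, HOSTED):
        print(dns_verdict(sample), hostname_chain(sample))
```

When scoring resolvers against a URL list, count a `url-only` entry separately: a miss there reflects the limit of DNS filtering, not the quality of the blocklist.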
With time, other DNS also caught up; the idea is that NextDNS was the fastest, so it works against zero days. Still good to know that ControlD is that good.
That was the general idea, comparing free DNS resolvers.
NextDNS free accounts and Control D free DNS resolvers (that don't require accounts) don't have the same features, or same Filters enabled. A fair comparison is using a Control D account (even a trial will do) and enabling the same features as you have enabled with NextDNS. Control D vs NextDNS - An Honest Comparison
Despite NextDNS offering free accounts with a 300k limit (CD free resolvers have no limits), I'm personally puzzled how this can be enough for anything except very light usage. I'm in a 2 person household, with very few devices on the network. My stats for the month on the router. My personal phone and laptop don't register here, as they're on dedicated devices, and add an extra ~500k queries/month. I use these devices sparingly, and have very few apps installed.
@windscribe so you have now released experimental ML/AI as well? It might be time to retest ControlD (don’t be mad at me, I will do a new account and start a new trial). Might post here the results if I got the time.
Btw you are right about the usage. Here are my stats from NextDNS.
This week we also released a router utility, similar to NextDNS's but arguably with a lot more features (as of yesterday). Command Line Daemon
When installed on a router (it runs on Windows, Mac, and Linux too) you can see your entire network topology, and redirect traffic to unique profiles, all via the web GUI.
The biggest "downside" of Control D as it stands now is average latency. NextDNS is currently lower (on average), I agree. We're working on this now.
Apologies if this has been mentioned before, but this is news to me. Apparently there is a Firefox plugin that gives NextDNS a lot of the abilities I liked about ControlD. With it you can import large lists, export configs, sort lists, and highlight domains in lists. But the ability to import lists was a huge plus for ControlD over NextDNS. Not anymore!