Advice Request NextDNS/ControlD vs Quad9, AV Web Protection


CyberDevil

I want to switch from NextDNS to ControlD, as NextDNS seems to me to be a frankly abandoned project that has not been updated for over a year, which to me is a factor of decreasing trust. The proxying feature is also an important plus for me, as I essentially don't need a full-blown VPN for my normal tasks.

And this is where I have a question. Could someone please tell me what proxying locations ControlD has? Are they the same as Windscribe? I am particularly interested in Israel, Turkey, Russia. :)
 

n8chavez

Here's their proxy list. It's pretty extensive.
 

spaceoctopus

> This kind of thing is the reason I stopped using DNS ControlD, and DNS blocking in general. The ‘best’ is when they randomly block Apple or Google services and suddenly nothing works on the device or network.

It is a well-known fact that sometimes DNS services will give you results like that, blocking legitimate sites, false positives and so on, due to the way they work. Also, when you activate the different filters, ControlD warns you about that. Remember that you can unblock websites by whitelisting them. Nevertheless, a DNS service, and in that case ControlD, is an excellent addition to your security setup.
 

blackice

I understand that. Here is the problem. Usability issues that cripple functionality lead to users bypassing the DNS. Either changing DNS, switching to mobile from Wi-Fi, using a hotspot. This then defeats any security benefit if users get in the habit of bypassing any block. If I am not available to whitelist something, it just leads to bypass. Also, it was near impossible to whitelist the Apple issue as dozens of URLs used in the background were causing the issues. So, I see DNS as a tool that’s mostly beneficial to higher knowledge individuals. It doesn’t work for those who don’t understand what’s happening. I wouldn’t have the patience to deal with it if I didn’t know what was happening either.
 

n8chavez

So, let me see if I have this right. Instead of whitelisting something you'd rather stop using DNS filtering because it can *maybe* block something legitimate? Isn't that like refusing to shower because you might drown? Also, that's your own fault for using Apple anything. They suck.
 

blackice

Not exactly what I said, but take from it what you want.
 

spaceoctopus

@blackice DNS services are not that complicated to use. Of course, if you are an advanced user you may delve into advanced settings. But most DNS services are user friendly.

Again, better use a DNS service in combination with a good antivirus for most users, rather than using some advanced default/deny programs, combining different adblockers and all sorts of anti-tracking software. You get good protection against all kinds of online threats, without having headaches with your security setup.
 

windscribe

From Windscribe
On the subject of malware protection, Control D (as far as I know) is the only service that implements IP blocklists into a DNS service, meaning it will block domains that resolve to malicious IP networks, and doesn't just leverage "domain rules" like all the others. This is part of the Balanced filter: Malware

Also, Control D implements an in-house-made machine learning model that can block domains without them appearing on any blocklist. The description of the v1 model is here: Improving Our Malware Filter With Machine Learning

(Contrary to NextDNS where there is no info on how it works except "It uses AI, trust me bro").

Currently in production the v2 model is used (much better than the v1), and we're wrapping up v3 which has been audited by a 3rd party and will have a new write up sometime in January when it's released. It's very effective.
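
The difference between "domain rules" and IP blocklists described in the post above, as an added example (not Control D's code and not part of the original post). The policy sets, the names and addresses (reserved example domains and documentation ranges) and the rule that an allowlist entry overrides both block types are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample policy: reserved example names and documentation ranges.
BLOCKED_DOMAINS = {"malware.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("198.51.100.0/24", "2001:db8:bad::/48")]
ALLOWED_DOMAINS = {"cdn.shop.example"}  # user allowlist (assumed to win)


def domain_matches(qname, rules):
    """True if qname or any of its parent domains appears in rules."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in rules for i in range(len(labels)))


def verdict(qname, answers):
    """Return (action, reason) for a query and the addresses it resolved to."""
    if domain_matches(qname, ALLOWED_DOMAINS):
        return ("allow", "allowlist")
    # Classic filtering: the name itself is on a list.
    if domain_matches(qname, BLOCKED_DOMAINS):
        return ("block", "domain rule")
    # IP-based filtering: the name is unknown, but its answer is in a listed network.
    for raw in answers:
        addr = ipaddress.ip_address(raw)
        for net in BLOCKED_NETWORKS:
            if addr.version == net.version and addr in net:
                return ("block", f"resolves into {net}")
    return ("allow", "no match")


if __name__ == "__main__":
    # Constructed queries with the answers an upstream resolver might return.
    samples = [
        ("login.malware.example", ["192.0.2.10"]),
        ("fresh-domain.example", ["198.51.100.77"]),   # on no domain list
        ("v6-only.example", ["2001:db8:bad::1"]),
        ("cdn.shop.example", ["198.51.100.5"]),        # false positive, allowlisted
        ("news.example", ["192.0.2.20", "2001:db8:1::5"]),
    ]
    for qname, answers in samples:
        print(qname, answers, "->", verdict(qname, answers))
```

The second and third samples are the case the post is about: a name that appears on no domain list is still blocked because of where it resolves. The fourth shows the cost, since a legitimate host sharing a listed network needs an explicit allowlist entry.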
 

Trident

> I don't have any experience with ControlD but transparency is always a good thing. Yet, I don't really care how NextDNS does it, as long as it works. And it does work.

NextDNS blocks a lot less based on AI compared to ControlD (and not only based on AI but in general). However, the Control D AI, even in its mildest form, produces very many FPs and makes browsing hell. Especially when not-so-popular, non-US/UK websites are used.
It looks like when collecting the training set, they forgot other parts of the world exist.
They’ve just used a collection of popular websites.

The number of false positives needs to be urgently mitigated before the AI filter can become usable. I currently have it well off!
 

windscribe

From Windscribe
You are referring to the old v1 model from many months ago. The v2 one has 3 aggressiveness settings, if you set it to "Relaxed" you won't have any false positives. We've had zero complaints from those running it in this mode.
 

windscribe

From Windscribe
> Do you have any plans to add scam protection as well? For example, integration with Scamadviser, blocking low-rated websites on WOT and Trustpilot, etc.? I think this would be a very interesting feature. Fake online stores and companies are also one of the important threats.

Hi, yes, that's on the roadmap, as part of a much bigger project where we will slowly stop relying on 3rd party services and lists and classify every domain ourselves using a system we're building.

This is a rather large scope of work, and will take some time.
 
