Advice Request NextDNS/ControlD vs Quad9, AV Web Protection


TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,685
Considering that, can services like NextDNS, ControlD even come close?
I basically replaced AV and AD/tracker blocking with DNS, along with OS/browser mitigations, that should be enough, for me anyway.
Oh....I have seen this one. Doesn't prove much as the source used to get those malicious domains is unknown.
Yes, those tests block known malicious domains, but they test DNS services using defaults. Blocking NRDs, private IPs, TLDs, VPNs, social media, etc., that alone blocks new threats.
 


Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
I was thinking of testing NextDNS, Quad9 and another DNS vs 2/3 antivirus on malicious links and phishing videos as soon as I have time :)
Control D has a list for malware. But also another one for phishing.

You might need to create a custom malware + phishing configuration

 

ForgottenSeer 97327

@Shadowra could you test The European public DNS that makes your Internet safer (DNS of the EU), Quad9 (logs in Switzerland) and NextDNS (logs in the EU or Switzerland depending on user choice)?

Make sure that you enable blocking of parked and newly registered domains in NextDNS and enable AI, because a study has proven that most HTTPS malware domains are hacked, most malvertising comes from redirected parked domains and most phishing from newly registered (existing less than 30 days) domains. AI is important because the turnaround time of abused domains is only a few days.

The average turnaround time to respond to and/or mitigate abuse complaints is as follows:
  • Response: the average turnaround is 1 day, mitigation is generally as follows:
  • Phishing: 24/48/96 hours
  • Spam: 96 hours
  • Malware: 24/48/96 hours
  • CSAM (Child Sex Abuse): 96 hours
  • Botnets reported/detected: 24/48/96 hours
  • Pharming: 24/48/96 hours

As a rule of thumb (in the EU), it's better to block HTTP websites (the majority moved to HTTPS, less than 1% of business websites are still on HTTP and 95% of them are HTTP websites of dead companies, so in daily practice HTTP can be blocked).
 

Templarware

Level 10
Verified
Well-known
Mar 13, 2021
462
Are you using blocklists in the Privacy section tab? Ads and trackers blocklists present there may be responsible for that. If you choose a bit wisely as to which ones to use, there aren't such issues usually.
I only used the best one, like OISD and removed the default one, otherwise it would be even worse.

If you're not going to block ads and tracking and only focus on security, then it makes no sense to use NextDNS, just use Quad9 since it's superior for that.
 

CyberDevil

Level 9
Verified
Well-known
Apr 4, 2021
414
I think NextDNS features are not far behind Quad9 - AI, open specialized lists, general purpose lists, built-in Google Safe, blocking new and parked domains, blocking most untrusted top level domains + blocking bypassing methods (other DNS and VPN).

I feel safe on the web only with NextDNS, although I wish it had some additional features to protect me from scammers, like Emsisoft's recently added integration with Scam Adviser. In fact, there are many opportunities to make it better, but it feels like the project is in a passive state of development.
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
I only used the best one, like OISD and removed the default one, otherwise it would be even worse.

If you're not going to block ads and tracking and only focus on security, then it makes no sense to use NextDNS, just use Quad9 since it's superior for that.
I agree using NextDNS without ad blocking would be a waste... but I use more than just OISD and I didn't find required domains getting blocked. Could you maybe see the logs in real time and see which exact domains are getting blocked and by which filter/feature?
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
I think NextDNS features are not far behind Quad9 - AI, open specialized lists, general purpose lists, built-in Google Safe, blocking new and parked domains, blocking most untrusted top level domains + blocking bypassing methods (other DNS and VPN).

I feel safe on the web only with NextDNS, although I wish it had some additional features to protect me from scammers, like Emsisoft's recently added integration with Scam Adviser. In fact, there are many opportunities to make it better, but it feels like the project is in a passive state of development.
Regarding blocking most untrusted top level domains, NextDNS doesn't do that automatically, right? I mean the user has to select which top level domains should be blocked manually, right?
 

ForgottenSeer 97327

@SohanRay Yes, NextDNS has user-configurable block options on TopLevelDomain and Domain level (also an allow list for domains).
It is really useful for the stuff you want to block completely.

When you are a happy Quad9 user, there are also GitHub users (like LennyFox) who keep TLD blocklists which you can add to AdGuard or uBlockOrigin:
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
@SohanRay Yes, NextDNS has user-configurable block options on TopLevelDomain and Domain level (also an allow list for domains).
It is really useful for the stuff you want to block completely.
Yeah, I mean I know it's user configurable, as in the user needs to select each TLD that needs to be blocked. I was asking if there is any setting or something that automatically blocks the most abused TLDs. Because currently I need to check the top 10 most abused TLDs on the Spamhaus site from time to time to select which TLDs to block.
 

zkSnark

Level 5
Verified
Well-known
Jan 13, 2019
223
I was thinking of testing NextDNS, Quad9 and another DNS vs 2/3 antivirus on malicious links and phishing videos as soon as I have time :)
NextDNS reduced the speed for me, so I went for Quad9, which was better than NextDNS. A few days back, I found out about Mullvad DNS and now I am using Mullvad DNS (adblock.doh.mullvad.net) on my mobile phone, which is performing best for me till now.
For your upcoming test, please include MullvadDNS (doh.mullvad.net and adblock.doh.mullvad.net) too. Thanks.
 

ForgottenSeer 97327

I am playing a bit with DNS settings in the router, network adaptor and browser, but (question) is it correct that the priority sequence is application > network adaptor > router? Meaning when I have enabled NextDNS in my browser, that is the DNS my browser uses. Other applications use the DNS set in the network adaptor, and other devices (not having set a DNS) will use the DNS set in the router?
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
I am playing a bit with DNS settings in the router, network adaptor and browser, but (question) is it correct that the priority sequence is application > network adaptor > router? Meaning when I have enabled NextDNS in my browser, that is the DNS my browser uses. Other applications use the DNS set in the network adaptor, and other devices (not having set a DNS) will use the DNS set in the router?
The browser uses the DNS set in its settings, and the DNS set in the device if no DNS is set. The device uses the DNS set in its settings, or the DNS of the network it's connected to if no DNS is set. The DNS set in the router is practically the network's DNS, unless there's some other network present too, like mobile data.
Any application would use the device DNS settings unless some DNS is set in the application explicitly, in case it's possible to do so in that application.
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
I was looking into Cloudflare Gateway DNS and NextDNS as a comparison. Which one do you think is better at blocking malicious domains?
Cloudflare partners with VirusTotal, which gathers intel from a lot of security companies.
 

Moonhorse

Level 38
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,728
I was looking into Cloudflare Gateway DNS and NextDNS as a comparison. Which one do you think is better at blocking malicious domains?
Cloudflare partners with VirusTotal, which gathers intel from a lot of security companies.
NextDNS is better

Ran a bunch of malware/phishing URLs and ControlD free did much better than Quad9 & Cloudflare free, especially against phishing
Personally I'm gonna swap from Quad9 to ControlD
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
NextDNS is better

Ran a bunch of malware/phishing URLs and ControlD free did much better than Quad9 & Cloudflare free, especially against phishing
Personally I'm gonna swap from Quad9 to ControlD
Wait...so where was NextDNS ranking in this test? And by Cloudflare do you mean you used the Cloudflare gateway DNS?
 

Moonhorse

Level 38
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,728
Wait...so where was NextDNS ranking in this test? And by Cloudflare do you mean you used the Cloudflare gateway DNS?
I did not test Cloudflare Gateway, just the public resolvers of Quad9, Cloudflare & ControlD... and ControlD did best against malicious URLs

About which is better, Cloudflare Gateway or NextDNS, you asked

I have used both Cloudflare WARP/Gateway paid DNS & NextDNS

In my opinion NextDNS is better, because you can configure it more than Cloudflare. You can block newly registered domains & use AI to block malicious sites; it's also the fastest DNS on my end

You should trial them both and test which suits you best
 

SohanRay

Level 5
Thread author
Mar 19, 2022
246
I did not test Cloudflare Gateway, just the public resolvers of Quad9, Cloudflare & ControlD... and ControlD did best against malicious URLs

About which is better, Cloudflare Gateway or NextDNS, you asked

I have used both Cloudflare WARP/Gateway paid DNS & NextDNS

In my opinion NextDNS is better, because you can configure it more than Cloudflare. You can block newly registered domains & use AI to block malicious sites; it's also the fastest DNS on my end
Could you run the test with NextDNS and Cloudflare Gateway DNS too?
I understand NextDNS provides better configurability, but is it better at blocking malicious domains than Cloudflare? Also, is ControlD better than these two at malicious domain blocking?
 

Kuttz

Level 13
Verified
Top Poster
Well-known
May 9, 2015
630
NextDNS, if well configured, offers more protection than Quad9. Features like "Block Newly Registered Domains", for example, block every domain that was created less than 30 days ago. Since most of the malicious, phishing domains are quite new and often short-lived, the feature is quite effective in dealing with such threats and hardly causes any interference with normal browsing. Configurability is NextDNS's highlight when compared to other DNS service providers.

In addition to ad blocking and security features, NextDNS can also block native Windows tracking to a good extent if you enable the feature. After enabling it, my 3rd most blocked tracking queries are from Windows 10 itself. I haven't tried ControlD yet, but I would recommend trying it over the ordinary DNS services like Quad9, Cloudflare, etc.
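
The layering several posters describe (an allow list, domain and TLD blocks, and the 30-day newly-registered-domain rule), sketched as an added example that is not from the thread and is not NextDNS's or any other provider's code. The precedence order, the `decide` function, the policy layout and every sample domain and date are assumptions constructed for illustration.

```python
from datetime import date

NRD_WINDOW_DAYS = 30  # "newly registered" threshold quoted in the thread

def in_list(name, entries):
    """True if name, or any parent domain of name, is in entries."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in entries for i in range(len(labels)))

def decide(qname, today, policy):
    """Return (action, reason) for one queried name under the given policy."""
    name = qname.rstrip(".").lower()
    if in_list(name, policy["allowlist"]):      # assumption: allow list wins
        return ("allow", "allowlist")
    if in_list(name, policy["denylist"]):
        return ("block", "denylist")
    if name.rsplit(".", 1)[-1] in policy["blocked_tlds"]:
        return ("block", "tld")
    # Simplification: treat the last two labels as the registered domain.
    # A real resolver would consult the Public Suffix List (co.uk and similar).
    registered = ".".join(name.split(".")[-2:])
    created = policy["registered_on"].get(registered)
    if created is not None and (today - created).days < NRD_WINDOW_DAYS:
        return ("block", "nrd")
    return ("allow", "default")

# Constructed sample policy and registration dates (reserved test names only).
POLICY = {
    "allowlist": {"intranet.corp.test"},
    "denylist": {"ads.old-site.example"},
    "blocked_tlds": {"test"},
    "registered_on": {
        "fresh-brand.example": date(2023, 2, 9),
        "month-old.example": date(2023, 1, 20),
        "old-site.example": date(2015, 6, 1),
    },
}
TODAY = date(2023, 2, 19)

if __name__ == "__main__":
    for q in ("intranet.corp.test", "login.shop.test", "Pay.Fresh-Brand.example.",
              "month-old.example", "cdn.ads.old-site.example", "www.old-site.example"):
        print(q, decide(q, TODAY, POLICY))
```

The allow-listed name survives the TLD block, which is why a broad TLD block stays usable, and the domain registered exactly 30 days earlier is no longer treated as new.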
 
