Q&A NextDNS thoughts and experiences?

valvaris

Level 5
Verified
Jul 26, 2015
223
You should, it is a Sisyphus job that doesn't accomplish anything but meaninglessness triggering your and some users' paranoia, pure FUD.
The primary issue is something totally different. Of course it's tinfoil paranoia but what if the installer has / had and so on been compromised?! - Would you not know about that or why solutions out there claim the software could be malicious - I did not do that a few months ago...

The other reason why I did that is to see what Enterprise Grade AV with Sandboxing would do and what reports it generates - The other part is are the results consistent!

In this case it is not and always results in a different outcome.

With all the breaches going on - A little bit more care and a healthy dose of distrust is not misplaced atm.

Sincerely
Val.
 

Nightwalker

Level 22
Verified
Trusted
Content Creator
May 26, 2014
1,159
The primary issue is something totally different. Of course it's tinfoil paranoia but what if the installer has / had and so on been compromised?! - Would you not know about that or why solutions out there claim the software could be malicious - I did not do that a few months ago...

The other reason why I did that is to see what Enterprise Grade AV with Sandboxing would do and what reports it generates - The other part is are the results consistent!

In this case it is not and always results in a different outcome.

With all the breaches going on - A little bit more care and a healthy dose of distrust is not misplaced atm.

Sincerely
Val.

I bet you gonna find similar results with many many other executable files while running that file in an "Enterprise Grade AV with Sandboxing"; in case of doubt you should send the file to Kaspersky, Microsoft, ESET and BitDefender and see what their labs think of the file, it is much more conclusive.

I am not discouraging you from doing these amateur analyses, but in a public forum this does more harm than good; some users and visitors will just think that NextDNS is not trustable while you don't have any evidence of that, just a false positive prone Sandbox result.

"With all the breaches going on - A little bit more care and a healthy dose of distrust is not misplaced atm."

True, but your Sandbox amateur analyses posts in this thread have little to do with preventing a malware APT and more with a misguided focus that has origins in paranoia.
 

valvaris

I bet you gonna find similar results with many many other executable files while running that file in an "Enterprise Grade AV with Sandboxing"; in case of doubt you should send the file to Kaspersky, Microsoft, ESET and BitDefender and see what their labs think of the file, it is much more conclusive.

I am not discouraging you from doing these amateur analyses, but in a public forum this does more harm than good; some users and visitors will just think that NextDNS is not trustable while you don't have any evidence of that, just a false positive prone Sandbox result.
Sorry had to reread this a few times over....

If you would know how Sandblast works you should know it does more than just using an AI-Scanner! -

In terms of tech, behind Checkpoint is the current Kaspersky Engine plus the signatures from Checkpoint

The Threat Emulation Executes the File in a Virtual Environment and runs a VirusTotal Reputation check too.

What it did not like is a call to an outside source -> view report page and classifies that as a Trojan.

Of course I have uploaded this file multiple times to checkpoint since I am a partner - So nothing amateur about it! - coz that is normal to distrust a file at first and wait and see what the Vendors say!

What I can report from Sophos Intercept X Adv. with Sophos XG Firewall Sandbox license: it outright blocks the file - So Checkpoint and Co. are not to blame, there is a reason for that behavior. Yeah I am also a Sophos Engineer / Architect / Partner.

Since the file does not come thru - I can not estimate if Windows Smart-Screen will do something atm and am too lazy to experiment right now.

Best regards
Val.
 

Nightwalker

Sorry had to reread this a few times over....

If you would know how Sandblast works you should know it does more than just using an AI-Scanner! -

In terms of tech, behind Checkpoint is the current Kaspersky Engine plus the signatures from Checkpoint

The Threat Emulation Executes the File in a Virtual Environment and runs a VirusTotal Reputation check too.

What it did not like is a call to an outside source -> view report page and classifies that as a Trojan.

Of course I have uploaded this file multiple times to checkpoint since I am a partner - So nothing amateur about it! - coz that is normal to distrust a file at first and wait and see what the Vendors say!

What I can report from Sophos Intercept X Adv. with Sophos XG Firewall Sandbox license: it outright blocks the file - So Checkpoint and Co. are not to blame, there is a reason for that behavior. Yeah I am also a Sophos Engineer / Architect / Partner.

Since the file does not come thru - I can not estimate if Windows Smart-Screen will do something atm and am too lazy to experiment right now.

Best regards
Val.

I know how it works, I just did something similar now, it isn't nothing special.



So yeah, can we move on with this possible tampered installer thing?
 

valvaris

I know how it works, I just did something similar now, it isn't nothing special.



So yeah, can we move on with this possible tampered installer thing?
Sorry hard to read very blurry - You can upload pictures directly from clipboard here to the forum no need for external picture hosting

For sure you read my topic too - The file has been provided to the Vendors multiple times over

Ohh.. and nice to know what engine you are using for scanning plz :)
 

Nightwalker

Sorry hard to read very blurry - You can upload pictures directly from clipboard here to the forum no need for external picture hosting

It is a thumbnail, that's why it is "blurry", to see the image in full resolution you need to click on it.

 

valvaris

It is a thumbnail, that's why it is "blurry", to see the image in full resolution you need to click on it.


EDIT: Seems that my PC does not like this site; on my Laptop it works just fine. As you mentioned, the pic is clear...

EDIT 2: Thank you very much for the Report, you just helped me a lot :)
 


SecureKongo

Level 21
Verified
Feb 25, 2017
1,089
Plz do not hold me for stupid, if I say it's blurry I mean it - no need to get rude!!!
Source: move-along — ImgBB (ibb.co)

EDIT: Seems that my PC does not like this site; on my Laptop it works just fine. As you mentioned, the pic is clear...
I think you should just leave it like that. He wasn't rude in any way. At the moment it looks like you both don't seem to care about the testing itself, you just both want to be right. 😄
 

valvaris

I think you should just leave it like that. He wasn't rude in any way. At the moment it looks like you both don't seem to care about the testing itself, you just both want to be right. 😄
A slight misunderstanding - Thanks for jumping in btw :D

So to conclude this fiasco, here is the result why both checkpoint and sophos say the file is a no go.

It tries to connect to an outside source during installation, maybe to retrieve the config file for the client <- No assurances there!!! If that is meant to be that way or not is up to the original developer.

The change to the MD5 hash is coz a slight modification is made to the installer to retrieve the correct file for installation per client. The SHA1 is constant. A big thank you to @Nightwalker and his report on post: Q&A - NextDNS thoughts and experiences? | MalwareTips Community

Sincerely
Val.
 

n8chavez

Level 2
Feb 26, 2021
75
I just signed up for a nextdns account. To my surprise, it's very good. But there is one issue that I can't seem to solve with it. When using it with NextDNS Ads & Trackers Blocklist and AdGuard DNS filter, the amazon shopping app doesn't work on my android phone. (If I change the DNS server it's fine.) I've looked at the logs and I can't see why there's an issue. Has anyone else experienced this?
 

ForgottenSeer 85179

I just signed up for a nextdns account. To my surprise, it's very good. But there is one issue that I can't seem to solve with it. When using it with NextDNS Ads & Trackers Blocklist and AdGuard DNS filter, the amazon shopping app doesn't work on my android phone. (If I change the DNS server it's fine.) I've looked at the logs and I can't see why there's an issue. Has anyone else experienced this?
Look at my guide: Tutorial - NextDNS: a DoH/ DoT guide
 

n8chavez

Oops. I spoke too soon. The issue has not been resolved. I believe the issue is being caused by NextDNS Ads & Trackers Blocklist. Any ideas?

Edit:

Sorry to keep posting, but I think I've solved my problem (for real this time). According to this bug report, the block page needs to be disabled. It's known to cause issues with the mobile apps. It seems to work for me, though can anyone else confirm?
 

ForgottenSeer 85179

From a NextDNS forum user, here is an unofficial solution for NextDNS export and also adding own list:
Export your config using hjk789/NXEnhanced, edit the denylist with a macro tool or something from your text editor, then import it back.
 