Advice Request NextDNS thoughts and experiences?

Please provide comments and solutions that are helpful to the author of this topic.
Nightwalker said:
You should, it is a Sisyphus job that doesnt accomplish anything but meaninglessness triggering your and some users paranoia, pure FUD.
Click to expand...
The primary issue is something totally different. Of course its tinfoil paranoia but what if the installer has / had and so on been compromised?! - Would you not know about that or why solutions out there claim the software could be malicious - I did not do that a few months ago...

The other reason why I did that is to see what Enterprise Grade AV with Sandboxing would do and what reports it generates - The other part is are the results consistent!

In this case it is not and always results to a different outcome.

With all the breaches going on - A little bit more care and a healthy dose of distrust is not misplaced atm.

Sincerely
Val.
 
  • Like
  • Applause
Reactions: Venustus, Protomartyr, Kongo and 1 other person
valvaris said:
The primary issue is something totally different. Of course its tinfoil paranoia but what if the installer has / had and so on been compromised?! - Would you not know about that or why solutions out there claim the software could be malicious - I did not do that a few months ago...

The other reason why I did that is to see what Enterprise Grade AV with Sandboxing would do and what reports it generates - The other part is are the results consistent!

In this case it is not and always results to a different outcome.

With all the breaches going on - A little bit more care and a healthy dose of distrust is not misplaced atm.

Sincerely
Val.
Click to expand...

I bet you gonna find similar results with many many other executable files while running that file in an "Enterprise Grade AV with Sandboxing", in case of doubt you should sent the file for Kaspersky, Microsoft, ESET and BitDefender and see what their labs think of the file, it is much more conclusive.

I am not discouraging you to do these amateur analyses, but in a public forum this does more harm than good, some users and visitors will just think that NextDNS is not trustable while you dont have any evidence of that, just a false positive prone Sandbox result.

"With all the breaches going on - A little bit more care and a healthy dose of distrust is not misplaced atm."

True, but your Sandbox amateur analyses posts in this thread have little with preventing a malware APT and more with a misguided focus that has origins in paranoia.
 
Last edited:
  • Like
  • +Reputation
  • Applause
Reactions: Venustus, Protomartyr, Jan Willy and 2 others
Nightwalker said:
I bet you gonna find similar results with many many other executable files while running that file in an "Enterprise Grade AV with Sandboxing", in case of doubt you should sent the file for Kaspersky, Microsoft, ESET and BitDefender and see what their labs think of the file, it is much more conclusive.

I am not discouraging you to do these amateur analyses, but in a public forum this does more harm than good, some users and visitors will just think that NextDNS is not trustable while you dont have any evidence of that, just a false positive prone Sandbox result.
Click to expand...
Sorry had to reread this a few times over....

If you would know how Sandblast works you should know it does more then just using a AI-Scanner! -

In terms of tech behind Checkpoint is Kaspersky current Engine plus the signatures from Checkpoint

The Threat Emulation Executes the File in a Virtual Environment and run's a VirusTotal Reputation check too.

What it did not like is a call to a outside source -> view report page and classifies that as a Trojan.

Of course I have uploaded this file multiple times to checkpoint since I am a partner - So nothing amateur about it! - coz that is normal to distrust a file at first and wait and see what the Vendors say!

What I can report von Sophos Intercept X Adv. with Sophos XG Firewall Sandbox license it outright blocks the file - So Checkpoint and Co. are not to blame there is a reason for that behavior. Yeah I am also a Sophos Engineer / Architect / Partner.

Since the file does not come thru - I can not estimate if Windows Smart-Screen will do something atm and am too lazy to experiment right now.

Best regards
Val.
 
  • Like
Reactions: Venustus and Kongo
valvaris said:
Sorry had to reread this a few times over....

If you would know how Sandblast works you should know it does more then just using a AI-Scanner! -

In terms of tech behind Checkpoint is Kaspersky current Engine plus the signatures from Checkpoint

The Threat Emulation Executes the File in a Virtual Environment and run's a VirusTotal Reputation check too.

What it did not like is a call to a outside source -> view report page and classifies that as a Trojan.

Of course I have uploaded this file multiple times to checkpoint since I am a partner - So nothing amateur about it! - coz that is normal to distrust a file at first and wait and see what the Vendors say!

What I can report von Sophos Intercept X Adv. with Sophos XG Firewall Sandbox license it outright blocks the file - So Checkpoint and Co. are not to blame there is a reason for that behavior. Yeah I am also a Sophos Engineer / Architect / Partner.

Since the file does not come thru - I can not estimate if Windows Smart-Screen will do something atm and am too lazy to experiment right now.

Best regards
Val.
Click to expand...

I know how it works, I just did something similar now, it isnt nothing special.



So yeah, can we move on with this possible tampered installer thing?
 
  • Like
Reactions: Venustus and Kongo
Nightwalker said:
I know how it works, I just did something similar now, it isnt nothing special.



So yeah, can we move on with this possible tampered installer thing?
Click to expand...
Sorry hard to read very blurry - You can upload pictures directly from clipboard here to the forum no need for external picture hosting

For sure you read my topic too - The file has been provided to the Vendors multiple times over

Ohh.. and nice to know what engine your are using for scanning plz :)
 
valvaris said:
Sorry hard to read very blurry - You can upload pictures directly from clipboard here to the forum no need for external picture hosting
Click to expand...

It is a thumbnail, thats why it is "blurry", to see the image in full resolution you need to click on it.

sandbox.JPG
 
  • Like
  • Thanks
Reactions: Venustus and valvaris
Nightwalker said:
It is a thumbnail, thats why it is "blurry", to see the image in full resolution you need to click on it.

View attachment 253233
Click to expand...

EDIT: Seems that my PC does not like this site on my Laptop it works just fine as you mentioned the pic is clear...

EDIT 2: Thank you very much for the Report you just helped me allot :)
 

Attachments

  • 1611318129557.png
    1611318129557.png
    315.8 KB · Views: 1,023
Last edited:
  • Like
Reactions: Venustus
valvaris said:
Plz do not hold me for stupid if I say its blurry I mean it - no need to get rude!!!
Source: move-along — ImgBB (ibb.co)
View attachment 253234

EDIT: Seems that my PC does not like this site on my Laptop it works just fine as you mentioned the pic is clear...
Click to expand...
I think you should just leave it like that. He wasn't rude in any way. At the moment it looks like you both don't seem to care about the testing itself, you just both want to be right. 😄
 
  • Like
  • HaHa
Reactions: Venustus, Jan Willy and valvaris
SecureKongo said:
I think you should just leave it like that. He wasn't rude in any way. At the moment it looks like you both don't seem to care about the testing itself, you just both want to be right. 😄
Click to expand...
A slight misunderstanding - Thanks for jumping in btw :D

So to conclude this fiasco here is the result why both checkpoint and sophos say the file is a no go.

It tries to connect to a outside source during installation maybe to retrieve the config file for the client <- No assurances there!!! If that is meant to be that way or not is up to the original developer.

The changes to MD5 hash is coz a slight modification is made to the installer to retrieve the correct file for installation per client. The SHA1 is constant a big thank you to @Nightwalker and his report on post: Q&A - NextDNS thoughts and experiences? | MalwareTips Community

Sincerely
Val.
 
Last edited:
  • Like
Reactions: Venustus, Protomartyr, Nightwalker and 1 other person
I just signed up for a nextdns account. To my surprise, it's very good. But there is one issue that I can't seem to solve with it. When using it with NextDNS Ads & Trackers Blocklist and AdGuard DNS filter, the amazon shopping app doesn't work on my android phone. (If I change the DNS sever it's fine.) I've looked at the logs and I can't see why there's an issue. Has anyone else experienced this?
 
n8chavez said:
I just signed up for a nextdns account. To my surprise, it's very good. But there is one issue that I can't seem to solve with it. When using it with NextDNS Ads & Trackers Blocklist and AdGuard DNS filter, the amazon shopping app doesn't work on my android phone. (If I change the DNS sever it's fine.) I've looked at the logs and I can't see why there's an issue. Has anyone else experienced this?
Click to expand...
Look at my guide: Tutorial - NextDNS: a DoH/ DoT guide
 
  • Like
Reactions: n8chavez
Oops. I spoke too soon. The issue has not been resolved. I believe the issue is being caused by NextDNS Ads & Trackers Blocklist. Any ideas?

Edit:

Sorry to keep posting, but I think I've solved my proble (for real this time). According to this bug report, the block page needs to be disabled. It's know to cause issues with the moble apps. It seem to work for me, though can anyone else confirm?
 
Last edited:
From a NextDNS forum user, here a unofficial solution for NextDNS export and also adding own list:
Export your config using hjk789/NXEnhanced edit the denylist with a macro tool or something from your text editor, then import it back.
Click to expand...

Blocking a large list of domains

is there a method i can use to add and block a large list of malware domains to my setup? currently you have to block each domain one by one
help.nextdns.io help.nextdns.io
 
  • Like
Reactions: Jan Willy

You may also like...