1

AVLab: NextDNS vs Quad9 vs CleanBrowsing vs Cloudflare ...

AVLab Cybersecurity Foundation from Poland (https://avlab.pl/en/) tested a few DNS services - speed, anti-phishing and anti-malware protection. The article about tests is in Polish only but the tables with results are easy to understand and you can use google translate.
Polecane serwery DNS — które z nich są najszybsze i najlepiej chronią użytkownika?
(Recommended DNS servers - which ones are the fastest and best protect the user?)
https://avlab.pl/polecane-serwery-dns/

My comments in relation to the article:

There is nothing about NextDNS settings during testing in the article but I clarified with AVLab that they used default settings. I don't  remember what features are enabled in default settings but I am sure that AI-Driven Threat Detection BETA and Block Dynamic DNS Hostnames BETA are not enabled by default.

Source of phishing sites used during testing:
1) CERT Poland - https://cert.pl/en/posts/2020/03/malicious_domains/
2) PhishTank - https://phishtank.org/
Source of sites infected by malware used during testing:  
3) URLhaus - https://urlhaus.abuse.ch/

All sources (CERT.pl, PhishTank, URLhaus) are part of NextDNS Threat Intelligence Feeds:
https://github.com/nextdns/metadata/blob/master/security/threat-intelligence-feeds.json

URLhaus (ABUSE CH) is also provider of threat intelligence for Quad9 - https://quad9.net/about/partners

RESULTS
NextDNS results in blocking were not very good and I can't understand why. AI-Driven Threat Detection was not enabled but all three sources of phishing and malware websites are in NextDNS Threat Intelligence Feeds. Any possible explanation?

CleanBrowsing was the best in blocking malicious websites (phishing and malware).
Quad9 - second spot in blocking malicious websites.

From cleanbrowsing.org:  
"Our list of malicious (and phishing) domains are considered one of the best in the market and is updated every 3 hours. We are specially good at filtering phishing, malware and malicious domains used by web exploit attacks."
https://cleanbrowsing.org/for-security/

4 replies

null
    • Calvin_Hobbes
    • 1 yr ago
    • Reported - view

    There’s so many variables to determine what’s “best”.  Do you prefer faster vs safer vs ad/tracker blocking.   Much of that also depends on your region, isp and your own personal preference and your ability to use and troubleshoot a DNS problem.     What works best   for you will likely  be different than what works best for grandma.

    • Hey
    • 1 yr ago
    • Reported - view

    From my own testing with a few providers like urlhaus and a few more using only OISD with all the security options turned on, AI alone got about 60-70% of threats by itself then the rest was more or less gotten through OISD/NDR/Threat Intelligence etc this was before the DDNS Hostname Blocking.

    AI would mostly also be backed/overlapped by Threat Intelligence most of the time so even without AI it should be fine but AI does a lot from my testing.

    Anyhow, with the default settings on many tests including ones by me, a Youtuber (https://www.youtube.com/watch?v=wSAWCMTwPiU) and a few tests on Twitter that I'd seen, NextDNS most of the time gets even better results than Quad9.

      • Hey
      • 1 yr ago
      • Reported - view

      I'd also heavily disagree with CleanBrowsing's results for the free users who are simply using their Security IP address. I can't speak on behalf of their paid service with customization etc but purely using the IP I'd gotten something close to 40-50% when compared to 90+ by most major services like Quad9/NextDNS/DNSFilter. So if someones going for the pure free IP Quad9 would be much better from my knowledge. But yeah nothing is perfect and I'd say go on a few sites where malicious sites are posted live and test with them to get as close to 0-Day like results as possible and clean the DNS Cache to test for your own.

       

      I'd like point out this was done a 3-5 months ago though so they might have gotten better but at the time it wasn't a good result at all.

      • Coral_River
      • 1 yr ago
      • Reported - view

      Hey Thank you for your comment. The reason for poor results is that they used default settings. I've checked these settings.

      Features, which are enabled by default:
      - Threat Intelligence Feeds
      - Google Safe Browsing
      - Cryptojacking Protection
      - IDN Homograph Attacks Protection
      - Typosquatting Protection
      - Domain Generation Algorithms (DGAs) Protection

      Features, which are disabled by  default:
      - AI-Driven Threat Detection BETA
      - DNS Rebinding Protection
      - Block Newly Registered Domains (NRDs)
      - Block Dynamic DNS Hostnames BETA
      - Block Parked Domains

      I hope that next time they will enable all these features. They test DNS providers every year and this is the first time that NextDNS was included.

Login to reply

Content aside

  • 1 Likes
  • 1 yr agoLast active
  • 4Replies
  • 2623Views
  • 2 Following