NextDNS vs Competition? Who's pulling ahead?

Hey Recently I had a look at ControlD and I have learned that they implement a lot of new features and have ambitious plans:
No limits, 3rd Party Filters (including OISD), disable button, and more
https://blog.controld.com/no-limits-3rd-party-filters-and-more/
What's coming up?
- More Locations, Less Latency
- "AI" Based Malware Filtering (sometime in the Fall of 2022)

The issue with IPs was solved by auto delete feature:
https://feedback.controld.com/posts/870/100-ips-limit
https://feedback.controld.com/posts/891/ips-auto-delete

servilo That auto IP delete must be new, I had seen multiple people complaining about manually deleting it at the time and people were sharing scripts that would bulk delete the IPs. Nice to see that since that was the most problematic issue they had. I did know about third part filters since after some time with their own they didn't want to go through as most people wanted OISD or other filters. Disable button wouldn't exactly work but I guess a remote toggle to quickly whitelist the domain for lets say 5 minutes could work. So the users with the CA Cert could press a button to temporarily whitelist a domain. I don't think it would be too useful as when you properly configure a DNS you shouldn't need to do that in the first place but I get the appeal.

Hey Do you have a list of all the other DNS service's? 

Lone Wolf Any search engine will do the trick

servilo NextDNS forums is lacking when it comes to responses. They can do better with letting users know of fixes and generally reply more to inform they hear the users as it's just nice to see responses.

They should also really do the basic changes that people want with Dark Mode and block/allow through logs etc as it wouldn't be a huge change and get a lot of people to be far happier.

Other than that though, I'm still on with my statement as NextDNS being the best service in terms of for a general user, it lacks in some aspects but since the service is as simple as a DNS, once setup most users wouldn't even have a single issue.

The forums and issues here are present but on a larger scale with all the users, basically 99.9x aren't having any issues in the first place.

I'll read up on the first link since comparisons always get my interest.

servilo I've read the discussion not the whole since I'm somewhat lazy and it's 5am but I've read most of the pages.

For Quad9 I completely agree that it's one of the best services for blocking malicious domains, it's as others have said consistently amazing in blocking Malicious Domains.

ControlD at some point had horrible updated to Threat Intelligence where they had on par scores to NextDNS/Quad9 but lost everything with new domains but I've heard they fixed that. So if they still use the same feeds and update more often it should be pretty good with known threats.

For NextDNS as it's the service I use, I absolutely don't think that the Threat Intelligence Feeds on GitHub are all they are using.

With the recent test I did mostly to see if I was wrong with CleanBrowsing, Threat Intelligence caught most of the domains as well as AI, I've used the said "Free" sites before and know they change domains up every week or even more often to every few days, so the feeds are definitely not outdated or old.

They most likely don't list private feeds on their GitHub page as they don't have AI etc on their GitHub either.

I'd also say that if you got time, I can dm you a few links or you can just type in X show/movie full or like x season x episode / x game free on Google and you should check what gets blocked, verify through VirusTotal and compare the services, that's in my opinion the best way to go as it's the most likely source of infection in a household where someone wants x for free and gets Malicious Ads/Pages.

The above test would apply better for an end user and more likely than show the lack of layers in most services. These domains are barely caught by a few known AV providers and aren't listed on any major Malicious/Phishing lists so it shows how Intelligent the Threat Intelligence really is.

As a disclaimer, I don't condone piracy, most of the sites are filled with malicious domains, popups and general bad intent, as they aren't legal services, their sponsors/funding doesn't exactly come from legal methods and that usually involves Phishing and Malicious domains.

It's simply a good way of getting unknown threats to test services, even then I'd say be advised and don't do it if you don't know what you're doing.

Hey I like to read about tests but I don't have skills to verify tham.
I've been using NextDNS for more than a year but I think that Quad9 (set and forget) is the best service for me. Maybe next year I will also try ControlD for a few months but eventually Quad9 will win. I try different services because by using them I learn a lot.

servilo It's not hard at all to verify the domains that I've talked about, they are clear re-directors or domains that try to get you to sing-up / download things with malicious intent. You can also go through VirusTotal to ensure that in fact they have been tagged so by people in the security industry.

I do agree with Quad9 being the choice if you don't care about anything else other than malicious domains.

Like I've said though, NextDNS is on-par and at times better than Quad9 while giving you control over what you're blocking or not with NRD/DDNS Hostname Blocking that from my knowledge Quad9 doesn't use. These are all additional layers that do increase a users security with with little to no impact in general browsing for the average user visiting know sites but that services without control like Quad9 can't logically deploy as a Business might deploy and use a new domain or a DDNS domain that they can't unblock.

Both are set-up and forget if you ask me as long as you don't want to mess with your config daily. For the average user who wants privacy and control with all the security benefits, NextDNS and for the users who just want Privacy and Security and don't mind not blocking ads/analytics.

They are interchangeable and would more or less perform the same in a realistic attack vector standpoint if you ask me.

To add to this, by purely blocking Ads/Re-directors and generally iffy domains, you could dramatically reduce your attack vector.

Most of the tests are done through known malicious domains that are detectable to an extent since they have clear intentions to infect your system or pish you out of your money.

There is also the middle ground of Ad-ware and questionable sites that are far more likely to be visited by the average user.

Ads that are deceptive and used to prey on emotions, feelings or insecurities to basically steal from people through fake Charities, Fake Medications and methods of Making Money / Self Help / Mentoring or similar fishy businesses. That's without counting all the deceptive PC speedup or fake services that steal info from basic email to card details.

So blocking ads on top of direct malicious threats is a better approach for most people as the likelihood of them falling for a malicious ad that slipped away or a problematic website that isn't directly malware but is questionable is far more likely compared to getting targeted malware.

I also don't want to undermine the tests done with threats from list/domain providers. It's as important since if that domain exists and is known, someone somewhere is going to fall for it.

I just wanted to add a different point of view since in fact Quad9 is really good but you also need to account for their compatibility and how a major DNS is not going to realistically block something even if a tiny percent cares as the user can't modify or change any actions from the DNS.

With pure numbers Quad9 and NextDNS are interchangeable from what I've seen myself with NextDNS edging it out on some cases, but it's not just customizability that you get, you also get functions that wouldn't work for everyone and a completely different method of blocking threats.

Hey Cybersecurity is not only about DNS service:
- I don't visit high risk websites,
- I use Brave Browser, which is very good at blocking ads,
- I have a good Internet Security suite,
- I use the Bitdefender TrafficLight extension.
In this situation the choice of DNS service is not so important. Both Quad9 and NextDNS will do.

servilo I've never said not believe that DNS is the only layer of defense needed, we were talking about DNS services and that's why I pointed out NRD/DDNS.

Also, I've tested Bitdefenders Traffic Light just a few days ago and it's lacking in many ways, it doesn't block some domains that has been on Urlhaus for hours your choice to use it but wanted to let you know.

Hey There is no product which gives 100% protection but all defensive layers, which I use give very good protection (but also not 100%).

Hey Control D has definitely improved. They also now update all their feeds hourly (which wasn't so before). They have their in-house blocklists in place too. 

NextDNS does use Private feeds which aren't disclosed publicly. One of its founders answered this question of mine in Github once.

One major thing that people might have missed, (even I did until  recently) is that NextDNS doesn't just use blocklists/threat intelligence feeds, but also uses advanced hueristics to detect/catch malicious domains. And 'AI' feature isn't the only one that does that.

Visit ->https://www.dns0.eu/zero

Another free public DNS service  launched by Nextdns founders. You will find most of the NextDNS security features mentioned under 'Heuristics'. And the top description saying that the DNS uses human-vetted threat intelligence with advanced heuristics that automatically identify high-risk patterns.

Control D only uses blocklists, and most other DNS services also do that only.

NextDNS LinkedIn

https://id.linkedin.com/company/nextdns

Adguard LinkedIn

https://cy.linkedin.com/company/adguard

https://ca.linkedin.com/company/controld-inc

This doesn't precisely show everyone that's working but for NextDNS, it's not bad, 6 people listed on LinkedIn vs 2 on ControlD and 25 on Adguard.

Adguards team is larger since they have extensions, full fledged Adblockers VPN DNS etc as well as filter maintainers so that's the entire team not just DNS.

As a disclosure, this doesn't mean it's the entire team, just something we can gather with a quick search to give context through LinkedIn connections.

Rob 

NextDNS: <25 Employees ; Revenue: <$5 Million

https://www.zoominfo.com/c/nextdns-inc/482552930

By using zoominfo.com you can also check other DNS providers from the US.

NextDNS is very good at protecting his own privacy ;-)

Lone Wolf You can use AdGuard/RethinkDNS app and set the upstream to Quad9, local filtering will use any blocklist you want.

Martheen I like RethinkDNS, but the amount of lists is crazy! How many are recommended? And which ones are the best?