2

NextDNS vs AdGuard DNS 2.0?

AdGuard released their DNS v2.0 today:

https://adguard.com/en/blog/adguard-dns-2-0.html
 

Did anyone try this out? How does it compare to NextDNS?

26 replies

null
    • ahmed_ensar
    • 2 yrs ago
    • Reported - view

    Google Translate:

    Does NextDns use DPI why doesn't it show even a simple page?

      • NextDNs
      • 2 yrs ago
      • Reported - view

      ahmed ensar you need to install the nextdns root CA and enable block page for this to work. We don’t install this by default with our apps because it has security implications.

      • ahmed_ensar
      • 2 yrs ago
      • Reported - view

      NextDNS 

      Google Translate:

      I already use nextdns for inexperienced people at home. I don't have access to their phones and computers. It's ridiculous to tell you to go install a root certificate on his device. :D

      • Martheen
      • 2 yrs ago
      • Reported - view

      ahmed ensar AdGuard shouldn't be able to show that page too if you only use their DNS product. Installing root cert means the cert owner can see your HTTPS traffic, including banking credentials

      • Hey
      • 2 yrs ago
      • Reported - view

      ahmed ensar Yeah as Martheen said, a Root Certificate gives HTTPS traffic access, NextDNS from what I've seen in the Forums and FAQ have multiple layers to ensure it stays safe but they don't install it by default since most people don't need it and because it requires more trust than pure DNS most people wouldn't want it.

    • Hey
    • 2 yrs ago
    • Reported - view

    I would still choose NextDNS 10 out of 10 times but it's a pretty good service.

    Pricing wise NextDNS is cheaper in both Monthly and Yearly plans.

    Servers wise Adguard has 50+ while NextDNS has 132 and also embeds itself to carriers.

    Adguard has a 20 device and 3 million query limit with up-to 5 configurations. NextDNS has no limits in every single aspect mentioned.

    In terms of stability of the servers and infrastructure Adguard DNS went down when the Facebook/Instagram issue happened and there was extra load on the servers while NextDNS didn't see any changes in their ability to process requests and the team mentioned that they are able to take far more than the traffic that happened on the said day.

    You get Threat Intelligence Feeds, AI-Driven Threat Detection, Block Dynamic DNS Hostnames, IDN Homograph Attacks Protection, Cryptojacking Protection.

    The AI alone is as good or better than DNS-FIlter an enterprise DNS service, and the overall protection is mostly better than Quad9 through multiple tests from me and others on social media.

    You also get Allow Affiliate & Tracking Links that proxies requests that are made to domains that are needed to be allowed for functionality like Google Shopping Ads and Amazon Ads.

    Another huge thing that NextDNS does is they can Block Disguised Third-Party Trackers, Adguard goes with a Filter approach where they have a list of known domains that are hidden while NextDNS can see the CNAME and block it. Basically this helps with new Ad/Analytic domains that are not yet filtered out but the CNAME leads to a known Ad/Tracker domain.

    I also personally appreciate the Rewrites function since I use it a ton for multiple purposes.

    They also lack live logs that I really love with NextDNS.

     

    Overall Adguard DNS isn't bad, it's a simple case of, why spend more to have less servers, less layers of security and limits to your usage. You shouldn't need to think of any device limits and simply enjoy a better internet, having to monitor your usage alone is a turn-off for me, they also want you to use the full Adguard App on Windows as the client, I already dislike bundling so that also hurts the uses in my opinion since I gotta install a different application made for their Adblocker that won't be unlocked unless paid for just to use their DNS.

    It does also have positives like the ability to block/allow domains on the logs and a dark theme but snice I'll be using the DNS aspect more than the site itself and NextDNS is simply better with Network/Functions it's fine by me, would like to see those implemented in NextDNS though.

    So to put everything in a single sentence, NextDNS is better in terms of Network, Protection and general abilities, Adguard has a few nice-to-have functions but as I and almost everyone will be using the back-end more than the front-end and with the pricing using NextDNS is a no-brainer.

      • Hey
      • 2 yrs ago
      • Reported - view

      Also wanted to add a few sources for what I've said.

      (Network Size / Performance)

      https://www.dnsperf.com/#!dns-resolvers

      It used to be 11 ms for Cloudflare 12 for DNSFilter and 13 for NextDNS something happened this week and all the results are worse than it was in the last 2 weeks. I also typed the first two numbers and skipped the .xx as I don't remember them to comment.

      (CNAME Uncloaking)

      https://medium.com/nextdns/nextdns-added-cname-uncloaking-support-becomes-the-first-cross-platform-solution-to-the-problem-e3f437f84342

      Basically NextDNS actually finds the CNAME live and blocks. It's better for privacy as they block the main ad/tracking domains behind the cloaking instead of the hidden domain.

      Adguard keeps a list of these domains instead of Uncloaking them, this leads to worse blocking performance if the domain is new and unknown but still leads to a known tracker through CNAME.

      (NextDNS security tests.)

      https://m.youtube.com/watch?v=wSAWCMTwPiU

      https://mobile.twitter.com/brentcrawford/status/1500910925624262657

      The only thing I don't agree with that test above is CleanBrowsing as on my testing, I got worse results compared to every other DNS using new domains through their Malware Protection IP from their site.

      Lastly to clarify what I said about using a Paid for app on Adguard. Using the DNS is fine and you don't need to pay to use the app. What I mean is you have to purchase Adguard as well to use the app completely. So after purchasing their DNS, you gotta use an app that also leads to incentives to purchase more or not fully utilize it's functionality.

      So not that you gotta pay for the app to use the DNS but, just an annoyance that you get bundled an app that you don't need that's going to try to get you to purchase their Adblocker.

      • Pierre_Cartier
      • 2 yrs ago
      • Reported - view

      Hey nothing to add, perfect comment. 👏🏻👍🏻

      AdGuard people are not fairplay with NextDNS.

      https://reddit.com/r/nextdns/comments/wrxr23/adguard_dns_20_is_launched/

    • Martheen
    • 2 yrs ago
    • Reported - view

    Deploying on a new device is far more annoying than NextDNS.

    On NextDNS: Find your config ID, just type it alongside the simple address pattern on the browser's DoH or Android's DoT setting, and done. Got multiple devices? Just use the same address, perhaps add whatever identifier you want if you need it.

    On AdGuard: Find your preferred server config, add a new device, and use the generated unique address for your device. Got multiple devices? Repeat with different addresses.

    I also don't get their pricing tier. 300k requests monthly on the free tier, fine, that's the NextDNS limit too. But having multiple devices doesn't really add that much cost, so does having multiple profiles (or "servers"), the CPU overhead is identical, and storage overhead is just one small DB row for each profile/device. And all those limits even on paid tiers? They don't price their package according to how much it cost for them plus their expected profit margin, but according to how they think their customers are making. Sure, that works when they have a monopoly, but NextDNS exist. It's baffling how they pick this route even though their target market is already used to a superior product with better pricing.

    • Edmund
    • 2 yrs ago
    • Reported - view

    They have some differences, like 10m monthly requests for their plan (was 3m) for .50USD more before VAT, limited profile and devices configuration, they have less server more, likely to go down, and less blocklist (they want blocking with little false positive)

    I been using Adguard DNS beta, and here are some feature that are only available on Adguard DNS

    • you can set very low TTL time
    • each device configuration have unique ID (with Nextdns you need to create new configuration)
    • you can import/export user rules
    • They have more info in the statistics / search logs with filters
    • You can turn off individual devices / turn off global blocking
    • Comes free from Adguard VPN subscriber 
    • Email support
    • DARK THEME

    I think that's all that I can think off, but I'll stick to NextDNS because they have better uptime. Unless you need very low TTL time, need individual switch, and are Adguard VPN subscriber, go try it.

      • Martheen
      • 2 yrs ago
      • Reported - view

      Ed You don't need a new configuration on NextDNS for a new device, if your config ID is abc123 then either your--device--name-abc123.dns.nextdns.io for DoT/DoQ or https://dns.nextdns.io/abc123/your%20device%20name for DoH is enough to differentiate between devices on the log.

      • Edmund
      • 2 yrs ago
      • Reported - view

      Martheen what I meant was, you need new configuration if you need different ID like

      Lorem--ipsum-(ID).ultralow.dns1.nextdns.io

      dolor--sit--amet-(ID2).ultralow.dns1.nextdns.io

      with AdGuardDNS you get 
      (random ID).d.adguard-dns.com

      different device gets different ID, also they have "Server" what we call configuration in NextDNS, you can also select which "Server" the device used without changing the ID

      with NextDNS you need different configuration to give individual device a different ID, and you can't change which configuration to use, other than changing the ID to that configuration

      • Hey
      • 2 yrs ago
      • Reported - view

      Ed I actually don't see their Unique ID as a benefit but as a headache like Martheen said. It adds unnecessary complications. Their setup is also less intuitive with them trying to get their apps installed every time and the apps come with a trial version of Adguard Premium that's going to confuse and incentivize a user to purchase a license when they don't need it.

      I try to avoid using any apps but lets say on Windows 11, NextDNSs app works and is extremely light, you set it up once, it has a single job and it gets out of your way, that's how it's meant to be, not some bundle where you have 20 different settings you didn't ask for that are mostly all behind a paywall. Some might not care but it's one of the things I truly hate, software that's locked for no reason or bundled in with more products that you don't need.

      • Edmund
      • 2 yrs ago
      • Reported - view

      Hey I didn't said it was in my benefit, but like a side to side comparation. Yes I know their apps is bloated and locked with paid stuff. Yes I know that NextDNS has great app and CLI. But maybe the function of this feature is to have different "server" to choose from with different blocking list (custom user rule maybe) on the fly, without changing the ID and affecting other devices, I don't need that, I only said this to compare it to NextDNS.

      • Hey
      • 2 yrs ago
      • Reported - view

      Ed Oh alright, since everything else listed were benefits like Dark theme etc I thought you were saying that the entire confusing aspect was a benefit.

      Also you can achieve the same with creating user Profiles on NextDNS it's the same feature with a different name and it's unlimited.

    • Coral_River
    • 2 yrs ago
    • Reported - view
    Hey said:
    The only thing I don't agree with that test above is CleanBrowsing as on my testing, I got worse results compared to every other DNS using new domains through their Malware Protection IP from their site.

     There are other tests in which CleanBrowsing did very well:

    1) Recommended DNS servers - which ones are the fastest and best protect the user? (Cloudflare, Quad9, Comodo Secure DNS, CleanBrowsing, Alternate DNS, AdGuard DNS, NextDNS)
    Polecane serwery DNS — które z nich są najszybsze i najlepiej chronią użytkownika?
    https://avlab.pl/polecane-serwery-dns/
    - Phishing Protection - CleanBrowsing was the #1 provider
    - Malware Protection - CleanBrowsing was the #1 provider, AdGuard DNS was the worst.
    ( they used default settings for NextDNS - more info:
    https://help.nextdns.io/t/35hw4q1/avlab-nextdns-vs-quad9-vs-cleanbrowsing-vs-cloudflare )

    2) Phishing Protection — Comparing DNS Security Filters (Quad9, OpenDNS, CleanBrowsing, Norton ConnectSafe, Comodo Secure, Yandex Safe)
    https://medium.com/@nykolas.z/phishing-protection-comparing-dns-security-filters-9d5a09849b91
    "CleanBrowsing was the #1 provider in my tests , followed by Quad9 and OpenDNS in second (they did well in different areas)."

    3) This is not about security but it is worth mentioning:
    Porn Filters Compared: OpenDNS, Neustar, CleanBrowsing, Norton, Yandex and AdGuard
    https://hackernoon.com/porn-filters-compared-opendns-neustar-cleanbrowsing-norton-yandex-and-adguard-41f207062c4
    "Out of the 88 porn domains, I expected all of them to be blocked. They were ranked on the search engines and easily found online. Only CleanBrowsing blocked them all, with Norton SafeConnect very close in second place by missing 5 domains"
    "CleanBrowsing: 100% blockedNorton: 94% blocked (83 blocked, 5 not blocked)Yandex: 93% blocked (82 blocked, 6 not blocked)OpenDNS: 89% blocked (79 blocked, 9 not blocked)Neustar: 81% blocked (72 blocked, 16 not blocked)AdGuard: 55% blocked (55 blocked, 39 not blocked)"

      • Hey
      • 2 yrs ago
      • Reported - view

      servilo I'll try my tests again but like I've said the last time I tried it, it was horrible getting like 50-60% when compared to most others. It could still be something on my end somehow though. I was on Windows 11 and pinged domains using a script through their Security Filter DNS someone asked me at the time about doing these tests and out of everything it was the worst out of at least 6 services. So I'll try yo do another one and see, maybe it was a bug or something not going right that day.

      • Hey
      • 2 yrs ago
      • Reported - view

      servilo I've done a basic but realistic test, I've went on questionable websites, the type that have "free" content, software, movies etc the best of the best when it comes to new phishing and malicious domains.

      I've collected domains that are blocked via AI/Threat Intelligence and nothing else to keep it fair as I'm using the Security Filter on CleanBrowsing and not a profile.

      So with real world threats that people can see in the wild, NextDNS had 14/14 and CleanBrowsing detected 1/14.

      This might not seem fair since I've located the domains off NextDNS but going through them, nearly all are detected on VirusTotal as Malicious or Phishing through known providers like Bitdefender and Kaspersky. So these domains are verified to be malicious by major AV providers.

      • Pierre_Cartier
      • 2 yrs ago
      • Reported - view

      servilo Apart from the Polish study all others are 5 years old. In cybersecurity this is huge. Not sure they are still relevant, but interesting though. 

      Anyway security in general must be tuned to be really effective. Especially NextDNS which appears to be too tech for some people, especially when you look at the questions on NextDNS sub on Reddit. 

      • Hey
      • 2 yrs ago
      • Reported - view

      Pierre Cartier I'd say NextDNS is probably the easiest one to setup, turn everything on basically. Other than things like Parental Controls etc and Block Page, add OISD and possibly Fanboys Annoyance to avoid GDPR and after that, you'll never really have an issue. I've been using the above setup for years now with basically no issues other than NDR blocking a new Plex Server a friend of mine setup and that's the expected behavior so not an issue.

      Also to add to my initial testing Quad9 a free Security DNS had 12/14 blocked and looking at the 1/14 by CleanBrowsing I'm sure with my initial observations.

      • Pierre_Cartier
      • 2 yrs ago
      • Reported - view

      Hey No issue on my side either. But you or me might not be general public. If you look at the questions people are asking on Reddit not sure easy is the right word 😉

    • Coral_River
    • 2 yrs ago
    • Reported - view

    @ Pierre Cartier, @ Hey

    I've found 3 more studies about DNS protection services.
    The two studies by Robert Spotswood are old but very interesting because:
    - all DNS providers have poor results,
    - he explains the methodology and difficulties with testing DNS servers,
    - he compares DNS filtering rates with AV detection rates (2019).

    MALICIOUS SITE FILTERS ON DNS IN 2020
    (Quad9, Cloudflare family, OpenDNS, CleanBrowsing, Adguard DNS)
    https://www.skadligkod.se/general-security/phishing/malicious-site-filters-on-dns-in-2020/

    DNS Protection Services April 2018 Tests
    (Quad9, OpenDNS, Comodo Secure DNS, Norton ConnectSafe, Mnemonic)
    https://www.spotswood-computer.net/

    DNS Protection Services October 2019 Tests
    (Quad9, OpenDNS, Comodo Secure DNS, Mnemonic Passive DNS, Norton ConnectSafe DNS4, Neustar UltraRecursive DNS, Safesurfer)
    https://www.spotswood-computer.net/

      • Hey
      • 2 yrs ago
      • Reported - view

      servilo Yeah DNS testing is hard to be accurate as some services use different Feeds and Lists to block malicious domains. Their update schedule also dramatically change I've seen a few serviced getting close to Quad9 with a day or two old malicious domains that get completely crippled the second there are new domains in the equation.

      My goal with that test was to be realistic, real websites that make their profits from Malicious Ads, they register new domains and wait it out before using them to net get blocked by things like NRD they usually set the domains up as a middleman to re-direct, it also reduces detection. They are usually the worst offenders for Phishing and Adware with all sort of weird pages.

      I can send you the exact domains that I've checked as well, they are all found to be Malicious/Phishing through VirusTotal by multiple venders most by Kaspersky/Bitdefender/Sophos/Webroot etc. So these domains should be blocked as it's a general in the wild domains that can actually get to people.

      • Pierre_Cartier
      • 2 yrs ago
      • Reported - view

      servilo No test here but security stuff. Michael is very well know on security topics. 

      Number 39 Encrypted DNS. https://defensivecomputingchecklist.com/#dohdot

    • Ruby_Balloon
    • 2 yrs ago
    • Reported - view

    Just my 2 cents, I tried Adguard DNS Beta and it worked fine, they have some interesting features like the aforementioned dark theme, blocking iCloud Private Relay, and setting a custom TTL but their capped queries is a deal breaker personally. They increased it to 10 million queries from the original 3 million for the personal subscription but still a deal breaker imo, especially when NextDNS' plan has unlimited queries. I've been using Control D for the last couple of months and so far I'm satisfied as I see more potential utility out of it personally but I've used NextDNS for a few years with rare issues and still have a backup config just in case I have to fallback.

Content aside

  • 2 Likes
  • 2 yrs agoLast active
  • 26Replies
  • 10567Views
  • 8 Following