NextDNS vs AdGuard DNS 2.0?

NextDNS 

Google Translate:

I already use nextdns for inexperienced people at home. I don't have access to their phones and computers. It's ridiculous to tell you to go install a root certificate on his device. :D

ahmed ensar AdGuard shouldn't be able to show that page too if you only use their DNS product. Installing root cert means the cert owner can see your HTTPS traffic, including banking credentials

ahmed ensar Yeah as Martheen said, a Root Certificate gives HTTPS traffic access, NextDNS from what I've seen in the Forums and FAQ have multiple layers to ensure it stays safe but they don't install it by default since most people don't need it and because it requires more trust than pure DNS most people wouldn't want it.

Also wanted to add a few sources for what I've said.

(Network Size / Performance)

https://www.dnsperf.com/#!dns-resolvers

It used to be 11 ms for Cloudflare 12 for DNSFilter and 13 for NextDNS something happened this week and all the results are worse than it was in the last 2 weeks. I also typed the first two numbers and skipped the .xx as I don't remember them to comment.

(CNAME Uncloaking)

https://medium.com/nextdns/nextdns-added-cname-uncloaking-support-becomes-the-first-cross-platform-solution-to-the-problem-e3f437f84342

Basically NextDNS actually finds the CNAME live and blocks. It's better for privacy as they block the main ad/tracking domains behind the cloaking instead of the hidden domain.

Adguard keeps a list of these domains instead of Uncloaking them, this leads to worse blocking performance if the domain is new and unknown but still leads to a known tracker through CNAME.

(NextDNS security tests.)

https://m.youtube.com/watch?v=wSAWCMTwPiU

https://mobile.twitter.com/brentcrawford/status/1500910925624262657

The only thing I don't agree with that test above is CleanBrowsing as on my testing, I got worse results compared to every other DNS using new domains through their Malware Protection IP from their site.

Lastly to clarify what I said about using a Paid for app on Adguard. Using the DNS is fine and you don't need to pay to use the app. What I mean is you have to purchase Adguard as well to use the app completely. So after purchasing their DNS, you gotta use an app that also leads to incentives to purchase more or not fully utilize it's functionality.

So not that you gotta pay for the app to use the DNS but, just an annoyance that you get bundled an app that you don't need that's going to try to get you to purchase their Adblocker.

Hey nothing to add, perfect comment.

AdGuard people are not fairplay with NextDNS.

https://reddit.com/r/nextdns/comments/wrxr23/adguard_dns_20_is_launched/

Ed You don't need a new configuration on NextDNS for a new device, if your config ID is abc123 then either your--device--name-abc123.dns.nextdns.io for DoT/DoQ or https://dns.nextdns.io/abc123/your%20device%20name for DoH is enough to differentiate between devices on the log.

Martheen what I meant was, you need new configuration if you need different ID like

Lorem--ipsum-(ID).ultralow.dns1.nextdns.io

dolor--sit--amet-(ID2).ultralow.dns1.nextdns.io

with AdGuardDNS you get 
(random ID).d.adguard-dns.com

different device gets different ID, also they have "Server" what we call configuration in NextDNS, you can also select which "Server" the device used without changing the ID

with NextDNS you need different configuration to give individual device a different ID, and you can't change which configuration to use, other than changing the ID to that configuration

Ed I actually don't see their Unique ID as a benefit but as a headache like Martheen said. It adds unnecessary complications. Their setup is also less intuitive with them trying to get their apps installed every time and the apps come with a trial version of Adguard Premium that's going to confuse and incentivize a user to purchase a license when they don't need it.

I try to avoid using any apps but lets say on Windows 11, NextDNSs app works and is extremely light, you set it up once, it has a single job and it gets out of your way, that's how it's meant to be, not some bundle where you have 20 different settings you didn't ask for that are mostly all behind a paywall. Some might not care but it's one of the things I truly hate, software that's locked for no reason or bundled in with more products that you don't need.

Hey I didn't said it was in my benefit, but like a side to side comparation. Yes I know their apps is bloated and locked with paid stuff. Yes I know that NextDNS has great app and CLI. But maybe the function of this feature is to have different "server" to choose from with different blocking list (custom user rule maybe) on the fly, without changing the ID and affecting other devices, I don't need that, I only said this to compare it to NextDNS.

Ed Oh alright, since everything else listed were benefits like Dark theme etc I thought you were saying that the entire confusing aspect was a benefit.

Also you can achieve the same with creating user Profiles on NextDNS it's the same feature with a different name and it's unlimited.

servilo I'll try my tests again but like I've said the last time I tried it, it was horrible getting like 50-60% when compared to most others. It could still be something on my end somehow though. I was on Windows 11 and pinged domains using a script through their Security Filter DNS someone asked me at the time about doing these tests and out of everything it was the worst out of at least 6 services. So I'll try yo do another one and see, maybe it was a bug or something not going right that day.

servilo I've done a basic but realistic test, I've went on questionable websites, the type that have "free" content, software, movies etc the best of the best when it comes to new phishing and malicious domains.

I've collected domains that are blocked via AI/Threat Intelligence and nothing else to keep it fair as I'm using the Security Filter on CleanBrowsing and not a profile.

So with real world threats that people can see in the wild, NextDNS had 14/14 and CleanBrowsing detected 1/14.

This might not seem fair since I've located the domains off NextDNS but going through them, nearly all are detected on VirusTotal as Malicious or Phishing through known providers like Bitdefender and Kaspersky. So these domains are verified to be malicious by major AV providers.

servilo Apart from the Polish study all others are 5 years old. In cybersecurity this is huge. Not sure they are still relevant, but interesting though. 

Anyway security in general must be tuned to be really effective. Especially NextDNS which appears to be too tech for some people, especially when you look at the questions on NextDNS sub on Reddit. 

Pierre Cartier I'd say NextDNS is probably the easiest one to setup, turn everything on basically. Other than things like Parental Controls etc and Block Page, add OISD and possibly Fanboys Annoyance to avoid GDPR and after that, you'll never really have an issue. I've been using the above setup for years now with basically no issues other than NDR blocking a new Plex Server a friend of mine setup and that's the expected behavior so not an issue.

Also to add to my initial testing Quad9 a free Security DNS had 12/14 blocked and looking at the 1/14 by CleanBrowsing I'm sure with my initial observations.

Hey No issue on my side either. But you or me might not be general public. If you look at the questions people are asking on Reddit not sure easy is the right word

servilo Yeah DNS testing is hard to be accurate as some services use different Feeds and Lists to block malicious domains. Their update schedule also dramatically change I've seen a few serviced getting close to Quad9 with a day or two old malicious domains that get completely crippled the second there are new domains in the equation.

My goal with that test was to be realistic, real websites that make their profits from Malicious Ads, they register new domains and wait it out before using them to net get blocked by things like NRD they usually set the domains up as a middleman to re-direct, it also reduces detection. They are usually the worst offenders for Phishing and Adware with all sort of weird pages.

I can send you the exact domains that I've checked as well, they are all found to be Malicious/Phishing through VirusTotal by multiple venders most by Kaspersky/Bitdefender/Sophos/Webroot etc. So these domains should be blocked as it's a general in the wild domains that can actually get to people.

servilo No test here but security stuff. Michael is very well know on security topics. 

Number 39 Encrypted DNS. https://defensivecomputingchecklist.com/#dohdot