
NextDNS vs DNSFilter / Why Multi Layered Security Matters

There are different approaches to security that can be taken, different layers, different viewpoints.

Some methods are simply better than others, and with this I wanted to show how a multi-layered approach is a better way of dealing with threats by comparing NextDNS to an enterprise competitor and how their different approaches yield different results in a quite frankly surprising way.

For these tests there are 15 domains, mostly from today and a few from yesterday. These are alive and malicious, giving the DNS service what it needs to analyze the domain on request (these have been tested and reported). Here are the results.

In total, out of the 15 domains, NextDNS caught 10 purely by the AI-Driven Threat Detection, with 14 being blocked by Threat Intelligence Feeds and 1 being blocked by the NextDNS Ads & Trackers Blocklist and OISD. So in total all of them were caught. These aren't exactly 0-days and again have been reported, but overall it shows that if someone were to come across these threats themselves they would have quite amazing protection, with the ability to fine-tune using additional filters.

-----

Now for DNSFilter, it's honestly a more flashy service; their page that shows a loading screen while the AI scan is running, etc., yeah, looks better. This is a service that seems more expensive and offers fewer features on their Basic plan compared to Pro and Enterprise. They don't list their pricing per client for Enterprise, so I can't comment on that, but let's get to the testing.

15 domains as before, and all the functions that I could enable for security are enabled. I also double-checked with their built-in domain checking tool to make sure the results were the same with their preferred configuration.

9 were blocked and 6 were let through. This still isn't the worst, but the problem is, when there aren't multiple layers, the 6 domains passed both their testing website and the URLs loaded successfully.

-----

In total, comparing the AI services of both, NextDNS got 10 domains and DNSFilter got 9. Comparable.

But with NextDNS using multiple layers such as feeds, blocklists and AI, it managed to get a complete score, with room for additional, more aggressive filters to possibly give even more security, in a more than usable state for enterprise users who do far less random browsing that might lead to false positives.

-----

It's great to see as a NextDNS user, but also shocking, as both networks are comparable in terms of latency and worldwide reach. Yet the other allows some threats that are known and were reported earlier today.

-----

This whole thing was inspired thanks to Sohan Ray and DynamicNotSlow, so thanks for the initial question and the curiosity that got me to do this.
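Added example for readers who want to repeat this kind of test themselves. This is not the original poster's script (the post shows no code); it is a stdlib-only Python probe that sends a raw UDP query for each domain to a resolver you name and classifies the answer as allowed, blocked by NXDOMAIN, or blocked by a sinkhole address. The resolver addresses, the domain names and the `SINKHOLE_IPS` set are placeholders and assumptions; nothing here asserts which answer NextDNS or DNSFilter actually returns. The per-layer tally (AI vs feeds vs blocklist) cannot be read from the DNS answer, so `layer_coverage` is fed by hand from the resolver's query log; the sample sets in `__main__` are constructed.

```python
"""Probe domains against a DNS resolver and classify each answer as allowed,
blocked-by-NXDOMAIN or blocked-by-sinkhole. Stdlib only, no dnspython.
Added example for this thread, not the thread author's tooling.
ASSUMPTIONS: resolver IPs and domain names are placeholders; SINKHOLE_IPS is a
generic list, not a statement of what any particular service returns."""
import random
import socket
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
# Addresses filtering resolvers commonly hand back instead of the real record.
SINKHOLE_IPS = {"0.0.0.0", "::", "127.0.0.1", "::1"}


def build_query(name: str, qtype: int = QTYPE_A) -> tuple[int, bytes]:
    """Wire-format query: 12-byte header (RD=1), QNAME labels, QTYPE, QCLASS=IN."""
    txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> tuple[int, list[str]]:
    """Return (rcode, A/AAAA addresses found in the answer section)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4   # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return rcode, addrs


def classify(rcode: int, addrs: list[str]) -> str:
    """Map a parsed answer onto the outcomes a block test cares about."""
    if rcode == RCODE_NXDOMAIN:
        return "blocked:nxdomain"
    if rcode != RCODE_NOERROR:
        return f"error:rcode{rcode}"
    if not addrs:
        return "nodata"                  # NOERROR with no A/AAAA: inconclusive
    if all(a in SINKHOLE_IPS for a in addrs):
        return "blocked:sinkhole"
    return "allowed"


def probe(resolver_ip: str, name: str, timeout: float = 3.0) -> str:
    """Send one UDP query to resolver_ip:53 and classify the reply (needs network)."""
    txid, query = build_query(name)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (resolver_ip, 53))
            reply, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "error:timeout"
    if struct.unpack("!H", reply[:2])[0] != txid:
        return "error:txid-mismatch"
    return classify(*parse_response(reply))


def sweep(resolvers: dict[str, str], domains: list[str]) -> dict[str, dict[str, str]]:
    """Outcome matrix results[resolver_label][domain] (needs network)."""
    return {label: {d: probe(ip, d) for d in domains} for label, ip in resolvers.items()}


def layer_coverage(blocked_by: dict[str, set[str]], total: int) -> dict[str, int]:
    """Per-layer hit counts plus their union; the union is the number the thread
    compares, which is how one weak layer can still leave the stack at 15/15."""
    report = {layer: len(hits) for layer, hits in blocked_by.items()}
    report["union"] = len(set().union(*blocked_by.values()))
    report["total"] = total
    return report


if __name__ == "__main__":
    # Constructed answers for "evil.example": NXDOMAIN, 0.0.0.0 sinkhole, real A.
    question = b"\x04evil\x07example\x00\x00\x01\x00\x01"
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4)
    nxdomain = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + question
    sinkhole = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + question + rr + b"\x00\x00\x00\x00"
    real = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + question + rr + b"\x5d\xb8\xd8\x22"
    for label, pkt in (("nxdomain", nxdomain), ("sinkhole", sinkhole), ("real", real)):
        print(label, "->", classify(*parse_response(pkt)))
    # Constructed per-layer tally, filled in from the query log by hand.
    print(layer_coverage({"ai": {"a", "b", "c"}, "feeds": {"b", "c", "d"}}, total=5))
    # Live run (placeholder resolver IPs, assumed): print(sweep({"lab": "192.0.2.53"}, ["evil.example"]))
```

Two caveats for anyone running this. Plain UDP on port 53 only exercises whatever configuration the resolver applies to your source address; services that key a profile to a DoH or DoT endpoint need those transports to hit the right profile, so check the resolver's query log to confirm the test queries arrived under the configuration you meant to test. And resolving a live malicious domain is harmless, while loading the URL, as the post describes doing, is not: run the DNS probe from a throwaway host and never fetch the page from a machine you care about.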

17 replies

    • Sohan_Ray
    • 2 yrs ago

    Awesome work! 👍🏻👍🏻 I hope more people read this so they are confident in what they are investing in. And also the NextDNS people, as it feels good to be appreciated and it motivates them to do even better. Cheers!

    • Sohan_Ray
    • 2 yrs ago

    Have you ever tried ControlD DNS? It's a product of the Windscribe VPN company. I wonder how it compares to NextDNS....

      • Hey
      • 2 yrs ago

      Sohan Ray I haven't done a security comparison, which I can do if you'd like.

      I have tried ControlD before and I won't say that it's bad, but honestly their network isn't as strong and they have gone down; if I'm not mistaken, when the entire Facebook thing happened there were problems on their end, but most others also had issues, like AdGuard and many ISP-based DNS servers.

      It shouldn't matter too much, but in a full comparison it should be stated, as under stress NextDNS keeps up with Cloudflare and only a few others keep up. That's why DNSFilter was a good comparison in my opinion, as they also have one of the best networks worldwide, so it was even.

      In terms of general use case I'd prefer NextDNS, as it gives far more flexibility and general options to fine-tune. I could use 1HostPro/NextDNS Ads-Malware for my parents as they have a set amount of apps, and I'd happily choose additional security over some loss of usability any day for them. For myself I can use OISD to have a great balance, and with basic web know-how I can easily avoid the few non-blocked malicious sites that might get through. On ControlD you get, well, their own filter; it's not bad, but again they make the choice for you instead of you doing it yourself. The general amount of giving back and openness of the entire system is also better with NextDNS.

      For the positives, they are a smaller company so things might happen quicker, as there are fewer users / fewer possible problems and easier decisions. The pricing is comparable and they do proxies for an additional subscription's worth in terms of pricing.

      Again, I can do testing if you'd like, but overall it's ehh, as you'd be losing some network stability and the general options and functions that NextDNS has; even the AI itself is quite nice overall, keeping up with and even getting better results than the enterprise solutions. It varies though, and some might like less choice and function in order to have the proxy; it's a user choice, but with the general flexibility and functions of NextDNS, I wouldn't personally take ControlD over it.

      • Sohan_Ray
      • 2 yrs ago

      Hey smaller company than NextDNS? Are you sure that Windscribe is a smaller company than NextDNS?

      It would be great if you could test their ControlD DNS against the 15-domain list.... Also I would like to see it for the free version of ControlD with the security filters and ad blocking ones.

      • Hey
      • 2 yrs ago

      Sohan Ray You're viewing it in a different way though. Google is one of the biggest corporations on earth, but when you talk about their Radar/Soli technology you don't see it as the entire Alphabet megacorp but as their own company; likewise Windscribe is the main company but ControlD is a company that's owned by Windscribe. So it probably has its own team, since logically you aren't going to leave an already successful business to create a new venture.

      I'll do something similar to the current test but can't promise the domain count, as I grab whatever was active in the last 2 days; going further back would not show threat detection for new(ish) malware but things that are on every filter.

      • Hey
      • 2 yrs ago

      Sohan Ray The way I compared the two in terms of size is network + users. Maybe it's a flawed way of looking at it, but in my mind user base directly correlates with network and the reverse is the same. So I would say that Cloudflare is bigger than Google in terms of DNS, as they have more users and a larger network. Not as the Cloudflare company, but their DNS.

      • Sohan_Ray
      • 2 yrs ago

      Hey ok. Appreciate the effort 🙂👍🏻. I believe I had read somewhere that ControlD isn't like a subsidiary company of Windscribe, but it's a project started by them directly.

      • Hey
      • 2 yrs ago

      I'll start doing the tests now and hopefully in about an hour have a result. It's going to be an even lengthier test as I gotta do their Free and Paid tiers separately, since there are more toggles in the paid one from what I know.

      • Hey
      • 2 yrs ago

      Sohan Ray The results are in. NextDNS got a clean sheet as expected; out of the 57 that were tested, amazingly enough 39 were blocked by AI-Driven Threat Detection. That's quite amazing since the AI treats them as 0-days, so there is no manual entry for the domains. 56 were caught by Threat Intelligence Feeds. Lastly, one was blocked by the NextDNS default and OISD.

      In terms of ControlD, they also got all the malicious domains, but in the logs it was quite silly. 90% of the domains were listed as "Ads"; that's a problem since the end user wouldn't know how dangerous a website they visited is. It not having proper categorizations genuinely shocked me and it seems like an extremely silly oversight. But overall they got all the domains and that's great on their end.

      In terms of Ads/Trackers, NextDNS having options showed that it was more capable with regional ads, as there are more options; using different filters for different countries and also using heavier filters, I had all the ads/popups blocked even on regional sites. But on English sites they were neck and neck.

      Their UI seems a bit clunky; it was the same with DNSFilter, and the responsiveness isn't amazing, but it's not a bad UI.

      The one problem I had was it connected me to a country that was, to say the least, on another continent. So I actually saw a difference in web loading speeds that I hadn't seen with NextDNS and DNSFilter, but they can improve, and bad routing happens everywhere to an extent.

      Overall, not a bad result for them. I'd still pick NextDNS 9/10 since AI results in better 0-day capabilities and I like having the options to make it fit my use case instead of being forced to stick to what they choose for me, but that's my preference. Not bad though, not bad.

      • Hey
      • 2 yrs ago

      Also, just to explain what I mean by 0-day threats: if none of the filters were enabled / the domains were not blacklisted, it would have still gotten the 39 that it did. It's like behavior-based AVs. Even if a threat hasn't been detected and saved to the database, it can still provide a layer of security as unknown threat defense. So, if I had this random email with a malicious domain that no one knows about, it has a 68.42% chance of blocking it (a basic calculation of the current result, 39/57, but this won't always be the result as it can get a higher or lower score) as of the current Beta. It's not the highest chance, but compared to the 0% that you get with services that don't use similar technologies, it's substantial.

      This also applies to DNSFilter to an extent, as they also use AI, but their overall result isn't as high since they don't seem to be using the best threat feeds. But in terms of pure 0-days, they are probably similar, as seen with the initial testing.

      • Sohan_Ray
      • 2 yrs ago

      Hey Thanks a lot for your efforts. 😊👍🏻👍🏻🎉

      Could you just clarify, the ControlD DNS that you tested, was it the free one or the paid one?

      • Sohan_Ray
      • 2 yrs ago

      Hey BTW do you have the block TLDs enabled in NextDNS?

      • Hey
      • 2 yrs ago

      Sohan Ray I did the tests on Free and Paid. I found what is, in my opinion, a serious problem in how they do security a few minutes ago. I could do further analysis if you'd like, as I'm suspecting something else; I could make a whole new thread about it as well. So if you're planning on using their service I can look into it.

      • Sohan_Ray
      • 2 yrs ago

      Hey I see. I am not exactly planning on using ControlD, but they have this feature in the paid plan of blocking malicious IPs, apart from the DNS rebinding protection. I was wondering if NextDNS can do that... And how important that feature is...

      • Hey
      • 2 yrs ago

      Sohan Ray I've already investigated the feature and what it does. It can be useful at times, but the thing with IPs is that you shouldn't really come across many while browsing, as most websites and links are domains. But is there a benefit? Yeah.

      NextDNS have said that the risks of false positives were too high to implement the feature. It makes sense, since if malicious domains can share an IP with good domains, that can be problematic.

      Don't see it as every few domains are going to be falsely blocked, but let's say there is a problematic IP every few thousand domains; that could add up to many false positives. It's a logical decision, as the chance of encountering malware as a bare IP while casually browsing is extremely low.

      It's a tradeoff to have it or not to have it, different choices for different companies I guess.

      • Hey
      • 2 yrs ago

      Sohan Ray On that note, I'm going to make a new thread comparing ControlD to NextDNS. It's mostly to hopefully point out, and get ControlD to fix, their honestly silly way of doing security. Going to double-check now; it should be up in a few hours.

      • Sohan_Ray
      • 2 yrs ago

      Hey ohk!👍🏻
