NextDNS vs DNSFilter / Why Multi Layered Security Matters

Sohan Ray I haven't done a security comparison, which I can do if you'd like.

I have tried ControlD before and I won't say that it's bad and honestly their network isn't as strong and they have gone down, if I'm not mistaken when the entire Facebook thing happened, there were problems on their end but most others also had issues like Adguard and many ISP based DNS servers.

It shouldn't matter too much but in a full comparison it should be stated as in stress, NextDNS keeps up with Cloudflare and only a few others keep up, that's why DNSFilter was a good comparison in my opinion as they also have one of the best networks worldwide, so it was even.

In terms of general usecase I'd prefer NextDNS as it gives far more flexibility and general options to fine tune. I could use 1HostPro/NextDNS Ads-Malware for my parents as they have a set amount of apps and I'd happily choose additional security over some loss of usability any day for them. For myself I can use OISD to have a great balance and with basic web knowhow I can easy avoid the few none blocked malicious sites that might get through. On ControlD you get, well their own filter, it's not bad but again they make the choice for you instead of you doing it yourself. The general amount of giving back and openness of the entire system is also better with NextDNS.

For the positives, they are a smaller company so things might happen quicker as less users / less possible problems and easier decisions. The pricing is comparable and they do proxies for an additional subscriptions worth in terms of pricing.

Again I can do testing if you'd like, but overall, it's ehh as you'd be losing some network stability and general options and functions that NextDNS has, even the AI itself is quite nice overall keeping up and even getting better results than the Enterprise solutions. It varies though and some might like less choice and function to have the proxy and it's a user chocie but with general flexibility and functions of NextDNS, I wouldn't personally take ControlD over it.

Sohan Ray You're viewing it in a different way though, Google is one of the biggest corporations on earth but when you talk about their Radar/Soli technology you don't see it as the entire Alphabet megacorp but their own company as Windscribe is the main company but ControlD is a company that's owned by Windscribe. So it probably has its own team since logically you aren't going to leave a already successful business to create a new venture.

I'll do something similar to the current test but can't promise the domain size as I grab whatever was active in the last 2 days, going further would not show threat detection for new(ish) malware but things that are on every filter.

Sohan Ray As how I compared the two in terms of size is, network + users maybe it's a flawed way of looking at it but in my mind, Userbase directly coronates to Network and the reverse is the same. So I would say that Cloudflare is bigger than Google in terms of DNS as they have more users and a larger network. Not as the Cloudflare company but their DNS.

I'll start doing the tests now and hopefully in about an hour have a result, it's going to be an even lengthier test as I gotta do their Free and Paid tier separately since there are more toggles in the paid one from what I know.

Sohan Ray The results are in, NextDNS got a clean sheet as expected, out of the 57 that were tested, amazingly enough 39 were blocked by AI-Driven Threat Detection. That's quite amazing since AI treats them as 0 days, so there is no manual entery for the domains. 56 were caught by Threat Intelligence Feeds. Lastly one was blocked by NextDNS defualt and OISD.

In terms of ControlD they also got all the malicious domains but in the logs, it was quite silly. 90% of the domains were listed as "Ads" that's a problem since the end user wouldn't know how dangerous a website they visited is, it not having proper categorizations genuinely shocked me and it seems like an extremely silly oversight. But overall they got all the domains and that's great on their end.

In terms of Ads/Trakcers, NextDNS having options showed that, it was more capable with regional Ads as there are more options and using different filters for different countries and also using heavier filters, I had all the ads/popups blocked even on regional sites. But on English they were neck and neck.

Their UI seems a bit clunky, it was the same with DNS filter and the responsiveness isn't amazing but it's not a bad UI.

The one problem I had was it connected me to a country that was to say the least, on another continent. So I actually saw a difference in web loading speeds that I hadn't seen with NextDNS and DNSFilter but they can improve and bad routing happens everywhere to an extent.

Overall, not a bad result for them, I'd still pick NextDNS 9/10 since AI results in better 0 day capabilities and I like having the options to make it fit my usecase instead of being forced to stick to what they choose for me but that's my preference, not bad though, not bad.

Also just to explain what I mean by 0 day threats is, if none of the filters were enabled / the domains were not blacklisted it would have still gotten the 39 that it did. It's like Behavioral based AVs. Even if a threat hasn't been detected and saved to the Database, it can still provide a layer of security as Unknown Threat Defense. So, if I had this random email with a malicious domain that no one knows about it has a 68.42% chance of blocking it (A basic calculation of the current result 39/57 but this won't always be the result as it can get a higher or lower score) as of the current Beta. It's not the highest chance but compared to 0% that you get with service that don't use similar technologies, it's substantial.

This also applies to DNSFilter to an extent as they also use AI but their overall isn't as high since they don't seem to be using the best Threat Feeds. But in terms of pure 0 days, they are probably similar as seen with the intial testing.

Sohan Ray Did the tests on Free and Paid. I found a in my opinion serious problem on how they do security a few minutes ago, I could do further analysis if you'd like as I'm suspecting something else, could make a whole new thread about it as well. So if you're planning on using their service I can look into it.

Sohan Ray I've already investigated the feature and what it does, it can be useful at times but the thing with IPs is that, you shouldn't really come across much while browsing as most websites and links are domains but is there a benefit yeah.

NextDNS have said that the risks of false positives were too high to implement the feture. It makes sense since if a Malicious domains can share IP with Good domains that can be problematic.

Don't see it as, every few domains are going to falsely blocked but let's say there is a problematic IP every few thousand domains, that could add up to many false positives. It's a logical decision as the chance of finding malware as IP while casually browsing is extremely low.

It's a tradeoff to have it or not to have it, different choices for different companies I guess.

Sohan Ray On that note, I'm going to make a new thread comparing ControlD to NextDNS. It's mostly to hopefully point out and get ContolD to fix their honestly silly way of doing security going to double check now, should be up on a few hours.