1

NextDNS vs ControlD, ControlD has a problem.

I've seen many people mention it, some said that it was better and I was intrigued. Yesterday I was asked to test it, so here are the results.

I had done test of malicious domains with reports from a day earlier. ContolD had 57 of them blocked and I was like yeah just like NextDNS so that's nice.

NextDNS was even better, it caught 39 domains by using purely using AI, giving a 68.42% zero day type detection ratio. The rest were caught by the Threat Intelligence and Filters.

-----

The only problem I had seen (With ControlD) at the time was their way of sorting the domains, about 90% of the malicious domains showed up as "Ads" on the logs giving a false sense of security. The user shoud know what's a threat and what's an Ad.

When you are on a malicious domain, that's redirecting or trying to push you to malware, you should know the risks and avoid the said domains.

That in of itself isn't the largest issue that they have. The issue comes from, not having updates fast enough in terms of their Threat Intelligence.

-----

When testing with domains that were 5-6 hours old, none of the domains were caught. So that really made me question a lot of things.

Them listing the domains as Ads was a turnoff for me but not catching new threats was shocking.

I've checked the domains today and the 4 of them are still not blocked and you're able to download the malicious files.

Malware don't have a tendency to wait until the the service gets to block them. These threats were reported yesterday evening as of posting.

So overall, with these problems I'm not happy with their results. These domains were blocked by NextDNS, Quad9 and some by Cloudflare. I see no reason why they can't block them on time.

24 replies

null
    • Sohan_Ray
    • 2 yrs ago
    • Reported - view

    Awesome analysis done here. Appreciate the effort. 👍🏻👍🏻

    • Sohan_Ray
    • 2 yrs ago
    • Reported - view

    Although NextDns performed well... One thing about it has always bothered me. And that is the fact that I have seen instances when a number of threat intelligence feed sources being used had depreciated and NextDns team hadn't done anything about it for quite long. And after a long break and number of issues raised regarding that concern, they finally fixed/updated them. 

      • Hey
      • 2 yrs ago
      • Reported - view

      Sohan Ray It probably happens because the main people behind it do the changes on GitHub and the support doesn't directly change things themselves.

      You can see this by them linking GitHub for filter change requests here.

      The threads here requesting change to the main service do help but for filter changes and updates that involves the owners best way is to go to the creators directly / open issues on their GitHub page from what I've seen on the forums.

      There is also a trend where NextDNS doesn't make quick changes, it's great for stability and things working as intended. Everything that is here works perfectly but also as you said sometimes results in unwanted slowdowns.

      So hopefully whenever something critical does come up again, it's directed to GitHub on day one by either the OP or some of us in the community to speed up the process.

      it's a shame that it took that long, didn't know about it before so it's not a good look for the NextDNS devs on that end.

    • Sohan_Ray
    • 2 yrs ago
    • Reported - view

    How would you compare NextDns to Quad9? Which one is better in terms of protection? 

      • Sohan_Ray
      • 2 yrs ago
      • Reported - view

      Sohan Ray Consider this argument :

      Quad9 uses sources which are leading cybersecurity companies which uses web crawlers like Google to find domains and use their scanning engines to detect the malicious ones. And if the domains are suspected then they are tested by employees in the companies. 

      Whereas, NextDns uses lists that are open source, and maintained by some individuals. I doubt they have crawler systems or scanning engines in their arsenal to find and detect malicious domains. I wonder how they keep up to date their list of latest malicious domains. All I have seen is that they try and combine other blocklists from different sources who in turn update their lists in what way god knows. 

      • Hey
      • 2 yrs ago
      • Reported - view

      Sohan Ray On the tests that I did, it basically had the same results as NextDNS and as you said they work with many companies to have the said protection resulting in a quite great protection ratio.

      But it comes at a cost, they don't do their own filters, it's not by choice either, they have to constantly maintain a good relationship with the said companies, so competing with their filters / systems or doing something that they don't like could result in problems.

      I've seen people ask for something similar to be done with NextDNS but I think that it would cost the entire Open Nature that NextDNS has to get to that point. This would also make them a "Independent" yet completely dependent service.

      There is also the fact that Quad9 is free of charge as a none profit organization. NextDNS would probably have to pay a good sum to get access to all the same filters as Quad9 that would impact pricing.

      That's if the said companies accept working with NextDNS, they wouldn't as it would be quite illogical to give your arsenal to another service, creating a better competitor.

      -----

      Overall, Quad9 seems to be neck and neck on my testings it wasn't a huge win or loss on either side, sometimes NextDNS updated their feeds faster than Quad9 but some other times NRD or AI stepped in to block something that was blocked by Quad9 already. Using heavier filters that update more often like 1HostPro etc should make the results closer if not close to being identical even on threats found minutes / hours ago but Quad9 might still have a small edge overall.

      NextDNS seems to know the advantage/disadvantages so they are doing NRD/AI and other approaches giving them additional layers to improve security.

      -----

      I'd prefer it being open, them being able to do more things overall without having to constantly think about their relationship with other corporations.

      Also as you said the open filters probably use general Web Feedback and other none open sources to come up with the end result. The general web and the userbase isn't a small bit community either so it keeps up most of the time and when that isn't enough there is NRD giving the 30 day additional time for the filters to catch up with Ads/Trackers/Threats and AI to mitigate new threats that are unknown.

      -----

      To give a simple answer, Quad9 and NextDNS seem to be really close. The additional layers that come with NextDNS do the job of stoping new malware to a great extent where the difference between Quad9 and NextDNS isn't huge.

      For that maybe 1%+- I wouldn't like them being completely dependent on others, giving up their open nature and customizations, I'm more than happy to pick my level of security instead of be given whatever a company chooses for me.

      • Hey
      • 2 yrs ago
      • Reported - view

      I'd also like to add that the +- is there since you can make it close to identical or lose some security for convince. There is no NextDNS result to be given outright, different filters setups and general configurations lead to different results as you know, having this gives room for the differences in configurations.

      • Sohan_Ray
      • 2 yrs ago
      • Reported - view

      Hey Thanks for the well thought perspective! 

      • Sohan_Ray
      • 2 yrs ago
      • Reported - view

      Hey did you check how many Dnsfilter was able to block in this test? 

      • Hey
      • 2 yrs ago
      • Reported - view

      Sohan Ray I didn't do a test against DNSFilter at the time as I wasn't happy with the updates and results of ControlD so I checked to see others that were easily accessible and could be used by everyone, Cloudflare that was used was the Malware Filtering DNS nothing too special.

      I can also do the tests now but the whole brand new aspect would be out of the table. The tests were done on that time with the latest domains of that time.

      I also said Cloudflare especially since they aren't as quick as NextDNS or Quad9 that was one of my points, those people that aren't even focused on it could do a faster job of recognizing malicious domains and that's why I was a bit more confident saying that I don't really see a reason why they should miss these domains when nearly everything else has them caught.

      • Sohan_Ray
      • 2 yrs ago
      • Reported - view

      Hey ohk! I asked about Dnsfilter as it would give a more accurate idea of comparison between it and NextDns, with a bigger list of domains that is. 

      • Hey
      • 2 yrs ago
      • Reported - view

      Sohan Ray I can do one with NextDNS vs Quad9 as that's a lot easier and I used the DNSFilter trial so would be abusing the service if I were to do it again. I'm in the process of doing it now finished with NextDNS results and I'll move to Quad9 now. In terms of scale it should be 100+ since today seems to be a big day for malware.

      • Hey
      • 2 yrs ago
      • Reported - view

      Sohan Ray Here are the results out of the 101 Malicious Domains all of them were blocked by NextDNS. Some of the extremely new threats were not picked up by Quad9 yet and one older threat (reported yesterday evening) was also missed by Quad9.

      5 domains that were newly reported that they (probably) didn't update for yet as they were reported less than 30 minutes ago. There was 1 domain that was older but hadn't been blocked. Giving it a still solid 95/101

      They both didn't block one domain (not counted in the 101) doing further research resulted in the site not being blocked by anyone so it could have been a false positive in terms of the report.

      This test was done on my second configuration to reduce confusion with the main router, as the length of the test was longer. This setup had OISD/Fanboys Annoyance only so all of these were blocked by the most lenient NextDNS setup in terms of filters (in my opinion) and the AI/NRD/Threat Intelligence Feeds.

      In terms of pure AI performance it was 81/101 so it seems consistent with the other results.

      So overall NextDNS and Quad9 did great Quad9 could have updated better but it was not a huge loss of security in terms of the entire test so both were really solid.

      NextDNS just edged out today by updating faster and getting a few more domains.

      • Sohan_Ray
      • 2 yrs ago
      • Reported - view

      Hey Awsme! Thanks for the efforts.❤️

      • Sohan_Ray
      • 2 yrs ago
      • Reported - view

      Sohan Ray Although, the sources that you used to get those malicious domains, were they partly from one of the sources used by NextDns? Because that way, NextDns will obviously block all the domains as its in their blacklist. 

      • Hey
      • 2 yrs ago
      • Reported - view

      Sohan Ray it's a mix of a few well known open source blacklists and a few that aren't as well known and aren't in the main filters. I went this route as I can't find the malware personally. Most of them are included in NextDNS, Quad9 and probably (ControlD) as it seems to be a modified version of existing lists. But some still aren't. My main goal was to compare that day and hopefully hours/few hours threats. This was done for the most part as even on the 101 domains about 40-50 were less than an hour old. So it would show the companies systems put in place for redundancy and update times. With the ones that aren't listed / used being 0 day like cases. It's not a perfect test scenario but in terms of what an average person can get, I tried to diversify and generally give an assessment of the work that was put in to ensure an update security measures with redundancy feturss to block unknown threats and generally how it did overall.

      So to simplify about half of the domains were known domains that were mostly in that day, wanted to do this because of the ControlD scenario. The other half were mostly less than an hour old with again most of it being 0 day like threats that aren't found in most filters.

      I tried to diversify and generally change as much as possible and did a double check of the domains to GitHub but some of the filters could be upstreamed by something on the GitHub so I can't say 100% but there should be more than a few unknown threats in there as, some only got Blocked by OISD and some Purely NRD/AI.

      • Sohan_Ray
      • 2 yrs ago
      • Reported - view

      Hey 👍🏻

    • Sohan_Ray
    • 2 yrs ago
    • Reported - view

    You mentioned Cloudflare her in the test. Did you mean cloudflare security filter dns or Cloudflare gateway? 

    • Sohan_Ray
    • 2 yrs ago
    • Reported - view

    Hi, could you check the capabilities of CleanBrowsing dns as compared to NextDns? You can use the public security filter of CleanBrowsing. As they said, they use public lists, private lists and their own research using their own crawler engine. They even use AI and Machine learning. Seems they are really good. 

    They also claim that their blacklist database is considered one of the bests in the industry. 

      • Hey
      • 2 yrs ago
      • Reported - view

      Sohan Ray Interesting, it also has a Free tier, so for AI/ML that's quite nice, if it's on the spot that's even nicer. I'll try to do a comparison later on as I've had Covid and it turned into a flu with a toothache on the top. So feeling a bit tired these days. Overall though, I'd really like to compare them. With the amount of filters that they claim, it should do a great job on known threats part that I still do for their update times, the latest threats with unknown/lesser known websites, that should be really nice to compare.

      The best part is that they are free, so I don't have to worry about my trial running out, I'll try to check it out soon.

      • Sohan_Ray
      • 2 yrs ago
      • Reported - view

      Hey ok. Do let me know when you're done. They have a paid tier too. There they do provide option to block ads and trackers too. Although the paid tier is pretty expensive if compared to NextDns. 

      And get well soon🙂

      • Hey
      • 2 yrs ago
      • Reported - view

      Sohan Ray I've automated the process instead of doing it myself through a script, 820 domains, all from 3 hours ago all Newly Registered, for the moment being NextDNS is aceing it I'm also going to create a new configuration to easily pick up the NextDNS results.

      The most comprehensive test that I'm doing, I'll do it with CleanBrowsing, Quad9 and if you could create a new account on your behalf as a trial DNSFilter, I can't make a new account personally as it would be abuse of trial.

      • Sohan_Ray
      • 2 yrs ago
      • Reported - view

      Hey so sorry, 😓actually just like you even I have used up their trial already. Pretty long ago. Feels bad, that the one time you asked for help and I couldn't help you. 😣

      • Sohan_Ray
      • 2 yrs ago
      • Reported - view

      Sohan Ray Although you can keep Dnsfilter out of the test as anyways we as individual customers can't use it. Their plans are only for business and not for homes or personal uses. 

Content aside

  • 1 Likes
  • 2 yrs agoLast active
  • 24Replies
  • 3338Views
  • 3 Following