
NextDNS vs ControlD, ControlD has a problem.

I've seen many people mention it, some said that it was better and I was intrigued. Yesterday I was asked to test it, so here are the results.

I had done a test of malicious domains with reports from a day earlier. ControlD had 57 of them blocked and I was like yeah just like NextDNS so that's nice.

NextDNS was even better, it caught 39 domains purely by using AI, giving a 68.42% zero day type detection ratio. The rest were caught by the Threat Intelligence and Filters.

-----

The only problem I had seen (with ControlD) at the time was their way of sorting the domains, about 90% of the malicious domains showed up as "Ads" in the logs, giving a false sense of security. The user should know what's a threat and what's an Ad.

When you are on a malicious domain, that's redirecting or trying to push you to malware, you should know the risks and avoid the said domains.

That in and of itself isn't the largest issue that they have. The issue comes from not having updates fast enough in terms of their Threat Intelligence.

-----

When testing with domains that were 5-6 hours old, none of the domains were caught. So that really made me question a lot of things.

Them listing the domains as Ads was a turnoff for me but not catching new threats was shocking.

I've checked the domains today and the 4 of them are still not blocked and you're able to download the malicious files.

Malware doesn't have a tendency to wait until the service gets around to blocking it. These threats were reported yesterday evening as of posting.

So overall, with these problems I'm not happy with their results. These domains were blocked by NextDNS, Quad9 and some by Cloudflare. I see no reason why they can't block them on time.

24 replies

    • Sohan_Ray
    • 2 yrs ago

    Awesome analysis done here. Appreciate the effort. 👍🏻👍🏻

    • Sohan_Ray
    • 2 yrs ago

    Although NextDns performed well... One thing about it has always bothered me. And that is the fact that I have seen instances when a number of threat intelligence feed sources being used had been deprecated and the NextDns team hadn't done anything about it for quite long. And after a long break and a number of issues raised regarding that concern, they finally fixed/updated them. 

      • Hey
      • 2 yrs ago

      Sohan Ray It probably happens because the main people behind it do the changes on GitHub and the support doesn't directly change things themselves.

      You can see this by them linking GitHub for filter change requests here.

      The threads here requesting changes to the main service do help, but for filter changes and updates that involve the owners, the best way is to go to the creators directly / open issues on their GitHub page from what I've seen on the forums.

      There is also a trend where NextDNS doesn't make quick changes, it's great for stability and things working as intended. Everything that is here works perfectly but also as you said sometimes results in unwanted slowdowns.

      So hopefully whenever something critical does come up again, it's directed to GitHub on day one by either the OP or some of us in the community to speed up the process.

      It's a shame that it took that long, I didn't know about it before so it's not a good look for the NextDNS devs on that end.

    • Sohan_Ray
    • 2 yrs ago

    How would you compare NextDns to Quad9? Which one is better in terms of protection? 

      • Sohan_Ray
      • 2 yrs ago

      Sohan Ray Consider this argument:

      Quad9 uses sources which are leading cybersecurity companies, which use web crawlers like Google to find domains and use their scanning engines to detect the malicious ones. And if the domains are suspected then they are tested by employees in the companies. 

      Whereas, NextDns uses lists that are open source, and maintained by some individuals. I doubt they have crawler systems or scanning engines in their arsenal to find and detect malicious domains. I wonder how they keep up to date their list of latest malicious domains. All I have seen is that they try and combine other blocklists from different sources who in turn update their lists in what way god knows. 

      • Hey
      • 2 yrs ago

      Sohan Ray On the tests that I did, it basically had the same results as NextDNS and as you said they work with many companies to have the said protection resulting in a quite great protection ratio.

      But it comes at a cost, they don't do their own filters, it's not by choice either, they have to constantly maintain a good relationship with the said companies, so competing with their filters / systems or doing something that they don't like could result in problems.

      I've seen people ask for something similar to be done with NextDNS but I think that it would cost the entire Open Nature that NextDNS has to get to that point. This would also make them an "Independent" yet completely dependent service.

      There is also the fact that Quad9 is free of charge as a non-profit organization. NextDNS would probably have to pay a good sum to get access to all the same filters as Quad9, which would impact pricing.

      That's if the said companies accept working with NextDNS, they wouldn't as it would be quite illogical to give your arsenal to another service, creating a better competitor.

      -----

      Overall, Quad9 seems to be neck and neck on my testings it wasn't a huge win or loss on either side, sometimes NextDNS updated their feeds faster than Quad9 but some other times NRD or AI stepped in to block something that was blocked by Quad9 already. Using heavier filters that update more often like 1HostPro etc should make the results closer if not close to being identical even on threats found minutes / hours ago but Quad9 might still have a small edge overall.

      NextDNS seems to know the advantage/disadvantages so they are doing NRD/AI and other approaches giving them additional layers to improve security.

      -----

      I'd prefer it being open, them being able to do more things overall without having to constantly think about their relationship with other corporations.

      Also as you said the open filters probably use general Web Feedback and other non-open sources to come up with the end result. The general web and the userbase isn't a small community either so it keeps up most of the time and when that isn't enough there is NRD giving the 30 day additional time for the filters to catch up with Ads/Trackers/Threats and AI to mitigate new threats that are unknown.

      -----

      To give a simple answer, Quad9 and NextDNS seem to be really close. The additional layers that come with NextDNS do the job of stopping new malware to a great extent, where the difference between Quad9 and NextDNS isn't huge.

      For that maybe 1%+- I wouldn't like them being completely dependent on others, giving up their open nature and customizations, I'm more than happy to pick my level of security instead of be given whatever a company chooses for me.

      • Hey
      • 2 yrs ago

      I'd also like to add that the +- is there since you can make it close to identical or lose some security for convenience. There is no NextDNS result to be given outright, different filter setups and general configurations lead to different results as you know, having this gives room for the differences in configurations.

      • Sohan_Ray
      • 2 yrs ago

      Hey Thanks for the well thought perspective! 

      • Sohan_Ray
      • 2 yrs ago

      Hey did you check how many Dnsfilter was able to block in this test? 

      • Hey
      • 2 yrs ago

      Sohan Ray I didn't do a test against DNSFilter at the time, as I wasn't happy with the updates and results of ControlD, so I checked to see others that were easily accessible and could be used by everyone. The Cloudflare that was used was the Malware Filtering DNS, nothing too special.

      I can also do the tests now but the whole brand new aspect would be out of the table. The tests were done on that time with the latest domains of that time.

      I also mentioned Cloudflare especially since they aren't as quick as NextDNS or Quad9, that was one of my points: those people that aren't even focused on it could do a faster job of recognizing malicious domains, and that's why I was a bit more confident saying that I don't really see a reason why they should miss these domains when nearly everything else has them caught.

      • Sohan_Ray
      • 2 yrs ago

      Hey ohk! I asked about Dnsfilter as it would give a more accurate idea of comparison between it and NextDns, with a bigger list of domains that is. 

      • Hey
      • 2 yrs ago

      Sohan Ray I can do one with NextDNS vs Quad9 as that's a lot easier, and I used the DNSFilter trial so I would be abusing the service if I were to do it again. I'm in the process of doing it now, finished with the NextDNS results and I'll move to Quad9 now. In terms of scale it should be 100+ since today seems to be a big day for malware.

      • Hey
      • 2 yrs ago

      Sohan Ray Here are the results: out of the 101 Malicious Domains, all of them were blocked by NextDNS. Some of the extremely new threats were not picked up by Quad9 yet and one older threat (reported yesterday evening) was also missed by Quad9.

      5 domains that were newly reported that they (probably) hadn't updated for yet, as they were reported less than 30 minutes ago. There was 1 domain that was older but hadn't been blocked. Giving it a still solid 95/101.

      They both didn't block one domain (not counted in the 101); doing further research resulted in the site not being blocked by anyone, so it could have been a false positive in terms of the report.

      This test was done on my second configuration to reduce confusion with the main router, as the length of the test was longer. This setup had OISD/Fanboys Annoyance only so all of these were blocked by the most lenient NextDNS setup in terms of filters (in my opinion) and the AI/NRD/Threat Intelligence Feeds.

      In terms of pure AI performance it was 81/101 so it seems consistent with the other results.

      So overall NextDNS and Quad9 did great. Quad9 could have updated better but it was not a huge loss of security in terms of the entire test, so both were really solid.

      NextDNS just edged out today by updating faster and getting a few more domains.

      • Sohan_Ray
      • 2 yrs ago

      Hey Awesome! Thanks for the efforts.❤️

      • Sohan_Ray
      • 2 yrs ago

      Sohan Ray Although, the sources that you used to get those malicious domains, were they partly from one of the sources used by NextDns? Because that way, NextDns will obviously block all the domains as it's in their blacklist. 

      • Hey
      • 2 yrs ago

      Sohan Ray It's a mix of a few well known open source blacklists and a few that aren't as well known and aren't in the main filters. I went this route as I can't find the malware personally. Most of them are included in NextDNS, Quad9 and probably (ControlD) as it seems to be a modified version of existing lists. But some still aren't. My main goal was to compare that day's and hopefully hours/few hours old threats. This was done for the most part as even on the 101 domains about 40-50 were less than an hour old. So it would show the companies' systems put in place for redundancy and update times, with the ones that aren't listed / used being 0 day like cases. It's not a perfect test scenario but in terms of what an average person can get, I tried to diversify and generally give an assessment of the work that was put in to ensure updated security measures with redundancy features to block unknown threats, and generally how it did overall.

      So to simplify about half of the domains were known domains that were mostly in that day, wanted to do this because of the ControlD scenario. The other half were mostly less than an hour old with again most of it being 0 day like threats that aren't found in most filters.

      I tried to diversify and generally change as much as possible and did a double check of the domains against GitHub, but some of the filters could be upstreamed by something on GitHub so I can't say 100%, but there should be more than a few unknown threats in there as some only got blocked by OISD and some purely by NRD/AI.

      • Sohan_Ray
      • 2 yrs ago

      Hey 👍🏻

    • Sohan_Ray
    • 2 yrs ago

    You mentioned Cloudflare here in the test. Did you mean the Cloudflare security filter DNS or Cloudflare Gateway? 

    • Sohan_Ray
    • 2 yrs ago

    Hi, could you check the capabilities of CleanBrowsing dns as compared to NextDns? You can use the public security filter of CleanBrowsing. As they said, they use public lists, private lists and their own research using their own crawler engine. They even use AI and Machine learning. Seems they are really good. 

    They also claim that their blacklist database is considered one of the best in the industry. 

      • Hey
      • 2 yrs ago

      Sohan Ray Interesting, it also has a Free tier, so for AI/ML that's quite nice, and if it's on the spot that's even nicer. I'll try to do a comparison later on as I've had Covid and it turned into a flu with a toothache on top. So feeling a bit tired these days. Overall though, I'd really like to compare them. With the amount of filters that they claim, it should do a great job on the known threats part that I still do for their update times; the latest threats with unknown/lesser known websites, that should be really nice to compare.

      The best part is that they are free, so I don't have to worry about my trial running out, I'll try to check it out soon.

      • Sohan_Ray
      • 2 yrs ago

      Hey ok. Do let me know when you're done. They have a paid tier too. There they do provide the option to block ads and trackers too. Although the paid tier is pretty expensive compared to NextDns. 

      And get well soon🙂

      • Hey
      • 2 yrs ago

      Sohan Ray I've automated the process through a script instead of doing it myself, 820 domains, all from 3 hours ago, all Newly Registered. For the moment NextDNS is acing it. I'm also going to create a new configuration to easily pick up the NextDNS results.

      The most comprehensive test that I'm doing, I'll do it with CleanBrowsing, Quad9 and, if you could create a new account on your behalf as a trial, DNSFilter. I can't make a new account personally as it would be abuse of the trial.
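The kind of automated check described above, as an added example that is not the poster's script: a small Python harness that sends plain UDP DNS queries for a list of domains to each resolver and tallies which ones come back blocked (NXDOMAIN/REFUSED or a sinkhole answer such as 0.0.0.0). The Quad9 and Cloudflare malware-filtering addresses are the public ones; NextDNS and ControlD endpoints are profile-specific and left for the reader to add, and the injectable `query` parameter is an assumption so the tally logic can be exercised offline against constructed replies.

```python
import socket
import struct
from typing import Callable, Dict, List, Tuple

# Public resolvers named in the thread; NextDNS/ControlD profile endpoints must be added by hand.
RESOLVERS = {"Quad9": "9.9.9.9", "Cloudflare (malware filter)": "1.1.1.2"}
SINKHOLES = {"0.0.0.0", "127.0.0.1"}  # answers filtering resolvers return for a block
NXDOMAIN, REFUSED = 3, 5

def build_query(domain: str, txid: int = 0x1234) -> bytes:
    # Minimal A-record query, recursion desired, no EDNS.
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _skip_name(data: bytes, pos: int) -> int:
    # Offset just past a DNS name, whether written out or a compression pointer.
    while data[pos] and data[pos] & 0xC0 != 0xC0:
        pos += 1 + data[pos]
    return pos + (2 if data[pos] & 0xC0 == 0xC0 else 1)

def parse_response(data: bytes) -> Tuple[int, List[str]]:
    # Returns (rcode, A-record addresses); other record types are skipped.
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    pos, addrs = 12, []
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4  # skip QTYPE/QCLASS
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, addrs

def classify(rcode: int, addrs: List[str]) -> str:
    # NXDOMAIN/REFUSED or a sinkhole answer is a block; NOERROR with no A record (NODATA) is ambiguous.
    if rcode in (NXDOMAIN, REFUSED) or (addrs and all(a in SINKHOLES for a in addrs)):
        return "blocked"
    return "resolved" if addrs else "ambiguous"

def udp_query(resolver_ip: str, domain: str) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(build_query(domain), (resolver_ip, 53))
        return s.recv(4096)

def run_test(domains: List[str], resolvers: Dict[str, str],
             query: Callable[[str, str], bytes] = udp_query) -> Dict[str, Dict[str, int]]:
    # Per-resolver verdict tally; `query` is injectable so the logic can run offline (assumption).
    tally = {n: {"blocked": 0, "resolved": 0, "ambiguous": 0} for n in resolvers}
    for name, ip in resolvers.items():
        for d in domains:
            tally[name][classify(*parse_response(query(ip, d)))] += 1
    return tally
```

A live run is `run_test(domain_list, RESOLVERS)`; timeouts and malformed replies raise rather than being counted, so wrap `udp_query` if you want those reported as a separate bucket.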

      • Sohan_Ray
      • 2 yrs ago

      Hey so sorry, 😓 actually just like you even I have used up their trial already. Pretty long ago. Feels bad that the one time you asked for help I couldn't help you. 😣

      • Sohan_Ray
      • 2 yrs ago

      Sohan Ray Although you can keep Dnsfilter out of the test as we as individual customers can't use it anyway. Their plans are only for businesses and not for homes or personal use. 
