DNS Secure Browsing Follow Up: NextDNS Tweaked and Re-Tested
- Published 3 Jun 2024
- 2023 Forum Post & Video on DNS Filtering
lawrence.video/2023-dns-test
Time Stamps
00:00 - Which DNS Service is Best for Filtering Malicious Sites
00:38 - Services Tested Quad9, Cloudflare Families, NextDNS, AdGuard DNS
00:49 - The process used for testing
01:12 - The Previous DNS Results
01:44 - Testing NextDNS With an Account
#security #privacy #DNS - Science & Technology
Kudos Tom for taking onboard the feedback & re-testing NextDNS.
Your assessment is totally fair, there are trade-offs here, but the blocking results do speak to the benefit of their service, over free options at least.
The speed and attentiveness of thoughtfully following up so quickly is amazing 👍
If you are concerned about NextDNS Privacy, they do provide an option on the settings page to completely disable any logging, or have them stored in Europe under strict privacy ruling.
In Switzerland too.
Europe does NOT have strict logging laws. Those only apply for select private companies. In marxist Sweden ISPs are even taken to court by the oppressive vile EU if the ISP does not map everything the user does and save the data for years.
Wondering out loud here... with different states having different laws (I'm in California, thank goodness, with strict privacy laws...), NextDNS doesn't ask for my email address or have different privacy rules for this state, which tells me they don't store anything or sell anything to 3rd parties... and they clearly state that on their webpage...
Now that was more of the outcome I was expecting from NextDNS. :)
thanks for the transparency.
NextDNS does have an option where you can minimize the logs down to 1 hour, which I find useful in case I need to check for something that was blocked and need to allow.
This is why I trust you!!!! you care about everyone being in the know! That is some awesome results. Quad 9 is still the best easy, go to of mine as well. NextDNS is for specific use cases or locking down my home net because the kids LOL.
Thank you for taking the time to re-test!
Really good and fair video. Thanks for this!
Nice work
Thank you. I love NextDNS
false positive is as important as true positive.
Yes. Especially if you want the solution to pass the Family test i.e. "Google Shopping got blocked and now my wife is angry because she can't open the link to the ad she saw and actually wanted to buy" and other things like that.
This, you can have a 100% detection rate, but that doesn't mean anything if the FP rate is 100%.
Yes, hence the term...False Positive. 😅
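The thread above is about measuring both the detection rate and the false-positive rate of a filtering resolver. The following is an added example, not Tom's test script or anything from NextDNS: it queries a DoH endpoint that speaks the `application/dns-json` format (the Cloudflare endpoint used as the default is a real one; the NextDNS URL shape with a configuration ID is an assumption), classifies each answer as blocked or resolved, and scores a constructed "known bad" and "known good" list.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Sinkhole addresses some filtering resolvers answer with instead of NXDOMAIN.
SINKHOLE_ADDRS = {"0.0.0.0", "::", "127.0.0.1"}


def classify(doh_json: dict) -> str:
    """Classify one dns-json response as 'blocked', 'resolved', 'empty' or 'error'.

    RCODE 3 (NXDOMAIN) and 5 (REFUSED) count as a block, as does a NOERROR
    answer whose only A/AAAA addresses are sinkholes (a heuristic, not a standard).
    """
    status = doh_json.get("Status")
    if status in (3, 5):
        return "blocked"
    if status != 0:
        return "error"
    addrs = [rr["data"] for rr in doh_json.get("Answer", []) if rr.get("type") in (1, 28)]
    if not addrs:
        return "empty"
    return "blocked" if all(a in SINKHOLE_ADDRS for a in addrs) else "resolved"


def query_doh(domain: str, endpoint: str = "https://cloudflare-dns.com/dns-query") -> dict:
    """Network call: fetch the A record for `domain` over DoH in dns-json form.
    For NextDNS the identifier is part of the URL, so the endpoint would look like
    https://dns.nextdns.io/<config-id> (assumed shape; <config-id> is a placeholder)."""
    url = f"{endpoint}?{urlencode({'name': domain, 'type': 'A'})}"
    req = urllib.request.Request(url, headers={"Accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def score(results: dict, malicious: set, benign: set) -> dict:
    """Detection rate over the malicious list, false-positive rate over the benign list."""
    detected = sum(results.get(d) == "blocked" for d in malicious) / len(malicious)
    false_pos = sum(results.get(d) == "blocked" for d in benign) / len(benign)
    return {"detection_rate": detected, "false_positive_rate": false_pos}


def run(malicious: set, benign: set, endpoint: str) -> dict:
    """Query every domain live and score the resolver; unreachable lookups count as 'error'."""
    results = {}
    for d in malicious | benign:
        try:
            results[d] = classify(query_doh(d, endpoint))
        except Exception:  # network failure or malformed JSON
            results[d] = "error"
    return score(results, malicious, benign)
```

A resolver that blocks everything scores 100% on both numbers, which is exactly why the benign list is scored alongside the malicious one.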
Another point to note for average home/SMB users is that the free tier of NextDNS is limited to 300,000 queries per month. After that, queries are not filtered. Take myself as an example: I would use up the quota within 2 weeks.
Liar. There are not that many porn sites and results stay cached in your local DNS. Unless you are not caching anything (which is dumb).
@Katchi_ You understand that everyone has different use cases and settings, right? Just because others have a different case from you doesn't make them liars.
Yea the non-profit of quad9 is what makes me choose it. Also NextDNS is based in the USA with NSA and all the issues that come from that country with terrible privacy laws.
I used it up in 2-3 weeks with just my phone connected.
@rickross4337 I have 11 devices running and so far this month I have 18,864 queries to NextDNS, so I never exceed the amount. AdGuardHome has a cache too.
Thank you
One point worth noting, if you’re required to register the IP you will be querying from, that’s going to immediately make it a non starter for a lot of the homelab folks and such as they likely won’t have a fixed IP address.
This is mitigated by running dynamic dns service such as no-ip or something similar.
Most people (such as myself) have DDNS configured in my homelab so this was super easy to address
IP address registration is only needed for clients using classic DNS over UDP (port 53) over IPv4. For IPv6 your customer identifier is part of the last bits of the DNS server address. NextDNS also provides endpoints for DNS-over-TLS/QUIC (DoT) and DNS-over-HTTPS (DoH) where the identifier is part of the URL.
Wireguard, pihole, + quad 9. I think next dns is ok for on device vanilla style ad blocking if you don’t have a vpn or pihole, but it comes at the price of KYC unless you have an alt ID
Your argument is sound, but I wanted to point out that in NextDNS you can configure how long logs are retained in the settings tab. Not sure how much someone could mine if I set my retention to only 1 hour.
I'm currently using controld
With NextDNS, you can select to delete queries/logs after 7 days and store your data in a territory with higher regulations when it comes to data privacy.
I will stick with quad9.
If in the end, the concerns are protection AND privacy, why not just go with a local Unbound dns server in recursive mode and/or a Pi-hole with whatever blocklists you would need?
Quad9 looks like the choice for me.
Could you share the final (or live) list that you are blocking please?
After watching the video I got curious and checked my own network's DNS settings. Found that Firefox uses DoH now and no obvious way to switch it (and I didn't care enough to really dig into that), so it makes me wonder how effective changing the DNS on the router is anymore.
DoH on Firefox uses your DNS of choice. If you choose Cloudflare on your router, then FF will try to connect to Cloudflare's DoH DNS servers; if you choose Quad9, same. If it can't connect via DoH it will use your plain default port 53 DNS.
You can switch it; it's under Privacy and Security. Turning it off, it will use your PC/router DNS settings.
They offer NextDNS in their DNS over HTTPS service, but not Quad9, so I turn it off.
@pedromain Sadly Quad9 isn't selectable in my country for Firefox.
Is there the same pricing for Cloudflare as for NextDNS Pro?
I would wonder how Mullvad falls into this bunch, from a privacy and security scope.
I used to use Mullvad’s “base” encrypted DNS but found that it was blocking sites I had a legitimate need for. I’ve since switched between Quad9 and AdGuard, though I haven’t definitively settled on one or the other.
Every single DNS out there logs data, even no-log like Quad9 or Cloudflare, because of DDoS protection and they mention it in their Privacy Policy. The only difference is, how fast they remove logs, some after 2 hours, some after days. It is like arguing whether you should have Google/MS account, if you do not, they will log your data, if you do, you can remove it at your discretion.
For the small difference, I'll stick with quad 9. We give up enough of our data these days.
NextDNS is still a for profit company, although I don't know if they sell the aggregated data, they can/do hold it. I prefer Quad9, nonprofit, they don't hold data.
What about "Cloudflare gateway" with firewall rules to block more stuff?
You'd likely get a similar result to nextdns, about 100% block rate.
@jacksoncremean1664 It is a pain when each time you need to reconfigure and link yourself.
It would be interesting to get an ip onto these malicious lists, and try and remove it...
An alternative to NextDNS would be to run your own PiHole somewhere in the cloud, then you are the only one in charge of the logs!
There aren't many good threat feeds that are freely available, so you have to use another DNS service with threat feeds for good detection.
Of course everything is blocked in your test as NextDNS queries that blocklist every 5 minutes by their threat intelligence feeds...
Didn't know that .top domains are used for malicious purposes.
Now do Control D
It is costly!
@wildyato3737 It costs the same.
So basically before, you used NextDNS for a test without a single clue of what NextDNS was. OK, if this is the methodology that you use to test stuff we are in good hands. Well, at least you are honest in recognising your mistakes. Thanks for the video.
I would partially blame NextDNS for that tbh. They state on their homepage "try it now (no signup required)" and then give you the DNS IPs. If you overlooked the "link IP" part then yeah, it's not going to work as expected. Although we have no idea if Tom linked the IP or not, or didn't even click that page and just entered the DNS IPs on his test machine.
@_Miner When he made the initial video, I immediately knew that he didn't have a clue what he was talking about, but he was so eager to praise Quad9 that he went for it anyway. And by the way, I really like Quad9; I think he is correct, it is one of the best DNS services out there.
Not testing ControlD??
The script is in my forums, feel free to test all the DNS services you are interested in.
Fully agree, by registering yourself you are now personally identifiable, ergo you are now eligible to have your data sold.... and they WILL sell it.
He tested only unencrypted DNS with IP pinning and ignored the ability to not create any logs or to choose the logging location.
This review was pretty much superficial, even NextDNS nailed it by blocking everything.
If you care about privacy, having to provide email and ip-address kinda goes against the entire thing though.
@wile123456 I just want an automatic linking system, not manually linking each time...
NextDNS is definitely freemium, but it's open source, so no problem there.
Nah.. it will be paid.. thanks to AI..
As time passes AI will be smart enough to figure out dangerous threats... and it is exclusive to NextDNS..
NO other DNS providers use AI..
Absolutely horrific to register to a DNS provider 😮😢
No matter how well it works… if you have to sell your soul, it’s never worth it.
There is absolutely no way they don’t track the request.
Also they are a US company so they are less beholden to GDPR and as a non-US citizen the NSA has full reign to spy on your traffic if they request it from NextDNS
NextDNS is selling user data
Source?
Who in their right mind would register their ip and email address with a company that can see every DNS query you're making? No thanks :)
Any DNS server is going to see which IP you have as its part of the headers for the request you make every time you access a website.
IP address registration is only needed for IPv4 clients using classic DNS over UDP (port 53). E-mail can also be some anonymous throw-away address.
TRADING FREEDOM for SECURITY, In this CASE TRADING PRIVACY for SECURITY, and in the END YOU'LL HAVE NEITHER.
Pretty much everyone is using some security product like AV; they run with system rights and gather and share all info.