NextDNS (free) security after 300K queries

I find myself using Quad9 instead of NextDNS due to the fact that NextDNS’s free tier is limited to 300,000 queries per month; after that I will be left unprotected. I may never reach this limit, but it’s still something that bothers me, and it might actually happen for whatever reason. This is a security flaw in my opinion.

Also, all the benefit I would get with NextDNS is tied to my user account. If I want to use the service anonymously, I only have 7 days to fine-tune the settings. After this period, a minor adjustment would require a new setting altogether.

EDIT: If you don’t look carefully into the settings, logging is opt-out, not opt-in. And since you’re bound to a 7-day limit with an anonymous setup, there’s no way to check whether logging is enabled :sweat_smile:

You can’t really compare Quad9 and NextDNS, though.
From the two only NextDNS is blocking a large portion of ads and trackers.
NextDNS after 300k queries is basically what Quad9 is like all the time (not quite true, they block some known malware sites but no ads or trackers).

4 Likes

Quad9 ain’t on NextDNS’s level tho. Correct me if I’m wrong? NextDNS just does a better job with many more servers around the world.

I think Quad9 has a very good number of servers all around the planet, too.
They only block the worst malware/phishing domains though, Quad9 was created for different reasons (mainly free/secure/private/uncensored DNS for everyone).

No, it’s not the same as Quad9. This is stated on NextDNS website:

“When exceeding the free monthly quota, NextDNS will continue to answer DNS queries like a classic non-blocking DNS service.”

Basically, after 300k, NextDNS does nothing at all (otherwise, you won’t be able to connect to the internet).

For ads and trackers, I have a browser solution as an alternative.

1 Like

It still works as a reverse DNS. It just doesn’t block anything. If you don’t click weird links blindly Quad9 will probably never block any URL for you.

According to a recent test from Lawrence Systems, Quad9 actually blocked a lot of malicious URLs :sweat_smile:

I’m not saying Quad9 does a bad job but in my day to day surfing I’m not visiting any malware/phishing domains. I don’t even know when a website was blocked the last time, has to be years.
NextDNS is much more “tangible” in every day use from the huge amount of ads/trackers it blocks (+malware sites etc. on top).

As others have pointed out, NextDNS and Quad9 are not comparable services. Both are great privacy respecting DNS services, but that is where the similarity ends.

If you want just a DNS with a security blocklist Quad 9 is a great option. NextDNS appeals more to people who want more control and fine tunability as well as adblocking.

Also, all the benefit I would get with NextDNS is tied to my user account.

You seem reluctant to use a user account or to enable logging and analytics. Which is fine, and reasonable, but NextDNS appeals to and is mostly intended for people who specifically want the features that a user account enables. If you don’t want that Quad9 or Adguard or Mullvad is a better alternative with no limits, but also a lot less features and customizability.

If I want to use the service anonymously

I think that is an unrealistic expectation with either NextDNS or Quad9 or any other traditional DNS, whether it has an account or not. The absence of a user account does not make you anonymous. Every time you query Quad9 or NextDNS you are giving them your IP address + the domain you queried. This is the case with or without an account, and the way I see it, your IP is a much more sensitive piece of info than some non-personal account credentials or an email alias. Don’t let not having an account fool you into thinking DNS is anonymous or private; it is not, and a no-logs policy means they don’t store that sensitive data, not that they don’t or can’t see it.

As to the Lawrence Systems test

Both NextDNS and Quad9 were very effective in those tests, BUT that test is testing against a list made up of purely known/suspected malicious domains so of course it will block a lot. What Valynor said is correct in my eyes, if you have moderately safe browsing habits, you are unlikely to encounter these type of domains too often.

That said, considering the cost/benefit, I definitely prefer the strongest anti-malware/phishing blocking I can have; we all get lazy or impulsive occasionally, and it’s best to have more layers of defense than relying on self-discipline alone. Quad9 is a great option if all you care about is security (and don’t care about adblocking or a control panel / logging / analytics).

One reason I do really appreciate NextDNS and its logging, is that I can see real world stats for my own browsing. I can tell you that of 150K total queries, 9K were blocked, and of that 9K only 9 requests were blocked for security reasons, and those 9 were all a single domain that appears to have been a false positive according to virustotal.

5 Likes

Both are comparable IMO, since both are DNS resolver services with differences in their feature sets. Otherwise, we wouldn’t see many comparisons online. However, not both of them respect users’ privacy, due to the fact that only NextDNS logs users’ IPs and domains by default (opt-out), while Quad9 doesn’t log any identifiable user data.

Moreover, NextDNS’s privacy policy #3 could be the most confusing privacy policy I have ever read. They said, “If not specifically requested by the user, no data is logged…”. If only by this statement, I would assume that the logging is opt-in, but it’s opt-out, though :sneezing_face:

Of course, we’re talking about privacy, after all. How could I not be reluctant about having to create an account, or feel good about having my log in the cloud? :sweat_smile:

The problem is logging, as explained above. Whether I have to send them my IP and domain is not relevant here, as long as they’re not logging me. Unfortunately, NextDNS is happily logging you by default, while you don’t even have an option to have Quad9 log you.

I prefer to use any service as anonymously as possible. Having to give my email (even if it’s just an alias) instead of just saving a link, which is uniquely identifiable to my setup anyway, is not my cup of tea. My point is that NextDNS seems to love my personal info for no apparent reason.

I am not even sure whether both you and Valynor actually watched the test result. Otherwise, you wouldn’t keep saying that both of them are good at blocking sites, that both of them are doing the same thing, etc. Even with a testing list that is made up of purely known/suspected malicious domains, like you said, NextDNS lets those domains in at a whopping 33.11% out of 8,333 domains tested!!! About the same as Cloudflare 1.1.1.1 (unblocked setting). While only 0.79% of the domains survive Quad9 blocking.

I am not here to defend Quad9 or to attack NextDNS. I am here to express my concern regarding my security and privacy when using NextDNS. It’s not even my debate. I didn’t even debate anything until this post. Having a 300,000 queries per month limit, along with an inability to know whether I am getting logged (after 7 days), is a “tangible” downside in my everyday usage of NextDNS. Ads and tracking can be mitigated by Brave Shield, which I use, plus Brave shows me how many ads I blocked without cloud logging.

1 Like

He posted a followup / correction video that it sounds like you may not have seen yet. NextDNS with a profile scored 100%, the best of the bunch.

3 Likes

Which is not related to our conversation here or my conversation with Valynor above. We’re not talking about the maximum setting on NextDNS. We’re talking about my concern regarding what it will do after the 300,000 queries per month limit. That’s the reason why I shared the non-follow-up test in the first place.

You really are nitpicking here, IMHO.
NextDNS losing at this comparison without block lists is uh … not a surprise?

Also you can look up how many queries you are doing per month in your account. I usually do about 150k, with several devices, so I can quite confidently say that I will not reach 300k, period.

There is a really simple way to prevent running into the 300k limit and it will only cost you $2 per month.

3 Likes

I thought you would be surprised, since you said “NextDNS after 300k queries is basically what Quad9 is like all the time”. That’s the reason I shared the test. It’s the test I watched some time ago and I remember the result. It’s a good example showing how NextDNS would perform after the 300k limit.

Whether I could reach that limit is another matter entirely.

I think NextDNS is just not right for you, which is fine. It seems like you (1) don’t want a DNS that requires any configuration, (2) don’t want a query limit but also prefer not to pay, and (3) don’t really care about the control NextDNS offers. If that’s true, I think Quad9 is a great choice for you, much better than NextDNS for what you want. Another option would be self-hosting (e.g. Pi-hole or AdGuard Home).

2 Likes

  1. Configuration is fine. But it should be a good default configuration. Logging by default, which seems contrary to the service’s own privacy policy, is not a good default in my opinion.

  2. Yes, I really don’t want to pay if possible :sweat_smile: I believe that a paywalled service would essentially make it harder for me to recommend it to my family and friends, especially in the DNS resolver market, where many good free options are available.

  3. I do care about what NextDNS offers. But I prefer to use it freely without any limitations, as anonymously as possible (not having to create any account), and, most importantly, without logging any of my usage in the cloud (this makes their dashboard/analytics a con / a feature to avoid for me).

Quad9, which has good malicious-site blocking, plus Brave Shield to block ads and tracking locally. This setup seems to work for me currently.

I’m kind of inclined to agree with you. I think we’ll remove NextDNS from the general list of generic DNS providers and add it to a new category of “cloud-based custom filtering providers,” seeing as we probably wouldn’t recommend the free version of NextDNS in the first place over the other 5 options.

3 Likes

ZERO — Hardened security for highly sensitive environments — dns0.eu is from NextDNS and completely free to use. However there are only servers inside the EU, that might be good or bad for you. It does not offer customization but has a lot of the categories already activated, so as a general more secure DNS it might be what you’re looking for.

3 Likes

Brave is using Google’s Safe Browsing list which should have pretty much all of the malicious sites in it anyway.

Where NextDNS really shines is that it can extend this protection to all of your devices (esp. important on mobile devices). While e.g. a malicious mobile app might contact a malicious/phishing site, many apps and the OS itself contact trackers and ad servers all the time, and that’s where NextDNS really can make a difference.

1 Like

Using the $2 version of NextDNS at the moment for testing.
Some things just cost $$$, which I am fine with.

So far so good.
Opted out of logging, but:
Maybe I will opt back in to see w h a t is being blocked. Because it will show you what trackers etc. if you do.

Then opt back out.

This pretty much sums it up.