HTTPS DNS - Cloudflare vs NextDNS?

You need to decide what you want out of your DNS first. From the two choices, I'm suspecting you're choosing between the two built in DNS over HTTPS options in Firefox? Otherwise it makes no sense - Cloudflare offer (fast) encrypted DNS and that's it. NextDNS offer a (mostly paid) adblocking DNS, like PiHole/AdGuard Home in the cloud. They're very different, but both do happen to the the default choices in Firefox as I said, which made me wonder.

Both are fast and reliable, with NextDNS being the slightly slower of the two. Quad9 offers malware/threat protection automatically, and transparently, which is a bonus. They're a bit slower than Cloudflare (on average) but they're a non-profit, based in Switzerland, which may sway your choice. Either way, if you can use DNS over QUIC or TLS, I'd suggest that over DNS over HTTPS - which leaks metadata and can lead to you being fingerprinted.
 
Rainmaker said:
You need to decide what you want out of your DNS first. From the two choices, I'm suspecting you're choosing between the two built in DNS over HTTPS options in Firefox? Otherwise it makes no sense - Cloudflare offer (fast) encrypted DNS and that's it. NextDNS offer a (mostly paid) adblocking DNS, like PiHole/AdGuard Home in the cloud. They're very different, but both do happen to the the default choices in Firefox as I said, which made me wonder.

Both are fast and reliable, with NextDNS being the slightly slower of the two. Quad9 offers malware/threat protection automatically, and transparently, which is a bonus. They're a bit slower than Cloudflare (on average) but they're a non-profit, based in Switzerland, which may sway your choice. Either way, if you can use DNS over QUIC or TLS, I'd suggest that over DNS over HTTPS - which leaks metadata and can lead to you being fingerprinted.
Click to expand...

You can apply policies to CloudFlare to filter DNS by category. I have it working via a Cloudflared tunnel - I've not explored if it can be used directly via Firefox or other browser.

developers.cloudflare.com

Domain categories · Cloudflare Zero Trust docs

Cloudflare Gateway allows you to block known and potential security risks on the public Internet, as well as specific categories of content. Domains are categorized by Cloudflare Radar.
developers.cloudflare.com developers.cloudflare.com
 
#Chri5# said:
You can apply policies to CloudFlare to filter DNS by category. I have it working via a Cloudflared tunnel - I've not explored if it can be used directly via Firefox or other browser.

developers.cloudflare.com

Domain categories · Cloudflare Zero Trust docs

Cloudflare Gateway allows you to block known and potential security risks on the public Internet, as well as specific categories of content. Domains are categorized by Cloudflare Radar.
developers.cloudflare.com developers.cloudflare.com
Click to expand...
Yeah, that's true. It still requires you to sign up (including payment details, even for the free tier) and install their app though. With the OP asking specifically about DoH and referencing the two default choices in Firefox, I figured it was the more likely scenario. Someone who knows what Cloudflare ZeroTrust is (and how to configure it) likely already knows what they want from their DNS, and where to find it. :) Doesn't mean to say I'm correct, obviously - but when the OP is a single sentence we can only make assumptions and ask more questions.
 
Ice Tea said:
I just wondered how the two defaults in Firefox compare as i assumed there must be some sort of reason they didn't include others.
Click to expand...
Thought so. :) Mozilla signed agreements with those two providers, with stipulations on (non) use of users' data and DNS queries etc. You are still free to use any provider you wish, though as I said you'd be better off using DoQ or DoT at the OS level rather than relying solely on DoH, if you have the choice. Both providers will work, both are fast and responsive and won't censor you. Your queries will be safe from prying eyes either way (though without encrypted hello/ech it's a bit moot). TLDR, just use a VPN and your queries will be hidden as well as everything else. Tor for when you *really* want to stay under the radar. For regular browsing, either option (or Quad9, or any of the other non-logging options) will do just fine as well.
 
I see Quad9 has already had a lawsuit from Sony to block copyright websites and there has recently been talk of this happening with other providers like Cloudflare.
 
Ice Tea said:
I see Quad9 has already had a lawsuit from Sony to block copyright websites and there has recently been talk of this happening with other providers like Cloudflare.
Click to expand...
...in Germany, thanks to a faulty interpretation of German law which allows exemption for third party liability for ISPs, but excluded Quad9 (and other DNS providers) for no sane reason. Still works fine here:

Code: 
dig canna.to @9.9.9.9

; <<>> DiG 9.10.6 <<>> canna.to @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64607
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;canna.to.            IN    A

;; ANSWER SECTION:
canna.to.        300    IN    A    46.148.26.194

;; Query time: 318 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sun Aug 14 10:16:55 BST 2022
;; MSG SIZE  rcvd: 53
 
You must log in or register to reply here.
Back
Top Bottom