Control D vs NextDNS - An Honest Comparison

We've seen an influx of NextDNS users expressing interest in Control D, so this article is meant to address all the questions we've encountered so far. Since this is a Control D blog, there may be inherent bias, but I'll try to be as objective as possible, as I was personally a NextDNS user before Control D existed. Any omissions are not out of malice; if you spot some, email me at the address posted at the end of the article. Now, let's dive into the first and most obvious topic.

What does NextDNS have that Control D does not?

  1. "AI" based malware detection - Update May 2023: This is now available.
  2. Self-configuring router utility - Update May 2023: This is now available.
  3. CNAME Flattening
  4. Google Safe Browsing
  5. Block Parked Domains
  6. Web3 domain registries

Most of the missing features (and many others) are already on our roadmap; at the time of writing, you can expect to see them released in the coming weeks or months.

If you're thinking, "But NextDNS has feature X, which I do not see in your interface," please read on – all shall be made clear. But first, let's talk about major features that only Control D has.

What does Control D have that NextDNS does not?

  1. Traffic Redirection - Control D can redirect any domain you resolve through proxy servers in over 100 exit locations. This lets you change your IP address for that traffic without using a VPN; since the redirect is triggered by the DNS lookup, only connections that start with one are affected. This feature is part of the $40/year plan. If you have no interest in it, you can use the cheaper $20/year plan (which costs the same as NextDNS).
  2. IP Blocklists - Control D's Malware Filter draws on threat intelligence feeds that are both domain-based and IP-based. This means a query is blocked when its answer lands in a malicious IP network, even if the FQDN itself appears on no blocklist.
  3. Vast Library of Services - Control D supports over 400 different services (NextDNS has just 43), which you can block OR redirect via a proxy location, all with a single toggle.
  4. Curated Filters - Our native filters are handcrafted and based on five years of feedback from millions of Windscribe (our sister company) users. This means you will find them highly effective in terms of what they block, with far fewer false positives than in most community filters you may be using right now. If you still wish to use 3rd party Filters, Control D supports 12 of the most popular ones out there. If you really need one that we don't support, make a suggestion.
  5. Swappable Configurations - Your configurations (known as Profiles) are decoupled from the actual DNS resolvers (known as Devices). This allows you to maintain different Profiles and selectively enforce them on some, all, or none of your Devices. This is very handy if you wish to try a new Profile on an existing resolver that is already configured somewhere, without mutating the original Profile. You can also schedule automatic Profile swaps using the scheduler.
  6. Powerful Custom Rules - While NextDNS has basic Allow/Deny lists and "Rewrites" (all in three separate sections), Control D lets you manage them all in one place, with much more functionality. Think of this as your own authoritative DNS server for the entire Internet. You can create custom rules that block, redirect (to an IP or a proxy location) or bypass any domain name (or wildcard). You can create PTR records, group your rules into folders, assign default actions to folders (e.g. make your own Allow/Deny folders and add domains to them), export folders to share rules, copy rules between Profiles, and a whole lot more. And yes, you can also search your rules.
  7. Multiple Analytics Levels - Analytics is not limited to being ON or OFF. A middle level stores your data in a privacy-conscious fashion: you still see what Control D is doing when it blocks and redirects, but it stores only the counts of the various actions, not the domains you resolve, so there is no record of your browsing history.
  8. Expose IP Via DNS - This is a Device setting that lets any Device act as a DDNS endpoint. With it enabled, every time you query your Secure DNS resolver, the source IP of the query is published in a public DNS record, which removes the need for a 3rd party DDNS service. Keep in mind that the record is public: anyone who knows the hostname can look up your current IP.
  9. Geo Custom Rules - Make Custom Rules that leverage IP location data. With these, you can block (or redirect) any domain that resolves to IPs in a specific country.
  10. End User Support - We provide support for everyone. Email us, hit us up on Reddit, Twitter, or Discord, and we'll be happy to help you.
  11. Low(er) Latency - Control D is powered by one of the fastest DNS anycast networks on earth. Average DNS latency is lower than NextDNS's.
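To make the Custom Rules item concrete, here is an added example (not Control D's code) of how rules that are exact names or wildcards, grouped into folders that carry a default action, can be evaluated for a queried name. The rule format, the action names, the precedence order (exact beats wildcard, longer wildcard beats shorter) and the sample folders are all assumptions made for this illustration.

```python
"""Added example (not Control D's code): evaluating custom DNS rules that
can be exact names or wildcards, grouped in folders with a default action.
The rule format, action names and precedence order are assumptions made
for this illustration; Control D's real semantics may differ."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

BLOCK, REDIRECT, BYPASS = "block", "redirect", "bypass"


@dataclass(frozen=True)
class Rule:
    pattern: str                  # "tracker.example.com" or "*.example.com"
    action: Optional[str] = None  # None = inherit the folder's default action
    target: Optional[str] = None  # IP or proxy location, used with REDIRECT


@dataclass(frozen=True)
class Folder:
    name: str
    default_action: str
    rules: Tuple[Rule, ...]


def _matches(pattern: str, fqdn: str) -> bool:
    """Assumption: '*.example.com' covers every subdomain and the apex itself."""
    fqdn = fqdn.rstrip(".").lower()
    pattern = pattern.lower()
    if pattern.startswith("*."):
        apex = pattern[2:]
        return fqdn == apex or fqdn.endswith("." + apex)
    return fqdn == pattern


def _specificity(pattern: str) -> Tuple[int, int]:
    # Exact names beat wildcards; among wildcards, the one with more labels wins.
    return (0 if pattern.startswith("*.") else 1, pattern.count(".") + 1)


def evaluate(folders: Sequence[Folder], fqdn: str):
    """Return (action, target, matched_pattern), or None if no rule applies
    and the name should simply be resolved normally."""
    best = None
    for folder in folders:
        for rule in folder.rules:
            if not _matches(rule.pattern, fqdn):
                continue
            action = rule.action or folder.default_action
            cand = (_specificity(rule.pattern), action, rule.target, rule.pattern)
            if best is None or cand[0] > best[0]:
                best = cand
    return None if best is None else best[1:]


# Constructed sample profile: a Deny folder, an Allow folder and a Geo folder.
FOLDERS = (
    Folder("Deny", BLOCK, (Rule("*.doubleclick.net"), Rule("tracker.example.com"))),
    Folder("Allow", BYPASS, (Rule("cdn.example.com"), Rule("stats.doubleclick.net"))),
    Folder("Geo", REDIRECT, (Rule("*.bbc.co.uk", target="GB"),)),
)

if __name__ == "__main__":
    for name in ("ads.doubleclick.net", "stats.doubleclick.net",
                 "www.bbc.co.uk", "tracker.example.com.", "example.org"):
        print(name, "->", evaluate(FOLDERS, name))
```

The point worth noticing is the precedence: an exact bypass rule for `stats.doubleclick.net` in the Allow folder wins over the `*.doubleclick.net` block in the Deny folder, which is how a folder-level Deny can be punched through for one host without editing the wildcard.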

But what about feature X?

Control D was not designed to mirror NextDNS's interface 1:1. So while you won't find the same feature names, and feature toggles may be different or non-existent in our UI, it doesn't mean the underlying functionality is missing.

The following will go over some "missing" features and where you can find them. Just keep the following UI conventions in mind:

  • Anything that BLOCKS domains from resolving will be found in the Filters section.
  • Some Filters have Relaxed and Strict modes; Strict broadens what the Filter blocks within its scope.
  • The Services section gives you granular control over 400+ web services, apps, and games.
  • Custom Rules give you highly detailed control over individual domain names.
  • Settings not related to specific domains, services, or categories are found in Profile Options. These govern general behaviors.

Now that we've got the basics out of the way (you can dig deeper in this article), let's discuss some specifically named NextDNS features that are (not) missing from Control D, and where to find them in the interface.

"Native Tracking Protection"

Since this feature blocks OS telemetry, it is part of Control D's IoT Telemetry Filter. NextDNS has individual toggles for different OSs, each enforcing a small set of rules. Our IoT Telemetry Filter enforces all of them, plus roughly 10x as many domains. Be aware that some devices refuse to work without their telemetry, so test it on your network before leaving it on.

"Block Disguised Third-Party Trackers"

Blocking of 3rd party trackers is enabled and enforced by default when you enable any of our Filters. We saw no reason to turn this into a toggle, as there is no point in ever disabling it; all that would do is make filtering less effective.

The flip side, NextDNS's option to let affiliate and tracking links through, is covered in Control D by enabling our native Ads & Trackers Filter in Relaxed mode. This enables a "counter blocklist" that allows common affiliate and email tracking links to work, regardless of how many other Filters you have enabled (it works with 3rd party filters too).

"DNS Rebinding Protection"

This feature (and many others) exists in Control D's Profile Options. Simply go to Manage Profiles & Devices, click the '...' menu next to a Profile, and select "Edit Details". There, you will find a wide range of options to fiddle with. These include:

  • DNS Rebind Protection
  • Disable DNSSEC
  • DNS caching overrides (cache boost) for all action types. You can specify the exact TTL you wish.

"Threat Intelligence Feeds"

Our Malware Filter (best used in Strict mode) references dozens of threat intelligence feeds. Strict mode further enhances it with IP-level blocklists, which takes the filter beyond what most DNS services can do: any domain whose answer resolves to a malicious IP will be blocked. Because the check keys on the address rather than the name, a benign domain hosted inside a listed network gets caught as well, so keep that in mind when you troubleshoot a surprising block.
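Both DNS Rebind Protection (from the previous section) and the IP-level blocklists described here are checks on the addresses in an answer after resolution. The following is an added example of that logic, not Control D's code: it parses a constructed threat feed into networks, then inspects every address in a DNS answer against the private ranges and the feed. The feed format, the private-range list and all sample addresses are assumptions constructed for this example.

```python
"""Added example (not Control D's code): checking the addresses in a DNS
answer after resolution, which is what both DNS Rebind Protection and an
IP-level threat intelligence blocklist boil down to. The feed format, the
private-range list and all sample data are constructed for this example."""
import ipaddress
from typing import Iterable, Optional, Tuple

# Ranges a public resolver should never return to a client when rebind
# protection is on. Assumption: this list; a deployment may add more.
REBIND_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample threat feed (not real intel): one CIDR or address per
# line, with '#' or ';' comments.
SAMPLE_FEED = """\
# constructed sample - not real data
203.0.113.0/24   ; botnet c2 range
198.51.100.7     ; single malicious host
2001:db8:bad::/48
"""


def parse_feed(text: str) -> list:
    """Parse feed lines into ip_network objects; bare addresses become /32 or /128."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def check_answer(fqdn: str, answer_ips: Iterable[str], feed_nets: list,
                 rebind_protection: bool = True) -> Tuple[str, Optional[str]]:
    """Return ("allow", None) or ("block", reason) for a resolved answer.

    Every address in the answer is inspected, so a response that mixes a
    public address with a private one (the classic rebinding pattern) is
    still caught. The feed check keys on the IP, not the name: a benign
    domain hosted inside a listed range is blocked too."""
    for ip_str in answer_ips:
        ip = ipaddress.ip_address(ip_str)
        if rebind_protection:
            for net in REBIND_NETWORKS:
                if ip in net:          # version mismatch is simply False
                    return "block", f"rebind: {fqdn} -> {ip} is in {net}"
        for net in feed_nets:
            if ip in net:
                return "block", f"threat-ip: {fqdn} -> {ip} is in {net}"
    return "allow", None


FEED = parse_feed(SAMPLE_FEED)

if __name__ == "__main__":
    cases = [
        ("www.example.com", ["93.184.216.34"]),
        ("rebind.attacker.example", ["93.184.216.34", "192.168.1.1"]),
        ("c2.attacker.example", ["203.0.113.55"]),
        ("v6.attacker.example", ["2001:db8:bad::1"]),
    ]
    for name, ips in cases:
        print(name, ips, "->", check_answer(name, ips, FEED))
```

Two details matter in practice: the rebind check has to look at every record in the answer, not just the first, and the private-range list needs the IPv6 equivalents, since a rebinding attack can just as easily hand back `::1` or a ULA address.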

"IDN Homograph Attacks Protection / Typosquatting Protection"

Both of these are covered by the Phishing and Malware Filters in the Filters section. It is always a good idea to enable both of these Filters.

"Domain Generation Algorithms (DGAs) Protection"

This is covered by the Malware (Strict) Filter in the Filters section.

"Block Dynamic DNS Hostnames"

This is covered by the Dynamic DNS Filter in the Filters section.

"SafeSearch / YouTube Restricted Mode"

There are no dedicated SafeSearch/YouTube Restricted Mode toggles in Control D because the Adult Content Filter in Strict mode covers them. Relaxed mode just blocks porn sites, while Strict mode also enables SafeSearch on every search engine that supports it (and blocks those that don't) and enables YouTube Restricted Mode. The idea is that if you have kids on your network, you're probably already blocking porn websites using Relaxed mode. We didn't see a use case for allowing porn sites to load while SafeSearch is enabled, so these concepts are coupled.

Update Sept 2023: You can ignore the above. These are now individual toggles in Profile Options.

"Block Bypass Methods"

This is covered by the VPN & DNS Filter, in the Filters section.

"Block Child Sexual Abuse Material"

We're not sure why NextDNS felt the need to create a toggle for this feature, or more to the point why it can be disabled. We can neither confirm nor deny that we use the same system to block this type of material, due to the contractual obligations that come with using it (read: to use the anti-CSAM system, we cannot reveal that we use the anti-CSAM system).

"Block Top-Level Domains"

You can achieve this and many other bespoke blocking (and redirection) behaviors using Custom Rules.

"Best" Configuration

So you may be asking: What is the best setup for me to use Control D most effectively, and not spend hours troubleshooting false blocks? Easy! When you sign up, you can choose your "Starting Configuration" – we suggest the Privacy Profile as a good starting point.

If you wish to set up your configuration manually, we recommend the following:

  • Enable Malware - Strict Filter
  • Enable Ads & Trackers - Relaxed Filter
  • Enable Phishing Filter
  • Enable DNS Rebind Protection in Profile Options
  • Optionally tweak the TTL for BLOCK records in Profile Options

This will give you a great starting point, which is more than enough for most people. If you wish to go further, you can also do the following:

  • Set Default Rule -> Redirect and keep it in Auto Mode. This changes your IP address for all traffic that starts with a DNS lookup. Be mindful that this feature can break non-HTTP protocols (custom SMTP servers, VoIP services, etc.).
  • Enable the IoT Telemetry Filter. This blocks OS-level trackers and telemetry domains. Be mindful that it can break IoT devices that make telemetry mandatory for the device to function (e.g. Alexa).
  • In the Services section, block Facebook, TikTok, Instagram to prevent tracking by the biggest privacy-violating companies out there, and keep some of your sanity by blocking social media/networks.

Future Roadmap

Over the coming months, we're going to be aggressively deploying new features. These include, but are not limited to:

  • Multiple Enforced Profiles (SHIPPED)- Ability to enforce multiple Profiles (configurations) on a single Device (resolver). Rules are matched sequentially from one profile to another, allowing for highly configurable behavior.
  • API Documentation (SHIPPED) - Ability to generate API tokens, and consume API docs for scripted/advanced behaviors.
  • EncryptedClientHello support - Enables support for this bleeding-edge privacy TLS extension, Internet-wide, even for websites that don't support it. This feature will require installing a root CA, because adding the extension for a site that lacks it means the proxy has to terminate TLS on your behalf; treat that as a deliberate trust decision rather than a checkbox.
  • Analytics Improvements (SHIPPED) - More ways to view your historical and real time data to draw conclusions and troubleshoot issues.
  • Control Panel Overhaul (SHIPPED) - The UI will undergo a drastic change as part of the next major release that will address many current UX concerns.

I hope this was useful. Remember, we are trying to build the best DNS service out there, so if you have questions or suggestions that can help us achieve this goal, email me at yegor (at)