There are a couple of things that might be “secure DNS” as that’s not really a well defined term… there’s DNSSEC which is meant to provide confirmation that the data you get back is legit and not tampered with.. there’s DNS over SSL/HTTPS where the communication between the client and the server is encrypted and an eavesdropper can’t see your request… There’s the notion that your ISP may be collecting your DNS queries and selling the information to data brokers so you should use somebody else’s DNS servers… And there’s DNS servers that act as filters, preventing you from visiting “bad” sites (whatever your service calls bad).

NextDNS looks like it’s the last item. Your DNS requests go through them, and they have a listing of sites that are good, bad, etc and will refuse to answer queries properly for the bad sites… like advertising networks, etc. A simple solution to eliminate a lot of ads on your entire internet connection even for non-browsers or browsers without adblock add-ons, etc. When ads are hosted by a 3rd party when you’re browsing a web site, DNS requests are needed to find the 3rd party and NextDNS should block the request and so the ad doesn’t load.

If you’ve ever heard of a “PiHole”, it’s software you can run at home to do your own DNS filtering in the same way. NextDNS is just doing something similar as a cloud service sort of thing.

DNS is one of those services that are absolutely essential. Without it, your internet connection is basically worthless. So a good, fast, responsive, and safe DNS service is important. Most ISPs provide such services to their customers, but as I’ve broadly gone over above, there may be reasons you want something else.

I’ll break this into two parts.

What is secure DNS: Standard DNS is a simple query to a DNS server, unencrypted plain text. Anyone listening can see who is going to what website simply by seeing what DNS requests are made. If a computer makes a DNS request to get an IP for [Google.com](http://Google.com), they are like visiting [Google.com](http://Google.com) etc.
Secure DNS is encrypted, either using HTTPS for DNS over Https (DoH), TLS for DNS over TLS (DoT) or the new one DNS over Quic, which I think it still SSL somehow but I’m not sure. Like the difference between HTTP and HTTPS, someone watching network traffic can see a DNS request was made and to what server, but they can’t tell what you looked up. DoH is nice in that as it is HTTPS traffic so it blends right in with HTTPS. Its hard to tell whats a DNS request over HTTPS vs a standard web request to view a webpage.

As for why people have different servers, sometimes its speed, sometimes its security, sometimes its privacy. Many people by default use the DNS servers setup by their ISP. That means the ISP has logs of every DNS request, and therefor every website you visited and when. Switch DNS providers and they don’t have that log anymore. Encrypt the traffic and they can’t even try to watch it. Sometimes its security, some DNS providers (Like cloud flares 1.1.1.2) have malware protection, and will not answer DNS requests to known malware sites, or adult sites, or even enforce safe search via DNS. And sometimes it’s just speed. One DNS server might answer requests in 100ms, one 50ms.

EDIT: Not really ELIF in hindsight, but EL I’m in Cybersecurity is good enough I guess.

Lol, I’m in cyber too, and was kinda confused too. It doesn’t seem like “Secure DNS” is really a technical term.

It looks like it might be used by different companies as a marketing term for different things. Like Norton seems to call their DNS over HTTPS suite “secure DNS”. This kind of “secure dns” would be secure because the requests are encrypted and can’t be sniffed.

Another thing could be DNSSEC, which I’m not 100% familiar with, but it looks like it more or less uses certificates to sign DNS responses to prevent things like response forgery.

Now then, your nextDNS service seems to be marketing more or less domain blacklisting + DNSSEC.

Basically regular DNS uses postcards without envelopes. Anyone processing the postcard can look at it and read the message (dns query). Secure DNS is like sending a postcard inside an envelope. The post office can process it but the people handling it can’t read the contents. This is oversimplifying it but hey, I’m pretending you’re five years old.