I've been using https://nextdns.io/ for a while and I really like it. You can do DNS over HTTPS through Firefox (sadly not on an OS level in Windows for example, but that's fine -- I'm sure OS level support works better on Linux), and it supports a lot of user-level customization. You can add and remove entire blocklists, you can black/white-list specific domains, see logs of your blocks, some analytics, create your own redirects etc. and it doesn't cost you a thing. The main website does a pretty good job of explaining the selling points.
You can use it as-is but if you want user-specific configuration you'll get a custom URL that looks something like "https://dns.nextdns.io/c8g88a", and whatever comes in that way will use your settings and will be logged as per your configuration (of course, you can disable logging).
I’ve just looked into this - it looks excellent. Can I ask: is this an all-round superior solution to running your own pi-hole?
I set up dual redundant pi-holes on raspberry pi 4s on my home network but switching all devices to NextDNS would give me access to filtered DNS even when away from home, plus save me the trouble of running two raspis (including two Ubuntu instances) just for that purpose.
Could anyone knowledgeable in such things suggest any downsides to a wholesale switch?
I recently spent a bunch of time comparing NextDNS vs PiHole. The reality is their feature sets are pretty close, but I eventually settled on NextDNS and here were some of my takeaways:
NextDNS Pros:
* Can use NextDNS on any network (thanks to their apps or just regular DNS-over-HTTP/TLS).
  * (Could get similar functionality on PiHole with a remote hosted PiHole + VPN, but much more complex to set up)
* NextDNS allows for multiple different configuration setups per account (so you can fine-tune your blocking/filtering differently for different devices).
  * (PiHole AFAIK only supports a single configuration)
* NextDNS IMHO had the superior UI. With more powerful config options.
  * In reality with some extra manual config/coding you could probably get PiHole to do most of what is in the config for NextDNS, but it would take some work.
PiHole Pros:
* PiHole is open source.
  * The NextDNS server code is closed-source, but they do have an open-source CLI client.
* PiHole is self-hosted (much better from a privacy perspective).
  * But you do get all the downsides of being responsible for hosting something as central as a DNS server yourself...
-NextDNS is a product with a free tier. It will always be limited in that sense.
+Pihole is free and open. It is also yours to build, manage, customize as you please.
-NextDNS is also further away, meaning there will be much more latency for all your DNS queries. It is usually best to run your own resolver, or have a local DNS server in your network.
+Pihole sits on a device on your network. You can also enable recursion directly on the pihole by installing Unbound on the same device.
> NextDNS is also further away, meaning there will be much more latency for all your DNS queries. It is usually best to run your own resolver, or have a local DNS server in your network.
But your local PI resolver would likely have to pass on your request to an upstream DNS server if it isn't cached. Although it's negligible, this extra hop would add latency. This is assuming the result isn't in the OS or browser DNS cache.
You could also set up PiVPN[1] on the same Raspberry Pi running Pi-hole with Wireguard and set up all your mobile devices to automatically connect back home when they're off the home wifi. I've had this setup running for a couple of months now and couldn't be happier with it.
The WireGuard apps for iOS and OSX have a configuration section titled “On-demand activation” that lets you do this. On the iOS app, I have it set to activate on cellular connection and WiFi connections to routers if the SSID != my home router’s SSID. Likewise on OSX, except for the cellular option.
You can also splurge and for under $10/mo set it up on a DigitalOcean (or similar) cheap hosting provider and have it available everywhere. And you can share with friends and family.
The cost in your example is far, far more than $10 USD a month. If you can set this up, your time is absolutely worth something and even if this is your area of expertise, you are now personally responsible for a critical piece of your internet browsing infrastructure.
There are tons of important details to keeping a critical service up and running almost all the time - even if you are competent in this, that is still time every month making sure it's running, secure and functional.
The only reasons in my opinion to DIY a solution would be a) learning, hobby or for fun or b) you have requirements that can't be met another way, like privacy goals.
The thing is that it's not really complicated anymore. It may be my area of expertise, but just following basic step-by-step instructions, it took me about 10 minutes to have a full ad-blocking, Wireguard VPN server on a DigitalOcean droplet by using Algo: https://github.com/trailofbits/algo , including the setup for my phone and iPad.
Algo is a great project and I also use it, but if you’re running it in production and not spending some time each month at least on security analysis and review, your self-assessed expertise may be more of the Dunning-Kruger variety.
I have had one up for around 2 years now and would say I have spent less than 5 minutes maintaining it over that time period. I did spend more than typical time setting it up because I added a custom php page so I could remotely add client ip addresses to the dns iptables whitelist, but I could have just done the basic setup in <20 minutes. It’s solid as a rock. Am I lazy about it? Sure. But I don’t quite consider it critical. It’s just personal use basic internet. And if something were to go wrong, most if not all client configurations have a backup/secondary dns option anyway so as long as that is configured things keep working fine, just with ads.
NextDNS is a commercial entity founded by a Netflix employee who is working on a Netflix CDN. Do the NextDNS terms of use address the potential for data sharing between the two entities?
Running NextDNS has costs. Given the absence of fees for using NextDNS, it has a commercial interest in collecting information about users. Like other third party DNS providers (middlemen), e.g., Google or Cisco/OpenDNS, NextDNS supports EDNS Client-Subnet. This extension has zero value in terms of ad-blocking and privacy and arguably should be "off" by default unless the user asks for it.
PiHole is a non-commercial project AFAIK, although they have registered a trademark.
Third party DNS caches will always be inferior to DIY in respect of certain issues such as ad-blocking, privacy, security, reliability, etc. (I am a DIY-er and when third party DNS has an outage, the applications I use are still able to use the internet without any problems because I have zero reliance on third party DNS providers.) When using third party DNS these factors are outside the user's control. Users cannot tell third party DNS providers what to do, nor can they execute quality control, they can only accept what is offered to them. Of course, third party DNS will always be superior in terms of convenience and perhaps "features". I personally do not need all of the "features" offered by third party DNS, but I cannot speak for other users.
The user's "choice" between DIY and third party DNS depends on what is important to the user and what the user is capable of doing herself. When the user is not capable of running DNS software herself, then DIY is removed from consideration and the "choice" is simply between one third party provider or another. The user has very little control in that situation.
When it comes to DNS, for me nothing beats having control. For me, "control", not convenience, is the best feature. I prefer whitelist to blocklist. Every user is different.
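An added illustration of the EDNS Client-Subnet point above (example code written for this thread, not code from NextDNS or Pi-hole): it encodes and decodes the RFC 7871 ECS option that a forwarding resolver attaches to its upstream queries, so you can see exactly which bits of a client address leave the resolver, and that a source prefix length of 0 discloses nothing. The addresses used are constructed documentation ranges.

```python
import ipaddress
import struct

# EDNS Client Subnet (RFC 7871) is option code 8 inside the OPT pseudo-RR.
ECS_OPTION_CODE = 8
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def build_ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """Encode the ECS option a resolver would forward upstream.

    Only ceil(source_prefix / 8) address bytes are sent and every bit
    past the prefix is zeroed, so source_prefix alone decides how much of
    the client's address the authoritative server gets to see.
    """
    addr = ipaddress.ip_address(client_ip)
    if not 0 <= source_prefix <= addr.max_prefixlen:
        raise ValueError("prefix length out of range for this family")
    family = FAMILY_IPV4 if addr.version == 4 else FAMILY_IPV6
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix}", strict=False)
    nbytes = (source_prefix + 7) // 8
    body = struct.pack("!HBB", family, source_prefix, 0)  # scope = 0 in queries
    body += net.network_address.packed[:nbytes]
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(data: bytes):
    """Decode an ECS option as the upstream side sees it.

    Returns (network_in_cidr, scope_prefix): the network is what the
    authoritative server learns about the querying client.
    """
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE or length != len(data) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", data[4:8])
    if family not in (FAMILY_IPV4, FAMILY_IPV6):
        raise ValueError("unknown address family")
    full_len = 4 if family == FAMILY_IPV4 else 16
    addr_bytes = data[8:4 + length]
    if len(addr_bytes) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match prefix length")
    padded = addr_bytes + b"\x00" * (full_len - len(addr_bytes))
    net = ipaddress.ip_network((padded, source_prefix), strict=False)
    return str(net), scope_prefix


if __name__ == "__main__":
    # Constructed sample client: a /24 disclosure vs. the opt-out (/0).
    print(parse_ecs_option(build_ecs_option("203.0.113.77", 24)))
    print(parse_ecs_option(build_ecs_option("203.0.113.77", 0)))
```

A resolver that sends prefix 0 (or omits the option entirely) is the setting to prefer when the goal is privacy rather than CDN proximity.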
The only downside is that you're now using a free cloud service, so there's the obvious privacy concerns, and the possibility their servers will go down. It's really just a matter of the classic "free cloud vs. self hosted" pros/cons as usual.
I've been a user since it was first mentioned on HN and the major issue at the moment is the performance. I often have to turn it off to get sites to resolve at all, otherwise chrome hangs indefinitely.
Having said that it's free (beta) right now so that's a statement of fact and by no means a complaint.
You're saying you have this issue with NextDNS? I've been using it since it was mentioned here, as well, and have had zero issues that were not self-created. FWIW.
Same. Been using NextDNS regularly since it was first announced on HN and have not seen any performance issues since the first few days. Highly recommend!
I saw someone mention NextDNS on HN about 2 months ago and decided to try it.
The only issues I've had are:
1. Epic Game Store was blocked - not an issue now as I uninstalled it and bought Borderlands 3 on steam. Now EGS is blocked again.
2. Adverts display in Google now that I don't have an ad-block, but it prevents me clicking them so I'm not fussed.
3. raygun.io is blocked - not sure why as it doesn't track any information of value as it's primarily used for crash reporting, and they are GDPR compliant.
Other than that, this has been amazing. I'm definitely going to be a paid customer once it's out of beta.
NextDNS is great. I have tried various DNS services -- OpenDNS, Cleanbrowsing, Cloudflare Gateway, Quad9, etc and I keep coming back to NextDNS. Would definitely recommend giving it a try if you're looking for a solid DNS-based security/privacy setup.
I've always thought if I owned any sort of fund, I would immediately have made basically this when I first saw pi-hole and then analyzed the data to estimate a given tech company's DAU numbers. I wonder who owns NextDNS. No idea if my idea would work or be per se legal but I bet you can grab some interesting insights.
i've used some of those as well, and finally settled on adguard pro for my ios devices. do you (or anyone else) know how nextdns and adguard compare on ios?
adguard pro allows customization of dns servers (including DoT), has a running local log of dns queries, and provides custom whitelists/blacklists functionality. their dns (or maybe the app) very occasionally hangs requests, making my device seem like it's disconnected.
i've considered switching to nextdns but haven't found a compelling reason yet.
The only annoying part is that it doesn’t give you any sys notification when blocking a site. You have to check the logs. So if gmail isn’t losing the inbox that means something needs to be whitelisted and you now have to dig.
Thanks for mentioning it - I just started using it and it seems great. I particularly like being able to set up multiple profiles that let me have strong parental control configuration for kids - ability to view logs is also good though the search can do with some improvements.
> setup multiple profiles that lets me have strong parental control configuration for kids
I've been using it too, but I've found nextdns go down from time to time. How are you dealing with explaining how to change the DNS setting to people at home because "internet doesn't work"? I wish DoH client implementations had support for primary and secondary endpoints [0]. I've seen people straight up uninstall DoH clients from their devices in frustration.
I must point out that the Android implementation for DoT does fallback to OS or network provided DNS resolver (usually, dns.google), and that's a saving grace [1]. And so, I have no reservations setting up nextdns for everyone on the Androids.
[1] Speaking of DoH instead: Google's https://getintra.org falls back to last-known good DoH resolver, but then, never (?) switches back to primary unless restarted, from what I can recall.
> How are you dealing with explaining how to change the DNS setting to people at home because "internet doesn't work"?
I may be mistaken here but I thought the reason almost all operating systems allow you to specify more than one DNS is in case the primary one goes down. So if you specify NextDNS as the primary and say, Google or whatever, as the secondary: you likely won't see downtime (but obviously the filtering will disappear until the primary one comes back up and/or DNS caches reset etc)
That doesn't always work, because servers aren't always used in strict order.
For example, my default Kubuntu 19.10 installation flips the primary and secondary if the primary is unresponsive for a while. Since my laptop takes a moment to establish a WiFi connection upon waking up, it always decides that the primary server is down and to default to the secondary server. It has currently been 3½ hours since my laptop queried its primary server and it has queried the secondary server over 1000 times in the past 24 hours despite the primary having 100% uptime.
Most stub resolvers have an option to use strict order, but you can't rely on it as a network admin.
In my case, my daughter so far accesses the internet primarily via specific apps on the family tablet so any websites not opening are not an issue yet. Moving to nextdns is more of a preemptive move as I just gave her my old laptop; eventually she will be on the internet by herself (intentionally or accidentally) so hopefully this helps with that.