These are all great resources, but a bit off topic, no?
NextDNS is essentially Pi-hole-as-a-service, and its APIs are not focused on managing DNS in the traditional sense. Instead, they provide visibility into NextDNS's lookup/block analytics, managing settings, etc.
It seems that lexicon is handy to use dns-01 instead of DNS aliasing.
If you do aliasing, you can serve the DNS challenge from the server you want and that you fully control. You don't need to interface with your registrar, you just add an NS record once (manually).
You need lexicon if you want to serve the challenge from your registrar instead, and lexicon is the tool that will allow you to talk to many registrars.
> It seems that lexicon is handy to use dns-01 instead of DNS aliasing.
Say I own example.com, but because it lives on a DNS server that does not have an API, or changes to the company's domain need to go through change control, I cannot easily change it.
But I want an ACME/LE cert for foo.example.com, which could be an internal-only service so http-01 is not available.
So I can set up a CNAME/alias at _acme-challenge.foo.example.com and point it to (e.g.) foo.example.org. Now I also own example.org, but because it's not the 'main' domain the controls on it are less onerous.
So when I request "foo.example.com", it finds the CNAME and heads over to "foo.example.org", where I've updated the ACME nonce dynamically. The CNAME setup is a one-time thing, and can go through the 'regular' steps initially, and can then just be left alone.
Or, instead of an entire new domain (example.org), I can delegate things to a sub-domain (dnsauth.example.com) as well.
As you can see in your own summary, it doesn't require talking with example.com's provider's awkward API, which was my point. Instead you can subvert that and use a DNS you can easily update or even run DNS temporarily from your ACME client, so implementing many APIs (what lexicon does) is not required.
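To make the alias mechanism described in the two posts above concrete, here is a small added example (not code from the thread, from acme.sh, or from lexicon) that models what the CA's validator does for dns-01: it looks up TXT at `_acme-challenge.<domain>`, follows the CNAME into the zone the client actually controls, and compares against the value RFC 8555 §8.4 prescribes, base64url(SHA-256(token "." account-key-thumbprint)). The zone contents, token and thumbprint are constructed placeholders; the in-memory `ZONES` dict stands in for live DNS so the script runs offline. Note that example.com is never written to after the one-time CNAME, which is the whole point of aliasing.

```python
"""Toy model of dns-01 validation through a CNAME alias (added example).

Zone data, token and thumbprint below are constructed, not real records.
The TXT value construction follows RFC 8555 section 8.4.
"""
import base64
import hashlib

# Constructed zone data: owner name -> list of (rrtype, rdata).
ZONES = {
    # example.com is under change control: only a one-time CNAME lives here.
    "_acme-challenge.foo.example.com.": [("CNAME", "foo.example.org.")],
    # example.org is the zone the ACME client updates on every renewal.
    "foo.example.org.": [("TXT", "stale-value-from-last-renewal")],
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def expected_txt(token: str, account_thumbprint: str) -> str:
    """RFC 8555 8.4: TXT rdata is base64url(SHA-256(token '.' thumbprint))."""
    key_authz = f"{token}.{account_thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authz).digest())


def publish_txt(zone: dict, name: str, value: str) -> None:
    """Client side: replace the TXT record at a name in the zone it controls."""
    kept = [rr for rr in zone.get(name, []) if rr[0] != "TXT"]
    zone[name] = kept + [("TXT", value)]


def lookup_txt(zone: dict, name: str, max_cnames: int = 8) -> list:
    """Resolve TXT at name, following CNAMEs like a validating resolver.

    Bounded so a looping or over-long CNAME chain fails instead of spinning.
    """
    for _ in range(max_cnames + 1):
        rrs = zone.get(name, [])
        cnames = [rdata for rrtype, rdata in rrs if rrtype == "CNAME"]
        if cnames:
            # A name holding a CNAME carries no other data (RFC 1034), so follow it.
            name = cnames[0]
            continue
        return [rdata for rrtype, rdata in rrs if rrtype == "TXT"]
    raise ValueError("CNAME chain too long or looping")


def validate_dns01(zone: dict, domain: str, token: str, thumbprint: str) -> bool:
    """CA side: some TXT record reachable from _acme-challenge.<domain> must match."""
    found = lookup_txt(zone, f"_acme-challenge.{domain}.")
    return expected_txt(token, thumbprint) in found


def demo():
    """Run one renewal: validation fails before the client publishes, passes after.

    Returns (before, after). Token and thumbprint are constructed values.
    """
    token = "constructed-challenge-token"
    thumbprint = "constructed-account-key-thumbprint"
    domain = "foo.example.com"
    before = validate_dns01(ZONES, domain, token, thumbprint)
    # The client only ever touches example.org; example.com stays untouched.
    publish_txt(ZONES, "foo.example.org.", expected_txt(token, thumbprint))
    after = validate_dns01(ZONES, domain, token, thumbprint)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The same lookup logic covers the sub-domain variant in the post (pointing the CNAME at something under dnsauth.example.com instead of a second domain); what changes is only which zone the client has write access to, not what the validator does.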
I've been using this service on my dev laptop, tablet, and phone for a few years now. It works well, and every time I turn it off, I immediately notice a huge difference as it blocks so much garbage that brings my phone's browser, especially, to a crawl.
I have never paid a cent for it. I still don't understand how they can make money... unless I'm actually the product being sold (though I was always under the impression that they didn't sell or share user data). Who knows.
I pay for it, the cap of 300k queries a month on the free tier was far too little for a household of two. Depends on what type of devices are running on your network of course but I hit 845,809 queries for the last 30 days.
I assume a number of people are paying for it. Easier than running a pihole locally.
Just recently started using NextDNS, and yeah, I hit those 300K pretty quickly.
I noticed that some apps/devices would continue querying pretty aggressively after being blocked, and this seemed to eat through the available queries pretty quickly.
But $20/year is such a great deal IMO it was an insta-buy for me.
I was far from hitting the limit and I started paying for it either way, this feels like one of those projects that should get all the money it can get.
I suspect the free tier falls (at least in some sense) under "marketing" rather than being expected to return a direct profit. It's enough to be useful, but (I assume) little enough that enough people subscribe.
For comparison, my account has roughly 3.5M queries over the past 30 days, and 298k of those are to a single domain :P.
My devices in my home network (2 adults, 1 small kid) did around 1M queries in the past 30 days. Close to 70k were blocked. Using this service has a huge positive impact, but can be a bit on the aggressive side depending on your settings. I've added a dozen domains to the allowlist during the past two years. Happily paying for it.
Yea I have had to do a lot of allowlist customizing but I also am doing a pretty aggressive set of filters and options. I also have a second profile that does much, much less and have family on that one.
Now can we just get an easy way in the GUI to import/export our custom blocklists / allow lists? And bulk adding/removing things to both would be nice as well through the GUI.
I would love to disable filtering for a limited time (e.g. when opening a TechCrunch article which doesn't load with NextDNS enabled), but the API doesn't seem to provide a way to achieve this. So I need to open the app and disable NextDNS, then I forget to re-enable it...
Depends on what machine you're running into issues on. I got a workaround by using YogaDNS and setting it to point to Cloudflare DNS; you can use any external DNS service to this effect.
So when I hit issues with NextDNS where my block list is too strict or it has to be amended, but I want to hit another website rather than wait for the allow list to update, I launch YogaDNS so my DNS servers are temporarily changed, rather than disabling NextDNS. Then I disable YogaDNS a few moments later when I expect my settings in NextDNS have updated/refreshed.
You still have the same problem, you have to remember to disable YogaDNS but I find it to be a lot easier, turning on and off the YogaDNS app.
I recently started using NextDNS, and it's great, but was thinking about exactly this use case as I went to my allow-list yet again to add a domain so I could use some app/site, I forget which.
NextDNS is great, but occasionally breaks things depending on the blocklists enabled, so I was toying with the idea of building a utility that would show the last n blocked domains with an easy option to click-to-add a specific domain to the allow-list.
NextDNS is not a DNS hosting service - it's a DNS server you can use for queries, like OpenDNS, or Cloudflare's 1.1.1.1, etc.
What you're looking for is a DNS hosting service with an API that can be used from an ACME client. I use LuaDNS for that, their service is excellent and you can store your zone files in git (and auto-update DNS with a webhook on push).
* https://github.com/AnalogJ/lexicon
For CLI and Python.
Such a utility is handy if you want to use the dns-01 method for ACME/Let's Encrypt via DNS aliasing:
* https://dan.langille.org/2019/02/01/acme-domain-alias-mode/
* https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mo...
* https://news.ycombinator.com/item?id=28256326 (2020)
Deep dive on how ACME DNS validation works:
* https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...
Some folks have also written 'minimalist' DNS servers for DNS validation (delegate to a sub-domain that you control if your provider does not have an API):
* https://github.com/joohoi/acme-dns