
Show HN: nextdns.io – A Combination of Cloudflare DNS and Pi-Hole - nextdns
https://www.nextdns.io/
======
ignoramous
Nice. DNS has grown notoriously complex over the years and it is hard work to
run a standards compliant service. Congratulations.

A few suggestions:

- Auto-detect OS and suggest specific setup instructions right on the landing
page?

- The website goes blank when I block third-party JavaScript from loading.
Can you please see if you can fix that?

- simplednscrypt has been handy for me to DoT/DoH/DNSCrypt with AdGuard DNS
on PC. You could include instructions in the Windows section for that?
[https://dnscrypt.info/implementations/](https://dnscrypt.info/implementations/)

- Provide a generic DNS endpoint like AdGuard does?

A few questions:

- What's the backend that fronts DoH, DoT, and DNSCrypt queries? Is it simply
relayed to Cloudflare underneath the covers? How do you do that?

- Re: Privacy Policy: "_We store user data following modern security
standards_". What _user data_ is stored using what _modern standards_? I like
the terse policy document, but I feel there needs to be a fine print detailing
data collection and data retention. Examples:
[https://s3.amazonaws.com/lantern/LanternPrivacyPolicy.pdf](https://s3.amazonaws.com/lantern/LanternPrivacyPolicy.pdf)
and [https://info.ecosia.org/privacy](https://info.ecosia.org/privacy)

Thanks.

~~~
nextdns
Thanks!

> Auto-detect OS and suggest specific setup instructions right on the landing
> page?

It should already pre-select your OS tab on my.nextdns.io on the Setup page?
If that's not the case, then it's probably a bug.

> The website goes blank when I block third-party JavaScript from loading. Can
> you please see if you can fix that?

Weird, we will have a look.

> simplednscrypt has been handy for me to DoT/DoH/DNSCrypt with AdGuard DNS on
> PC. You could include instructions in the Windows section for that?
> [https://dnscrypt.info/implementations/](https://dnscrypt.info/implementations/)

You can use your custom sdns:// endpoint listed on the Setup page, we assumed
users using dnscrypt clients would know what this means. Good point, we will
add setup instructions for it.

> Provide a generic DNS endpoint like AdGuard does?

We already have them, we decided to not show them on the website as it may
confuse users. We may add them back.

> What's the backend that fronts DoH, DoT, and DNSCrypt queries? Is it simply
> relayed to Cloudflare underneath the covers? How do you do that?

It's a custom-made backend, and we recurse using unbound (we don't forward to
cloudflare or anything like that).

> Re: Privacy Policy: "We store user data following modern security
> standards". What user data is stored using what modern standards? I like the
> terse policy document, but I feel there needs to be a fine print detailing
> data collection and data retention.

We will definitely improve that, we had to make some calls on priorities for
the launch.

~~~
caymanjim
Minor nitpick, but > is universally used to indicate quoted text, and you've
reversed the meaning here.

~~~
nextdns
Edited, thanks!

------
yegle
I don't understand why any privacy conscious person would choose a hosted
service instead of self-hosting your own solution.

Implementing the whole thing (modulo the anycast IP, which is the only thing I
did not use) is easy. I have a docker-compose file which does the whole stack:

1. Unbound DNS, which provides DNS-over-TLS service on port 853. It forwards
requests to my local pihole's port 53.

2. Pihole forwards requests to my Stubby DNS server.

3. Stubby connects to Google DNS over DNS-over-TLS.

4. A separate docker container to run certbot to update the certificate used
by the unbound container.

5. A separate docker container with Pomerium as reverse proxy so I can
remotely access the PiHole UI.

Then you can configure your Android phone to use your unbound DNS server as
the "private DNS" server. I've been using this setup for more than a month
and it works really well.

UPDATE: I posted my docker-compose.yaml file at
[https://github.com/yegle/your-dns](https://github.com/yegle/your-dns). I'll
update the README soon.

~~~
svnpenn
I don't know how you can say that's easy with a straight face. You just
mentioned at least 5 software projects and/or technologies that a large bulk
of people have never heard of.

~~~
yegle
A self-host solution by its nature requires some investment in the techniques
and would take greater effort (that's how most open source projects make
money).

Look, I'm not trying to sell my solution here. This is Hacker News, I'm simply
sharing my setup and hoping it can help someone who's capable and willing to
invest the time. I understand this is not for everyone, that's why I suggest
nextdns.io as a hosted solution in the README.

~~~
jstummbillig
> A self-host solution by its nature requires some investment in the
> techniques and would take greater effort (that's how most open source
> projects make money).

That sounds like a pretty good reason not to run your own solution then, so I
guess we can meet there.

> Look, I'm not trying to sell my solution here.

Yes, you are.

------
nextdns
We've been working super hard on nextdns.io, a cloud-based private DNS service
that gives you full control over what is allowed or blocked on your devices.

Here are a few things you can do with it:

- Block malicious websites, trackers, ads, and more by combining the most
popular blocklists out there, all updated in real-time (100+ lists to choose
from).

- Set your own privacy requirements: you decide what type of logs are kept
(and for how long) depending on the level of analytics you want. Down to
absolutely NO logs.

- Automatically use DNS-over-HTTPS on all networks (including cellular) with
our apps for Android, iOS, Windows and macOS. They are all tiny, tightly
integrated with the OS and have negligible battery usage. (Some of them are
still being worked on.)

- Bypass nearly all forms of government/ISP censorship without the need for a
slow/costly VPN, and make it way harder for your ISP to know what you are
doing on the Internet.

- Get in-depth analytics and real-time query logs so you can measure the
efficiency of your blocking strategy, see when the apps on your devices are
calling home, etc. And choose what is logged down to absolutely no logs, you
decide.

- Easily protect your family (you can create as many configurations as you
want on one account, each with different settings, and you can use multiple
different configurations while being on the same network).

It also supports all the latest DNS technologies (DNS-over-HTTPS/TLS, Query
Name Minimisation, DNSSEC validation, etc.), and it's fast (for most
countries, we are or will very soon be as low-latency as Google DNS,
Cloudflare and the likes).

There are tons of other cool stuff we built into that service (like the fact
that each configuration gets its own DoH/DoT endpoint and IPv6) but that post
is already way too long :)

We recorded a short GIF of us browsing through the interface:
[https://gfycat.com/LinedVerifiableBellfrog](https://gfycat.com/LinedVerifiableBellfrog)

You can create your first configuration and test it right away without signing
up (you can sign up later and "save" it).

We would really appreciate if you could try the service, tell us what you
like, what you don't like, what you would add, etc. We will happily answer all
questions (even the technical ones).

Cheers, and thanks!

~~~
terragon
I tried using it. I'm in India, and while Cloudflare and Google DNS
consistently resolve in 60-70ms, nextdns takes between 400-700ms for the first
resolution and consistently 250ms for the same query repeated (I presume it
caches the results?)

Should I assume you've gotten a huge spike in traffic because of this HN post?
If yes, I don't mind trying again in a few days, but unless things improve, I
wouldn't be able to use it despite loving it in concept (the UI of your
implementation is great too). I don't want to discourage you folks, since
you've done a great job with the rest of it.

Thanks for your efforts.

~~~
nextdns
It's not the spike, it's probably a combination of:

- a routing imperfection (these things need to be tweaked over time).

- the fact that we didn't deploy our PoP in India yet (coming this month).

Can you talk to us on the chat if you have some time? It would help to do some
debugging.

~~~
Terretta
Great idea for service, but it has to be lightning fast to be in the middle of
thousands of requests a minute as someone is surfing the web without making
the web feel sluggish.

In NYC on the largest metro ISP. Earlier in the day, was getting 25-43 msec to
the typical major DNS providers (1.1.1.1, 4.4.4.4, 8.8.8.8, 9.9.9.9, as well
as AdGuard), and usually 71 - 73 msec to you.

After a while, started getting as slow as 280 msec to you.

Last hour or so, mostly just getting timeouts to you, making the web, as well
as apps, unusable.

Had to revert.

AdGuard DNS:

        dig @176.103.130.130 news.ycombinator.com
        
        ; <<>> DiG 9.10.6 <<>> @176.103.130.130 news.ycombinator.com
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6879
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
        
        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 4096
        ;; QUESTION SECTION:
        ;news.ycombinator.com.  IN A
        
        ;; ANSWER SECTION:
        news.ycombinator.com. 56 IN A 209.216.230.240
        
        ;; Query time: 29 msec
        ;; SERVER: 176.103.130.130#53(176.103.130.130)
        ;; WHEN: Sun May 26 15:32:11 EDT 2019
        ;; MSG SIZE  rcvd: 85

nextdns.io:

        dig @5.182.208.100 news.ycombinator.com
        
        ; <<>> DiG 9.10.6 <<>> @5.182.208.100 news.ycombinator.com
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14810
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
        
        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 4096
        ;; QUESTION SECTION:
        ;news.ycombinator.com.  IN A
        
        ;; ANSWER SECTION:
        news.ycombinator.com. 0 IN A 209.216.230.240
        
        ;; Query time: 282 msec
        ;; SERVER: 5.182.208.100#53(5.182.208.100)
        ;; WHEN: Sun May 26 15:32:17 EDT 2019
        ;; MSG SIZE  rcvd: 85

------
miki725
Personally I run either pihole or something similar; however, setting something
similar up for all my friends is a bit cumbersome as it at least requires
getting a raspberry pi. This seems like a really intriguing alternative,
although I will voice similar concerns as others are expressing that the site
does not indicate the source of the funding, motivations for the project, etc.
As such, that could be a barrier to entrusting something as personal as DNS to
a service without understanding their motivations and future plans. Would be
great if that could be better outlined on the site.

~~~
nextdns
Motivations: like most tech startups, scratching your own itch :)

Funding: Free during beta, then freemium with low pricing tiers (something
like free up to 500,000 DNS queries a month, then $0.99/month). We will tweak
later based on actual costs at scale, but it will follow this logic.

~~~
underwater
I wouldn't know if 500k is a little or a lot.

~~~
jamesog
According to my nextdns analytics from the last few weeks my house has peaked
at around 28,000 queries a day, 331k so far this month.

Nextdns is blocking somewhere in the region of 400-600 queries each day,
mostly things like Google Analytics, Apple iAd.

~~~
PappaPatat
5-person household here with 15 devices (iPhones, iPads, PS4, Raspis &
Chromecasts), DNS via PiHole:

138,473 queries over the last 30 days

31,928 queries blocked (23%)

Hope this helps.

~~~
quaffapint
Also 5 person house with 60K queries in the last 24 hours with 39K blocked -
that's 60+% blocked. All pretty much thanks to all the logging that Roku does
that PiHole blocks.

------
neonhz
I suggest just using pihole at home on an rpi device. Granting a new and small
company may be orders of magnitude worse than giving info to the 'evil'
unicorns. The big fishes are continuously monitored by a wide community and
by the governments as well. I wouldn't give such private information to
anyone not proving that all my private data is treated as it deserves. The
only way I can see this happening would be to have them release everything to
the FOSS community.

------
kweks
Bypasses Turkish government blocks on Wikipedia etc, which I hadn't been able
to figure out even with google/CF over HTTPS.

Awesome!

~~~
macns
oh wow I had no idea about this:
[https://en.wikipedia.org/wiki/Block_of_Wikipedia_in_Turkey](https://en.wikipedia.org/wiki/Block_of_Wikipedia_in_Turkey)

~~~
canada_dry
Well now, we can't very well have Turkish citizens read up about their
leader's election fraud - can we?!?

[https://en.wikipedia.org/wiki/Recep_Tayyip_Erdo%C4%9Fan#Elec...](https://en.wikipedia.org/wiki/Recep_Tayyip_Erdo%C4%9Fan#Electoral_fraud)

And forget about reading up on the faux coup d'état.

[https://en.wikipedia.org/wiki/2016_Turkish_coup_d%27%C3%A9ta...](https://en.wikipedia.org/wiki/2016_Turkish_coup_d%27%C3%A9tat_attempt)

------
jamesog
I've been using nextdns since I saw it posted on Twitter a few weeks ago. It's
been great.

I used to run something like PiHole on my home network but ultimately dnsmasq
is not a good DNS server so I ditched it. I've been running CoreDNS for a
while, forwarding to Google DNS and Cloudflare DNS (both using DNS over TLS)
for a while and that worked fine. I'd augmented CoreDNS to serve a hosts file
as a blocklist, similar to PiHole.

Nextdns has replaced Google and Cloudflare as forwarders in CoreDNS and it's
working really well. I've been liking the proper network-level ad-blocking and
being able to use the analytics to figure out what was blocked when something
doesn't work.

The nextdns guys are also really responsive and helpful. One of them spent a
couple of hours on live-chat with me debugging an analytics issue.

~~~
iuguy
What's wrong with DNSmasq?

~~~
jamesog
It's not great as a DNS server. It has some really odd behaviour. One of the
things which used to annoy me a lot when using it as a recursor is things like
`dig +trace` would just stop at dnsmasq, so you'd have to bypass it by doing
something like `dig +trace @8.8.8.8`.

Every DNS expert I know says to avoid dnsmasq.

It works fine as a DHCP server, though.

------
fredsanford
This is a service I've been looking for!

But...

Why do you need a shitton of javascript to load your main page?

I cannot see the main page with ublock origin + umatrix blocking 3rd party and
firefox finger print resistant options turned on.

~~~
nextdns
It's probably the map + the chat thing (only things that are third party, and
won't stay there for long), we will fix.

------
dual_basis
This seems great! I've been wanting to try out Pi-Hole for some time now, but
I was concerned about how it might impact the other members of the family who
would get annoyed if it made other services stop working. Thanks for making a
free beta available as well!

Your setup page is fantastic! Especially appreciate the status indicating if
it is set up correctly on the device I am using. I set it up on Linux, which I
notice you don't have a tab for, but that should be pretty straightforward to
add. (Even though Linux users may, typically, know how to do this themselves,
it might be nice to include Linux as a signal that it is truly cross-
platform.)

I noticed inconsistent results on Android depending on whether I had it set up
via Intra or as DNS-over-TLS in the native Android settings. Internet browsing
was similar to on desktop, either way, but my concern is mostly related to
video apps, specifically the ones my family use (Hulu, YouTube, CWSeed). On
Intra, all the video apps seemed to work but there were still ads in all of
them. For DNS-over-TLS CWSeed stopped working entirely, saying "video playback
failed". Hulu and YouTube still worked but they also still had ads, while on
Desktop they did not!

These are the sort of issues I was concerned about when considering using
PiHole for the whole house. Are these things that can be mitigated on your
end, or will they require per-device apps to be installed, and potentially
even require rooting the device?

(Incidentally, how is it that YouTube and Hulu get around the ad blocker on
Android?)

~~~
mthoms
FWIW I bought a Raspberry Pi and installed Pi-Hole a few months back. It's
been almost flawless for us.

Adding to the domain whitelist and/or disabling the DNS blocking temporarily
(in case of issues) is dead simple for anyone in the family. You just need to
provide them with the local IP address of your Pi. The GUI - at least for
these simple tasks - is quite straight forward.

I agree though, this service looks very promising.

------
sstanfie
Tried using: set my Meraki to serve up the IP address given by the dashboard.
The my.nextdns.io dashboard says something like "this device is using a
different configuration with nextdns".

I think it happens after you configure an anonymous DNS, then you create an
account. It feels like my configuration got disconnected or something. Hard to
describe.

Regardless, the blacklist/whitelist didn't work. Maybe a caching problem? Will
try back later.

~~~
homero
The router, OS and browser can cache, so the whitelist takes a while.

------
kissgyorgy
There is a very important use-case which you can do on a local network but
can't with this: setting up a DHCP server and pushing a default DNS server
address even to clients whose network settings you don't have access to is
possible locally. Xbox, streaming devices, non-geek friends' devices, etc.
Pihole can do this and ohmygod it's life changing!

~~~
713233eb
And you can also redirect all port 53 traffic to PiHole on the gateway and let
only PiHole query DNS to circumvent clients that use hardcoded IP addresses
(e.g. 8.8.8.8 by default)
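As an added example (not from either commenter above and not Pi-hole project code), the following POSIX shell script generates the two pieces the comments above describe: the DHCP option that hands the Pi-hole out as the resolver, and the gateway NAT rules that redirect any client's port-53 traffic to it even when the client has 8.8.8.8 hardcoded. `br0` and `192.168.1.2` are assumed placeholders; the function names are my own. It also carries the two details that are easy to get wrong: exempting the Pi-hole's own upstream queries from the redirect, and the hairpin rule needed when clients and Pi-hole share a subnet.

```shell
#!/bin/sh
# Added example, not from the thread or from Pi-hole: generate the DHCP option
# and the gateway NAT rules that force every LAN client's plain-DNS (port 53)
# traffic through the Pi-hole. Interface and addresses are assumptions.

LAN_IF="${LAN_IF:-br0}"                # assumed LAN-facing gateway interface
PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"  # assumed Pi-hole address

# dhcp_dns_option PIHOLE_IP: dnsmasq configuration line (Pi-hole's DHCP server
# is dnsmasq-based) advertising the Pi-hole as the only DNS server (option 6).
dhcp_dns_option() {
  printf 'dhcp-option=6,%s\n' "$1"
}

# dns_redirect_rules LAN_IF PIHOLE_IP: print one iptables command per line.
# Order matters: the Pi-hole's own outbound queries are exempted before any
# DNAT rule, otherwise its upstream lookups would be redirected back to it.
dns_redirect_rules() {
  lan_if=$1
  pihole=$2
  for proto in udp tcp; do
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport 53 -j RETURN\n' \
      "$lan_if" "$pihole" "$proto"
  done
  for proto in udp tcp; do
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
      "$lan_if" "$proto" "$pihole"
  done
  # Hairpin: when client and Pi-hole share a subnet, the Pi-hole would answer
  # the client directly, the reply would carry the Pi-hole's address instead
  # of the one the client asked (e.g. 8.8.8.8) and the client would drop it.
  # Masquerading redirected queries sends replies back via the gateway, at
  # the cost that Pi-hole's log shows the gateway as the client for them.
  for proto in udp tcp; do
    printf 'iptables -t nat -A POSTROUTING -o %s -d %s -p %s --dport 53 -j MASQUERADE\n' \
      "$lan_if" "$pihole" "$proto"
  done
}

# rules_are_ordered LAN_IF PIHOLE_IP: succeeds only if every exemption precedes
# every redirect, so a misordered edit cannot create a Pi-hole query loop.
rules_are_ordered() {
  dns_redirect_rules "$1" "$2" | awk '
    BEGIN       { bad = 0 }
    /-j DNAT/   { seen_dnat = 1 }
    /-j RETURN/ { if (seen_dnat) bad = 1 }
    END         { exit bad }'
}

# apply_rules LAN_IF PIHOLE_IP: execute the generated commands (root required
# on the gateway). Review the printed rules first.
apply_rules() {
  rules_are_ordered "$1" "$2" && dns_redirect_rules "$1" "$2" | sh -e
}

dhcp_dns_option "$PIHOLE_IP"
dns_redirect_rules "$LAN_IF" "$PIHOLE_IP"
```

Running the script only prints the configuration; `apply_rules` is the step that changes the gateway. Two limits are worth keeping in mind: the rules cover IPv4 only, so an `ip6tables` equivalent is needed where clients may reach an IPv6 resolver directly, and a port-53 redirect does nothing for clients that resolve over DNS-over-HTTPS on port 443, which is exactly why the comments above note that hardcoded-resolver devices need this at the gateway rather than in their own settings.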

------
raghavdua_cse18
Really cool. I have set up something similar for my family and am paying $20
every month for a VPS. I have tried NextDNS and found it to be really useful,
and considering the pricing structure which you mentioned in the comments,
your product seems to be a far more affordable option. A few suggestions:

1) Consider launching an App for managing configurations or at least make the
current web app a PWA

2) Allow users to create duplicate configurations

3) In the logs section of the analytics page, I saw that some blocked domains
were being resolved, it was saying that the domains were manually
whitelisted (they were not)

4) Allow adding custom hosts file sources

5) You can create a Windows/MacOS app for updating dynamic IP address (similar
to the one provided by OpenDNS)

6) You can give a button to whitelist domains in the log section, just like
the one provided by the PiHole in the Query page of its web UI

7) Allow adding multiple domains to whitelist & blacklist at once

8) Allow regex and wildcard blocking

9) Mobile UI is not 100% responsive

------
AlphaWeaver
This looks really polished, well designed, and most importantly: simple.

The privacy policy [0] also shines: it's five points and very specific.

[0]: [https://www.nextdns.io/privacy](https://www.nextdns.io/privacy)

~~~
nextdns
Thanks! Simple is definitely what we were aiming for.

------
chimen
Nice. Congrats on the release! If you're allowing custom profiles with custom
block/whitelist domains it means you're holding a database on this thing and
doing lots of queries on requests. Will your product be able to scale with
more users since it's free? How are you keeping all this logic from affecting
your latency? I'm curious about technical implementations, that's all.

------
sc_
I use unbound + dnscrypt-proxy +
[https://github.com/oznu/dns-zone-blacklist](https://github.com/oznu/dns-zone-blacklist)
to do pretty much this. WireGuard also adds another layer & sets DNS easily
per client. Hosted on a $5/month VPS, works very well.

------
superasn
I've been using adguard dns for a while and while it's an amazing service for
mobile, the thing I don't like about it is that it's super aggressive at
blocking malware sites and sometimes even blocks legit sites with no way to
whitelist.

I believe your service would also solve this problem. Congrats on the launch
too!

------
keiraarts
This is incredibly useful and the onboarding is effortless.

Great job - I'd love to know if you plan on charging for this.

~~~
nextdns
Thanks!

Free during beta, then freemium with low pricing tiers (something like free up
to 500,000 DNS queries a month, then $0.99/month). We will tweak later based
on actual costs at scale, but it will follow this logic.

------
aembleton
When i use nextDNS I can't cast from the YouTube Android app to my Chromecast.
This is with nothing being blocked. I can cast from the Netflix and iPlayer
apps. Just not from Youtube. It works again as soon as I switch back to a
different DNS provider.

Has anyone else seen this?

------
pssflops
I'm in no-way a power user in this space so the simplicity and descriptions
were very helpful and I'm looking forward to supporting this when you release
a payment model. Excellent results so far, only a few pages had trouble
loading and a simple reload fixed it.

------
lepouet
Not high priority but maybe you could explain the different blocking methods
on the settings page ?

------
malnourish
I would love to try this, but I don't know if I can trust the Privacy Policy,
as ignoramus brought up. Could you please explain what data you store and with
whom and under what circumstances it would be shared?

------
OJFord
> A combination of CloudFlare DNS and Pi-Hole

The tagline on the site is actually '_we like to think of it as_ ...'

Per comments here I don't think it actually uses CF or Pi-Hole, so the title's
a bit off.

------
CraftThatBlock
This is really great! Is there any plan to improve performance? Google and
CloudFlare are both ~15ms in my location (Montreal), while nextdns seems to be
around ~30ms (which isn't bad per se).

------
sergiomattei
How do you make money? How can I make sure you won't sell my data?

~~~
nextdns
The service is free during beta, then freemium with low pricing tiers
(something like free up to 500,000 DNS queries a month, then $0.99/month). We
will tweak later based on actual costs at scale, but it will follow this
logic.

Selling data is against what we believe in and would also be counter-
productive (everybody would stop using the service instantly).

~~~
Terretta
Happy to pay. Your feature set is already fantastic, and love the many methods
to leverage it from various devices or configurations.

But has to be rock solid, and fast.

------
egamirorrim
Possibly a very ignorant question, this looks cool but why would I use it over
Cloudflare's 1.1.1.1 with DNS-over-https (or another encrypted method)?

~~~
philshem
Because it’s PiHole, you can black/whitelist custom domains, temporarily
disable, see traffic, etc

------
steve918
I'm not sure how this is different than OpenDNS?

~~~
shireboy
I’ve been using OpenDNS but iOS doesn’t let you set DNS for your cell
connection, and for WiFi it has to be set once per network. Cloudflare 1.1.1.1
was nice in that the app set up a VPN with the DNS so that it works on all
connections. But they don’t give you control over DNS, blacklists etc. This is
the control of OpenDNS with the convenience of the VPN app.

------
vkdelta
Is anyone having problems with redeeming this TestFlight code "AFDFPLP3"? It
does not accept "A" at the beginning.

~~~
nextdns
Damn you're right, we have no idea why.

Clicking this link in iOS will work though, for some reason:
[https://testflight.apple.com/join/AFDFPLP3](https://testflight.apple.com/join/AFDFPLP3)

~~~
vkdelta
Yes, probably an Apple bug. Will check with a few folks. I typed the link
manually. Using it now! Great product. Have sent you a few questions.

------
t0astbread
Sounds interesting but what benefits does this solution have over just
blacklisting via /etc/hosts?

------
shireboy
Very nice. I’ve been annoyed opendns hasn’t done similar and hoping something
like this would come around.

~~~
nextdns
Them getting bought by Cisco has greatly hindered their ability to innovate
and stay current I guess.

------
oceankid
Really well designed and communicated. Things are kept simple and advanced
knobs are made possible.

------
FullMetalBitch
I was going to implement pi-hole for a non-profit organization; I may use this
instead.

~~~
nextdns
Please reach out to us in the future, we will definitely have some discount,
or be free, for serious non-profits.

------
lucasverra
I've implemented it on my iPhone and still get ads in the YouTube native app.

How to remove them ?

------
polskibus
What is the monetization plan? How have you financed the development so far?

~~~
keybits
From the OP on another reply:

> Free during beta, then freemium with low pricing tiers (something like free
> up to 500,000 DNS queries a month, then $0.99/month). We will tweak later
> based on actual costs at scale, but it will follow this logic.

~~~
polskibus
Would be great if they put it high on the front page. Someone privacy-focused
may be worried when he sees something privacy-oriented advertised without a
business plan, which could indicate that selling data to advertisers could be
the secret.

------
nyolfen
very cool! might i recommend creating a config for dnscloak?

~~~
jedisct1
DNSCloak has a built-in config editor, so you can add a static section with
the DNS Stamp for your NextDNS endpoint.

But yes, NextDNS should provide something that's ready to copy-and-paste.

------
novaleaf
would be perfect with scheduling.

------
sneak
Be advised: pi-hole ignores security issues in their product.

[https://github.com/pi-hole/pi-hole/issues/2704](https://github.com/pi-hole/pi-hole/issues/2704)

~~~
jedberg
I’ve been a security professional for 20+ years and I agree with them. You’re
complaining about an attack surface that would be more easily explored in a
bunch of different ways.

I’m not sure why you bring this up on every post vaguely related to pi-hole.

~~~
sneak
I bring it up just so that people are aware and can make their own decision
about risk/benefit when choosing to deploy the software. There is obviously
room for opinion on the matter and I specifically am not claiming that the
project is bad or should be avoided, just that people using it in a default
config out of the box know the risks that that presents.

The “be advised” is just that.

It’s not a big deal, and I think I only mentioned it once before.
