
NextDNS is my new favourite DNS service - angristan
https://angristan.xyz/2020/04/nextdns/
======
ksec
Been using NextDNS for a few months now, I can't even find a single flaw. DNS
is fast. Both founders must be experts in networking. I have tried literally
all the third party DNS services, ad blocking or not, and NextDNS is actually
one of the best / fastest DNS services. And I often think of myself as having
latency intolerance, so it is very good. Even though I thought 300,000 DNS
queries/month was low, it turns out I never exceeded that limit.

And its dashboard / control panel is very fast and extremely responsive.
Basically I love everything about NextDNS, from DNS speed to ease of use and
design. Anyone who wants ad blocking should give it a go.

Edit: Not affiliated with NextDNS, just personal opinion. Not sure why the
downvote.

~~~
wjnc
I've added my relatives to my NextDNS and have yet to receive a single
complaint while blocking a whopping 25% of all requests. (Of course I turned
off logging.) I'd be happy to pay them even for my limited number of requests.

~~~
mobilemidget
You could be logging all DNS queries of your relatives by a single click of a
button? Did you inform them of this possibility, just curious, not judging.

~~~
wjnc
Logging is on by default and per system. So yes, that is definitely possible.
The majority of users are my children so I don't feel the need to inform them
and the SO was not fully informed other than "tell me if it breaks something".

It's a good question to reflect on though. If I install this at my parents
should I tell them. The whole world is monitoring their DNS now and after this
only (potentially) me and NextDNS.

~~~
mobilemidget
Thanks for your reply. I usually can't inform my SO more anyway, simply not
understanding the technical limitations or reasons for something, but I do
always tell.

I'll be checking out NextDNS for sure, even though it's just for seeing what
it's about etc.

------
sciurus
One thing that gives me some confidence in NextDNS is that they have joined
Mozilla's Trusted Recursive Resolver program.

Choosing it within Firefox's setting won't enable any of the filtering the
article mentions, though. You need a custom config for that.

[https://blog.mozilla.org/blog/2019/12/17/firefox-announces-new-partner-in-delivering-private-and-secure-dns-services-to-users/](https://blog.mozilla.org/blog/2019/12/17/firefox-announces-new-partner-in-delivering-private-and-secure-dns-services-to-users/)

[https://wiki.mozilla.org/Security/DOH-resolver-policy](https://wiki.mozilla.org/Security/DOH-resolver-policy)

~~~
tialaramex
Also, one extra nice thing about using NextDNS via DoH (as you would with
Firefox) is that now everything except the fact you're talking to NextDNS is
concealed from eavesdroppers even if you _do_ have custom config.

If you use other methods, NextDNS needs to figure out which custom config is
yours, and there's no way to hide that from an eavesdropper (at least not
yet). For example with DoT the customisation is hidden as a server name, and
travels in plaintext in the SNI during TLS connection setup.

But with DoH that indication is in the URL path component, which is just more
encrypted data in DoH and so an eavesdropper can no more discover which (if
any) customisation you use than they can discover my Hacker News password when
I log in here.

------
sigwinch28
I've had the complete opposite experience to the author w.r.t. PiHole and
WireGuard.

I run a PiHole on my home network and it's also my WireGuard "server". I will
concede I am lucky enough to have static IPv4/IPv6 addresses on my home
connection.

On my iOS devices I have two connections set up: one for "access to home +
DNS", and the other for all traffic. When I'm on my home wifi the VPN
connection is off, when I'm on cellular data the DNS is set to the PiHole, and
when I'm on any other wifi I route all traffic via the VPN (all automatically
via the WireGuard app).

For my other mobile devices... well, they're Linux, so I just set the DNS
server correctly and leave WireGuard always connected. It's a UDP "connection"
for crying out loud.

This all works flawlessly now to the point that my less technically-minded
roommate has it set up on their phone, too: they can access the NAS all the
time and ads are blocked in the web browser and in apps.

~~~
angristan
Sadly I had battery drain issues with WireGuard on Android. That's why I'm
content enough with the native DoT feature.

~~~
als0
Same with iOS. The battery drain was significant enough to make my phone hot
even when the screen was off.

~~~
sigwinch28
The app has a logging facility.

I'm not affiliated with the WireGuard project, but I would appreciate it if
you could encounter the issue again, and then submit an account of your
experience and the logs from your device.

------
_-___________-_
I tried NextDNS out recently, and had a few technical questions about how it
was interacting with some specialised DNS software I was testing. I clicked
the livechat button on the website and was connected within seconds to someone
who understood DNS at the protocol level. It was... unexpected and amazing.

~~~
mcherm
Now THAT is the most impressive thing I have heard about them.

~~~
vlovich123
For now. That level of support is inevitable for a small startup and generally
unsustainable beyond that stage.

------
eloahx
NextDNS is great for all my devices. It lets me access Handshake domains
easily from [https://dns.live](https://dns.live)

The default blacklist for NextDNS is really good too; it stops a lot of
Windows phone-home stuff too, and I can easily see all that.

Don't add a bunch of blacklists though, or websites break.

~~~
7ewis
What are Handshake domains?

~~~
jimmydorry
Crypto secured domains, I assume. First google result is namebase, which is a
familiar name in such a field.
[https://www.namebase.io/](https://www.namebase.io/)

~~~
blackRust
Here's the 101 I found:
[https://www.namebase.io/handshake101](https://www.namebase.io/handshake101)

Edit: more: [https://handshake.org/](https://handshake.org/)

------
XelNika
> Despite how much I like Cloudflare and this specific service, I want to
> block trackers at the DNS level. 1.1.1.1 is probably the most reliable and
> fastest resolver there is on earth, but that does not fit my use case
> either.

Isn't this a bit poorly timed, considering the recent Cloudflare DNS
announcement?

> In the coming months, we will provide the ability to define additional
> configuration settings for 1.1.1.1 for Families. This will include options
> to create specific whitelists and blacklists of certain sites. You will be
> able to set the times of the day when categories, such as social media, are
> blocked and get reports on your household's Internet usage.

[https://blog.cloudflare.com/introducing-1-1-1-1-for-families/](https://blog.cloudflare.com/introducing-1-1-1-1-for-families/)

~~~
aaomidi
I doubt they're going to support adblocking as a first class citizen.

~~~
bjtitus
Why? Their business model doesn't involve advertising at all.

~~~
schlotzisk
Yeah. No. Many advertisers rely on Cloudflare. If Cloudflare would choose to
block ads, I'd imagine that lots of folks would ditch them and use some other
DNS provider instead.

------
smileysteve
I've started using NextDns on my phone (Android) for its simplicity and
thoroughness.

One of the harder parts about DNS based blocking is that it's significantly
more effort to unblock something like clicks from tracked deals sites than
ublock browser extension.

For my routers, I'm mostly happy with the 1.1.1.2 malware blocking announced
by Cloudflare last week.

------
middleclick
It's also fairly easy to run your own recursive resolver in case you don't
want to use an external DNS service. I use Unbound and ad-blocking lists and
it works great.

------
bitxbitxbitcoin
NextDNS is also my new favorite DNS service - especially since they've been
supporting Handshake name resolution at the click of a button since March
20th. [1]

[1]
[https://twitter.com/nextdnsio/status/1241178358257455104](https://twitter.com/nextdnsio/status/1241178358257455104)

~~~
ignoramous
Sorry for being naïve: What is handshake-dns useful for-- is it like dnscrypt?
Is it mainstream enough to matter yet?

~~~
tasuki
Handshake is an attempt to decentralize DNS root domains. It isn't mainstream
enough to matter yet. I'm pretty excited about it though :)

You can read more at [https://handshake.org/](https://handshake.org/)

------
yegle
I'm hosting my own DNS server with DoT/DoH as reverse proxy of PiHole server.
The latency might not be as impressive as NextDNS' (7~10ms on my phone via
TMobile), and I can have full control of the stack.

[https://github.com/yegle/your-dns](https://github.com/yegle/your-dns)

~~~
ignoramous
> _The latency might not be as impressive as NextDNS '..._

For just DoH and low latencies, see Stackpath:
[https://news.ycombinator.com/item?id=19514791](https://news.ycombinator.com/item?id=19514791)

With fly.io, one could run DoT, too: [https://fly.io/docs/app-guides/run-a-private-dns-over-https-service/](https://fly.io/docs/app-guides/run-a-private-dns-over-https-service/) (that's a tutorial on DoH, though).

I use Cloudflare Workers (their generous free-tier covers 3 devices worth DNS
queries, with much room to spare), but the 128MiB RAM limit restricts the
number of domains in my blocklists:
[https://news.ycombinator.com/item?id=22208988](https://news.ycombinator.com/item?id=22208988)

------
aemreunal
Started using NextDNS a week ago and it's quite good so far. One of my
concerns was how hard it would be to debug websites/services that stop
working, but their logging being instant made it superbly easy. I can turn on
logging, go to the website/app that doesn't work correctly, go right back to
the NextDNS logs to see the requests instantly. You can then filter for the
blocked ones too.

------
bmn__
I tested the IPv6 latency to NextDNS
[https://my.nextdns.io](https://my.nextdns.io) and OpenNIC
[https://servers.opennic.org](https://servers.opennic.org) - I'm impressed
with the newcomer, with a 21 ms median it's very close to the 17 ms median I
currently enjoy.

------
StavrosK
This looks great, but unfortunately CloudFlare has 1ms ping for me but NextDNS
has 50ms. I'm not quite sure how it can reply in 1ms, but that's what I'm
getting.

~~~
axaxs
1 ms... Do you live in their datacenter? I sadly don't even get that kinda RTT
inside my own house.

~~~
StavrosK
I don't either, that's why I'm puzzled. Here's my traceroute:

[https://www.pastery.net/zppyhe/](https://www.pastery.net/zppyhe/)

I do have a fiber connection to my ISP, but still, 1 ms is pretty low. I
wonder if something else is replying, but I tried 1.1.1.2 as well and the
latency is the same.

~~~
virtuallynathan
Greece is a hard place for many to serve, not a big internet hub. Evidently
CloudFlare has servers there, and transit with Cogent too.

~~~
StavrosK
Yeah, definitely. I'm surprised CloudFlare has servers near here, if anything.

------
hendersoon
NextDNS is excellent, I have my family and non-techie friends using it.
Personally I just wireguard to my home network and use pihole.

Hopefully Windows, Linux, iOS, and MacOS natively support DoH soon. It's a
pain setting up proxies.

Even worse, iOS forces you to use a fake VPN to change DNS servers at all on
cellular!

~~~
sahaskatta
I was pleasantly surprised and happy to see that I could use this service or
Cloudflare on the latest version of Android natively by just typing in a URL
into the settings rather than having to install a 3rd party app!

------
eeZah7Ux
Surrendering our DNS traffic to a few massively centralized services is even
worse than to local ISPs.

~~~
troquerre
Have you checked out Handshake? It's a new experimental protocol that's trying
to decentralize DNS [https://handshake.org](https://handshake.org)

------
JoshuaRLi
I switched from pointing various things to cloudflare to simply using NextDNS
a while ago, and it's just excellent. The onboarding flow was way faster and
easier than I thought it would be (fantastic setup documentation).
Configurations are really great for customization at per-device granularity.
Extremely slick and fast web UI. Great DNS latency + performance overall.

I was planning on setting up my own recursive resolver one day (tm) but
NextDNS really just makes everything so seamless + easy.

------
m-p-3
And I'm impressed at the speed they're implementing new things I didn't even
know I wanted (Handshake TLD, more blocklists, etc)

------
hiram112
I've been using NextDNS on my laptop, two phones, and a tablet for months now,
after hearing about it from a poster here on HN.

Love it. I'm just worried that there is something a bit more nefarious going
on. If you're not paying, you're the product being sold.

Are we still just in the 'growth and acquire' phase here, where paid
subscriptions will eventually be required?

------
mderazon
NextDNS works great for me, I use it as a second layer to ublock origin and it
still catches things.

Only downside I have is when something does break, and it happens
occasionally, I have to whitelist the domain on their dashboard. You can only
whitelist the domain for all requests, which is not what I would like. Would
prefer to whitelist it on a specific page and for a temporary time.

Otherwise when something breaks I have to go to their dashboard, whitelist the
domain, use the website and then go back and blacklist it again.

Would be nice if they had a browser extension that can do that in the browser
without having to go to their dashboard.

------
lazzlazzlazz
I deployed NextDNS for my family months ago. The Handshake resolver locked in
NextDNS for my home network. I've been considering setting up PiHole as well —
Handshake resolution would lock that in.

------
Havoc
Interesting - just found weird behaviour in pihole. It's asking upstream to
resolve "pi.hole" according to NextDNS. That shouldn't be happening.

~~~
DavideNL
Check /etc/pihole/local.list

It should have something like

    x.x.x.x pi.hole

where x.x.x.x is your pihole's local ip.

~~~
Havoc
It's in a docker container so any changes will just get wiped on the next
version upgrade. I just checked and it does have the right IP in it though (IP
of the device hosting pihole). So it doesn't seem to be obviously
misconfigured. Weird.

.hole doesn't seem to be a valid TLD so not much of a security risk.

------
homero
It really is incredible, first time I couldn't think of any improvements a
product could add.

------
6510
Support is also great. It accidentally blocked a Dutch government website
(probably had reasons); it was fixed < 24 h after my email.

I think it's brilliant. Using client side ad-blockers on shitty hardware [to
make things less slow] adds a good bit of overhead.

------
troquerre
We use NextDNS to access Handshake domain names and it's been working great.
The privacy features are great too, although email links sometimes don't work
because of them (more of a feature than a bug imo).

------
mgiampapa
PiHole at its core is easy access to a bunch of blocklists. Why not just run
a local resolver and import the blocklists if your use case is mobile and you
don't want to VPN your traffic?

~~~
garren
I’ve moved from a local resolver with regular block list updating to NextDNS -
here’s why I’d recommend it over a DIY solution:

1. Easy to turn on and off. My block lists were pretty aggressive and worked
beautifully 90% of the time. However, occasionally I’d need to hit a site that
was registered in a list that wasn’t immediately obvious. The O’Reilly site is
(was) a good example - they were loading a script on their login page at one
point that failed because I’d blocked the source. I’ve encountered other sites
that fail in similar ways. Being able to temporarily disable adblocking (OSX
via the app) is tremendously convenient.

2. The blacklists and blocking categories offered by NextDNS are at least as
good as what I’d managed to pull together (I was pretty proud of mine), they
update frequently, and again it’s very easy to opt-in/opt-out.

3. CNAME cloaking - unless you update your own lists very frequently, there’s
a good chance you won’t be as effective at catching third-party trackers
masquerading as first parties.

I had fun running a local resolver and updating it from various block list
sources with a cron job. I’d add new entries manually as I encountered them,
but after a while it got old. Additionally, I wanted the same protection
outside of my network. The same setup on a FreeBSD droplet worked well, but
was more maintenance. NextDNS does at least as good a job, and it’s way more
convenient.

------
ThinkBeat
I am using this on and off. I have some trouble with its ad blocking etc.

Some apps and some sites do not work well.

You could easily say that this is due to the pages or app itself and I agree.
Still, I have to use some of them.

~~~
ignoramous
> Some apps and some sites do not work well.

You might have enabled some pretty aggressive blocklists with nextdns. If you
can't be bothered, Adguard DNS is more accommodating but configuration-less,
give it a try [0].

As for sites, I use startpage's anonymous-view [1] or brow.sh [2] at times.

[0]
[https://news.ycombinator.com/item?id=18788410](https://news.ycombinator.com/item?id=18788410)

[1] [https://www.startpage.com/en/anonymous-view/](https://www.startpage.com/en/anonymous-view/)

[2]
[https://news.ycombinator.com/item?id=17487552](https://news.ycombinator.com/item?id=17487552)

------
KingOfCoders
I've been using DNS Made Easy for some years now, can someone who knows both,
fill me in on the main differences? Any need to change?

~~~
tecleandor
DNS Made Easy (which, by the way, is great and fast, although I'm using HE for
some domains) is for your domains.

NextDNS is for your devices. It's a DNS provider for your network and devices
that allows you to block ads, custom configs and the like. Seems like an
advanced version of what OpenDNS used to offer back in the day (not sure if
they still do it after the Cisco acquisition).

~~~
KingOfCoders
Thanks that helped!

------
ykevinator
What a great write up. If they can get over the technical fear for the average
user this is a huge idea and the price is fair.

------
albybisy
I'll give it a try :) but it's a little bit suspicious that there is not a
single bad comment about NextDNS......

------
Havoc
Doesn't seem to be catching much that uBlock and pihole aren't. 0.07%. Not
super surprising I guess

edit...and noscript

~~~
aeosynth
There are multiple blocklists you can enable.

~~~
Havoc
Yeah I don't think it's a flaw with NextDNS. Just means my existing setup is
already doing a decent job. Another layer is always good though.

I did have a look at additional blocking lists on there though - some good
options there. Added "Block Child Sexual Abuse Material" and gambling.

------
allenbrunson
also a fan of NextDNS. i have been using the service for a few weeks, since i
saw them mentioned on twitter. looks like the aggregate number of queries from
the many devices on my home network will exceed 300,000 per month, so i am
happy to start paying as soon as they start charging.

------
yuz
How do ads get blocked at the DNS level?

~~~
aemreunal
When the browser tries to load an ad, let's say from "ads.com", the DNS
service responds to that domain with 0.0.0.0, which prevents the ad from
loading. You enable lists to customize which domains should be considered ad
domains and can optionally blacklist other domains.
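Added example code (not from the thread, NextDNS, or any project named here) illustrating two points raised above: aemreunal's description of a resolver answering blocked domains with 0.0.0.0, and tialaramex's point that a DoH query, including any per-config path, sits inside the encrypted HTTP request rather than in the plaintext SNI. The blocklist entries, queried names and the `/cfg-PLACEHOLDER` path are constructed assumptions.

```python
# Added example, not from the thread or NextDNS: a minimal DNS "sinkhole"
# that answers blocked names with 0.0.0.0, plus the RFC 8484 GET encoding
# that carries a DoH query (and any per-config path) inside the TLS session.
# Blocklist entries, names and the "/cfg-PLACEHOLDER" path are constructed.
import base64
import struct
from typing import Optional

BLOCKLIST = {"ads.example", "tracker.example"}  # constructed sample list

def encode_qname(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard A/IN query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)

def parse_question(msg: bytes):
    """Return (txid, qname, qtype, end offset of the question section)."""
    txid = struct.unpack("!H", msg[:2])[0]
    labels, pos = [], 12
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return txid, ".".join(labels).lower(), qtype, pos + 5

def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """Block a name when it, or any parent domain, is listed."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))

def sinkhole_response(query: bytes) -> Optional[bytes]:
    """Answer a blocked A query with 0.0.0.0; None means forward upstream."""
    txid, qname, qtype, qend = parse_question(query)
    if qtype != 1 or not is_blocked(qname):
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    # Answer RR: pointer to the question name at offset 12, A, IN, TTL, 0.0.0.0
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(4)
    return header + query[12:qend] + answer

def answer_ip(response: bytes) -> str:
    """Read the IPv4 address from the single-answer response built above."""
    return ".".join(str(b) for b in response[-4:])

def doh_get_path(config_path: str, query: bytes) -> str:
    """RFC 8484 GET form: unpadded base64url query under the (hypothetical) config path."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode()
    return f"{config_path}/dns-query?dns={dns}"
```

With DoT the equivalent per-config hint would have to sit in the server name sent in the TLS ClientHello, which is exactly the part an on-path observer can still read.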

~~~
b3n
Are any ad networks bypassing this yet by serving ads from a static IP?

------
agumonkey
can pdnsd (persistent/cache) work with NextDNS?

------
codeisawesome
_wow_ this is great! Now I want Apple to acquire them and provide this
natively on the iPhone.

------
whycombagator
I've not used it, but Adguard also has an ad blocking DNS[0].

[0] [https://adguard.com/en/adguard-dns/overview.html](https://adguard.com/en/adguard-dns/overview.html)

~~~
deftturtle
Used Adguard for about 2.5 years, and literally switched to NextDNS yesterday
after reading this article. I've got a blog post about DNS ad-blocking [0],
updating stuff now and then. I hope it points out some of the different
features and reasons to use one over the other. Let me know what you think!

[0] [https://www.calebyers.com/blog/dns-ad-blocking.html](https://www.calebyers.com/blog/dns-ad-blocking.html)

