Show HN: nextdns.io – A Combination of Cloudflare DNS and Pi-Hole (nextdns.io)
372 points by nextdns on May 26, 2019 | 146 comments

Nice. DNS has grown notoriously complex over the years and it is hard work to run a standards compliant service. Congratulations.

A few suggestions:

- Auto-detect OS and suggest specific setup instructions right on the landing page?

- The website goes blank when I block third-party JavaScript from loading. Can you please see if you can fix that?

- simplednscrypt has been handy for me to DoT/DoH/DNSCrypt with AdGuard DNS on PC. You could include instructions in the Windows section for that? https://dnscrypt.info/implementations/

- Provide a generic DNS endpoint like AdGuard does?

A few questions:

- What's the backend that fronts DoH, DoT, and DNSCrypt queries? Is it simply relayed to Cloudflare underneath the covers? How do you do that?

- Re: Privacy Policy: "We store user data following modern security standards". What user data is stored using what modern standards? I like the terse policy document, but I feel there needs to be a fine print detailing data collection and data retention. Examples: https://s3.amazonaws.com/lantern/LanternPrivacyPolicy.pdf and https://info.ecosia.org/privacy

> Auto-detect OS and suggest specific setup instructions right on the landing page?

It should already pre-select your OS tab on my.nextdns.io on the Setup page? If that's not the case, then it's probably a bug.

> The website goes blank when I block third-party JavaScript from loading. Can you please see if you can fix that?

Weird, we will have a look.

> simplednscrypt has been handy for me to DoT/DoH/DNSCrypt with AdGuard DNS on PC. You could include instructions in the Windows section for that? https://dnscrypt.info/implementations/

You can use your custom sdns:// endpoint listed on the Setup page, we assumed users using dnscrypt clients would know what this means. Good point, we will add setup instructions for it.

> Provide a generic DNS endpoint like AdGuard does?

We already have them, we decided to not show them on the website as it may confuse users. We may add them back.

> What's the backend that fronts DoH, DoT, and DNSCrypt queries? Is it simply relayed to Cloudflare underneath the covers? How do you do that?

It's a custom-made backend, and we recurse using unbound (we don't forward to cloudflare or anything like that).

> Re: Privacy Policy: "We store user data following modern security standards". What user data is stored using what modern standards? I like the terse policy document, but I feel there needs to be a fine print detailing data collection and data retention.

We will definitely improve that, we had to make some calls on priorities for the launch.

Minor nitpick, but > is universally used to indicate quoted text, and you've reversed the meaning here.

Edited, thanks!

> The website goes blank when I block third-party JavaScript from loading. Can you please see if you can fix that?

> Weird, we will have a look.

For those that block JavaScript by default, it would also be nice to get something more than "You need to enable JavaScript to run this app." on the main page. At least a short blurb on what this is.

(Since the most recent batch of CPU vulnerabilities, I have decided to use uMatrix to block anything but CSS by default.)

> Weird, we will have a look.

What's "weird" is that someone thought to mandate third-party map and chat javascript widgets on what should have been a simple page explaining what the combination of Cloudflare and PiHole is.

It detects my FreeBSD machine as windows.

> Nice. DNS has grown notoriously complex over the years and it is hard work to run a standards compliant service. Congratulations.

Running your own private recursive resolver is very easy.

Edit: I believe people are confusing running a DNS nameserver with running a DNS resolver. The former might be hard, the latter is very easy.

No. It's not. You need to buy hardware, set it up and later constantly maintain it. It requires technical knowledge, willingness to do it and, above all, free time. While the initial investment may seem trivial, in the long run it's not. People very often tend to forget that their own solutions are not set-up-and-forget. This is why cloud services are a thing in the first place.

You can absolutely just run a recursive resolver on your laptop and use that resolver in every[+] network. There is literally nothing special about a recursive resolver except that it does some legwork that a stub resolver / filter resolver (like glibc or dnsmasq) doesn't do.

If you run e.g. Linux or BSD, you'd just install knot-resolver, enable the service and put "" in your /etc/resolv.conf. That's it.

Similarly if you run something like pihole it is very easy to have it run a recursive resolver as well, I bet pihole has a page on how to set that up, and I doubt it is hard in any way.

If, of course, all you have now is a router provided by your ISP and you want to run your own intranet DNS resolver, then, yeah, you'll probably need some hardware for that. Obviously.

[+] some networks hijack outgoing DNS.

Debian 10 Buster already installs Stubby DNS by default as your caching DNS server.

Stubby is, as the name implies, not a recursive resolver. It's a DoT stub resolver.

I don't understand why any privacy conscious person would choose a hosted service instead of self-hosting your own solution.

Implementing the whole thing (modulo the anycast IP, which is the only thing I did not use) is easy. I have a docker-compose file which does the whole stack:

1. Unbound DNS, which provides DNS-over-TLS service on port 853. It forwards requests to my local pihole's port 53.

2. Pihole forwards requests to my Stubby DNS server.

3. Stubby connects to Google DNS over DNS-over-TLS.

4. A separate docker container to run certbot to update the certificate used by the unbound container.

5. A separate docker container with Pomerium as reverse proxy so I can remotely access the PiHole UI.

Then you can configure your Android phone to use your unbound DNS server as the "private DNS" server. I've been using this setup for more than a month and it works really well.

UPDATE: I posted my docker-compose.yaml file at https://github.com/yegle/your-dns. I'll update the README soon.

I don't know how you can say that's easy with a straight face. You just mentioned at least 5 software projects and/or technologies that a large bulk of people have never heard of.

A self-host solution by its nature requires some investment in the techniques and would take greater effort (that's how most open source projects make money).

Look, I'm not trying to sell my solution here. This is Hacker News, I'm simply sharing my setup and hope it can help someone who's capable and willing to invest the time. I understand this is not for everyone, that's why I suggest nextdns.io as the hosted solution in the README.

> A self-host solution by its nature requires some investment in the techniques and would take greater effort (that's how most open source projects make money).

That sounds like a pretty good reason not to run your own solution then, so I guess we can meet there.

> Look, I'm not trying to sell my solution here.

Yes, you are.

OP must have gone to a prestigious business school in Paris

You just answered your own question. A self hosted solution requires a lot of domain and technical knowledge to set up. To you it might seem trivial, but that's an insurmountable barrier to many.

This project seems to occupy the same niche as products like Blokada. Most of the benefits of a self hosted solution, with a much lower barrier to entry.

Depending on your goal. If you just want to have an ad blocking DNS server then nextdns.io is fine. But if you also want to have some control over the privacy issue involved in using a public DNS server, you should seriously consider hosting it yourself.

You are using Google dns servers and you are saying you have "control over the privacy issue involved in using a public DNS server" ?

Depending on your goal: I really don't like the idea all the ISPs can track what websites I visited (Verizon, ATT, and ISPs behind public WiFi). To me, my setup is a huge improvement to the status quo.

I'm amazed that on a site called "Hacker News" people are giving you hassle for building your own self-hosted solution rather than handing control of your DNS over to random people, possibly for money down the line.

Well done.

The hassle is because of the implication that it is super easy to run a self-hosted solution. It's a decently complex task that your average person couldn't come close to doing, and many here would still take a bit of time to grok it all.

Hey, I've updated the README and the instructions should be straightforward.

The docker-compose file makes everything easily reproducible and I've included working example configs. Not sure how I can further simplify the setup but open to suggestions.

How to use Docker? No idea

Technological proficiency is very distributed too. Some people are really good at web apps but have no idea how to program in a compiled language. There is so much out there and it's not really feasible for everyone to know about everything.

Your solution is not privacy conscious or self-hosted as long as you send all your data to Google in exchange for resolved DNS records. Why not let Unbound resolve recursively?

I think it depends on who you're trying to protect against. While using DoT to a public resolver gives the public resolver the ability to build a history of your queries, running a recursive resolver yourself means anyone who's watching the wire (ISP, local government, etc.) can build a query history instead. Some people trust Google or Cloudflare more than those other entities, or figure that Google already knows pretty well what they're up to since Analytics is pretty much everywhere and they use Gmail.

The most useful option I've seen for trying to get the benefits of both has been rotating between a list of DoT resolvers, so none get all the history and they end up with fragmented profiles. There are issues there since people access the same services and thus they'll get the full list over time if the software doesn't record who got what request and sticky it to them. There's always the option of doing it over Tor, but then you're introducing multisecond latencies to your DNS queries, which isn't exactly a great experience.
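To make the "rotate between resolvers" idea and its stickiness caveat concrete, here is an added example (my own code, not anything from the thread or from nextdns): a keyed, sticky assignment of query names to upstream resolvers. Every name under one site is always sent to the same resolver, so the resolvers end up with disjoint partial profiles instead of each eventually seeing every site, which is what naive round-robin produces. The resolver names are placeholders, the HMAC key is a constructed per-install secret, and the "last two labels" site grouping is a simplification (a real implementation would use the Public Suffix List).

```python
import hashlib
import hmac

# Placeholder upstream DoT resolvers (constructed names, not a recommendation).
RESOLVERS = ["dot-a.example", "dot-b.example", "dot-c.example"]

# Constructed sample query stream: three names under one site first, so that
# round-robin is guaranteed to hand that site to every resolver.
SAMPLE_QUERIES = [
    "www.example.com", "cdn.example.com", "api.example.com",
    "news.ycombinator.com", "my.nextdns.io", "nextdns.io",
]


def registrable_domain(qname):
    """Approximate the site identity as the last two labels.

    Simplification (assumption): a real implementation consults the Public
    Suffix List so that e.g. foo.co.uk is not collapsed to co.uk.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def pick_resolver(qname, resolvers, key):
    """Sticky, keyed choice: all names under one site go to one resolver.

    Using an HMAC with a per-install secret (rather than a plain hash) means the
    site->resolver mapping cannot be predicted from the domain alone, and rotating
    the key reshuffles which resolver holds which fragment of the history.
    """
    site = registrable_domain(qname).encode("ascii")
    digest = hmac.new(key, site, hashlib.sha256).digest()
    return resolvers[int.from_bytes(digest[:8], "big") % len(resolvers)]


def pick_resolver_round_robin(qname, resolvers, counter):
    """Naive rotation: the failure mode described above (no stickiness)."""
    return resolvers[counter % len(resolvers)]


def simulate(qnames, resolvers, key):
    """Return, per resolver, the set of sites it learns under sticky hashing
    versus under round-robin, for the same query stream."""
    sticky = {r: set() for r in resolvers}
    round_robin = {r: set() for r in resolvers}
    for i, q in enumerate(qnames):
        site = registrable_domain(q)
        sticky[pick_resolver(q, resolvers, key)].add(site)
        round_robin[pick_resolver_round_robin(q, resolvers, i)].add(site)
    return sticky, round_robin


if __name__ == "__main__":
    key = b"constructed-per-install-secret"
    sticky, rr = simulate(SAMPLE_QUERIES, RESOLVERS, key)
    for r in RESOLVERS:
        print(r, "sticky:", sorted(sticky[r]), "round-robin:", sorted(rr[r]))
```

Under round-robin every resolver ends up knowing about example.com after three lookups; under the sticky scheme each site appears in exactly one resolver's set. This does nothing about the on-wire observer, which is the point the next comments make.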

If you think someone is watching your wire they will see what you connect to after resolving it. That's true if your ISP resolved it, Google resolved it or you resolved it. If this is a problem, you need a different solution altogether.

So because a snooping provider is irrelevant when we talk only about resolving DNS, that only leaves the choice of which party to add to the chain of entities that are able to easily snoop on you or not. If privacy is important, adding Google or any other DoT resolver to that chain is strange.

That's true if an IP only serves requests for a single domain. With ESNI it's now possible to connect to a server that hosts services for multiple domains without the domain being divulged in the clear on the wire.

How does “forward to google dns” and “android” give you any privacy? Your DNS queries are still recorded, tracked and indexed by them, linked to your IP and phone profile.

Disclaimer: I work at Google. I know our internal policy regarding PII and the tooling around it to protect PII, so individual employees cannot easily violate my privacy. And I know people who work there are generally very vocal (think about Dragonfly). I would trust Google more to handle my privacy.

If totalitarianism ever comes to the US, Google would not be able to prevent the totalitarian regime from making use of its data-collection systems. A good analogy would be building a nuclear reactor on a site which sees very rare massive earthquakes. Apple in contrast has acted responsibly by designing its systems not to centralize or concentrate the data in the first place. That is, the unencrypted version of the data and the encryption keys stay on the iPhone.

Second, Google uses personal data combined with machine learning to optimize "user engagement" (roughly, hours spent on the service) because that has been proven to be a good predictor for how resistant an internet service is to competition or disruption. This optimization of user engagement has a bad effect on the productivity and perhaps the mental health of individuals and families and has a bad effect on our public discourse.

Sounds like the reaction to Dropbox again

Even if the setup is easy, production-grade hosting is not.

Not saying my setup has lower reliability than the hosted service (did nextdns.io promise any SLA?). For the added privacy, the potential lower reliability is a risk that I'm willing to take.

Even with this setup there are ways to increase reliability within the budget/skill set of a normal engineer, e.g. run two RasPis with keepalived and run VRRP on your routers. As a last resort, I can disable the "Private DNS" setting on my phone if my DNS is down and I can't fix it quickly enough remotely.

keepalived is never the answer; if you can run it, your services are by definition crash-only share-nothing or inconsistent by design, or else you wouldn't let keepalived choose when to move the "primary flag" to the other service (as there'd be no way of sending the last ACKed data from the previous primary). Since this is the case, you could just load balance across the services and have them both active.

From a networking perspective, getting VRRP working on anything but physical equipment (e.g. in the cloud) is a fool's errand; it's L7/API-based and not on the ethernet level. Similarly with keepalived, which will get isolated from the monitored instances (thereby failing to the other, also "down" instance) — except it might have access to the API gateway of the cloud provider thereby disassociating the V-IP from both your instances; so you'll end up with more downtime with keepalived than you gain by it.

Since DNS is by default inconsistent, but eventually consistent and thereby possible to load-balance, you could run one instance of this stack on your static home IP and another instance on GCP/DO/AWS and configure multiple DNS servers in your DHCP options and on your phone, to get higher availability.

I really don't see the point of pi-hole in homebrewed stuff like this - it's more efficient to have the block list in the initial DNS server itself.

A sidenote -- Anycast is trivially easy to set up; with their current host, Vultr, offering essentially turn-key solutions.

There’s a large distinction between BGP announcing and running a properly balanced anycast network. Vultr is not designed for this, they have limited bgp community strings - so running an anycast network there will work either only with select locations, or with sinkholes pulling in traffic from far away.

Could you share your compose file or the images you're using?

We've been working super hard on nextdns.io, a cloud-based private DNS service that gives you full control over what is allowed or blocked on your devices.

Here are a few things you can do with it:

- Block malicious websites, trackers, ads, and more by combining the most popular blocklists out there, all updated in real-time (100+ lists to choose from).

- Set your own privacy requirements: you decide what type of logs are kept (and for how long) depending on the level of analytics you want. Down to absolutely NO logs.

- Automatically use DNS-over-HTTPS on all networks (including cellular) with our apps for Android, iOS, Windows and macOS. They are all tiny, tightly integrated with the OS and have negligible battery usage. (Some of them are still being worked on.)

- Bypass nearly all forms of government/ISP censorship without the need for a slow/costly VPN, and make it way harder for your ISP to know what you are doing on the Internet.

- Get in-depth analytics and real-time query logs so you can measure the efficiency of your blocking strategy, see when the apps on your devices are calling home, etc. And choose what is logged down to absolutely no logs, you decide.

- Easily protect your family (you can create as many configurations as you want on one account, each with different settings, and you can use multiple different configurations while being on the same network).

It also supports all the latest DNS technologies (DNS-over-HTTPS/TLS, Query Name Minimisation, DNSSEC validation, etc.), and it's fast (for most countries, we are or will very soon be as low-latency as Google DNS, Cloudflare and the likes).

There is tons of other cool stuff we built into the service (like the fact that each configuration gets its own DoH/DoT endpoint and IPv6) but this post is already way too long :)

We recorded a short GIF of us browsing through the interface: https://gfycat.com/LinedVerifiableBellfrog

You can create your first configuration and test it right away without signing up (you can sign up later and "save" it).

We would really appreciate if you could try the service, tell us what you like, what you don't like, what you would add, etc. We will happily answer all questions (even the technical ones).

Cheers, and thanks!

Good on ya. How is this all being paid for? How are you making money? Is there a subscription fee?

It's free during beta, then freemium with low pricing tiers (something like free up to 500,000 DNS queries a month, then $0.99/month). We will tweak later based on actual costs at scale, but it will follow this logic.

I love this model. Get people in for free, let them discover how fabulous it is, then by the time they need a pro-grade thing they're happy to throw money at you.

See also: Netlify.

Best of luck! Looks great.

Awesome, that sounds pretty good

1. How would you compare your service with paid service "Circle" https://meetcircle.com/

2. How effective is it at blocking apps?

3. Will you OpenSource it?

4. Can you add some kind of Bash/scripts to configure profiles/settings on OpenSource routers such as OpenWRT, etc?

5. Will there be an API to control settings?

I tried using it. I'm in India, and while Cloudflare and Google DNS consistently resolve in 60-70ms, nextdns takes between 400-700ms for the first resolution and consistently 250ms for the same query repeated (I presume it caches the results?)

Should I assume you've gotten a huge spike in traffic because of this HN post? If yes, I don't mind trying again in a few days, but unless things improve, I wouldn't be able to use it despite loving it in concept (the UI of your implementation is great too). I don't want to discourage you folks, since you've done a great job with the rest of it.

Thanks for your efforts.

Disclaimer: I run a competing service.

India is difficult. I run our anycast network and we have coverage in India but I look forward to improved routing there in the future with additional transit providers.

It seems nextdns is announcing exclusively with Vultr: https://bgp.he.net/net/

Which is not in India: https://www.vultr.com/locations/

It's not the spike, it's probably a combination of:

- a routing imperfection (these things need to be tweaked over time).

- the fact that we didn't deploy our PoP in India yet (coming this month).

Can you talk to us on the chat if you have some time? It would help to do some debugging.

Great idea for service, but it has to be lightning fast to be in the middle of thousands of requests a minute as someone is surfing the web without making the web feel sluggish.

In NYC on the largest metro ISP. Earlier in the day, was getting 25-43 msec to the typical major DNS providers (,,,, as well as AdGuard), and usually 71 - 73 msec to you.

After a while, started getting as slow as 280 msec to you.

Last hour or so, mostly just getting timeouts to you, making the web, as well as apps, unusable.

Had to revert.

AdGuard DNS:

    dig @ news.ycombinator.com
    ; <<>> DiG 9.10.6 <<>> @ news.ycombinator.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6879
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ; EDNS: version: 0, flags:; udp: 4096
    ;news.ycombinator.com.  IN A
    news.ycombinator.com. 56 IN A
    ;; Query time: 29 msec
    ;; SERVER:
    ;; WHEN: Sun May 26 15:32:11 EDT 2019
    ;; MSG SIZE  rcvd: 85


    dig @ news.ycombinator.com
    ; <<>> DiG 9.10.6 <<>> @ news.ycombinator.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14810
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ; EDNS: version: 0, flags:; udp: 4096
    ;news.ycombinator.com.  IN A
    news.ycombinator.com. 0 IN A
    ;; Query time: 282 msec
    ;; SERVER:
    ;; WHEN: Sun May 26 15:32:17 EDT 2019
    ;; MSG SIZE  rcvd: 85
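One detail worth checking in outputs like the two above is the TTL on the answer (56 in the first, 0 in the second): a TTL of 0 tells every downstream cache, including the stub resolver on the device, that it may not keep the record, so every lookup pays the full round trip again. As an added example (my own code, not from the thread and not anything nextdns publishes), here is a small wire-format DNS query builder and response parser, plus a check that a reply matches the query id and carries a cacheable TTL. The reply is constructed in the block (the real IP was not in the post; 203.0.113.10 is a documentation address), with the answer name written as a compression pointer the way real resolvers emit it.

```python
import struct

TYPE_A = 1


def build_query(qname, qid, rd=True):
    """Build a wire-format A query, the same thing `dig` sends (RFC 1035 4.1)."""
    flags = 0x0100 if rd else 0x0000           # RD: ask the resolver to recurse
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", TYPE_A, 1)


def _read_name(msg, pos):
    """Decode a possibly-compressed name; returns (name, position after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", (end if jumped else pos)


def parse_response(msg):
    """Return header fields and the answer RRs, including each one's TTL."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    questions = []
    for _ in range(qd):
        name, pos = _read_name(msg, pos)
        qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(an):
        name, pos = _read_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": qid, "rcode": flags & 0xF, "ra": bool(flags & 0x80),
            "questions": questions, "answers": answers}


def make_response(query, ttl, ip):
    """Constructed resolver reply: echoes the question and adds one A record whose
    owner name is a pointer back to the question at offset 12 (0xc00c)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, NOERROR
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, ttl, 4)
          + bytes(int(x) for x in ip.split(".")))
    return header + query[12:] + rr


def check_cacheable(query, response, min_ttl=1):
    """Return (ok, reason). The reply must carry the query's id, NOERROR, at least
    one answer, and a TTL that downstream caches are allowed to keep."""
    parsed = parse_response(response)
    if parsed["id"] != struct.unpack("!H", query[:2])[0]:
        return False, "transaction id mismatch"
    if parsed["rcode"] != 0:
        return False, "rcode %d" % parsed["rcode"]
    if not parsed["answers"]:
        return False, "no answers"
    low = min(a["ttl"] for a in parsed["answers"])
    if low < min_ttl:
        return False, "ttl %d below %d" % (low, min_ttl)
    return True, "ttl %d" % low


if __name__ == "__main__":
    q = build_query("news.ycombinator.com", 6879)
    print(check_cacheable(q, make_response(q, 56, "203.0.113.10")))  # (True, 'ttl 56')
    print(check_cacheable(q, make_response(q, 0, "203.0.113.10")))   # (False, 'ttl 0 below 1')
```

To use it against a live resolver, send `build_query(...)` over UDP to port 53 (or inside a DoT/DoH request) and pass the raw reply to `check_cacheable`; a resolver that answers repeated queries with TTL 0 will show the "same query repeated" latency reported earlier in this thread, because nothing on the client side is permitted to cache it.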

Try to do MTR and check for the routing.

I am from Sri Lanka and I get the following over IPv6 using dig:

80-120ms for Nextdns (92ms avg ping)

75-140ms for Google (61ms avg ping)

70-90ms for Cloudflare (75ms avg ping)

Is your source code open?

This looks really cool. I'm nervous about entrusting someone with stuff as sensitive as DNS. If this is all it appears to be, I may be a paying customer (though I try to only use/pay for free-as-in-speech software).

>I try to only use/pay for free-as-in-speech software

I would like to see more software adopt this model. Can you give a few examples of things you support? Are they all pay-for-hosting services, or are there cases where the software itself is for sale?

What does "free-as-in-speech" mean in the context of software?

A strict interpretation would suggest something along the lines of "we don't censor what the customers of our software do with it", which is true for almost all software (aside from social media platforms). I don't see how this would apply here, since this software isn't being used for the creation of anything.

A looser interpretation would suggest that, if the software is used to access content (eg. web browser) then, aside from technical limitations, it doesn't censor content that it could otherwise display. I can see how this might apply to a DNS.

I don't see, however, how "free-as-in-speech" has any reference to open or closed source. (Not sure if that was what was meant.)

"free-as-in-speech" is usually intended to contrast with "free-as-in-beer", thereby disambiguating the word "free" in English. Some software is "free-as-in-speech", which means you aren't limited with what you can do with it or its code -- "free" means that the user has certain rights. I think Stallman introduced this way of talking about software; people sometimes use "libre" instead. https://ssd.eff.org/en/glossary/open-source-software

Yes, this is exactly what I meant with my usage of the word. free-as-in-speech (where you can easily recreate the speech yourself) versus free-as-in-beer (where you can't easily recreate the beer since it is closed source) (at least this is always how I have interpreted the meaning personally).

The most recent example would be FileBot which I bought a subscription for mostly because it is high quality and is free software (as-in-speech). I would have used less functional free (as in speech and beer) alternatives had the filebot source not been available to me.

Filebot homepage: https://www.filebot.net/ Source code: https://github.com/filebot/filebot

While I now understand "free-as-in-speech" is meant to refer to "free in the sense of Stallman's ideology", I still don't think the following makes any sense:

> free-as-in-speech (where you can easily recreate the speech yourself)

Freedom of speech has nothing to do with recreating the speech. The term "free speech" means "no censorship".

The connection, as I now understand it based on other comments here, is that "free speech" refers to a freedom relating to people's rights as opposed to "free beer", which refers to cost. In that sense I can understand the connection to free software in the sense that Stallman advocates for.

That's an interesting one. I had heard of filebot but don't have any personal use case for it. The license probably qualifies as libre but definitely isn't GPL compatible, for the record: https://github.com/filebot/filebot/blob/master/LICENSE.md

Edit: Actually, it's worth noting that the statement in the README arguably makes filebot non-free. "You may NOT use the source code to publish binary builds without explicit authorization." If that's actually supposed to be enforced by the terms of the license, filebot is definitely not libre software.

On the other hand, it's not clear at all whether this is prohibited by the license. It prohibits "Publishing binaries or competing clones that undermine the ability of the original author to make money from his work." I don't see why publishing a binary for free on a new platform would undermine this in most cases, given that the author already publishes free binaries for most platforms on the official website.

Yeah that's a good point regarding publishing binaries. I would guess that he wants to keep tight quality control (since in the past there were crap binaries being passed around). But yes I don't consider it GPL compatible, but it (was, see below) close enough for me ¯\_(ツ)_/¯ (I try not to let perfect be the enemy of good).

That said I just tried to build it for the first time (wanted to make a small improvement) and there are no documented build steps and a standard ant build doesn't work. There are open github issues where the author is very dismissive and just says basically "code not supported, just for educational purposes."

I poked at it for about 15 minutes but I've never used ant before and couldn't get the build working. That really saddens me. Unless things improve I won't be renewing my subscription. I'm pretty disappointed to say the least.

How about geoblocking? Have you considered adding a smart DNS like functionality?

I am in the East Coast with 100Mbit fiber:

dig @ google.com ;; Query time: 390 msec

Could be a routing issue (these things need to be tweaked over time). Can you talk to us via the chat on the website so we can debug?

468ms in the UK.

9ms on Cloudflare, 10ms on Google.

There seems to be some routing oddities going on. I'm also in the UK (on AAISP). Sometimes I get ~48ms response, other times 200-300ms.

Looking at mtr I'm occasionally routed to Dallas, Texas. Other times it's correctly routing over my ISP's peering to Vultr.

What command did you run in mtr to see the routing locations?

Or just a normal report, then lookup the IP location?

By default mtr will do reverse DNS lookups on all hops. Several of the traces I ran showed the route to nextdns's /24 transiting over NTT and from the DNS name you can figure out where each router is.

273msec in DC

Do you support time-based blocking? Aka no reddit during working hours?

dnscrypt-proxy can be used to securely access nextdns, and it supports time-based blocking https://github.com/jedisct1/dnscrypt-proxy/wiki/Filters#time...

I was expecting this for ~ a year. Congrats. Main pain point for me: ads on my iOS device on cellular.

You solved it.

Only turn-down: my iPhone SE (latest OS version) seems to get little peaks of heat.

What about client subnet?

Right now it's disabled for everyone, it will be supported with an option to disable it.

Personally I run either pihole or something similar; however, setting up something similar for all my friends is a bit cumbersome as it at least requires getting a Raspberry Pi. This seems like a really intriguing alternative, although I will voice similar concerns as others are expressing: the site does not indicate the source of the funding, motivations for the project, etc. As such, that could be a barrier to entrusting something as personal as DNS to a service without understanding their motivations and future plans. It would be great if that could be better outlined on the site.

Motivations: like most tech startups, scratching your own itch :)

Funding: Free during beta, then freemium with low pricing tiers (something like free up to 500,000 DNS queries a month, then $0.99/month). We will tweak later based on actual costs at scale, but it will follow this logic.

You should add some kind of rogue device/app guarantee + notification. If something starts to drill a server, it could spike the user's costs without their knowledge. That means every device and app is a liability for the user.

Something to ponder.

I know my Nvidia Shield DRILLS Netflix even when it's asleep.
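The rogue-device concern above is something you can check for yourself today from a Pi-hole or dnsmasq log before it shows up as a bill. As an added example (my own code, not from the thread and not a nextdns feature), this parses dnsmasq-style query lines, flags any client that exceeds a per-window query rate, and projects the observed rate to a 30-day total against the 500,000-queries-per-month figure floated in this thread. The log lines are constructed in the block: one well-behaved client and one device hammering a single hostname twice a second.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# dnsmasq/Pi-hole query line, e.g.
#   May 26 15:32:00 pi dnsmasq[812]: query[A] api-global.example.net from 192.168.1.42
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

FREE_TIER_MONTHLY = 500_000   # figure mentioned in this thread, not a published price


def sample_log_lines():
    """Constructed log: 5 normal queries from .20 and 40 queries in 20 s from .42."""
    lines = [
        "May 26 15:30:00 pi dnsmasq[812]: query[A] news.ycombinator.com from 192.168.1.20",
        "May 26 15:31:00 pi dnsmasq[812]: query[A] nextdns.io from 192.168.1.20",
        "May 26 15:33:00 pi dnsmasq[812]: query[AAAA] nextdns.io from 192.168.1.20",
        "May 26 15:34:00 pi dnsmasq[812]: query[A] my.nextdns.io from 192.168.1.20",
        "May 26 15:35:00 pi dnsmasq[812]: query[A] news.ycombinator.com from 192.168.1.20",
    ]
    for i in range(40):   # two lookups of the same name every second, like a sleeping device polling
        lines.append("May 26 15:32:%02d pi dnsmasq[812]: query[A] api-global.example.net "
                     "from 192.168.1.42" % (i // 2))
    return lines


def parse_line(line, year=2019):
    """Return (timestamp, name, client) or None for lines that are not queries.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return ts, m["name"], m["client"]


def parse_log(lines, year=2019):
    return [e for e in (parse_line(l, year) for l in lines) if e is not None]


def find_bursts(events, window_s=60, max_queries=30):
    """Sliding window per client: flag the first moment a client exceeds
    max_queries within window_s seconds. Returns {client: (count, window_start)}."""
    windows = defaultdict(deque)
    offenders = {}
    for ts, name, client in sorted(events):
        q = windows[client]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_queries and client not in offenders:
            offenders[client] = (len(q), q[0])
    return offenders


def project_monthly(events, quota=FREE_TIER_MONTHLY):
    """Extrapolate the sample's query rate to 30 days; returns (projected, within_quota)."""
    if not events:
        return 0, True
    stamps = [e[0] for e in events]
    span = max((max(stamps) - min(stamps)).total_seconds(), 1.0)
    projected = round(len(events) * 86400 * 30 / span)
    return projected, projected <= quota


if __name__ == "__main__":
    events = parse_log(sample_log_lines())
    print(find_bursts(events))        # {'192.168.1.42': (31, datetime(2019, 5, 26, 15, 32))}
    print(project_monthly(events))    # (388800, True)
```

The projection is only as good as the sample window (five minutes here, so treat the number as illustrative); the burst detector is the part worth wiring to a notification, since one misbehaving client is what turns a comfortable monthly total into an overage.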

I wouldn't know if 500k is a little or a lot.

Here is my usage on my PI. 2 people around 5 devices.

Seems like it's close to what a 'normal' household would consume: https://support.opendns.com/hc/en-us/community/posts/2201126...

According to my nextdns analytics from the last few weeks my house has peaked at around 28,000 queries a day, 331k so far this month.

Nextdns is blocking somewhere in the region of 400-600 queries each day, mostly things like Google Analytics, Apple iAd.

5 people household here with 15 devices (iPhones, iPads, PS4, Raspis & Chromecasts) DNS via PiHole:

138,473 queries over the last 30 days

31,928 queries blocked (23%)

Hope this helps.

Also 5 person house with 60K queries in the last 24 hours with 39K blocked - that's 60+% blocked. All pretty much thanks to all the logging that Roku does that PiHole blocks.

I suggest just using pihole at home on an rpi device. Granting a new and small company may be orders of magnitude worse than giving info to the 'evil' unicorns. The big fish are continuously monitored by a wide community and by governments as well. I wouldn't give such private information to anyone not proving that all my private data is treated as it deserves. The only way I can see this happening would be for them to release everything to the FOSS community.

Bypasses Turkish government blocks on Wikipedia etc, which I hadn't been able to figure out even with google/CF over HTTPS.

Well now, we can't very well have Turkish citizens read up about their leader's election fraud - can we?!?

And forget about reading up on the faux coup d'état.

I've been using nextdns since I saw it posted on Twitter a few weeks ago. It's been great.

I used to run something like PiHole on my home network but ultimately dnsmasq is not a good DNS server so I ditched it. I've been running CoreDNS for a while, forwarding to Google DNS and Cloudflare DNS (both using DNS over TLS), and that worked fine. I'd augmented CoreDNS to serve a hosts file as a blocklist, similar to PiHole.

Nextdns has replaced Google and Cloudflare as forwarders in CoreDNS and it's working really well. I've been liking the proper network-level ad-blocking and being able to use the analytics to figure out what was blocked when something doesn't work.

The nextdns guys are also really responsive and helpful. One of them spent a couple of hours on live-chat with me debugging an analytics issue.

What's wrong with DNSmasq?

It's not great as a DNS server. It has some really odd behaviour. One of the things which used to annoy me a lot when using it as a recursor is things like `dig +trace` would just stop at dnsmasq, so you'd have to bypass it by doing something like `dig +trace @`.

Every DNS expert I know says to avoid dnsmasq.

It works fine as a DHCP server, though.

This is a service I've been looking for!

Why do you need a shitton of javascript to load your main page?

I cannot see the main page with ublock origin + umatrix blocking 3rd party and firefox finger print resistant options turned on.

It's probably the map + the chat thing (only things that are third party, and won't stay there for long), we will fix.

This seems great! I've been wanting to try out Pi-Hole for some time now, but I was concerned about how it might impact the other members of the family who would get annoyed if it made other services stop working. Thanks for making a free beta available as well!

Your setup page is fantastic! Especially appreciate the status indicating if it is set up correctly on the device I am using. I set it up on Linux, which I notice you don't have a tab for, but that should be pretty straightforward to add. (Even though Linux users may, typically, know how to do this themselves, it might be nice to include Linux as a signal that it is truly cross-platform.)

I noticed inconsistent results on Android depending on whether I had it set up via Intra or as DNS-over-TLS in the native Android settings. Internet browsing was similar to on desktop, either way, but my concern is mostly related to video apps, specifically the ones my family use (Hulu, YouTube, CWSeed). On Intra, all the video apps seemed to work but there were still ads in all of them. For DNS-over-TLS CWSeed stopped working entirely, saying "video playback failed". Hulu and YouTube still worked but they also still had ads, while on Desktop they did not!

These are the sort of issues I was concerned about when considering using PiHole for the whole house. Are these things that can be mitigated on your end, or will they require per-device apps to be installed, and potentially even require rooting the device?

(Incidentally, how is it that YouTube and Hulu get around the ad blocker on Android?)

FWIW I bought a Raspberry Pi and installed Pi-Hole a few months back. It's been almost flawless for us.

Adding to the domain whitelist and/or disabling the DNS blocking temporarily (in case of issues) is dead simple for anyone in the family. You just need to provide them with the local IP address of your Pi. The GUI - at least for these simple tasks - is quite straight forward.

I agree though, this service looks very promising.

Tried using: set my Meraki to serve up the IP address given by the dashboard. The my.nextdns.io dashboard says something like "this device is using a different configuration with nextdns".

I think it happens after you configure an anonymous DNS, then you create an account. It feels like my configuration got disconnected or something. Hard to describe.

Regardless, the blacklist/whitelist didn't work. Maybe a caching problem? Will try back later.

The router, OS and browser can cache, so the whitelist takes a while.

There is a very important use-case which you can do on a local network but can't with this: setting up a DHCP server and pushing a default DNS server address even to clients whose network settings you don't have access to is possible locally. Xbox, streaming devices, non-geek friends' devices, etc. Pi-hole can do this and ohmygod it's life changing!

And you can also redirect all port 53 traffic to PiHole on the gateway and let only PiHole query DNS to circumvent clients that use hardcoded IP addresses (e.g. by default)

This doesn't have anything to do with running a local PiHole, it's just a feature of having a local DHCP server. Any typical home router also has a local DHCP server, and if you change the DNS associated with the internet connection on the router this will be passed on to any device which connects via DHCP.

This works with this service. You can associate your public IP (your router's WAN) with a custom blocking configuration. Then you put their AnyCast IP address in your DHCP server's DNS server list. The local devices will use that address, be seen from your public IP, and get the custom config you want.

Not every router supports doing that.

Really cool. I have set up something similar for my family and am paying $20 every month for a VPS. I have tried NextDNS and found it to be really useful, and considering the pricing structure which you mentioned in the comments, your product seems to be a far more affordable option. A few suggestions:

1) Consider launching an App for managing configurations or at least make the current web app a PWA

2) Allow users to create duplicate configurations

3) In the logs section of the analytics page, I saw that some blocked domains were being resolved; it was saying that the domains were manually whitelisted (they were not)

4) Allow adding custom hosts file sources

5) You can create a Windows/macOS app for updating a dynamic IP address (similar to the one provided by OpenDNS)

6) You can give a button to whitelist domains in the log section, just like the one provided by the PiHole in the Query page of its web UI

7) Allow adding multiple domains to whitelist & blacklist at once

8) Allow regex and wildcard blocking

9) Mobile UI is not 100% responsive

This looks really polished, well designed, and most importantly: simple.

The privacy policy [0] also shines: it's five points and very specific.

[0]: https://www.nextdns.io/privacy

Thanks! Simple is definitely what we were aiming for.

Nice. Congrats on the release! If you're allowing custom profiles with custom block/whitelist domains it means you're holding a database on this thing and doing lots of queries on requests. Will your product be able to scale with more users since it's free? How are you keeping all this logic from affecting your latency? I'm curious of technical implementations that's all.

I use unbound + dnscrypt-proxy + https://github.com/oznu/dns-zone-blacklist to do pretty much this. WireGuard also adds another layer & sets DNS easily per client. Hosted on a $5/month VPS, works very well.

I've been using adguard dns for a while and while it's an amazing service for mobile, the thing I don't like about it is that it's super aggressive at blocking malware sites and sometimes even blocks legit sites with no way to whitelist.

I believe your service would also solve this problem. Congrats on the launch too!

This is incredibly useful and the onboarding is effortless.

Great job - I'd love to know if you plan on charging for this.


Free during beta, then freemium with low pricing tiers (something like free up to 500,000 DNS queries a month, then $0.99/month). We will tweak later based on actual costs at scale, but it will follow this logic.

I'm in no-way a power user in this space so the simplicity and descriptions were very helpful and I'm looking forward to supporting this when you release a payment model. Excellent results so far, only a few pages had trouble loading and a simple reload fixed it.

When I use NextDNS I can't cast from the YouTube Android app to my Chromecast. This is with nothing being blocked. I can cast from the Netflix and iPlayer apps. Just not from YouTube. It works again as soon as I switch back to a different DNS provider.

Has anyone else seen this?

Not high priority, but maybe you could explain the different blocking methods on the settings page?

I would love to try this, but I don't know if I can trust the Privacy Policy, as ignoramus brought up. Could you please explain what data you store and with whom and under what circumstances it would be shared?

> A combination of CloudFlare DNS and Pi-Hole

The tagline on the site is actually 'we like to think of it as ^...'

Per comments here I don't think it actually uses CF or Pi-Hole, so the title's a bit off.

This is really great! Is there any plan to improve performance? Google and Cloudflare are both ~15ms in my location (Montreal), while NextDNS seems to be around ~30ms (which isn't bad per se).

How do you make money? How can I make sure you won't sell my data?

The service is free during beta, then freemium with low pricing tiers (something like free up to 500,000 DNS queries a month, then $0.99/month). We will tweak later based on actual costs at scale, but it will follow this logic.

Selling data is against what we believe in and would also be counter-productive (everybody would stop using the service instantly).

Happy to pay. Your feature set is already fantastic, and love the many methods to leverage it from various devices or configurations.

But has to be rock solid, and fast.

Could your beta testers get a better deal? If not could we stay beta testers and get a better deal?

Possibly a very ignorant question, this looks cool but why would I use it over Cloudflare's with DNS-over-https (or another encrypted method)?

Because it’s PiHole, you can black/whitelist custom domains, temporarily disable, see traffic, etc

That doesn't get rid of ads.

I'm not sure how this is different than OpenDNS?

I've been using OpenDNS, but iOS doesn't let you set DNS for your cell connection, and for WiFi it has to be set once per network. Cloudflare was nice in that the app set up a VPN with the DNS so that it works on all connections. But they don't give you control over DNS, blacklists etc. This is the control of OpenDNS with the convenience of the VPN app.

Is anyone having a problem with redeeming this TestFlight code "AFDFPLP3"? It does not accept "A" at the beginning.

Damn you're right, we have no idea why.

Clicking this link in iOS will work though, for some reason: https://testflight.apple.com/join/AFDFPLP3

Yes, probably an Apple bug. Will check with a few folks. I typed the link manually. Using it now! Great product. Have sent you a few questions.

Sounds interesting but what benefits does this solution have over just blacklisting via /etc/hosts?
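The hosts-file blocklist mentioned earlier in the thread (served by CoreDNS) and the /etc/hosts approach asked about here differ mainly in matching semantics: /etc/hosts only matches the exact name written in the file, while a DNS-level blocker can also sinkhole every subdomain of a listed name and apply regex rules. The following is an added example, not code from NextDNS, Pi-hole or CoreDNS; the blocklist text is constructed for illustration, and the function names and the `forward`/`block`/`allow` decisions are my own conventions.

```python
"""Hosts-file blocklist parsing and the two matching policies side by side.

Constructed example: the blocklist below is made up and the names are not
real ad or tracker hosts. Nothing here talks to the network.
"""
import ipaddress
import re

# Constructed sample in hosts-file format (comments, sinkhole entries,
# a real mapping, loopback names and one malformed line).
SAMPLE_BLOCKLIST = """\
# constructed blocklist, not a real one
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # trailing comment
127.0.0.1 localhost
::1 localhost ip6-localhost
192.0.2.10 intranet.example    # a genuine mapping, not a sinkhole entry
not-an-ip something.example    # malformed, must be skipped
0.0.0.0 telemetry.example.org
"""

# Names that appear in almost every hosts file and are never block entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet",
               "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
               "ip6-allhosts"}


def normalize(name):
    """DNS names are case-insensitive; a trailing dot marks the root."""
    return name.strip().rstrip(".").lower()


def parse_hosts_blocklist(text):
    """Return the set of names whose entry points at a sinkhole address.

    Only lines whose address is unspecified (0.0.0.0, ::) or loopback are
    treated as block entries; real host mappings and local names are kept out.
    """
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, skip it
        if not (addr.is_unspecified or addr.is_loopback):
            continue                             # a genuine mapping
        for host in fields[1:]:
            host = normalize(host)
            if host and host not in LOCAL_NAMES:
                blocked.add(host)
    return blocked


def hosts_file_match(name, blocked):
    """/etc/hosts semantics: the exact name only, nothing under it."""
    return normalize(name) in blocked


def dns_match(name, blocked):
    """Resolver semantics: the name itself or any parent domain is listed."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def compile_patterns(patterns):
    """Regex rules, applied to the normalized query name with re.search."""
    return [re.compile(p) for p in patterns]


def resolve(name, blocked, patterns=(), allow=()):
    """Decision a blocking resolver would make for one query name.

    An exact allowlist hit wins (so one subdomain can be rescued from a
    blocked parent), then the hosts list with subdomain matching, then the
    regex rules; anything else is forwarded upstream.
    """
    n = normalize(name)
    if n in {normalize(a) for a in allow}:
        return "allow"
    if dns_match(n, blocked) or any(p.search(n) for p in patterns):
        return "block"
    return "forward"


BLOCKED = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
PATTERNS = compile_patterns([r"^(ads?|adx)\d*\."])   # ad1.*, ads2.*, adx.*


if __name__ == "__main__":
    for q in ["ads.example.com", "cdn.ads.example.com", "ads2.example.net",
              "www.example.com"]:
        print(q, "hosts:", hosts_file_match(q, BLOCKED),
              "dns:", dns_match(q, BLOCKED), "->", resolve(q, BLOCKED, PATTERNS))
```

The practical point for the question above is the `cdn.ads.example.com` case: an /etc/hosts entry for `ads.example.com` does nothing for it, while a resolver that walks up the parent labels blocks it, and an exact allowlist entry still lets one such name through when it breaks something. The same parser works for a hosts file served by CoreDNS as a blocklist, which is why the local-name and non-sinkhole filtering is worth doing before loading it.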

Very nice. I’ve been annoyed opendns hasn’t done similar and hoping something like this would come around.

Them getting bought by Cisco has greatly hindered their ability to innovate and stay current I guess.

Really well designed and communicated. Things are kept simple and advanced knobs are made possible.

I was going to implement pi-hole for a non-profit organization I may use this instead.

Please reach out to us in the future, we will definitely have some discount, or be free, for serious non-profits.

I've implemented it on my iPhone and still get ads in the YouTube native app.

How to remove them?

What is the monetization plan? How have you financed the development so far?

From the OP on another reply:

> Free during beta, then freemium with low pricing tiers (something like free up to 500,000 DNS queries a month, then $0.99/month). We will tweak later based on actual costs at scale, but it will follow this logic.

Would be great if they put it high on the front page. Someone privacy-focused may be worried when he sees something privacy-oriented advertised without a business plan, which could indicate that selling data to advertisers could be the secret.

Very cool! Might I recommend creating a config for DNSCloak?

DNSCloak has a built-in config editor, so you can add a static section with the DNS Stamp for your NextDNS endpoint.

But yes, NextDNS should provide something that's ready to copy-and-paste.

Would be perfect with scheduling.

Be advised: pi-hole ignores security issues in their product.


I’ve been a security professional for 20+ years and I agree with them. You’re complaining about an attack surface that would be more easily explored in a bunch of different ways.

I’m not sure why you bring this up on every post vaguely related to pi-hole.

I bring it up just so that people are aware and can make their own decision about risk/benefit when choosing to deploy the software. There is obviously room for opinion on the matter and I specifically am not claiming that the project is bad or should be avoided, just that people using it in a default config out of the box know the risks that that presents.

The “be advised” is just that.

It’s not a big deal, and I think I only mentioned it once before.

Just to know, this isn't using Pi-Hole (from what I understand). This is a "Pi-Hole-like" service.

Confirming that we are not using Pi-hole, the title is just a catchy way of explaining the service.
