
We've been working super hard on nextdns.io, a cloud-based private DNS service that gives you full control over what is allowed or blocked on your devices.

Here are a few things you can do with it:

- Block malicious websites, trackers, ads, and more by combining the most popular blocklists out there, all updated in real-time (100+ lists to choose from).

- Set your own privacy requirements: you decide what type of logs are kept (and for how long) depending on the level of analytics you want. Down to absolutely NO logs.

- Automatically use DNS-over-HTTPS on all networks (including cellular) with our apps for Android, iOS, Windows and macOS. They are all tiny, tightly integrated with the OS and have negligible battery usage. (Some of them are still being worked on.)

- Bypass nearly all forms of government/ISP censorship without the need for a slow/costly VPN, and make it way harder for your ISP to know what you are doing on the Internet.

- Get in-depth analytics and real-time query logs so you can measure the efficiency of your blocking strategy, see when the apps on your devices are calling home, etc. And choose what is logged down to absolutely no logs, you decide.

- Easily protect your family (you can create as many configurations as you want on one account, each with different settings, and you can use multiple different configurations while being on the same network).

It also supports all the latest DNS technologies (DNS-over-HTTPS/TLS, Query Name Minimisation, DNSSEC validation, etc.), and it's fast (for most countries, we are or will very soon be as low-latency as Google DNS, Cloudflare and the likes).

There are tons of other cool stuff we built into that service (like the fact that each configuration gets its own DoH/DoT endpoint and IPv6) but that post is already way too long :)

We recorded a short GIF of us browsing through the interface: https://gfycat.com/LinedVerifiableBellfrog

You can create your first configuration and test it right away without signing up (you can sign up later and "save" it).

We would really appreciate it if you could try the service, tell us what you like, what you don't like, what you would add, etc. We will happily answer all questions (even the technical ones).

Cheers, and thanks!

Good on ya. How is this all being paid for? How are you making money? Is there a subscription fee?

It's free during beta, then freemium with low pricing tiers (something like free up to 500,000 DNS queries a month, then $0.99/month). We will tweak later based on actual costs at scale, but it will follow this logic.

I love this model. Get people in for free, let them discover how fabulous it is, then by the time they need a pro-grade thing they're happy to throw money at you.

See also: Netlify.

Best of luck! Looks great.

Awesome, that sounds pretty good

1. How would you compare your service with paid service "Circle" https://meetcircle.com/

2. How effective is it at blocking apps?

3. Will you OpenSource it?

4. Can you add some kind of Bash/scripts to configure profiles/settings on OpenSource routers such as OpenWRT, etc?

5. Will there be an API to control settings?

I tried using it. I'm in India, and while Cloudflare and Google DNS consistently resolve in 60-70ms, nextdns takes between 400-700ms for the first resolution and consistently 250ms for the same query repeated (I presume it caches the results?)

Should I assume you've gotten a huge spike in traffic because of this HN post? If yes, I don't mind trying again in a few days, but unless things improve, I wouldn't be able to use it despite loving it in concept (the UI of your implementation is great too). I don't want to discourage you folks, since you've done a great job with the rest of it.

Thanks for your efforts.

Disclaimer: I run a competing service.

India is difficult. I run our anycast network and we have coverage in India but I look forward to improved routing there in the future with additional transit providers.

It seems nextdns is announcing exclusively with Vultr: https://bgp.he.net/net/

Which is not in India: https://www.vultr.com/locations/

It's not the spike, it's probably a combination of:

- a routing imperfection (these things need to be tweaked over time).

- the fact that we didn't deploy our PoP in India yet (coming this month).

Can you talk to us on the chat if you have some time? It would help to do some debugging.

Great idea for service, but it has to be lightning fast to be in the middle of thousands of requests a minute as someone is surfing the web without making the web feel sluggish.

In NYC on the largest metro ISP. Earlier in the day, was getting 25-43 msec to the typical major DNS providers (,,,, as well as AdGuard), and usually 71 - 73 msec to you.

After a while, started getting as slow as 280 msec to you.

Last hour or so, mostly just getting timeouts to you, making the web, as well as apps, unusable.

Had to revert.

AdGuard DNS:

    dig @ news.ycombinator.com
    ; <<>> DiG 9.10.6 <<>> @ news.ycombinator.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6879
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ; EDNS: version: 0, flags:; udp: 4096
    ;news.ycombinator.com.  IN A
    news.ycombinator.com. 56 IN A
    ;; Query time: 29 msec
    ;; SERVER:
    ;; WHEN: Sun May 26 15:32:11 EDT 2019
    ;; MSG SIZE  rcvd: 85


    dig @ news.ycombinator.com
    ; <<>> DiG 9.10.6 <<>> @ news.ycombinator.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14810
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ; EDNS: version: 0, flags:; udp: 4096
    ;news.ycombinator.com.  IN A
    news.ycombinator.com. 0 IN A
    ;; Query time: 282 msec
    ;; SERVER:
    ;; WHEN: Sun May 26 15:32:17 EDT 2019
    ;; MSG SIZE  rcvd: 85
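An added example, not code from the thread or from NextDNS, that scripts the comparison the posts above did by hand with dig: it pulls the query time and answer TTL out of each run so first-query versus repeated-query latency can be compared per resolver. The resolver addresses and the sample output are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the commenters' resolver
# comparison with dig, extracting ";; Query time" and the answer TTL from
# each run. Resolver IPs and SAMPLE below are constructed placeholders.

# Print the millisecond value from one dig output read on stdin.
query_time_ms() {
    sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p'
}

# Print the TTL of the first A record in the answer section read on stdin.
# A repeated query returning a lower TTL was served from the resolver's
# cache; a TTL that never drops (or is 0, as in one trace above) was not.
answer_ttl() {
    awk '$0 !~ /^;/ && $3 == "IN" && $4 == "A" { print $2; exit }'
}

# Query resolver $1 for name $3, $2 times; print "<resolver> <ms> <ttl>"
# per run so the first line (cold) can be compared with the later ones.
measure() {
    resolver=$1; runs=$2; name=$3
    i=0
    while [ "$i" -lt "$runs" ]; do
        out=$(dig @"$resolver" "$name" +tries=1 +time=3 2>/dev/null)
        printf '%s %s %s\n' "$resolver" \
            "$(printf '%s\n' "$out" | query_time_ms)" \
            "$(printf '%s\n' "$out" | answer_ttl)"
        i=$((i + 1))
    done
}

# Constructed sample in the shape of the dig output quoted in the thread.
SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6879
;news.ycombinator.com.  IN A
news.ycombinator.com. 56 IN A 192.0.2.10
;; Query time: 29 msec
;; SERVER: 192.0.2.1#53(192.0.2.1)'

# Usage: ./dnslat.sh run   (replace the placeholder resolver IPs first)
if [ "$1" = "run" ]; then
    for r in 192.0.2.1 192.0.2.2; do measure "$r" 3 news.ycombinator.com; done
fi
```

Run it from the same vantage point against each resolver in turn; a large gap between the first and later runs, or a TTL that never changes, separates routing latency from cache behaviour.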

Try to do MTR and check for the routing.

I am from Sri Lanka and I get the following over IPv6 using dig:

80-120ms for Nextdns (92ms avg ping)

75-140ms for Google (61ms avg ping)

70-90ms for Cloudflare (75ms avg ping)

Is your source code open?

This looks really cool. I'm nervous about entrusting someone with stuff as sensitive as DNS. If this is all it appears to be, I may be a paying customer (tho I try to only use/pay for free-as-in-speech software).

>I try to only use/pay for free-as-in-speech software

I would like to see more software adopt this model. Can you give a few examples of things you support? Are they all pay-for-hosting services, or are there cases where the software itself is for sale?

What does "free-as-in-speech" mean in the context of software?

A strict interpretation would suggest something along the lines of "we don't censor what the customers of our software do with it", which is true for almost all software (aside from social media platforms). I don't see how this would apply here, since this software isn't being used for the creation of anything.

A looser interpretation would suggest that, if the software is used to access content (eg. web browser) then, aside from technical limitations, it doesn't censor content that it could otherwise display. I can see how this might apply to a DNS.

I don't see, however, how "free-as-in-speech" has any reference to open or closed source. (Not sure if that was what was meant.)

"free-as-in-speech" is usually intended to contrast with "free-as-in-beer", thereby disambiguating the word "free" in English. Some software is "free-as-in-speech", which means you aren't limited with what you can do with it or its code -- "free" means that the user has certain rights. I think Stallman introduced this way of talking about software; people sometimes use "libre" instead. https://ssd.eff.org/en/glossary/open-source-software

Yes, this is exactly what I meant with my usage of the word. free-as-in-speech (where you can easily recreate the speech yourself) versus free-as-in-beer (where you can't easily recreate the beer since it is closed source) (at least this is always how I have interpreted the meaning personally).

The most recent example would be FileBot which I bought a subscription for mostly because it is high quality and is free software (as-in-speech). I would have used less functional free (as in speech and beer) alternatives had the filebot source not been available to me.

Filebot homepage: https://www.filebot.net/ Source code: https://github.com/filebot/filebot

While I now understand "free-as-in-speech" is meant to refer to "free in the sense of Stallman's ideology", I still don't think the following makes any sense:

> free-as-in-speech (where you can easily recreate the speech yourself)

Freedom of speech has nothing to do with recreating the speech. The term "free speech" means "no censorship".

The connection, as I now understand it based on other comments here, is that "free speech" refers to a freedom relating to people's rights as opposed to "free beer", which refers to cost. In that sense I can understand the connection to free software in the sense that Stallman advocates for.

That's an interesting one. I had heard of filebot but don't have any personal use case for it. The license probably qualifies as libre but definitely isn't GPL compatible, for the record: https://github.com/filebot/filebot/blob/master/LICENSE.md

Edit: Actually, it's worth noting that the statement in the README arguably makes filebot non-free. "You may NOT use the source code to publish binary builds without explicit authorization." If that's actually supposed to be enforced by the terms of the license, filebot is definitely not libre software.

On the other hand, it's not clear at all whether this is prohibited by the license. It prohibits "Publishing binaries or competing clones that undermine the ability of the original author to make money from his work." I don't see why publishing a binary for free on a new platform would undermine this in most cases, given that the author already publishes free binaries for most platforms on the official website.

Yeah that's a good point regarding publishing binaries. I would guess that he wants to keep tight quality control (since in the past there were crap binaries being passed around). But yes I don't consider it GPL compatible, but it (was, see below) close enough for me ¯\_(ツ)_/¯ (I try not to let perfect be the enemy of good).

That said I just tried to build it for the first time (wanted to make a small improvement) and there are no documented build steps and a standard ant build doesn't work. There are open github issues where the author is very dismissive and just says basically "code not supported, just for educational purposes."

I poked at it for about 15 minutes but I've never used ant before and couldn't get the build working. That really saddens me. Unless things improve I won't be renewing my subscription. I'm pretty disappointed to say the least.

How about geoblocking? Have you considered adding a smart DNS like functionality?

I am in the East Coast with 100Mbit fiber:

dig @ google.com ;; Query time: 390 msec

Could be a routing issue (these things need to be tweaked over time). Can you talk to us via the chat on the website so we can debug?

468ms in the UK.

9ms on Cloudflare, 10ms on Google.

There seems to be some routing oddities going on. I'm also in the UK (on AAISP). Sometimes I get ~48ms response, other times 200-300ms.

Looking at mtr I'm occasionally routed to Dallas, Texas. Other times it's correctly routing over my ISP's peering to Vultr.

What command did you run in mtr to see the routing locations?

Or just a normal report, then lookup the IP location?

By default mtr will do reverse DNS lookups on all hops. Several of the traces I ran showed the route to nextdns's /24 transiting over NTT and from the DNS name you can figure out where each router is.

273msec in DC

Do you support time-based blocking? Aka no reddit during working hours?

dnscrypt-proxy can be used to securely access nextdns, and it supports time-based blocking https://github.com/jedisct1/dnscrypt-proxy/wiki/Filters#time...

I have been expecting this for ~a year. Congrats. Main pain point for me: ads on my iOS device on cellular.

You solved it.

Only downside: my iPhone SE (latest OS version) seems to get little peaks of heat.

What about client subnet?

Right now it's disabled for everyone; it will be supported with an option to disable it.
