NextDNS Is Out of Beta (nextdns.io)
334 points by jrnkntl 45 days ago | hide | past | favorite | 153 comments

Since pretty much all the reviews here are glowing I'll offer up an alternative.

If you want what they are selling, then it does work quite well... but there are drawbacks, one primarily, that made me end up not using it for my whole network and only on my iPad when I don't want ads in a game.

As mentioned in other comments, you can whitelist domains, but unlike the whitelist in uBlock or something in your browser, this means you need to know the exact ad server domain/domains. For example, if I want ads on for certain websites to help support or troubleshoot my own site then I'm unable to do that, or if the wife needs to see an ad in her game to get gems, you have to dig through the logs to find out what ad server it's calling... or set up another profile to not block any ads.

In short, you're not whitelisting the domain you're visiting, you need to whitelist every domain that website might call too. Perhaps most people are okay with that, and if so then ignore :)

Another thing I didn't like, which I mean makes sense, but in order to label a device you need to run their client. I had set up NextDNS on my router which worked great, but if I wanted different devices to have different rulesets they each needed to run the NextDNS client. So good luck knowing which smart device is calling what, because you're not going to be installing the client on your Alexa. One other downside of this, which honestly I probably could have fixed, was their client broke WSL network connections, so on my primary device I ended up operating in logged-out mode.

That said, I might end up giving it another shot at some point but running on a very limited set of rules rather than the pretty comprehensive rulesets I had enabled. I did like how it blocked the device telemetry calls... perhaps that is all I need to block and then handle everything else client side.

Hope this helps someone!
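The "dig through the logs" step the comment above describes can be scripted. The following is an added example, not NextDNS tooling: it takes a DNS query log export, narrows it to one device and a short window around the moment an ad failed to load, and lists the blocked registrable domains by frequency, which is exactly the list you would have to allow to let that one app's ads through. The log lines are constructed, and the column layout (timestamp, device, domain, root_domain, status) is an assumed simplification rather than a documented export schema.

```python
"""Allowlist candidates from a DNS query log (added example, not NextDNS code).

SAMPLE_LOG is constructed; the column names are an assumption about what a
CSV export looks like, not a documented schema."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

SAMPLE_LOG = """timestamp,device,domain,root_domain,status
2020-06-01T19:02:11Z,Wife iPad,api.gamestudio.example,gamestudio.example,allowed
2020-06-01T19:02:12Z,Wife iPad,ads.adnet-one.example,adnet-one.example,blocked
2020-06-01T19:02:12Z,Wife iPad,cdn.adnet-one.example,adnet-one.example,blocked
2020-06-01T19:02:13Z,Wife iPad,track.metrics-corp.example,metrics-corp.example,blocked
2020-06-01T19:02:40Z,Living room TV,telemetry.tvmaker.example,tvmaker.example,blocked
2020-06-01T19:03:05Z,Wife iPad,video.adnet-two.example,adnet-two.example,blocked
2020-06-01T21:15:00Z,Wife iPad,ads.adnet-one.example,adnet-one.example,blocked
"""


def parse_log(text):
    """Read the CSV export into dicts with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def allowlist_candidates(rows, device, at, window=timedelta(minutes=2)):
    """Blocked root domains queried by `device` within `window` of `at`
    (the moment the ad did not load), most frequent first.

    Only blocked rows matter: allowed ones already work. Other devices are
    excluded so the smart TV's telemetry does not pollute the list."""
    lo, hi = at - window, at + window
    hits = Counter(
        row["root_domain"]
        for row in rows
        if row["device"] == device
        and row["status"] == "blocked"
        and lo <= row["timestamp"] <= hi
    )
    return hits.most_common()


def demo():
    rows = parse_log(SAMPLE_LOG)
    when = datetime(2020, 6, 1, 19, 2, 30)  # "the gem ad just failed to load"
    return allowlist_candidates(rows, "Wife iPad", when)


if __name__ == "__main__":
    for domain, count in demo():
        print(f"{count:3d}  {domain}")
```

Note what the output shows: the tracker domain (metrics-corp.example in the constructed data) lands in the candidate list next to the ad networks. That is the trade-off the comment is pointing at; allowing the ads for one app on one device means deciding, per domain, whether the tracking that rides along with them is acceptable, and a second profile with blocking switched off is the blunt alternative.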

> Another thing I didn't like, which I mean makes sense, but in order to label a device you need to run their client.

I hope I understood you correctly. A feature recently introduced (Or perhaps I just recently noticed) is the ability to label devices without using their clients, you can do this by prefixing your unique DNS endpoint with the label and terminating it with a hyphen.

Eg, Phone-xxxxx.dns.nextdns.io

Currently using OpenDNS Family Shield and giving NextDNS a try.

Re labeling devices: I set up descriptive hostnames and static LAN IPs on my router for all my devices (including smart ones). The NextDNS interface reports traffic using those hostnames without me having to run clients on any of my devices.

I'm curious how the ad blocking will work. I was running adblock on my router but had to disable it because a few legitimate sites were being blocked (i.e. school sites my kids needed access to). I'm hoping NextDNS provides easier to use controls and UI that would let me keep ad blocking enabled.

Did you install the clients or do anything in the setup to get that? I can see client hostnames where the client software is installed, but just my external IP for all others. It doesn't seem possible with just IPv4/Router config. Are you using IPv6 or DoH?

If you are wondering (as I did) how they can know what your DNS resolver is, they simply make the webpage load some JS from a random host, like "https://853af2kklyt-dda385.test.nextdns.io/". Of course, as this host cannot be cached anywhere, their DNS servers are hit by your DNS resolver, thus they can know the IP of your DNS resolver. In my case, as I have a DNS server at home, it displayed the name of the AS of my provider.
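The mechanism described above is a general one (any party that is authoritative for a zone can learn which recursive resolver a visitor uses by handing the visitor a never-before-seen name under that zone). The block below is an added simulation of it, not NextDNS code: a stand-in authoritative server logs the source IP of every query it receives, stand-in recursive resolvers each keep their own cache, and the "setup page" generates a random label, triggers one lookup, and then reads the authoritative log for that label. All hostnames and addresses are constructed documentation values.

```python
"""Resolver discovery through a one-time subdomain (added illustration, not
NextDNS code). The zone, resolvers and addresses are constructed stand-ins."""
import secrets
from collections import defaultdict

ZONE = "test.nextdns.io"


class AuthoritativeServer:
    """Authoritative for ZONE; records which resolver asked for each label."""

    def __init__(self):
        self.seen = defaultdict(list)  # label -> [source IPs of resolvers that asked]

    def query(self, qname, source_ip):
        if not qname.endswith("." + ZONE):
            raise ValueError("not authoritative for " + qname)
        label = qname[: -len(ZONE) - 1]
        self.seen[label].append(source_ip)
        return "203.0.113.10"  # whatever address the beacon host has; irrelevant here


class RecursiveResolver:
    """A caching recursive resolver, identified upstream only by its egress IP."""

    def __init__(self, egress_ip, auth):
        self.egress_ip = egress_ip
        self.auth = auth
        self.cache = {}

    def resolve(self, qname):
        # A cache hit never reaches the authoritative server, which is why the
        # page must use a name nobody has ever looked up before.
        if qname not in self.cache:
            self.cache[qname] = self.auth.query(qname, self.egress_ip)
        return self.cache[qname]


def new_beacon_name():
    """Random label: a guaranteed cache miss at every resolver on the path."""
    return f"{secrets.token_hex(6)}.{ZONE}"


def detect_resolver(auth, visitor_resolver):
    """What the setup page does: make the browser fetch from a fresh name,
    then ask the authoritative side who came looking for that name."""
    beacon = new_beacon_name()
    visitor_resolver.resolve(beacon)  # the JS fetch causes this lookup
    label = beacon[: -len(ZONE) - 1]
    return list(auth.seen[label])


def demo():
    auth = AuthoritativeServer()
    home = RecursiveResolver("198.51.100.7", auth)  # your own resolver at home
    isp = RecursiveResolver("192.0.2.53", auth)  # the ISP's shared resolver
    return {"home": detect_resolver(auth, home), "isp": detect_resolver(auth, isp)}


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from the simulation. First, the page learns the resolver's egress address, not yours, so with a home resolver it sees your ISP's AS (as the comment observed) and with NextDNS it sees its own anycast edge. Second, reusing a fixed name would stop working after the first visitor behind each resolver, because subsequent lookups are answered from cache; the randomness is what makes every page load observable.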

NextDNS is nice and easy to use for us, a family -- non-technical spouse, two kids with access to devices for schools, 'games & stuff'. I ran Pi-Hole on a Raspberry Pi 3 for about a year and it is one of the best ever there. I wanted something simple and something I can just clicky-click.

Been testing NextDNS for quite a while and I like it. Will continue as long as it serves what I'm looking for.

On a different note, unlike most of us, my wife and kids are worried that they can no longer see those 'interesting and useful' ads. They go on to those ads, spend long minutes browsing from one to the other, propelled by ads. My kids discover 'these amazing games' via the ads. It is a different world out there.

I'll make sure to raise my kids on adblockers so they can never develop that habit.

That's why I switched to Adguard Home: https://adguard.com/en/adguard-home/overview.html You can make custom configurations per device, OS or a different label you give them. So you can have your wife see their ads while still blocking your smart TV from calling home.

Difference from pi-hole? Genuinely curious since I'm currently using pi-hole at home.

NextDNS is advertised as Cloudflare + Pi-Hole. And I think this is correct.

Something wrong with the Pi-Hole, I have to sit down (likely at home), and do it -- even to add/edit something. NextDNS is much simpler, I can set up from anywhere and I can even ask my wife to fix stuff herself.

Must be just personal but these days, I'm not too keen on doing everything myself the way I want. I'm learning to say NO to a lot of things.

Not NextDNS, my question/comment was regarding the parent comment's mention of Adguard.

It's way faster in terms of UI at least. It boots up almost instantly, configuration is pretty simple and the UI is better IMO.

What boots up almost instantly? It's supported on quite a few OSes [0], not to mention the underlying hardware. I found AdGuard's (Home) UI to be a bit more polished but it feels like it has feature parity with PiHole 5 otherwise. I tried both but stuck with PiHole since the community around it seemed more developed.

[0] https://github.com/AdguardTeam/AdGuardHome/wiki/Getting-Star...

PiHole 5 introduced the same features but there used to be a difference in the past.

How does it differ from the NextDNS configuration profiles?

You run it yourself on your own hardware - a PC, Raspberry Pi, Linux server, Docker container - you choose. It is open source; logging remains with yourself. It only works inside your own network unless you VPN into your home network when you are remote.

> It is a different world out there.

I've noticed the same thing! Wife and kids actually do tap on (some) ads and discover new games, merchandise, etc. that way. They are also easily tricked into reading or watching stuff by this or that 'influencer', which is mostly just advertising under disguise. Maybe tricked is too strong of a word here, because they seem to enjoy it ... it just seems to be part of the way they interact with online world.

As long as people are aware that their habits are being tracked and such it's a choice everyone can make for themselves.

(especially kids) not being aware of 1) clicks/behavior being tracked and 2) perhaps being manipulated by exploiting this knowledge about their behavior sounds bad to me...

Really happy to hear this. I have loved NextDNS since its start, not only for their product, but also due to the fact it is a clean sustainable business. No need for ads, a generous free tier, and a cheap full-featured paid tier. This is the way I would like to see most SaaS's go

And they give users incredible control over their data/privacy. Their privacy policy is fantastic[1].

On my dashboard I can:

- Enable/disable logs and decide whether logs include client IP address and domains

- Clear logs and set log retention period (as short as 1 hour and as long as 2 years)

- Select the country of the servers that store my logs to the US, EU, or Switzerland

I really hope to see more tech companies follow their lead.

[1] https://nextdns.io/privacy

That's awesome and I've tried nextdns and loved it. But - and this is just me - I just don't trust anyone to delete my logs or not log in the first place.

That's why I'll probably not move off of my pihole

You have to trust someone because at some point the DNS request is getting made. It sounds like you're just choosing to trust your ISP.

No you don't. If you use DoH or Dnscrypt over a VPN, the DNS provider can't associate the traffic with your IP (mitigating control of sorts).

They can associate the DNS calls with any VPN, too, can't they? If you use one of the 'big' commercial VPNs, I'd seriously doubt any of them are not logging at this point. They'd have already been warned due to tens of thousands of copyright violations originating from their networks, not to mention a lot of not-so-technical users, believing that they're actually anonymous, doing criminal things without realizing that the VPN logs it all.

Running your own Wireguard or OpenVPN on a cloud VPS is no solution, either. It's guaranteed that Amazon, Azure, etc. keep logs of all traffic, and will turn over the associated account without hesitation.

The DNS provider can't know your real IP, the VPN provider can't see your DNS traffic because DNSCrypt, DoT and DoH encrypt the traffic.

Is anyone aware of a VPN out there that supports PiHole-like list filtering, so you could get the best of both worlds?

Right now it feels like I have to choose:

- Use my PiHole to block all sorts of content on filtering lists that are useful in cases like blocking unwanted tracking in mobile apps, but my ISP knows everything I access

- Use a VPN, where my ISP doesn't know what I'm doing, but every web service I use can use whatever tracking it wants (except where uBlock is used and such, but you don't get that luxury with, say, Samsung Smart TVs which are notorious for phoning home)

My home network is running a VPN I can access from my phone & computers while away. The home network includes a PiHole that is running DNSCrypt (DNS over HTTPS) with Cloudflare's DNS service.

Edit: so ultimately, you'd be trusting whoever's on DNSCrypt's resolvers list. Better than trusting Comcast, in my situation.

You can do this by picking a VPN provider that supports WireGuard. In the WireGuard config file, you can change the DNS address to the Pi-hole. I did this so that I can use VPN + NextDNS together in iOS because I can't change DNS in iOS.

Why do you think a VPN provider is more trustworthy than the ISP?

The ISPs are going to log everything for sure. However I’d probably trust their incapability of putting data into <s>good/evil</s> use, comparing to professionals like google.

Despite the "selling your data" memes, Google/Facebook don't do that. They treat your data as a proprietary asset and sell services based on captive use of it. Companies like Comcast recognize their shortcomings and actually will just sell it.

That's why you should use DoH or DoT if you can

No my upstream is Cloudflare. Weirdly, I trust them.

If you don’t want to trust anyone with your DNS data, you should run Unbound or Knot resolver alongside Pi-hole.

Cloudflare is one of the world's largest networks, and a problem for anonymity and decentralization.

I'm in the same boat with a pihole as my primary blocker, but I use NextDNS as an upstream resolver since they, of all the options, seem most likely to not log (presuming I configure it appropriately)

Do you trust your ISP? Because they are probably logging.

I trust my ISP (Swiss) much more, than any privately owned VPN-Company outside Switzerland or Iceland.

Then this solution is not for you.

If you trust ANY USA based company with privacy, then you probably learned nothing from the past, or present: https://en.wikipedia.org/wiki/CLOUD_Act

I live in Australia, so I can't trust my ISP either.

But missing the point. If I am worried about privacy from cloud players, why trust another cloud player?

I would setup my own Pi-Hole if I wanted true privacy.

Missing something?

They're pretty upfront about this in the excellent documentation: https://help.nextdns.io/en/articles/3941241-what-is-the-adva...

""" To be fair, there are also some advantages of using Pi-hole® over NextDNS:

1) You know who runs it. We can’t ask you to trust us more than yourself. We can provide all the guarantees you want, show who we are and make promises, it is understandably easier to trust a solution you manage yourself. Keep in mind though, that all your unblocked DNS queries are still visible by your upstream DNS. So there is still someone you need to trust with your data.

2) It’s free with no limits. NextDNS is cheap, very cheap, but it’s still a paid service if you use it over a certain limit. Pi-hole® is free to use. You still have to pay about $35 for a Raspberry Pi + an SD card, which is equivalent to several years of NextDNS subscription. You should also consider donating to the Pi-hole® project if you use their solution. After a few years though, yes, Pi-hole® should become less expensive than NextDNS. """

> We can’t ask you to trust us more than yourself

They can't, but it might make sense to do so anyway.

I always explain this when it comes to running your own private CA as well. In principle you might do a better job than anybody else, and certainly if you fall down you'd know exactly who to blame. But you also might do a pretty shoddy job and cut corners you know you shouldn't, and knowing whose fault it is will be cold comfort if things do go wrong.

People who do this for a living can never be as trustworthy as you could be, but they might very well be more trustworthy than you are in practice and it's worth a moment's honest introspection to consider that.

"But missing the point. If I am worried about privacy from cloud players, why to trust another cloud player?"

The workflow I am (not quite finished) setting up is as follows - I run a caching, recursive nameserver (unbound) in my own colo space. That DNS server, not me or my devices, is the nextDNS client.

Then I set all of my own networks and devices to use my (unbound) DNS server.

My goal is to receive all of the benefits of a paid nextdns account, but on the nextdns side, all they see is a single, fixed IP, in a fixed location, owned by a corporate entity, doing a bunch of DNS queries.

In fact, I am a bit worried about this exact setup because although I am using this for my own, personal use, consistent with their expectations, I could just as easily be a full-blown ISP passing through my nameservice to nextDNS ... how do they deal with that ?

Do they care ?
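The setup described in the comment above (unbound in front of all your networks, forwarding to NextDNS so that NextDNS only ever sees the colo box) is a short unbound.conf. The fragment below is an added example, not NextDNS documentation or the commenter's own configuration. The profile ID "abc123" and the two upstream addresses are placeholders to be replaced with the DNS-over-TLS endpoint shown on your own NextDNS setup page; the certificate bundle path is the Debian/Ubuntu one. Forwarding over TLS matters here for two reasons: NextDNS identifies the profile from the hostname in the TLS handshake rather than from the source IP, and the colo's upstream network never sees the queries in the clear.

```conf
# unbound.conf fragment (added example, not NextDNS documentation).
# "abc123" and the 45.90.x.x addresses are placeholders: use the DoT
# endpoint from your own NextDNS setup page.
server:
    interface: 0.0.0.0
    interface: ::0
    # A box in colo has a public address; it must not become an open resolver.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 10.0.0.0/8 allow          # your LANs / VPN ranges only
    access-control: 127.0.0.0/8 allow
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt   # Debian/Ubuntu path
    # Local caching is what keeps the per-profile query count (and what
    # NextDNS can see) low; raising the TTL floor trades freshness for fewer
    # upstream queries, same idea as the dashboard's cache boost option.
    cache-min-ttl: 300
    cache-max-ttl: 86400
    prefetch: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # IP@port#hostname: unbound validates the certificate against the name
    # after '#', and that name is also how NextDNS picks the profile.
    forward-addr: 45.90.28.0@853#abc123.dns.nextdns.io
    forward-addr: 45.90.30.0@853#abc123.dns.nextdns.io
```

Check it with `unbound-checkconf` before restarting, and verify from the outside (a host that is not in the allowed ranges) that the box refuses queries; a forwarder that answers the whole Internet will get used for amplification long before NextDNS notices the query volume.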

Totally guessing here. If they saw one IP making ISP-rate queries they could contact you and negotiate a different price. Even with caching you are very likely going to see much higher query rates occasionally when a whole network of people are using it.

You personally make as many DNS queries as a full-blown ISP? The fact that your server does its own caching may keep your query rate lower than others.

I'm sure they can refuse service to customers in certain cases.

No, I wouldn't make anywhere near that number of DNS requests, but the setup would be the same - a caching, forwarding nameserver doing a MITM between my networks and nextDNS.

So I assume they allow (or, rather, can't really disallow) such a setup but I wonder what ramifications it has when someone decides to front their entire customer base behind their NextDNS account ...

I'd assume they would just ask them to stop.

You aren’t missing anything, your setup would be more private.

There is a valid niche between no privacy and completely self hosted dns-over https, that a service like nextdns solves well. Just as Apple solves a by default more secure yet still not without flaws phone, or how using a vpn provider is a midpoint between a self hosted vpn and no vpn. I think the privacy trade off here is good for many.

Whilst I completely agree with your comment, I have a nit to pick about the self hosted VPN part. What commercial VPN providers sell is plausible deniability through multiple users having access to the same set of endpoints. A self hosted VPN does not provide that. If I have a server somewhere and route my traffic through it, that server doing something can easily be tied to me doing something. Hence why you probably shouldn’t self host a VPN. Now, if you’re only afraid of your ISP or neighbours snooping, then a self hosted VPN makes sense. If you’re afraid of advertisers or the MPAA, then a commercial VPN makes sense.

Am I alone in the feeling that a lot of privacy related solutions are just paying for a promise? For example, a VPN can record all my requests, they just promise not to and I can’t verify it.

You are not, at some point you'll just have to trust someone. Just like that the app you submitted to the App Store is the same one you are downloading and hasn't been tampered with.

As always it's a matter of tradeoffs, if you just don't want to get tracked by ads it's probably a good solution. If you are afraid of some nation state trying to track you down, then probably not.

How do you block unwanted DNS requests outside of the Pi-Hole's radius (e.g. Home Network)? If I'm on mobile, NextDNS lets you disable on user specified WiFi networks and then re-enables when you leave range.

NextDNS can also be used as a fallback if your Pi goes down for whatever reason too. Might as well have options in this space.

VPNs are generally pretty easy to setup these days. If redundancy is needed, can always run it on a cheap VPS provider.

Dynamic DNS and a redundant Pi-Hole setup

70% of HN readers probably don't have the technical knowledge (or hardware on hand) to set up pi-hole without investing 10+ hours.

For those of us with a raspberry pi or intel nuc on hand, sure, it only takes 30 minutes.

This service is for people who want to kill ads at the DNS level without dealing with the hardware / setup of pihole.

Also, not many people are going to bother setting up a VPN to access their pihole DNS when traveling or on cellular, which makes NextDNS attractive.

The other argument is "just use ublock matrix". The counter-argument is it doesn't block native app ads / tracking. (One of the #1 blocked domains on my pihole is from Dashlane's MacOS app, constantly wanting to phone home)

> 70% of HN readers probably don't have the technical knowledge (or hardware on hand) to set up pi-hole without investing 10+ hours.

That seems pretty dismissive of our audience. I can't think of many things easier to set up than pi-hole, unless even using SSH is too difficult to understand.

1) Buy a rasp-pi (or pretty much any other device supporting a reasonably standard Linux distribution)

2) Copy one of many Linux distributions to an SD card with something like etcher: a couple clicks. Or buy one of the many pre-made kits with Linux already on the card.

3) Run a single line linux command via SSH and follow prompts.

4) change DNS settings in router to use the pi-hole.

Although I agree, it's not terribly complex to follow the steps. Lack of time to fiddle with self-managing a device seems like it could be a bigger limiter.

Sure, but presumably the type of people who are willing to run their own DNS resolver are capable of changing a setting on their router. There's substantially more effort in de-breaking sites broken by pi-hole or other ad-blocking software than there is in maintaining the blocking device.

70% of many audiences, even of tech news sites? Sure. But of Hacker News' audience? I would expect many here could follow the basic setup tutorial relatively easily.

I'm more worried for my local ISP selling my browsing history, or exposing it due to incompetence, because something like that already happened and nowadays I'm worried they send that data to local authorities too.

The "cloud players" you're worried of are big targets and the law protects me, since we have the GDPR and the EU is trigger happy in giving fines to big companies. Also my data is not that useful right now to a US company.

Also the ad blockers for iOS Safari don't work well and I use iOS Firefox anyway, which can't use Safari's content blockers. So I'll take any help in blocking ads I can get.

This will also be valuable for doing some content filtering for my son, without installing anti-virus crap on his devices.

It really depends on your threat model.

Does GDPR and other EU laws not protect you from your ISP also? I'm not sure how your home ISP is less trustworthy than your VPNs ISP if they're both in the EU (and if you arent, GDPR doesnt apply to you).

It does, but the problem is my ISP is also incompetent and that's what I fear the most. And I know they are logging.

This is cool.

NextDNS appears to implement DNS over HTTPS (DoH) and Firefox ships with it as an option, next to Cloudflare.

UPDATE — Took it for a test drive:

* Logs are concerning, but look good for optimizing the traffic and noticing odd communications; I already noticed telemetry sent by my browser that I switched off

* Ad blocking seems to work, not as good as desktop uBlock Origin, but I'll take anything for my iPhone

* Latency is around 30 - 100 msec, which seems a bit high? (server I connect to seems to be 400 km away)

> I already noticed telemetry sent by my browser that I switched off

Mozilla is running some Firefox experiments with different DoH providers. Eventually Firefox may automatically select whichever DoH provider is the fastest for each user. This would improve performance for users and reduce the privacy concerns about DoH consolidation with one provider (the current Firefox default Cloudflare).

One cool thing about NextDNS is that they also support the Handshake DNS protocol. It’s an alternative root DNS that supports new TLDs while maintaining compatibility with existing ICANN TLDs https://handshake.org

I got pretty excited when I saw that and tried to find some use cases for it as soon as I enabled NextDNS. But I couldn't find any use case where it would make domain management easier. In fact it seemed overly complicated with it being auction based and having to use a cryptocurrency.

Have you found Handshake useful in any way?

Right now most of the sites are personal projects and toy sites. You can check out some of them here https://github.com/NamebaseHQ/Awesome-Handshake. For my personal use, I set up tieshun.txt to point to my personal todo.txt file, and I use watchman to rsync my local todo.txt to tieshun.txt so I can access it from all my devices. I could also set up todo.tieshunroquerre.com for this but I find that tieshun.txt is much more convenient to use.

I bought tieshun.txt on https://gateway.io (in beta). The owner of .txt set up their own registry and they're selling .txt domains. That's another aspect of Handshake that I'm excited about. To get an ICANN TLD you need to be a big corporation that can pay for the $200k application fee (and you're not even guaranteed to get the name), whereas anyone can create a registry on their own TLD with Handshake.

The cryptocurrency aspect is unintuitive (if possible it would've been ideal to not require it), but it's actually needed in order to have a more secure root of trust alternative to CAs. This article expands on this point: https://www.namebase.io/blog/meet-handshake-decentralizing-d...

I trialed NextDNS based on other people talking about it here, and have really liked it - it's really awesome to have an always on, dns-over-https solution for every device. I think it's really worth the $20 per year, just for the slick UI and not having to manage a pihole somewhere.

I was not aware of this service before, but I’m very interested! The price seems very reasonable, and as you say, not managing a pi-hole device is very appealing. I have tried multiple times to setup pi-hole on a dev board on my home network, and could never get it to work properly so I gave up.

As a counter-example, I was amazed at how simple it was to set up Pi-Hole. I thought they had the setup workflow built pretty well. Took me ~10 minutes including flashing a SD card with Raspbian.

That’s fair. I do like the project, and everything is well documented and easy to follow.

I should have prefaced my statement with the fact that I was trying to install it on something other than a raspberry pi. I have only tried on my Rock Pro 64 board. But to be fair, they are pretty mature, well supported boards at this point.

I understand that it is designed to run on Pi boards first so the issue is likely my specific hardware. But Pi-hole is supposed to be compatible with Ubuntu 18.04 so I would have expected it to work regardless?

I’m not a networking expert though, if anyone has experience with pi-hole on Rock pro’s or other Pine boards I’d love to know!

Maybe I'll just go ahead and invest in one of the new Pi boards with 4GB memory :) That was the main reason I got the Rock Pro 64 to begin with.

Certainly should work just fine - I've installed pi-hole a few times, and it's never been on an actual RasPi. Not sure what Linux distro you're running on the Rock Pro, but I can't recommend Armbian enough for these sort of boards: https://www.armbian.com/rockpro64/

Install, and run armbian-config to get an easy Pi-hole installer (among many other functions).

Thanks, I think I will try again with Armbian. It's been a while since I tried, I think Armbian was not available at that time. Something must have been wrong with the other Ubuntu/Debian builds I tried.


What's the difference between using the macOS app or just setting the DNS on a router level? Just the attribution to a specific device in the dashboard? I couldn't figure that out by reading the (actually very well written) FAQ.

- Encrypted DNS (DNS-over-HTTPS)

- Ideal routing (low DNS latency)

- Bypass DNS-level censorship (inside a country, from your hotel Internet provider, your school, etc.)

- Being able to identify your device in the logs (if you choose to)

- Hardened Privacy Mode (if you are into that)

Edit: this goes for all our apps (iOS/Android/macOS/Windows/Router client), not just macOS.

I literally (not figuratively) setup NextDNS yesterday and so far it's been great. The documentation is awesome, and love the features available. The only mild feedback I have is that the "Setup Guide" doesn't provide enough context about what's going on, and the implications of setting up on my PC vs mobile device vs router. It says:

"Follow the instructions below to set up NextDNS on your device, browser or router."

A couple more sentences there would be super helpful..

The Windows setup doesn't like Windows 10 on ARM, it couldn't install the TAL driver. Very edge case I guess, I'm going to install on x86 when I get home :)

That’s very helpful, thanks!

The macOS app stopped working for me a while back, but there's also a homebrew package for command line control which works flawlessly.

Hello, another alternative is https://libreops.cc/radicaldns.html . They also offer DNS over HTTPS and TLS: https://libredns.gr/

Saw this when it first came out, never tried it until now.

Used it for around an hour and I've already made 2,000 requests and 15% of those were blocked. Can definitely see myself going over 300,000 requests (free monthly allowance) but it's looking great so far so would be happy to support it.

Currently use AdGuard on my phone, looks like this does almost everything AdGuard does (stats, logs, blocklists) with the added benefit of the processing being done elsewhere.

Signed up for a year as soon as I got the email announcement. Love NextDNS and excited to see where they go — particularly would love some sort of time-based scheduling or API for rule automations.

A year to the day: https://news.ycombinator.com/item?id=20012687

Making this a perfect snee-less dupe!

"Privacy Policy

1. We do not (and will never) sell, license, sub-license or share any of the data submitted directly or indirectly by our users with any person or entity."

This does not cover metadata. For example, NextDNS analyzes the data submitted directly or indirectly by the user and makes a note, "This user [something private]"

If NextDNS sells, licenses, sublicenses or shares that metadata they are not violating this Privacy Policy.

If NextDNS acquires data from a third party (e.g., data brokers) that identifies NextDNS users, then that is not "data submitted directly or indirectly by our users" and they are not violating this Privacy Policy if, e.g., they pair that data with NextDNS metadata and store, sell, license/sublicense or share it.

This Privacy Policy also does not cover the event of NextDNS itself or a successor selling ads or ad services. If that ever happens, it would not violate this Privacy Policy.

So NextDNS is free to sell metadata. What is the extent of this metadata - is it like ‘this user spends 10 hours a day actively using the internet’, or ‘this user consumes a lot of streaming video content’, or this user ‘watches netflix every friday evening’, or ‘this user uses duckduckgo instead of google’? Can these examples be considered metadata?

They do not need to sell metadata. They can sell services. Neither Google nor Facebook need to sell data. They sell services.

Those companies are not obligated to disclose what metadata they might have. Neither is NextDNS.

If the Privacy Policy stated that NextDNS will not create, collect or acquire metadata about its users, then we would have less reason to be concerned.

However the NextDNS Privacy Policy is all of nine sentences. It is not very restrictive.

It’s a free service. If it’s free you are probably the product.

You can still put Pi Hole on a device in your home and use that. I do. It’s amazing.

35% or more of monthly requests are blocked.

Or... You can put your own DNS server on a device in your home and use that.

Personally I am not fond of dnsmasq or the patched version Pi-Hole uses.

100% of "monthly requests" are blocked. There are no third-party managed blacklists, only personally created whitelists. Individual DNS queries rarely leave the network. DNS data is gathered in bulk and stored.

If I'm following, you have a DNS server running that only permits requests to whitelisted domains?

When you browse hn, do you need to whitelist each domain to be able to load content? How many domains do you have whitelisted and how many new ones do you whitelist each month?

As someone recently considering Pi-Hole, can you explain why you aren't fond of dnsmasq?

The fact that I prefer other DNS software over dnsmasq should not have any bearing on anyone's decision whether or not to use Pi-Hole.

Just a perspective - 300k DNS queries is not very much. 1 full day of home use + work (most DNS goes over VPN for that) and I am at 130k queries. So you'll get a nice little trial, but don't expect it to last very long, imo

I'm genuinely surprised you've made 130k dns queries in one day.

I've been using NextDNS now for half a year or so and I have 1,021,075 queries in the last 90 days, or roughly ~11k a day. I have ~69k in the past 7 days.

I have this set up on all my devices.

Are you running a home server or something that could explain so many requests?

I have something on my network that has contacted pool.ntp.org 37k times in 5 days. That's a fifth of all my DNS requests.

Haven't managed to track it down.

I have ~50 docker containers running with various stuff I am working on. I am sure that contributes quite a bit.

2 Windows 10 machines make a LOT of phone-home queries.

Oh, and a Samsung TV, which gets really query-happy if you block its tracking domain

This. I guess if your router can install their software, and it maintains a local DNS cache, then it'll go further. But without that, it's repeatedly hitting their servers for the same entry, racking up queries.

> ...and it maintains a local DNS cache, then it'll go further. But without that...

NextDNS has a cache boost option now which sets TTLs to a minimum of 5 mins. If the client is compliant (respects the TTLs), then that should help further.
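The comments above about query counts (a device hitting pool.ntp.org tens of thousands of times, a router that forwards every lookup without caching, a TTL floor of five minutes) all come down to one piece of arithmetic, which the added simulation below runs through. It is example code, not NextDNS's implementation: a stand-in upstream counts the queries that actually reach it, a client-side cache honours TTLs and optionally raises them to a floor, and a constructed chatty device asks for the same name every ten seconds for an hour. The upstream answer and its 60-second TTL are constructed values.

```python
"""Why a local cache and a TTL floor shrink the upstream query count
(added example, not NextDNS code). The answers and the polling pattern
are constructed; the clock is an integer number of seconds."""


class Upstream:
    """Stand-in for the remote resolver; counts what actually reaches it."""

    def __init__(self, answers):
        self.answers = answers  # name -> (address, ttl in seconds)
        self.queries = 0

    def query(self, name):
        self.queries += 1
        return self.answers[name]


class CachingStub:
    """Client-side cache that honours TTLs, optionally clamping them up to
    min_ttl (what the dashboard's cache boost option does server-side)."""

    def __init__(self, upstream, min_ttl=0):
        self.upstream = upstream
        self.min_ttl = min_ttl
        self.cache = {}  # name -> (address, expires_at)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit is not None and now < hit[1]:
            return hit[0]
        address, ttl = self.upstream.query(name)
        self.cache[name] = (address, now + max(ttl, self.min_ttl))
        return address


def simulate(min_ttl=0, cached=True, interval=10, duration=3600):
    """One device asking for the same name every `interval` seconds for
    `duration` seconds. Returns how many queries the upstream saw."""
    upstream = Upstream({"pool.ntp.org": ("203.0.113.123", 60)})
    stub = CachingStub(upstream, min_ttl) if cached else None
    for now in range(0, duration, interval):
        if stub is None:
            upstream.query("pool.ntp.org")  # router forwarding blindly
        else:
            stub.resolve("pool.ntp.org", now)
    return upstream.queries


if __name__ == "__main__":
    print("no cache:        ", simulate(cached=False))
    print("cache, real TTL: ", simulate(min_ttl=0))
    print("cache, 300s floor", simulate(min_ttl=300))
```

With the constructed numbers the same device costs 360 upstream queries an hour uncached, 60 when a cache respects the record's 60-second TTL, and 12 with a 300-second floor; scaled to a month that is the difference between blowing through a 300k free allowance on one gadget and barely touching it. The caveat a practitioner should keep in mind is that clamping TTLs upward also delays you seeing changes to short-TTL records, which operators use precisely for failover and load balancing, so a floor of a few minutes is a reasonable trade while a floor of hours is not.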

On my work laptop (macOS Catalina), I get a bunch of `in-addr.arpa` - seems to be reverse lookups. Is that the case for you, too?
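The chatty-device hunting in this sub-thread (the 37k pool.ntp.org hits, the query-happy TV, the in-addr.arpa reverse lookups, and the cache boost minimum TTL) is easy to do from an exported query log. Here is an added example, not code from NextDNS or from anyone in the thread; the log lines are constructed and the column layout is an assumption, not NextDNS's real export format. It ranks query names, measures the reverse-lookup share, and estimates how many queries a client-side cache honouring a 5-minute minimum TTL would have answered locally:

```python
"""Find noisy clients and cache misses in a DNS query log."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log: timestamp,client,qname,qtype,status (assumed layout).
SAMPLE_LOG = """\
2020-05-20T10:00:00Z,tv,pool.ntp.org,A,allowed
2020-05-20T10:00:05Z,tv,pool.ntp.org,A,allowed
2020-05-20T10:00:10Z,tv,pool.ntp.org,A,allowed
2020-05-20T10:00:15Z,tv,pool.ntp.org,A,allowed
2020-05-20T10:00:20Z,tv,log.tv-vendor.example,A,blocked
2020-05-20T10:00:21Z,tv,log.tv-vendor.example,A,blocked
2020-05-20T10:00:22Z,tv,log.tv-vendor.example,A,blocked
2020-05-20T10:01:00Z,laptop,1.1.168.192.in-addr.arpa,PTR,allowed
2020-05-20T10:01:01Z,laptop,2.1.168.192.in-addr.arpa,PTR,allowed
2020-05-20T10:02:00Z,laptop,news.ycombinator.com,A,allowed
2020-05-20T10:02:30Z,laptop,news.ycombinator.com,AAAA,allowed
2020-05-20T10:30:00Z,laptop,news.ycombinator.com,A,allowed
"""


def parse_log(text):
    """Parse the constructed CSV layout into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, status = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "client": client,
            "qname": qname.lower().rstrip("."),
            "qtype": qtype,
            "status": status,
        })
    return records


def top_names(records, n=3):
    """Most-queried names, e.g. the NTP pool hammered by one device."""
    return Counter(r["qname"] for r in records).most_common(n)


def queries_per_client(records):
    """Which device generates the noise."""
    return Counter(r["client"] for r in records)


def reverse_lookup_share(records):
    """Fraction of queries that are PTR-style reverse lookups (in-addr.arpa / ip6.arpa)."""
    if not records:
        return 0.0
    rev = sum(1 for r in records if r["qname"].endswith((".in-addr.arpa", ".ip6.arpa")))
    return rev / len(records)


def queries_absorbed_by_cache(records, min_ttl_seconds=300):
    """Count queries a per-client cache enforcing a minimum TTL would have served itself.

    The first query for (client, name, type) goes upstream and is cached for
    min_ttl_seconds; any repeat inside that window would never reach the resolver.
    """
    expiry = {}
    absorbed = 0
    for r in sorted(records, key=lambda rec: rec["ts"]):
        key = (r["client"], r["qname"], r["qtype"])
        if key in expiry and r["ts"] < expiry[key]:
            absorbed += 1
        else:
            expiry[key] = r["ts"] + timedelta(seconds=min_ttl_seconds)
    return absorbed


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("top names:", top_names(recs))
    print("per client:", dict(queries_per_client(recs)))
    print("reverse lookup share: %.1f%%" % (100 * reverse_lookup_share(recs)))
    print("absorbed by a 5-min cache:", queries_absorbed_by_cache(recs), "of", len(recs))
```

The cache estimate is the interesting number: on the sample, five of twelve queries never leave the LAN once a 300-second floor is enforced, which is the mechanism cache boost relies on when the client actually honours TTLs.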

I have the same experience. I like them but will stop using them because I apparently do 900k queries a month, for some odd reason...

"Try it now. No sign up required"

I love that phrase. This looks like a fantastic service!

It is, been using it for several months. I have no more ads on my iPhone now, for free. The DNS requests pass through Switzerland and I feel I have 007-level privacy. Sweet!!

DNS level blockers aren't really for privacy - your ISP can still see all of the connections your device is making. It can however greatly reduce connections to known tracking domains.

Love this service. Gladly paying a subscription now. It’s like a pihole without having to worry about keeping it running, updated etc. So ideal for not-super-techy people like me.

One feature request, if the team is reading along: a pause button to disable blocking for 1/5/15/60 minutes.

I really wanted to like and use NextDNS but my latency was ~200ms vs maybe 10-40ms for my ISP resolver. I'm fine with paying a bit of a latency price for the extra features and privacy, but not that much. And I'm located in Toronto, not somewhere remote.

Looks like a case of bad anycast routing, as we have a PoP in Toronto! It happens and is usually easily fixable, can you talk to us via the chat on our website (or at support@nextdns.io)?

A map of our network for anyone interested:


I figured I'd activate it again and test it first... and of course it's way better now! Consistently getting around 40ms now so I'll keep it enabled and try again :)

Definitely try again! I'm also in Toronto and I haven't had latency problems.

I've been using NextDNS for the past few months and it's a fantastic product!

I don't need Blokada on my phone anymore and I can block whatever I want at the router level instead of doing it on each device.

Keep up the good work!

Where is the pricing information? I couldn't find it on the homepage or in the help page (even searching there doesn't help). Even the article on 300K free queries a month [1] doesn't have anything related to pricing.

Where is the announcement that it's out of beta? I don't see that in the homepage either. What am I missing?

[1]: https://help.nextdns.io/en/articles/3962038-what-happens-aft...

Pricing information is at https://nextdns.io/pricing, there's a link to this on the homepage.

I didn't find their release news either; maybe their announcement is just deleting “free during the beta” on the pricing page?

What I don't get about DNS is why doesn't every device just run its own recursive caching resolver. Why ask ISPs and hotspot providers to resolve your requests?

What would be the downside outside of corporate networks?

A cache shared by a couple thousand people would have lots of stuff already cached. Running your own would add latency as you'd need to fully resolve more domains.

Only on initial use. Most DNS records have a cache time of 24 hours, so if you're using the internet every day, you're unlikely to notice.

Some latency when visiting a new site seems like a small price to pay for side-stepping all the shenanigans that ISPs have been doing to DNS, without having to defer trust to yet another cloud provider.

DNS is not an encrypted protocol.

The people routing your DNS traffic can inspect it and even tamper with it (e.g. your ISP), even if you pick DNS servers other than the ones provided by your ISP. Your privacy is not guaranteed.

DNS over HTTPS/DNS over TLS is encrypted and may offer better privacy, if you trust them, that is.
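To make concrete what "encrypted" does and does not change here: DNS over HTTPS carries exactly the same wire-format message as plain DNS, it just rides inside an HTTPS request, so the only thing a network on-path loses is the ability to read or rewrite that message. The block below is an added example, not NextDNS code or anything posted in the thread. It builds an RFC 1035 query, encodes it into the RFC 8484 `?dns=` GET form (with transaction ID 0 as that RFC recommends for cacheable GETs), and parses a response. Nothing is sent; the response bytes are constructed inline, and the `192.0.2.1` answer is a documentation-range placeholder, not a real record:

```python
"""Build a DNS query, encode it for a DoH GET, and parse a DNS response."""
import base64
import secrets
import struct

QTYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Dotted name -> RFC 1035 label sequence."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=None):
    """Standard recursive query; txid=0 for DoH GET so identical queries cache well."""
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(endpoint, wire):
    """RFC 8484 GET form: base64url without padding in the `dns` parameter."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def read_name(msg, off, max_hops=16):
    """Read a possibly compressed name; returns (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return txid, rcode and answer records as (name, type, ttl, rdata)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


def constructed_response(txid=0x1234):
    """A hand-built reply to `example.com A`: one A record, TTL 300, placeholder address."""
    query = build_query("example.com", txid=txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


if __name__ == "__main__":
    # Assumed endpoint placeholder; NextDNS's real DoH URL is profile-specific.
    print(doh_get_url("https://doh.example/dns-query", build_query("www.example.com", txid=0)))
    print(parse_response(constructed_response()))
```

The TTL field the parser pulls out (300 here) is the value a client-side cache keys on, and the value the cache boost option mentioned earlier raises to a floor; it is also exactly the field an on-path resolver can rewrite when the transport is plain UDP.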

I'm a fan of their service, and because most browsers support DNS-over-HTTPS natively I can put the configuration right into my browser settings and have the same level of DNS filtering even when I'm outside of my home network without VPN.

Google Chrome (and some Chromium forks) will also be supporting custom DNS-over-HTTPS providers very soon (it's already being rolled out to some users).

It's in my chrome://flags/#dns-over-https currently 81.0.4044.138 (Official Build) (64-bit)

I meant this:


As far as we know, it's slowly being rolled out and not behind any flag (unfortunately).

Oh that's in Canary now? Will give it a try

How is this actually different from using Cloudflare DNS (

For ads, I already use AdGuard.

If we all use enough of things like NextDNS then all ads will go away. Oh wait, suddenly all websites except those with a paywall will exist. No more news reports of any kind. No more free services. Nothing but a few sites that sell T-shirts to struggle to survive. I don't like the present web either, but somehow people have to make money. Unless we build in an infrastructure that easily allows me to pay you to run a business online, I fail to see how in the long run this total blockage of ads is a benefit for all.

Of course we live in HackerNewsLand, where the rest of technologically illiterate humanity pays by watching ads so that we don't have to.

Somehow we have to use technology to find a way to balance the needs of those who are online serving us content/information/etc with a less irritating and horrific way to pay for it. Without a solution for that, the future is going to be a lot less diverse and a lot more frustrating, although in a different way.

I don't think most people are against ads. What's the issue with a simple .png ad in a banner or at the side, as long as it's not screaming at you? Or the occasional sponsored content. There are 2 big issues that people hate about ads:

- Obnoxious ads that take away from your browsing experience

- Tracking, spying, privacy, monopolies from ad tech and all that stuff.

And those even combine, as all the tracking makes sites slower.

Hacker News works on the sponsored content way (but it's just one sponsor, which is also its owner). The site is kept as low cost as possible, and YC uses it to promote its startups. One YC post on the front page doesn't really bother us too much, as long as they don't become obnoxious.

If this happens we might get a healthier Internet where every service is either a) actually free, b) crowdfunded on services like SubscribeStar, c) has paid tiers, or d) uses first party ads from sponsors. There are plenty of services monetised like this already.

Third party ad networks are an anomaly and it's time for them to go.

If you're in the UK and your family like watching Channel 4's 4oD, I had to whitelist *.fwmrm.net for it to play.

Otherwise 4oD thinks you have an ad blocker enabled and the video refuses to start.

I've been using NextDNS and really enjoy it. I've found it a lot easier to manage than pihole. Only issue I have is that it doesn't seem to work with the Economist.

I had it on my phone for a while, sadly it breaks URLs in the twitter app because it was blocking the analytics redirect. Nice service otherwise

I believe you can whitelist certain domains. That might be a solution if that was the only thing which wasn’t working for your needs.

You can choose what blocklists you use and whitelist individual domains, so you can make it not block the t.co links.
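The two whitelisting cases above (a wildcard like `*.fwmrm.net` to unbreak 4oD, and an exact `t.co` entry to unbreak Twitter links while the rest of a tracker blocklist stays on) come down to a small matching policy. This is an added example, my own code rather than NextDNS's, and the precedence and wildcard semantics are assumptions about how such a filter can work, not a description of NextDNS's actual rule engine. A plain entry matches the name and all of its subdomains, a `*.` entry matches subdomains only, and the allowlist wins over the blocklist:

```python
"""Allowlist / blocklist matching for a DNS filter (assumed semantics)."""


def _norm(name):
    return name.lower().rstrip(".")


def matches(pattern, name):
    """True if `name` falls under `pattern`.

    "example.net"   -> example.net and every subdomain
    "*.example.net" -> subdomains of example.net only, not the apex
    """
    pattern, name = _norm(pattern), _norm(name)
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".example.net"
        return name.endswith(suffix) and name != suffix[1:]
    return name == pattern or name.endswith("." + pattern)


def decide(name, allowlist, blocklist):
    """Return (verdict, rule): allowlist entries take precedence over blocklist entries."""
    for rule in allowlist:
        if matches(rule, name):
            return "allow", rule
    for rule in blocklist:
        if matches(rule, name):
            return "block", rule
    return "allow", None


# Constructed lists standing in for a tracker blocklist plus the fixes from the thread.
BLOCKLIST = ["fwmrm.net", "t.co", "analytics.twitter.com", "tracking.example"]
ALLOWLIST = ["*.fwmrm.net", "t.co"]

if __name__ == "__main__":
    for qname in ["1234.v.fwmrm.net", "fwmrm.net", "t.co", "analytics.twitter.com",
                  "twitter.com", "www.tracking.example"]:
        print(qname, "->", decide(qname, ALLOWLIST, BLOCKLIST))
```

The point the thread's commenter made still stands even with this in place: you are allowlisting the domains a page calls out to, not the page itself, so finding the right entry means reading the query log for the blocked name and adding that, which is why the `t.co` fix works and a `twitter.com` entry would not.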

I like it, but it's sad that I have to run an extra VPN app on my Android because Xiaomi doesn't allow me to configure private DNS.

It's a "fake" VPN, it only captures the DNS traffic (that's just the cleanest/most efficient way to do it).

Yes, I thought so.

Still sad.

On my desktop systems I can configure it in the network options and never think about it again. On Android I always close it if I don't think about it when closing all apps, then I forget to restart it.

They do have a custom DNS provider setting, but it's a bit hidden (also it's different among various MIUI versions). So to find it, better try the old QuickShortcuts: https://play.google.com/store/apps/details?id=com.sika524.an... and see Settings->Network Dashboard (or something similar).

I tried multiple of these apps, and nothing worked.

Using this app, you can access DNS settings which are typically hidden in MIUI


Yes, I know about these apps, they don't work.

The network stuff is not accessible.

I can think of an entire niche that could grow nextdns into the public domain.

It only needs one feature :)

Is anyone of nextdns reading this? Possibility to contact?

I absolutely love NextDNS and I don't think I've ever been so pleased for a product to start charging me.

Request to NextDNS, if you are listening, can we have servers in the Southern Part of India too? Thanks.

Am I “grandfathered in” if I was using NextDns during beta?

I got a warning that I was approaching the limit of free queries, so it appears that the answer is no.

No, they’ll email you if you go over the free limit.

For me Pi-hole on a hosted VPS has less latency than NextDNS

I hope they introduce MFA for the web config console

I’ve just set it up, and so far I quite like it.

I don’t want “in depth analytics” from anything really, especially a DNS provider. How about a truly non-logging, ad-blocking DNS provider that does DNSSEC?

They actually have the ability to turn off all logging and analysis, pretty easy and front-and-center, not buried deep in a hidden settings page like some companies. Or you can limit it to a timeframe that makes sense for you. I have mine set to delete everything after one hour. That way if I ever have issues I can pretty easily debug the problem by going to my account details within the hour.

Consider reading IETF docs for how things like DNSSEC were intended to be used.

Care to expand on what you are talking about? I've been very curious for a few years about CurveDNS and less so DNSSEC, but I admit I haven't read the IETF docs yet.

Recently discovered this open-source hosts solution for Android


Almost everything obeys hosts on Android, works great on LineageOS

You can add AdAway to your blocklist in NextDNS super easily https://imgur.com/a/VVKM8TF
