If you want what they are selling, then it does work quite well, but there are drawbacks, one primarily, that made me end up not using it for my whole network and only on my iPad when I don't want ads in a game.
As mentioned in other comments, you can whitelist domains, but unlike the whitelist in uBlock or something in your browser, this means you need to know the exact ad server domain/domains. For example, if I want ads on for certain websites to help support or troubleshoot my own site then I'm unable to do that, or if the wife needs to see an ad in her game to get gems, you have to dig through the logs to find out what ad server it's calling, or set up another profile to not block any ads.
In short, you're not whitelisting the domain you're visiting; you need to whitelist every domain that website might call too. Perhaps most people are okay with that, and if so then ignore :)
Another thing I didn't like, which I mean makes sense, but in order to label a device you need to run their client. I had set up nextdns on my router which worked great, but if I wanted different devices to have different rulesets they each needed to run the nextdns client. So good luck knowing which smart device is calling what because you're not going to be installing the client on your Alexa. One other downside of this which honestly I probably could have fixed was their client broke WSL network connections so on my primary device I ended up operating in logged out mode.
That said, I might end up giving it another shot at some point but running on a very limited set of rules rather than the pretty comprehensive rulesets I had enabled. I did like how it blocked the device telemetry calls; perhaps that is all I need to block and then handle everything else client side.
Hope this helps someone!
I hope I understood you correctly. A feature recently introduced (Or perhaps I just recently noticed) is the ability to label devices without using their clients, you can do this by prefixing your unique DNS endpoint with the label and terminating it with a hyphen.
Re labeling devices: I set up descriptive hostnames and static LAN IPs on my router for all my devices (including smart ones). The NextDNS interface reports traffic using those hostnames without me having to run clients on any of my devices.
I'm curious how the ad blocking will work. I was running adblock on my router but had to disable it because a few legitimate sites were being blocked (i.e. school sites my kids needed access to). I'm hoping NextDNS provides easier-to-use controls and UI that would let me keep ad blocking enabled.
Been testing NextDNS for quite a while and I like it. Will continue as long as it serves what I'm looking for.
On a different note, unlike most of us, my wife and kids are worried that they can no longer see those 'interesting and useful' ads. They go on to those ads, spend long minutes browsing from one to the other, propelled by ads. My kids discover 'these amazing games' via the ads. It is a different world out there.
Something wrong with the Pi-hole, I have to sit down (likely at home), and do it -- even to add/edit something. NextDNS is much simpler, I can set up from anywhere and I can even ask my wife to fix stuff herself.
Must be just personal but these days, I'm not too keen on doing everything myself the way I want. I'm learning to say NO to a lot of things.
I've noticed the same thing! Wife and kids actually do tap on (some) ads and discover new games, merchandise, etc. that way. They are also easily tricked into reading or watching stuff by this or that 'influencer', which is mostly just advertising in disguise. Maybe tricked is too strong of a word here, because they seem to enjoy it ... it just seems to be part of the way they interact with the online world.
(especially kids) not being aware of 1) clicks/behavior being tracked and 2) perhaps being manipulated by exploiting this knowledge about their behavior sounds bad to me...
On my dashboard I can:
- Enable/disable logs and decide whether logs include client IP address and domains
- Clear logs and set log retention period (as short as 1 hour and as long as 2 years)
- Select the country of the servers that store my logs to the US, EU, or Switzerland
I really hope to see more tech companies follow their lead.
That's why I'll probably not move off of my pihole
Running your own Wireguard or OpenVPN on a cloud VPS is no solution, either. It's guaranteed that Amazon, Azure, etc. keep logs of all traffic, and will turn over the associated account without hesitation.
Right now it feels like I have to choose:
- Use my PiHole to block all sorts of content on filtering lists that are useful in cases like blocking unwanted tracking in mobile apps, but my ISP knows everything I access
- Use a VPN, where my ISP doesn't know what I'm doing, but every web service I use can use whatever tracking it wants (except where uBlock is used and such, but you don't get that luxury with, say, Samsung Smart TVs which are notorious for phoning home)
Edit: so ultimately, you'd be trusting whoever's on DNSCrypt's resolvers list. Better than trusting Comcast, in my situation.
Cloudflare is one of the world's largest networks, and a problem for anonymity and decentralization.
I would setup my own Pi-Hole if I wanted true privacy.
To be fair, there are also some advantages of using Pi-hole® over NextDNS:
1) You know who runs it. We can’t ask you to trust us more than yourself. We can provide all the guarantees you want, show who we are and make promises, it is understandably easier to trust a solution you manage yourself. Keep in mind though, that all your unblocked DNS queries are still visible by your upstream DNS. So there is still someone you need to trust with your data.
2) It’s free with no limits. NextDNS is cheap, very cheap, but it’s still a paid service if you use it over a certain limit. Pi-hole® is free to use. You still have to pay about $35 for a Raspberry Pi + an SD card, which is equivalent to several years of NextDNS subscription. You should also consider donating to the Pi-hole® project if you use their solution. After a few years though, yes, Pi-hole® should become less expensive than NextDNS.
They can't, but it might make sense to do so anyway.
I always explain this when it comes to running your own private CA as well. In principle you might do a better job than anybody else, and certainly if you fall down you'd know exactly who to blame. But you also might do a pretty shoddy job and cut corners you know you shouldn't, and knowing whose fault it is will be cold comfort if things do go wrong.
People who do this for a living can never be as trustworthy as you could be, but they might very well be more trustworthy than you are in practice and it's worth a moment's honest introspection to consider that.
The workflow I am (not quite finished) setting up is as follows - I run a caching, recursive nameserver (unbound) in my own colo space. That DNS server, not me or my devices, is the nextDNS client.
Then I set all of my own networks and devices to use my (unbound) DNS server.
My goal is to receive all of the benefits of a paid nextdns account, but on the nextdns side, all they see is a single, fixed IP, in a fixed location, owned by a corporate entity, doing a bunch of DNS queries.
In fact, I am a bit worried about this exact setup because although I am using this for my own, personal use, consistent with their expectations, I could just as easily be a full-blown ISP passing through my nameservice to nextDNS ... how do they deal with that ?
Do they care ?
I'm sure they can refuse service to customers in certain cases.
So I assume they allow (or, rather, can't really disallow) such a setup but I wonder what ramifications it has when someone decides to front their entire customer base behind their NextDNS account ...
There is a valid niche between no privacy and completely self-hosted DNS-over-HTTPS that a service like NextDNS solves well. Just as Apple offers a phone that is more secure by default yet still not without flaws, or how using a VPN provider is a midpoint between a self-hosted VPN and no VPN. I think the privacy trade-off here is good for many.
As always it's a matter of tradeoffs, if you just don't want to get tracked by ads it's probably a good solution. If you are afraid of some nation state trying to track you down, then probably not.
NextDNS can also be used as a fallback if your Pi goes down for whatever reason too. Might as well have options in this space.
For those of us with a raspberry pi or intel nuc on hand, sure, it only takes 30 minutes.
This service is for people who want to kill ads at the DNS level without dealing with the hardware / setup of pihole.
Also, not many people are going to bother setting up a VPN to access their pihole DNS when traveling or on cellular, which makes NextDNS attractive.
The other argument is "just use ublock matrix". The counter-argument is it doesn't block native app ads / tracking. (One of the #1 blocked domains on my pihole is from Dashlane's MacOS app, constantly wanting to phone home)
That seems pretty dismissive of our audience. I can't think of many things easier to set up than Pi-hole, unless even using SSH is too difficult to understand.
1) Buy a Raspberry Pi (or pretty much any other device that supports a reasonably standard Linux distribution)
2) Copy one of many Linux distributions to an SD card with something like Etcher: a couple of clicks. Or buy one of the many pre-made kits with Linux already on the card.
3) Run a single-line Linux command via SSH and follow the prompts.
Although I agree, it's not terribly complex to follow the steps. Lack of time to fiddle with self-managing a device seems like it could be a bigger limiter.
The "cloud players" you're worried about are big targets and the law protects me, since we have the GDPR and the EU is trigger happy in giving fines to big companies. Also my data is not that useful right now to a US company.
Also the ad blockers for iOS Safari don't work well and I use iOS Firefox anyway, which can't use Safari's content blockers. So I'll take any help in blocking ads I can get.
This will also be valuable for doing some content filtering for my son, without installing anti-virus crap on his devices.
It really depends on your threat model.
NextDNS appears to implement DNS over HTTPS (DoH) and Firefox ships with it as an option, next to Cloudflare.
UPDATE — Took it for a test drive:
* Logs are concerning, but look good for optimizing the traffic and noticing odd communications; I already noticed telemetry sent by my browser that I switched off
* Ad blocking seems to work, not as good as desktop uBlock Origin, but I'll take anything for my iPhone
* Latency is around 30 - 100 msec, which seems a bit high? (server I connect to seems to be 400 km away)
Mozilla is running some Firefox experiments with different DoH providers. Eventually Firefox may automatically select whichever DoH provider is the fastest for each user. This would improve performance for users and reduce the privacy concerns about DoH consolidation with one provider (the current Firefox default Cloudflare).
Have you found Handshake useful in any way?
I bought tieshun.txt on https://gateway.io (in beta). The owner of .txt set up their own registry and they're selling .txt domains. That's another aspect of Handshake that I'm excited about. To get an ICANN TLD you need to be a big corporation that can pay for the $200k application fee (and you're not even guaranteed to get the name), whereas anyone can create a registry on their own TLD with Handshake.
The cryptocurrency aspect is unintuitive (if possible it would've been ideal to not require it), but it's actually needed in order to have a more secure root of trust alternative to CAs. This article expands on this point: https://www.namebase.io/blog/meet-handshake-decentralizing-d...
I should have prefaced my statement with the fact that I was trying to install it on something other than a raspberry pi. I have only tried on my Rock Pro 64 board. But to be fair, they are pretty mature, well supported boards at this point.
I understand that it is designed to run on Pi boards first so the issue is likely my specific hardware. But Pi-hole is supposed to be compatible with Ubuntu 18.04 so I would have expected it to work regardless?
I’m not a networking expert though, if anyone has experience with pi-hole on Rock pro’s or other Pine boards I’d love to know!
Maybe I’ll just go ahead and invest in one of the new Pi boards with 4Gb memory :) That was the main reason I got the Rock Pro 64 to begin with.
Install, and run armbian-config to get an easy Pi-hole installer (among many other functions).
- Ideal routing (low DNS latency)
- Bypass DNS-level censorship (inside a country, from your hotel Internet provider, your school, etc.)
- Being able to identify your device in the logs (if you choose to)
- Hardened Privacy Mode (if you are into that)
Edit: this goes for all our apps (iOS/Android/macOS/Windows/Router client), not just macOS.
"Follow the instructions below to set up NextDNS on your device, browser or router."
A couple more sentences there would be super helpful..
Used it for around an hour and I've already made 2,000 requests and 15% of those were blocked. Can definitely see myself going over 300,000 requests (free monthly allowance) but it's looking great so far so would be happy to support it.
Currently use AdGuard on my phone, looks like this does almost everything AdGuard does (stats, logs, blocklists) with the added benefit of the processing being done elsewhere.
Making this a perfect snee-less dupe!
"1. We do not (and will never) sell, license, sub-license or share any of the data submitted directly or indirectly by our users with any person or entity."
This does not cover metadata.
For example, NextDNS analyzes the data submitted directly or indirectly by the user and makes a note, "This user [something private]"
Those companies are not obligated to disclose what metadata they might have. Neither is NextDNS.
You can still put Pi Hole on a device in your home and use that. I do. It’s amazing.
35% or more of monthly requests are blocked.
Personally I am not fond of dnsmasq or the patched version Pi-Hole uses.
100% of "monthly requests" are blocked. There are no third-party managed blacklists, only personally created whitelists. Individual DNS queries rarely leave the network. DNS data is gathered in bulk and stored.
When you browse hn, do you need to whitelist each domain to be able to load content? How many domains do you have whitelisted and how many new ones do you whitelist each month?
I've been using NextDNS now for half a year or so and I have 1,021,075 queries in the last 90 days, or roughly ~11k a day. I have ~69k in the past 7 days.
I have this set up on all my devices.
Are you running a home server or something that could explain so many requests?
Haven't managed to track it down.
2 Windows 10 machines make a LOT of phone-home queries.
NextDNS has a cache boost option now which sets TTLs to a minimum of 5 mins. If the client is compliant (respects the TTLs), then that should help further.
I love that phrase. This looks like a fantastic service!
One feature request, if the team is reading along: a pause button to disable blocking for 1/5/15/60 minutes.
A map of our network for anyone interested:
I don't need Blokada on my phone anymore and I can block whatever I want at the router level instead of doing it on each device.
Keep up the good work!
Where is the announcement that it's out of beta? I don't see that in the homepage either. What am I missing?
I didn't find their release news either; maybe their announcement is just deleting “free during the beta” on the pricing page?
What would be the downside outside of corporate networks?
Some latency when visiting a new site seems like a small price to pay for side-stepping all the shenanigans that ISPs have been doing to DNS, without having to defer trust to yet another cloud provider.
The people routing your DNS traffic can inspect it and even tamper with it (e.g.: your ISP) even if you pick DNS servers other than the ones provided by your ISP. Your privacy is not guaranteed.
DNS over HTTPS/DNS over TLS is encrypted and may offer better privacy, if you trust them, that is.
As far as we know, it's slowly being rolled out and not behind any flag (unfortunately).
For ads, I already use AdGuard.
Of course we live in HackerNewsLand, where the rest of technologically illiterate humanity pays by watching ads so that we don't have to.
Somehow we have to use technology to find a way to balance the needs of those who are online serving us content/information/etc with a less irritating and horrific way to pay for it. Without a solution for that, the future is going to be a lot less diverse and a lot more frustrating, although in a different way.
- Obnoxious ads that take away from your browsing experience
- Tracking, spying, privacy, monopolies from ad tech and all that stuff.
And those even combine, as all the tracking makes sites slower.
Hacker News works on the sponsored-content model (but it's just one sponsor, which is also its owner). The site is kept as low-cost as possible, and YC uses it to promote its startups.
One YC post on the front page doesn't really bother us too much, as long as they don't become obnoxious.
Third party ad networks are an anomaly and it's time for them to go.
Otherwise 4oD think you have an ad blocker enabled and the video refuses to start.
On my desktop systems I can configure it in the network options and never think about it again. On Android I always close it if I don't think about it when closing all apps, then I forget to restart it.
The network stuff is not accessible.
It only needs one feature :)
Is anyone of nextdns reading this? Possibility to contact?
Almost everything obeys hosts on Android; works great on LineageOS.