Been using NextDNS for a few months now, I can't even find a single flaw. DNS is fast; both founders must be experts in networking. I have tried literally all the third-party DNS services, ad blocking or not, and NextDNS is actually one of the best / fastest DNS services. And I often think of myself as having latency intolerance, so it is very good. Even though I thought 300,000 DNS queries/month was low, it turns out I never exceeded that limit.
And its Dashboard / Control Panel is very fast, extremely responsive. Basically I love everything about NextDNS, from DNS speed, ease of use and design. Anyone who wants ad blocking should give it a go.
Edit: Not affiliated with NextDNS, just personal opinion. Not sure why the downvote.
I've added my relatives to my NextDNS and have yet to receive a single complaint while blocking a whopping 25% of all requests. (Of course I turned off logging.) I'd be happy to pay them even for my limited number of requests.
You could be logging all DNS queries of your relatives by a single click of a button? Did you inform them of this possibility, just curious, not judging.
Logging is on by default and per system. So yes, that is definitely possible. The majority of users are my children so I don't feel the need to inform them and the SO was not fully informed other than "tell me if it breaks something".
It's a good question to reflect on though. If I install this at my parents should I tell them. The whole world is monitoring their DNS now and after this only (potentially) me and NextDNS.
Thanks for your reply. I usually can't inform my SO more anyway, simply not understanding the technical limitations or reasons for something, but I do always tell.
I'll be checking out NextDNS for sure, even though it's just to see what it's about etc.
> Most of the speed-ups come thanks to caching anyway.
I'm afraid you trivially dismiss how hard this is.
For e2e response times as low as 10s from any ___location, one needs a global footprint behind an anycast network. Both these things aren't easy to do (on your own), especially for something as ubiquitous as name resolution which needs near 100% uptime and consistently low latencies.
Fast isn't the only thing here though, NextDNS provides custom configuration and logging over multiple endpoints (including ipv4) served from 33 points of presence. I'm sure keeping the lights on with this setup gets tricky pretty quickly, let alone implementing features at the pace that they have been. Romain Cointepas and Olivier Poitrey are the only reasons NextDNS is what it is; they are world-class experts in building such systems.
> I'm afraid you trivially dismiss how hard this is.
I ask, in what world do you have "slow DNS"? The choices out there are ISP-run, which virtually always has low latency, an anycast-run service, or running your own.
I don't care what technology you throw at the problem or who designed it, there really isn't "slow DNS", just bad choices of DNS servers that incur a round-trip latency penalty. I will assert again what keeps DNS "fast" is the aggressive caching of responses.
I've had the complete opposite experience to the author w.r.t. PiHole and WireGuard.
I run a PiHole on my home network and it's also my WireGuard "server". I will concede I am lucky enough to have static IPv4/IPv6 addresses on my home connection.
On my iOS devices I have two connections set up: one for "access to home + DNS", and the other for all traffic.
When I'm on my home wifi the VPN connection is off, when I'm on cellular data the DNS is set to the PiHole, and when I'm on any other wifi I route all traffic via the VPN (all automatically via the WireGuard app).
For my other mobile devices... well, they're Linux, so I just set the DNS server correctly and leave WireGuard always connected. It's a UDP "connection" for crying out loud.
This all works flawlessly now to the point that my less technically-minded roommate has it set up on their phone, too: they can access the NAS all the time and ads are blocked in the web browser and in apps.
Can you describe in more detail the iOS configuration? This is basically what I've been wanting to do, but haven't found out how to get the experience right on my phone.
I use the official WireGuard app from the app store. I have two connections configured.
Assume that the endpoint (i.e. server running wireguard on port 500) is 8.8.8.8:500, the IP of my iDevice on the VPN should be 192.128.1.254, my home LAN is 192.168.1.0/24, my PiHole is 192.168.1.2, and my home wifi SSID is Ycombinator.
Is this redundant, since 0.0.0.0 should include the 192.168.1.0/24 subnet? Not being a smart alec, I'm actually asking: I have an okay-ish understanding of networking stuff but not an expert.
Yes indeed, that’s how I have it setup. I have one WireGuard configuration on iOS, for both cellular and WiFi (except my home SSID). And it works like a charm.
pfSense + pfBlocker ~ OpenVPN because I'm pretty old - along with DNS over TLS & ICR what else.
Sidebar: I also have a copy of my desktop Firefox hosted as a RemoteApp on a Win10Ent VM, for the odd time I need remote access to a credentialed account while I'm away.
My comment on the Earn-it act is it's the natural outcome of unqualified US voters choosing unqualified politicians, thanks to largely inept news coverage.
Or if you want something more topic specific, Feinstein co-sponsors it so we can fully assume it elevates the whims of The State over the welfare of us.
I’ve got Pi-Hole and PiVPN with WireGuard set up as well, however not the two-part setup like yours - I only turn on the VPN on my iOS devices as needed. Have you set up yours to auto-connect based on the WiFi SSID name? If so, how?
I do the same thing with Wireguard. I have a "LAN" which consists of my workstation, 2 dedis, random VMs on demand, iPhone, iPad, home devices and two resolvers, one of which is a PiHole.
It's a spectacular experience when it comes to accessing all your stuff without multiple logins (since none of it is exposed to the internet) and Wireguard is blazing fast.
"I will concede am lucky enough to have static IPv4/IPv6 addresses on my home connection."
A while back, some HN commenters in a Wireguard thread tried to argue that all home connections have static IP addresses, or at least ones that do not change frequently enough to be an issue. If I had a static IP address I, too, would consider myself lucky.
Why not use a dynamic DNS service? My router updates my VPN's DNS entry automatically at Cloudflare when it gets a new IP. Everything works like magic just like the previous poster's setup, except without a static home IP.
Many ISPs, particular in EMEA, don't even hand out public IP addresses to their customers; cf. CGNAT [0]. End users, at home, will get RFC1918 or RFC6598 IPs from their provider.
While they could still use a dynamic DNS service, the public IP that it sees will actually be a public IP address that is shared by many customers.
This works for me, my Pi has a little script to get public IP and update DNS. The rare IP switch at home is updated in 10 minutes. Bonus the endpoint is in my ___domain.
A lot of people who erroneously turn on PersistentKeepalive on their phones wind up with battery drain for clear reasons. Mobile phone users very much should not be using PersistentKeepalive.
I'm not affiliated with the WireGuard project, but I would appreciate it if you could encounter the issue again, and then submit an account of your experience and the logs from your device.
Also, one extra nice thing about using NextDNS via DoH (as you would with Firefox) is that now everything except the fact you're talking to NextDNS is concealed from eavesdroppers even if you do have custom config.
If you use other methods, NextDNS needs to figure out which custom config is yours, and there's no way to hide that from an eavesdropper (at least not yet). For example with DoT the customisation is hidden as a server name, and travels plaintext in SNI during TLS connection.
But with DoH that indication is in the URL path component, which is just more encrypted data in DoH and so an eavesdropper can no more discover which (if any) customisation you use than they can discover my Hacker News password when I log in here.
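The comment above contrasts where a resolver's per-customer configuration identifier travels: as the TLS server name (plaintext SNI) for DoT, versus as part of the HTTPS URL path for DoH, where it is inside the encrypted stream. The block below is an added illustration, not code from the thread or from NextDNS: it builds a minimal RFC 1035 wire-format query, encodes it as an RFC 8484 DoH GET request, and splits the resulting URL into the part an on-path observer can see (the hostname, sent as SNI) and the parts that are only inside TLS (path and query string). The hostnames and the config id are constructed placeholders; the real NextDNS endpoint names are not on the page.

```python
import base64
import struct
from urllib.parse import parse_qs, urlparse

# Constructed placeholders; the real endpoint names are not on the page.
# DoH: the configuration id is a URL path component (encrypted by TLS).
DOH_BASE = "https://doh.example/PLACEHOLDER_CONFIG_ID/dns-query"
# DoT: the configuration id is carried in the server name (plaintext SNI).
DOT_SERVER_NAME = "PLACEHOLDER_CONFIG_ID.dot.example"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a minimal DNS query (RFC 1035) with the RD bit set and one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(name: str) -> str:
    """RFC 8484 GET form: the wire-format query is base64url encoded without padding."""
    param = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{DOH_BASE}?dns={param}"


def decode_dns_param(url: str) -> bytes:
    """Recover the wire-format query from a DoH GET URL (re-adding stripped padding)."""
    param = parse_qs(urlparse(url).query)["dns"][0]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def decode_qname(wire: bytes) -> str:
    """Parse the question name out of a wire-format query (no compression in questions)."""
    pos, labels = 12, []
    while True:
        n = wire[pos]
        pos += 1
        if n == 0:
            break
        labels.append(wire[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels)


def on_the_wire(doh_url: str) -> dict:
    """Split a DoH request into what an eavesdropper sees versus what TLS hides."""
    u = urlparse(doh_url)
    return {
        "visible_sni": u.hostname,          # plaintext in the ClientHello
        "encrypted_path": u.path,           # inside TLS, carries the config id
        "encrypted_query": u.query,         # inside TLS, carries the DNS question
        "dot_visible_sni": DOT_SERVER_NAME, # for DoT the config id is visible here
    }


if __name__ == "__main__":
    url = doh_get_url("ads.example")
    print(url)
    print(on_the_wire(url))
```

With DoH, `on_the_wire` shows the config id only in `encrypted_path`, while the DoT equivalent exposes it in `dot_visible_sni`; the queried name itself is inside the encrypted `dns=` parameter in both the GET and POST forms of RFC 8484.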
I tried NextDNS out recently, and had a few technical questions about how it was interacting with some specialised DNS software I was testing. I clicked the livechat button on the website and was connected within seconds to someone who understood DNS at the protocol level. It was... unexpected and amazing.
Same. I got on the chat, which was answered by Romain (one of the founders), to request them to add yhosts [0] to the blocklists, and it was in production in less than 10 mins.
I went over their site. I'm a big fan of the nextdns project and the handshake project. DNS.live is a hub that lists top sites hosted with the TLDS from Handshake and offers free stuff. Basically the Handshake gTLD directory to make it easy to check out other people's sites as decentralized DNS evolves and see when names become available.
It offers free NS hosting, free web hosting, free blog hosting, and free URL redirection for Handshake.org TLDs. No account is required (as per their website): https://dns.live/hosting.html
Looks like Namebase requires ID verification before you can bid on a ___domain. Sounds like the new DNS is going to be even worse than the current one.
No sir, only if you want to transfer assets or get USD etc. You can bid still.
From their restrictions page:
Due to regulatory reasons in the US (we're not happy about it either), Namebase accounts are restricted in functionality until they have successfully been verified. Once an account has been verified, it'll be able to:
Trade on Namebase Pro (non-US only)
Withdraw HNS (non-US only)
Buy and Sell HNS with BTC (global)
Buy and Sell HNS with USD (US only)
Before an account has successfully verified, it'll still be able to:
Transfer HNS into its cloud wallet
Bid on Handshake names
Withdraw Handshake names
Hi, I'm the CEO of Namebase. You're right, that's the best way to bid anonymously on Namebase right now. We're also going to add the ability to bid anonymously directly on Namebase. The account verification is only required for purchasing HNS, which we need to do due to regulatory restrictions in the US.
That makes sense, though I wouldn't expect it to be required when buying HNS with BTC. I signed up for the airdrop so I got a bunch of HNS I can play with, thanks.
> Despite how much I like Cloudflare and this specific service, I want to block trackers at the DNS level. 1.1.1.1 is probably the most reliable and fastest resolver there is on earth, but that does not fit my use case either.
Isn't this a bit poorly timed, considering the recent Cloudflare DNS announcement?
> In the coming months, we will provide the ability to define additional configuration settings for 1.1.1.1 for Families. This will include options to create specific whitelists and blacklists of certain sites. You will be able to set the times of the day when categories, such as social media, are blocked and get reports on your household's Internet usage.
Yeah. No. Many advertisers rely on Cloudflare. If Cloudflare would choose to block ads, I'd imagine that lots of folks would ditch them and use some other DNS provider instead.
They made a mistake, promptly realized it, put fixes in place, and updated their procedures. Then, their CEO wrote a post apologizing. Whatever your view is on Cloudflare, it is not fair to say that they didn't react properly to this specific issue and I don't think it is fair to criticize them (again, for this specific issue).
I've started using NextDns on my phone (Android) for its simplicity and thoroughness.
One of the harder parts about DNS based blocking is that it's significantly more effort to unblock something like clicks from tracked deals sites than ublock browser extension.
For my routers, I'm mostly happy with last week's announced 1.1.1.2 malware blocking from Cloudflare.
NextDNS is also my new favorite DNS service - especially since they've been supporting Handshake name resolution at the click of a button since March 20th. [1]
I'm hosting my own DNS server with DoT/DoH as a reverse proxy in front of a PiHole server. The latency might not be as impressive as NextDNS' (7~10ms on my phone via T-Mobile), but I have full control of the stack.
I use Cloudflare Workers (their generous free-tier covers 3 devices worth DNS queries, with much room to spare), but the 128MiB RAM limit restricts the number of domains in my blocklists: https://news.ycombinator.com/item?id=22208988
Started using NextDNS a week ago and it's quite good so far. One of my concerns was how hard it would be to debug websites/services that stop working, but their logging being instant made it superbly easy. I can turn on logging, go to the website/app that doesn't work correctly, and go right back to the NextDNS logs to see the requests instantly. You can then filter for the blocked ones too.
I tested the ipv6 latency to nextdns https://my.nextdns.io and opennic https://servers.opennic.org –– I'm impressed with the newcomer, with 21㎳ median it's very close to the 17㎳ median I currently enjoy.
This looks great, but unfortunately CloudFlare has 1ms ping for me but NextDNS has 50ms. I'm not quite sure how it can reply in 1ms, but that's what I'm getting.
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_req=1 ttl=58 time=0.661 ms
64 bytes from 1.1.1.1: icmp_req=2 ttl=58 time=0.638 ms
64 bytes from 1.1.1.1: icmp_req=3 ttl=58 time=0.615 ms
64 bytes from 1.1.1.1: icmp_req=4 ttl=58 time=0.654 ms
I do have a fiber connection to my ISP, but still, 1 ms is pretty low. I wonder if something else is replying, but I tried 1.1.1.2 as well and the latency is the same.
I use it as my DNS server, so it's working fine, but that's a good idea. Unfortunately, my home router intercepts all DNS queries and reroutes them to its own dnsmasq (which forwards to 1.1.1.1), so I can't do a proper benchmark unless I disable it.
I do wonder what's going on, but here's my traceroute to 1.1.1.1:
Interesting. Looks like I have the same thing going on at home, because I have 2.8 ms to 1.0.0.1 and 0.5 ms (!) to 1.1.1.1: https://i.imgur.com/5qpMbuh.png. Both answer to DNS queries, though.
For me it's not so bad, just 10ms, but my ping to Google and CloudFlare DNS is 0.8ms.
The weird thing is that on their front page they claim to have a PoP in Zürich, the nearest city, yet my traffic is going via DE-CIX. My ISP (AS13030) even peers with Misaka Network (AS57695), which appears to be their backend.
I was pleasantly surprised and happy to see that I could use this service or Cloudflare on the latest version of Android natively by just typing a URL into the settings rather than having to install a third-party app!
> Even worse, iOS forces you to use a fake VPN to change DNS servers at all on cellular!
This is a major pain point for me - I'm trying to use both NextDNS and Tailscale on my iPhone SE 2016, and confirmed that they clash with each other. :(
I switched from pointing various things to cloudflare to simply using NextDNS a while ago, and it's just excellent. The onboarding flow was way faster and easier than I thought it would be (fantastic setup documentation). Configurations are really great for customization at per-device granularity. Extremely slick and fast web UI. Great DNS latency + performance overall.
I was planning on setting up my own recursive resolver one day (tm) but NextDNS really just makes everything so seamless + easy.
NextDNS works great for me,
I use it as a second layer to ublock origin and it still catches things.
Only downside I have is when something does break, and it happens occasionally, I have to whitelist the ___domain on their dashboard.
You can only whitelist the ___domain for all requests, which is not what I would like. Would prefer to whitelist it on a specific page and for a temporary time.
Otherwise when something break I have to go to their dashboard, whitelist the ___domain, use the website and then go back and blacklist it again.
Would be nice if they had a browser extension that can do that in the browser without having to go to their dashboard
I deployed NextDNS for my family months ago. The Handshake resolver locked in NextDNS for my home network. I've been considering setting up PiHole as well — Handshake resolution would lock that in.
It's in a docker container so any changes will just get wiped on next version upgrade. I just checked and it does have the right IP in it though (IP of device hosting pihole). So doesn't seem to be obviously misconfigured. Weird.
.hole doesn't seem to be a valid TLD so not much of a security risk
also a fan of NextDNS. i have been using the service for a few weeks, since i saw them mentioned on twitter. looks like the aggregate number of queries from the many devices on my home network will exceed 300,000 per month, so i am happy to start paying as soon as they start charging.
We use NextDNS to access Handshake ___domain names and it's been working great. The privacy features are great too, although email links sometimes don't work because of them (more of a feature than a bug imo).
PiHole at its core is easy access to a bunch of blocklists. Why not just run a local resolver and import the blocklists if your use case is mobile and you don't want to VPN your traffic?
I’ve moved from a local resolver with regular block list updating to NextDNS - here’s why I’d recommend it over a diy solution:
1. Easy to turn on and off. My block lists were pretty aggressive and worked beautifully 90% of the time. However, occasionally I’d need to hit a site that was registered in a list in a way that wasn’t immediately obvious. The O’Reilly site is (was) a good example - they were loading a script on their login page at one point that failed because I’d blocked the source. I’ve encountered other sites that fail in similar ways. Being able to temporarily disable adblocking (OSX via the app) is tremendously convenient.
2. The blacklists and blocking categories offered by NextDNS are at least as good as what I’d managed to pull together (I was pretty proud of mine), they update frequently, and again it’s very easy to opt-in/opt-out
3. CNAME cloaking - unless you update your own lists very frequently, there’s a good chance you won’t be as effective at catching third-party trackers masquerading as first parties.
I had fun running a local resolver and updating it from various block list sources with a cron job. I’d add new entries manually as I encountered them, but after a while it got old. Additionally, I wanted the same protection outside of my network. The same setup on a FreeBSD droplet worked well, but was more maintenance. NextDNS does at least as good a job, and it’s way more convenient.
You might have enabled some pretty aggressive blocklists with nextdns. If you can't be bothered, Adguard DNS is more accommodating but configuration-less, give it a try [0].
As for sites, I use startpage's anonymous-view [1] or brow.sh [2] at times.
DNS Made Easy (Which, by the way, is great and fast, although I'm using HE for some domains) is for your domains.
NextDNS is for your devices. It's a DNS provider for your network and devices that allows you to block ads, custom configs and the like. It seems an advanced version of what OpenDNS used to offer back in the day (not sure if they still do after the Cisco acquisition).
When the browser tries to load an ad, let's say from "ads.com", the DNS service responds to that ___domain with 0.0.0.0, which prevents the ad from loading. You enable lists to customize which domains should be considered ad domains and can optionally blacklist other domains.
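The comment above describes the sinkhole mechanism (answer a listed ___domain with 0.0.0.0), an earlier comment mentions CNAME cloaking (a first-party name that is really a CNAME to a tracker), and another asks for per-___domain whitelisting. The block below is an added example, not code from the thread, PiHole or NextDNS: it parses a hosts-file style blocklist, matches a query name and every parent ___domain against it, follows the CNAME chain returned by a simulated upstream so a cloaked tracker is still caught, and lets an allowlist override a block. The blocklist text, the upstream zone data and all IPs are constructed sample data.

```python
from typing import Dict, FrozenSet, Optional, Set, Tuple

SINKHOLE = "0.0.0.0"

# Constructed hosts-file style blocklist (comments and blank lines allowed).
BLOCKLIST_TEXT = """
# sample list, constructed for this example
0.0.0.0 ads.example
0.0.0.0 tracker.example
"""

# Constructed stand-in for upstream DNS: name -> (record type, value).
UPSTREAM: Dict[str, Tuple[str, str]] = {
    "www.example": ("A", "203.0.113.10"),
    "ads.example": ("A", "203.0.113.20"),
    "cdn.ads.example": ("A", "203.0.113.21"),
    # CNAME cloaking: a first-party looking name pointing at a listed tracker.
    "metrics.shop.example": ("CNAME", "collect.tracker.example"),
    "collect.tracker.example": ("A", "203.0.113.30"),
    "loop-a.example": ("CNAME", "loop-b.example"),
    "loop-b.example": ("CNAME", "loop-a.example"),
}


def parse_hosts_blocklist(text: str) -> Set[str]:
    """Extract the ___domain column from 'ip ___domain' lines, ignoring comments."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            domains.add(parts[1].lower().rstrip("."))
    return domains


def is_blocked(name: str, blocklist: Set[str]) -> bool:
    """True if the name or any parent ___domain is listed (cdn.ads.example -> ads.example)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve_with_filter(
    name: str,
    blocklist: Set[str],
    allowlist: FrozenSet[str] = frozenset(),
    upstream: Dict[str, Tuple[str, str]] = UPSTREAM,
    max_chain: int = 8,
) -> Optional[str]:
    """Return the final A record, SINKHOLE if anything in the CNAME chain is blocked,
    or None for an unknown name / too long a chain. Allowlisted names bypass the list."""
    current = name.lower().rstrip(".")
    if current in allowlist:
        allowed = True
    else:
        allowed = False
    for _ in range(max_chain):
        if not allowed and is_blocked(current, blocklist):
            return SINKHOLE
        record = upstream.get(current)
        if record is None:
            return None
        rtype, value = record
        if rtype == "A":
            return value
        current = value.lower().rstrip(".")  # follow the CNAME and re-check it
    return None  # chain too long (or a CNAME loop): refuse rather than spin


if __name__ == "__main__":
    bl = parse_hosts_blocklist(BLOCKLIST_TEXT)
    for q in ["www.example", "ads.example", "cdn.ads.example", "metrics.shop.example"]:
        print(q, "->", resolve_with_filter(q, bl))
    print("ads.example (allowlisted) ->",
          resolve_with_filter("ads.example", bl, allowlist=frozenset({"ads.example"})))
```

Checking every name in the CNAME chain, not just the queried name, is what defeats the cloaking described earlier; a resolver that only compares the original question against the list would return the tracker's address for `metrics.shop.example`. The allowlist models the dashboard whitelist discussed in the thread, and the chain limit keeps a looping CNAME pair from hanging the filter.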
It's also fairly easy to run your own recursive resolver in case you don't want to use an external DNS service. I use Unbound and ad-blocking lists and it works great.
Used Adguard for about 2.5 years, and literally switched to NextDNS yesterday after reading this article. I've got a blog post about DNS ad-blocking [0], updating stuff now and then. I hope it points out some of the different features and reasons to use one over the other. Let me know what you think!
Adguard DNS works fine out of the box, but you can't configure it and more importantly have no way to whitelist sites. If you block ads you _will_ have page damage and no way to fix it with that service. Nextdns solves that problem.