I've been using https://nextdns.io/ for a while and I really like it. You can do DNS over HTTPS through Firefox (sadly not on an OS level in Windows for example, but that's fine -- I'm sure OS level support works better on Linux), and it supports a lot of user-level customization. You can add and remove entire blocklists, you can black/white-list specific domains, see logs of your blocks, some analytics, create your own redirects etc. and it doesn't cost you a thing. The main website does a pretty good job of explaining the selling points.
You can use it as-is but if you want user-specific configuration you'll get a custom URL that looks something like "https://dns.nextdns.io/c8g88a", and whatever comes in that way will use your settings and will be logged as per your configuration (of course, you can disable logging).
I’ve just looked into this - it looks excellent. Can I ask: is this an all-round superior solution to running your own pi-hole?
I set up dual redundant pi-holes on raspberry pi 4s on my home network but switching all devices to NextDNS would give me access to filtered DNS even when away from home, plus save me the trouble of running two raspis (including two Ubuntu instances) just for that purpose.
Could anyone knowledgeable in such things suggest any downsides to a wholesale switch?
I recently spent a bunch of time comparing NextDNS vs PiHole. The reality is their features-sets are pretty close, but I eventually settled on NextDNS and here were some of my takeaways:
NextDNS Pros:
* Can use NextDNS on any network (thanks to their apps or just regular DNS-over-HTTP/TLS).
* (Could get similar functionality on PiHole with a remote hosted PiHole + VPN, but much more complex to setup)
* NextDNS allows for multiple different configuration setups per account (so you can fine-tune your blocking/filtering differently for different devices).
* (PiHole AFAIK only supports a single configuration)
* NextDNS IMHO had the superior UI, with more powerful config options.
* In reality with some extra manual config/coding you could probably get PiHole to do most of what is in the config for NextDNS, but it would take some work.
PiHole Pros:
* PiHole is open source.
* The NextDNS server code is closed-source, but they do have an open-source CLI client.
* PiHole is self-hosted (much better from a privacy perspective).
* But you do get all the downsides of being responsible for hosting something as central as a DNS server yourself...
-NextDNS is a product with a free tier. It will always be limited in that sense.
+Pihole is free and open. It is also yours to build, manage, customize as you please.
-NextDNS is also further away, meaning there will be much more latency for all your DNS queries. It is usually best to run your own resolver, or have a local DNS server in your network.
+Pihole sits on a device on your network. You can also enable recursion directly on the pihole by installing Unbound on the same device.
> NextDNS is also further away, meaning there will be much more latency for all your DNS queries. It is usually best to run your own resolver, or have a local DNS server in your network.
But your local PI resolver would likely have to pass on your request to an upstream DNS server if it isn't cached. Although it's negligible, this extra hop would add latency. This is assuming the result isn't in the OS or browser DNS cache.
You could also set up PiVPN[1] on the same Raspberry Pi running Pi-hole with Wireguard and set up all your mobile devices to automatically connect back home when they're off the home wifi. I've had this setup running for a couple of months now and couldn't be happier with it.
The WireGuard apps for iOS and OSX have a configuration section titled “On-demand activation” that lets you do this. On the iOS app, I have it set to activate on cellular connection and WiFi connections to routers if the SSID != my home router’s SSID. Likewise on OSX, except for the cellular option.
You can also splurge and for under $10/mo set it up on a DigitalOcean (or similar) cheap hosting provider and have it available everywhere. And you can share with friends and family.
The cost in your example is far, far more than $10 USD a month. If you can set this up, your time is absolutely worth something and even if this is your area of expertise, you are now personally responsible for a critical piece of your internet browsing infrastructure.
There are tons of important details to keeping a critical service up and running almost all the time - even if you are competent in this, that is still time every month making sure it's running, secure and functional.
The only reasons in my opinion to DIY a solution would be a) learning, hobby or for fun or b) you have requirements that can't be met another way, like privacy goals.
The thing is that it's not really complicated anymore. It may be my area of expertise, but just following basic step-by-step instructions, it took me about 10 minutes to have a full ad-blocking, Wireguard VPN server on a DigitalOcean droplet by using Algo: https://github.com/trailofbits/algo , including the setup for my phone and iPad.
Algo is a great project and I also use it, but if you’re running it in production and not spending some time each month at least on security analysis and review, your self-assessed expertise may be more of the Dunning-Kruger variety.
I have had one up for around 2 years now and would say I have spent less than 5 minutes maintaining it over that time period. I did spend more than typical time setting it up because I added a custom php page so I could remotely add client ip addresses to the dns iptables whitelist, but I could have just done the basic setup in <20 minutes. It’s solid as a rock. Am I lazy about it? Sure. But I don’t quite consider it critical. It’s just personal use basic internet. And if something were to go wrong, most if not all client configurations have a backup/secondary dns option anyway so as long as that is configured things keep working fine, just with ads.
NextDNS is a commercial entity founded by a Netflix employee who is working on a Netflix CDN. Do the NextDNS terms of use address the potential for data sharing between the two entities?
Running NextDNS has costs. Given the absence of fees for using NextDNS, it has a commercial interest in collecting information about users. Like other third party DNS providers (middlemen), e.g., Google or Cisco/OpenDNS, NextDNS supports EDNS Client-Subnet. This extension has zero value in terms of ad-blocking and privacy and arguably should be "off" by default unless the user asks for it.
PiHole is a non-commercial project AFAIK, although they have registered a trademark.
Third party DNS caches will always be inferior to DIY in respect of certain issues such as ad-blocking, privacy, security, reliability, etc. (I am a DIY-er and when third party DNS has an outage, the applications I use are still able to use the internet without any problems because I have zero reliance on third party DNS providers.) When using third party DNS these factors are outside the user's control. Users cannot tell third party DNS providers what to do, nor can they execute quality control, they can only accept what is offered to them. Of course, third party DNS will always be superior in terms of convenience and perhaps "features". I personally do not need all of the "features" offered by third party DNS, but I cannot speak for other users.
The user's "choice" between DIY and third party DNS depends on what is important to the user and what the user is capable of doing herself. When the user is not capable of running DNS software herself, then DIY is removed from consideration and the "choice" is simply between one third party provider or another. The user has very little control in that situation.
When it comes to DNS, for me nothing beats having control. For me, "control", not convenience, is the best feature. I prefer whitelist to blocklist. Every user is different.
The only downside is that you're now using a free cloud service, so there's the obvious privacy concerns, and the possibility their servers will go down. It's really just a matter of the classic "free cloud vs. self hosted" pros/cons as usual.
I've been a user since it was first mentioned on HN and the major issue at the moment is the performance. I often have to turn it off to get sites to resolve at all, otherwise chrome hangs indefinitely.
Having said that, it's free (beta) right now so that's a statement of fact and by no means a complaint.
You're saying you have this issue with NextDNS? I've been using it since it was mentioned here, as well, and have had zero issues that were not self-created. FWIW.
Same. Been using NextDNS regularly since it was first announced on HN and have not seen any performance issues since the first few days. Highly recommend!
I saw someone mention NextDNS on HN about 2 months ago and decided to try it.
The only issues I've had are:
1. Epic Game Store was blocked - not an issue now as I uninstalled it and bought Borderlands 3 on steam. Now EGS is blocked again.
2. Adverts display in Google now that I don't have an ad-block, but it prevents me clicking them so I'm not fussed.
3. raygun.io is blocked - not sure why as it doesn't track any information of value as it's primarily used for crash reporting, and they are GDPR compliant.
Other than that, this has been amazing. I'm definitely going to be a paid customer once it's out of beta.
NextDNS is great. I have tried various DNS services -- OpenDNS, Cleanbrowsing, Cloudflare Gateway, Quad9, etc and I keep coming back to NextDNS. Would definitely recommend giving it a try if you're looking for a solid DNS-based security/privacy setup.
I've always thought if I owned any sort of fund, I would immediately have made basically this when I first saw pi-hole and then analyzed the data to estimate a given tech company's DAU numbers. I wonder who owns NextDNS. No idea if my idea would work or be per se legal but I bet you can grab some interesting insights.
I've used some of those as well, and finally settled on adguard pro for my ios devices. Do you (or anyone else) know how nextdns and adguard compare on ios?
Adguard pro allows customization of dns servers (including DoT), has a running local log of dns queries, and provides custom whitelists/blacklists functionality. Their dns (or maybe the app) very occasionally hangs requests, making my device seem like it's disconnected.
I've considered switching to nextdns but haven't found a compelling reason yet.
The only annoying part is that it doesn’t give you any sys notification when blocking a site. You have to check the logs. So if gmail isn’t loading the inbox that means something needs to be whitelisted and you now have to dig.
Thanks for mentioning it - I just started using it and it seems great. I particularly like being able to setup multiple profiles that lets me have strong parental control configuration for kids - ability to view logs is also good though the search could do with some improvements.
> setup multiple profiles that lets me have strong parental control configuration for kids
I've been using it too, but I've found nextdns goes down from time to time. How are you dealing with explaining how to change the DNS setting to people at home because "internet doesn't work"? I wish DoH client implementations had support for primary and secondary endpoints [0]. I've seen people straight up uninstall DoH clients from their devices in frustration.
I must point out that the Android implementation for DoT does fallback to OS or network provided DNS resolver (usually, dns.google), and that's a saving grace [1]. And so, I have no reservations setting up nextdns for everyone on the Androids.
[1] Speaking of DoH instead: Google's https://getintra.org falls back to last-known good DoH resolver, but then, never (?) switches back to primary unless restarted, from what I can recall.
> How are you dealing with explaining how to change the DNS setting to people at home because "internet doesn't work"?
I may be mistaken here but I thought the reason almost all operating systems allow you to specify more than one DNS is in case the primary one goes down. So if you specify NextDNS as the primary and say, Google or whatever, as the secondary: you likely won't see downtime (but obviously the filtering will disappear until the primary one comes back up and/or DNS caches reset etc)
That doesn't always work, because servers aren't always used in strict order.
For example, my default Kubuntu 19.10 installation flips the primary and secondary if the primary is unresponsive for a while. Since my laptop takes a moment to establish a WiFi connection upon waking up, it always decides that the primary server is down and to default to the secondary server. It has currently been 3½ hours since my laptop queried its primary server and it has queried the secondary server over 1000 times in the past 24 hours despite the primary having 100% uptime.
Most stub resolvers have an option to use strict order, but you can't rely on it as a network admin.
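A sketch of the primary/secondary DoH client behaviour the comments above ask for (a client that has a secondary endpoint, switches back to the primary rather than staying stuck on the fallback, and does not silently flip order the way some stub resolvers do), as an added example that is not NextDNS's, Intra's or any OS resolver's code. It builds an RFC 8484 GET query, prefers the primary endpoint, falls back on failure, and re-probes the primary after a retry window; the endpoint URLs are placeholders and the transport in `demo()` is a constructed stand-in so it runs offline.

```python
import base64
import struct
import time

# Constructed endpoints: a NextDNS DoH endpoint is https://dns.nextdns.io/<config-id>
# (placeholder id below, not a real one); the secondary is Google's public DoH path.
PRIMARY = "https://dns.nextdns.io/CONFIG-ID-PLACEHOLDER"
SECONDARY = "https://dns.google/dns-query"

def build_query(name, qtype=1):
    """Minimal RFC 1035 query; ID 0 as RFC 8484 recommends for cacheable GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set; 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(endpoint, query):
    """RFC 8484 GET form: base64url message with padding stripped in the dns= parameter."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

class FailoverResolver:
    """Prefer endpoints[0]; on failure use the next one; re-probe the primary once
    retry_after seconds have passed so the client never stays stuck on the fallback."""

    def __init__(self, endpoints, transport, retry_after=60.0, clock=time.monotonic):
        self.endpoints = list(endpoints)
        self.transport = transport   # callable(url) -> response bytes; raises on failure
        self.retry_after, self.clock = retry_after, clock
        self.active = 0              # endpoint index currently in use
        self.failed_at = None        # clock() reading when the primary last failed

    def resolve(self, name):
        if self.active != 0 and self.clock() - self.failed_at >= self.retry_after:
            self.active = 0          # retry window elapsed: try the primary first again
        order = [self.active] + [i for i in range(len(self.endpoints)) if i != self.active]
        query, last_err = build_query(name), None
        for i in order:
            try:
                answer = self.transport(doh_get_url(self.endpoints[i], query))
            except Exception as err:  # transport failure: remember it, move on
                last_err = err
                if i == 0:
                    self.failed_at = self.clock()
                continue
            self.active = i
            return answer
        raise RuntimeError(f"all DoH endpoints failed: {last_err!r}")

def demo():
    """Offline run with a constructed transport (primary down, then back).
    Returns the endpoints contacted, in order, so the failover path is visible."""
    now, primary_up, calls = [0.0], [False], []

    def transport(url):
        calls.append(url.split("?")[0])
        if url.startswith(PRIMARY) and not primary_up[0]:
            raise ConnectionError("primary unreachable")
        return b"\x00\x00\x81\x80"   # constructed stand-in for a DNS response
    r = FailoverResolver([PRIMARY, SECONDARY], transport, retry_after=60.0, clock=lambda: now[0])
    r.resolve("example.com")         # primary fails, secondary answers
    r.resolve("example.com")         # still inside the window: secondary only
    now[0], primary_up[0] = 61.0, True
    r.resolve("example.com")         # window elapsed: primary re-probed and used again
    return calls
```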
In my case, my daughter so far accesses the internet primarily via specific apps on the family tablet so any websites not opening are not an issue yet. Moving to nextdns is more of a preemptive move as I just gave her my old laptop; eventually she will be on the internet by herself (intentionally or accidentally) so hopefully this helps with that.
> You can do DNS over HTTPS through Firefox (sadly not on an OS level in Windows for example, but that's fine -- I'm sure OS level support works better on Linux
If you're using a computer on which installing this software is an alternative, you can install a web browser with an ad blocker, which performs much better than DNS based filters.
If you're not using such a computer, Pi-Hole provides DNS filtering and this software doesn't.
What's the use-case between these two that isn't already covered?
I mean, ok. But you're allowing a chat client to run code on your PC... in the case I saw it was sudo. You can do a shitload more with sudo than you can with a browser extension.
People who want to learn and/or want something simple. This version is super simple with the whole application being a ~150 line shell script. This makes it very easy to understand and adapt.
Eg. I have a file-server that runs our DHCP and DNS. I've looked into using Pi-hole's setup on it before and it just wasn't worth the trouble due to mismatches between their setup and mine. OTOH this version is very easy to understand and tweak to my needs (eg. using unbound vs. dnsmasq).
No, the websites detect that a resource wasn't loaded which triggers the annoying stuff. This happens with a pihole, adblocker, maza, or plain ol' hosts file. Ad blockers aren't magic.
In fact it's a good argument for using in-browser adblockers, since in-browser adblockers are capable of blocking such nag screens whereas DNS-based ones are not.
I found there is a docker container of pihole which means it can run on anything including Windows! I tried it and it works in a docker container on windows just fine!
pihole docker
steps:
(prereq: install docker https://www.docker.com/products/docker-desktop)
Similar to that I've been using NextDNS - in addition to the adblock you also get custom whitelist/blacklist, analytics... and it also supports DNS-over-TLS (works well with Android's Private DNS feature) and DNS-over-HTTPS.
I've been using nextdns and I like it: for one thing, it can tell you the amount of blocked DNS queries, but it's also very helpful for troubleshooting since you can see the log of what was blocked, when, and why (which blocklist). You can then completely disable the blocklist, or whitelist specific entries if you prefer. It's a level of customization that I don't believe other DNS adblockers provide since many of them are designed to "just work".
Private DNS is what Android calls DNS over TLS. It's basically normal DNS but with a TLS connection wrapped around it.
DoT is very easy to self host if you already run something like a pihole (using nginx to proxy a tcpstream + having it wrap a TLS connection around it) and can be exposed to the internet because it can work over TCP (thus reducing the DDoS risk factor significantly).
In Android there's a setting to enable it in the network settings. The default will be "off", if you pick "on" you'll probably be using Google's DNS servers, if you pick "hostname" you can pick a different server.
It's more than that, private DNS is not just a different DNS server, it's a DNS over TLS (DoT) server. This means encrypting the lookups to prevent the ISP from tracking the host names you visit.
Many DNS servers don't support DoT and some support DoH (DNS over HTTPS) instead.
They recommend leaving it on because then all your dns queries go to google and no one else by default--their "private dns" defaults to the very unprivate google dns servers.
I was a happy Adguard user for several years but found that some ads have come through lately. I did some research and switched to Blokada, which works well--sometimes too well; I have to temporarily deactivate it to use certain apps when I'm not on WiFi.
The use case is when you don't have a pihole. If you already run pihole I agree, this is not a useful addon. But what if you're at school or work with just your laptop? Is it possible one might want to run Maza instead of pihole locally? I think possibly yes.
> For use on a laptop that you take into other networks
I VPN to my home (and by extension my Pi-hole server) when on that kind of network. A local ad-blocker doesn't prevent MITM or malicious DNS servers. Maza won't help if DHCP is handing out the IP for a server that claims google.com is a CNAME to hereisyourvirus.xyz or if the router is transparently redirecting DNS traffic so you don't even know what DNS server you are hitting. Which means you have to use DoH or DoT as well.
I learned this the hard way a few years back. The lookup performance was good enough, but every time I woke the computer up from sleep or rebooted it, it would spend ten minutes maxing out one or two cores trying to process a hosts file blocking all known malware/spyware/adware domains.
This took me ages to find the cause of; I had to use a lot of highly-escalated debuggers and such to figure out what the "system" process was trying to do that was costing so much time. Once I cleared out the hosts file, the problem was resolved.
I have a large hosts file on my Mac with Steven Black's blocklists. It takes a few seconds to load in vim but doesn't seem to cause any problems with lookups.
NextDNS is a commercial solution, there will be more limits to the free plan when it will be out of beta. DNSCloak is just a tool that let you choose different DNS resolvers, even your very own.
For anyone running OpenWRT, you can install the adblock package to accomplish roughly the same thing as Pi-hole does. I don't believe it supports some advanced features like DoH/DoT or DNS resolution (e.g. a1b2c3.example.com -> ad-server-that-should-be-blocked.com), but it does the basics - custom host file sources, additional blacklist rules, whitelisting, and quick enable/disable for troubleshooting.
It also has an option to force all DNS traffic (port 53, so again it won't catch DoH/DoT) to go through the router. Occasionally I forget I've done this, try `dig foo.bar @1.1.1.1`, and get confused until I remember that my router is forcing that DNS lookup to go through it first, and then through the router's configured DNS resolver.
I use pihole for my entire home network as primary DNS and opendns for secondary (long time user of opendns, since before Cisco bought it). I also have VPN setup for remote access (esp. for mobile). I use ublock origin at the browser level.
These are layers of protection from undesired content (ads, malware, porn, etc.). If one fails, hopefully the next layer will provide desired protection.
I have kids approaching teen years. There is no magic bullet, and we still monitor and limit their screen time.
Are you trying to shield your teenage kids from seeing porn by accident or actively seeking it out? If it's the latter you've already lost - presumably they have 4G.
Anyway, it's free software. Anyone in the world can do that if they want. You can do that.
Also, it's poorly scoped. Pihole is just an app. Any ownCloud provider can more efficiently host it along with a bundle of every other app people want to "own" but not run locally.
While this is true, I'd put much more trust in the PiHole team than I would some random corp - by the very nature of what they've built, and how they licensed it, I'd expect them to be privacy centric. By paying for such a service, I'd also feel like I was contributing to the ongoing maintenance of PiHole by the core team.
I don't think it does, dnsmasq is optional. It does configure dnsmasq regardless, but that configuration only applies if you install and enable dnsmasq. As far as I can see, the script does none of that nor does it change /etc/resolv.conf. The readme is very clear about needing dnsmasq for wildcard blocking.
The script also modifies the host file which will apply regardless.
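As an added example (not Maza's or Pi-hole's code) of the hosts-file versus dnsmasq distinction discussed above: it normalizes a constructed blocklist into domains, renders both the hosts-file form and the dnsmasq `address=` form, and shows why only the dnsmasq form catches subdomains. The sample list, sink address and domain pattern are this example's own assumptions.

```python
import re

# Constructed sample of a downloaded blocklist: public lists mix hosts-file
# lines, bare domains, comments and loopback entries that must not be blocked.
RAW_LIST = """\
# Sample blocklist (constructed for this example)
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net  # inline comment
metrics.example.org
"""
SINK = "0.0.0.0"
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost", "ip6-localhost"}
# Hostname shape: labels of letters/digits/hyphens, alphabetic TLD (so bare IPs never match).
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def load_blocklist(text):
    """Normalize a list into sorted lowercase domains; skips comments, loopback
    names, the leading sink IP of hosts-format lines, and malformed names."""
    domains = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        name = fields[1] if len(fields) > 1 and re.fullmatch(r"[0-9.:]+", fields[0]) else fields[0]
        name = name.lower().rstrip(".")
        if name in LOCAL_NAMES or not DOMAIN_RE.match(name):
            continue
        domains.add(name)
    return sorted(domains)

def render_hosts(domains, sink=SINK):
    """/etc/hosts entries: exact hostnames only; a hosts file cannot wildcard."""
    return "".join(f"{sink} {d}\n" for d in domains)

def render_dnsmasq(domains, sink=SINK):
    """dnsmasq address= entries: each also answers for every name under it."""
    return "".join(f"address=/{d}/{sink}\n" for d in domains)

def hosts_blocks(name, domains):
    """What the hosts file catches: the exact name and nothing else."""
    return name.lower().rstrip(".") in set(domains)

def dnsmasq_blocks(name, domains):
    """What dnsmasq catches: the name itself or any subdomain of it."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in domains)
```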
How is it supposed to be harder to hack? I thought the main point is to have the blocking enabled in the whole network, including devices like smartphones.
Because the Pi-Hole doesn't run untrusted code, like a personal computer does (e.g. Javascript, installed applications, etc.). Same holds for smartphones.
I'd consider the web-based administration interface to be "untrusted code" -- and there was just a remote code execution vulnerability (due to very insufficient input validation of MAC addresses) discussed here yesterday [0].
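An added example of the hardening that comment points at, not Pi-hole's code: a strict allowlist validator for MAC addresses that accepts only six hex octets with one consistent separator, and a lookup that keeps the validated value out of any shell command string by parsing neighbour-table output in Python instead. The `ip neigh show` sample output is constructed.

```python
import re
import subprocess

OCTET_RE = re.compile(r"[0-9A-Fa-f]{2}")

def normalize_mac(value):
    """Allowlist check: exactly six hex octets joined by one consistent separator
    (':' or '-'). Anything else raises ValueError, so a crafted value never reaches
    a shell, a config file or a log line. Returns the lowercase colon form."""
    if not isinstance(value, str) or len(value) != 17:
        raise ValueError("MAC address must be 17 characters")
    sep = value[2]
    if sep not in ":-":
        raise ValueError("unsupported separator")
    octets = value.split(sep)
    if len(octets) != 6 or not all(OCTET_RE.fullmatch(o) for o in octets):
        raise ValueError("MAC address must be six hex octets")
    return ":".join(o.lower() for o in octets)

def is_valid_mac(value):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        normalize_mac(value)
        return True
    except ValueError:
        return False

def neigh_table():
    """Obtain the table with a fixed argv list: no shell, nothing interpolated."""
    return subprocess.run(["ip", "neigh", "show"], capture_output=True, text=True, check=True).stdout

def find_ip_for_mac(mac, neigh_output):
    """Look a validated MAC up in `ip neigh show` output; returns the IP or None."""
    mac = normalize_mac(mac)
    for line in neigh_output.splitlines():
        fields = line.split()
        if "lladdr" in fields and fields[fields.index("lladdr") + 1].lower() == mac:
            return fields[0]
    return None

# Constructed sample of `ip neigh show` output for an offline run.
SAMPLE_NEIGH = """\
192.168.1.10 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.23 dev eth0 lladdr 11:22:33:44:55:66 STALE
192.168.1.1 dev eth0  FAILED
"""
```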