Revisiting NextDNS DNS Firewall

in LeoFinance, 2 months ago

I wrote a review of NextDNS two years ago back in February 2022. You can check it out here if you want to.

  • Do I still use it?
  • Do I still like it?
  • How is it performing?

What is NextDNS (aka DNS Firewall)?

You may have heard of Pi Hole, a popular application you can self-host on a Raspberry Pi to protect against ads and spyware. NextDNS is the same idea, but provided as a hosted service: about $20/year for unlimited queries, or free if you stay under 300,000 queries/month.

Technically, both products take a hostname like ads.google.com and answer with 0.0.0.0 instead of its real address, so connections to it never leave the device and it effectively stops working. You are probably more familiar with AdBlock or uBlock Origin in the browser. NextDNS accomplishes the same thing at the DNS layer, for every application on the device rather than just the browser.

So why not use a browser plugin?

I do! It is also the best protection you can get, as it is the only way to block YouTube ads, which in my opinion are the most invasive ads. But if I want to block ads on my TV, mobile phone, Steam Deck, and while I am on the road, I need something different, as these devices don't support browser plugins.

I am a big fan of the Pi Hole project, but one advantage of NextDNS being a service is that it works while I am away from home. If I only cared about protection at home, I'd just use Pi Hole, which is a fantastic and free project.

The primary reason I use NextDNS is the ability to use it while I am on the go, but there are other advantages as well. Most of these you can get with additional software and advanced configuration; NextDNS is just easier, and much faster when you are away from home, because it answers from nearby edge nodes, something a resolver sitting in your house can't match once you leave the house. I generally prefer to self-host as much as I possibly can for security, price, and privacy. NextDNS is one of the few services I use that I choose not to self-host.

Do you still use it?

So to answer, do I still use it? The answer is yes.

Do you still like it?

Do I like it? Yes, very much. But I am well aware there isn't a whole lot of support behind the service; many have said they couldn't get in touch with anyone when they needed to. I haven't had any problems, and this is a simple service that really doesn't have issues, so that doesn't bother me. I could have two Pi Holes up and running inside of an hour or so if I had any major problems.

How is it performing?

Quite well. I already use Brave with maximum protection enabled. Even after that (which is roughly equivalent to AdBlock/uBlock Origin), NextDNS is still blocking over 14% of my queries over the last 30 days.

In my initial review, I was blocking just over 10%.

I've made a lot of changes since then and made my rules even more aggressive. My primary protection is HaGeZi's Multi ULTIMATE list, which is very aggressive but very well maintained. Most people recommend the Pro list, but I have had little to no trouble running the much larger Ultimate list. You can run many lists, but most of them are made redundant by HaGeZi's list.

As you can see, that list accounts for the majority of what is being blocked. I rarely, if ever, have to whitelist a site. In fact, the only time I really need to is when a site is less than 30 days old, as I have NextDNS block newly registered domains. I also have a list of top level domains (TLDs) blocked, the Russian .ru being one of them you see showing up here.

I do run a very short manual deny list to block specific sites, most importantly events.gfe.nvidia.com, which can get pretty spammy with Nvidia GPU drivers. At one point I was getting 30K blocks a day, but they either toned down their software or it learned it isn't getting out and stopped trying.

NextDNS also includes native tracking protection for Windows, Apple, Amazon, Samsung, Roku, and so on. I enable these to keep those devices from calling home.

I have almost every feature enabled on NextDNS, even the more aggressive ones like AI-Driven Threat Protection and Threat Intelligence Feeds. I almost never run into a problem; I might whitelist a site once every 2-3 months, and half the time it is just a domain under 30 days old. There is a feature you can enable that serves a specific block page when something is blocked, which makes it easier to tell that a site is being blocked rather than having a technical issue; it's not always obvious what is wrong when a page is just blank. One caveat: that page is served by answering the blocked name with a NextDNS-operated address, so HTTPS sites will throw a certificate warning unless you install the NextDNS root CA, which is a trade-off you should weigh before enabling it. Another cool feature is blocking dynamic DNS hostnames; these are almost always bad news unless you are a geek and use one for your own networking, in which case you can easily whitelist yours.

While $20 a year is pretty cheap, you can run a Raspberry Pi for about $2-5/year in electricity and do other things with it at the same time. I'm even running mini PCs with nearly 100 Docker containers, so running Pi Hole as well wouldn't be a big deal. I may eventually switch back, but for now I really appreciate the ability to use it while outside my house and the very quick local nodes they run.

One cool trick you can do with NextDNS is rewriting public names.

You can even rewrite a public name to a local IP, a trick I use at times for some very specific use cases. For example, I run my own copy of Hive Engine, so I can route hive-engine.com to 192.168.12.18 if I want to. One thing to check if a rewrite like this seems not to work: some routers and stub resolvers treat a public name resolving to a private address as a DNS rebinding attempt and drop the answer, so the rebinding protection on the device or router may need an exception for that name.
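To make the rule layers above concrete (the big domain list, the manual deny list, TLD blocking, the 30-day newly-registered-domain rule, dynamic DNS blocking, the allowlist, and the rewrite trick), here is an added example in Python that models the decision a DNS firewall makes for a single query and answers blocked names with 0.0.0.0. It is not NextDNS or Pi-hole code; the rule precedence (allowlist first, then rewrites, then the deny rules) is my assumption rather than a documented NextDNS evaluation order, and every list entry, date and address in it is constructed for illustration.

```python
"""Toy model of the per-query decision a DNS firewall makes. Added example,
not NextDNS or Pi-hole code. The precedence (allowlist, rewrites, then deny
rules) is an assumption; all list contents and dates are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# What a blocked name resolves to: the unroutable address the post describes.
SINKHOLE = "0.0.0.0"


@dataclass
class Policy:
    allowlist: set[str]          # names (plus subdomains) never blocked, e.g. your own dyndns host
    denylist: set[str]           # manual deny entries, e.g. a telemetry hostname
    blocklist: set[str]          # a HaGeZi-style domain list, matched by suffix
    blocked_tlds: set[str]       # whole TLDs to refuse, e.g. {"ru"}
    dyndns_providers: set[str]   # dynamic-DNS provider zones to refuse
    rewrites: dict[str, str]     # public name -> address to answer with instead
    registered: dict[str, date]  # constructed registration dates for the NRD rule
    nrd_days: int                # block domains younger than this many days
    today: date                  # fixed clock so the example is deterministic


def labels(name: str) -> list[str]:
    """Normalise a query name: case-insensitive, trailing dot ignored."""
    return name.rstrip(".").lower().split(".")


def matches(name: str, zones: set[str]) -> bool:
    """True if name or any parent of it is in zones: listing example.com
    also covers www.example.com, which is how domain lists are applied."""
    parts = labels(name)
    return any(".".join(parts[i:]) in zones for i in range(len(parts)))


def registrable(name: str) -> str:
    """Naive registrable domain (last two labels); a real resolver would
    consult the public suffix list so that foo.co.uk is handled correctly."""
    return ".".join(labels(name)[-2:])


def resolve(name: str, policy: Policy) -> tuple[str, str | None]:
    """Return (decision, answer). answer is None when the query should be
    forwarded upstream and answered normally."""
    if matches(name, policy.allowlist):
        return "allow", None                     # allowlist wins over everything
    for zone, target in policy.rewrites.items():
        if matches(name, {zone}):
            return "rewrite", target             # e.g. a public name pointed at a LAN box
    if matches(name, policy.denylist):
        return "deny:manual", SINKHOLE
    if labels(name)[-1] in policy.blocked_tlds:
        return "deny:tld", SINKHOLE
    registered = policy.registered.get(registrable(name))
    if registered is not None and (policy.today - registered).days < policy.nrd_days:
        return "deny:nrd", SINKHOLE              # newly registered domain
    if matches(name, policy.dyndns_providers):
        return "deny:dyndns", SINKHOLE
    if matches(name, policy.blocklist):
        return "deny:list", SINKHOLE
    return "allow", None


# Constructed policy mirroring the layers described in the post (hypothetical values).
EXAMPLE_POLICY = Policy(
    allowlist={"myhome.duckdns.org"},
    denylist={"events.gfe.nvidia.com"},
    blocklist={"tracker.example.net", "ads.example.com"},
    blocked_tlds={"ru"},
    dyndns_providers={"duckdns.org", "no-ip.com"},
    rewrites={"hive-engine.com": "192.168.12.18"},
    registered={"brand-new-shop.example": date(2024, 5, 20)},
    nrd_days=30,
    today=date(2024, 6, 1),
)


def decide(name: str) -> tuple[str, str | None]:
    """Evaluate one query name against the constructed example policy."""
    return resolve(name, EXAMPLE_POLICY)


if __name__ == "__main__":
    for q in ["events.gfe.nvidia.com", "www.nvidia.com", "api.hive-engine.com",
              "mail.ru", "brand-new-shop.example", "myhome.duckdns.org",
              "evil.duckdns.org", "cdn.tracker.example.net"]:
        print(f"{q:28} -> {decide(q)}")
```

Two points the ordering is meant to show: putting the allowlist ahead of the dynamic DNS rule is what lets you keep your own dynamic DNS hostname while refusing the rest of the provider's zone, and suffix matching is why a single list entry such as tracker.example.net also catches cdn.tracker.example.net. A production resolver would use the public suffix list instead of the naive two-label registrable() here, and would look registration dates up via RDAP/WHOIS rather than a constructed table.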

Running a browser without Web3 support for things like IPFS? NextDNS has a proxy that can enable that, if you want it.

It's a pretty cool service, and relatively cheap ($20/year) for unlimited usage. You can also run multiple profiles, so you can lock one profile down for your kids and point their devices at it, while keeping a less restrictive profile for the adults.

Having a much more secure DNS resolver can drastically increase your security. It also drastically reduces the information your ISP has on you and can potentially sell. I have a little stink bomb for them in addition to this.

I have a Docker container that starts at Wikipedia, then randomly travels around the Internet creating noise, making snooping on or selling my data very difficult. I also run custom DNS and a full-time VPN. Over the years I have grown far more protective of my data, even less critical data, as third parties will always sell and/or leak it through incompetence.

Posted Using InLeo Alpha


I use this list for updating my hosts file every now and again to block stuff. In addition, Brave with max shields and a version of Firefox with everything turned to the max (the so-called "hardened Firefox"). But of course these only secure my Mac. Other gadgets connected are out of luck. I missed your earlier post on NextDNS. I'll have to check it out!

Reading this kind of post makes me think I definitely have to up my security game, since I basically rely on using Windows Defender and the Brave browser...

Nvidia with 30,000 queries a day 😫 wtf
