Almost a year ago we published a Privacy Cookbook chapter about NextDNS. It has improved, and we have used it on our phone and even on the routers, so it deserves an update.
NextDNS is easy to set up and works on every device, whether Linux, Mac, Windows, iOS or Android. Best of all, you can even make it work with your existing VPN.
NextDNS is basically a DNS service with an 'integrated Pi-hole' in the cloud. They use their own proprietary software (parts have been open-sourced since our last review), but it is not actually a Pi-hole.
It is similar in that it blocks domains across networks. However, Pi-hole needs to be installed locally and only functions when the device is running, whereas NextDNS provides those features from the cloud without the need for installation or any maintenance.
It also provides IPv6 coverage, DNS over TLS (DoT) and DNS over HTTPS (DoH) as standard. They are privacy-friendly and their terms & conditions state that they do not retain any user data.
Their UI (user interface) is straightforward with a dashboard accessible via any internet connection.
Setting up is reasonably simple and well detailed on their site, and you can quickly start to build up your Deny and Allow lists.
NextDNS’s adblock DNS Service – Special & Noteworthy Features lists categories to block.
It is possible to choose from lists of categories or areas which you want to block or allow, and in the advanced setup mode you can identify individual URLs for 'treatment'.
This is something really cool, as you can select a large number of blocks and have literally millions of websites, trackers and analytics blocked before they ever reach your device.
The blocklist also has No Facebook and No Google as an option. It also has blocklists for Smart TVs which are sending metadata "home".
Overall, even with a Pi-hole setup you won't find lists that are easier to pick, and all without the headache of searching through GitHub or forums to make your home safe. It's easy: just select what you need and what you don't, and you are set!
On the same page you can also select Native Tracking Protection blocks:
This includes Xiaomi, Huawei, Samsung, Amazon Alexa, Windows, Apple, Roku and Sonos. On the same page you can also block third-party trackers or allow (not recommended) 'Affiliate & Tracking Links'.
On Parental Controls, you can deselect services like WhatsApp, Discord, Twitch, TikTok, Instagram, Facebook and the like, if you so choose, and even have that feature time-barred, switching it 'on and off' when you want to allow your kids to use it.
There is also a Category section that includes Porn, Gambling, Privacy, Dating and Social Media.
The rewrite feature allows users to redirect a domain to a different domain or IP, and their analytics can be set to provide graphs and lists of the blocked and most accessed domains.
These settings allow you to monitor logging, data retention periods, DNS Rebinding Protection and the DNS blocking modes.
Which brings me to the Allow and Deny list. If you have, like me, a kid at home but have blocked everything Google, you might have a hard time as YouTube won't work! So you can add the needed domains to the Allow list or, of course, introduce and explain Invidious to your kids and give them a link to proxified instances so you do not need to have any Google servers on the Allow list.
I can't stress this enough: you do not need to use YouTube to watch YouTube! Invidious has everything YouTube has, but without the tracking and the ads, and you can even let it run when the screen is off to, for example, listen to music on your phone.
The iOS version of NextDNS now also has a feature where you can select a nearby but private destination; in our case we have recently 'moved' to Hong Kong! However, I strongly recommend setting up your phone not with the official NextDNS app but with iVPN or Mullvad (WireGuard) and linking the VPN IP to NextDNS. This way NextDNS does not know your actual IP address and you have the filter and encryption list on an IP address in a different country!
On Android you can make things even easier: just start any VPN location, then go to Settings → Network & internet → Advanced → Private DNS, select the Private DNS provider hostname option and enter the DNS hostname provided by NextDNS (xxxxx.dns.nextdns.io), then simply hit 'save'. You are now using the blocklist and safe DNS that NextDNS is providing. This stays on even when you switch the VPN location.
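To confirm that the resolver you configured is really applying your blocklist, you can send a DNS over HTTPS query yourself and look at how the answer comes back. The script below is an added example, not code from NextDNS or from the original article. It assumes that a filtering resolver answers a blocked name with either a null address (0.0.0.0 or ::) or NXDOMAIN, depending on the blocking mode, and that you pass `doh_lookup` the DoH endpoint URL shown on your own NextDNS setup page; the sample replies are constructed so the classifier runs offline.

```python
import struct
import urllib.request

def build_query(name, qtype=1):
    """RFC 1035 wire-format query; ID 0 as RFC 8484 suggests for DoH."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def classify(msg):
    """Return nxdomain, null-address, resolved, no-address or error for a reply."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode:
        return "error"
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype in (1, 28):             # A or AAAA record
            addrs.append(msg[off:off + rdlen])
        off += rdlen
    if not addrs:
        return "no-address"
    return "null-address" if all(not any(a) for a in addrs) else "resolved"

def doh_lookup(endpoint, name):
    """POST the query to a DoH endpoint (RFC 8484) and classify the reply."""
    hdrs = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    req = urllib.request.Request(endpoint, data=build_query(name), headers=hdrs)
    with urllib.request.urlopen(req, timeout=5) as r:
        return classify(r.read())

def constructed_reply(name, addr):
    """Constructed sample: a one-record A reply for `name`, for offline runs."""
    return (struct.pack("!6H", 0, 0x8180, 1, 1, 0, 0) + build_query(name)[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(addr))

if __name__ == "__main__":
    print(classify(constructed_reply("tracker.example", (0, 0, 0, 0))))     # sinkholed
    print(classify(constructed_reply("allowed.example", (192, 0, 2, 10))))  # passed through
```

For a domain you know exists and have put on the Deny list, `null-address` or `nxdomain` means the filter answered; `resolved` means the query bypassed it or the rule is not active.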
This all sounds really good, right?
10 months ago we criticized NextDNS for using Google Analytics and for being hosted in the USA. This has changed a bit: the site no longer has Google Analytics, and you can switch off all logs or choose EU, USA or Switzerland as your log location. These logs can be totally disabled or alternatively set to 1 hour, 6 hours, 1 day, 7 days and so on. Logs are for you, and it can be interesting to see where your traffic went and what has been blocked.
The blocklists NextDNS offers are massive but you will probably always find some sites or apps that call somewhere, in which case you just block them manually. A really neat feature on top of a great list.
The stats will show you what happened and what was blocked the most:
Overall, I still say that Pi-hole is the best solution when it comes to privacy setups at home, but if you would like one for 'on the go' and at home, with encrypted DNS, which doesn't need much skill and/or knowledge to set up, then NextDNS is a solid solution for all your devices!