[HN Gopher] NextDNS Is Out of Beta
       ___________________________________________________________________
        
       NextDNS Is Out of Beta
        
       Author : jrnkntl
       Score  : 97 points
       Date   : 2020-05-26 19:25 UTC (3 hours ago)
        
 (HTM) web link (nextdns.io)
 (TXT) w3m dump (nextdns.io)
        
       | greatjack613 wrote:
       | Really happy to hear this. I have loved next dns since its start,
       | not only for their product, but also due to the fact it is a
       | clean sustainable business. No need for ads, a generous free
       | tier, and a cheap full featured paid tier. This is the way I
       | would like to see most SaaS's go
        
         | elliekelly wrote:
         | And they give users incredible control over their data/privacy.
         | Their privacy policy is fantastic[1].
         | 
         | On my dashboard I can:
         | 
         | - Enable/disable logs and decide whether logs include client IP
         | address and domains
         | 
         | - Clear logs and set log retention period (as short as 1 hour
         | and as long as 2 years)
         | 
         | - Select the country of the servers that store my logs to the
         | US, EU, or Switzerland
         | 
         | I really hope to see more tech companies follow their lead.
         | 
         | [1] https://nextdns.io/privacy
        
       | bretthopper wrote:
       | I really wanted to like and use NextDNS but my latency was ~200ms
       | vs maybe 10-40ms for my ISP resolver. I'm fine with paying a bit
       | of a latency price for the extra features and privacy, but not
       | that much. And I'm located in Toronto, not somewhere remote.
        
         | nextdns wrote:
         | Looks like a case of bad anycast routing, as we have a PoP in
         | Toronto! It happens and is usually easily fixable, can you talk
         | to us via the chat on our website (or at support@nextdns.io)?
         | 
         | A map of our network for anyone interested:
         | 
         | https://i.imgur.com/2uenEAZ.png
        
       | dewey wrote:
       | What's the difference between using the macOS app or just setting
       | the DNS on a router level? Just the attribution to a specific
       | device in the dashboard? I couldn't figure that out by reading
       | the (actually very well written) FAQ.
        
         | nextdns wrote:
         | - Encrypted DNS (DNS-over-HTTPS)
         | 
         | - Ideal routing (low DNS latency)
         | 
         | - Bypass DNS-level censorship (inside a country, from your
         | hotel Internet provider, your school, etc.)
         | 
         | - Being able to identify your device in the logs (if you choose
         | to)
         | 
         | - Hardened Privacy Mode (if you are into that)
         | 
         | Edit: this goes for all our apps
         | (iOS/Android/macOS/Windows/Router client), not just macOS.
        
           | ryan-allen wrote:
           | The Windows setup doesn't like Windows 10 on ARM, it couldn't
           | install the TAL driver. Very edge case I guess, I'm going to
           | install on x86 when I get home :)
        
           | dewey wrote:
           | That's very helpful, thanks!
        
           | ianmcgowan wrote:
           | I literally (not figuratively) set up NextDNS yesterday and so
           | far it's been great. The documentation is awesome, and love
           | the features available. The only mild feedback I have is that
           | the "Setup Guide" doesn't provide enough context about what's
           | going on, and the implications of setting up on my PC vs
           | mobile device vs router. It says:
           | 
           | "Follow the instructions below to set up NextDNS on your
           | device, browser or router."
           | 
           | A couple more sentences there would be super helpful..
        
       | PascLeRasc wrote:
       | "Try it now. No sign up required"
       | 
       | I love that phrase. This looks like a fantastic service!
        
         | lucasverra wrote:
         | It is, been using it for multiple months. I have no more ads
         | on my iPhone now, for free. The DNS requests pass through
         | Switzerland and I feel I have 007 level privacy. Sweet!!
        
       | buildbot wrote:
       | I trialed nextDNS based on other people talking about it here,
       | and have really liked it - it's really awesome to have an always
       | on, dns-over-https solution for every device. I think it's really
       | worth the 20$ per year, just for the slick ui and not having to
       | manage a pihole somewhere.
        
         | 40four wrote:
         | I was not aware of this service before, but I'm very
         | interested! The price seems very reasonable, and as you say,
         | not managing a pi-hole device is very appealing. I have tried
         | multiple times to set up pi-hole on a dev board on my home
         | network, and could never get it to work properly so I gave up.
        
       | k__ wrote:
       | I like it, but it's sad that I have to run an extra VPN app on my
       | Android because Xiaomi doesn't allow me to configure private DNS.
        
         | nextdns wrote:
         | It's a "fake" VPN, it only captures the DNS traffic (that's
         | just the cleanest/most efficient way to do it).
        
       | admax88q wrote:
       | What I don't get about DNS, is why doesn't every device just run
       | its own recursive caching resolver. Why ask ISPs and hotspot
       | providers to resolve your requests?
       | 
       | What would be the downside outside of corporate networks?
        
       | netcyrax wrote:
       | But missing the point. If I am worried about privacy from cloud
       | players, why to trust another cloud player?
       | 
       | I would set up my own Pi-Hole if I wanted true privacy.
       | 
       | Missing something?
        
         | bad_user wrote:
         | I'm more worried for my local ISP selling my browsing history,
         | or exposing it due to incompetence, because something like that
         | already happened and nowadays I'm worried they send that data
         | to local authorities too.
         | 
         | The "cloud players" you're worried about are big targets and the
         | law protects me, since we have the GDPR and the EU is trigger
         | happy in giving fines to big companies. Also my data is not
         | that useful right now to a US company.
         | 
         | Also the ad blockers for iOS Safari don't work well and I use
         | iOS Firefox anyway, which can't use Safari's content blockers.
         | So I'll take any help in blocking ads I can get.
         | 
         | This will also be valuable for doing some content filtering for
         | my son, without installing anti-virus crap on his devices.
         | 
         | It really depends on your threat model.
        
         | rsync wrote:
         | "But missing the point. If I am worried about privacy from
         | cloud players, why to trust another cloud player?"
         | 
         | The workflow I am (not quite finished) setting up is as follows
         | - I run a caching, recursive nameserver (unbound) in my own
         | colo space. That DNS server, not me or my devices, is the
         | nextDNS client.
         | 
         | Then I set all of my own networks and devices to use my
         | (unbound) DNS server.
         | 
         | My goal is to receive all of the benefits of a paid nextdns
         | account, but on the nextdns side, all they see is a single,
         | fixed IP, in a fixed location, owned by a corporate entity,
         | doing a bunch of DNS queries.
         | 
         | In fact, I am a bit worried about this exact setup because
         | although I am using this for my own, personal use, consistent
         | with their expectations, I could just as easily be a full-blown
         | ISP passing through my nameservice to nextDNS ... how do they
         | deal with that ?
         | 
         | Do they care ?
        
         | cj wrote:
         | 70% of HN readers probably don't have the technical knowledge
         | (or hardware on hand) to set up pi-hole without investing 10+
         | hours.
         | 
         | For those of us with a raspberry pi or intel nuc on hand, sure,
         | it only takes 30 minutes.
         | 
         | This service is for people who want to kill ads at the DNS
         | level without dealing with the hardware / setup of pihole.
         | 
         | Also, not many people are going to bother setting up a VPN to
         | access their pihole DNS when traveling or on cellular, which
         | makes NextDNS attractive.
         | 
         | The other argument is "just use ublock matrix". The counter-
         | argument is it doesn't block native app ads / tracking. (One of
         | the #1 blocked domains on my pihole is from Dashlane's MacOS
         | app, constantly wanting to phone home)
        
         | buildbot wrote:
         | You aren't missing anything, your setup would be more private.
         | 
         | There is a valid niche between no privacy and completely self
         | hosted DNS-over-HTTPS, that a service like nextdns solves well.
         | Just as Apple solves a by default more secure yet still not
         | without flaws phone, or how using a vpn provider is a midpoint
         | between a self hosted vpn and no vpn. I think the privacy trade
         | off here is good for many.
        
           | noodlesUK wrote:
           | Whilst I completely agree with your comment, I have a nit to
           | pick about the self hosted VPN part. What commercial VPN
           | providers sell is _plausible deniability_ through multiple
           | users having access to the same set of endpoints. A self
           | hosted VPN does not provide that. If I have a server
           | somewhere and route my traffic through it, that server doing
           | something can easily be tied to _me_ doing something. Hence
           | why you probably shouldn't self host a VPN. Now, if you're
           | only afraid of your ISP or neighbours snooping, then a self
           | hosted VPN makes sense. If you're afraid of advertisers or
           | the MPAA, then a commercial VPN makes sense.
        
         | ianmcgowan wrote:
         | They're pretty upfront about this in the excellent
         | documentation:
         | https://help.nextdns.io/en/articles/3941241-what-is-the-adva...
         | 
         | """ To be fair, there are also some advantages of using
         | Pi-hole® over NextDNS:
         | 
         | 1) You know who runs it. We can't ask you to trust us more than
         | yourself. We can provide all the guarantees you want, show who
         | we are and make promises, it is understandably easier to trust
         | a solution you manage yourself. Keep in mind though, that all
         | your unblocked DNS queries are still visible by your upstream
         | DNS. So there is still someone you need to trust with your
         | data.
         | 
         | 2) It's free with no limits. NextDNS is cheap, very cheap, but
         | it's still a paid service if you use it over a certain limit.
         | Pi-hole® is free to use. You still have to pay about $35 for
         | a Raspberry Pi + an SD card, which is equivalent to several
         | years of NextDNS subscription. You should also consider
         | donating to the Pi-hole® project if you use their solution.
         | After a few years though, yes, Pi-hole® should become less
         | expensive than NextDNS. """
        
         | halfmatthalfcat wrote:
         | How do you block unwanted DNS requests outside of the Pi-Hole's
         | radius (e.g. Home Network)? If I'm on mobile, NextDNS lets you
         | disable on user specified WiFi networks and then re-enables
         | when you leave range.
         | 
         | NextDNS can also be used as a fallback if your Pi goes down for
         | whatever reason too. Might as well have options in this space.
        
           | bauerd wrote:
           | Dynamic DNS and a redundant Pi-Hole setup
        
           | moreorless wrote:
           | VPNs are generally pretty easy to set up these days. If
           | redundancy is needed, can always run it on a cheap VPS
           | provider.
        
         | chickenpotpie wrote:
         | Am I alone in the feeling that a lot of privacy related
         | solutions are just paying for a promise? For example, a VPN can
         | record all my requests, they just promise not to and I can't
         | verify it.
        
           | dewey wrote:
           | You are not, at some point you'll just have to trust someone.
           | Just like that the app you submitted to the App Store is the
           | same one you are downloading and hasn't been tampered with.
           | 
           | As always it's a matter of tradeoffs, if you just don't want
           | to get tracked by ads it's probably a good solution. If you
           | are afraid of some nation state trying to track you down,
           | then probably not.
        
       | m-p-3 wrote:
       | I'm a fan of their service, and because most browsers support
       | DNS-over-HTTPS natively I can put the configuration right into my
       | browser settings and have the same level of DNS filtering even
       | when I'm outside of my home network without VPN.
        
         | nextdns wrote:
         | Google Chrome (and some Chromium forks) will also be supporting
         | custom DNS-over-HTTPS providers very soon (it's already being
         | rolled out to some users).
        
           | Already__Taken wrote:
           | It's in my chrome://flags/#dns-over-https currently
           | 81.0.4044.138 (Official Build) (64-bit)
        
             | nextdns wrote:
             | I meant this:
             | 
             | https://i.imgur.com/tZh6p0x.png
             | 
             | As far as we know, it's slowly being rolled out and not
             | behind any flag (unfortunately).
        
       | firloop wrote:
       | Signed up for a year as soon as I got the email announcement.
       | Love NextDNS and excited to see where they go -- particularly
       | would love some sort of time-based scheduling or API for rule
       | automations.
        
       | Gimpei wrote:
       | I've been using NextDNS and really enjoy it. I've found it a lot
       | easier to manage than pihole. Only issue I have is that it
       | doesn't seem to work with the Economist.
        
       | foob4r wrote:
       | That's awesome and I've tried nextdns and loved it. But - and
       | this is just me - I just don't trust anyone to delete my logs or
       | not log in the first place.
       | 
       | That's why I'll probably not move off of my pihole
        
       | bad_user wrote:
       | This is cool.
       | 
       | NextDNS appears to implement DNS over HTTPS (DoH) and Firefox
       | ships with it as an option, next to Cloudflare.
       | 
       | UPDATE -- Took it for a test drive:
       | 
       | * Logs are concerning, but look good for optimizing the traffic
       | and notice odd communications; I already noticed telemetry sent
       | by my browser that I switched off
       | 
       | * Ad blocking seems to work, not as good as desktop uBlock
       | Origin, but I'll take anything for my iPhone
       | 
       | * Latency is around 30 - 100 msec, which seems a bit high?
       | (server I connect to seems to be 400 km away)
        
       | pvg wrote:
       | A year to the day: https://news.ycombinator.com/item?id=20012687
       | 
       | Making this a perfect snee-less dupe!
        
       ___________________________________________________________________
       (page generated 2020-05-26 23:00 UTC)