Over the last few years, secure internet browsing, as well as privacy, have become a pretty big concern for most people I know. I am pretty sure at this point most websites we use are secured with SSL; if they are not, something is truly wrong. However, for some time there has still been the concern of your DNS queries, ads, and trackers monitoring your activity. While the traffic to the sites you visit may be encrypted, DNS is not, and coupled with ads and trackers it's a twofold problem. Recently CloudFlare released 220.127.116.11 which, while providing DNS over HTTPS, does not add any tracker blocking. Most people I know then layer in something like Pi-Hole on top of that and/or OpenDNS. My goal for a while has been to run NO SERVERS in my house anymore other than my QNAP NAS for Plex media. I wanted a solution that provided secure DNS lookups, as well as ad and tracker blocking, in a single hosted solution. Enter NextDNS.io to my world.
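To make the "DNS is not encrypted" point concrete, here is an added example (not code from the original post or from NextDNS) that builds a plain RFC 1035 query, shows the name an on-path observer can read straight out of the packet bytes, and then wraps the same message in the RFC 8484 DNS-over-HTTPS GET form, where everything but the resolver hostname travels inside TLS. The resolver URL `https://dns.example/dns-query` is a placeholder, not NextDNS's endpoint.

```python
import base64
import struct

# Constructed sample: the domain the post ends up recommending.
EXAMPLE_NAME = "nextdns.io"


def build_dns_query(name: str, txn_id: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal RFC 1035 query (one question, class IN, RD bit set)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def extract_qname(packet: bytes) -> str:
    """What anyone on the path can read from a plain UDP/TCP DNS query:
    the queried name sits in cleartext right after the 12-byte header."""
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(packet: bytes, resolver: str = "https://dns.example/dns-query") -> str:
    """RFC 8484 GET form: the identical wire message, base64url without padding,
    in the `dns` query parameter. Only the resolver hostname is visible outside TLS."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def decode_doh_param(url: str) -> bytes:
    """Resolver side: recover the wire-format message from the GET URL."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


if __name__ == "__main__":
    pkt = build_dns_query(EXAMPLE_NAME)
    print("plain DNS exposes:", extract_qname(pkt))
    print("DoH request:", doh_get_url(pkt))
```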
Take a look at @nextdnsio …
— WillFulmer (@WillFulmer) November 14, 2019
It all started with one reply to a tweet I sent out trying to solve this problem. Most of the people I know don't mind running servers, or multiple servers for that matter, in their house, but my requirement is to not have that in my life anymore. Will Fulmer started a chain reaction with one reply to my tweet that has done wonders. So what is this thing all about?
What’s Important To Me
For me there were a few primary things to look for in services or apps like Pi-Hole, OpenDNS, Cisco Umbrella, or even NextDNS:
- Network Level Protection in the house
- Device Level Protection inside and outside the house
- Extensive filtering lists
- Logging and analytics
- Multiple Profiles
- Information Block Page
- Easy to use and edit settings for myself and Julie
- No Servers or Containers in the house
The challenge is I am not an "MVP" kind of guy. I want all the functions I can get out of the gate. I have been a user of OpenDNS Home VIP for years, as well as their Cisco Umbrella client on laptops for out-of-the-house protection, but as things like Pi-Hole came around, it was going to introduce more management and more layers. That may have been okay at one time, but given all my requirements I needed to make a switch. Let's first see where the OpenDNS stuff did well and where it lacked.
The OpenDNS Story
First, the network level protection was always great with Home VIP. It also provided stats and logs and filtering lists, along with whitelists and blacklists. It was a set-it-on-the-gateway-and-forget-it product. Where it became a challenge is that they need your external IP for the mapping, which is okay, but you have to run their updater client, or something else. For me I used the Dynamic DNS updater in the Ubiquiti gateway to do the updates, which was fine. Actually I used their aggregator product DNS-o-Matic because I had multiple services and records to update. Again, it worked, but it was multiple touch points. They also included a nice block page for sites that were blacklisted manually or via the lists. All in all, a very solid solution for anyone that wants network level protection, using DNS lookups, against malware and email links that point to bad sites. Lastly, secure DNS lookups using DNS over HTTPS are not easily possible from the Unifi Gateway Edge.
The second OpenDNS product I used on my laptops was Cisco Umbrella. This essentially used the same lists and filters, but loaded as a client onto a laptop. It DID use encrypted DNS lookups, but it had a separate reporting dashboard from the network-based Home VIP. I paid for the SMB package, which also did not include the ability to disable the local client when on a protected network, so in the house my laptop stats/blocks were always on the other dashboard; effectively, two panes of glass.
The big place it has recently started to fall off is the lack of tracker and ad blocking.
The Pi-Hole Story
First off, this is an amazing project. Its capabilities are simply awesome, and for everyone I know running it, and in my tests, it just worked. They even have options to couple this with OpenDNS as the upstream DNS so that you get the layered protection. You can control all the lists and filters yourself. The downside for me was that it has to be something you run in the house. On top of that, in order to ensure my wife doesn't call with an issue, running it on a single container was not an option, so I would have been forced to use two Pi devices to make sure it was redundant during upgrades, etc. This would have meant two more services to manage along with the two dashboards already in use. My goal here was to simplify, not complicate.
The Solution Is NextDNS
So now we come back to my tweet and Will's response about Pi-Hole as a service using NextDNS. When compared to my list, and to the other three services combined, I get just about everything I was looking for.
- Network Level Protection in the house – YES
- Device Level Protection inside and outside the house – YES
- Extensive filtering lists – YES
- Whitelisting – YES
- Logging and analytics – YES
- Multiple Profiles – YES
- Information Block Page – YES (Not customizable)
- Easy to use and edit settings for myself and Julie – YES
- No Servers or Containers in the house – YES
With a single account I can create multiple "profiles" and assign those to different things. For example, I can use a profile for my parents' devices and their house separate from mine. Or better yet, you can have a profile for your kids' devices, one for the entire network, and one for your personal machines. All in the same interface, with a single pane of glass. Also, for the network level dynamic DNS protection they give the option to simply update the profile with a DNS record lookup, so you don't need to do anything special if you already have some dynamic DNS updates and records out there. I thought that was pretty cool out of the gate. The client-based apps exist for multiple devices (no Apple Watch, but I am hoping for that).
The stats are broken down by device, provided the app is installed, and then "everything else" for things on the network like IoT devices and other non-app-capable devices. So pretty much everything is protected. They have lists that block malware like OpenDNS does, but they add in all the ad blockers and other tracking blockers that Pi-Hole offers. You can also block individual apps on another tab.
Requests from the apps are encrypted, but not yet from the Ubiquiti Gateway. My understanding is that they are working on something for that as well. All in all, it's turned out to be a great solution that's currently FREE, but they will eventually charge for it. However, for me that will replace the cost of OpenDNS Home VIP and Umbrella in one place, without the cost of purchasing Pi devices as well.
So while this does include most of the things I needed, it is missing a few things. Mainly the block page: right now it's hard to determine if the site is down or it's getting blocked. If there was a block page it could be perfectly clear that it was NextDNS blocking it. I believe they told me that was also in the works. Also, there is no indication of which queries were "new" vs cached, and as they move to a paid model I think this is a bit important. As you can see, in 30 days I have over 4 million queries but no idea which were cached lookups. Outside of those things it's a pretty solid platform, and it's been working well for about a month now. I'd really suggest more people try it out to help provide feedback and stats as they move to the paid model. There is a lot more you can play with, like rewrites, which you can even use to black-hole stuff or send it to your own block page. Bottom line: give NextDNS a try and let them and myself know what you think.