NextDNS

shoman94

Regular Contributor
Anyone here have any experience using this DNS? I would love to block ads, protect my kids online and still maintain DNS performance like Cloudflare.
 
Does it work the same just inputting the DNS servers without using the app or CLI.... This is new to me.
 
Does it work the same just inputting the DNS servers without using the app or CLI.... This is new to me.
The CLI or app is best to use if you can use it, since it forces clients to use the NextDNS configuration and uses encrypted DNS to stop your ISP from snooping on your DNS requests.
 
I would love to block ads, protect my kids online and still maintain DNS performance like Cloudflare.

Free alternative is OpenDNS. It also has user selectable filtering categories. Many servers around the world and good performance.
 
Another happy NextDNS user here. The additional advantages include “portability” - they have apps for every OS, so you can have the same level of protection everywhere. I also appreciate parental controls (much better than e.g. on Asus routers natively) and customizability of filtering. If you like, you can play with various blocklists yourself.

And back to the OP: yes, you can just input addresses of your NextDNS servers into respective fields of your router’s web GUI. What you lose is encryption of your DNS queries. If you don’t feel comfortable with the CLI app, you can check out the DOT option available in RMerlin’s firmware and copied by Asus in some beta versions of their stock firmware.
 
Isn’t that only free for basic features?

I believe more advanced features require VIP Home (with a similar price as NextDNS Pro).
Yeah, free OpenDNS is a simple unencrypted DNS, has no client filtering, and very crude control over blocking. Hasn’t been updated in years either.
 
Another happy NextDNS user here. The additional advantages include “portability” - they have apps for every OS, so you can have the same level of protection everywhere. I also appreciate parental controls (much better than e.g. on Asus routers natively) and customizability of filtering. If you like, you can play with various blocklists yourself.

And back to the OP: yes, you can just input addresses of your NextDNS servers into respective fields of your router’s web GUI. What you lose is encryption of your DNS queries. If you don’t feel comfortable with the CLI app, you can check out the DOT option available in RMerlin’s firmware and copied by Asus in some beta versions of their stock firmware.

I only recently went beta, and believe DOT was in my latest stock firmware too. I use DOH via the nextdns cli on a separate device though for client filtering. If you don’t need that (although I read DNS Filter is coming back in asuswrt in a later beta) another benefit with router DOT (vs dns ip4 address) is not having to fiddle with DDNS to get it pointed at your config at nextdns.
 
Isn’t that only free for basic features?

Yes, phishing/malware + about 50 user selectable blocking categories. Some network graphs and stats. DoH is there, but no DoT. This is what they offer for free and it may be enough for @shoman94. No doubt NextDNS has way better interface and per client stats (if the app is used), but it's a paid service.
 
Yes, phishing/malware + about 50 user selectable blocking categories. Some network graphs and stats. DoH is there, but no DoT. This is what they offer for free and it may be enough for @shoman94. No doubt NextDNS has way better interface and per client stats (if the app is used), but it's a paid service.

I thought the DOH was only for their preconfigured Standard or «FamilyShield» DNS and not the free somewhat configurable «OpenDNS Classic» which is what we’re talking about here (newer Home and VIP products are paid services).


It says here there are only 2 DOH endpoints, one for the preconfigured Standard and one for the FamilyShield dns servers:

 
I'm using OpenDNS on 2 networks, but I don't use DoH. Must be working for user configurable account. I don't like DoH idea on port 443 in general. With or without DNS queries your ISP still knows your browsing history with good accuracy, if this is the concern. The ISP's around me don't hijack DNS queries, no issues. I prefer ports 53, 853 for more control. Known DoH servers are blocked on my home network. NextDNS is like rental Pi-hole. What it does can be done locally without subscription services and logs/stats in foreign countries. Current Pi-hole does more and faster, actually.
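
Added example, not part of any post in this thread: a small audit over flow records that separates the three DNS transports discussed here (plain DNS on port 53, DoT on port 853, DoH on port 443) and flags clients that go around the router's filtered resolver. The router address, the short resolver list and the flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

ROUTER = "192.168.1.1"  # assumed: the only resolver LAN clients should use
# Assumed stand-in for a maintained list of public DoH/DoT resolver addresses.
KNOWN_PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed flow records in the form "src dst proto dport"; not real traffic.
SAMPLE_FLOWS = """\
192.168.1.20 192.168.1.1 udp 53
192.168.1.21 8.8.8.8 udp 53
192.168.1.22 1.1.1.1 tcp 853
192.168.1.23 9.9.9.9 tcp 443
192.168.1.23 203.0.113.80 tcp 443
192.168.1.1 203.0.113.53 tcp 853
garbage line
"""

def classify(src, dst, proto, dport):
    """Label one flow by how it relates to the router's filtered DNS."""
    if src == ROUTER:
        return "router-upstream"      # the router's own forwarding to its upstream
    if dport == 53:
        return "ok" if dst == ROUTER else "plain-dns-bypass"
    if dport == 853 and proto == "tcp":
        return "dot-bypass"           # DoT has a dedicated port, so it is easy to spot
    if dport == 443 and dst in KNOWN_PUBLIC_RESOLVERS:
        return "doh-suspect"          # DoH shares 443 with HTTPS; only the address hints at it
    return "other"

def audit(flow_text):
    """Return {client_ip: sorted bypass labels} for a flow log."""
    findings = defaultdict(set)
    for line in flow_text.splitlines():
        try:
            src, dst, proto, port = line.split()
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            label = classify(src, dst, proto.lower(), int(port))
        except ValueError:
            continue                  # skip malformed records
        if label not in ("ok", "other", "router-upstream"):
            findings[src].add(label)
    return {ip: sorted(labels) for ip, labels in findings.items()}

if __name__ == "__main__":
    for client, labels in audit(SAMPLE_FLOWS).items():
        print(client, ", ".join(labels))
```

A DoH resolver whose address is not on the list is labelled "other", which is the limit of port-and-address matching for traffic on 443.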
 
Well there’s now also DNS products like Cloudflare Warp which, in addition to encrypted DNS queries, makes it a bit harder for ISPs to analyze the following traffic in general. Faster and in lieu of full on VPNs.

I usually prefer processing things locally, but apart from my NextDNS CLI’s local cache or encryption job, the DNS queries are going out to a company anyhow, so why not use their excellent hosted UI and features too. I also bet (not locally cached) queries directly sent to their server farms are faster than forwarding them to filtering and processing on my tired Raspberry Pi’s Pi-hole first too. Maybe indistinguishable encrypted traffic is also not slowed down by logging/analysis of unencrypted queries on port 53 by my ISP before they forward it? But then again maybe my ISP buys enterprise DNS services for this from Cisco (OpenDNS) or other fast huge specialists anyway ;)

Also additional signed and authenticated DNS techniques like DNSSEC make you absolutely sure you have not been hijacked or tampered with.

“logs/stats in foreign countries” and other mature jurisdictions is usually thought of as beneficial privacy wise with regard to one’s own government or other potential abusers closer to home.

Anyway, I tried Pi-hole some weeks ago and it looked a bit crude in comparison, although open source with modifiable code. It doesn’t do client filtering without running the DHCP server either, and lacks all of the later encrypted DNS transports. I think open source AdGuard Home is coming to dethrone it as the local option too. The latter looks slick, has client filtering (without doing DHCP too), has native configurable DOH and DOT btw, and can easily run on even a router with open firmware.

Pi-hole is highly commendable for having been a pioneer though.
 
It doesn’t do client filtering without running the DHCP server either, and lacks all of the later encrypted DNS transports.

I don't run Pi-hole, but it can pick up host names and do per-client filtering without DHCP server part, also DoT and DoH, with or without Unbound. It's pretty straightforward configuration. I may check it again when I have the time. Any RPi works good enough, even RPi Zero W. Folks on this forum have a lot of tools available and enough knowledge/support to avoid external paid services. There is Unbound, Diversion, Pi-hole, AdGuard. I personally use pfSense firewall and filter locally what I don't need on my network. I don't do network wide ad-blocking, everyone is free to decide what they want to see.
 
I don't run Pi-hole, but it can pick up host names and do per-client filtering without DHCP server part, also DoT and DoH, with or without Unbound. It's pretty straightforward configuration. I may check it again when I have the time. Any RPi works good enough, even RPi Zero W. Folks on this forum have a lot of tools available and enough knowledge/support to avoid external paid services. There is Unbound, Diversion, Pi-hole, AdGuard. I personally use pfSense firewall and filter locally what I don't need on my network. I don't do network wide ad-blocking, everyone is free to decide what they want to see.
I have kids and their friends who are too connected for my taste so everyone is *not* free to decide what they want to (or happen to) see here :) Also their ad-riddled surfing isn’t going to slow me down.

I didn’t have those options in my version of Pi-hole (which I thought was latest) but it was only a matter of time before they included those popular features too of course. But adding more and more stuff in hindsight can also make it a resource hog compared to a new slick surgically architected software for just those things. Then again I tend to prefer well orchestrated minimalistic, mature, isolated and specialist software components as opposed to a new do-it-all-er. I agree there are certainly lots of options and am happy about all the competition. And learning about them while chatting in a forum :)
 
I didn’t have those options in my version of Pi-hole

It's there. You have to configure groups with associated blocklists and clients. I don't have it running right now, but I remember playing with it after one of the updates months ago. With no DHCP server running reserved IP's on the router is good enough, local hostnames on Pi-hole to make it prettier. Here is an example:


Unbound, DoT, DoH is also there, with a bit more work. Forwarder or resolver, your choice. There are guides how to do it. It's more configurable than NextDNS, actually. One time RPi investment and it does everything locally. Cached queries with 1ms response time, feels faster too.
 
NextDNS is like rental Pi-hole. What it does can be done locally without subscription services and logs/stats in foreign countries.
An important factor in choosing a (commercial) service for me is running it on mobile devices (mainly iPhones & iPads) on the go and on devices of family members living somewhere else.

I’d rather not have them being dependent on my Raspberry Pi (or an additional one installed at their homes) and thus gladly pay around €20/year for someone else to keep the service up and running.
 
