
A review of NextDNS. Stop unwanted content from ever reaching your internet connected device

Summary: This post goes over how to speed up your internet and stop unwanted content from ever reaching your device, for free. It’s very easy and can be done in less than 15 minutes.

What is DNS?

In simple terms, it’s like a phone book for the internet. If you type https://theprepared.com into your web browser, that request is sent to a DNS resolver, which converts the name to the IP address (172.66.43.161) that computers actually use to connect. This all takes a fraction of a second, but those fractions of a second add up over time.

What DNS do I have?

Most devices are set up by default to query your internet service provider’s DNS resolver. This not only gives your ISP more in-depth data on which sites you visit (so they can sell that valuable data and make more money off you by targeting you with ads), but it is often quite slow compared to other options. A faster option is using Google’s public DNS, full instructions here. While it is fast, many may not like Google having even more info on them, because Google is not known to be the most privacy-conscious company out there. Would you like an even better option though? The fastest DNS resolver out there, and one that doesn’t sell your data to advertisers, is Cloudflare. You can see in the chart below how your default internet service provider might have a query speed of 70ms, Google has one of 34ms, and Cloudflare is 14ms.

DNS

Another benefit of Cloudflare is that there are some optional malware and adult content blocking options. Click here for full instructions on how to set Cloudflare as your DNS resolver and/or enabling these minor blocking capabilities.
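To make the “phone book” and the query-speed numbers above concrete, here is an added example (not code from the original post or from any of the DNS providers mentioned) that builds a DNS “A” query by hand, parses the answer, and times a round trip to a resolver. Everything runs on the Python standard library; the sample response and the NXDOMAIN response are constructed inline, and the resolver addresses in the live section are my own assumptions, not taken from the post.

```python
import socket
import struct
import time

# Added example, not from the original post. It shows what the "fraction of a
# second" DNS lookup actually sends and receives: a 12-byte header, a question,
# and (if the name exists) an answer carrying a 4-byte IPv4 address.


def build_query(name, txid=0x1234):
    """Return the wire-format bytes of a standard recursive A query for `name`."""
    # Header: ID, flags (RD=1 -> 0x0100), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # Question name: length-prefixed labels terminated by a zero byte
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"
    # QTYPE=1 (A record), QCLASS=1 (IN)
    return header + qname + struct.pack("!HH", 1, 1)


def _read_name(data, offset):
    """Decode a (possibly compressed) name at offset; return (name, next_offset)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer back to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data):
    """Return the transaction id, response code and any IPv4 answers."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F  # 0 = NOERROR, 3 = NXDOMAIN (name does not exist)
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:  # A record: four-byte IPv4 address
            addresses.append(".".join(str(b) for b in rdata))
    return {"id": txid, "rcode": rcode, "addresses": addresses}


def time_query(resolver_ip, name, timeout=2.0):
    """Send one query to resolver_ip:53 over UDP; return (milliseconds, parsed answer)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
        elapsed_ms = (time.perf_counter() - start) * 1000
    return elapsed_ms, parse_response(data)


# Constructed sample answer: the question echoed back plus one A record for
# 172.66.43.161, with the answer name given as a compression pointer (0xC00C).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x0btheprepared\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([172, 66, 43, 161])
)

# Constructed NXDOMAIN answer (rcode 3, no answer records) for a name that does not exist.
SAMPLE_NXDOMAIN = (
    struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
    + b"\x0btheprepared\x03com\x00" + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    # Live comparison (needs network). Resolver IPs are assumptions for illustration.
    for resolver in ("1.1.1.1", "8.8.8.8"):
        try:
            ms, answer = time_query(resolver, "theprepared.com")
            print(f"{resolver}: {ms:.1f} ms -> {answer['addresses']}")
        except OSError as exc:
            print(f"{resolver}: query failed ({exc})")
```

Run it a few times against each resolver you are considering and compare the millisecond figures; a single run is noisy, so the chart-style comparison in the post only means anything over many queries. The `rcode` field is also the thing to look at when a name refuses to load: a filtering resolver answers differently from a resolver that simply found the address.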

While it may not be as fast as Cloudflare, I’ve been playing around with a different DNS called NextDNS. The reason you might want to try this one out is that it has a free, stylish, and easy-to-use interface that lets you add many more layers of filtering. By doing this, you have even more control to stop the bad stuff on the internet from ever getting to your device. If you aren’t tech savvy at all, don’t worry, there are some simple toggles you can click to set it and leave it. If you want to dive deeper and have more control, though, you can.

How do I get started with NextDNS?

It’s super easy to get started: go to https://nextdns.io/ and click “Try it now”. No signup is required to try it out for a week, and you have full control right out of the gate without creating an account. If you do like it, create a free account to keep control over things for longer.

Next, scroll down on the page and see step-by-step instructions on how to set it up on practically any device.

Setup guide

The next tab at the top of the page is Security.

Security

Each option you have to toggle on/off has an easy to understand description underneath so you know if that is something you want or not.

On the Privacy tab, there aren’t as many options, but instead you can add individual blocklists.

Privacy

Don’t go all crazy and add every blocklist possible; just pick a few that call to you. I’d at least enable “Energized Ultimate” and “NextDNS Ads & Trackers Blocklist”.

These filters are very impressive and are updated very regularly. For example, some of the privacy filters I have enabled were updated 10 minutes ago, 4 days ago, and 3 hours ago.

On the Parental Control tab, you can set up specific times in which certain sites such as Facebook, Netflix, or Snapchat are blocked, like after 10pm so your kid will get to sleep.

Socials

You can also block entire categories of sites such as pornography, gambling, or social media websites.

The Denylist and Allowlist tabs are where you paste specific websites to either block or allow them. If a site you like is getting caught up in one of the filters, you can allow that particular site instead of disabling the entire filter.

The Analytics tab is fun because that shows a summary of how many queries were made and what percentage were blocked.

analytics

The Logs tab goes into more detail on which site was accessed. If you see repeated calls to Adobe for example, you can copy and paste that and add it to the denylist if you don’t want that ever happening again.

On the last tab, Settings, you can disable logging, change how long logs are kept for, download logs, or clear them.
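The Analytics, Logs, Denylist and Allowlist tabs together form one workflow: read what was blocked, find the false positive or the repeat offender, and add a single name to the right list. As an added example (not code from the original post and not NextDNS’s actual log format or rule semantics), here is a small Python script that does that workflow over a constructed log. The log lines, filter names, and the precedence order (allowlist, then denylist, then blocklists, then a scheduled category like the Parental Control example) are all my own assumptions for illustration.

```python
from collections import Counter

# Added example, not from the original post. The log format, filter names and
# rule precedence below are assumptions made for illustration; they are not
# NextDNS's real log format or evaluation order.

# Constructed sample log: timestamp, queried name, result, filter that matched
SAMPLE_LOG = """\
2023-02-01T21:58:01 theprepared.com allowed -
2023-02-01T21:58:01 cdn.theprepared.com allowed -
2023-02-01T21:58:02 tracker.example-adnet.net blocked ads-trackers
2023-02-01T21:58:02 pixel.example-social.com blocked ads-trackers
2023-02-01T22:03:10 www.example-social.com blocked parental-schedule
2023-02-01T22:03:11 telemetry.example-os.com blocked ads-trackers
2023-02-01T22:03:12 fonts.example-cdn.com blocked ads-trackers
2023-02-01T22:03:12 telemetry.example-os.com blocked ads-trackers
"""

# Constructed policy mirroring the tabs in the post: allow/deny lists, named
# blocklists, and a scheduled category (blocked from 22:00 until 06:00).
POLICY = {
    "allowlist": [],
    "denylist": [],
    "blocklists": {
        "ads-trackers": ["example-adnet.net", "pixel.example-social.com",
                         "telemetry.example-os.com", "example-cdn.com"],
    },
    "schedule": {"parental-schedule": (["example-social.com"], 22, 6)},
}


def parse_log(text):
    """Turn the sample log text into a list of dicts with an integer hour."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, status, reason = line.split()
        entries.append({"hour": int(ts[11:13]), "name": name,
                        "status": status, "reason": reason})
    return entries


def blocked_share(entries):
    """(blocked, total, percent), the summary the Analytics tab shows."""
    total = len(entries)
    blocked = sum(1 for e in entries if e["status"] == "blocked")
    return blocked, total, round(100 * blocked / total, 2) if total else 0.0


def top_blocked(entries, n=3):
    """Most frequently blocked names: candidates to review for the denylist or allowlist."""
    return Counter(e["name"] for e in entries if e["status"] == "blocked").most_common(n)


def matches(name, rule):
    """A rule matches the exact name or any subdomain of it (example.com covers cdn.example.com)."""
    return name == rule or name.endswith("." + rule)


def decide(name, hour, policy):
    """Allowlist wins, then denylist, then blocklists, then scheduled categories."""
    if any(matches(name, r) for r in policy["allowlist"]):
        return "allowed", "allowlist"
    if any(matches(name, r) for r in policy["denylist"]):
        return "blocked", "denylist"
    for filter_name, rules in policy["blocklists"].items():
        if any(matches(name, r) for r in rules):
            return "blocked", filter_name
    for category, (rules, start, end) in policy["schedule"].items():
        # overnight windows (22 -> 6) wrap past midnight
        in_window = (hour >= start or hour < end) if start > end else (start <= hour < end)
        if in_window and any(matches(name, r) for r in rules):
            return "blocked", category
    return "allowed", "-"


def replay(entries, policy):
    """Re-evaluate every logged query against the policy; returns (name, hour, result, reason)."""
    return [(e["name"], e["hour"], *decide(e["name"], e["hour"], policy)) for e in entries]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("blocked/total/percent:", blocked_share(entries))
    print("top blocked:", top_blocked(entries))
    # fonts.example-cdn.com broke a page layout: allow just that host, keep the filter on
    POLICY["allowlist"].append("fonts.example-cdn.com")
    print(decide("fonts.example-cdn.com", 22, POLICY))
    # the social site is only blocked by the schedule after 22:00
    print(decide("www.example-social.com", 21, POLICY), decide("www.example-social.com", 23, POLICY))
```

The point of the precedence order is the one the post makes: an allowlist entry for a single hostname rescues a broken page without turning off the whole filter, while a denylist entry for a parent domain (say, the telemetry host that shows up most in `top_blocked`) covers every subdomain under it.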

This first test run of NextDNS works for a week and then you need to create a free account to save your settings and access them in the future. The free tier of NextDNS gives you 300,000 queries per month per device, which should be enough for most of us, but you can pay for more if you need it.

Overall I am quite happy with this service in the few days I’ve been testing it. I’ve set up a Raspberry Pi-powered Pi-hole DNS blocker before, which is similar to this but attached to your home network, and I prefer this easy, quick, and free way over that.

Setting this all up takes only a few minutes and can be reversed in seconds if it’s not for you.

Why this is relevant to this crowd

Be prepared against security and privacy threats by stopping them from ever getting to your device. If the website is totally blocked, no tracking or malicious software from it can even bother you. This can help you kick a bad habit of gambling or spending too much time on social media, or block unreliable news sources you may come across.

I am in no way an expert on DNS, but if you need help troubleshooting things let me know and I’ll see if I can help.


  • Comments (4)

    • 3

      What does it look like if you go to a site and it is blocked by your filter?

      • 2

        All you will see is your web browser’s default “site will not load” message. It will be a quicker response than if you were trying to load some other page because nothing is being downloaded and your quick millisecond short DNS query is coming back and saying not to load anything.

    • 4

      Hi Supersonic, thank you for posting this. This is an interesting concept.

      I am also a fan of digital privacy and disabling or stopping tracking wherever I can. Reading news stories about e.g. the Facebook pixel system connecting so much data online is concerning.

      I am also running a DNS blocker on my local network – currently Pi-hole on a raspberry pi, though I have also set it up on old laptops that were not being used. I was thinking a guide on setting up Pi-hole might be a useful “Digital Security & Preparedness 102” type post. However, running Pi-hole is complex enough that it’s not something I want to administer or maintain for friends, family, or neighbours. The level of technical knowhow and tinkering is just slightly too high, and the consequences of breaking are tough – if your DNS queries don’t work, it is difficult to use the internet.

      NextDNS looks like an interesting alternative, if you are able to set it up and don’t have to maintain hardware to enforce a block list.

      Is NextDNS simple enough that you would consider advising non-technical family, friends, or neighbours to set it up also?
      How about your thoughts on the company – how trustworthy would you say the service is?

      I find Pi-hole usually blocks 10-40% of all network traffic (!!) with the default out-of-the-box blacklist.
      The biggest culprits tend to be e.g. iPads playing games – you can see a noticeable difference in the amount of ad spam.

      Thanks for sharing this. Would love to hear how you like it after a few weeks or months.

      • 2

        I’m sure people would love to see a pi-hole guide, I would. The nice thing about pi-hole is that you aren’t trusting a third party for your DNS and can keep it all local. The downside is more tinkering, and if your device leaves that home network you are unprotected. So I still like NextDNS for on-the-go devices like your smart phone.

        I do think that NextDNS is very simple and easy to set up for the average person. The only thing the newbie might get caught up on is how to add a site to the Allowlist or how to identify which part of the site is being blocked. For example, site A might load fine, but so many websites also talk to other sites and have embedded plugins to function how the web designer intended. An easy enough fix, and one that I do, is: if I load a site and it looks weird, I go into the log section of NextDNS, then try loading the site again, and the new inquiry will show up at the top and you can see which part is being blocked. Just copy and paste that to the Allowlist and you are good to go. I’ve only had to do this once so far this week, which means that the filters don’t have many false positives for my use case.

        Right now I am at 19,125 queries, 4,108 of those have been blocked, which means 21.48% of my traffic is stuff I don’t want even coming to my device. Almost 1/4! I definitely like using this. And it’s not just full sites that are being blocked, that would only be like 0.5%, most of what is being blocked is the back end of websites, plugins, and other creepy trackers.

        A project I am going to be working on this week is to have NextDNS loaded on my laptop, boot up my other computer and watch all the queries come in from Windows trying to call home. I imagine there should be a lot. I then can notate all those addresses and add to my Denylist. 

        Do I trust NextDNS? For my threat model, yes. They have a very short, clean, and impressive privacy policy and give users control over their data. Once I am done playing with them and know I want to stick with this service for a while, I will probably turn off logging for some additional privacy. 

        Logs

        One thing I would have liked to see implemented is 2FA on the user’s account.