Trying Out NextDNS

I recently decided to take a little bit of time to set up NextDNS. While on the surface it’s similar to the myriad other DNS resolvers out there you can opt to use instead of the likely horrible DNS servers provided by your ISP, NextDNS is essentially a cloud-based Pi-hole. You can use some of the built-in blacklists in the product to block things like advertising, trackers, malware domains, and more. There are a few key benefits to blocking things at the DNS level rather than relying on something to do the blocking in your web browser. First off, most mobile browsers don’t offer the same robust extension ecosystems we’re all used to with full computers; you might be able to toggle some settings to block trackers, for example, but advertising is often a different beast altogether (though the really bad advertisements typically also have egregious trackers, meaning that blocking the trackers will block the ads.) Additionally, there are some nefarious browser extensions posing as ad-blockers, and there have been instances of legitimate extensions being sold and turned nefarious. Google’s extremely sleazy war on ad-blocking also makes DNS-based filtering attractive, though I’d still recommend people avoid Chromium-based browsers if at all possible. The other nice part is that you can easily configure DNS settings on a router, meaning the same degree of protection can apply to IoT devices with no accessible network settings of their own. This similarly applies to applications on your computer that connect to the network outside of a browser, as we’ll see later.

NextDNS handles this by allowing you to specify your public IP address in their portal, thus linking traffic from your home with your NextDNS profile and all of the configurations that are in place there. The only caveat to it is needing to configure DDNS in some way or simply remembering to go to the portal in order to update the IP address should it ever change. Additionally, they offer apps for basically every major platform for configuring your devices and pointing them to the appropriate account. While you can just update the DNS settings in your host operating system rather than using an app, the app is still required for linking your device to your profile so that it will leverage the appropriate block lists. What I found to be really nice was that the iOS and iPad apps are able to leverage the new iOS 14 DNS profiles, meaning that it doesn’t need to create a shell VPN tunnel just for your DNS requests; that’s a huge win.

To really test it out, for about 2 weeks I disabled the ad-blockers in my common browsers and tried to let NextDNS handle the brunt of my filtering needs. Getting it configured everywhere was fairly simple. The web portal will tell you what your current public IP is and offers a simple button to update your account to leverage that IP address. This made it simple to get basically everything in my home network using it after I modified the DNS servers in my router. I still went ahead and configured the settings individually on my devices, too, for the rare instance during a global pandemic when I’m on a network other than my home network. The iOS and iPad apps just need you to tap a button to add the new DNS profile to the device. Likewise, the macOS app simply adds a new icon to your tray at the top-right and offers a toggle for turning on your NextDNS settings. Unsurprisingly, there’s no Manjaro Linux app, though the service offers a bevy of examples for configuring your DNS settings on Linux; you’re just stuck in the position of not being able to link the device to your NextDNS account if you happen to leave the home network. The only real problem I ran into was that I had configured Firefox to use DNS over HTTPS and forgotten about it; once I realized I needed an additional change beyond the OS DNS settings, everything was fine.

Operating this way, for the most part browsing the web was business as usual. Not quite as many advertisements were being blocked as I would have expected with a browser extension enabled (more on that later), but on the whole the experience was still positive. What really surprised me, though, was the degree to which IoT devices are just an absolute dumpster fire; checking the metrics NextDNS generates showed that anywhere from 10 – 20% of my total DNS requests were being blocked, but nearly all of the top 10 blocked domains were based on under-the-hood queries being made by my devices phoning home rather than from actual advertising or tracking on web pages. All of this is nicely showcased with graphs in the NextDNS portal:

While I expected the combined privacy invasion of my two Amazon Echo devices to be the worst offender, my single Roku device actually took the top spot by a significant margin. My top 10 blocked domains were:

  • scribe.logs.roku.com – 17,226
  • device-metrics-us-2.amazon.com – 1,327
  • telemetry.dropbox.com – 1,121
  • giga.logs.roku.com – 1,095
  • device-metrics-us.amazon.com – 794
  • mads.amazon-adsystem.com – 717

The only non-device domain making the top 10 was from telemetry queries from Dropbox, the frequency of which was a bit disturbing. Roku really caught me off guard, though, with a single device making over 18,000 queries in just a couple of weeks. While using more domains, the two Echo devices made under 3,000 (which is still really bad!).

As a bit of an aside, I was curious if the devices would simply give up on whatever they were phoning home about and drop the information or if they were storing it locally to upload in a bulk at the first opportunity. I ended up disabling NextDNS on my router around 9 AM and checked on the traffic of both my Echo and my Roku, neither of which were being actively used at the time. The Roku showed zero data use since the time I had been streaming with it the night before:

The Echo, on the other hand, immediately spiked with network usage to transmit who-knows-what. That’s nice and terrifying:

The other insight I found particularly interesting was just how deeply some of the biggest players on the web have their claws embedded across the Internet. For example, I don’t think any big Internet company is more evil than Facebook (though Google is trying hard), so I created a custom blocklist preventing facebook.com from resolving. This prevents not just Facebook from loading but also some of Facebook’s other properties. For example, I hate and don’t use Instagram, but some friends occasionally send me posts from there. Instagram straight up won’t work if the main Facebook domain can’t be resolved. How gross is that?
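As an added illustration (not code from NextDNS or from this post), the script below applies a Pi-hole-style domain denylist to a constructed DNS query log and summarizes the result the way the portal graphs above do: total queries, the blocked share, the top blocked domains, and which client was chattiest. It also shows the subdomain behaviour described in the paragraph above: a single entry such as facebook.com matches www.facebook.com and graph.facebook.com, while a name that merely ends in the same characters (notfacebook.com) does not. The log lines, client addresses, and the denylist entries are constructed for the example, and the log format (one "client qname" pair per line) is an assumption rather than any resolver's real export format.

```python
"""Apply a denylist with subdomain matching to a constructed DNS query log.

Added example; not NextDNS code. The log format and sample data are assumptions.
"""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log: "<client_ip> <queried_name>", one query per line.
SAMPLE_LOG = """\
192.168.1.20 scribe.logs.roku.com
192.168.1.20 scribe.logs.roku.com
192.168.1.20 giga.logs.roku.com
192.168.1.21 device-metrics-us.amazon.com
192.168.1.21 mads.amazon-adsystem.com
192.168.1.30 www.facebook.com
192.168.1.30 graph.facebook.com
192.168.1.30 www.instagram.com
192.168.1.30 www.bing.com
192.168.1.30 telemetry.dropbox.com
"""

# Constructed denylist. An entry blocks the name itself and every subdomain
# beneath it, which is why blocking facebook.com also catches graph.facebook.com.
DENYLIST: Set[str] = {
    "logs.roku.com",
    "device-metrics-us.amazon.com",
    "amazon-adsystem.com",
    "facebook.com",
    "telemetry.dropbox.com",
}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so lookups are canonical."""
    return name.strip().rstrip(".").lower()


def is_blocked(qname: str, denylist: Set[str]) -> Optional[str]:
    """Return the denylist entry covering qname, or None if it resolves normally.

    Matching walks label boundaries (www.facebook.com -> facebook.com -> com),
    so a plain string suffix check is avoided: notfacebook.com is not covered
    by an entry for facebook.com.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in denylist:
            return candidate
    return None


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Turn the assumed 'client qname' log format into (client, qname) rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than failing the whole run
        rows.append((parts[0], normalize(parts[1])))
    return rows


def summarize(rows: List[Tuple[str, str]], denylist: Set[str]) -> Dict:
    """Count blocked queries overall, per domain, and per client."""
    by_domain: Counter = Counter()
    by_client: Counter = Counter()
    for client, qname in rows:
        if is_blocked(qname, denylist) is not None:
            by_domain[qname] += 1
            by_client[client] += 1
    total = len(rows)
    blocked = sum(by_domain.values())
    return {
        "total": total,
        "blocked": blocked,
        "blocked_pct": (100.0 * blocked / total) if total else 0.0,
        "top_domains": by_domain.most_common(10),
        "by_client": dict(by_client),
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG), DENYLIST)
    print(f"{report['blocked']}/{report['total']} queries blocked "
          f"({report['blocked_pct']:.1f}%)")
    for domain, count in report["top_domains"]:
        print(f"  {domain} - {count}")
    for client, count in sorted(report["by_client"].items()):
        print(f"  client {client}: {count} blocked")
```

Feeding a real resolver's query export through parse_log (after adapting it to that export's columns) gives the same per-device view the post built from the portal graphs, and is a quick way to confirm which device is phoning home most before deciding what to block.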

NextDNS operates by giving you 300,000 customized DNS queries per month where your policies and blacklists will be applied. After 300k queries, the service will act like a normal DNS resolver; while your devices won’t suddenly stop having functioning DNS, they won’t be benefiting from any of the blocks you might be expecting. For just a couple of dollars a month, you can get access to unlimited DNS queries, and subscribing for a year gives a month for free. I found staying on top of my query usage to be a bit confusing, though. As is shown in the screenshot above, my total number of queries for the month is provided, along with how many were blocked. I was averaging around 30,000 queries per day on this graph. I realized after the first week, though, that going into my account settings in the NextDNS portal gave me a different metric on how many of my free queries had been used, and the data there was significantly lower. I ended my testing after using 280,000 queries according to the analytics graph, while my account settings showed that I had used just shy of 200,000 queries. I have no idea how those two numbers are different by 80,000 queries, especially when the two weeks of testing were done in the same month.

While I liked NextDNS, it wasn’t perfect. I had mentioned previously that the blocking wasn’t quite as good as what I’d expect from just relying on an extension when browsing the web. The main reason I could see for this is that some companies host trackers and advertising on the same domain they use for other, more legitimate purposes. For example, checking the blocked tracking metrics within Safari 14 showed that bing.com was still high in the running. Naturally a service like NextDNS can’t just block the entire Bing domain without breaking plenty of services people actually might want to use. If “close enough” satisfies your needs for blocking ads then I could see NextDNS being a good solution. If you’re like me and want to block everything, though, then you’re still going to need extensions in your browser, and that makes the value proposition for paying for something like NextDNS for unlimited queries a bit less tenable. What ultimately made the decision for me, though, was that I ended up running into a handful of issues with the app I used the most: the one on macOS. I’m willing to own that the issue might stem from my setup or my device, as my MacBook has 4 different VPN clients on it that I use (and frequently switch between) for work, the network stack on the device crashes with semi-regular frequency, and my home network is significantly more convoluted than most. What I saw, though, was that my DNS queries would periodically just fail. Trying to dig from the CLI would give me a timeout error, like the NextDNS servers weren’t responding. Pings to known IP addresses worked fine. If I turned off the NextDNS macOS application, then everything worked fine. Toggling it back on would result in broken queries again. Fixing this was a mixed bag that ranged from completely closing and re-launching the app to disabling my wireless network in macOS all the way to rebooting my laptop.
Between that problem and the fact that it wasn’t a standalone blocking solution for me, I opted to not dive into paying for the service, even though it has a lot of promise and does keep my Roku from being the chattiest device possible.