Hi @Leo, you’ve been talking a lot about NexrDNS. Would be great if you could do a Hands On Tech show about it, eg seeing it up on a router, a browser, and which settings to use and why. Thanks!
Hey @tokyotony, I agree that @Leo should produce this segment. It’s far from trivial, and this is a necessary consequence of the features of the service. They need to be able to track each account so they have to find a way to give you a unique setting. This complicates matters.
If you go to their web page, they give a setup page, with a bunch of different ways to set it up. If you want it to apply to all devices in your home [WiFi] network, then you would want to apply it at the router. Here’s the relevant portion of the setup page:
This applies in your router, here is a pic from my router’s web config showing where this would apply. (Knowing, of course, that every router’s config will be somewhat different.) I don’t personally use NextDNS so don’t have the fields in the picture containing the correct DNS entries, but it will show you where to put it.
Since they offer services that track users, you would ultimately want to create an account, and I assume that process is more involved.
Thanks. I have given it a try and put it on my router and then the apps on my Mac and iPhone. I decided to remove it because I was finding websites and search results started to “break”. I know this is part of the Privacy section, but not sure which content blockers best to select. In addition, my wife is Japanese and used an IP TV feed and not sure if NextDNS will mess things up for her (and I am not home all the time).
So, I am looking for more practical advise on how to set it up from @Leo’s experience or others, i.e. which setting are best at a minimum, which are probably okay to use, and which ones are more advanced and probably best to avoid.
Just curious, do you use something else?
I use Quad-9. Its claim to fame is that it won’t resolve any IP addresses of known malware sites.
For the heck of it, I setup NextDNS last night.
Here are my initial thoughts, compared to what I expected based on Leo’s conversation with a caller on TTG.
- You only get useful analytics if you install their app. That’s the only way to determine which device is doing what. If you only point your router to their DNS servers with a linked IP, you get logs, but no way to determine which device is making the request. Leo had stated that the caller would be able to get this information without needing to touch devices.
- The filtering does not seem to apply per device. Only for everything on the account. Again, Leo made it appear that this could be enabled per device.
Right now I’ve got all filtering disabled so the service should act as a normal DNS service. I might add additional devices, but I’m not sure I’m going to stick with it.
Wait, Quad9 has filtering like OpenDNS now? Might give it a try, though I have been using 1.1.1.1 as they have servers in Adelaide where I live so lookups have been very fast.
In using it about 7 locations i found that the secure DNS settings worked as it should with browsers using the ‘https://x.nextdns.io’ setup per device on android i use the INTRA app to give each user their own DNS account.
for the res of the house i use the quad9, quad1 and Google DNS.
Other devices that are in my DMZ have their own dnscrypt services running.
Right, each user would need their own account to do per user/device filtering.
The way Leo advertised it, he made it seem that you would get this functionality just by changing your DNS to them, without having to touch individual devices. That isn’t the case.
I believe the core mission behind quad 9 was always security filtering. IBM’s security research division was a founding part of the org. The filtering is not customizable like OpenDNS however, to my knowledge.
This idea of it is the home network machines have a DNS setting for the general devices.
By being able to set unique dnscrypt accounts for each device then you can take them out of the home network and still get some of the same service for DNS resolution unique to the device.
I understand what you are saying.
But again, my comparison is solely against how Leo advertised the service to a caller. The reality is that the service, while good, is not what the caller was looking for and does not meet the caller’s requirements. But, with that said, I’m not aware of a service that will do what the caller wants without needing to touch machines. Unless they want a corporate solution for the enterprise, but that has its own requirements.
If you setup the DHCP in your router to send the DNS down to the clients instead of setting it up the router with the DNS servers then you can track by device.
Not all routers allow you to do this, so that will depend more on your equipment.
You could also setup a PI as your DHCP, but at that point you might as well do PI Hole instead.
Unfortunately, my router does not allow me to do that.
Maybe I’ll static a couple of devices and see what happens.
Thats why for my situation with my routeter being faily simple. I set the NextDNS.io DNS in IPv4 then used the integra APP and SimpleDNS crypt (on windows) to set the DoH per device as seperate accounts.
When I leave home i use a VPN but continue to use my DNS settings.
Definitely agree. Tried to set it up last week and learned that it was not possible on Comcast / Xfinity router/modem combo unit. I guess losing control of my data is bad for them.
I set up a PC is a gateway running Ububtu server then added a vpn account on that then set the DNS to the next dns IPs.
Spectrum… Zoom calls and all other traffic have improved significantly.
Did you install a certain GUI with the Linux installation?
If you can send the process you used I would appreciate it.
I tried to do the Linux Ubuntu (Kubuntu 20.04 desktop) install on this unit (HP Win10 touchscreen all-in-one Windows 10) and could not get it to read from the USB on boot up. One side note: I tried to upgrade installed Win 10 to professional 10 in the past but couldn’t downgrade when the trial was over. The screen still shows no license. There is no content I need on the unit and don’t need a dual boot, so wiping it with Linux only is ideal.
You don’t need to use a particular distro I used the default gui.
I’ve done it with the basic ubuntu desktop version too.
Once installed the OS you need two NICs one ethernet for the WAN and the other for the home.
-
from the command line i used this command to get to the advanced connection manager;
#: nm-connection-editor -
create a new interface and select the unused network cable to share with the rest of your house, then i selected the second ethernet port to share the connection and plug it into the routerswitch for the house. (I kept IPV6 disabled for ICS)
-
setup your VPN sevice on the gateway machine with the DNS set to
45.90.28.22
45.90.30.22
Go to the https://nextdns.io and then setup an account there to puck what you want to filter.
on your internal machines
Alternate solution that worked is to use a docker server online or self hosted; https://github.com/DNSCrypt/dnscrypt-proxy/wiki/How-to-setup-your-own-DNSCrypt-server-in-less-than-10-minutes
I just wanted to follow up on my saga. I decided to remove the configuration for NextDNS from my equipment. I was starting to have some issues with the way I work. I did this about a week and a half ago. This morning, I got an email that I was getting close to my quota and that I should subscribe (the price was reasonable). But according to the logs, there’s been no queries to them since May 9.
Still, depending on your use case, it can be a great product, just didn’t work for me.