Don't Pi-Hole, NextDNS
It's time for a subject matter which will make most of us yawn, but which is intrinsic to how we use the Internet. Domain Name Servers (DNS) are the bit of the internet that translates between the names you type and the numbers machines use, so you can find the websites you love.
What is DNS?
💡 DNS ensures the internet is not only user-friendly but also works smoothly, loading whatever content we ask for quickly and efficiently. It's one of the cornerstones of how the internet operates. Without it, we'd be stuck memorizing long lists of numbers (IP addresses) to access the content we want. If DNS cannot map a domain name to the right IP address, you won't be able to reach the website you're looking for.
If you've done any form of home networking or owned a Raspberry Pi, you'll immediately think of Pi-hole as the de facto DNS server and ad blocker. It's quick and easy to install, and you can run it on anything from a Linux server to a Raspberry Pi. It has a simple interface, it's well supported and, generally speaking, once it's running you can leave it in the corner and just let it run.
There are some good reasons to run your own Pi-hole server. Firstly, Pi-hole is more than just a DNS server: it's a sinkhole server which checks the DNS names you're trying to reach and, if they are dodgy, stops access to those sites, protecting you from DNS-based attacks.
Then there is the fact that you own the server, run it, and know how and where it is configured. It's also unlimited and free: aside from the cost of running the hardware it sits on, the software itself has no cost.
Personally, I've been through the self-hosting-everything phase of my home lab, and the host-on-a-cloud-provider phase as well, and during this journey a few things have become apparent to me.
Life is too short to be running IT systems during the day and troubleshooting issues at home as well.
Keeping software patched, monitored and running on home hardware costs quite a bit in electricity and in replacing hardware that dies.
There are some amazing self-hosted tools out there, but I'm a lot more choosy about which ones I use and which ones I'd rather use a SaaS product for.
💡 Now remember, keyboard warriors out there, these are my personal circumstances; they won't be the same as yours.
I've been through a few self-hosted DNS servers, and while Pi-hole (and AdGuard) stand out for ease of setup, I've noted they were slow and resource-hogging.
That being said, I wasn't looking to do anything about it until I saw an announcement from Tailscale.
What is NextDNS
NextDNS is a personalized DNS nameserver that can be used to increase the security of your network by blocking malicious domains, blocking ads and trackers, and limiting the browsing experience for your kids. Tailscale only uses NextDNS with DNS over HTTPS (DoH).
You can configure NextDNS as a global nameserver in Tailscale, and set different NextDNS profiles for different devices.
This got me to at least take a look at NextDNS, and to be honest I liked what I saw.
Right off the bat, let's get one thing out of the way: NextDNS is free for the first 300,000 queries in a month. After that it keeps resolving, but it no longer blocks anything. For that, it is either a monthly or yearly charge.
Personally, I don't see under £20 a year for this service as too much of an overhead.
It probably costs me more than that in electricity and other costs to keep Pi-Hole running and fix issues with it.
However, this won't be to everyone's taste and that's fine.
Free or paid, NextDNS provides the following features:
If you use Tailscale, you add the IPv6 endpoint addresses; on the Google Wifi mesh I linked my external IP (I have a static one; DynDNS is also available) and added the IPv4 endpoints. Doing this ensures that all my devices, either at home or outside (when using the Tailscale VPN), use NextDNS.
For those times or devices off my Tailscale network, there are apps for
On mobile platforms and ChromeOS these mimic a VPN and pass the network traffic to the NextDNS servers for your account.
Endpoints and connections aside, the value add for a system like this is protection and security.
From a security perspective there are, at the time of writing, about 20 items in a toggle on/off list, ranging from protecting against newly registered domains and child abuse material sites to implementing things like Google SafeSearch.
All of the options are there to help ensure that if the "wrong links" are clicked on in chats or emails, NextDNS will block access to that site. A blocking page can be put up to tell the person why it was blocked, so if the site is legitimate it's possible to allow it via an allow list.
Privacy, as the name suggests, is all about stopping you from being tracked on the internet.
Using Ad and Tracker Block lists
DNS Blocklists are a common form of network-accessible database used in spam detection. They're also referred to as "DNSBLs", "DNS Blacklists" and "RBLs".
Now that you've got your link security and ad trackers under control, NextDNS has a good set of controls for keeping the younger (or elderly, or less tech-inclined) safe.
The option which really stood out for me was the YouTube Restricted Mode, which, when enabled, did a good job of filtering out specific categories and videos containing swearing.
And for the tech-savvy teenager in your life, there are the Block Bypass methods, which in all honesty can be bypassed, but only because I'm aware of how network protocols work on Linux, and it's a faff to do.
Analytics and Logging
Who doesn't like information? If nothing else, it's sometimes surprising just how much DNS traffic is being generated on your home network by smart devices and phones.
There is enough information here, together with Logging, to get a really clear picture of what's going on in your house with the internet and why something may have been blocked or not working.
Setting up Local DNS
Then of course there is the section to set up the DNS for the devices on your home network. This is found under Settings -> Rewrites.
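A worked model of the decision a filtering resolver makes for each query, covering both the block-with-allow-list behaviour described in the security section and the local Rewrites here. This is an added example, not NextDNS's or Pi-hole's own code; the evaluation order it uses (rewrites, then allow list, then deny list and blocklists, each entry matching a domain and all its subdomains) and the sample entries are assumptions.

```python
# Added example, not NextDNS's or Pi-hole's own code: the per-query decision of a
# filtering resolver. Assumed order: rewrites, allow list, deny list, blocklists;
# each entry is assumed to match the domain itself and all of its subdomains.
from dataclasses import dataclass, field

@dataclass
class FilterPolicy:
    rewrites: dict = field(default_factory=dict)    # local name -> IP (Settings -> Rewrites)
    allowlist: set = field(default_factory=set)     # always resolved; overrides blocking
    denylist: set = field(default_factory=set)      # user-added blocked domains
    blocklists: dict = field(default_factory=dict)  # list name -> set of blocked domains

    @staticmethod
    def normalize(name):
        # DNS names are case-insensitive and may carry a trailing root dot.
        return name.strip().lower().rstrip(".")

    @staticmethod
    def suffixes(name):
        # "img.ads.example.com" -> itself, "ads.example.com", "example.com", "com"
        labels = name.split(".")
        for i in range(len(labels)):
            yield ".".join(labels[i:])

    def decide(self, qname):
        """Return (action, detail); action is 'rewrite', 'allow' or 'block'."""
        name = self.normalize(qname)
        if name in self.rewrites:                 # local override answers first
            return "rewrite", self.rewrites[name]
        for suffix in self.suffixes(name):        # allow list beats every block source
            if suffix in self.allowlist:
                return "allow", "allowlist:" + suffix
        for suffix in self.suffixes(name):
            if suffix in self.denylist:
                return "block", "denylist:" + suffix
            for list_name, domains in self.blocklists.items():
                if suffix in domains:
                    return "block", list_name + ":" + suffix
        return "allow", "no match"

# Constructed sample profile (hypothetical entries, not from a real account).
POLICY = FilterPolicy(
    rewrites={"nas.home": "192.168.1.20"},
    allowlist={"cdn.example.net"},
    denylist={"bad.example.org"},
    blocklists={"ads": {"ads.example.com", "tracker.example.net"}},
)

def check(qname):  # run one query name through the sample profile
    return POLICY.decide(qname)
```

The `detail` string is the reason a blocking page would show, so a legitimate site that lands on a block can be traced to the exact list entry and allow-listed.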
I can't disagree that Pi-hole is a great product, and I can't disagree that all of this can be done using a Pi-hole, including the Tailscale bit. I do however like NextDNS: it is easy to use, easy to control and seems to be very quick at what it does.
Over the last year of using it, I've linked it in as an integral part of my Tailscale infrastructure, ensuring that I have the same protection I have at home while I'm travelling.