I ran a competing project[0] on my home network for a few years before I discovered NextDNS[1]. What I lost in performance (requests don't leave my house) I gained in portability: ALL my devices can take advantage – at home and away – and time-saved. PiHole works 90% of the time, but when it did stop working, I'd have to spend a bit of time fixing it. At $20/year, I simply couldn't compete with NextDNS.
Note: This isn't a shill for NextDNS; I love these kinds of projects and think they absolutely should exist, but NextDNS just happens to be one of those dead-simple SaaS tools that is an insanely good value.
> PiHole works 90% of the time, but when it did stop working, I'd have to spend a bit of time fixing it.
I don't know what problems you had with your Pi that resulted in 10% downtime, but that sort of hyperbole sounds a lot like shilling. Cases of SD card corruption are 99.9% due to the use of underpowered power supplies - just buy the official Raspberry Pi power supply if you can be bothered to search for a proper 2.5-3A USB power supply.
> At $20/year [...]
At $20 a year, I could buy a RPi Zero 2W and an SD card to keep as a spare every single year and have enough left over for a celebratory Sheetz sandwich. PiHole + WireGuard + $15 RPi Zero (once off) are unbeatable.
I think it's weird when people suggest that a self-hosted on-prem solution requires no maintenance and has so little downtime such that the time spent fixing issues doesn't matter.
I run a bunch of local services on RPis and a decade-old Mac Mini. I love having the control over things, but I don't pretend I don't spend a decent amount of time maintaining it. I only run things that don't need to be highly available, so something like Pi-Hole is off the table. The last thing I want is for our DNS to go out while I'm sleeping, and my partner has to wake me up because she has work to do.
You mention SD card corruption as the only reason why a RPi-based service might fail, but there are plenty of others: botched updates, random hardware failures, power supply issues, and likely other things I'm not thinking of.
And even if a Pi-Hole can keep three nines of uptime (I'm skeptical of this claim), many people will find significant value in giving someone else money so they don't even have to think about digging into fix a problem for the rare occasion it happens. Suggesting that a particular home-hosted solution is "unbeatable" is meaningless; "unbeatable" in this case is a subjective measure, and other people will value different things than you do.
> I love having the control over things, but I don't pretend I don't spend a decent amount of time maintaining it.
I don't know the nature of your maintenance, but I've had unattended security updates working for years, I automated a bunch of stuff and use etckeeper.
> I only run things that don't need to be highly available
Redundancy helps. 2 (more!) RPis can be primary/secondary/tertiary DNS servers to match paranoia levels. Even if you have a single PiHole, keeping a pristine copy of the PiHole on a $3 SD card will get one up and running instantly.
> Suggesting that a particular home-hosted solution is "unbeatable" is meaningless
Oddly I found myself upvoting this comment AND the parent. Neither are wrong. There is no right or wrong on this subject.
$20 a year spent on a hand-rolled RPi that you have full control over and enjoy tinkering with—amazing value!
$20 a year for something like NextDNS so you can spend your time worrying about more important (to YOU) things, amazing value!
It's wondrous the choices we have today. 30 years ago it would have taken a rack full of noisy servers and a few thick books to keep a DNS service up and running at anything even close to 99%.
Not addressing Pihole directly, as I don’t have much experience there. But have you maintained a router? Running open source firmware or not, a router does require a certain level of maintenance, open source ones arguably more. But that doesn’t make it problematic enough to have a lot of downtime. Given some people run pihole-like software directly on a router, I’m skeptical the downtime there is significant enough to stay away from. I mean having high availability internet at home is hard, but I expect the rate of failure of a router to be similar in magnitude compared to pihole. If you can’t tolerate the latter, I wonder how you solve the availability issue of the former?
Don’t want to jinx it but I’ve been running a pihole on a RPi 3 for a really long time - at least 6-7 years and the only thing I’ve had to do is an occasional upgrade.
I like the convenience and the fact that I’m blocking about 4M domains.
My TV is also forced to use it so ads don’t update on Android TV.
Not sure if NextDNS supports custom domain lists or not.
Back of envelope calculation for my RPi Zero 2W: 1W * 24h * 365 = 8.76kWh, which when rounded to the nearest dollar is $1 per year on electricity - so I guess I won't get the fancy Sheetz sandwiches, but it's not exactly breaking the bank compared to the $20 SaaS subscription.
Effectively, yes, for how much it costs to run. You know if you pay for a service that your subscription partially goes toward their power bill, right?
I'm curious what issues you ran into with Pi-hole? I was running my instance for years without a single hiccup. I ended up moving to AdGuard Home about a year ago though because I wanted to run it on my OPNSense box.
I have an automatic WireGuard VPN set up on my devices to VPN into my home network when I'm not connected to my SSID, so my local DNS still works remotely.
> I'm curious what issues you ran into with Pi-hole?
My primary problem with Pi-hole or any other DNS-based blocker is that it silently breaks things. YouTube stopped saving my spot in videos. I couldn't click through on any link that involved a tracking service.
These things accomplish their stated task well, but leave behind an insidious trail of browser errors, broken pages, and broken apps without ever indicating to the user what the cause of the problem really is.
DNS just isn't the right tool for fixing shitty UX in the browser DOM or a mobile app. It's a happy coincidence that it works more often than not.
Yeah nextdns regularly blocks things I don’t want to see and many email tracking links fail, some online stores don’t work (https://www.thermoworks.com/) and it’s really easy to turn off on my phone.
I saw some people setup pihole 5min temporary off buttons one way or another to get by.
I run lockdown also.
Try disabling uBlock or other privacy extensions. Thermoworks add to cart doesn't work on my regular browser with everything, but works on my browser that doesn't have those extensions with NextDNS; again it might be one of your blocklists.
Odd - I have a pi-hole on my home network and never hit the issue with YouTube. The only breakage I've found is the top "results" (actually sponsored ads) on Google search don't work, but I always scroll past those anyway to discourage bad behaviour.
In fact pi-hole works so well that I'm always struck by how awful the internet has become when I venture away from my home network. Doctorow's enshittification in action.
The YouTube thing was what turned me on to Pi-Hole's list of commonly-whitelisted domains[1], but even after adding it, the experience of things breaking was just ultimately too frustrating to keep using it.
It's really an issue with feedback, though. When my ad blocker breaks a page, it says that it blocked something. When pi-hole breaks a page, it just appears to be broken.
I have had to do the same to fix Youtube progress reporting, but not much more. That is one of few things the PiHole has ever broken for me (that I know of...). I agree that a problem with PiHole is that if something is not working and I disable uBlock as a debugging step, then I have to also browse and login to 2 different PiHole GUIs and temporarily disable it, without knowing if PiHole actually blocked anything. It is especially inconvenient when on the phone. I have not looked if it already exists, but I would want a nice little app I can open and just click "disable for X time" which would disable the blocking on all my PiHoles at once. Also syncing all settings from a "master" instance would be great. Maybe the default lists should contain some of the whitelisted domains or something as well.
Still, these problems are so small compared to the value I get out of my PiHoles. Blocking ads for years on end while having troubles maybe 3-4 times in total. All the other time it just works.
I tried that too, but the Pi needs to be bridged to the network for it to show up properly and that caused issues with docker containers not being able to access it properly.
Most likely it can be made to work, but I have more money than time to spend on faffing about with stuff that should Just Work, so I threw $10 at NextDNS which solved all my issues instantly :)
The Pi needs a bit more power than most USB power plugs deliver; did you get any warnings about underpower? The SD card corruptions are often caused by this.
> I have an automatic WireGuard VPN set up on my devices to VPN into my home network when I'm not connected to my SSID, so my local DNS still works remotely.
Exact same setup for me also.
I also run Tailscale since I have run into some remote networks that blocked wireguard's port.
I like the idea and might set that up, but my residential ISP doesn't have great peering and latency isn't great. I wonder if that extra roundtrip would be noticeable or not.
I do this from my phone with crummy copper ADSL at home that gets <20Mbps in the uplink and don't notice the difference between it being on and being off. YMMV of course, and all I'm doing is basic web browsing, occasional youtube videos and chat apps but it's fine for that.
Too many false positives with Pi-Hole. I never felt comfortable putting my partner on the same vlan that it was serving DNS requests for fear that something would break for them when I was out of town, unable to get into the pi-hole and sort out the issue.
I also had my banking app stop working one day. Never could get it working. Eventually I just got fed up with having to switch vlans or to mobile data to check my bank and got rid of the pi-hole.
The blocker on PFsense eventually had the same issue.
Realistically, I was probably running too many overly restricting blocklists for my actual needs.
But, I also don't want to fiddle with messing with the out of the block blocklists that also caused me issues.
I can empathize with the sometimes aggressive blocking, and as you pointed out can be pretty block list dependent.
I generally will go in and whitelist things if a site breaks due to a DNS block, but of course putting your partner on the same VLAN can be problematic. I "got around" that by having a button in Home Assistant that will completely turn off Pi-hole (and now AdGuard). So my partner will go in and toggle that if there's a problem.
AdGuard Home does also have the ability to completely disable blocking for specific clients.
I had similar issues, and the problem with a whitelist is it can be very difficult to figure out exactly which cryptic subdomain of some major company is necessary for the service to work, without just allowing everything and defeating the purpose.
Sure, if you’re accessing it in your web browser. But when it’s an app on someone else’s phone that’s misbehaving, that’s where I throw in the towel. It’s not worth the effort at that point.
> I never felt comfortable putting my partner on the same vlan that it was serving DNS requests for fear that something would break for them when I was out of town
One potential workaround, if your hardware supports it, is to broadcast two separate SSIDs for general users: one with a blocklist, and one without as a fallback. Users just need to know when to use each.
"Just" is doing a lot of work in that sentence. That sounds like a lot of work, and it isn't always obvious which weirdly-spelled domain is causing the issue.
I did have several issues with AdGuard Home: after some time (or packets?) the DNS wouldn’t resolve and basically you can’t open any website; you can ping with no issues but not open the site. It was only resolved by either restarting the server or waiting a few minutes. I didn’t bother to troubleshoot it, but I tried it on several pieces of hardware and got the same issues with different interruption times.
I experience similar issues with Cloudflare Zero Trust (I have it setup to work as an ad blocker, using a Terraform config to update blocklists pulled from eg uBlock Origin sources). It'll work great most of the time, but when it stops working I need to disconnect and reconnect. Hard to complain since it's free, though.
The one (fairly huge) issue that I have is that it cannot handle captive portals when its enabled on my iPhone. So if I'm joining the wifi on a plane, etc, I need to remember to turn it off. This means that I cannot recommend it to my non-technical friends.
Most likely it's due to the different lists you can add or use on NextDNS. I also have issues with captive portals (I run a number of lists on NextDNS) and I just flip it off and on when I need to.
I just checked, and I don't use any lists, except for an allow list I just started with captive portal domains. E.g. .aainflight.com, .captive.apple.com, etc.
Interesting -- for me pi-hole has worked for so long that I've forgotten my login even, but when I redo my home network in the near future I definitely intend to re-evaluate the options. Sounds like I've got 3 now...
This is also my issue with pi-hole, I still use it but I lost the password. Every now and then I take a crack at getting back in so I can update it. I have been thinking of switching to NextDNS so I could have blocking everywhere.
Other than this problem, Pi-Hole has always been great
Haven’t used NextDNS but have used PiHole and currently running AdGuard Home. But if you are paying $20/year just for DNS encryption/blocking, you may consider upgrading to Mullvad which gives you DNS Ad blocking but also IP anonymity, tunneling etc.
The two are not the same; with NextDNS I can choose to enable logging and see all requests from each device, as well as allowlist/denylist any domain/subdomain I want.
Except all of these third party VPN and DNS type services are literally NSA honeypots and privacy nightmares. I get that you have to do DNS lookups somewhere, but I'm not going to make it ridiculously trivial for a bad actor to scoop up all that data conveniently in a central location.
It is up to you to decide what you believe, but Mullvad is a swiss company that does not ask for your personal information for signup and even allows payment in cash. You hurt your own credibility each time you make an unqualified claim without looking into it.
NSA tapped the phones of the German Prime Minister.
They are the same spooks that intercept router gear in transit, flash it with secret firmware, then put it back in the mail. Like, of course the United States intelligence apparatus, agencies with an unlimited budget, a national security mission, and complete exemption from all laws, has 100% capability to spy on some tiny company in Sweden.
I agree there's a very high chance they and the majority of other VPNs are - or if not the US some other intel org.
The US government has form (what was that early crypto machine they sold to allies and it was backdoored?), and they'd be foolish to miss such a strategically obvious play.
I setup Pi Hole with tailscale on an inexpensive cloud server. It is configured to serve DNS requests over the tailscale interface. Also added tailscale IP address of the Pi Hole to tailscale DNS override to ensure that all devices on the tailnet use it without any additional reconfiguration. For redundancy, I have multiple DNS servers on my tailnet. Family and friends can use it without worrying about portability and be protected at all times, especially on cell networks.
Tried this. Latency of DNS is so critical that I wasn't loving the self-host option. Plus Tailscale wasn't quite reliable enough for all DNS traffic outside the house.
I ended up with Pi-Hole on local network (manual DNS tied to Wifi SSID), NextDNS as default/fallback on other networks.
Happy nextdns user here who used to have an overly-complicated setup with pihole and vpns etc. The only thing I have to complain about is the iOS app. I really wish it had a built-in way for viewing logs and white/blacklisting domains from the app, without having to go to the site. (Other settings would be nice too, sure, but as aggressive as I run it I find myself fiddling with the whitelist the most.)
I've used ControlD [https://controld.com/] for this and liked it. Does anyone know how NextDNS compares to it?
ControlD has worked well for me, outside a few UI complaints I have with their site. I do have some concerns with trust as I don't know much about ControlD, and I'd rather use the most trusted service for this.
I've been a NextDNS user for years now, and am trying out ControlD (last week) before I commit to switching. NextDNS development seems to have stalled and there are a number of conveniences missing, such as being able to label allowlist entries (ControlD supports this). Also, running the NextDNS app on a device that uses a different profile than the one on my home router results in constant issues when the device wakes from sleep (not able to resolve domains for a noticeable amount of time on wake). NextDNS claims this is an Apple issue, but I don't think that's entirely true. Certainly not a problem for other similar services.
I'm seeing ControlD as much more feature-rich and the service is evolving faster. I also personally like the UI a bit more vs NextDNS. Prices are comparable.
With your link, I'm only seeing "Free Trial". While I'm not seeing any pricing for personal use (without signing up at least), I'll take you at your word.
I ran Pi-hole along with my OpenBSD router running unbound for some period. Then I realized I can download the same entries used for Pi-hole, AdGuard, uBlock, etc. I created a simple script that generates an unbound configuration that I can include in my unbound.conf file.
One advantage over Pi-hole I noticed is I can return NXDOMAIN which makes more sense to me. I didn't see how I had that option with Pi-hole.
I just checked, and the generated unbound configuration comes in at 218000 lines, so takes a moment on my Celeron J3060 class router when loading unbound.
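A generator of the kind the comment above describes, written here as an added example rather than the commenter's own script: it reads hosts-format and AdGuard-style list lines, drops names already covered by a blocked parent (which is where much of a six-figure line count comes from), and emits `local-zone ... always_nxdomain` entries, with a `transparent` carve-out for any allowlisted name that sits under a blocked parent. The sample list and the allowlisted name are constructed.

```python
"""Turn Pi-hole/AdGuard-style blocklists into an unbound include file.

Each blocked name becomes:   local-zone: "name." always_nxdomain
so unbound answers NXDOMAIN for that name and everything below it.
Added example, not the commenter's script; the sample data is constructed.
"""
import ipaddress
import re
import sys
from typing import Iterable, List, Set

# Names that show up in hosts files but must never be blocked.
SKIP_NAMES = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}

_LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
# Plain AdGuard/uBlock host rule "||example.com^" with no modifiers.
_ADBLOCK_RE = re.compile(r"^\|\|([a-z0-9_.-]+)\^$", re.IGNORECASE)

# Constructed sample mixing the formats these lists commonly use.
SAMPLE_LIST = """\
# hosts-format section
127.0.0.1 localhost
0.0.0.0 ads.example.net tracker.example.net   # two names on one line
0.0.0.0 cdn.ads.example.net
||telemetry.example.org^
! adblock-style comment
metrics.example.com.
"""


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def domains_from_line(line: str) -> List[str]:
    """Return the block-worthy domain names found on one list line."""
    line = line.split("#", 1)[0].strip()
    if not line or line[0] in "![":          # empty, adblock comment, header
        return []
    m = _ADBLOCK_RE.match(line)
    if m:
        tokens = [m.group(1)]
    else:
        tokens = line.split()
        if _is_ip(tokens[0]):                # hosts format: IP then names
            tokens = tokens[1:]
    found = []
    for t in tokens:
        name = t.lower().rstrip(".")
        if name not in SKIP_NAMES and _DOMAIN_RE.match(name):
            found.append(name)
    return found


def parents(name: str) -> List[str]:
    """All ancestor zones of a name, nearest first ("a.b.c" -> ["b.c", "c"])."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def render(names: Iterable[str], allow: Iterable[str] = ()) -> str:
    """Produce unbound local-zone lines; parents swallow their children."""
    allow_set = {a.lower().rstrip(".") for a in allow}
    blocked: Set[str] = set()
    # Fewest labels first, so a parent is decided before its subdomains.
    for name in sorted(set(names), key=lambda n: (n.count("."), n)):
        if name in allow_set or any(p in blocked for p in parents(name)):
            continue
        blocked.add(name)
    lines = [f'local-zone: "{n}." always_nxdomain' for n in sorted(blocked)]
    # An allowlisted name under a blocked parent needs an explicit carve-out;
    # unbound uses the most specific local-zone, so "transparent" re-enables it.
    for a in sorted(allow_set):
        if any(p in blocked for p in parents(a)):
            lines.append(f'local-zone: "{a}." transparent')
    return "\n".join(lines) + "\n"


def render_files(paths: List[str], allow: Iterable[str] = ()) -> str:
    names: List[str] = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                names.extend(domains_from_line(line))
    return render(names, allow)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.stdout.write(render_files(sys.argv[1:]))
    else:
        names = [d for ln in SAMPLE_LIST.splitlines() for d in domains_from_line(ln)]
        sys.stdout.write(render(names, allow=["cdn.ads.example.net"]))
```

Write the output to a file and pull it in with `include:` from unbound.conf; `unbound-checkconf` will flag any malformed line before a reload.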
I gave up on using anything that isn’t the default/auto DNS for when I’m on the go more, as it breaks every single public wifi hotspot that has a login/I-agree-to-not-do-illegal-shit-etc page that obv cannot be resolved
On my Pixel I just set Private DNS. Yea I had to set up an SSL certificate but that's easy to do. So when I leave home, I still use my Adguard server for adblocking without having to touch settings etc (except, as mentioned, captive portals).
I could do the same with "vanilla" DNS (udp port 53) as well, but I don't.
Pihole can't, easily, do DNS via TLS/QUIC etc without 3rd party stuff being bolted on. Adguard Home is a single binary, it's great.
I run a pihole server for myself- and access it over VPN when I’m traveling. But I’ve tried NextDNS and can confirm it works pretty well. Set my grandmother up on the free tier and within the first week it stopped her from getting phished, because the scam text she clicked went to a site that wouldn’t resolve.
I also switched from pihole, because of the random disservice: I’d have it working, then suddenly it would just stop, without changing anything, and even having it in its own docker container, unbelievable. I am quite happy with adguardhome, but now I kinda would try this nextdns.
I love nextdns - pihole was fine but required admin, and I also had challenges vpn’ing in to use it out side of home. Whereas nextdns is simple to use, and effective.
No idea how I have been living under a rock. I was using Google dns forever, but just switched my router over to next! This looks amazing, and great to see so many people using it with positive feedback.
I paid for NextDNS back in 2020 but discontinued the following year due to services such as streaming from the PBS app and websites not working properly. I knew this may be related to aggressive DNS blocking but I didn't have the time to investigate. I have no complaints about NextDNS. Their service works and pricing is fine. I just use Adguard premium now and have had no issues for a year.
Have you looked into their privacy/data collection policies?
Generally prefer local solutions but gave up on Pi-hole some time back after recurring issues. Currently using client-specific adguard; however the centralized management with nextdns is enticing.
One of the major reasons why I don't use or recommend NextDNS is because they force you to use their DNS resolver when a DNS resolver like Quad9 has vastly superior threat intelligence.
NextDNS sends EDNS client subnet (ECS). If challenged on privacy grounds they can claim it is for performance but a primary benefit of ECS, whether intentional or not, is to serve online advertising interests.^1
1. Dishonest people might try to debate intentionality. But foreseeability is indisputable. The privacy issues created by ECS were known when it was introduced by Google. If ECS is truly for performance _that benefits the user_ then it stands to reason that it should be the _user's_ choice whether to send it. That is, ECS should be optional. This is not merely a personal opinion. It was a consensus. See: https://yacin.nadji.us/docs/pubs/dimva16_ecs.pdf
AFAIK, NextDNS, like Google and OpenDNS, will not allow any user to disable sending ECS.
For example, Cloudflare when it launched 1.1.1.1 decided not to send EDNS subnet and they have claimed this is based on privacy grounds.
Whether anyone cares about privacy is their business, not mine. And whether anyone believes ECS improves performance for them is for them to decide, not me.^2 Here I am just presenting some facts for consideration. Anyone is free to disregard these facts.
2. When considering "performance" we might differentiate between performance in requesting the resource the user is trying to access versus performance of ad servers or tracking servers. Needless to say, ads are not the resource the user is trying to access. And tracking is not even a resource. The speed of ads and tracking is obviously very important to Google, the company behind ECS. When we see a campaign for a "faster internet" from so-called "tech" companies such as Google and Facebook we should keep in mind that "the internet" as envisioned by these middlemen is an internet full of advertising and tracking. As such, "faster internet" does not necessarily mean better speeds when downloading a resource. Ads and tracking are not the resources that users are intentionally requesting. They only serve to add delay and impede the user's retrieval of a desired resource. Hence the need for "ad blocking".
Personally, I do not use third party DNS services, i.e., shared DNS caches operated by third parties. Historically these shared caches are the source of various problems. There are plenty of alternatives available today what with the enormous advances in network speeds and local storage that have occurred since the days when shared DNS caches were a necessity. For example, all the DNS data I use is stored locally and served from loopback addresses, either in the memory of a forward proxy or from authoritative DNS servers. Requests never leave the computer. (NB. PiHoles send requests to upstream third party DNS providers by default. Unless the parent commenter changed the PiHole's i.e., dnsmasq's, configuration to use a local DNS server serving locally stored DNS data then requests would by default be sent to the internet. In the case the configuration is changed to point to a local DNS server serving local DNS data and the user is satisfied with DNS-based blocking, like what NextDNS provides, then the utility of a PiHole would be questionable. Just omit DNS data for ad/tracking servers. I have been doing this for decades; I began using DNS for "blocking" before "adblockers" or PiHole existed.)
I looked at Pi-hole recently but went with AdGuard Home. Nicer UI and nicer everything by all appearances. There's also a surprising amount of customization for something this slick, like being able to defer to my internal DNS for local private domain queries, etc.
I'm not entirely sure why AdGuard is giving this away, and maybe I should look into that, but seemed like a relatively low-risk decision to go with this for now. And I can't say enough about how much more pleasant using things like the NYTimes app has been without the obnoxious ads.
Yes, it’s really awesome. The split-dns feature has all the options you would imagine.
I thought i would need a second dns server behind it, but i could add all the rules I need right into adguard home. It even supports DoT and DoH upstreams, which is still not a thing with many home routers.
About the give-away-for-free aspect I was also wondering. Do they maybe configure their dns servers as default upstream and hope many people keep the defaults? DNS is one of the best technologies to do data mining and sell the data. I guess it's also why all those easy to remember dns servers like 8.8.8.8 and 1.1.1.1 exist. Google and Cloudflare for sure don't do it just to be nice.
Disclaimer: adguard claims not to sell any customer data.
> I'm not entirely sure why AdGuard is giving this away
Here is my reasoning. I can read up the documentation and set it up and get it working. I'm going to brag to my friends about how my home network has no pesky ads and stuff. They will ask me to “Set up for me, Set up for me.”
I cannot help them maintain, even if I do set it up for them, so -- I'm going to say, “You know what, instead of that complexity, they have a simple app-based setup that just works for just $29 a year for your whole family.”
See, I just got five of my friends to download and buy the service in that dinner party.
I believe this is the same philosophy of today's tech startups -- have an open source product but build a commercial business on top of that.
AdGuard is a Russian company, with Russian engineers, the majority of AdGuard developers and other employees working from Moscow, registered in Cyprus. Not a great recipe. Hard pass on security grounds.
MacPaw lists Russian-developed software as a risk because the government can access your data at any time — this is self-hosted open-source software though.
The FSB can’t just access your local server with an arbitrary court order.
Therefore this doesn’t feel like a legitimate concern but more like Russophobia, which I understand but also think is utterly unasked for as I know first hand how much Russian developers are suffering from the stupidity of their government.
Technically, yes you can. But do you really have the time to sit down to understand a piece of software enough to know if it's doing anything nefarious?
True. But I think they have the means to do that on a lot of (non-russia-associated) repositories. They even probably wouldn't pick this one because it's under too much scrutiny.
One other neat thing about AdGuard is that it is available as a Home Assistant addin - and it does integrate with the rest of HA, so you can e.g. have a switch to enable/disable blocking as part of your dashboard.
AdGuard Home is amazing! I used PiHole for a time but did run into small issues quite a lot. Mind you nothing serious, but things like these are only really useful if they just work.
Adguard Home works without any issues on my Pi setup via docker-compose [1] and it even runs on a second Pi as backup using a cool container called adguardhome-sync [2] to keep their configurations in sync. I am not seeing any ads in my network anymore and it is quite interesting to see how many tracking/ad requests are sent by some devices...
The real eye-opener is when you start redirecting DNS 53 requests to your own DNS server and block DoT/DoQ/DoH – so many devices/apps just trying to reach out to their hardcoded DNS servers for tracking/ad targeting.
Unsurprisingly, Google and Facebook IoT junk is the worst. They both hardcode their own DNS, and I've caught Google devices ignoring the DNS IP from DHCP (not the gateway) and attempting to resolve from the gateway (with external blocked)
PiHole isn't natively recursive, but you can easily set up a service alongside pihole on the pi (or in another docker, if your pihole is a container) called Unbound which provides recursive DNS.
And you can load the ad blocking lists into it anyway, so you get solid DNS, ad blocking and none of those random youtube spinners from rando dns issues. For nothing but a little configuration.
Because it’s written in C# and relatively new. Unbound is written in C so should consume less resources, has been around longer and has been vetted – FreeBSD and OpenBSD replaced BIND with Unbound.
The one downside to Unbound is that there’s no GUI so it can be a bit intimidating to set up. But the docs are excellent and Unbound defaults are secure, so it’s not as hard as it seems.
There are a few mostly positive comments here about NextDNS but I'll start a new comment since I'm thinking about switching away from NextDNS. Why? I'm on a Mac / Safari now and would like to enable their "Hide IP address from trackers" feature but if I do, then I start seeing advertisements on websites that would normally be blocked by NextDNS. So I have to uncheck this option and can't use Apple's feature. Overall, I guess the two can't be used together, per an issue reported on the NextDNS Help site:
Are you referring to iCloud Private Relay? If so that's expected behavior with any DNS based ad blocker. Turning on the relay proxies your connection and your local network's DNS server will not be used. Doesn't matter if it's PiHole, NextDNS, or AdGuard.
It does with encrypted DNS (I think - still mid setup). If you use a configuration profile [0] to explicitly set a DNS over HTTPS or DNS over TLS server this is still honoured within private relay.
IMO vanilla private relay is much neater and simpler if privacy is your goal. It uses Oblivious DNS over HTTPS [1] which is pretty neat.
To trade some of that privacy to reduce ads setting up encrypted DNS restores filtering control. This does mean you then need to funnel those queries somewhere likely less oblivious though. Current setup I'm playing with in the homelab uses Adguard Home for filtering. This then forwards to a local Unbound instance acting as a recursive resolver with strict DNSSEC [2] and QNAME minimisation [3]. End result is the DNS traffic is still open, but does not all go to any one single entity (apart from my ISP, which can see TLS SNI anyway).
You're using one product that blocks ads and trackers, but then bypassing that with another product that deliberately provides access to ads and trackers, but via a third party.
I subscribed + configured my router to use NextDNS years ago so ads + trackers are blocked on my IoT devices. More recently, I inherited a MacBook and now an iPhone and naturally enabled their built-in blocking capabilities. I think I assumed two blockers are better than one but now I just leave Apple's IP limiting features off and let NextDNS do its thing but it just feels weird to deliberately turn off a privacy feature.
This is not two ad blockers. One is an ad blocker the other is a tracking blocker. They conflict simply.
If you want both across all apps (not just the browser) you need a VPN service with included ad blocking, such as ProtonVPN, IVPN, etc. There are a lot.
Yes, they are a DNS ad blocker. iCloud Private Relay is a tracking blocker, to hide your IP. Both are not compatible in general, unless the "IP tracking blocker" explicitly allows you to configure NextDNS as a DNS server, which is not the case with Private Relay.
I guess NextDNS should list exceptions like Private Relay, but the list is long and it's confusing. For all intents and purposes I agree with the statement, they block ads on most devices.
They also have help articles specifically for VPNs:
I contributed improved ipset support to this project. As far as I know, it’s one of the few off-the-shelf DNS servers that can insert result records into Linux ipsets to enable domain-based firewall policy. I run it on OpenWRT and use the ipset support to open the default drop firewall from my “smart” projector on my IoT subnet to NetFlix and YouTube. It sets the ipset entry expiry to the DNS TTL. Now, the only way for the machine to connect to the internet is to resolve a whitelisted domain and it can only access while the record is fresh. I haven’t encountered any issues so far. I take it that some Chinese users use this same functionality to selectively VPN domains to evade GFW.
Also runs on Home Assistant. The only thing to remember is when you're updating HA (or you forget that your HA Pi is not on the UPS, and you trip your GFI when doing home maintenance on your ring main) that your DNS also goes down.
Happy AdGuard user here. It's running directly on my EdgerouterX so no need for an extra device to maintain. I really love the high level service blocking as well, blocking the whole of Facebook is just ticking a checkbox!
With a self-hosted DNS internally, how do you handle fallback?
For example if the box with Adguard Home or pihole crashes, can you configure your router or your devices in a way that would instead go to say cloudflare or google DNS?
My router (Mikrotik Hex) redirects all DNS requests it receives to the Adguard server (with masquerade). DHCP hands out the router for DNS.
A recurring script attempts to resolve a domain from Adguard every 30s, and if that fails, the NAT rules are disabled and the router would handle the DNS directly.
Downside to this approach is AG doesn't have client IPs, since they all come redirected by the router. I think DNS has a way to tag original IPs, but AG doesn't support it. I just use multiple DHCP configs to hand out AG directly to devices that are bad actors (and not critical), and critical stuff gets the method above.
I dealt with a less-than-ideally reliable pihole by configuring the pihole as the primary DNS, and an external DNS server as the secondary (most devices accept 2 or more IPs for DNS).
Honestly? Have two instances and point to both via your router DHCP DNS. Every client will use them and you are good to go. There are also solutions like adguardhome-sync to keep both installations in sync.
I believe this only works if your ad blocking DNS is configured to return 0.0.0.0 for all blocked domains rather than NXDOMAIN, since then services might try using the secondary DNS instead and that would result in nothing getting blocked. Ideally your secondary DNS should be a copy of the primary.
Do you know if Pi-hole or AdGuard can be configured to confirm to the router or the client that resolution took place, rather than trying the secondary DNS?
If I understand you correctly, if you have a blocking internal DNS running Pi-hole or AdGuard and an external general DNS such as Google or Cloudflare, unless what you described can be configured, the requests that come back "blocked" from Pi-hole would then simply be resolved by Google/Cloudflare, thus negating the point of Pi-hole.
AdGuard Home should by default be configured to return 0.0.0.0, you can check whether that's the case in Settings -> DNS Settings -> scroll down to Blocking Mode. I don't know about Pi Hole but it probably also has a similar setting.
There is no primary and secondary dns on windows. Both dns servers are queried, if one goes down you are fine but you won’t hit your local dns all the time.
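A health check in the spirit of the router script described in this sub-thread, combined with the 0.0.0.0-versus-NXDOMAIN point made about secondary resolvers, as an added example that is not code from any commenter, AdGuard Home or Pi-hole: it builds a raw A query, classifies the reply as a sinkhole answer, NXDOMAIN, a real answer or an error, and reports the resolver as down on timeout. The probe target, the default probe name and the constructed replies used for offline testing are assumptions for illustration.

```python
import secrets
import socket
import struct

def build_query(name, qid=None):
    """Wire-format DNS A/IN query for `name` with the RD bit set."""
    qid = secrets.randbelow(0x10000) if qid is None else qid
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + qname + b"\x00" + struct.pack("!HH", 1, 1))

def _skip_name(msg, off):  # advance past a (possibly compressed) name
    while True:
        b = msg[off]
        if b & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1
        if b == 0:             # root label
            return off
        off += b

def classify_response(query, resp):
    """'nxdomain', 'sinkhole' (all A answers are 0.0.0.0), 'answer' or 'error'."""
    if len(resp) < 12 or resp[:2] != query[:2]:
        return "error"         # truncated reply or transaction ID mismatch
    flags, qdcount, ancount = struct.unpack("!HHH", resp[2:8])
    rcode = flags & 0xF
    if rcode != 0:
        return "nxdomain" if rcode == 3 else "error"   # others: SERVFAIL, REFUSED, ...
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4        # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return "sinkhole" if addrs and set(addrs) == {"0.0.0.0"} else "answer"

def make_response(query, rcode, addrs=()):
    """Constructed reply to `query` for offline testing, not a real capture."""
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0],
                         0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                   + socket.inet_aton(a) for a in addrs)
    return header + query[12:_skip_name(query, 12) + 4] + rrs

def check_resolver(server, name="example.com", timeout=2.0):
    # Probe `server` on UDP/53 (assumed address); 'down' on timeout or unreachable network.
    q = build_query(name)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            resp, _ = s.recvfrom(4096)
    except OSError:            # socket.timeout is an OSError subclass
        return "down"
    return classify_response(q, resp)
```

A router or cron job would switch the NAT redirect or the DHCP-advertised resolver only on "down", while treating "sinkhole" and "nxdomain" as a healthy blocker rather than a failure.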
I'm experienced in DNS but have never seen the point in DNS blocklists. It feels like the wrong layer.
I do adblocking with a browser extension. The adblocking has more context, can modify the page, and has easy UI integration for debugging and turning it off.
What else are DNS blocklists for? Clients except browsers?
For the record, on my desktop I use systemd-resolved (for DNSSEC) and dnscrypt-proxy2 (for encryption). On my router I run unbound as recursive resolver for other devices.
On my phone I use quad9, and adblocking via Firefox.
Adblocking via the browser is the best option if it's available.
All the games the kids play on their iPad try to insert ads, track them, all that sort of stuff and DNS based Adblocking stops that. My wife's iPhone isn't subject to ads when she's reading the news in Safari. On my Google Pixel I don't see ads in browsers either, Firefox I use uBlock but even the Google Newsfeed uses Chrome for webview, so DNS adblocking stops me having to see the sponsored stuff in there.
There's so many places other than "the browser" to see ads, to even question that seems like not really having knowledge of what the Internet is used for in 2024. Edit: Sorry that's a bit rude, I just meant maybe you don't use it the same way a lot of others do. Sorry for sounding obnoxious and rude.
DNS blocking doesn't stop stuff like ads in Instagram, or YouTube etc, but it certainly helps in a lot of other situations like ads in the Imgur app etc etc.
> There's so many places other than "the browser" to see ads, to even question that seems like not really having knowledge of what the Internet is used for in 2024.
I understand that many people use apps and smart TV sticks, but I'd forgotten that many have ads. I use some apps, but none that have ads.
My family use apps but say that they appreciate targeted ads.
Yea sorry I've updated my comment to reflect the fact the way I phrased that was quite rude - my apologies.
For the silly games my kids play on their iPad, blocking ads means they can "skip" ahead quite often instead of being forced to watch an ad before they're allowed to try again/progress to the new level. They're subject to enough advertising with Youtube anyway, just from all the content they watch that's subtle advertising.
My ISP-supplied router tries to ping back to some “AI driven wifi analytics” bullshit every 30 seconds. I put in a custom block for that. My TV would also probably love to phone home if I connected it to wifi to use the applications on it.
The value is not just that I can block at the network level rather than the application/device level, it’s also that I can see what random connected devices that aren’t general computing devices are trying to do. If they have hard-programmed DNS servers, blocking 53 for any device besides my Adguard server quickly solves that.
I used Pi-Hole, then went to NextDNS, then to AdGuard DNS, tinkered with AdGuard Home, and currently testing Control-D. They are all actually pretty good, similar features, and it has become just a matter of personal choice.
In all fairness, when I have some time and can invest in decent hardware, I might go back to AdGuard Home with one of the paid services as backup for travel, and for the other family members.
Pi-Hole works really well but once in a while, when I'm traveling, it will decide to act up and it's a whole IT support session with the family over the phone for minutes if not hours. I'm not smart enough to set up a secure enough tunnel and the like, and haven't read up enough on the topic. This follows a similar pattern with AdGuard Home.
NextDNS, AdGuard DNS, Control-D are easy and just work, especially with the devices that the family uses. I think I bought one of those AdGuard Lifetime licenses, so I use that to block client-side rendered ads in conjunction with either AdGuard DNS or NextDNS or Control-D. Right now, Control-D is doing pretty good with my test-drive.
Edit: The other reason is that many websites, such as governments' and banks' (at least in India), seldom work with Pi-Hole or AdGuard Home. With the other tools, I can turn off for a while, and go Internet-naked and do the transactions, pay the insurance, etc.
I wonder how much DNS blocking would contribute to a unique browser fingerprint? Like a tracker could use a range of domains, some of which are known to be blocked by certain end-user software, to build a fingerprint.
I currently use a vanilla LibreWolf which has uBlock Origin and reasonable defaults out of the box for this reason.
My only other line of thinking is that a combination of DNS, IP and in-browser blocking could be more effective than just in-browser alone.
Coincidentally I just set up OpenWRT [1] on a NanoPi from FriendlyElectric.
How would this fit into using Wireguard? Or, how would I go about that? It seems like there might be something conflicting about running both, but I am very new to it all.
[1] It is actually running their FriendlyWRT variation which came with the precompiled drivers for getting a Realtek USB wifi adapter to work, otherwise stock OpenWRT would work as well.
It entirely depends on which blocklist(s) you use. I had to stop using the StevenBlack list because it started breaking a lot of things, apparently intentionally.
I recommend using only one list, rather than a combination of several. I switched to the https://oisd.nl Big List, which has been great... although it did break GitHub yesterday. That was the first breakage since I switched, and it was fixed when I reported. But still, keeping an eye on it.
OISD is what I use as well. It's great, the family don't have any issues like we used to with the other lists I used. It doesn't block as much, but I'll take the odd thing slipping through vs not being able to load a page we need.
I use PiHole, it does break some stuff here and there, and sometimes useful things like Private Relay or iCloud in iOS; or once YouTube history stopped working for me (apparently they use a separate domain to track watched videos and progress!). It also depends on the block lists you upload. It’s pretty easy to unblock, especially web, as you just look on which domain cannot resolve in the browser dev tools and add it to the allow list.
Yet, DNS-based blockers have a limited usefulness at this moment as some major ad providers started using the same primary domain for serving ads. For example, YouTube, partially Google, Yandex. I guess they cover everything with a top-level load balancer and then route internally to specific service ingresses.
I use AdGuard home as part of my HomeAssistant setup and have had no problem at all. Only thing is to turn off the enforced safe search as that quite reduces results.
I don't know much about how adtech works, but if I were Google I'd provide ad blocking detection to all of my clients. And it should be pretty simple to detect if parts of the network that are essential to my ads are being blocked.
Sadly for the AdGuard team, there isn't much of an audience for this. It's one of those things everyone says they want but few people will actually install one, much less maintain one over time. Add to that the wife-forced uninstalls and the total long-term audience for this is (no kidding) in the thousands.
What is the reason for someone in the network to not want the filtering? Does this break some websites?
My own devices are covered, I definitely want full filtering even when not at home and my devices are completely hackable, but I'm wondering if such a tool would be a convenience for other people using the network in particular with less hackable devices, and people likely to use my network are likely totally uninterested in ads, but I don't want this to be a pain.
I used to need my wife's devices on the whitelist too - she had a job working with tracking and needing to see trackers fire when she loaded webpages etc. I once made a mistake and she got unwhitelisted and waited 4 hours wondering why her tracking codes "weren't working"
I don't get this comment. It is basically the same kind of tool as the Pihole only much easier to install and maintain. (It's a single go binary) Isn't this a popular class of software?
It is not a popular class of software to the masses, it is a popular class of software to a niche audience. I don't share as pessimistic an attitude as OP though. I'm pretty sure the audience is in the tens of thousands!
What's funny is that I was once extremely optimistic about the potential for such a device, to the extent of having sold and delivered a few million in product.
Hard experience taught us that churn is just crazy high, no matter how compatible or easy to use you make it. Getting tens of thousands of stars is not the hard part because it's such an easy concept to like. But I would be surprised if there are more than, let's say, ten thousand piholes in active use.
They have that many stars on GitHub. They actually also have thousands of forks each. The api probably still has a way to count downloads but I didn't bother. I wasn't claiming users in the millions anyway. :)
I guess I'm the exception to the rule, I spent a fair chunk of my previous weekend upgrading the hardware on my opnsense router/firewall so that I could virtualize opnsense and be able to glom on related services exactly like AdGuard Home easily.
Been 4 months and I'm pretty happy with the following setup: PiHole + RaspberryPi + Tailscale
With Pihole running on a tailnet all my devices use it by default as long as they're on the same tailnet. That way I have seamless ad-blocking even when I'm on cellular data or my friends' wifi networks.
Anyone know of an Adguard home or pihole equivalent service I can run as part of OPNSense?
I currently have a different machine dedicated to pihole, but it would be intriguing to have something built in. I would imagine split DNS and firewall rules would be simpler this way.
I'm in the process of migrating my OPNSense to a virtual machine so that I can run whatever network-related services I want right alongside it in a container or VM. I used to scoff at those enterprising homelabbers who apparently stuck their firewall in a VM just because they could, but I get it now. It's super nice to be able to just snapshot and back up the whole VM, and run whatever you want alongside it. (Although I will limit the box to specific network management things like AdGuard Home.)
I run AdGuard Home on a Pi and it's fantastic. I was running PiHole previously and found it endlessly problematic, I rarely have to even think about AdGuard Home.
Doesn’t work for YouTube ads – they no longer load ads via DNS and instead embed them directly into the video feed.
uBlock Origin via the browser is the best way to block them. If you wish to use a client app, best bet is to sideload a 3rd party app like SmartTubeNext for Android TV or YTLitePlus for iOS.
Depends on the blocklists you're using. I broke Google search sponsored links, some Slickdeals links, and the meta quest app store. You have the ability to whitelist as well if you want to unblock some things.
I'm running it in a docker container and then pointing my router at it.
Perhaps obvious, but if you’re using mixpanel or posthog for analytics on anything you build, you’ll have to put them on exclusion lists, in order to be able to use their analytics platform.
Standing reminder that any device smart enough to run a real web browser shouldn't use one of these and doesn't need one. uBlock Origin works much better for any device capable of running it, both in terms of user experience (the browser understands a block rather than a mysteriously failing request) and because it can block first party ads and clean up page layout.
The primary use case for these is for blocking ads on devices that don't allow running a real browser and yet still show ads, such as "smart home" devices, TVs, etc.
> Standing reminder that any device smart enough to run a real web browser shouldn't use one of these and doesn't need one.
Why not? Or why not use both?
> The primary use case for these is for blocking ads on devices that don't allow running a real browser and yet still show ads, such as "smart home" devices, TVs, etc.
What about non-browser apps on mobile devices or even desktops? Lots of apps have invasive ads and are unlikely to offer an extension api to block them with.
Because DNS-based blockers aren't visible to the browser, so they just look like HTTP errors or worse, and cause a variety of misbehavior. They're much more likely to produce errors that feel like the site just doesn't work. They can't distinguish between requests to different URLs on the same server, and many sites distribute both ads and content from the same servers. So they're always either going to miss ads or break sites, or both.
Browser-based blockers can block some URLs while allowing others, in addition to many many other improvements like substituting no-op scripts for things the site expects to call (preventing sites from hanging because they're waiting on tracking, for instance).
> What about non-browser apps on mobile devices or even desktops?
Ignore "download our app!" prompts and stick with mobile websites wherever possible; Firefox Mobile has excellent adblocking via uBlock Origin. Look for ad-free alternative apps. If that isn't an option, purchase ad-free paid apps.
>What about non-browser apps on mobile devices or even desktops? Lots of apps have invasive ads and are unlikely to offer an extension api to block them with.
Simple answer: don't use those apps. Do you really need them?
Don't do this. Network firewalls are harmful. Let people configure their own firewalls on device. Having to VPN around network blocks is annoying to say the least. Network firewalls are harmful and just a lazy excuse for bad client security.