by on May 18, 2020, in

Improved Home Network Privacy With NextDNS

This article is for you if you want to improve privacy and block ads on all devices on your network without installing any software, simply by configuring a modern DNS service, yet with the ability to override settings for individual sites, and with nice dashboards thrown in for good measure.

Why a Privacy Solution Based on DNS?

You probably have been using browser ad blockers like uBlock Origin, AdBlock Plus, or Ghostery for some time and with good success. Why something else? After all, browser ad blockers are working great, right!?

They are, indeed. I would not use DNS as a replacement for your ad blocker, I see it as complementary. A DNS solution has advantages that browser-based ad blockers cannot provide:

  1. DNS covers all devices on the network, including:
    • iOS/Android phones or tablets (which do not support OS-level blocking of network requests)
    • Smart TVs (which are notorious in their tracking)
    • IoT devices
    • Guest PCs or phones
    • Your wife’s laptop, your children’s gaming rig
  2. DNS works at a very early stage in the connection, reducing the load on the endpoint
  3. DNS is one of the few unencrypted protocols left, so you should be working to secure it anyway

Why Not Pi-Hole?

Let me be clear: I love what the Pi-hole project is doing! They provide a fantastic free (!) product that you can install on any device on your network to filter DNS traffic and increase the security of your devices. Those were exactly my goals, too. The only reason I did not choose Pi-hole is that I do not want to set up and maintain yet another machine. I went for a SaaS solution purely out of laziness.

Why Not AdGuard DNS or Some Alternative?

Before I found NextDNS I tested AdGuard DNS, which initially seemed like the perfect solution: it is free and does not require an account, yet blocks most of the undesired stuff on the net. However, there are downsides, too: no configuration options, no dashboards, no statistics. But worst of all: no quick way to get a domain off the list that is blocked by mistake.

The last point turned out to be a deal-breaker when AdGuard DNS suddenly started blocking one of our important business apps and I could not get it unblocked. Being forced to switch back to regular DNS servers I started looking for a more flexible alternative.

Why NextDNS?

Why did I choose NextDNS? My reasons included:

  • The service is free for little traffic (up to 300,000 queries/month) and inexpensive for more (USD 20/year)
  • Nice dashboards, modern UI
  • Easy to configure
  • Supports home networks with changing IP addresses via dynamic DNS (DDNS)
  • Support for all important privacy technologies including DoT (DNS over TLS) and DoH (DNS over HTTPS)
  • Extensive configuration options including the abilities to choose filter lists, and to add sites to blacklists or whitelists

How NextDNS Identifies Clients

DNS is a stateless protocol. There is no authentication built-in. Nevertheless, NextDNS needs some way to identify which of the millions of queries arriving at its servers originate from your network in order to apply your customized configuration. If you cannot use DoT or DoH (which Fritz!Boxes, unfortunately, do not support yet), this only leaves your router’s public IP address as an identifiable element. Unless you have a business account, IP addresses change. NextDNS supports a clever alternative, though: it allows you to specify a dynamic DNS name, which makes it perfect for home networks.

Configuration

In the following sections, I am describing how I set up NextDNS for my home network, connected to the internet by a Fritz!Box router.

Step 1: Fritz!Box Dynamic DNS Without Opening the Router to the Internet

Fritz!Boxes come with a dynamic DNS service built-in: MyFritz. That is not obvious, though. The documentation only mentions MyFritz as a means to access your Fritz!Box via the internet, something I most definitely do not want to do. Quite the opposite: I want to be sure my router or anything behind it cannot be accessed from the internet at all.

That is possible with MyFritz, even easily so. To set up MyFritz as a dynamic DNS service without granting access to the Fritz!Box itself or the network behind it:

  • Open the web UI of your Fritz!Box
  • Make sure you’re in advanced mode (top-right corner)
  • Go to Internet > MyFritz! Account
  • Enable the checkbox MyFRITZ! enabled for this FRITZ!Box
  • Register with your email address and confirm the address
  • Reload the page Internet > MyFritz! Account
  • You’ll see the dynamic DNS address of your Fritz!Box. It has the format: CRYPTICSTRING.myfritz.net

The resulting page should look similar to the following:

Step 2: Configure NextDNS

Once you have dynamic DNS set up in your router you can proceed to configure the dynamic DNS name in NextDNS:

  • Create an account
  • Log in. You are now on the dashboard My First Configuration
  • Link your network’s public IP address in the section Linked IP > Advanced by entering the dynamic DNS name you registered previously

Step 3: Configure Your Router to Use NextDNS

Now that NextDNS knows your network’s public IP address you can finalize the setup by configuring your router with the NextDNS servers as follows:

  • In the Fritz!Box UI, navigate to Internet > Type of Connection > DNS Server
  • Enter the following:
    • DNSv4: enter the two DNS servers from the Linked IP section of the NextDNS dashboard
    • DNSv6: enter the two DNS servers from the Endpoints section of the NextDNS dashboard
  • Restart the Fritz!Box to clear its DNS resolver cache

The NextDNS dashboard should now look similar to the following:

Previous Article Linux Config File Version Control & Backup on GitHub
Next Article Azure DevOps: Restricting Credentials to a Single Repository