NextDNS has been founded in May 2019 in Delaware, USA by two French founders Romain Cointepas and Olivier Poitrey. Olivier has been working on Internet infrastructures for the last 20 years. In 2005, he founded Dailymotion, the largest video sharing service after Youtube and the most popular European website in the world at the time. He is currently Director of Engineering at Netflix, working on Open Connect, Netflix's home CDN also known as the CDN moving about 30% of the total US Internet traffic. Romain and Olivier closely worked for years at Dailymotion on many different projects. Romain ended up leading the mobile & TV department.
We are true supporters of the net neutrality and Internet privacy. We believe that un-encrypted DNS resolvers operated by ISPs are detrimental to those two principles. Alternative solutions like Google DNS or Cloudflare DNS are great, but we think more actors need to step up and provide alternative services to avoid centralization of powers.
The Domain Name System (DNS) is like the phonebook of the Internet. Computers on a network need IPs, the equivalent of phone numbers to communicate. But IPs are hard to remember for humans, so DNS is here so domain names can be used instead. For instance, when going on
www.google.com is the domain name that DNS will convert is something like
A blocklist is a list of domains to block. Usually, a DNS resolver is supposed to always respond with the answer intended by the operator of the domain. But some DNS resolvers are said to be lying resolvers, as they sometimes hide the truth. Some resolvers operated by ISP are lying resolvers as they have to implement some form censorship dictated by their government.
NextDNS is another form of lying DNS resolver which can turn its lies to your advantage. By default NextDNS will never lie until you ask it to. In the NextDNS configuration dashboard, you have the choice to enable special purpose blocklists that can be used to block domains of certain types, like domains used by advertisers and trackers, or domains used by malware and phishing campaigns. When such blocklists are in use, your browsing becomes safer, faster and more private.
A tracker is a piece of software used to exchange information about your actions online with third-party companies. Their use can slow down Internet browsing, consume your network cap, waste your battery and expose your private data to advertisers, cyber criminals and governments.
NextDNS can block most trackers when the Ads & Tracker blocklist is enabled. All NextDNS blocklists are gathered from well known public sources, refreshed hourly and available on our Github
A malware (for malicious software) designates any type of harmful software, including viruses, worms, trojan horses, ransomware, spyware, adware, etc.
NextDNS can not replace an anti-virus but can prevent propagation of malwares by blocking the domains they use to proliferate. All NextDNS blocklists are gathered from well known public sources, refreshed hourly and available on our Github
Phishing is the practice of trying to get private information such as usernames, passwords, credit card details, social security numbers, and more through the use of imposter emails and websites.
NextDNS provides blocklists that can protect against phishing attacks. All NextDNS blocklists are gathered from well known public sources, refreshed hourly and available on our Github
for more information.
for more information.
With a default configuration (no blocklist or blacklist enabled), NextDNS does not filter any content, not even malicious ones. You have full control over the level of filtering wanted by tweaking your configurations.
A traditional ad blocker works at the browser level. While it can block more types of ads, it is also limited to the browser and it takes more CPU and battery to do the same thing. NextDNS works a level below, and thus work for all applications running on your devices, like games, etc. Even apps with with no ads sometime have tracking technology that can invade your privacy. Not to mention apps that run malicious operations in your back, like crypominers or trojan horses.
Yes. NextDNS is a validating DNSSEC resolver. This means that for domains implemeting DNSSEC, NextDNS will cryptographically ensure that the response provided matches the intended response of the domain operator. If the validation fails, NextDNS will return an empty answer. This ensures protection against domain spoofing or other attacks that attempt to provide false data. In the case of a query on a domain matching one of the blocklists enabled by a configuration, it is to be noted that DNSSEC validation is disabled in order to implement the blocking.
EDNS Client-Subnet (ECS) is an extension to the DNS protocol to include components of the end-user IP address data in requests that are sent to the authoritative DNS servers. This means that there is a privacy “leakage” for recursive resolvers that send ECS data, where components of the end user’s IP address are transmitted to the remote site. This is typically used to improve the performance of Content Distribution Networks (CDNs).
NextDNS has invented and implemented a technology to prevent privacy “leakage” while keeping the performance benefit of ECS. While we think it is a good tradeoff, you still have full control on whether any ECS information is transmitted at all. For more information on our smart ECS technology, read How we made DNS both fast and private with ECS
Anycast is a way to use Internet routing protocol (BGP) to steer traffic to the closest location in term of network hops. Basically, many servers around the world share the same IP address, and the traffic is routed to the closest available location automatically. If any of those servers becomes unavailable, the traffic is automatically re-routed. The advantage of this solution is two folds: it provides low latency and high availability.
NextDNS deployed its own anycast network (AS34939) to provide best latency and high availability. On top of anycast, NextDNS official apps implement advanced routing and fallback algorithms to further improve the latency and reliability of our service.
In order to associate a configuration with a network or a device, NextDNS uses different tricks depending on the DNS protocol used. For DNS over TLS (DoT), the configuration id is embedded into the hostname, for DNS over HTTPS (DoH), it is in the URL path and for UDP over IPv6, it is in the last bits of the IP. Unfortunately, for legacy UDP over IPv4, there is no such easy trick. Because IPv4 is a scarce resource, it would not be possible to attribute 2 IPv4 to every configuration. Instead, you have to associate the IP of your network with your configuration. We use a pool of IPv4 to let you link the same IP with different configurations if needed. You only need to link your IP when using unencrypted DNS over UDP/IPv4.
To link your IP, you just need to click on the link button in the setup tab of the interface. You will have to repeat this operation anytime your IP changes if it is dynamic. You can also opt for our DDNS solution: Instead of manually linking your IP, you give us a hostname that points to your IP, and use a DDNS solution to keep it up to date. The third option is to call a URL from a script whenever your IP changes.
DNS rebinding is a method of manipulating resolution of domain names that is commonly used as a form of computer attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network. In theory, the same-origin policy prevents this from happening: client-side scripts are only allowed to access content on the same host that served the script. Comparing domain names is an essential part of enforcing this policy, so DNS rebinding circumvents this protection by abusing the Domain Name System (DNS).
This protection is not turned on by default, because it could interfere with some configurations purposely working with private IPs. If it is not the case for you, it is a good idea to turn this one.
The blocking mode refers to the type of DNS response used to block a domain. You should not need to change this setting as the default should be the best option for most use cases.
UNSPECIFIED_ADDRESS: The address
0.0.0.0 (IPv4) or
:: (IPv6) is returned. Using this address does not leave the host and always return a fast error. It is also not considered a DNS error that could force some implementations to retry.
NXDOMAIN DNS error is returned. This is more "exact" in DNS term but also leads to some implementations retrying the DNS query, making the blocking slower.
NODATA: Returns an empty DNS response with no error.
DNS is an old protocol lacking all forms of security. Yet, it is one of the most fundamental protocols of the Internet. DoT and DoH are improvements to add transport security to the DNS protocol by reusing the same security layers used by HTTP: TLS. Both DoT and DoH use TLS. DoH adds HTTP/2 between DNS and TLS for the framing. DoT also has a framing layer inherited from DNS over TCP, but it is ridiculously simple compared to HTTP/2.
Both protocols offer similar advantages but they have some key differences:
- DoT uses a custom port (853) which can be easily blocked by firewalls while DoH uses the same port and protocol as used for HTTPS (443), making it harder to block or even detect.
- The HTTP/2 protocol used by DoH is significantly more complex than the basic framing employed by DoT. The advantage of DoH is that most HTTP/2 implementations are battle tested and offer good performance, while most DoT implementations get the DoT “spec” wrong, leading to poorer performance. When properly implemented, DoT offers lower complexity, which may theoretically have a small positive impact on battery usage, but it might be a drop in the bucket compared to TLS. The difference in latency should be non-perceivable though.
- As DoH uses HTTP, when implemented into a browser, there is the concern of having the same tracking capabilities as used on the web (user-agent, cookies etc.).
Some experts like Paul Vixie recommend DoT over DoH
. We don’t share this position and generally recommend DoH as it has less chances of being blocked and implementations are often better.
In our official apps we use a custom version of DoH that offloads more work (UDP/IP de/encap) on our server to reduce on-device workload. We think it is the best tradeoff between performance, compatibility and battery usage.
DNSCrypt is another improvement of DNS adding security on its transport invented by our French (cocorico!) friend Frank Denis
. Unlike DoT and DoH, DNSCrypt does not use TLS, but re-invent a transport security layer with the specificities of DNS in mind.
The main advantage of DNSCrypt over DoT/DoH is that it can work over UDP. Because UDP is a non-connected protocol, DNSCrypt is not slowed down by TCP and TLS handshakes (those can be mitigated with TCP Fast Open and TLS 1.3 0-RTT resumption though). There is still a sort of handshake over plain DNS to exchange the keys though. Additionally, in case of packet loss, the recovery implemented by TCP might not play well with DNS, which has been designed for UDP.
Like DoT, DNSCrypt uses a custom port (UDP/443) which can be easily blocked by firewalls. But it can fallback on the same port as HTTPS when UDP is not reachable. This is harder to detect, but still simpler than DoH, as magic bytes in the head of the protocol is used to distinguish it from HTTPS.
Because DNSCrypt is a custom security protocol, there is not as many implementations as for TLS. The main implementation is done by its author and is bundled with a proxy solution. There are other implementations embedded into different DNS servers. We plan on adding support for this protocol in the future, but we first have to extract the protocol implementation from DNSCrypt-proxy or re-implement it in order to adapt it to our solution.
The main advantages of using NextDNS over Pi-hole® are:
- Ease of installation and maintenance. You don’t need to setup a Raspberry Pi and maintain a software up to date on your network.
- Works outside of your home network. We have apps for mobile as well as desktop OS so you can benefit from your DNS configuration wherever you go, either on cellular or on other Wifi networks like coffee shops, friends place or office networks. Note that you could install Pi-hole® on a cloud service by yourself, but then it goes back to point 1. and you would quickly realize that it would cost you more than NextDNS for lower performance (we run an anycast network to guarantee the lowest latency and you benefit from our shared cache, monitoring, maintenance).
To be fair, there are also some advantages of using Pi-hole® over NextDNS:
- You know who runs it. We can’t ask you to trust us more than yourself. We can provide all the guarantees you want, show who we are and make promises, it is understandably easier to trust a solution you manage yourself. Keep in mind though, that all your unblocked DNS queries are still visible by your upstream DNS. So there is still someone you need to trust with your data.
- It’s free with no limits. NextDNS is cheap, very cheap, but it’s still a paid service if you use it over a certain limit. Pi-hole® is free to use. You still have to pay about $35 for a Raspberry Pi + an SD card, which is equivalent to several years of NextDNS subscription. You should also consider donating to the Pi-hole® project if you use their solution. After a few years though, yes, Pi-hole® should become less expensive than NextDNS.
Some services like Youtube are using techniques to prevent ad-blockers from blocking their ads. It is unfortunately impossible to block them using DNS ad blocking at this time.
Our apps create a split VPN in order to capture the DNS traffic and forward it to our servers using a secured (TLS) connection. The way this VPN is setup does not capture any other type of traffic, and thus does not slow down your connection or use more battery.
The TTR mode 3 of Firefox guarantees the browser won’t fallback on system DNS when a response cannot be obtained through DNS over HTTPS. Because NextDNS blocks some DNS requests based on the blocklist you configured, other modes like mode 2 would make those blocks ineffective and would leak some DNS traffic.
Users of solutions like Pi-hole® are used to be able to choose an upstream resolver. While NextDNS can be thought as a Pi-hole® in the cloud, it does not work the same way. NextDNS is itself a DNS caching resolver, so it does not make sense to setup a different upstream. Keep in mind that if we would allow custom upstream resolver, you wouldn’t benefit from our shared cache and all your DNS request would have to pay for double latency (you → NextDNS → upstream resolver).
This is expected. The Cloudflare test page does only test if you are using Cloudflare DNS over DoT or DoH, not another service. If you want to ensure you are connected using a secure protocol, you can get the info on your analytics page under the “Secure DNS” section as well as under the logs tab.
NextDNS is a validating DNSSEC resolver. This means that we block any response that has an invalid DNSSEC signature or is not signed on a zone that is DNSSEC enabled. Unfortunately, many big domains are not DNSSEC enabled, which is why this number is so low.
Unfortunately, this is not doable at the DNS level. You need a browser extension like uBlock Origin for that.