I use Pi-Hole and it works great. I’ve heard about AdGuard and it seems the same thing as PiHole, but you have to install an app/extension. Everyone in this community recommends NextDNS. What’s the difference between them?
All kind of achieve the same thing, but in different ways.
Pi-Hole is the completely free way of doing ad and tracker blocking at the DNS level. Free as in free beer and free as in free speech.
AdGuard is free as in free beer but not as in free speech.
Both solutions mentioned above have to be self-hosted.
NextDNS is a managed service for which you have to pay a (very small) monthly fee. The advantage is that - once set up - it pretty much just works (exception being custom updates to filter lists, but that applies to the other two as well). What’s cool about that is that it’s reachable from outside your local network, so you can use it on your phone or whatever even when you’re not at home (they offer apps and profiles for easy setup). You can expose your Pi-Hole/AdGuard DNS to the outside world, but this has some caveats and probably higher latency/worse availability.
Opinions differ when it comes to privacy, but I’d say they (NextDNS) are trustworthy/not selling your data as this doesn’t seem to be their business model. Obviously, with Pi-Hole you don’t have to trust anyone (except the code authors unless you study the code yourself), so when in doubt Pi-Hole wins in this regard.
Be careful when setting up either of these as the default DNS service in your home network, especially when other users are in your network, as the default configuration of either of these will cause some websites, services and apps to stop working and you (the admin) would have to handle the errors your users are getting by adding exceptions and/or different filters. The good news is that there are more conservative filter settings available that will still block most ads and trackers while being way less likely to break anything.
Eli5 free as in free beer and free as in free speech?
Free beer is freeware, but it can be closed source.
Free speech is freeware that’s also open source with a permissive license, so you can create an opinionated version of it.
Free as in beer - Free in the sense of costing no money.
Free as in speech - Free in the sense of having no restrictions; libre.
AdGuard is free as in free beer but not as in free speech.
I think in the context of this discussion, they are talking about AdGuard Home, which is GPL. So it’s also free as in free speech.
Oh you’re right. Didn’t even realize AdGuard was GPL in its “Home” version.
Yeah, it’s essentially completely different software. Their naming scheme makes it even more confusing.
Pihole is most popular among self-hosters. It has a nice GUI, it’s capable and it’s solid. It’s basic in the sense of DNS features. You need to use config files to customize from terminal and even then it’s limited.
Adguard in my experience has more advanced blocking features. DNS also allows you little more flexibility like wildcard records. You can have separate config for different clients (like guest/kids network blocking)
NextDNS is SaaS only. It has most advanced blocking features but free account only gets you limited queries monthly. You can choose to keep your logs on specific servers or not to keep at all… from privacy perspective it’s arguably worse because you have to trust another company but it’s a good middle ground. Self hosted still needs upstream DNS but it could be tunneled through VPN which would anonymize traffic. NextDNS is upstream dns and it can’t distinguish internal network source.
I would throw zenarmor to the mix https://www.zenarmor.com/. Paid home license costs 10$/month and allows 3 different profiles. It is more advanced as it sniffs all network packets and not only DNS. It’s not replacing dns. It has great reports/dashboards.
For best DNS capabilities I would recommend technitium https://technitium.com/dns/. It’s free. You have gui, dns blocking and full DNS capability with some advanced plugins. It’s not as fancy for dashboards like pihole or Adguard.
You would use combination of solutions and nextDNS could be your upstream if you don’t mind paying them. If privacy is your thing you want to have more generic upstream that everyone uses like quad9.
Wait, you tunnel queries to your upstream DNS through a VPN? Nice.
I’ll try to take a look at Blocky when I have the time
Wait, you tunnel queries to your upstream DNS through a VPN?
I use Tailscale to do this and it works quite well. I also use it to keep my pihole always reachable from my devices so I can continue to use it as my DNS server even when my phone is on cell data, etc.
I run a secondary Pihole on an AWS host that is also linked by tailscale as a fallback
Thanks, this is a great idea.
Yes! I have a split DNS setup with technitium using advanced forwarding plugin. You can set different upstream based on client IP or subnet. So this way you can send to vpn DNS to prevent leaking.
Also you can have multiple piholes (poor man’s setup) and have each configured filtering for dedicated VLAN. For instance be more strict for guest kids and less on adults net. Adguard can do that without having to have many instances but then Adguard can’t forward traffic based on origin IP. You can make any kind of logic and send different clients to different upstreams. As far as I know only BIND provides this functionality through views but it’s more complicated setup and no lovely GUI. You can always send all traffic through tunnel but then some results may be not ideal if you will be detected to be in different country and content will be served in other language. I think results will vary based on VPN endpoint. You don’t need to tunnel through vpn if you use DNS over https. It’s completely invisible to the ISP. VPN is more of a use case if you want to be consistent with your exit IP and DNS queries.
I was planning to use UnBound as my recursive resolver with Blocky behind it. As for filtering by IP, multiple instances with some simple Network ACLs should do the trick. Thanks for the idea.
The problem with UnBound is that it doesn’t use TLS whilst connecting and communicating to root servers and the like. TBH your idea of using a VPN seems excellent with my use-case, and if I rotate my VPN server every now and then my ISP along with other trackers might just be lost trying to find and correlate my DNS queries to my identity. Thanks again, I need to think more about this.
+1 for technitium dns. It’s perfect. I use it along with nextdns.
I use Pi-Hole and works great. I’ve heard about AdGuard and seems the same thing as PiHole
Only if you’re talking about AdGuard Home, then yes. When you talk about AdGuard you usually just mean the adblocker app which is something completely different.
I used all three of them. While AdGuard Home has some nice features that Pi-hole doesn’t, it in my experience has many more problems and has been unstable on some updates. So since you prefer stability for your DNS server I’d recommend Pi-hole over AdGuard Home.
NextDNS doesn’t need to be self-hosted because it’s a service on the internet. The disadvantage is that you are offered a list of blocklists from which you can choose but unlike Pi-hole or AdGuard Home you cannot add more lists. But they offer many lists so that’s not a big problem. If you need more than 300k queries a month you need to pay for their service. But since NextDNS is a service on the internet it means that you can use it on all of your devices no matter where you are.
Strange we’ve had differing experiences. I’ve only been using Adguard for a couple of months, but the reason I left Pihole was because of its instability! Or at least, the database would constantly get chowned elsewhere when running in docker so I couldn’t whitelist any domains.
Adguard’s been 100% stable so far for me.
As long as it works fine for you I’m glad. :)
If you’re interested here are my three bad experiences with AGH:
- The “use AdGuard browsing security web service” option made all DNS queries so slow after a week to the point where nothing was resolved anymore. (That was 2 years ago, maybe fixed now)
- They removed some library with an update which caused a panic when booting AGH so it wouldn’t start anymore. That library was needed to use the DoH encryption of one of my upstream DNS servers. I had to remove that one from my config.
- The next update didn’t fix this issue but added another one: A few hours of running this version (I don’t remember the version number) the AGH service suddenly crashed. I started it again but 5 minutes later it would crash again. That was the point where I stopped using AGH because it didn’t feel reliable anymore and updates only made it worse.
Fair enough!
It’s just worked out of the box for me - and TIL it actually existed two years ago, I hadn’t heard of it until about six months ago.
But yes - it’s great to have choices and pihole deserves some extra credit for blazing the trail in this area.
I currently selfhost AdGuard Home and it works very efficiently. I added custom lists plus personal filters, and as a plus, I exposed the DoT on the web, so I can use the device I “authorized” no matter where I am. Big plus for me
You are incorrect. You can add custom lists to NextDNS
Edit: I am so sorry. Apparently I was completely misremembering my setup.
The contradict me directly.
I too was under the impression that you couldn’t add custom lists to NextDNS. Last time I researched this everything I found said you couldn’t as well. I know you can build your deny list but that can be time consuming. I do it, but would love to be able to pull block lists that are already compiled. Can you share more info on how to add custom lists to NextDNS? Thanks!
My memory is shit. I was wrong. I’ve updated my post.
Ahh no worries mate! I do it all the time! 😅
I have been intending to explore other options outside of NextDNS because I want custom block lists. Just means the plan remains the same! Thanks for the update!
A droplet running pihole on digital ocean work?
Really? How do I do that? I’d love to add the Neo Dev Host List to NextDNS.
I was dumb and wrong.
Removed by mod
NextDNS seems cool but it looks like it is for-profit and proprietary software, which is a deal breaker for me. Even if their “free” tier were good for me, for now, the price and my privacy would always be subject to the whims of a company who is going to be trying to get money from me. Fuck that.
I am honestly surprised to see it recommended here on Lemmy. When I first heard of it, I went to their website to see what it’s all about. I assumed it would be another self hosted DNS service, not a paid proprietary cloud service.
I wondered if it is astroturfing.
Just to clarify, you don’t need to install an app or extension to use AdGuard, you can just use its dns servers. I use their own dns for my phone, so that it works everywhere, but I use my self hosted AdGuard instance at home.
I haven’t needed to change anything in the filters yet, but by self hosting, I’ve got the option if it’s ever needed.
deleted by creator
You can also set up a VPN on your pi and always be connected to it while you are on cellular. Just takes a little bit of extra work
Adguard
deleted by creator
Maybe because that’s just a firewall that can be installed on Windows, Debian/Ubuntu and Fedora. What about your mobile devices? This is where Pi-hole, AGH, NextDNS etc. win.
deleted by creator
Read the whole sentence. That “just” belongs to the fact that it’s only available on a few selected OSes and none of them are for mobile devices.
deleted by creator
It’s possible I’m misunderstanding something, I am admittedly a layman when it comes to much of this. That being said, I believe NextDNS is marketed as a DNS level firewall. I do use Portmaster, but for the secure DNS I use a profile on NextDNS so I can implement granular control over what is being blocked on my PCs.
Idk what mobile device you are using, but I know on Android you can use NextDNS by updating your “Private DNS” in the Android settings. If you set it to a NextDNS profile it eliminates the need to install an app, and allows NextDNS to block ads and trackers even while not at home and utilizing your mobile data (or any other network you might need to connect to). Can also be implemented in conjunction with a VPN (if that is something the user is trying to implement based on their threat model) because it is built into the system settings rather than an app using a VPN-esque connection as a sinkhole for trackers. There is also a setting that allows you to prevent bypass if activated. I use that on our router.
Hope this helps! If I am wrong, please feel free to educate me. Always happy to learn more. 🍻
deleted by creator
Gotcha! My bad, I clearly misinterpreted the discussion. Thank you for the clarification!
Your setup sounds pretty legit. As far as “too paranoid”, I don’t think that’s a factor as long as the effort required to maintain your system is something you’re comfortable with upkeeping and you don’t feel these concerns are getting in the way of your mental well-being. I do more work than probably most of the people I know, but that’s because I like to tinker and this is sort of a hobby for me. My family and partner think it’s extreme, but I feel it’s good to know how to implement different procedures, countermeasures, and security levels. Do I need them all? Definitely not. But there was a situation at work the other day where I was able to consult on remediation because I have exposed myself to a wide array of different tools and methodologies that most people I work with don’t care to bother with. All of that to say, "do you, boo!" Follow your info tech/cyber sec bliss.
NextDNS is cool but it also doesn’t sound necessary for your use case. My primary use for it was because of the limitations of my stock OS when it comes to features like built-in firewalls. Then since I was already using it on my mobile, I just decided to experiment with wrapping it into things like Portmaster and my router to control things like smart TVs.
My goal with my next mobile is a custom ROM where I can implement a setup similar to yours. That day can’t come soon enough! 😂
deleted by creator
It can’t bypass my network DNS if only my DNS server is allowed to send out via port 53.
It’s really fun to see how some devices are completely panicking. (I only have some chromecast music devices which do not need any internet) Anyway, I do hate that there are manufacturers who hardcode a dns into MY devices.
For the time I’m outside my network I do have a VPN which allows me to access my pi-hole from outside (I never felt that the speed or latency is especially low)
There are even routers which allow you to re-route specific ports to specific devices. So, even if the device wants 8.8.8.8 the firewall would reroute it to my dns server
If you want a privacy friendly option that works from in/and outside your network without all the hassle above I can also recommend proton VPN which also provides tracker and ad blocking.
deleted by creator
… any app can bypass easily your DHCP DNS provided…
In my network it can only do that if the app has a hardcoded encrypted DNS server because I use NAT rules to force all unencrypted DNS to be processed by my OPNsense (which uses NextDNS as upstream DNS servers). And I highly doubt many apps even have a hardcoded DNS server anyway (no matter if unencrypted or encrypted).
and as I said, I don’t install any weird app on my phone, I just use it as a phone, to communicate, chat and to download podcasts to listen on night.
That’s your personal use case but not everyone else’s. I do much more with my phone. For example browsing. And I think most people do it too. Anyway, as long as you use mobile internet even your OS on your phone could spy on you with tracker domains. Most people don’t use a custom ROM so you’re just one of few people who this doesn’t apply to.
While you just win at your local home network… xD
Wrong. I use NextDNS so I have it everywhere. ;)
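A way to check that the enforcement described in this thread (only the local resolver allowed out on port 53, or NAT rules redirecting it) is actually catching clients, as an added example that is not from any commenter. The resolver address, LAN range, key=value log format and label names are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions, not from the thread: resolver address, LAN range, log format.
LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.2")
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines in a simplified key=value firewall log format.
SAMPLE_LOG = """\
src=192.168.1.50 dst=192.168.1.2 proto=udp dport=53 action=pass
src=192.168.1.60 dst=8.8.8.8 proto=udp dport=53 action=pass
src=192.168.1.60 dst=8.8.8.8 proto=udp dport=53 action=rdr
src=192.168.1.65 dst=8.8.8.8 proto=udp dport=53 action=block
src=192.168.1.70 dst=1.1.1.1 proto=tcp dport=853 action=pass
src=192.168.1.2 dst=9.9.9.9 proto=tcp dport=853 action=pass
src=192.168.1.80 dst=1.1.1.1 proto=tcp dport=443 action=pass
truncated line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")
PLAIN_DNS = {"pass": "plain-dns-bypass", "rdr": "redirected", "block": "blocked"}

def parse(line):
    """Return a typed record, or None for malformed lines."""
    rec = dict(FIELD.findall(line))
    if not {"src", "dst", "proto", "dport", "action"} <= rec.keys():
        return None
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
        rec["dport"] = int(rec["dport"])
    except ValueError:
        return None
    return rec

def classify(rec):
    """Label DNS traffic from LAN clients that does not target the local resolver."""
    if rec["src"] == LOCAL_RESOLVER or rec["src"] not in LAN:
        return None  # the resolver's own upstream queries are expected
    if rec["dst"] == LOCAL_RESOLVER:
        return None  # client is using the intended resolver
    if rec["dport"] == 53:
        return PLAIN_DNS.get(rec["action"])
    if rec["dport"] == 853 and rec["proto"] == "tcp" and rec["action"] == "pass":
        return "dot-bypass"  # DNS over TLS straight to an outside resolver
    # Port 443 is deliberately not labelled: DoH looks like any other HTTPS here.
    return None

def audit(log_text):
    """Map each client IP to the set of labels seen for it."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        label = classify(rec) if rec else None
        if label:
            findings[str(rec["src"])].add(label)
    return dict(findings)
```

A client showing `plain-dns-bypass` means the port 53 rule is not matching it; the port 443 line stays unlabelled because a port-based rule cannot tell DoH from ordinary HTTPS.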
deleted by creator
and I was talking about Pi-Hole
Well, you said “you” so I thought you were talking about me since you replied to my comment.
Firefox and Telegram for example has built-in DNS if I’m not wrong. (you can disable it easily)
Right. I don’t know about Telegram but in Firefox’s case I think it’s disabled by default. I specifically checked that on my Firefox so it won’t bypass my OPNsense.
We are sharing our use cases. And my context was “I don’t understand why people even talks about Pi-Hole”
You don’t see it, do you? First you talk about your use case but then you talk about other people. So not your use case anymore. In their use case a Pi-hole, AdGuard Home, NextDNS or whatever else maybe makes sense and isn’t a bad choice.
EDIT: Also, I think using your phone for other things is wrong, they aren’t really designed for that, they aren’t that secure as a PC can be.
Erm… what?? Smartphones are designed for many different things. Browsing the internet is just one of many things it’s made for. It’s called “smartphone” for a reason.
deleted by creator
Ah, Portmaster. I tried to use this about three times over the past years but I find it extremely complicated and unintuitive. Might be just me, though.
I can see the appeal of blocking stuff on network level with Adguard/Pihole (though I’ve never succeeded implementing them into my home network), so you just have to install it once and not on every device but your argument that it doesn’t work on the road is obvie true.
deleted by creator
Adguard is a VPN. And does what essentially Mullvad does by sending ads or malware or anything they have marked malicious into a void. Pi-hole works very similarly.
NextDNS works similarly by funnelling all your requests through their DNS which has been set up to remove some of the bad stuff out there. Cloudflare (1.1.1.1) also has a similar service (though they just stick to malware): https://avoidthehack.com/best-dns-privacy