"""
To be fair, there are also some advantages of using Pi-hole® over NextDNS:
1) You know who runs it. We can’t ask you to trust us more than yourself. We can provide all the guarantees you want, show who we are and make promises, but it is understandably easier to trust a solution you manage yourself. Keep in mind, though, that all your unblocked DNS queries are still visible to your upstream DNS. So there is still someone you need to trust with your data.
2) It’s free with no limits. NextDNS is cheap, very cheap, but it’s still a paid service if you use it over a certain limit. Pi-hole® is free to use. You still have to pay about $35 for a Raspberry Pi + an SD card, which is equivalent to several years of NextDNS subscription. You should also consider donating to the Pi-hole® project if you use their solution. After a few years though, yes, Pi-hole® should become less expensive than NextDNS.
"""
They can't, but it might make sense to do so anyway.
I always explain this when it comes to running your own private CA as well. In principle you might do a better job than anybody else, and certainly if you fall down you'd know exactly who to blame. But you also might do a pretty shoddy job and cut corners you know you shouldn't, and knowing whose fault it is will be cold comfort if things do go wrong.
People who do this for a living can never be as trustworthy as you could be, but they might very well be more trustworthy than you are in practice and it's worth a moment's honest introspection to consider that.
"But missing the point. If I am worried about privacy from cloud players, why to trust another cloud player?"
The workflow I am (not quite finished) setting up is as follows - I run a caching, recursive nameserver (unbound) in my own colo space. That DNS server, not me or my devices, is the nextDNS client.
Then I set all of my own networks and devices to use my (unbound) DNS server.
My goal is to receive all of the benefits of a paid nextdns account, but on the nextdns side, all they see is a single, fixed IP, in a fixed location, owned by a corporate entity, doing a bunch of DNS queries.
In fact, I am a bit worried about this exact setup because although I am using this for my own, personal use, consistent with their expectations, I could just as easily be a full-blown ISP passing through my nameservice to nextDNS ... how do they deal with that?
Totally guessing here. If they saw one IP making ISP-rate queries they could contact you and negotiate a different price. Even with caching you are very likely going to see much higher query rates occasionally when a whole network of people are using it.
You personally make as many DNS queries as a full-blown ISP? The fact that your server does its own caching may keep your query rate lower than others.
I'm sure they can refuse service to customers in certain cases.
No, I wouldn't make anywhere near that number of DNS requests, but the setup would be the same - a caching, forwarding nameserver doing a MITM between my networks and nextDNS.
So I assume they allow (or, rather, can't really disallow) such a setup but I wonder what ramifications it has when someone decides to front their entire customer base behind their nextDNS account ...
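As an added illustration of the setup described in this exchange (not the commenter's own configuration), here is an unbound.conf fragment in which unbound is the only client of the upstream provider, speaking DNS-over-TLS, while only the owner's networks may query it. The listening address, allowed prefixes, upstream IP and TLS name are placeholders to replace with your own values; note that a forward-zone for "." turns unbound into a caching forwarder rather than a recursive resolver.

```conf
# Added example, not from the thread: unbound as the single upstream client.
# Placeholders: 192.0.2.10 (this server), 10.0.0.0/8 and 192.168.0.0/16
# (your networks), 192.0.2.53 / resolver.example (upstream IP and TLS name).
server:
    interface: 192.0.2.10          # listen only on the colo server's address
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # Only your own networks may query; everything else is refused so the
    # box cannot be used as an open resolver or an amplification reflector.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 0.0.0.0/0 refuse

    # Caching: repeat lookups are answered locally, so the upstream sees
    # fewer queries and the per-IP query rate stays modest.
    msg-cache-size: 64m
    rrset-cache-size: 128m
    cache-min-ttl: 60
    cache-max-ttl: 86400
    prefetch: yes                  # refresh popular records before expiry

    # Validate the upstream's TLS certificate against the system CA bundle;
    # without this, forward-tls-upstream encrypts but does not authenticate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    hide-identity: yes
    hide-version: yes

# Forward every name to the upstream over TLS (port 853). With a "." zone
# unbound no longer recurses itself; the upstream is the only party that
# sees the queries, and it sees them coming from this one fixed IP.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#resolver.example
    forward-first: no              # never fall back to plain recursion
```

Run `unbound-checkconf` after editing; the `#resolver.example` suffix on `forward-addr` is what unbound verifies the certificate name against.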
You aren’t missing anything, your setup would be more private.
There is a valid niche between no privacy and completely self-hosted DNS-over-HTTPS that a service like nextdns solves well. Just as Apple solves a by-default more secure yet still not flawless phone, or how using a VPN provider is a midpoint between a self-hosted VPN and no VPN. I think the privacy trade-off here is good for many.
Whilst I completely agree with your comment, I have a nit to pick about the self hosted VPN part. What commercial VPN providers sell is plausible deniability through multiple users having access to the same set of endpoints. A self hosted VPN does not provide that. If I have a server somewhere and route my traffic through it, that server doing something can easily be tied to me doing something. Hence why you probably shouldn’t self host a VPN. Now, if you’re only afraid of your ISP or neighbours snooping, then a self hosted VPN makes sense. If you’re afraid of advertisers or the MPAA, then a commercial VPN makes sense.
Am I alone in the feeling that a lot of privacy related solutions are just paying for a promise? For example, a VPN can record all my requests, they just promise not to and I can’t verify it.
You are not; at some point you'll just have to trust someone. Just like trusting that the app you submitted to the App Store is the same one you are downloading and hasn't been tampered with.
As always it's a matter of tradeoffs. If you just don't want to get tracked by ads it's probably a good solution. If you are afraid of some nation state trying to track you down, then probably not.
How do you block unwanted DNS requests outside of the Pi-Hole’s radius (e.g. home network)? If I’m on mobile, NextDNS lets you disable on user-specified WiFi networks and then re-enables when you leave range.
NextDNS can also be used as a fallback if your Pi goes down for whatever reason too. Might as well have options in this space.
70% of HN readers probably don't have the technical knowledge (or hardware on hand) to set up pi-hole without investing 10+ hours.
For those of us with a raspberry pi or intel nuc on hand, sure, it only takes 30 minutes.
This service is for people who want to kill ads at the DNS level without dealing with the hardware / setup of pihole.
Also, not many people are going to bother setting up a VPN to access their pihole DNS when traveling or on cellular, which makes NextDNS attractive.
The other argument is "just use ublock matrix". The counter-argument is it doesn't block native app ads / tracking. (One of the #1 blocked domains on my pihole is from Dashlane's macOS app, constantly wanting to phone home.)
> 70% of HN readers probably don't have the technical knowledge (or hardware on hand) to set up pi-hole without investing 10+ hours.
That seems pretty dismissive of our audience. I can't think of many things easier to set up than pi-hole, unless even using SSH is too difficult to understand.
1) Buy a rasp-pi (or pretty much any other device supporting a reasonably standard Linux distribution).
2) Copy one of many Linux distributions to an SD card with something like etcher: a couple clicks. Or buy one of the many pre-made kits with Linux already on the card.
3) Run a single-line Linux command via SSH and follow the prompts.
4) Change the DNS settings in your router to use the pi-hole.
Although I agree, it's not terribly complex to follow the steps. Lack of time to fiddle with self-managing a device seems like it could be a bigger limiter.
Sure, but presumably the type of people who are willing to run their own DNS resolver are capable of changing a setting on their router. There's substantially more effort in de-breaking sites broken by pi-hole or other ad-blocking software than there is in maintaining the blocking device.
70% of many audiences, even of tech news sites? Sure. But of Hacker News' audience? I would expect many here could follow the basic setup tutorial relatively easily.
I'm more worried for my local ISP selling my browsing history, or exposing it due to incompetence, because something like that already happened and nowadays I'm worried they send that data to local authorities too.
The "cloud players" you're worried about are big targets and the law protects me, since we have the GDPR and the EU is trigger-happy in giving fines to big companies. Also my data is not that useful right now to a US company.
Also the ad blockers for iOS Safari don't work well and I use iOS Firefox anyway, which can't use Safari's content blockers. So I'll take any help in blocking ads I can get.
This will also be valuable for doing some content filtering for my son, without installing anti-virus crap on his devices.
Do GDPR and other EU laws not protect you from your ISP also? I'm not sure how your home ISP is less trustworthy than your VPN's ISP if they're both in the EU (and if you aren't, GDPR doesn't apply to you).
I would set up my own Pi-Hole if I wanted true privacy.
Missing something?