NextDNS is a relatively new DNS service with so many benefits that it deserves a spotlight. In this review, I will cover its most important features with an emphasis on what makes it different from traditional DNS services and how it helps to improve security and privacy.
NextDNS was founded in 2019 by two French tech guys with a solid background in network infrastructure and video streaming platforms. Does “Dailymotion” ring a bell? Well, one of them founded it.
The founders are positioning themselves as supporters of net neutrality and online privacy, and this is essential considering the purpose of a DNS service.
What is wrong with traditional DNS and how does NextDNS fix it?
DNS is broken: it lacks security and privacy by design, it is the most widely used method for online censorship, and it can reveal almost everything about your online activity (the websites you visit, the apps you use, the games you play).
NextDNS isn’t re-inventing the wheel, but it brings together the features needed to solve most of the DNS problems and give control to the user:
- a clean, very well-built web dashboard to control the settings
- privacy-enabled DNS with support for encryption and no-logging
- ads, malware, tracking, cryptojacking blocking
- apps, sites, games restrictions and parental control
- activity analytics
All these features combined make NextDNS a powerful service that can address the needs of different user types, from privacy-minded geeks to average users such as parents who want to limit their kids’ access to Fortnite, TikTok and Instagram.
NextDNS supports DNS encryption using DoH and DoT, and it is IPv6 enabled. Encryption is supported natively on compatible devices, such as Android 9+ using the “Private DNS” feature in network settings. Firefox and Chrome/Chromium-based browsers can also make use of DNS encryption natively.
NextDNS has official apps for devices that do not support DoH/DoT encryption out of the box: Windows, Mac, iOS and Android (if you don’t have or don’t want to use the “Private DNS” Android feature). The mobile apps act like a local VPN in order to intercept and encrypt the DNS traffic. The downside of the mobile apps is that you can’t use a “normal” VPN at the same time.
They operate their own ASN (AS34939) and have servers hosted in over 50 countries across the world.
In the dashboard, you can have different profiles with different settings for each, so that different devices can use different settings. This helps in scenarios where you want to impose a stricter policy on one network or set of devices and a more relaxed one on others.
Ad-blocking uses hosts blocking lists maintained by NextDNS and from numerous 3rd-party sources: AdGuard, Disconnect, EasyList, oisd, EasyPrivacy, AdAway, Fanboy’s and many more. It isn’t possible to add your own list, if that matters.
Logging of DNS queries can be disabled completely or enabled. When enabled, it is possible to choose where the DNS logs are stored: USA, EU, UK or Switzerland. The logging settings also allow the user to choose the data retention period, from 1 hour to 2 years, and to disable client IP or domain logging. Privacy-minded users will probably want to disable the logging facility completely, though I found it helpful to audit the activity of a specific device by listing all its DNS requests.
Rewrites are also possible, in case you want to force some domains to resolve to specific IP addresses.
A “Cache boost” feature can enforce a minimum TTL. This feature may also help reduce the number of queries you generate, if that matters (e.g. when using their free, query-limited plan).
This is a must-have feature for parents who want to restrict their kids’/teenagers’ access to some of the most popular games and social media services: TikTok, Facebook, Instagram, Tinder, Snapchat, WhatsApp, Fortnite, League of Legends, Minecraft, Roblox, Reddit, Netflix, Hulu, YouTube, Twitter and many more.
You can also block specific sites/apps categories: porn, gambling, piracy, social media and dating.
The restrictions can be either permanent or scheduled by a “Recreation Time” setting, allowing access to the blocked resources during specific days and hour intervals.
How easy is it to enforce the parental control feature?
There is no simple answer to this. Setting up the NextDNS servers on your network is easy, and the restrictions will be applied immediately. But you may want to make the restrictions as hard as possible to bypass, because they can be bypassed by changing the DNS servers individually on devices, unless the DNS settings are configured from an administrator account and the kid logs in with a non-privileged account.
Even if it is called “Parental control”, this may come in useful for business use too, where network admins can easily restrict employees’ access to social media sites and other unwanted services/sites.
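One common way to make the bypass described above harder, as an added example that is not part of the original review or of NextDNS itself: an nftables ruleset on the LAN router that redirects any plain DNS a client sends elsewhere back to the router’s own resolver (which forwards to NextDNS) and drops DNS-over-TLS to other servers. The interface name, router address and resolver port are assumptions.

```nftables
# Added example (not from the NextDNS review or project). Assumptions:
# LAN interface "br-lan", router LAN address 192.168.1.1, and a local
# resolver on the router (dnsmasq, Unbound, ...) listening on
# 192.168.1.1:53 that forwards to NextDNS.
table inet dns_policy {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Plain DNS (UDP/TCP 53) addressed to any other server is
        # transparently redirected to the router's resolver, so a client
        # that sets its own DNS server still gets the NextDNS policy.
        iifname "br-lan" ip daddr != 192.168.1.1 udp dport 53 dnat ip to 192.168.1.1:53
        iifname "br-lan" ip daddr != 192.168.1.1 tcp dport 53 dnat ip to 192.168.1.1:53
        # IPv6 clients need the same two rules with "ip6 daddr" and the
        # router's IPv6 address; omitted here to keep the example short.
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # DNS-over-TLS (port 853) to third-party resolvers cannot be
        # redirected (the certificate name would not match), so drop it;
        # clients then fall back to plain DNS, which is redirected above.
        # The counter makes bypass attempts visible in "nft list ruleset".
        iifname "br-lan" udp dport 853 counter drop
        iifname "br-lan" tcp dport 853 counter drop
    }
}
```

DNS-over-HTTPS on port 443 looks like ordinary web traffic and is not covered, so a browser configured with its own DoH server still bypasses this policy; checking the counters above is a quick way to see whether devices on the LAN are trying other resolvers.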
Compatibility and ease of use
NextDNS can be used in different ways:
- As DNS servers on any device that allows custom DNS servers to be set: routers, desktop and laptop computers, mobile devices. When set on a router, all devices in the same network use NextDNS, so it is not necessary to set it individually on each device. This scenario still allows you to benefit from ad, tracking and malware blocking and parental control, but the DNS traffic won’t be encrypted.
- By making use of DNS encryption to secure the DNS traffic between your device and NextDNS servers: using their official apps available for Win, Mac, iOS and Android. On Android 9+ you can use NextDNS through Android’s built-in “Private DNS” feature. On Linux it is possible to make use of DNS encryption using Stubby, DNSCrypt, Knot Resolver. Some routers like Mikrotik and pfSense can use DNS encryption.
- By setting up the NextDNS servers in browsers supporting DNS-over-HTTPS like Firefox and Chrome.
The dashboard is very clean, and the setup instructions they provide are clear and easy to follow. Almost certainly, you don’t need to be a technical guru to understand what each option does or how to set a DNS server on your device.
NextDNS can be used for free with a monthly quota of 300,000 DNS queries; the paid plans, starting at $20 / year, allow unlimited queries.
In my testing, I’ve found that the 300,000 DNS queries per month can be reached quite easily when the NextDNS servers are set on a router serving a small network of 5-10 different devices. For a single or even a couple of mobile devices, the limit should be sufficient.
Total queries in 24 hours, NextDNS servers set on LAN router:
Total queries in 24 hours, NextDNS servers set on a single Android phone:
It is worth noting that if you reach the monthly limit, the DNS servers won’t stop processing requests but will simply go into “normal” mode without filtering capabilities:
“When exceeding the free monthly quota, NextDNS will continue to answer DNS queries like a classic non-blocking DNS service.”
The difference between Free and Pro is clear, but the other two plans (Business and Education) are confusing, raise some questions and need clarification. For instance, if the number of allowed queries is unlimited, how would there be a difference between 30 employees and 500 using it in the same network?
Pros
- feature-rich DNS service, bringing together capabilities normally found segregated in different services
- intuitive, very well-built dashboard for a great user experience
- all features available for free with a reasonable monthly quota
- many filtering capabilities, security and privacy settings
Cons
- the network infrastructure is decent, but don’t expect the same performance, and perhaps the same reliability, you would get from a giant like Cloudflare
- the pricing plans need clarification
- no option to choose the location where the DNS servers are hosted, as there is for the log retention location
NextDNS ticks almost all the boxes of a perfect DNS service. There are still some aspects that need improvement, though they aren’t a deal breaker. All things considered, we enjoyed NextDNS so much that it is now our secure DNS service of choice. Give it a try and don’t hesitate to share your experience in the comment section below.