NextDNS is the greatest thing since sliced bread. They offer:
ad blocking, tracker blocking, white lists, black lists, multiple user profiles, optional logging, DoH and DoT
Please, somehow, integrate NextDNS into the Peplink firmware. My preference would be to allow us to specify a NextDNS DoH or DoT hostname for the DNS servers on the untagged LAN and each VLAN.
Yes, it competes with Web Blocking but it offers better logging/reporting, much more flexibility and encrypted DNS. And, does Peplink really want to be constantly updating the internal blacklists? It seems not, as there has not been an update for an entire year (as far as I can tell).
The elevator pitch is that NextDNS is PiHole in the cloud. I have not used PiHole, so that’s the best I can do on comparing.
Their website is nextdns.io. The service is in beta now so its free. It will be a commercial product, eventually.
NextDNS currently offers two ways to integrate with a router, but each is a hack.
Off-topic: On Android 10, the Private DNS feature is a perfect match for NextDNS. It works system wide and even over-rides the DNS that a VPN tries to set. Ad-blocking, tracker-blocking and encrypted DNS. System wide. Like being in heaven. Private DNS exists on Android 9, but in my experience it gets over-ridden by VPNs.
Been using a PiHole for over a year. Works great. Had never heard of NextDNS until now but I guess they’re newly on the market?
Hope this isn’t a deep state organization setup in time to support contact tracing and control.
Just tried it on my iPhone. Wow, quite powerful. What I especially like over pihole is that it’s cloud based. I’m using my Pihole at home but on mobile I was using PrivacyPro from Disconnect at a yearly cost of $32 CDn (for more advanced features, ad/tracker block is free)
Using NextDNS frees me from that subscription and having to maintain a Pihole if at some point we can setup on our Peplink Surf router.
The other major NextDNS win over PiHole for me is parental controls. It’s got a ton of features. Enforce Google SafeSesrch, YouTube restricted mode, block child abuse sites, whitelist domains etc.
Analytics are great.
Downside is for iOS, requires app install and VPN.
This is ok for young kids, as you typically wouldn’t allow them to uninstall the app but wouldn’t fly for older kids or teens.
Is there any built-in ad blocking for Peplink? I see Content filtering and the “adware” category but no clue how I can see a list of what it blocks? I tried enabling it and it didnt seem to block any ads.
For many years I have used Merlin’s router builds for Asus routers. There are some options such as:
Well, that’s typically our easiest and lowest cost solution solution when blocking ads/crapware/snoopers/spear-fishers/etc is needed. Frankly, we don’t want our routers doing too much of that – that’s the domain of a specialized [almost free] appliance. (BTW, we’d consider “ads” and “adware” to be two different “animals.”)
YMMV.
Hi. We have a number of them in use and most are at locations connected either with PepVPN or SpeedFusion. No issues at all. All PH is really is a sophisticated “DNS intermediary.” They can do DHCP also but we very much prefer to have the routers to handle that function.
Thanks for your help. I ordered a kit. one question remaining is do I want the device to utilize my speedfusion smoothed tunnel or just let it use the fastest response algorithm on the wans directly? My Wans are unstable So the last thing I want is the DNS to be unstable and cause issues with performance. Thanks again!
I was just looking at another router and noted we did it a bit differently. Rather than specifying Port 53 we set the Source address to be the PiHole without specifying the port number. In the latter case, of course, all traffic from the PH would go out the lowest latency WAN – e.g., when you do a OS update/upgrade, etc. That may or may not be desirable.
You might want to play with it a bit and see what approach you like best. I’ll be curious as to what you find.
Let me mention something else… Not sure what your SF end-point is but one thing we’ve done is point the router’s DNS to the local PH and point the secondary DNS at another one which is accessible via SF or PepVPN. So, if the local one dies (rare) another takes over. We’ve found this appraoch to be quite resilient.
peplink device is set to pi-hole device IP and 1.1.1.1 OR 9.9.9.9 ?
does speedfusion hub solo need any tweaks or leave it alone?
hypothetically speaking, why wouldn’t one want to host pi-hole in the cloud alongside the fusion hub solo? bad idea for dns lookups to be performed in the speedfusion tunnel if it goes down? but might be OK if one is willing to lose pi-hole abilities if tunnel is down?
Which upstream DNS to use? Well, you’re fine, of course. We use 1.1.1.2 rather than 1.1.1.1 along side 9.9.9.9 as 1.1.1.2 is filtered.
No … We don’t put PHs in the cloud and have had no experience with that. These devices are behind Peplink Balance routers at the other end of SF or PepVPN tunnels.
Is there any good way to test my DNS response time? I would like to play with routing DNS requests through the Speedfusion Smoothed tunnel versus Fastest response versus Lowest Latency.
FYI, I had to remove the secondary DNS in my Peplink network settings for what is handed out during DHCP to clients. Having the secondary (non Pi-hole) DNS present, while a fail safe if the Pi-hole went down, meant a lot of traffic was skipping the Pi-hole. I dont know if that is by design, but it was enough for me to remove it. My worry is now if the pi-hole goes down, there will be no DNS to for the clients.
Exactly. That’s expected. If, for example, a DNS inquiry is made which cannot be serviced from PH cache it’ll probably be satisfied first by the secondary server. That’s why we use PHs in two different locations as primary and secondary DNS servers. FWIW, the weakest point in the PH appears to be the micro SD card. We’ve gone to using industrial cards. The 2nd most likely point of failure, from what we’ve seen, is the wall wart. But all-in-all we’ve seen very few failures.
