In the past I played with AdBlock and pi-hole, and now with NextDNS. In this article I will show the major differences, then at the end a step-by-step guide for installing and setting up a dnsmasq + nextdns client (so you can skip the first part if you just need the install guide 🙂 ).
Why DNS-based ad and tracking blocking?
- Using browser plugins can be a pain in the ass, as sites can detect that you use one and make you disable it.
- Sites load slower, as your browser has to deal with the unneeded ads as well.
- Your internet usage is higher when you load the additional ads.
- Companies (Facebook, Google, etc.) can track which sites you visit and show you ads based on that.
What solutions can you use?
There are several options for DNS-based ad blocking:
- Add lists to your hosts file (client or server)
- Use an on-premises service like pi-hole
- Use a cloud service like NextDNS
- Use a hybrid solution: on-premises server + cloud provider
Add lists to your hosts file (client or server)
This is the simplest solution. There are plenty of lists on the internet; basically they are key-value pairs. If a name is in the list, your host resolves it to its own local address, so your browser will not be able to reach that resource.
| Pros | Cons |
|---|---|
| You can set it up without a server in your network | Hard to keep updated; you have to maintain it by hand |
| Provider independent | Only blocks ads on the local machine |
| Works on all platforms (Windows, Linux, Mac) | |
Set up an on-prem system (like pi-hole)
When you have multiple hosts at home (and you probably do: PC, laptop, smartphones, TVs, home automation devices, etc.), you might want one centralized server for your DNS filtering. Pi-hole is a great solution for this. It was originally created for the Raspberry Pi, a small board on which you can run Linux (like a small home server), but you can just as easily install it on bare metal or via Docker.
Once it is installed, you can load any of the blocklists you find on the internet.
| Pros | Cons |
|---|---|
| You have total control over it, as it's running on your own device | You have to know how to manage Linux |
| It's free to use | You have to buy the hardware |
| You can easily manage pi-hole via its admin interface | You have to keep it running, update it, manage it, etc. |
| Most security/privacy, as it's running on your device | You can only reach it from outside your home via a VPN |
For a security expert this would be a great solution, as you have total control in your hands. However, it gets messy when you want your phone/tablet to use it while you are away from home, as you then have to use a VPN to stay secure.
Using a cloud provider like NextDNS
Using a cloud provider can make your life much easier: you just need to set their DNS servers and that's it. NextDNS even has some client tools (which are really not necessary, but convenient for the masses).
| Pros | Cons |
|---|---|
| You don't need any technical knowledge | You lose some privacy, as the service is managed by "someone else" |
| You can easily manage it via their web admin | You might need to pay for it |
| You can also set it up on your smartphone, tablet, PC | You can't really set it up on your not-so-smart smart devices, like TVs or home automation tools |
Using a hybrid solution with an on-premises server and a cloud provider
If you have a little Linux knowledge and a home server, Raspberry Pi or anything else capable of running Linux, you can easily set up a local server and then advertise its local IP address via DHCP from your home router.
Now I will show the steps needed for setting up dnsmasq and the nextdns CLI on a Linux box.
- dnsmasq is a DNS server; we will use it for caching, as once we have a resolved name we don't want to go to the cloud provider for it again (so maybe we need to pay less 😉 ).
- nextdns CLI is a simple command-line app created by NextDNS. It can act as a DoH (DNS over HTTPS) proxy, so your DNS traffic is encrypted towards the internet but stays regular, unencrypted DNS on the local network.
Setting up NextDNS cli
The NextDNS CLI is an open-source project maintained by NextDNS. The repository can be found on GitHub: https://github.com/nextdns/nextdns
The installation is easy: the script below adds the NextDNS repo to your package manager (yum, apt, etc.). The list of supported systems is here: https://github.com/nextdns/nextdns/wiki
sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'
The installer is a next-next-finish script; it asks for basic things like your NextDNS ID. It creates a basic configuration that you can edit later and makes the nextdns client start at system boot.
After installing it, we need to configure it to listen only on the local address of the server (localhost/127.0.0.1). To do this, setup-router must be set to false! (It's not for this use case anyway.)
/etc/nextdns.conf
log-queries true
report-client-info true
detect-captive-portals false
hardened-privacy true
timeout 5s
setup-router false
auto-activate false
listen 127.0.0.1:53
config <REMOVED>
bogus-priv true
use-hosts false
After changing the settings, restart the service
service nextdns restart
and check the logs to see that everything is fine:
nextdns log
At this point nextdns is listening on 127.0.0.1:53, so none of your clients can reach it. That is intended. To check, you can use netstat:
netstat -tulnp | grep nextdns
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3762/nextdns
udp 0 0 127.0.0.1:53 0.0.0.0:* 3762/nextdns
Setting up dnsmasq
Dnsmasq is part of most of the basic repositories, so just try to install it (if it's not found, you need to find and add the proper repo):
yum install dnsmasq
Add the following to the dnsmasq configuration (/etc/dnsmasq.conf)
domain=local.local
resolv-file=/etc/resolv.dnsmasq
min-port=4096
cache-size=10000
listen-address=<IP of your server>
bind-interfaces
port=53
In the resolv-file we tell dnsmasq to use our nextdns client as the upstream DNS server. The listen-address must be the LAN address of your server (like 192.168.X.X or 10.X.X.X).
Add the server to the resolve file (/etc/resolv.dnsmasq)
nameserver 127.0.0.1
This means that dnsmasq is the only process that can directly access the nextdns client.
Restart dnsmasq and make it start on system startup
service dnsmasq restart
systemctl enable dnsmasq
To verify, use netstat again:
netstat -tulnp | grep 53
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3762/nextdns
tcp 0 0 <IP>:53 0.0.0.0:* LISTEN 3589/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 3762/nextdns
udp 0 0 <IP>:53 0.0.0.0:* 3589/dnsmasq
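The two netstat listings above are the check that matters for this design: the DoH proxy must be reachable only from loopback, and dnsmasq only on the LAN address (never on 0.0.0.0 or ::). The following POSIX shell function is an added example, not code from the article or from the NextDNS/dnsmasq projects; it reads `netstat -tulnp` output and flags any deviation. The address 192.168.1.10 is an assumption standing in for `<IP>`, and the sample listings are constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the article): audit the listener layout.
# Reads `netstat -tulnp` style lines on stdin and checks two invariants:
#   1. nextdns (the DoH proxy) is bound to 127.0.0.1:53 only, never to a LAN
#      or wildcard address, so only local processes such as dnsmasq reach it.
#   2. dnsmasq is bound to the server's LAN address ($1) only, never to
#      0.0.0.0 or ::, which is what you get without listen-address/bind-interfaces.
# Prints one line per violation; returns 0 when clean, 1 otherwise.
audit_listeners() {
    lan_ip="$1"
    violations=0
    while read -r proto recvq sendq laddr faddr rest; do
        case "$rest" in
            *nextdns*) daemon=nextdns ;;
            *dnsmasq*) daemon=dnsmasq ;;
            *) continue ;;          # header lines and unrelated daemons
        esac
        addr="${laddr%:*}"          # "192.168.1.10:53" -> "192.168.1.10", ":::53" -> "::"
        port="${laddr##*:}"
        [ "$port" = "53" ] || continue
        if [ "$daemon" = "nextdns" ]; then
            expected=127.0.0.1
        else
            expected=$lan_ip
        fi
        if [ "$addr" != "$expected" ]; then
            echo "VIOLATION: $daemon/$proto bound to $laddr, expected $expected:53"
            violations=$((violations + 1))
        fi
    done
    [ "$violations" -eq 0 ]
}

# Constructed sample modelled on the article's output; 192.168.1.10 is an
# assumed LAN address standing in for <IP>.
SAMPLE_GOOD='tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3762/nextdns
tcp 0 0 192.168.1.10:53 0.0.0.0:* LISTEN 3589/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 3762/nextdns
udp 0 0 192.168.1.10:53 0.0.0.0:* 3589/dnsmasq'

# Constructed failure case: both daemons on the wildcard address, so the DoH
# proxy is reachable from the LAN and dnsmasq answers on every interface.
SAMPLE_BAD='tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 3762/nextdns
udp 0 0 0.0.0.0:53 0.0.0.0:* 3589/dnsmasq
tcp6 0 0 :::53 :::* LISTEN 3589/dnsmasq'

# Returns 0 when the good sample passes and the bad sample is rejected.
demo() {
    printf '%s\n' "$SAMPLE_GOOD" | audit_listeners 192.168.1.10 || return 1
    if printf '%s\n' "$SAMPLE_BAD" | audit_listeners 192.168.1.10 >/dev/null; then
        return 1
    fi
    return 0
}

# Live use on the server:  netstat -tulnp | audit_listeners 192.168.1.10
if [ "${1:-}" = "--demo" ]; then demo && echo "demo OK"; fi
```

The function expects netstat's column order (proto, Recv-Q, Send-Q, local address, foreign address, state/program); `ss -tulnp` prints the columns differently, so feed it netstat output or adapt the `read` line. Run it again after any change to `/etc/nextdns.conf` or `/etc/dnsmasq.conf`, since a dropped `listen` or `listen-address` silently widens the exposure.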
Enable your new service on all your hosts in the network
Now your server is ready to take requests. You need to add the server’s IP address to the DHCP server settings of your home router, so it will tell the clients to use dnsmasq.
Setting this up differs between brands, so please consult your router's manual if you need help.
Is it working?
To check that dnsmasq is caching properly, execute the following on your server:
pkill -USR1 dnsmasq
This sends the USR1 signal to dnsmasq, which makes it write its statistics to the log. If everything is fine, you should see something like this in /var/log/messages:
grep dnsmasq /var/log/messages
[...]
dnsmasq[3589]: queries forwarded 9519, queries answered locally 1220
[...]
This shows that around 10k queries were forwarded to the nextdns client and around 1.3k were answered locally from the cache.
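Reading the raw counters every time gets old, so as an added example (not from the article, and not a dnsmasq tool) here is a small POSIX shell/awk function that turns the statistics line dnsmasq writes on USR1 into a cache hit percentage. The syslog prefixes and hostname in the sample are constructed; the counters are the ones quoted above. The function uses the last statistics line it sees, so repeated `pkill -USR1` dumps in the same log are handled correctly.

```shell
#!/bin/sh
# Added example (not from the article): compute the dnsmasq cache hit ratio
# from the "queries forwarded N, queries answered locally M" statistics line.
# Input:  log lines on stdin, e.g. `grep dnsmasq /var/log/messages`
# Output: "<forwarded> <answered-locally> <hit-percent>" for the LAST stats
#         line seen; exit status 1 if no statistics line was present.
cache_stats() {
    awk '
        /queries forwarded [0-9]+, queries answered locally [0-9]+/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "forwarded") fwd = $(i + 1) + 0   # "9519," -> 9519
                if ($i == "locally")   loc = $(i + 1) + 0
            }
            found = 1
        }
        END {
            if (!found) exit 1
            total = fwd + loc
            pct = (total > 0) ? int(loc * 100 / total) : 0
            printf "%d %d %d\n", fwd, loc, pct
        }'
}

# Constructed sample log excerpt (hostname and timestamps assumed). The first
# stats line is an earlier dump; the last one carries the counters from the
# article and is the one that must win.
SAMPLE_LOG='Jan 10 08:00:01 homeserver dnsmasq[3589]: using nameserver 127.0.0.1#53
Jan 10 08:30:00 homeserver dnsmasq[3589]: queries forwarded 4000, queries answered locally 500
Jan 10 09:30:12 homeserver dnsmasq[3589]: cache size 10000, 0/0 cache insertions re-used unexpired cache entries.
Jan 10 09:30:12 homeserver dnsmasq[3589]: queries forwarded 9519, queries answered locally 1220'

# Prints the triple for the constructed sample: 9519 1220 11
demo() {
    printf '%s\n' "$SAMPLE_LOG" | cache_stats
}

# Live use on the server: request a fresh dump, give syslog a moment, parse it.
live() {
    pkill -USR1 dnsmasq
    sleep 1
    grep dnsmasq /var/log/messages | cache_stats
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

A low percentage is not necessarily a problem: short TTLs and a large set of distinct names both keep the forwarded count high. What the number is good for is spotting regressions, for example after changing `cache-size` or when the ratio drops to zero because dnsmasq was restarted and lost its cache.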
Conclusion
At this point, all your home systems are using NextDNS via your home server. Yes, even your coffee maker, so no more ads on that. But what about your smartphone/laptop/tablet when you are not at home?
- You can install the NextDNS app on them (but why would you?)
- You can add the DNS-over-TLS address to them in the network settings. I’m sure you can find a bunch of how-to’s, for Android: https://www.techrepublic.com/article/how-to-enable-dns-over-tls-in-android-pie/
So now your queries are encrypted on the internet, and your ads are blocked. (You just gave up a little privacy, as now NextDNS is the one who knows everything 😉 )