Ask HN: Which DNS based ad blocker do you suggest?
5 points by v7engine on Feb 16, 2023 | 8 comments
I use NextDNS, and I am wondering if there are any better ad blockers that also protect privacy and are preferred by the HN community.


I'm happy with blocky. I was using pihole before it, but blocky gives me DoH out of the box (without a second service/container for it). It also can bootstrap itself (download blocking rules) via DoH. Thanks to it, my DHCP broadcasts my blocky instance(s) as 'standard' UDP DNS servers for everything at home, but all the DNS traffic going outside my gateway is on DoH.

The next thing on my list is to craft my own set of blocking rules. Currently I'm using the set from a friend, who was using blocky before me.
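As an added illustration of what a home-crafted rule set has to handle (this is example code, not blocky's or Pi-hole's own matching logic): it parses hosts-format and bare-domain list lines, strips comments and the usual localhost entries, and decides a query by matching the name and each parent domain, with an allowlist taking precedence. The sample lists are constructed for the example, and the parent-domain matching is an assumption of this example rather than a description of how any particular blocker matches.

```python
"""Minimal DNS blocklist matcher for hosts-style rule files (example code)."""
from __future__ import annotations

# Constructed sample blocklist: hosts-format lines and bare domains,
# as a downloaded list might look. Not taken from any real list.
SAMPLE_BLOCKLIST = """\
# comment line
127.0.0.1 localhost
0.0.0.0 ads.example.com
127.0.0.1 tracker.example.net   # trailing comment
telemetry.example.org
"""

# Constructed allowlist: entries here win over the blocklist.
SAMPLE_ALLOWLIST = """\
cdn.tracker.example.net
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def normalize(name: str) -> str:
    """Lower-case a name and strip the trailing dot a resolver may add."""
    return name.strip().rstrip(".").lower()


def parse_list(text: str) -> set[str]:
    """Parse hosts-format ("<ip> <name>") or bare-domain lines into a set."""
    domains: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        name = normalize(fields[1] if len(fields) >= 2 else fields[0])
        if name in LOCAL_NAMES:
            continue  # typical hosts-file entries, not ad/tracker domains
        domains.add(name)
    return domains


def candidates(name: str) -> list[str]:
    """Return the name and every parent domain: a.b.c -> [a.b.c, b.c, c]."""
    labels = normalize(name).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def is_blocked(name: str, blocklist: set[str], allowlist: set[str]) -> bool:
    """Blocked if the name or a parent is listed, unless an allowlist entry matches."""
    cands = candidates(name)
    if any(c in allowlist for c in cands):
        return False
    return any(c in blocklist for c in cands)
```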


I don't know enough about it: is DoH better/different from using DNSSEC upstream servers in Pi-hole?


DNSSEC only makes you sure that the DNS response is 'correct' and 'legit', like 'no one has poisoned it during the transfer'. But the traffic is still unencrypted, so someone (like your ISP) can see what names you're trying to resolve and when. This can be a base for some profiling or even making opinions, like 'this guy goes to porn sites every evening' or 'this person likes to browse amazon, maybe they're addicted to online shopping'. Of course I exaggerate a lot here, but it's possible.

With DoH, or DNS-over-HTTPS, your DNS requests are traveling through the network encrypted. The first advantage is: a man in the middle can't see what domain names you are trying to resolve. The second: they don't even know if the traffic they see right now is actually resolving a domain, or just browsing a website.

So DoH is a lot more private than DNSSEC. But it's fair to say it's a lot slower than standard DNS traffic (although it's not a difference a human can actually notice in most cases).


Yes, for many reasons, the most important two being that DNSSEC doesn't encrypt traffic, and that DoH works even on the (vast, overwhelming majority of) zones that haven't and won't ever be signed with DNSSEC.


I went from Pi-Hole to NextDNS to (now) AdGuard (alongside AdGuard DNS and their VPN).


I recently went from Pi-Hole to NextDNS. What made you move to AdGuard?


I don't recollect the exact reasons, but here is the likely turn of events. One of the macOS major updates (the one where Private Relay was introduced) killed NextDNS. I waited pretty long for them to get it fixed, but NextDNS never did and they were hard to reach. I started looking for alternatives. I had already bought an AdGuard lifetime license for the family, and was offered or stumbled on AdGuard DNS (beta). It just happened to work and I stayed with it. Then I bought AdGuard VPN, which bundles AdGuard DNS Pro/Premium.

I'm looking at AdGuard Home and will hopefully tinker with it, but the above setup is good for now.


NextDNS is the best I've found for my use cases[1].

1. Stuff like:

- Decent filtering, blocking, and logging.

- Remote/mobile use when away from home and

- Low latency servers using AnyCast and solid connections.

- Cheap/affordable.
