We've been working super hard on nextdns.io, a cloud-based private DNS service that gives you full control over what is allowed or blocked on your devices.
Here are a few things you can do with it:
- Block malicious websites, trackers, ads, and more by combining the most popular blocklists out there, all updated in real-time (100+ lists to choose from).
- Set your own privacy requirements: you decide what type of logs are kept (and for how long) depending on the level of analytics you want. Down to absolutely NO logs.
- Automatically use DNS-over-HTTPS on all networks (including cellular) with our apps for Android, iOS, Windows and macOS. They are all tiny, tightly integrated with the OS and have negligible battery usage. (Some of them are still being worked on.)
- Bypass nearly all forms of government/ISP censorship without the need for a slow/costly VPN, and make it way harder for your ISP to know what you are doing on the Internet.
- Get in-depth analytics and real-time query logs so you can measure the efficiency of your blocking strategy, see when the apps on your devices are calling home, etc. And choose what is logged down to absolutely no logs, you decide.
- Easily protect your family (you can create as many configurations as you want on one account, each with different settings, and you can use multiple different configurations while being on the same network).
It also supports all the latest DNS technologies (DNS-over-HTTPS/TLS, Query Name Minimisation, DNSSEC validation, etc.), and it's fast (for most countries, we are or will very soon be as low-latency as Google DNS, Cloudflare and the like).
There are tons of other cool things we built into that service (like the fact that each configuration gets its own DoH/DoT endpoint and IPv6) but this post is already way too long :)
You can create your first configuration and test it right away without signing up (you can sign up later and "save" it).
We would really appreciate it if you could try the service, tell us what you like, what you don't like, what you would add, etc. We will happily answer all questions (even the technical ones).
It's free during beta, then freemium with low pricing tiers (something like free up to 500,000 DNS queries a month, then $0.99/month). We will tweak later based on actual costs at scale, but it will follow this logic.
I love this model. Get people in for free, let them discover how fabulous it is, then by the time they need a pro-grade thing they're happy to throw money at you.
I tried using it. I'm in India, and while Cloudflare and Google DNS consistently resolve in 60-70ms, nextdns takes between 400-700ms for the first resolution and consistently 250ms for the same query repeated (I presume it caches the results?)
Should I assume you've gotten a huge spike in traffic because of this HN post? If yes, I don't mind trying again in a few days, but unless things improve, I wouldn't be able to use it despite loving it in concept (the UI of your implementation is great too). I don't want to discourage you folks, since you've done a great job with the rest of it.
India is difficult. I run our anycast network and we have coverage in India but I look forward to improved routing there in the future with additional transit providers.
Great idea for service, but it has to be lightning fast to be in the middle of thousands of requests a minute as someone is surfing the web without making the web feel sluggish.
In NYC on the largest metro ISP. Earlier in the day, was getting 25-43 msec to the typical major DNS providers (1.1.1.1, 4.4.4.4, 8.8.8.8, 9.9.9.9, as well as AdGuard), and usually 71 - 73 msec to you.
After a while, started getting as slow as 280 msec to you.
Last hour or so, mostly just getting timeouts to you, making the web, as well as apps, unusable.
Had to revert.
AdGuard DNS:
dig @176.103.130.130 news.ycombinator.com
; <<>> DiG 9.10.6 <<>> @176.103.130.130 news.ycombinator.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6879
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;news.ycombinator.com. IN A
;; ANSWER SECTION:
news.ycombinator.com. 56 IN A 209.216.230.240
;; Query time: 29 msec
;; SERVER: 176.103.130.130#53(176.103.130.130)
;; WHEN: Sun May 26 15:32:11 EDT 2019
;; MSG SIZE rcvd: 85
nextdns.io:
dig @5.182.208.100 news.ycombinator.com
; <<>> DiG 9.10.6 <<>> @5.182.208.100 news.ycombinator.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14810
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;news.ycombinator.com. IN A
;; ANSWER SECTION:
news.ycombinator.com. 0 IN A 209.216.230.240
;; Query time: 282 msec
;; SERVER: 5.182.208.100#53(5.182.208.100)
;; WHEN: Sun May 26 15:32:17 EDT 2019
;; MSG SIZE rcvd: 85
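Added example, not part of the comment above: a small parser for concatenated `dig` runs like the two shown, so a resolver comparison can use a median over many runs and count runs that got no response instead of relying on one sample per server. The input is constructed from the values quoted above plus one constructed timeout run; `parse_dig` and `summarize` are names made up for this example.

```python
import re
from statistics import median

# Constructed input: the two transcripts above, trimmed, plus one constructed timeout.
SAMPLE = """\
; <<>> DiG 9.10.6 <<>> @176.103.130.130 news.ycombinator.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6879
news.ycombinator.com. 56 IN A 209.216.230.240
;; Query time: 29 msec
; <<>> DiG 9.10.6 <<>> @5.182.208.100 news.ycombinator.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14810
news.ycombinator.com. 0 IN A 209.216.230.240
;; Query time: 282 msec
; <<>> DiG 9.10.6 <<>> @5.182.208.100 news.ycombinator.com
;; connection timed out; no servers could be reached
"""

BANNER = re.compile(r"^; <<>> DiG .* @(\S+)", re.M)
STATUS = re.compile(r"->>HEADER<<-.*status: (\w+)")
QTIME = re.compile(r"^;; Query time: (\d+) msec", re.M)
ANSWER = re.compile(r"^[^;\s]\S*[ \t]+(\d+)[ \t]+IN[ \t]+\S+[ \t]+\S+", re.M)

def parse_dig(text):
    """Return one record per dig run found in concatenated output."""
    runs = []
    for chunk in re.split(r"(?m)^(?=; <<>> DiG )", text):
        banner = BANNER.search(chunk)
        if not banner:
            continue  # text before the first banner
        status, qtime = STATUS.search(chunk), QTIME.search(chunk)
        runs.append({"server": banner.group(1),
                     "status": status.group(1) if status else "NO_RESPONSE",
                     "ms": int(qtime.group(1)) if qtime else None,
                     "ttls": [int(t) for t in ANSWER.findall(chunk)]})
    return runs

def summarize(runs):
    """Per server: median ms of answered runs, lowest TTL seen, failed runs."""
    out = {}
    for r in runs:
        s = out.setdefault(r["server"], {"ms": [], "ttls": [], "failed": 0})
        if r["status"] == "NOERROR" and r["ms"] is not None:
            s["ms"].append(r["ms"])
            s["ttls"].extend(r["ttls"])
        else:
            s["failed"] += 1
    return {k: {"median_ms": median(v["ms"]) if v["ms"] else None,
                "min_ttl": min(v["ttls"], default=None),
                "failed": v["failed"]} for k, v in out.items()}
```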
This looks really cool. I'm nervous about entrusting someone with stuff as sensitive as DNS. If this is all it appears to be, I may be a paying customer (tho I try to only use/pay for free-as-in-speech software).
>I try to only use/pay for free-as-in-speech software
I would like to see more software adopt this model. Can you give a few examples of things you support? Are they all pay-for-hosting services, or are there cases where the software itself is for sale?
What does "free-as-in-speech" mean in the context of software?
A strict interpretation would suggest something along the lines of "we don't censor what the customers of our software do with it", which is true for almost all software (aside from social media platforms). I don't see how this would apply here, since this software isn't being used for the creation of anything.
A looser interpretation would suggest that, if the software is used to access content (eg. web browser) then, aside from technical limitations, it doesn't censor content that it could otherwise display. I can see how this might apply to a DNS.
I don't see, however, how "free-as-in-speech" has any reference to open or closed source. (Not sure if that was what was meant.)
"free-as-in-speech" is usually intended to contrast with "free-as-in-beer", thereby disambiguating the word "free" in English. Some software is "free-as-in-speech", which means you aren't limited with what you can do with it or its code -- "free" means that the user has certain rights. I think Stallman introduced this way of talking about software; people sometimes use "libre" instead. https://ssd.eff.org/en/glossary/open-source-software
Yes, this is exactly what I meant with my usage of the word. free-as-in-speech (where you can easily recreate the speech yourself) versus free-as-in-beer (where you can't easily recreate the beer since it is closed source) (at least this is always how I have interpreted the meaning personally).
The most recent example would be FileBot which I bought a subscription for mostly because it is high quality and is free software (as-in-speech). I would have used less functional free (as in speech and beer) alternatives had the filebot source not been available to me.
While I now understand "free-as-in-speech" is meant to refer to "free in the sense of Stallman's ideology", I still don't think the following makes any sense:
> free-as-in-speech (where you can easily recreate the speech yourself)
Freedom of speech has nothing to do with recreating the speech. The term "free speech" means "no censorship".
The connection, as I now understand it based on other comments here, is that "free speech" refers to a freedom relating to people's rights as opposed to "free beer", which refers to cost. In that sense I can understand the connection to free software in the sense that Stallman advocates for.
That's an interesting one. I had heard of filebot but don't have any personal use case for it. The license probably qualifies as libre but definitely isn't GPL compatible, for the record: https://github.com/filebot/filebot/blob/master/LICENSE.md
Edit: Actually, it's worth noting that the statement in the README arguably makes filebot non-free. "You may NOT use the source code to publish binary builds without explicit authorization." If that's actually supposed to be enforced by the terms of the license, filebot is definitely not libre software.
On the other hand, it's not clear at all whether this is prohibited by the license. It prohibits "Publishing binaries or competing clones that undermine the ability of the original author to make money from his work." I don't see why publishing a binary for free on a new platform would undermine this in most cases, given that the author already publishes free binaries for most platforms on the official website.
Yeah that's a good point regarding publishing binaries. I would guess that he wants to keep tight quality control (since in the past there were crap binaries being passed around). But yes I don't consider it GPL compatible, but it (was, see below) close enough for me ¯\_(ツ)_/¯ (I try not to let perfect be the enemy of good).
That said I just tried to build it for the first time (wanted to make a small improvement) and there are no documented build steps and a standard ant build doesn't work. There are open github issues where the author is very dismissive and just says basically "code not supported, just for educational purposes."
I poked at it for about 15 minutes but I've never used ant before and couldn't get the build working. That really saddens me. Unless things improve I won't be renewing my subscription. I'm pretty disappointed to say the least.
By default mtr will do reverse DNS lookups on all hops. Several of the traces I ran showed the route to nextdns's /24 transiting over NTT and from the DNS name you can figure out where each router is.
We recorded a short GIF of us browsing through the interface: https://gfycat.com/LinedVerifiableBellfrog
Cheers, and thanks!