by tmslnz 1746 days ago
I found NextDNS to be relatively convenient and easy to set up even for a lay audience. Definitely easier than a PiHole or a custom `dnsmasq` setup, and it offers mobile configuration client apps.

What I do not know is if it will also work when apps begin using DNS over HTTPS… I suppose not?

4 comments

NextDNS offers a DoH endpoint and is a selectable TRR in Firefox. Unfortunately that doesn't help with apps doing DoH to bypass DNS blocking. The current state of the Internet / computing is a bit problematic, but there are ways forward.

What I do and recommend everyone to do is:

1. Run an edge network device using network access controls and filter which devices on your network get outbound network access (in my case just the gateway device). Block all inbound traffic except what you choose to pinhole, block all outbound traffic except ports you choose to add to the allow list.

2. On every client device run a local application firewall (I like Vallum and Little Snitch on macOS as examples) and filter applications by domain + port on outbound requests, block all inbound requests.

3. On every client device force it through a VPN to a gateway device internal to your network to get internet access, anything that falls off the VPN is then blocked from the internet. The gateway device can forcibly route traffic and perform additional filtering.

4. On every client device, configure it to use an internal DNS on your network with a fallback to a trustworthy external provider, have the internal DNS use a trustworthy external provider over DoH. Block outbound DNS at the edge device (blocks all non-encrypted lookups).

It's kind of a pain, and a mess, but it does greatly restrict the damage that rogue IoT / Smart devices can do.
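Steps 1 and 4 above, as an added example that is not the commenter's own configuration: a POSIX shell function that emits an nftables ruleset for the edge device with a default-deny forward chain, a port allow list, plain DNS permitted only from the internal resolver (which itself reaches its upstream over DoH on 443), and everything else logged and dropped. The interface names, the 192.0.2.x addresses, the SSH pinhole and the "EDGE:" log prefixes are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an nftables ruleset for the edge
# device; review it, then load it with "nft -c -f" (check only) before "nft -f".
LAN_IF="${LAN_IF:-lan0}"                  # assumed LAN-side interface name
WAN_IF="${WAN_IF:-wan0}"                  # assumed WAN-side interface name
RESOLVER="${RESOLVER:-192.0.2.53}"        # internal DNS that forwards over DoH (constructed)
GATEWAY_CLIENTS="${GATEWAY_CLIENTS:-192.0.2.2, 192.0.2.3}"  # hosts allowed direct egress
EGRESS_PORTS="${EGRESS_PORTS:-80, 443}"   # outbound TCP ports on the allow list

edge_ruleset() {
cat <<EOF
table inet edge {
  set egress_hosts {
    type ipv4_addr
    elements = { $GATEWAY_CLIENTS }
  }
  set egress_ports {
    type inet_service
    elements = { $EGRESS_PORTS }
  }

  chain input {
    # traffic to the edge device itself: nothing unsolicited from the WAN,
    # only an admin pinhole from the LAN
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    iifname "$LAN_IF" tcp dport 22 accept
  }

  chain forward {
    # step 1: default deny in both directions; inbound has no pinholes here
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # step 4: only the internal resolver may speak plain DNS to the outside;
    # any other host hitting port 53 is bypassing DHCP DNS and gets logged
    iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $RESOLVER udp dport 53 accept
    iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $RESOLVER tcp dport 53 accept
    iifname "$LAN_IF" oifname "$WAN_IF" udp dport 53 log prefix "EDGE:dns-bypass " drop
    iifname "$LAN_IF" oifname "$WAN_IF" tcp dport 53 log prefix "EDGE:dns-bypass " drop
    # the resolver's DoH upstream, then the allow-listed hosts and ports
    iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $RESOLVER tcp dport 443 accept
    iifname "$LAN_IF" oifname "$WAN_IF" ip saddr @egress_hosts tcp dport @egress_ports accept
    # everything else is denied and labelled so it shows up in the kernel log
    iifname "$LAN_IF" oifname "$WAN_IF" log prefix "EDGE:egress-denied " drop
  }
}
EOF
}

# usage: edge_ruleset > /etc/nftables.conf && nft -c -f /etc/nftables.conf
```

The two log prefixes are what make the policy auditable: a burst of "EDGE:dns-bypass" lines from one LAN address is a device ignoring the DHCP-assigned resolver, and "EDGE:egress-denied" is the list of ports you have not yet decided to allow.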

Unless they provide a VPN it is only blocking the not-so-bad actors. Everyone else uses hardcoded DNS IPs. If you look at traffic from an Android phone you will get lots of DNS requests to Google DNS no matter if you use NextDNS or not. If you only provide one (primary) DNS IP in Android, 8.8.8.8 (Google DNS) will even be used by default together with your DNS provider. The same is going on in iOS. If they do provide a VPN then it isn't really for a lay audience IMO, but it is the only thing that isn't like pissing in the wind.
iOS has the NextDNS app as a VPN setup. So I guess yes?
I personally use doh_blacklist with around 170 IPs, where I block outgoing traffic for known (publicly and not so) internet-reachable DoH resolvers. There is no problem(*) - everything works perfectly.

  # create the set of known DoH resolver IPs (-exist makes the script re-runnable)
  ipset create -exist blist_doh hash:ip hashsize 1024

  # one address per line; "while read" avoids word-splitting the whole file
  while read -r ip; do ipset add -exist blist_doh "$ip"; done < /etc/bin/blist_doh.txt

  # drop (and label) outgoing traffic to any address in the set
  iptables -A <insert some iptables placement specific to your outgoing/forwarded traffic> -m set --match-set blist_doh dst -m comment --comment 'SPY:all ext DoH BLOCKED' -j DROP

Still, as of 2021, the DoH rule is around 2% of traffic logged compared to my other rule, where I simply block outgoing 53/udp (except my resolver). A LOT of your devices ignore your DHCP DNS settings and try to circumvent it by going directly to shady 8.8.8.8 etc.

(*) You shall check and update it every few months.
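A way to measure what the comment above describes (which devices sidestep the DHCP-assigned resolver, and the DoH rule's share of hits next to the plain port-53 rule), as an added example that is not the commenter's code: it assumes a -j LOG rule with a "SPY:" log prefix sits in front of each DROP rule, and the kernel log lines below are constructed samples using documentation addresses plus 8.8.8.8 from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises iptables LOG lines per LAN
# device: how many plain port-53 hits and how many DoH-blocklist hits each had.

# Constructed sample kernel log lines (LOG target format; hosts and the
# 203.0.113.10 / 198.51.100.5 "resolvers" are invented for the example).
SAMPLE_LOG='Mar  3 10:00:01 gw kernel: SPY:plain53 IN=br0 OUT=eth0 SRC=192.168.1.23 DST=8.8.8.8 PROTO=UDP SPT=40001 DPT=53
Mar  3 10:00:02 gw kernel: SPY:plain53 IN=br0 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.5 PROTO=UDP SPT=40002 DPT=53
Mar  3 10:00:03 gw kernel: SPY:doh IN=br0 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.10 PROTO=TCP SPT=50001 DPT=443
Mar  3 10:00:04 gw kernel: SPY:plain53 IN=br0 OUT=eth0 SRC=192.168.1.40 DST=8.8.8.8 PROTO=UDP SPT=40003 DPT=53
Mar  3 10:00:05 gw kernel: SPY:doh IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 PROTO=TCP SPT=50002 DPT=443
Mar  3 10:00:06 gw kernel: SPY:plain53 IN=br0 OUT=eth0 SRC=192.168.1.7 DST=8.8.8.8 PROTO=TCP SPT=40004 DPT=53'

# bypass_report: reads log lines on stdin, prints "SRC plain53 doh total"
# per device, busiest device first. Rule names come from the SPY:<name> prefix.
bypass_report() {
  awk '
    /kernel: SPY:/ {
      rule = ""; src = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SPY:/) rule = substr($i, 5)
        else if ($i ~ /^SRC=/) src = substr($i, 5)
      }
      if (rule != "" && src != "") {
        hits[src, rule]++; total[src]++; devs[src] = 1
      }
    }
    END {
      for (d in devs)
        printf "%s %d %d %d\n", d, hits[d, "plain53"] + 0, hits[d, "doh"] + 0, total[d]
    }' | sort -k4,4nr -k1,1
}

# doh_share_percent: the DoH rule'"'"'s share of all logged hits, one decimal
# (the figure the comment above quotes as "around 2%" for its own network).
doh_share_percent() {
  bypass_report | awk '{ doh += $3; all += $4 }
                       END { printf "%.1f\n", (all ? 100 * doh / all : 0) }'
}

# usage on a live box: journalctl -k | bypass_report
# on the constructed sample: printf "%s\n" "$SAMPLE_LOG" | bypass_report
```

Devices that appear in the plain53 column but never in doh are the ones that simply hardcode 8.8.8.8 and are fully contained by the port-53 rule; a device that keeps appearing in the doh column after you update the list is the one worth looking at next.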

I have been using NextDNS for a couple of days, but since I don't have a static IP, it's obviously not so convenient; I have to reset my IP every time it changes. But otherwise, absolutely great, awesome statistics about blocked/requested domains, countries, etc.
They have ways to automatically detect your IP so you don't have to update it manually.