Ask HN: Which DNS based ad blocker do you suggest?

5 pointsv7engine3y ago8 comments

I use nextDNS, and I am wondering if there are any better adblockers that also protect privacy which is preferred by the HN community.

8 comments

8 comments · 3 top-level

eftepede3y ago· 3 in thread

I'm happy with blocky. I was using pihole before it, but blocky gives me DoH out of the box (without a second service/container for it). It also can bootstrap itself (download blocking rules) via DoH. Thanks to it, my DHCP broadcasts my blocky instance(s) as 'standard' UDP DNS servers for everything at home, but all the DNS traffic going outside my gateway is on DoH.

The next thing on my list is to craft my own set of blocking rules. Currently I'm using the set from a friend, who was using blocky before me.

duffyjp3y ago

I don't know enough about it, is DoH better/different from using DNSSEC upstream servers in Pi-hole?

eftepede3y ago

DNSSEC only makes you sure that the DNS response is 'correct' and 'legit', like 'no one has poisoned it during the transfer'. But the traffic is still unencrypted, so someone (like your ISP) can see what names you're trying to resolve and when. This can be a base for some profiling or even making opinions, like 'this guy goes to porn sites every evening' or 'this person likes to browse amazon, maybe they're addicted to online shopping'. Of course I exaggerate a lot here, but it's possible.

With DoH, or DNS-over-HTTPS, your DNS requests are traveling through the network encrypted. The first advantage is: man in the middle can't see what domain names are you trying to resolve. The second: they don't even know if the traffic they see right now is actually resolving a domain, or just browsing a website.

So DoH is a lot more private than DNSSEC. But it's fair to say it's a lot slower than standard DNS taffic (although it's not the difference a human can actually notice in most cases).

tptacek3y ago

Yes, for many reasons, the most important two being that DNSSEC doesn't encrypt traffic, and that DoH works even on the (vast, overwhelming majority of) zones that haven't and won't ever be signed with DNSSEC.

Brajeshwar3y ago· 2 in thread

I went from Pi-Hole to NextDNS to (now) AdGuard (alongside AdGuard DNS and their VPN).

maxbaines3y ago

I recently went from Pi-Hole to NextDNS - What made you move to AdGuard?

Brajeshwar3y ago

I don't recollect the exact reasons but here is the likely turn of events. In one of the macOS Major update (the one where Private Relay was introduced), it killed NextDNS. I waited pretty long enough for them to get fixed but NextDNS never did and there were hard to reach. I started looking for alternatives. I had already bought AdGuard Lifetime license for the family, and was offered or stumbled on AdGuard DNS (beta). It just happen to work and I stayed with it. Then I bought AdGuard VPN that bundles AdGuard DNS Pro/Premium.

I'm looking at AdGuard home and will hopefully tinker with it but the above setup is good for now.

runjake3y ago

NextDNS is the best I've found for my use cases[1].

1. Stuff like:

- Decent filtering, blocking, and logging.

- Remote/mobile use when away from home and

- Low latency servers using AnyCast and solid connections.

- Cheap/affordable.

j / k navigate · click thread line to collapse