NextDNS is new Firefox DNS-over-HTTPS partner

oldschool

Mozilla announced yesterday that NextDNS has been added to the list of official partners for Firefox's DNS-over-HTTPS feature. NextDNS is a new DNS provider that launched in March 2019 that is "a fully customizable, modern, and secure DNS provider" according to Mozilla.
The service is listed as beta currently on the NextDNS website and is completely free during the beta period. NextDNS offers options to enable filtering lists to block known malicious sites, trackers, and other unwanted requests.
The company plans to introduce a paid option after the beta period ends for $1.99 per month for unlimited DNS queries. Free customers are limited to 300,000 DNS queries per month. It is unclear what is going to happen when the limit is reached.

 

Kubla

I have been testing NextDNS for about three weeks. You can blacklist and whitelist sites, and there are also built-in lists you can select.

Right now I have these three set to be blocked, and there is a lot more to choose from:


Security
Contains the worst of the worst. Sites that are known to distribute malware, launch phishing attacks or botnet command-and-control servers used to communicate with already infected machines.
Ads & Trackers
Includes the most comprehensive ads and trackers blocking lists out there. Also blocks third-party trackers disguising as first-party trackers.
State Surveillance
Block domains that are known to be involved in spying.

It keeps track of your queries, which you can view under Analytics.

So far I have 288,818 queries and 36,607 of them got blocked:

Security 1
Ads & Trackers 34,095
CNAME Cloaking Blocklist 2,512

It also shows you who you are connecting to and how many times. I put this DNS on my router, so it shows what devices have been making queries as well.

This is a great tool that gives you more control and a lot more information on your internet usage, and it is pretty fast when I tested it using the DNS Benchmark.
 

SeriousHoax

This is my record for the last 3 months. But this is for my Android smartphone only, it would be a lot more if I used it on my PC as well. I use a lot of filter lists so it covers almost everything that can be blocked by DNS. It's amazing 👌
 

notabot

This is my record for the last 3 months. But this is for my Android smartphone only, it would be a lot more if I used it on my PC as well. I use a lot of filter lists so it covers almost everything that can be blocked by DNS. It's amazing 👌

Thanks for sharing your experience. Would it be possible to show the types of content it lets you filter? Also, how effective is the mapping between content type in config vs. actual content type? Does it match a spade to a spade, or do spades get mapped as animals occasionally?
 

Kubla

Thanks for sharing your experience. Would it be possible to show the types of content it lets you filter? Also, how effective is the mapping between content type in config vs. actual content type? Does it match a spade to a spade, or do spades get mapped as animals occasionally?

Here is the built in list:
  • Security
    Contains the worst of the worst. Sites that are known to distribute malware, launch phishing attacks or botnet command-and-control servers used to communicate with already infected machines.

  • Ads & Trackers
    Includes the most comprehensive ads and trackers blocking lists out there. Also blocks third-party trackers disguising as first-party trackers.

  • Cryptomining
    Blocks all cryptomining services that mine cryptocurrency in your browser (most often without your consent).

  • Fake News & Clickbait
    Sites that intentionally, but not necessarily exclusively, publish hoaxes and disinformation for purposes other than satire.

  • Safe Search
    Filter out explicit results from major search engines and content platforms like YouTube.

  • Porn
    Blocks all sexually explicit content. Handy on kid-friendly networks and those morally opposed to pornography.

  • Social Networks
    Blocks all social networking sites.

  • Gambling
    Blocks all gambling sites.

  • State Surveillance
    Block domains that are known to be involved in spying.

  • VPNs & Proxies
    Blocks VPNs and proxies that could be used to circumvent DNS-level blocking or other network-level rules.

  • P2P
    Blocks bittorrent websites, trackers and other related domains.

  • Piracy
    Blocks all piracy-related websites, including illegal streaming websites. This also includes piracy-oriented torrent websites (thepiratebay.org) and streaming hosts (openload.co).

  • Gaming
    Blocks all games on Windows, iOS, Android and all other platforms. Does not block gaming-related websites.
You can also restrict access to these specific websites, apps and games:

  • Facebook
  • WhatsApp
  • Instagram
  • Twitter
  • Snapchat
  • Messenger
  • Twitch
  • Discord
  • Pinterest
  • Netflix
  • Hulu
  • YouTube
  • Spotify
  • Fortnite
  • Steam
  • reddit
  • Tumblr
  • TikTok
  • Vimeo
  • Dailymotion
  • Tinder
  • Imgur
  • 9GAG
  • Amazon
  • eBay
  • Minecraft
  • League of Legends

Plus add your own block lists.
 

oldschool

I tried NextDNS based on this (NextDNS added CNAME Uncloaking support, becomes the first cross-platform solution to the problem) and this: https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a.
I found it broke some websites and had some other trouble. The free beta version will most likely be a fairly short trial if you use it on desktop.

According to the two articles, their approach is or will prove superior to ad-blocking extensions, presumably even the Firefox API available to µBO and others. Maybe only time will tell which strategy or platform is best for dealing with CNAME cloaking.
 
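The CNAME-chain check the two linked articles describe, as an added example that is not NextDNS's code and not part of the post above: a resolver-side blocklist that only inspects the queried name, beside one that follows the CNAME chain before deciding. The domains, records and blocklist are constructed for illustration; the suffix-match rule and the loop guard are my assumptions about how such a filter is built, not a description of NextDNS's implementation.

```python
"""CNAME uncloaking over a constructed set of DNS records.

Shows why a blocklist that only looks at the queried name misses a
tracker hidden behind a first-party CNAME, and how following the chain
on the resolver catches it. Everything here is constructed sample data.
"""
from __future__ import annotations

# Constructed zone data: name -> (rtype, target). A real resolver would
# fetch these from authoritative servers; here they are fixed so the
# example runs offline.
RECORDS = {
    "www.shop.example": ("A", "203.0.113.10"),
    # First-party-looking hostname that is really a CNAME into a tracker.
    "metrics.shop.example": ("CNAME", "shop.collector.tracker.example"),
    "shop.collector.tracker.example": ("CNAME", "edge.tracker.example"),
    "edge.tracker.example": ("A", "198.51.100.7"),
    # A CNAME loop, to exercise the guard.
    "loop.example": ("CNAME", "loop2.example"),
    "loop2.example": ("CNAME", "loop.example"),
}

# Constructed blocklist. Assumption: entries match the name and all of
# its subdomains, like a hosts-style list extended to subdomains.
BLOCKLIST = {"tracker.example"}

MAX_CHAIN = 8  # upper bound on CNAME hops we are willing to follow


def is_listed(name: str, blocklist: set[str] = BLOCKLIST) -> bool:
    """True if name or any parent domain of it is on the blocklist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve_chain(name: str, records: dict = RECORDS) -> list[str]:
    """Follow CNAMEs from name; return every name visited, query first.

    Raises ValueError on a loop or an over-long chain instead of spinning.
    """
    chain = [name]
    cur = name
    for _ in range(MAX_CHAIN):
        rec = records.get(cur)
        if rec is None or rec[0] != "CNAME":
            return chain  # terminal record (A, or unknown name)
        cur = rec[1]
        if cur in chain:
            raise ValueError(f"CNAME loop at {cur}")
        chain.append(cur)
    raise ValueError(f"CNAME chain longer than {MAX_CHAIN} hops")


def naive_decision(name: str) -> str:
    """Blocklist check on the queried name only: what CNAME cloaking defeats."""
    return "BLOCK" if is_listed(name) else "ALLOW"


def uncloaking_decision(name: str, records: dict = RECORDS) -> tuple[str, str | None]:
    """Blocklist check on every name in the CNAME chain.

    Returns the decision and the name that triggered the block, if any.
    """
    for hop in resolve_chain(name, records):
        if is_listed(hop):
            return "BLOCK", hop
    return "ALLOW", None


if __name__ == "__main__":
    for q in ("www.shop.example", "metrics.shop.example", "edge.tracker.example"):
        print(q, "naive:", naive_decision(q), "uncloaked:", uncloaking_decision(q))
```

The queried name `metrics.shop.example` is allowed by the naive check and blocked once the chain is followed, which is the whole point of doing this on the resolver: a browser extension that only sees the hostname in the URL never sees the CNAME target. The loop guard matters in practice because a resolver that follows CNAMEs blindly can be made to chase a cycle.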

SeriousHoax

Thanks for sharing your experience. Would it be possible to show the types of content it lets you filter? Also, how effective is the mapping between content type in config vs. actual content type? Does it match a spade to a spade, or do spades get mapped as animals occasionally?
It's host based blocking so it has its limitation. It lets you choose among many filter lists provider. You can visit their site and trial it without creating an account, that should help you understand it better.
 

HarborFront

I'm not so sure of this DoH/DoT thing. IMO, I'll choose a dedicated VPN instead and let the provider handle the DNS queries through its dedicated metal servers. A few VPN providers do come with good content filters, e.g. Perfect Privacy, NordVPN etc. And malicious scripts, phishing sites, browser fingerprinting and other browser privacy-associated issues still need to be addressed by the user, either through third-party software or the use of extensions.
 

oldschool

Do you know if there's any website to confirm if AdGuard DoH is enabled? I know Cloudflare has one.

The AdGuard DNS setup page (How to set up AdGuard DNS) will show you if you're using its DNS and the configuration type, but won't specify DoH. If you enable it in your OS and you have the appropriate flag enabled in Chromium, you can be sure it's working at the AdGuard page. For use in FF (without enabling it in the OS) the test will be accurate as well, though again it won't indicate DoH.
 

SeriousHoax

@Azure For Firefox, after setting your desired DoH provider, in about:config change "network.trr.mode" to 3 and set "network.trr.bootstrapAddress" to the IPv4 address of your DoH provider. This would ensure that, no matter what, Firefox is always using DoH.

network.trr.mode modes explained:
  • 0 - Off (default). Use standard native resolving only (don't use TRR at all).
  • 1 - Reserved (used to be Race mode).
  • 2 - First. Use TRR first, and only if the name resolve fails use the native resolver as a fallback.
  • 3 - Only. Only use TRR. Never use the native resolver (this mode also requires the bootstrapAddress pref to be set).
  • 4 - Reserved (used to be Shadow mode).
  • 5 - Off by choice. This is the same as 0 but marks it as done by choice and not done by default.
*TRR = Trusted Recursive Resolver
 
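A check for the Firefox setup described in the post above, as an added example that is not Mozilla's code and not part of the post: it parses `user_pref(...)` lines from a profile's user.js, explains the `network.trr.mode` value using the mode table above, and flags the combinations that silently leave the native resolver in play (mode 2's fallback, mode 3 without a bootstrap address). The sample user.js contents and the DoH URL in them are constructed for illustration; `network.trr.uri` is the real pref that holds the DoH endpoint, but the hostname used here is a placeholder.

```python
"""Audit a Firefox user.js for a DoH-only (TRR mode 3) configuration.

Added example, not Mozilla's code. The mode descriptions follow the
network.trr.mode table from the post; the sample profiles are constructed.
"""
from __future__ import annotations

import ipaddress
import re

# network.trr.mode values as listed in the post above.
TRR_MODES = {
    0: "Off (default): native resolver only",
    1: "Reserved (used to be Race mode)",
    2: "First: TRR first, native resolver as fallback on failure",
    3: "Only: TRR only, never native (needs network.trr.bootstrapAddress)",
    4: "Reserved (used to be Shadow mode)",
    5: "Off by choice",
}

# Matches one pref line: user_pref("name", value);  value is a quoted
# string, true/false, or an integer.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_user_js(text: str) -> dict:
    """Return {pref name: typed value} for every user_pref line in text."""
    prefs: dict = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs


def describe_mode(mode: int) -> str:
    return TRR_MODES.get(mode, f"unknown mode {mode!r}")


def check_trr(prefs: dict) -> list[str]:
    """Return a list of findings; an empty list means DoH-only looks correct."""
    findings: list[str] = []
    mode = prefs.get("network.trr.mode", 0)  # Firefox default is 0
    if mode not in TRR_MODES:
        return [f"network.trr.mode {mode!r} is not a known value"]
    if mode in (0, 5):
        findings.append(f"mode {mode}: TRR is off, every lookup uses the native resolver")
    if mode in (1, 4):
        findings.append(f"mode {mode} is reserved and does not enable DoH")
    if mode == 2:
        findings.append("mode 2 falls back to the native resolver when TRR fails, so DoH is not guaranteed")
    if mode in (2, 3):
        uri = prefs.get("network.trr.uri", "")
        if not isinstance(uri, str) or not uri.startswith("https://"):
            findings.append("network.trr.uri is missing or is not an https:// URL")
    if mode == 3:
        addr = prefs.get("network.trr.bootstrapAddress", "")
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append(
                "mode 3 needs network.trr.bootstrapAddress set to the resolver's IP; "
                "without it Firefox has no way to resolve the DoH hostname itself"
            )
    return findings


# Constructed sample profiles (doh.example is a placeholder, not a real resolver).
STRICT_USER_JS = """\
// constructed sample, not a real profile
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://doh.example/dns-query");
user_pref("network.trr.bootstrapAddress", "192.0.2.53");
"""

WEAK_USER_JS = """\
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example/dns-query");
"""

if __name__ == "__main__":
    for label, text in (("strict", STRICT_USER_JS), ("weak", WEAK_USER_JS)):
        prefs = parse_user_js(text)
        print(label, describe_mode(prefs.get("network.trr.mode", 0)), check_trr(prefs))
```

Run it against your own profile's user.js or prefs.js to confirm the three prefs line up; the mode 3 plus bootstrap address combination is what makes a "DoH or nothing" setup, and it is also why a broken DoH endpoint in mode 3 shows up as total name-resolution failure rather than a quiet fall back to plain DNS.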
