nextdns VS Unbound

You may try something like Blokada (https://blokada.org) or NextDNS (https://nextdns.io/)

PiHole will do this for your entire network. There's also NextDNS if you'd rather use a cloud service (easier setup). Once you start using a network wide DNS blocker you'll never want to go back.

nextdns.io became top root domain after I installed nextDNS app on iPhone and MAC and wondering if this is known. Before when I only was using NextDNS cli on router I didn't have this issue

DNS blocking, if you aren’t technically astute try NextDNS

I use nextdns.

You can also install NextDNS on your router (if supported), which will let your router cache the requests, which may improve latency : https://github.com/nextdns/nextdns/wiki

I have setup NextDNS on my computer and I can recommend you to try it. It should filter a lot of microsoft trackers and you can try it and see in log on my.nextdns.io.

Hey, try a DNS alternative like NextDNS which allows you to block ads. Just go to https://nextdns.io and you can find steps there

Depending on what you're trying to accomplish, you can also load the blocklists directly onto your hosts. For example, hblock (https://github.com/hectorm/hblock) has a few scripts to format its blocklist for your platform. The StevenBlack list's github page has instructions for adding to a range of platforms and links to several hosts/blocklist managers (https://github.com/StevenBlack/hosts). You can also point your router at an adblocking public DNS such as https://adguard-dns.com/en/public-dns.html (free) or https://nextdns.io/ (might cost). Lastly, depending on what router you run, you could load the host lists directly onto the router.

The next logical step in this chain usually looks something like "OK, so my queries and their responses are secure, but why do I trust [my ISP/this third party/this faceless megacorporation] exactly?", and...honetly, you shouldn't. One or two more questions and the next thing you know you're running your own full recursive resolver stack.

I wasn't personally particularly happy with any one provider's offering, and didn't want to needlessly include a third party, so I stood up my own APDNS proxy with an iterating nameserver behind it.

I have nextdns CLI installed on OPNSense but I'm looking for a plugin for OPNsense since I have zero visibility with the CLI Anyone know if this is coming soon or in the works? this page says "coming soon": https://github.com/nextdns/nextdns/wiki and this says that nextdns doesn't work with with unbound: https://github.com/NLnetLabs/unbound/issues/132

The HTTPS query type is not to be confused with the protocol of the same name. The handling of this query type was only implemented recently in unbound and hasn't been introduced in a major release yet. These queries are basically blocked by unbound not knowing what to do with them. This should not have any negative consequences, though, as the HTTPS query type itself is not standardized yet and is only specified in a draft so far. Domains will continue to be resolved via A or AAAA resource records.

Does it actually support upstream DoH? I can't find any documentation on it, this pull request is still open. From what I can tell they only added support for Unbound to accept downstream DoH requests when acting as a server.

unbound support DoH to the client (they call it downstream), but it doesn't support DoH to the DNS provider (which at least someone else call upstream)

Noteworthy here is that unbound currently doesn't handle these new query types, but implementation is ongoing.

not really true. https://github.com/NLnetLabs/unbound/issues/411

opn sense stil uses unbound 1.13.1 and unbound has a bug that causes it to crash that is investigated and it affects not limited to pfsense. https://github.com/NLnetLabs/unbound/issues/411