nextdns VS Unbound

uBlock Origin still works in Firefox. https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...

And you can, I believe, still just modify your hosts table to block out ads in Chrome. https://github.com/StevenBlack/hosts

Or your router's DNS using something like NextDNS. https://nextdns.io/

Ads suck. Support content where you can, but even when you pay they still serve ads / tracking scripts. So fuck 'em. Block all the ads.

I've used NextDNS for years to keep our home internet safe for the kids and it works really well. Fortunately NextDNS offers API access that you can use to automate turning different internet filters on and off. Unfortunately their API docs are horrible.

I think that we'll need to adopt network-level filtering if we want to outsmart the browsers. I haven't looked back since adopting NextDNS and configuring my router to filter all traffic through it. It does a great job of stripping ads out of all my devices connected to it, and that's something I don't mind paying a few bucks for a year (I think it's like $19/year).

Check it out here: https://nextdns.io/

NextDNS is very much alive, although progress is measured and calm¹ as compared to Control D. But it's also been rock-solid for me for years, where Control D seems to be less so².

¹ https://github.com/nextdns/nextdns/releases ² https://www.reddit.com/r/ControlD/comments/1irgehp/178ms_lat...

One of the most values I get out of a SaaS service is NextDNS [0]. There are competitors like ControlD [1] that are also very good. At the end of the day they both check all the boxes for me.

But, the piece that really got me with NextDNS when I started using it was the unlimited number of profiles. This allows me to target any device, no matter where it is (this is fantastic for mobile devices) and keep my filtering lists in place. I selfhost a lot but still find the annual cost of NextDNS more than fair.

[0] https://nextdns.io/

Use NextDNS (https://nextdns.io) on your mobile phone as a Private DNS provider, and switch as many apps as allow it to be web apps, i.e. https://m.uber.com works just fine, and use Firefox on mobile and enabled about:config as it's at chrome://geckoview/content/config.xhtml , from there switch beacon.enabled to false.

Far less requires an actual app than most people imagine. It's the apps that leak so much.

- Pi-Hole can run on a Linux box, in a Docker container, and on a Synology. You don't need a Raspberry Pi to run it.

- Look at https://nextdns.io as an alternative.

- I use uBlock Origin and NextDNS at home.

" appears to have blacklisted it on the basis of its model name"

Why is that?

I think Pixel was always good for this. The problem with rooted phones is that many bank applications wont run anymore.

"of systemwide adblocking"

Your alternative would be to use another DNS service like https://nextdns.io

dnsmasq and unbound are impacted to

https://github.com/NLnetLabs/unbound/releases/tag/release-1....

https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/20...

As are any other DNSSEC validators that followed the specifications.

Bind9 has its problems but this is not its fault this time.

Are you familiar with https://pi-hole.net/ ?

In my house I want DNS resolution to be performed by my own DNS resolver (https://github.com/NLnetLabs/unbound), after I block ad domains.

DoH circumvents that.

So yep it's an unbound thing: https://github.com/NLnetLabs/unbound/issues/438 there was a PR to allow a user to change the depth of a chase. I doubt F5 would have that version of unbound in any current software but support may be able to check or look at a lab 17.1 to see what version it is--you could then manually edit the conf file but it wouldn't persist through upgrades..

That's confirms in issue#362 I found.

The last time I checked, Unbound does not support upstream DoH. You can configure it to reply to DoH requests from clients, but you can't use it to forward queries to another DoH provider like Cloudflare or Quad9. Has that changed? The pull request has been open for 3 years.

And, while the documentation for unbound.conf doesn’t say a whole lot about the iterator module specifically as far as I can tell, the code says:

Gravity-Sync won't do that. But searching around on GH, I found this : https://github.com/NLnetLabs/unbound/blob/master/contrib/unbound_cache.sh

Version 1.15.0 Configure line: --with-libexpat=/usr/local --with-ssl=/usr --disable-dnscrypt --disable-dnstap --with-libnghttp2 --enable-ecdsa --disable-event-api --enable-gost --with-libevent --with-pythonmodule=yes --with-pyunbound=yes ac_cv_path_SWIG=/usr/local/bin/swig LDFLAGS=-L/usr/local/lib --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads --prefix=/usr/local --localstatedir=/var --mandir=/usr/local/man --infodir=/usr/local/share/info/ --build=amd64-portbld-freebsd12.3 Linked libs: libevent 2.1.12-stable (it uses kqueue), OpenSSL 1.1.1n-freebsd 15 Mar 2022 Linked modules: dns64 python respip validator iterator BSD licensed, see LICENSE in source package for details. Report bugs to [email protected] or https://github.com/NLnetLabs/unbound/issues

"Unbound" for example https://github.com/NLnetLabs/unbound