What is DNS and how to configure a Network Firewall through NextDNS

Often compared to “the phone book of the internet“, the DNS, or Domain Name System, is the distributed database that maps human-readable, easier-to-remember hostnames or domain names (like prats.co!) to the IP addresses of the websites and servers behind them.

When you visit a specific domain, your computer (the client machine) asks a DNS resolver for it. If the resolver does not already know the answer, it walks the DNS hierarchy with a series of queries, asking a root nameserver, then the nameserver of the top-level domain (TLD), and finally the domain’s authoritative nameserver, to find the IP address associated with that domain:

If the domain is well known or used very often, the resolver may already have that answer cached (every DNS record carries a TTL that says how long it may be reused), which speeds up reaching the website or service.
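To make the lookup concrete, here is an added example (not code from the original post) that builds a DNS query in wire format, parses a response, and caches the answer for its TTL the way a resolver does. The packets are constructed by hand: the answer 203.0.113.10 is a documentation address, not the real address of prats.co, and the NXDOMAIN response stands in for the kind of “no such name” answer a filtering resolver may return for a blocked name.

```python
import struct

# Added example (not from the original post): build a DNS query in wire
# format (RFC 1035), parse a response, and cache the answer for its TTL.
# All packets below are constructed by hand; 203.0.113.10 is a documentation
# address, not the real address of prats.co.

def encode_name(name):
    """Encode "prats.co" as length-prefixed labels: \\x05prats\\x02co\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """12-byte header (flags 0x0100 = recursion desired) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg, offset):
    """Decode a name at offset, following 0xC0xx compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:                               # guard against pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(msg):
    """Return id, rcode (0 = NOERROR, 3 = NXDOMAIN), questions and answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        data = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}

class TtlCache:
    """Minimal resolver-style cache: an answer is reused until its TTL expires."""
    def __init__(self):
        self._entries = {}
    def put(self, parsed, now):
        for rr in parsed["answers"]:
            self._entries[(rr["name"], rr["type"])] = (rr["data"], now + rr["ttl"])
    def get(self, name, rtype, now):
        hit = self._entries.get((name, rtype))
        return None if hit is None or now >= hit[1] else hit[0]

# Constructed messages: the query for prats.co, a NOERROR response with a
# 300-second A record (answer name given as a pointer to offset 12), and an
# NXDOMAIN response of the kind a filtering resolver may return for a blocked name.
QUERY = build_query("prats.co")
RESPONSE_OK = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("prats.co") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
)
RESPONSE_NXDOMAIN = (
    struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
    + encode_name("tracker.example") + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    answer = parse_response(RESPONSE_OK)
    cache = TtlCache()
    cache.put(answer, now=0)
    print(answer["answers"][0])   # {'name': 'prats.co', 'type': 1, 'ttl': 300, 'data': '203.0.113.10'}
    print(cache.get("prats.co", 1, now=299), cache.get("prats.co", 1, now=300))  # 203.0.113.10 None
    print(parse_response(RESPONSE_NXDOMAIN)["rcode"])  # 3
```

The cache lookup at second 299 hits and at second 300 misses, which is exactly the “well-known domain answered from cache” behaviour described above; after expiry the resolver has to walk the hierarchy again.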

Generally, when you join a new network, the Dynamic Host Configuration Protocol (DHCP) will automatically configure your system to use your Internet Service Provider’s (ISP) DNS resolver. And whilst ISP-supplied resolvers may vary in speed, they are often very opaque and lack many of the privacy and security features that other DNS providers offer.

As most of our computers, tablets and laptops are constantly connected to the internet, our devices are in constant communication with many different applications, websites and remote servers. This is a privacy challenge: every one of those connections starts with a DNS lookup, so whoever runs your resolver, by default your ISP, sees a record of every domain your devices contact. And whilst most of these connections are to be expected (there’s no surprise in seeing a DNS query for one of Meta’s servers when you open Instagram, right?), most of the websites and apps we use every day also contain trackers, which creepily follow your activity online and build a profile of your internet activity, searches, hobbies and even location. These online profiles are then sold to data brokers, who use them to bombard you with highly targeted ads.

Do you know that unsettling feeling when you are looking to buy a new pair of shoes, or a new phone, just to then be pestered with a million Amazon ads for these products during the next couple of weeks, independently of the application or web page you browse? That’s part of this process – you’ve been targeted for a specific ad campaign.

I heard you wanted to buy some new sneakers

And as you may have guessed, this post is about solving the eternal-tracking issue through DNS, while simultaneously adding an extra layer of security on your network, all at once! And whilst there are multiple ways to achieve this, even through really interesting self-hosting options like Pi-hole (highly recommended if you have a spare Raspberry Pi – I tinkered with Pi-hole for a bit but I’ve changed my home lab since, I may write about this in the future!), this time I’d like to focus on an awesome free service, NextDNS.

Using NextDNS as a Network Firewall

NextDNS is not just a DNS provider. Whilst it will of course resolve all your DNS queries (in a very speedy, low-latency manner, by the way!), it also applies tons of built-in security and privacy features while resolving them. It essentially turns DNS resolution into a DNS-level firewall for your whole network, which can be set up on all your devices and networks in just a couple of minutes. It offers many excellent features, from blocklists based on threat intelligence feeds or blocking website trackers at the DNS level, to parental control settings. One caveat worth keeping in mind: a DNS filter can only block what is looked up through it, so an application that connects to hard-coded IP addresses, or that brings its own DNS-over-HTTPS resolver, will bypass it.

You can try their services without registration, or you can also sign up for a free account to access custom settings and usage logs. When signing up, all email alias providers such as SimpleLogin or Anonaddy should be accepted, so you can opt for using an alias for additional privacy. They do not require any additional personal information or payment method when signing up.

Whilst they offer paid plans, they also offer a free tier, which allows 300,000 monthly DNS queries at no cost – I’ve been using their services on some of my devices and of course, depending on usage and configuration, 300,000 queries may run short if you’re using it on multiple devices simultaneously, so you may want to test and, depending on your usage, add or remove devices. Generally 300,000 queries for a single device is plenty and could last an entire month without any issues.

After signing up, you will be taken to your user portal, which displays the DNS addresses unique to your configuration, including the encrypted DNS-over-HTTPS and DNS-over-TLS endpoints. This portal also includes detailed setup instructions for most devices, including computers (Linux, Windows, macOS and Chrome OS), mobile devices (Android and iOS), web browsers and even home routers:

Native support on all major platforms

There are multiple ways to set up NextDNS on your device, from the network settings or the CLI to their own app on mobile, so this depends on your personal preference. Once configured, you can quickly check that NextDNS is up and running and has been configured correctly, for example by visiting https://test.nextdns.io, which reports whether your queries are reaching NextDNS, or by resolving a domain with dig or nslookup and confirming that the answering server is one of your NextDNS addresses:

Security

After NextDNS has been correctly configured on your device, you can start setting up its security and privacy features. The Security tab offers tons of options, from AI-driven threat detection and cryptojacking protection (bad actors using your device’s CPU to mine cryptocurrency) to some neat features like blocking newly registered domains (domains registered less than 30 days ago, very popular among threat actors launching phishing campaigns because reputation-based blocklists have not caught up with them yet) and even blocking child abuse material. You can of course also block entire Top-Level Domains (TLDs) outright by adding them to the blocklist.

Privacy

The Privacy tab focuses on trackers and tracker blocklists. By default, NextDNS uses its own ads & trackers blocklist (which, at the time of writing, has 134,262 entries). And whilst that blocklist is very extensive and updated often, you can also add additional blocklists, for example DuckDuckGo’s tracker blocklist! They are also testing a native tracking protection feature, blocking trackers at the operating-system level (think of telemetry, or how Windows or macOS call home to Microsoft and Apple with device usage metrics).

Real time logs & analytics

And we reach my favorite part. NextDNS offers some amazing real-time analytics and logging. It provides an excellent breakdown of your resolved domains, as well as blocked domains, broken down by device (if using NextDNS on multiple devices), by the reason each domain was blocked, and even additional insights on your internet usage:

The Logs tab also provides detailed logs of all your queries, letting you filter for blocked queries only and check the reason each query was blocked:
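As an added example of what the blocklists above and the blocked-query log do under the hood (this is not NextDNS code, and its exact policy engine is not public), the following Python applies three of the block reasons discussed on this page, a hosts-style tracker list, blocked TLDs and newly registered domains, to a sample query log and produces the same kind of per-device, per-reason breakdown. The blocklist, the registration dates (standing in for a WHOIS/RDAP lookup) and the log lines are all constructed for the example.

```python
from collections import Counter
from datetime import date

# Added example (not NextDNS code): DNS-level blocking policy applied to a
# sample query log. Everything below is constructed: the blocklist, the
# registration dates (standing in for a WHOIS/RDAP lookup) and the log lines.

# Hosts-style list, the format most published tracker lists use ("0.0.0.0 domain").
TRACKER_HOSTS = """\
# constructed sample, not a real published list
0.0.0.0 tracker.example
0.0.0.0 metrics.example.net
"""
BLOCKED_TLDS = {"zip", "mov"}       # assumed policy: these TLDs are blocked outright
NRD_MAX_AGE_DAYS = 30               # "newly registered" threshold used on the page
REGISTRATION_DATES = {              # constructed, keyed by registrable domain
    "fresh-login-example.com": date(2024, 4, 25),
    "example.net": date(1992, 1, 1),
}
TODAY = date(2024, 5, 1)            # fixed "now" so the example is reproducible

def load_hosts_blocklist(text):
    """Parse hosts-style lines into a set of lowercase domains; skips comments."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[1] if len(fields) > 1 else fields[0]
        domains.add(host.lower().rstrip("."))
    return domains

def parent_suffixes(name):
    """cdn.metrics.example.net -> [cdn.metrics.example.net, metrics.example.net, example.net, net]"""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def registrable_domain(name):
    """Simplification: the last two labels. A real implementation must use the
    Public Suffix List, otherwise co.uk-style names are misjudged."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def classify(name, blocklist, today):
    """Return the block reason for a queried name, or None if it is allowed.
    A blocklist entry blocks the domain and every subdomain under it."""
    suffixes = parent_suffixes(name)
    if suffixes[-1] in BLOCKED_TLDS:
        return "blocked-tld"
    if any(s in blocklist for s in suffixes):
        return "ads-trackers"
    registered = REGISTRATION_DATES.get(registrable_domain(name))
    if registered is not None and (today - registered).days < NRD_MAX_AGE_DAYS:
        return "newly-registered"
    return None

# Constructed log lines: timestamp, device name, queried name, record type.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z laptop api.example.net A
2024-05-01T08:00:02Z laptop cdn.metrics.example.net A
2024-05-01T08:00:03Z phone tracker.example AAAA
2024-05-01T08:00:04Z phone fresh-login-example.com A
2024-05-01T08:00:05Z laptop invoice.zip A
2024-05-01T08:00:06Z phone prats.co A
"""

def summarize(log_text, blocklist, today):
    """Blocked-query breakdown by (device, reason), plus the blocked lines themselves."""
    per_device_reason, blocked = Counter(), []
    for line in log_text.splitlines():
        ts, device, name, _qtype = line.split()
        reason = classify(name, blocklist, today)
        if reason is not None:
            per_device_reason[(device, reason)] += 1
            blocked.append((ts, device, name, reason))
    return per_device_reason, blocked

if __name__ == "__main__":
    summary, blocked = summarize(SAMPLE_LOG, load_hosts_blocklist(TRACKER_HOSTS), TODAY)
    for (device, reason), count in sorted(summary.items()):
        print(f"{device:8} {reason:17} {count}")
    for entry in blocked:
        print(*entry)
```

Two details are worth noticing: a single list entry for metrics.example.net also catches cdn.metrics.example.net, because blocking is by suffix rather than exact match, and the newly-registered check needs registration data that a plain blocklist cannot carry, which is why it is a separate feature rather than just another list.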

NextDNS also gives you extensive control over your data. It lets you choose how your query logs are stored, where in the world they are physically stored, and for how long they should be retained. It also has some privacy tweaks in case you want to record logs without client IPs or domains, or not record any logs at all! Bear in mind that switching to any third-party resolver moves the visibility of your lookups from your ISP to that provider, so these retention settings deserve a careful look.

Depending on your device, you can now run some tests and check the logging capabilities of NextDNS. If using a Windows or macOS machine (which have very heavy telemetry and like to “call home” often), reboot your computer and watch the Windows or Apple native trackers being blocked even before you launch any application – Linux wins yet again 😉

Depending on your internet usage and number of connected devices, it is possible that the 300,000 queries per month included in the free tier may not be enough (once the monthly quota is exhausted, queries are still resolved but no longer filtered), so if you enjoy NextDNS, you may want to consider a paid plan, or instead, you can of course mix and match with other similarly awesome services. Some alternatives I’ve been testing in the last few months include NextDNS or Pi-hole on my computers, the App Tracking blocker feature of DuckDuckGo for Android, or of course the ad and tracker blocking capabilities in my VPNs of choice: NetShield ad and tracker blocker in ProtonVPN, and Mullvad VPN DNS filtering.
