I'm trying to stop using NextDNS (and use PiHole via Tailscale, so that I can access my PiHole from my devices no matter where I'm connecting from).
On all my devices, I removed NextDNS and I see DNS requests going through my PiHole... Except on my Mac. I've read many posts about this, I have no NextDNS "profile" anymore, I tried to push a new NextDNS profile and remove it, tried to hardcode my PiHole Tailscale IP as my DNS... No matter what I do, my PiHole does not get DNS queries from my Mac, and my.nextdns.io keeps on showing "you are using NextDNS with this profile"!
Can you please assist me in fully removing NextDNS from my Mac?
Did you install the CLI? If so, you need to remove it. Once you switch to pihole you'll wonder why you wasted so much time with NextDNS. I recommend trying AdGuard Home instead of pihole. It's much more refined and easier to configure. Plus you don't need to install third-party software to enable modern DNS protocols for upstream servers, it has them built in. Plus the ability to temporarily turn off filtering without needing to change DNS servers or remember to re-enable blocking. I switched a few months ago and just checked back here to see the same tired issues that NextDNS doesn't seem to be interested in fixing.
fuchsia_bear
12 days ago
thanks a lot! I share your view on the support from nextdns, it seems to fully depend on the community (thank you again).
pihole, I'm a bit afraid of a lack of redundancy, and slightly lower performance. Plus, if my family and I want to use it from everywhere, I need Tailscale and I have no parental controls available (like the impossibility to prevent my son from turning Tailscale off).
you seem to be a fan of pihole AND AdGuard Home. Do you use one or both?
Calvin_Hobbes
10 days ago
I started with Pi Hole, but then switched to AGH. They have a lot in common, but AGH is more polished and it had features built in that either need to be added for PH or that PH just can't do. AGH has DOH/DOT/QUIC built in, no need for installing third-party solutions.
You mentioned redundancy. I think PiHole might have ways to create two instances with shared configurations for redundancy. I recall reading about how to do that, but never looked into it. I haven't seen much mention of doing that with AGH. Either way, you'd need two instances on separate hardware. If you're connecting through tailscale and the home internet connection goes down you can't reach either one. A good UPS is helpful if you have frequent power outages.
I've installed one of these to help keep the internet connection alive https://www.johnson-creative.com/shop/keep-connect/router-rebooter-by-keep-connect/. This makes the assumption that the problem is on your end. It merely power cycles your internet hardware if it detects a problem. I have it on my cable modem, router and wireless access point. I haven't yet added my Raspberry Pi to it, but will eventually. If the ISP itself has an outage, there's not much you can do unless you want to get super fancy and install another instance connected to a separate ISP, perhaps at a different location.
You mentioned "slightly lower performance" for self hosting. I was pleasantly surprised to find the opposite to be true (I really didn't expect it). For anything on the block list, AGH and PH answer instantly (0ms) because they have the answer already and it's local on your network. For many other queries, the answer is often cached and those replies are also instant (0ms).
AGH has a couple of really nice features that increase performance. You can configure multiple upstream providers to be queried in parallel and it will try all of them simultaneously and provide the client device with whichever one answers first. Their dashboard shows the average response time for each upstream provider. I currently have 11 configured but there are some obvious winners and obvious losers in the group of 11. You can also mix different types of upstream servers. I have a combination of DOH, DOT and QUIC. Two of the QUIC are the fastest. The exact same provider has DOH servers and they are not as fast.
The other feature to increase performance with AGH is they have a setting for "optimistic caching." When a TTL expires for a given query, this setting tells AGH to continue to store the stale result in cache and provide the expired answer, while simultaneously retrieving fresh answers. I don't see any stats on how often the expired results are still valid, but it's probably fine more than it's wrong. There might be edge cases where assets are coming from frequently changing IPs, but that's probably rare. It would be cool to see stats though.
I have discovered an issue with Tailscale in that they claim you can force clients to use a global DNS server that you specify. See this article https://tailscale.com/kb/1054/dns. I'm nearly certain this worked when I first set it up, but it doesn't seem to work now. I opened a support case with them, and while waiting for an answer their AI suggested a workaround which I'm using now. They told me to set tailscale to use my AGH on each of the clients (the IPs that start with 100.x.x.x). It works, but must be configured on the client rather than globally through tailscale. The idea that you can force the setting from their console doesn't seem to work for me (anymore). I don't know if it's a bug they're planning to fix or if it's something with my particular configuration.
That brings me to your last question about parental controls: I personally do not use parental controls, and I'm not sure if there's any bulletproof way of enforcing parental controls. I'm using AGH (and previously NextDNS and previously PH) because I WANTED the protection they offer. That means I voluntarily configure my own client devices to use them. As you probably already know, sometimes you WANT/NEED to bypass those protections for troubleshooting by switching to an unfiltered DNS server. I have never made any attempt to create a way to prevent bypassing them from someone who actively wants to.
Lastly, the NextDNS forums are probably not the place for this conversation. Here's an alias email address you can use to contact me directly. convent-uproot-shy@duck.com I'll disable it in a few days.
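The two AdGuard Home behaviours Calvin_Hobbes describes (racing several upstreams in parallel and "optimistic caching" of expired records), modelled in Python as an added example; this is not AdGuard Home's own code, and the upstream labels, latencies, TTL and addresses are constructed.

```python
import time
from concurrent.futures import ThreadPoolExecutor, FIRST_COMPLETED, wait

def simulated_upstream(answer, latency):
    """Constructed DoH/DoT/QUIC upstream stand-in that replies after `latency` seconds."""
    def query(name):
        time.sleep(latency)
        return answer
    return query

def race_upstreams(upstreams, name):
    """Query every upstream at once; return (answer, label) from whichever replies first."""
    with ThreadPoolExecutor(max_workers=len(upstreams)) as pool:
        futures = {pool.submit(fn, name): label for label, fn in upstreams.items()}
        done, _ = wait(futures, return_when=FIRST_COMPLETED)
        winner = next(iter(done))
        return winner.result(), futures[winner]

class OptimisticCache:
    def __init__(self, resolve, clock=time.monotonic):
        self._resolve = resolve  # name -> (answer, ttl_seconds)
        self._clock = clock
        self._store = {}         # name -> (answer, expires_at)
    def _fetch(self, name):
        answer, ttl = self._resolve(name)
        self._store[name] = (answer, self._clock() + ttl)
        return answer
    def lookup(self, name):
        """Return (answer, status); status is 'miss', 'hit' or 'stale'."""
        entry = self._store.get(name)
        if entry is None:
            return self._fetch(name), "miss"
        answer, expires_at = entry
        if self._clock() < expires_at:
            return answer, "hit"
        # TTL expired: serve the stale record and refresh it (AGH refreshes in the background; inline here for determinism).
        self._fetch(name)
        return answer, "stale"

def cache_demo():
    """Drive the cache with a fake clock; return the (answer, status) sequence and upstream call count."""
    clock, calls = {"t": 0.0}, []
    def resolve(name):  # constructed upstream: a new answer on each call, TTL 60 s
        calls.append(name)
        return f"203.0.113.{len(calls)}", 60
    cache = OptimisticCache(resolve, clock=lambda: clock["t"])
    seq = [cache.lookup("example.com"), cache.lookup("example.com")]
    clock["t"] = 100.0  # jump past the 60 s TTL
    seq += [cache.lookup("example.com"), cache.lookup("example.com")]
    return seq, len(calls)
```

The third lookup returns the expired answer immediately while the upstream is consulted only once more, which is the trade-off the post describes: one stale reply in exchange for no wait.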