NextDNS: Precision DNS for Homelab, Privacy, and Sysadmin Workflows

If you’re running a production-grade homelab like I do, or managing endpoints across a small business, or simply want forensic visibility into your DNS traffic, NextDNS is the upstream resolver you’ve been waiting for.

Here’s why I’m using NextDNS

Encrypted DNS via DoH/DoT for privacy and ISP bypass
NextDNS supports DNS-over-HTTPS and DNS-over-TLS, which encrypt DNS traffic and prevent third parties like ISPs from inspecting or monetizing your personal query data. This is useful for maintaining privacy and ensuring that DNS activity isn’t being logged or sold without your knowledge or consent. In my setup, this helps maintain a clean separation between internal activity and external observation.

Real-time analytics with per-device breakdowns
The analytics dashboard provides detailed visibility into DNS queries, organized by device. This makes it easier to identify patterns, track unexpected behavior, and maintain oversight across the network. I use this regularly to monitor traffic and confirm that devices are operating within expected parameters.

Custom blocklists and DNS rewrites for operational hygiene
NextDNS allows you to define blocklists and DNS rewrites, which can be used to filter out unwanted domains or redirect queries. I use this to block advertising domains and to redirect certain services internally. It’s a straightforward way to reduce noise and maintain consistency across devices. Not to mention, if it’s blocked at the DNS level, then that’s traffic my ISP and my personal network never have to see! And I don’t have to bother managing blocklists within my firewall anymore. One less headache to manage!

Multiple configurations for segmented environments
You can create separate configurations for different network segments, such as VLANs or subnets. Each configuration can have its own policies, logs, and upstream settings. This is useful for isolating traffic between zones like guest, IoT, and lab environments, while still managing everything from a central interface.

Data residency control (US, EU, UK, Switzerland)
NextDNS lets you choose where your DNS data is processed, which can help meet regulatory or policy requirements. I’ve set mine to US-based processing to keep logs within a known jurisdiction. This adds clarity to where data is stored and how it’s handled.

Zero trust assumptions—every query logged, every upstream accountable
NextDNS logs all DNS queries and provides visibility into which upstream resolvers are used. This fits well with a zero trust approach, where activity is verified and logged rather than assumed. I use this to confirm that queries are routed as expected, and that upstream behavior aligns with my configuration and expectations.

Whether you’re tracking NXDOMAIN spikes, enforcing policy across VLANs, or just want to know why your smart TV is phoning home, NextDNS gives you the tools to inspect and manage DNS traffic effectively.
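The NXDOMAIN-spike tracking mentioned above is easy to automate once you have per-device query logs. The following is an added example (not NextDNS’s own code or export format): it runs a sliding-window detector over a constructed, simplified CSV log (timestamp, device, domain, status) and flags any device whose NXDOMAIN count within a 60-second window reaches a threshold and makes up most of that window’s queries. The column names and the sample lines are assumptions for the sake of the example.

```python
"""Per-device NXDOMAIN spike detection over resolver query logs.

Added example. The CSV layout below is a constructed simplification of a
per-device resolver log export (timestamp, device, domain, status); it is
not NextDNS's own export format or code.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log lines (not real traffic). "status" is the answer
# status returned by the resolver: NOERROR, NXDOMAIN, and so on.
SAMPLE_LOG = """\
timestamp,device,domain,status
2024-05-01T10:00:01Z,laptop,example.com,NOERROR
2024-05-01T10:00:05Z,laptop,cdn.example.net,NOERROR
2024-05-01T10:00:07Z,smart-tv,telemetry.example.org,NOERROR
2024-05-01T10:00:09Z,smart-tv,a1b2c3.invalid,NXDOMAIN
2024-05-01T10:00:10Z,smart-tv,d4e5f6.invalid,NXDOMAIN
2024-05-01T10:00:11Z,smart-tv,g7h8i9.invalid,NXDOMAIN
2024-05-01T10:00:12Z,smart-tv,j0k1l2.invalid,NXDOMAIN
2024-05-01T10:00:13Z,smart-tv,m3n4o5.invalid,NXDOMAIN
2024-05-01T10:00:40Z,laptop,typo-exmaple.com,NXDOMAIN
2024-05-01T10:02:00Z,smart-tv,update.example.org,NOERROR
"""


def parse_log(text):
    """Parse CSV text into a time-sorted list of (timestamp, device, domain, status)."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append((ts, row["device"], row["domain"], row["status"]))
    rows.sort(key=lambda r: r[0])
    return rows


def nxdomain_spikes(rows, window=timedelta(seconds=60), min_count=5, min_ratio=0.5):
    """Return {device: (nxdomain_count, total_queries, window_start)}.

    A device is reported when, within some sliding window of length `window`,
    at least `min_count` of its queries returned NXDOMAIN and those make up
    at least `min_ratio` of the queries in that window. A single typo (one
    NXDOMAIN among normal traffic) therefore never trips the detector, while
    a burst of unresolvable names from one device does.
    """
    by_device = defaultdict(list)
    for ts, device, _domain, status in rows:
        by_device[device].append((ts, status))

    spikes = {}
    for device, events in by_device.items():
        start = 0      # index of the oldest event still inside the window
        nx = 0         # NXDOMAIN count inside [start, end]
        for end, (ts, status) in enumerate(events):
            if status == "NXDOMAIN":
                nx += 1
            # Slide the window start forward past events older than `window`.
            while events[start][0] < ts - window:
                if events[start][1] == "NXDOMAIN":
                    nx -= 1
                start += 1
            total = end - start + 1
            if nx >= min_count and nx / total >= min_ratio:
                prev = spikes.get(device)
                if prev is None or nx > prev[0]:   # keep the worst window per device
                    spikes[device] = (nx, total, events[start][0])
    return spikes


if __name__ == "__main__":
    for device, (nx, total, since) in nxdomain_spikes(parse_log(SAMPLE_LOG)).items():
        print(f"{device}: {nx} NXDOMAIN of {total} queries since {since:%H:%M:%S}")
```

With the constructed log, the smart TV is flagged (five NXDOMAIN answers out of six queries in under ten seconds) while the laptop’s single typo is not. Tune `min_count` and `min_ratio` to your own baseline before treating a hit as anything more than a prompt to look at the device.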


Support the Blog & Get Started

I use NextDNS Pro in my own “homelab” environment now, and I have to say that I’m REALLY enjoying it. All of this is yours to try out for free (up to 300,000 DNS queries per month), so please give it a try to see if you agree; it’s probably the best DNS resolver I’ve come across yet. And if you’re ready to take full control of your DNS stack and need unlimited queries, you can sign up for their “Pro” offering for only $19.95 a year, using my referral link below:

https://nextdns.io/?from=3hh3mtch

It doesn’t cost you anything extra, but it does help support the blog and keeps the lights on in my homelab.

Upgraded to Netgear Orbi WiFi 6 AX5400 Mesh System

I’ve been fighting my ASUS routers (in AP Mode) for the better part of 8 years now. Their approach to all of the bundled utilities is to farm them out to a 3rd party who actually supplies them. None of the utilities are made by ASUS themselves, and you have to agree to an onerous set of terms to even unlock those utilities, so I have never used them. Talk about shrink-wrap licensing.

Anyways, I opted for an older version so as not to pay through the nose: the Netgear Orbi AX5400, which offers WiFi 6 on a Tri-Band Mesh System, supports up to 5.4Gbps network throughput, and comes with one Router and two Satellites, which I also placed in AP (Access Point) Mode. AP Mode just means I’m not interested in using all the bells and whistles; I just need the system for its AX5400 WiFi chops. I really like the hardware and its performance so far.

Unfortunately, the installation process was designed for a beginner, and assumed every user is a beginner, which was really the worst part of the whole experience. I was actively forced to wait 2 minutes per step to go from step to step. Sadly, they did not build any provisions for those who might know what they are doing. It took me about 3 hours to set up, but really, most of that time was spent figuring out how to side-step their install process effectively. I think if they just offered an “admin” or “power user” mode, it would only take about 15-20 minutes total time to set up. Oh well.

But, I have to say, our WiFi coverage is now rock solid! I can even be down the street or in the farthest reaches of our property and still have all bars on the WiFi meter. I picked up the refurbished (aka “renewed”) version via Amazon for just about $200, so money well spent!

Just pivoted from PiHole DNS to Technitium DNS

So on my recent attempt to get more bandwidth going, Pi-hole decided to start throwing errors, so I uninstalled it and attempted to re-install it. Unfortunately, every install failed for one reason or another. It’s like it got super brittle over the last year. I spent two weeks trying to get it to work, but in a lot of cases, it wouldn’t even launch after installation. So I decided to pivot to a new DNS server that has built-in “Recursive DNS” (aka “black-holing”), unlike Pi-hole, which doesn’t support it natively. Installing “unbound” was never a problem with Pi-hole, but having it built in is a super nice reason to switch over.

It also provides a lot more options for me to customize my homelab networking, and I’m taking full advantage of them: mostly that it supports DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), and self-hosting so it can act as a public nameserver. It also supports conditional forwarding, zone delegation, and granular record control.

This is one of my best and easiest decisions in a long time.

Using AI as a helper for SysAdmin

I’ve used a lot of various AIs over the last year, and I have to say that I’m actually kind of digging the Microsoft AI “Copilot” as a top contender. I love the dedicated Windows app, the interface is nice and clean, and it’s validated most of the system admin stuff I’ve been attempting of late.

The key to using AI is to remember that it’s not a magic solution that will fix all of your problems.  Do not ask it an open-ended question unless you have an evening to kill going down all the various dark rabbit holes on the internet that it’s likely going to send you down.

Let me know via Disqus if you have a favorite AI, and what you use it for.

Unable to avoid IOMMU after all

So it turns out that using TrueNAS is entirely dependent on accessing the Host Bus Adapter (HBA) directly, so the TrueNAS installation has hit a roadblock for now. It also turns out, after installing the Ipolex card, that while I can set it to match the telco gateway’s NBase-T Ethernet port, it won’t actually pass that traffic at a faster speed because of the way that Proxmox handles its Virtual Bridges (VMBRs). So in both cases, in order to even access my NAS hard drive array, or really be able to pass traffic through the Ipolex 10G card (well, 5G for my purposes) at a faster speed, I will indeed have to cave in and re-enable IOMMU after all…

Settled on IPOLEX 10G network adapter

Been doing quite a bit of research on finding the right card that will support NBase-T, the standard that my Telco is employing for the Ethernet Handoff from their Residential Gateway to my home network. 

I found plenty of cards that worked at the 10G side, and a lot claimed to support it, but when checking the base chipset their cards used, most of them were much older and could not possibly support this newer standard. But Ipolex uses Intel’s X550-T2 chipset, and Intel is an early supporter of that standard, so it would ostensibly work with NBase-T. I spent a few days chatting with the vendor’s tech support team to ensure that they natively supported NBase-T, and they confirmed it was 100% compatible, so I’ve finally settled on that NIC for my pfSense installation. Hopefully I’ll start to see the faster download speeds once I get it delivered and installed!

Skipping IOMMU aspect of Rebuild process

This time I’m going to try skipping the IOMMU aspect of this rebuild process because it was honestly such a nightmare the first time I built the server. 

In that particular situation, I didn’t have everything built into the server from the get-go, and nothing in the network was depending on its presence yet. I added pfSense next, and that took a while to get to the point where the config worked for me, and I had the main wireless router performing all of my DHCP. I didn’t “cut” everything over to pfSense and Pi-hole until months after I had installed them. But this time, I was under a little more pressure to restore things to the way that they were back when we had Proxmox and pfSense/Pi-hole/TrueNAS working for us. So just to simplify my life, I decided not to employ IOMMU this time around.

What is IOMMU you ask?  It’s short for Input/Output Memory Management Unit, and is a hardware feature that sits between your system’s memory and I/O devices (like GPUs, NICs, or storage controllers), and it plays a crucial role in:

Memory Protection
• Prevents devices from accessing unauthorized memory regions
• Shields the system from faulty or malicious DMA (Direct Memory Access) operations

Address Translation
• Maps device-visible virtual addresses to physical memory addresses
• Enables devices to access non-contiguous memory as if it were contiguous (scatter/gather)

Virtualization Support
• Essential for PCI passthrough in Proxmox and other hypervisors
• Allows guest VMs to use real hardware securely and efficiently
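Before committing to PCI passthrough, the first thing to check on the host is whether the kernel has actually enabled the IOMMU and which devices it has placed in the same group, because isolation (and therefore passthrough) is enforced per group, not per device: a NIC sharing a group with the HBA has to go to the same VM. The following is an added example, not Proxmox’s own tooling; it reads the sysfs layout Linux exposes at /sys/kernel/iommu_groups/<group>/devices/<pci-address>, takes the root directory as a parameter so it can also run against a constructed tree, and the PCI addresses in the sample tree are made up.

```python
"""Enumerate IOMMU groups from a Linux sysfs tree and report group companions.

Added example (not Proxmox's own code). On a real host run iommu_groups()
with the default root; build_sample_tree() constructs a fake tree so the
logic can be exercised offline.
"""
import os
import tempfile

IOMMU_ROOT = "/sys/kernel/iommu_groups"


def iommu_groups(root=IOMMU_ROOT):
    """Return {group_number: [pci_address, ...]} found under `root`.

    An empty dict means the kernel exposed no groups at all, which is what
    you see when the IOMMU is disabled in firmware or not enabled on the
    kernel command line (for example intel_iommu=on on Intel hosts).
    """
    groups = {}
    if not os.path.isdir(root):
        return groups
    for name in os.listdir(root):
        if not name.isdigit():          # skip anything that is not a group dir
            continue
        devdir = os.path.join(root, name, "devices")
        # On a real host the entries are symlinks to the PCI devices; listdir
        # returns their names either way.
        devices = sorted(os.listdir(devdir)) if os.path.isdir(devdir) else []
        groups[int(name)] = devices
    return groups


def passthrough_companions(groups, pci_address):
    """Devices that must be passed through together with `pci_address`.

    Raises KeyError if the address is in no group (typo, or IOMMU off).
    """
    for devices in groups.values():
        if pci_address in devices:
            return [d for d in devices if d != pci_address]
    raise KeyError(f"{pci_address} is not in any IOMMU group")


def build_sample_tree(base):
    """Construct a fake sysfs tree for demonstration (addresses are made up)."""
    layout = {
        "0": ["0000:00:01.0"],                    # root port, stays on the host
        "13": ["0000:01:00.0", "0000:01:00.1"],   # dual-port NIC sharing one group
        "14": ["0000:02:00.0"],                   # HBA alone in its group
    }
    root = os.path.join(base, "iommu_groups")
    for group, devices in layout.items():
        for dev in devices:
            os.makedirs(os.path.join(root, group, "devices", dev))
    return root


def demo():
    """Run the checks against the constructed tree; returns (groups, companions)."""
    root = build_sample_tree(tempfile.mkdtemp())
    groups = iommu_groups(root)
    return groups, passthrough_companions(groups, "0000:01:00.0")


if __name__ == "__main__":
    groups, companions = demo()
    for number in sorted(groups):
        print(f"group {number}: {' '.join(groups[number])}")
    print("passing 0000:01:00.0 also requires:", companions or "nothing else")
```

On the constructed tree the HBA sits alone in group 14, so it can be handed to a TrueNAS VM by itself, while either port of the NIC drags the other port along. If `iommu_groups()` returns nothing on the real host, fix the firmware and kernel settings before touching any passthrough configuration.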

I decided this time I was going to rely only on native Proxmox systems to get things up and working. Sadly, details on the use of IOMMU when I first provisioned the server were exceedingly difficult to find or research on the web, because it was the proverbial “wild west”, and for every post I could find that said to do something using Method A, I found at least 10 other posts that said Method A was entirely wrong. So even with the best of tools at my disposal, it was for me a veritable nightmare. Mostly it’s about the fact that if you do select the wrong method, you could literally destroy your hardware.

So this time, I’m going to take it nice and slow to try to keep my sanity. Let me know if you had similar problems employing IOMMU.

Manual rebuild of Proxmox

So once the server failed to boot, I lost access to everything that I had stored on that box. Classic case of keeping all of my eggs in one basket. No one to blame but myself.

Thankfully, I was able to pivot to using the local telco’s “Residential Gateway” as my DHCP Server, and had the network back up and working again within 30 minutes.  Obviously, no access to our personal shares on the NAS, no blocking of Ads via PiHole, and worse, now our personal data gathered by the local telco on our usage and DNS

I’ve been giving it a lot of thought since the SSD in the server went kaput last month, and decided that I was going to approach this build a little differently. Not much, mind you, but enough to hopefully keep this kind of a problem from happening to me again. I’m not going to deal with the whole IOMMU config at this time (I’ll expound on that in another post), plus a few other minor changes. I’ve already installed the base Proxmox OS (using the EXT4 filesystem, of course!), and will be starting to install pfSense and Pi-hole with its “Recursive DNS” option in the next day or so.

Going to spend the next few weeks fine-tuning things…

So it’s official. I killed my SSD with my ZFS filesystem choice.

So today I had to power down the server to perform some maintenance. It was also the day that my local electric utility decided to replace a pole in my neighborhood. They were kind enough to warn us that power would be down, so I took the opportunity to power down the server in the morning before they began their work. I went to work, and when I got home, I did some moving around of equipment around the server that I had been wanting to do for a while. Unfortunately, when I powered the server back on, it started up just fine but threw the dreaded “no bootdrive detected”.

SSDs by their very nature are perfect for most every situation, EXCEPT WRITE-INTENSIVE applications. Turns out that I was NOT paying attention when I originally installed Proxmox on the SSD with ZFS format. Or more specifically, I wasn’t aware of the bad choice I was making. I should have gone with EXT4 as the filesystem type instead of ZFS. Bad sysadmin!

Errors are really starting to stack-up

So those errors are really starting to stack-up on that SSD. 

Cracked open the chassis for like the third time this week, not really expecting to find a physical problem, mostly because I don’t think it’s a hardware problem. I suspect that it’s more likely a configuration choice / issue on my part. I bought a replacement drive just in case this one goes down hard. It’s now up to:

Device: /dev/sda [SAT], ATA error count increased from 175188 to 175201