Experiment: the ultimate filter for ads, malvertisers, spies and scammers

Those who worry about their phone spying, tracking, listening, and sending information to advertisers or an intelligence agency can finally relax a little. God bless private DNS.

It started as an experiment to protect against high-tech spyware such as Pegasus, which, delivered via ad networks, is used to target activists, journalists, politicians, minorities, or other oppressed people. I managed to set up a Pi-Hole, a home network solution for DNS filtering, which, while great, did not work outside my home and needed a lot of tinkering.

After the hassle of setting up a Pi-Hole, Cybernews readers gave me the best advice this year. There’s a simpler and more effective solution that’s affordable or even free and will block most ads, trackers, malicious sites, and scam attempts on your phone without the need for any additional apps.

“Try out NextDNS. It’s like running Pi-Hole in the cloud and provides offnet protection for smartphones, and it is much easier to set up for non-techies,” Cybernews reader Rick suggested in the comment section.

There were other suggestions for alternatives, too. Another reader shared that he uses Control D for private DNS on the phone, which “got a friendly, tuneable interface.”

I tried them both, and what can I say – these services blew my mind. Not only do they filter advertising, but they also disable tracking and protect you from accidentally clicking a malicious link sent by scammers or served by malicious ads. They give you many controls on how you want to see the web, including extensive parental control.

True, they don’t cover all your security or privacy needs. And there’s one elephant in the room: using private DNS requires you to trust the service provider that handles your requests. You can only hope that they truly delete all the logs. However, the same trust issues come with any DNS provider, be it your ISP, Google, Cloudflare, or any other.

For this experiment, I used a burner email to register and found out that the benefits highly outweigh the risks.

What’s your phone doing while you aren’t using it?

The first service I tested was the NextDNS. The website preconfigures a temporary account for any visitor automatically, and setting it up is as easy as entering a single URL address in the phone settings. After seven days, it will be deleted unless signed up.

So I opened Android phone Settings, went to Connections, then More Connection settings, and in the Private DNS option, entered the provided DNS-over-TLS address.

That’s it – now all my phone’s traffic is routed through this server, and I can choose what I want to do with it.

The DNS server is like the phone book of the internet – when the device tries to access a particular website, say www.cybernews.com, the DNS server checks its current IP address, which usually is not constant, and returns it to the device. TLS part encrypts the communication from your ISP or anyone in the middle of your traffic.

NextDNS enables a lot of protection from the get-go, such as Threat Intelligence Feeds, Google Safe Browsing, Cryptojacking protection, and more. For ad filtering, only one filter list is enabled by default with 145.880 entries. Disguised third-party trackers are also blocked.

NextDNS settings

One could leave it as it is, but I wanted more. I enabled almost all the features and added all the blocklists to see what happens to my phone.

Immediately, I disappeared from the radars of all the big tech corps and small app developers that spy constantly, tracking my every move. Millions of URLs were filtered out from my traffic.

The log section was an eye-opener. Each minute, my phone tried to access some server online to send information to Microsoft, Google, Amazon, Facebook, or Huawei. I don’t even have any Meta or Huawei apps installed (I check social media on a web browser). Big tech has subdomains for user location data, statistics, analytics, and who knows what else. Various phone services constantly try to access those.

I’m not a common user in a sense, as I only have a few dozen apps installed on my phone. I don't have a single game, and almost all apps are forced into a deep sleep state, meaning they should not sync when not in use. However, the logs revealed that the phone still sends and receives information when not in use. It would be much worse if my phone had any games or apps that were allowed to run in the background.

Logs of blocked queries

After maxing out on all of the dozens of ad filters provided, I noticed that it worked a little bit too well, as I couldn’t access Google or social media websites. I immediately had to disable “No Google” and “No Facebook” filters. I need my Google apps to work, and sometimes I still check facebook.com, for now.

Still, many Google, Facebook, and other URLs are no longer accessible. You are no longer counted as a website visitor, as analytic services often use tracking links or pixels embedded within the web pages. Some may argue that blocking analytic services prevents us from getting better service and relevant content, but for me, it is a pro, not a con.

While browsing the web, most of the ads are now gone. You can still see the placeholders for them, as this service isn’t supposed to mess with source code. Private DNS won’t block ads on YouTube as those are served by YouTube itself. For that, you need a browser-level ad blocker. But trying to click ads on YouTube no longer opened the corresponding landing page.

Alternatively, you can block YouTube or any website entirely.

I even tried clicking on the malicious links in spam SMS – they didn’t open, as the DNS service included “typosquatting protection” and blocked newly registered or automatically generated domains. I wouldn’t trust that to work 100% of the time, as malicious actors also try to bypass protections. But this may cover you when you wish you hadn’t pressed that malicious link received from a friend on social media.

I used the service for a week, leaving almost all the filters enabled, and only had a single instance when the legitimate service did not work – my gym app. I opened NextDNS logs, found the blocked URL, and added it to “Allowlist,” and now it is working again.

You have the option to not keep any logs on the service, but I choose to see my traffic statistics. The analytics section reveals that about 60% of my phone’s queries are now being blocked. For all devices, the ratio is at 50% of traffic.

NextDNS analytics

Apps on your phone usually respect your DNS settings. In theory, malicious apps could try to bypass settings or directly access IP addresses, but those are prone to changing, meaning the app should update it constantly.

A private DNS server is not a silver bullet against all threats online, but it is a great filter that limits your exposure in the first place.

NextDNS can be used for free for up to 300,000 queries each month (I managed to reach around 20,000 queries in a week). For unlimited use, the price is $1.99 a month.

Control D: flashy but with a higher price tag

When you sign up to Control D, it looks much more polished visually. However, it’s a bit too shiny for my liking.

Functionality-wise, it was also a treat. There are as many or maybe even more options for filtering the web. You can lose yourself among the plethora of native and third-party filter lists and rules.

Sometimes, it was a bit hard to understand what was behind a particular option or filter – descriptions were short and could provide a link to technical documentation or a GitHub page with the actual filter.

For example, there is a filter for Clickbait, but it is not clear how it works, as the explainer reads: “Sites that intentionally, but not necessarily exclusively, publish hoaxes and disinformation for purposes other than satire.” Who would be the judge of this?

Control D settings

I didn’t try to max out all the settings this time. For example, why would I want to block government websites? There is an option for all that.

Control D has a good explanation of what users cannot and should not try to achieve with a private DNS service – it can block torrent sites, but not prevent BitTorrent protocol from working.

It doesn’t do enough to provide, for example, life-critical anonymity for whistleblowers, dissidents, or political activists living in dangerous countries. It does not replace the need for a virtual private network (VPN), as it redirects rather than hides unencrypted traffic.

“Control D is not magic – it will not solve wealth disparity or world hunger, and it will also not help you with any of the following.”

Would I recommend Control D service? Absolutely. After using it for a while, I also came to love it. The experience was similar – only my gym app required some attention, but I had a browsing experience cleaned from most trackers, ads, and malware.

Control D analytics

However, this is a paid service. Users can try it for one month free of charge, then it costs $2.00 per month or $20.00 per year for “Some Control,” which is more than enough for most. “Full control” is twice the price. For $4.00 per month, users gain the privilege of getting around geo-restrictions by redirecting DNS queries, making them appear to be from another country, and some other options.

For some, for example, gamers, this redirect option can increase latency or even break the services, therefore it should be enabled with care.

“If, for some strange reason, you decide not to use our service anymore, you can delete your account at any time in the “My Account” section. All data is immediately and permanently deleted from our database,” the Control D Privacy Policy assures.

What do cyber pros have to say?

I couldn’t only trust my personal feelings and experience, therefore I asked the Cybernews Research Team to provide some insights on whether users should or should not use private DNS services.

“In general, using a managed DNS is a one-stop solution for some of the hassles of a common user: ads, trackers, ISP-blocked websites, and so on. On the other hand, trusting a private DNS vendor with your browsing history is rather risky, especially when it comes to handling addresses that are not indexed on Google and are for internal use only, as now they are traveling through some third-party vendor, be it folks behind NextDNS name or some other company,” Cybernews Research team commented.

Another thing to be wary about is the speed.

“Some providers are better than others at handling traffic routing. This is one of the key features of a speedy internet connection, meaning correctly choosing the steps needed for data to travel from your computer to a remote website and vice versa. This is one of the main tasks for a DNS provider,” they said.

The fewer steps and the smaller the distance, the faster your request goes through.

Processing every query against a blocklist or some network-specific rule costs valuable resources and time, which may penalize the speed and browsing experience.

While there don't seem to be any apparent red flags, cybersecurity specialists advise that the "no-logs" policy should not be trusted unless it has been audited by a reliable third party.


Mark Russell
prefix 6 months ago
I use an app developed in Germany called Blokada. It blocks most attempts by my phone to send data to external sites, and the list of sites is configurable. There are free and paid versions but I've only ever used the free version. It's available for Android in the Play Store and on F-Droid. I got it from F-Droid, and I think the two versions are slightly different.
Leave a Reply

Your email address will not be published. Required fields are markedmarked