On MacOS, I cannot get the green light to show up on NextDNS, which says I’m using “FASTLY as DNS Resolver.” I’m presuming this is because Private Relay is on.
If I disable Private Relay to use NextDNS, am I getting more of a benefit than just leaving Private Relay on?
Just turn off the Block Page feature in the NextDNS settings.
Ref: NextDNS Staff
You haven’t explained your reasons for using NextDNS and your reasons for using Private Relay. It’s not possible to accurately answer ‘which is better?’ type questions without knowing your goals and your priorities.
Private Relay is similar to a VPN that only works in the browser
NextDNS is a DNS service
There is some overlap but considerable differences. And people who use these services have various goals that are not all the same. With more information about your goals it should be easier to give meaningful advice.
Seems like a DNS leak. I’m guessing whatever IP address Apple/Cloudflare is using shows up on your NextDNS profile? If you don’t mind then that’s fine, but I’m pretty sure it’s a DNS leak. The only “easy” way around it, as far as I know, is instead of downloading the configuration profile for your macOS, you will need to manually enter the IP address of your NextDNS profile. You will also lose DNS-over-HTTPS ability, I think. So when Private Relay or a VPN is on, it will use their DNS service; when those are turned off your NextDNS profile will kick in.
There is def a way around it, but it involves some software like YogaDNS for more granular control of things. TBH I forgot how to do that, maybe someone else can show you. I had this issue with Windows 11: I can’t use DoH because when I connected to a VPN it had a leak.
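For readers following the distinction drawn above between the downloadable NextDNS configuration profile (encrypted DNS) and manually entered resolver IPs, here is what a minimal macOS encrypted-DNS profile looks like. This is an added illustration, not a profile taken from NextDNS or from the thread. It uses Apple’s `com.apple.dnsSettings.managed` payload with `DNSProtocol` set to `HTTPS`; the profile ID `abc123` in the `ServerURL`, the `PayloadIdentifier` values and both UUIDs are placeholders that you would replace with your own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Added example profile; identifiers and UUIDs below are placeholders, not real values -->
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- Apple's managed DNS settings payload: system-wide encrypted DNS -->
      <key>PayloadType</key>
      <string>com.apple.dnsSettings.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>example.dns.nextdns.payload</string>
      <key>PayloadUUID</key>
      <string>11111111-2222-3333-4444-555555555555</string>
      <key>PayloadDisplayName</key>
      <string>NextDNS (DNS over HTTPS)</string>
      <key>DNSSettings</key>
      <dict>
        <!-- HTTPS = DNS-over-HTTPS; TLS would select DNS-over-TLS instead -->
        <key>DNSProtocol</key>
        <string>HTTPS</string>
        <!-- abc123 is a placeholder for your own NextDNS profile ID -->
        <key>ServerURL</key>
        <string>https://dns.nextdns.io/abc123</string>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>example.dns.nextdns.profile</string>
  <key>PayloadUUID</key>
  <string>66666666-7777-8888-9999-000000000000</string>
  <key>PayloadDisplayName</key>
  <string>NextDNS</string>
</dict>
</plist>
```

Install it by double-clicking the `.mobileconfig` file and approving it under System Settings → Privacy & Security → Profiles. Because the resolver is identified by a URL rather than a plain IP address, queries go over HTTPS to that endpoint, which is the DoH capability the post above says you give up when you type resolver IPs into the network settings instead.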
Private Relay is an oblivious DNS server.
Thank you for your considerate answer. I want to reduce all the ads that appear on my device, and I want to also protect myself against trackers.
You have it backwards. There is no DNS leak in either case. When iCloud Private Relay is used, it forwards a blind DNS query to the egress proxy. If you set up an encrypted NextDNS profile instead, it uses that for DoH resolution before using Private Relay. In both cases there is never a double DNS or DNS leak.
If you use NextDNS I suggest following this configuration guide for maximal but still sane protection.
As to whether you should use Private Relay or NextDNS for maximum protection, I would look into whether you can use both. My understanding is that Private Relay only protects the browser, not the whole device/all apps. If this is true, what I would do is use NextDNS for device level protection, and private relay + adguard or uBlock Origin in the browser. This of course depends on it being possible to set it up that way, and I’m not sure if it is.
That’s very helpful, thank you. I’ll look into that.
Correct, Private Relay only works with Safari and Mail.
You can use NextDNS with a native profile to protect everything besides Safari, then use something like AdGuard in Safari and be pretty well covered.