Self-Hosted Diaries (2025.2)
I run a Pi-Hole at home to filter out ads/malware at a network level and it’s been wonderful. But what about when I’m out and about? Previously, I had set up NextDNS to handle on-the-go filtering but found that it was interfering with how I used Pi-Hole, so I abandoned it. Now that I have a bit of time, I wanted to find a way to automatically toggle NextDNS on/off depending on whether I’m at home or not.
Self-hosted Series
This post is part of a series, check out the other posts!
Starting point
A few years ago, I switched to using Pi-Hole as a network-wide ad/malware sinkhole and generally speaking it’s been great - I even deployed a second Pi to act as a secondary DNS for my network.
Phones, in particular, can be tricky to protect comprehensively, since the protection mechanism needs to work both at home (Wi-Fi) and on the go (mobile data). At the time, I mentioned that I was hoping to go with a two-pronged solution: Pi-Hole while at home and NextDNS while out and about.
For Pi-Hole, there’s nothing to do — it’s configured as the DNS server on the router, so in general, everything on the entire network is protected. For NextDNS, there are a few ways to get things hooked up; thankfully, in Android, I can manually specify Private DNS settings (and skip having to install any VPN-esque apps or do any per-network configuration tinkering). There’s only one catch: Android uses this private DNS setting regardless of whether I’m out and about (using data), or if I’m at home on Wi-Fi (under the coverage of Pi-Hole).
The bottom line is that, yes, everything will still work, but there are some nuances that made me reconsider simply applying this setting across the board. As a simplified example, consider making a request to example.com:
Example of what happens when we use the Private DNS setting in Android (super simplified)
In both cases, we ultimately get the IP address that we’re looking for (1.2.3.4) and for the purposes of this example, we’re going to disregard any extra (likely negligible) latency required for performing the initial lookup to NextDNS. Everything works. If this is all you’re after: then you can likely just set the Private DNS setting on your phone and be done with it.
So what’s the big deal? Things are a bit different when we look at the Pi-Hole logs:
Example of Pi-Hole logs when we have Private DNS set in Android
For my use case, this is a bit of a maintenance annoyance: because Android is now hiding my actual request (to example.com) behind a request to NextDNS,
None of the log entries in Pi-Hole tell me anything (this would be pretty similar to running a higher privacy level in Pi-Hole)
None of the blocking rules provided by Pi-Hole ever kick in (because NextDNS isn’t on a block list)
If I’m running all of my queries through NextDNS (and especially with multiple devices), I’ll hit the 300K/month limit for the free tier
The big deal though, is having different blocked/not-blocked resolution depending on the device, while at home, on Wi-Fi. This is because my Pi-Hole and NextDNS have different blocking rules in place (broadly speaking - I’m sure there are some overlaps).
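To make the log symptom above concrete from the Pi-Hole side, here is an added example (my own script, not from the original post) that scans a Pi-hole/dnsmasq query log and reports which LAN clients appear to be resolving nothing but their NextDNS endpoint, i.e. sending their real lookups around Pi-Hole over Private DNS. It assumes the standard ‘query[TYPE] name from client’ line format of pihole.log and the ‘*.dns.nextdns.io’ endpoint naming; the log lines embedded in it are constructed sample data, not real traffic.

```shell
#!/bin/sh
# Added example (not from the original post): scan a Pi-hole/dnsmasq query log
# and report which LAN clients appear to send their real lookups to NextDNS over
# Private DNS, so that Pi-hole only ever sees queries for the NextDNS hostname.
# Assumed log line format (pihole.log / dnsmasq):
#   <date> <time> dnsmasq[pid]: query[TYPE] <name> from <client-ip>

# Hostname suffix a Private DNS (DNS-over-TLS) client must resolve before it can
# reach NextDNS. Per-device labels such as john-phone-A1B2C3.dns.nextdns.io share it.
PRIVATE_DNS_SUFFIX="${PRIVATE_DNS_SUFFIX:-.dns.nextdns.io}"

# Print one line per client: <client> <total_queries> <private_dns_queries> <verdict>
# BYPASS  = every query from the client was for the Private DNS endpoint itself
#           (Pi-hole sees nothing else from it, so its blocklists never apply)
# PARTIAL = some queries were, OK = none were.
report_private_dns_clients() {
    logfile="$1"
    awk -v suffix="$PRIVATE_DNS_SUFFIX" '
        # Only dnsmasq "query[...]" lines carry the client address.
        index($0, "query[") > 0 {
            name = ""; client = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "query[") == 1) name = $(i + 1)
                if ($i == "from") client = $(i + 1)
            }
            if (client == "") next
            total[client]++
            # Match "<label>.dns.nextdns.io" or the bare "dns.nextdns.io".
            if (substr(name, length(name) - length(suffix) + 1) == suffix ||
                name == substr(suffix, 2)) {
                pdns[client]++
            }
        }
        END {
            for (c in total) {
                n = pdns[c] + 0
                verdict = (n == 0) ? "OK" : (n == total[c]) ? "BYPASS" : "PARTIAL"
                printf "%s %d %d %s\n", c, total[c], n, verdict
            }
        }
    ' "$logfile" | sort
}

# Constructed sample log (not real traffic): a laptop that uses Pi-hole normally,
# a phone whose only visible queries are for its NextDNS endpoint, and a device
# that mixes both.
write_sample_log() {
    cat > "$1" <<'EOF'
Feb  2 09:14:01 dnsmasq[812]: query[A] example.com from 192.168.1.20
Feb  2 09:14:01 dnsmasq[812]: forwarded example.com to 9.9.9.9
Feb  2 09:14:01 dnsmasq[812]: reply example.com is 1.2.3.4
Feb  2 09:14:07 dnsmasq[812]: query[A] ads.example.net from 192.168.1.20
Feb  2 09:14:07 dnsmasq[812]: gravity blocked ads.example.net is 0.0.0.0
Feb  2 09:15:30 dnsmasq[812]: query[A] john-phone-A1B2C3.dns.nextdns.io from 192.168.1.50
Feb  2 09:15:30 dnsmasq[812]: query[AAAA] john-phone-A1B2C3.dns.nextdns.io from 192.168.1.50
Feb  2 09:16:02 dnsmasq[812]: query[A] john-phone-A1B2C3.dns.nextdns.io from 192.168.1.50
Feb  2 09:17:45 dnsmasq[812]: query[A] dns.nextdns.io from 192.168.1.77
Feb  2 09:17:46 dnsmasq[812]: query[A] example.org from 192.168.1.77
EOF
}

# Real use: report_private_dns_clients /var/log/pihole/pihole.log
# Demo on the constructed sample:
tmp=$(mktemp)
write_sample_log "$tmp"
report_private_dns_clients "$tmp"
rm -f "$tmp"
```

Run against a real pihole.log, a client flagged BYPASS is one whose Private DNS setting is active while it sits on the home Wi-Fi: exactly the state the automation below is meant to avoid. The suffix is a variable so the same check works for any other DoT provider hostname you might use.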
Turning off the Private DNS setting would solve the problem at home but this removes all of the filtering and protection while on data and honestly, if I have to toggle something (even if it’s a simple toggle) every time I connect/disconnect from Wi-Fi, that’s just too much friction — it needs to be automated in some way.
Automating Private DNS
In an ideal world, we would have something like this:
If connected to home Wi-Fi, disable Android’s Private DNS — filtering is done by Pi-Hole
Otherwise, enable Private DNS and let NextDNS handle it
We can leverage Tasker to do the automation, but before we get started, we need a few things:
Obviously, set up a NextDNS account, define your rules, etc.
Your phone needs to be rooted. You may be able to do this without root, but I don’t know; it would certainly be more involved.
You need to set the Private DNS endpoint in Android in advance - Tasker will just toggle between ‘off’ and ‘Specified DNS’.
Create the Tasks
Create the Profiles
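As an added example of the toggle itself (my own script, not from the post or from Tasker), here is the shell half of the automation: the script a Tasker ‘Run Shell’ action, running as root as required above, can call from the Wi-Fi Connected profile’s enter and exit Tasks to flip Android’s Private DNS between ‘off’ and ‘Specified DNS’. It relies on the Android global settings keys private_dns_mode and private_dns_specifier (the UI’s ‘Specified DNS’ corresponds to mode ‘hostname’); the script path and the home/away argument names are my assumptions. It refuses to enable Private DNS when no hostname has been configured, since mode ‘hostname’ with an empty specifier would leave the phone without working DNS once it leaves the home network.

```shell
#!/system/bin/sh
# Added example (not from the original post): the shell half of the Tasker
# automation. Tasker's Wi-Fi Connected profile decides home/away; this script,
# called from a "Run Shell" action with root, flips Android's Private DNS mode
# the same way the Settings UI does.
#
# Android keys (Settings.Global):
#   private_dns_mode      = off | opportunistic | hostname
#   private_dns_specifier = the DNS-over-TLS hostname ("Specified DNS" = hostname)
#
# SETTINGS lets a test, or a non-Android shell, substitute a stub for the binary.
SETTINGS="${SETTINGS:-settings}"

get_private_dns_mode()      { "$SETTINGS" get global private_dns_mode; }
get_private_dns_specifier() { "$SETTINGS" get global private_dns_specifier; }

# Enable "Specified DNS". Refuses when no hostname has been configured: the
# settings binary prints "null" for an unset key, and mode=hostname with an
# empty specifier would leave the phone unable to resolve anything off Wi-Fi.
enable_private_dns() {
    spec=$(get_private_dns_specifier)
    if [ -z "$spec" ] || [ "$spec" = "null" ]; then
        echo "private_dns_specifier is not set; configure the NextDNS endpoint first" >&2
        return 1
    fi
    "$SETTINGS" put global private_dns_mode hostname
}

# Back to plain DNS from DHCP, i.e. the Pi-hole handed out by the home router.
disable_private_dns() {
    "$SETTINGS" put global private_dns_mode off
}

# Profile entry point. Tasker passes "home" (Wi-Fi Connected, home SSID/MAC)
# or "away" (the profile's exit task). Returns 0 only if the resulting state
# matches what was requested, so a failed toggle shows up in Tasker's run log.
apply_dns_profile() {
    case "$1" in
        home) disable_private_dns; want=off ;;
        away) enable_private_dns || return 1; want=hostname ;;
        *) echo "usage: $0 home|away" >&2; return 2 ;;
    esac
    now=$(get_private_dns_mode)
    [ "$now" = "$want" ] || { echo "expected $want, got $now" >&2; return 1; }
    echo "private_dns_mode=$now"
}

# Assumed Tasker command: sh /sdcard/Tasker/private_dns.sh home   (or: away)
case "${1:-}" in
    home|away) apply_dns_profile "$1" ;;
esac
```

Because the script verifies the mode after writing it, the Task can be set to stop on a non-zero exit and surface the error, rather than silently leaving the phone in the wrong mode. The home/away decision stays in the Tasker profile, which is also where the SSID or router MAC match lives.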
This is a super simplified starting point to get you started. There are a couple of easy ways to spruce things up:
You can add [persistent] notifications to each of the Tasks to add a visual cue indicating whether you are in ‘Pi-Hole mode’ or ‘NextDNS mode’ (as I have in a few of my screenshots). If you go down this route, make sure you also add a ‘Notify Cancel’ action (to clear the previous persistent notification)
You can react to users clicking on the notification using ‘Notification Click’, by triggering a Browse URL action (a useful NextDNS URL would be https://my.nextdns.io/YOUR_NEXTDNS_ID/analytics)
Novel use case: parental controls
Just thinking about this for a moment, there’s definitely a novel use case specifically for parents here. At home, you might go down the route of adding protections, filtering and parental controls, but what if your kid goes to a friend’s house and connects to Wi-Fi there? Now, with this automated Private DNS, regardless of what filtering may or may not be in place at the friend’s house, everything will still go through NextDNS.
As a bit of a corner case: if you happen to use a generic SSID (e.g., ‘Guest’ or ‘Kids’), you may want to consider matching on the MAC address of your router/AP instead of just the SSID. This way, when your kid goes to a friend’s house and connects to their ‘Kids’ network, there will still be filtering in place.
Of course, permanently setting the Private DNS setting will always provide you with the protection, and you only need to look for logs in one location (in NextDNS), but, depending on the number of kids/devices, you will be more likely to hit the 300K/month query limit.
One more neat thing: you can add identifiers to the DNS logging. For example, if your NextDNS identifier is A1B2C3, then you might set a distinct Private DNS hostname for each kid/device:
john-phone-A1B2C3.dns.nextdns.io
john-tablet-A1B2C3.dns.nextdns.io
susy-phone-A1B2C3.dns.nextdns.io
shared-device-A1B2C3.dns.nextdns.io
Now, when you go to your NextDNS analytics, you can see which device/user is going where.
Summary
As I mentioned above, everything still works if you permanently set the Private DNS for all devices — just that we bypass the value of having Pi-Hole protecting our home network. Yes, by having a two-pronged approach, we will still need to maintain two sets of rules (I’m a bit more lax with my NextDNS settings) but there is consistency in having “all home devices are covered by Pi-Hole and nothing else”.
Product links may be affiliate links: MinMaxGeek may earn a commission on any purchases made via said links without any additional cost to you.