Readit News
Posted by u/nextdns 7 months ago
Show HN: NextDNS Adds "Bypass Age Verification"
We just shipped a new feature in NextDNS: Bypass Age Verification.

More and more sites (especially adult ones) are now forcing users to upload IDs or selfies to continue. We think that’s a terrible idea: handing over government documents to random sites is a huge privacy risk.

This new setting works around those verification flows via DNS tricks. It’s available today to all users, including free accounts.

We’re curious how the HN community feels about this. Is it the right way to protect privacy online, or will it just provoke regulators to push harder?

https://nextdns.io

freedomben · 7 months ago
It may not be effective in the long term, but I think it's very much worth doing. The privacy nightmare of uploading government docs is appalling and should be resisted by all who can, so I think you're doing great work. If it provokes regulators to push harder, they might just get enough attention from voters to motivate a change. That would be my hope anyway
Alive-in-2025 · 7 months ago
It's a great idea to get rid of, I'm shocked a company is this brave to do this. It's not in the interest of any adult to upload their ID so the government can track their web browsing. I didn't want to expose my kid to porn when they were 5, somehow it wasn't a problem because the avg browser use was guided by me, but also the browser blocked porn. When they were a bit older, a teenager, I also lightly guided their computer use.
amy_petrik · 7 months ago
The solution to spam is that everyone replies to the spam and engages up to the point that human labor is required, thus making it financially impracticable

The solution to this problem is not to provide YOUR ID but to provide AN ID, again and again, once per day. Again - cannot scale if a manual check is done by a human somewhere, flipside if it's fully automated now it's game-able

petcat · 7 months ago
> More and more sites (especially adult ones) are now forcing users to upload IDs or selfies to continue.

> they might just get enough attention from voters to motivate a change

Unfortunately, guaranteeing anonymous internet porno is a terrible political beachhead to motivate "voters" to do anything.

Spivak · 7 months ago
You don't have to sell it like that. The bill that needs to be passed is default presumption that all websites on the internet not explicitly marked as such and who voluntarily accept a higher legal burden and standard of moderation may contain content not suitable for children. And that is up to parents to control their child's internet access to limit their usage to only these sites.

Because I don't actually care about pornography, if it magically disappeared I wouldn't really care, it's all the other "not suitable for kids" content I care about that will get caught up in these laws. I don't want to give gross concern troll political groups moralizing about their precious hypothetical children the legal tools to ban what they don't like.

selcuka · 7 months ago
> Unfortunately, guaranteeing anonymous internet porno is a terrible political beachhead to motivate "voters" to do anything.

Reworded press release: "We protect children from being forced to upload their photos (on their IDs) to adult web sites"

backscratches · 7 months ago
Because there are so many explicit Bible verses[1], require ID verification to read scripture (online at least) and get the religious on your side!

[1] For example Ezekiel 23:20

notepad0x90 · 7 months ago
Even if this was a good idea, ID verification technology should not be outsourced to private parties. This is a service governments themselves must provide. I shouldn't need to upload an ID because the government already has it!

If they simply wanted age verification, the dumb and lazy way is to SSO through a government managed portal with OAUTH2 and you only share your age with the third party. You do a one time account setup (you already have to do this in the US for many government services at the federal level) with age verification, that's your gov portal login. This means the government will know which naughty sites you visit of course, but like I said, it is the lazy approach, and if you think about it, if they respect the laws then a law can be passed to prevent them from storing or using that association, if they didn't, they could still sniff your traffic and wiretap you.

A slightly smarter approach would be to directly auth against a government portal and be given a 24h expiring code for age verification, and the government will publish an updated list of codes to trusted businesses. Those codes could be leaked, but making it a felony should deter most cases, because who wants to go to prison to let some kids watch porn?

Smarter people than me can come up with a smarter solution, that is really my point. Involving third-parties and requiring you to upload documents is done either out of extreme incompetence or opportunistic malice by elected officials (bribery).

franga2000 · 7 months ago
Every possible solution is terrible, many people have thought about this and nobody has found one that isn't.

The "24 hour code" one you suggest is something the EU is prototyping. Since there's nothing stopping an adult from sharing their code with a minor, or even code-sharing (or selling) websites to pop up, they want it to be bound to a particular device. So what they've done is added integrity checks to the app, so you can only run it on a locked down phone.

Want to run GrapheneOS for privacy and security? Or use an unofficial ROM to get updates on a phone the manufacturer stopped supporting? Just want to uninstall the bloatware and spyware the manufacturer installs? Want to use Linux? Have an old computer without a TPM? All of that and more - congrats, no "adult content" for you.

And no, it's not "porn", it's "adult content", which is a much broader and blurrier category. Is discussion of sexual orientation or gender issues adult content? Sex education? Medical information about "private parts"? News articles mentioning scary things like rape?

This is bad technology and it should never be developed. Do Not Create The Torment Nexus.

kijin · 7 months ago
South Korea has implemented something similar, but through private corporations, not directly by the government.

When you sign up with a South Korean online service that might contain age-restricted content, you provide your name, date of birth, and phone number. The service operator uses a special telecom-provided API to have a 6-digit code sent to your phone. (The code is generated by the telecom, not the service operator.) When you enter the code, the telecom confirms the name and date of birth. No need for random online services to ask for government IDs, because they're allowed to pass the burden of proof to telecoms who have already verified it offline.

You could probably do something similar via banks, schools, the social security system, or any other regulated industry that has KYC rules.

zimpenfish · 7 months ago
> the dumb and lazy way is to SSO through a government managed portal with OAUTH2

The weird thing is that UKGOV already has this for the NHS - my GP's app uses access.login.nhs.uk to log me in. That could easily verify my age to another system.

(Admittedly it's not sufficient for the wider case because not everyone is registered on nhs.uk but it does show that UKGOV has the capability to do this.)

pogue · 7 months ago
Hey @nextdns team. I'm a long time customer of NextDNS. I've been using your service for a few years now, but it seems a large amount of your primarily offered services & blocklist offerings are SEVERELY out of date. I detailed that here on Reddit: https://www.reddit.com/r/nextdns/s/IX2mUogHPK

Your input on this thread would be greatly appreciated, as the community wants NextDNS to be the best service it can be.

I do appreciate the addition of the Age Verification Bypass, though. Many users on r/nextdns are trying to guess how it works. Proxying specific domain requests to show the user is from another country is our best guess. But I would still be very interested in the specifics.

Thanks.

huhkerrf · 7 months ago
I'm really surprised to see this pop up considering how the NextDNS team seems to have disappeared otherwise. Out of date offerings like you mentioned, coupled with 0 customer support when things break (and things break a lot). New features like this are fine only if the base service works. I can guess that this feature also is going to break soon, and I don't have high hopes for it getting fixed.

I moved over to ControlD about a year ago and I've been very happy. Nothing has broken, and they seem to be active about their service.

1dom · 7 months ago
Same here, I left NextDNS because I didn't trust it anymore. I started using it personally in homelab and just found it to be randomly a bit sluggish at times. Saw other similar reports. Tried to get support and failed. I saw it trying to sell itself as business capable DNS, and considered if it would fit in at work. Then I got an e-mail giving 7 days for me to disable and move all my logs out of the EU region. I was working at a large fintech firm at the time, and if a vendor had given us 1 week to rearchitect and figure out a new logging solution for DNS, we would have dropped them immediately due to the massive compliance issues they would have created.

The messaging around the change was very much "FYI we're deleting everything in 7 days in that region whether you're good or not, feel free to do what you want", e.g. creating problems with no interest in helping with solutions to those problems. This would all be fine for a free-tier service, but I was a paying customer. Even as a paying customer though, I paid virtually nothing.

Overall, NextDNS felt like it had the worst possible combination of startup, passion project and beer money project features: I paid for it for a couple of years and got fed up because the amount of talk about it gave the impression to me there was a fair and growing customer base but NextDNS were missing either the capability or focus to grow the service at the time. I'm conscious they'll be reading this - it was 2 years ago this happened, so maybe things have changed.

agos · 7 months ago
I went to see ControlD's website to see if it was any good but the chat thingy was trying to convince me by saying "protect your connection like the Coliseum protected Rome, try ControlD's free DNS", which I guess is a way of trying something funny since I'm connecting from Italy, but it does not inspire much confidence in their protection abilities
leokennis · 7 months ago
Same here...NextDNS randomly started intermittently breaking all connections to Apple (iCloud file sync, Apple Music etc.) and basically nothing was done about it.

Moved to AdGuard DNS, very happy with it. They have random sales throughout the year where you can buy a few years of discounted service in advance, so the cost is next to nothing...

deanc · 7 months ago
+1 to this. I used to use their Samsung blocklist to prevent their shitty ADs being injected into my (pretty-old) tv but it's not been working for at least a couple of years.

bunnyfoofoo · 7 months ago
Do not promote or use NextDNS, it's essentially abandoned. You will not get any support from the developer when something breaks, and it will break. I tried for a year to contact him before abandoning it. Just check the help forums.
topato · 7 months ago
Considering this is a post from NextDNS themselves, showing off a NEW and awesome feature.... It doesn't seem abandoned? You don't seem to have even looked at the description lol
bunnyfoofoo · 7 months ago
https://help.nextdns.io/search?v=p&q=refund

Congratulations to them, I suppose. They've temporarily returned after stealing money from me. Their service stopped working after renewing my annual subscription and when I went to try and find support, I got silence.

If you're one of the lucky few who's never had issues with NextDNS, I'm happy for you.

spiffotron · 7 months ago
I've used nextDNS for years but the past few weeks it's been breaking websites left, right and centre so I gave up on it entirely. Everything feels much snappier since I dropped them for a different option too
pogue · 7 months ago
You definitely want to be following yokoffing's NextDNS Configuration Guide [1] to set it up. You basically only want to be using one of the Hagezi blocklists [2] and possibly a few other options based on your preferences.

I have it running on every device in my household and it works absolutely fine. I keep it on Hagezi Pro++, and that requires me to go through and whitelist some sites I use. That can be annoying, so in that case Hagezi Light or Normal should work just fine to block ads/trackers and not break things you have to go in and manually fix.

OTOH, Control D offers free DNS [3] that includes using the Hagezi blocklists and other lists, but it's just a set and forget type setup as you can't look at log files to see if it's blocking stuff you don't want or anything like that. Scroll down to "3rd Party Filters" to see their offerings.

[1] https://github.com/yokoffing/NextDNS-Config

[2] https://github.com/hagezi/dns-blocklists

[3] https://controld.com/free-dns

nipperkinfeet · 7 months ago
It would appear that you are not familiar with its proper use. You can identify which rule is causing the issue by reviewing the log, and then add it to your allowlist.
esperent · 7 months ago
What different options are there that provide anything like the same features and control?
weird-eye-issue · 7 months ago
Just email billing@nextdns.io
bunnyfoofoo · 7 months ago
They do not respond, to any email address. Tried multiple times, over months. Just check the forums. I provided a link in my other reply.
perihelions · 7 months ago
As a remark, not a criticism, such a deliberate promotion is probably illegal in the UK market,

> "But Ofcom says platforms required to introduce "highly effective" methods to check user age must not host, share or permit content that encourages use of VPNs to get around age checks. The government has also told the BBC it would be illegal for platforms to do so."

https://www.bbc.com/news/articles/cn72ydj70g5o

MistahKoala · 7 months ago
NextDNS isn't a content platform required to have age checks, so no, that prohibition doesn't apply here and promoting the bypass feature isn't 'probably illegal'.
aydyn · 7 months ago
"Illegal" is only what the government will go after you for, and I very much doubt ofcom will see it your way.
riedel · 7 months ago
But HN might be Ofcom's next target now I guess, given all the comments and posts on circumvention...
graemep · 7 months ago
That only applies to those platforms that are required to do "highly effective age checks".

i.e. the top category of "harmful" site cannot point people to VPNs as a way to avoid age verification. Everyone else can tell people about VPNs as a way to avoid age verification. The media have been doing so for a start.

petcat · 7 months ago
> must not host, share or permit content that encourages use of VPNs to get around age checks. The government has also told the BBC it would be illegal for platforms to do so

Holy. Crap. I knew the UK was going off the deep end with these laws, but this actually looks like China-level government reach.

Ms-J · 7 months ago
Ignore the government crying. It is irrelevant when we spread the tech to get around their useless spying laws.
pas · 7 months ago
next step is to try to make VPNs illegal (or require age verification for them, of course)
walterbell · 7 months ago
Can VPN/DNS providers independently market their services, if content providers cannot advertise VPN providers?
perihelions · 7 months ago
> "content that encourages use of VPNs to get around age checks"

I think "...to get around age checks" is controlling. It isn't illegal to promote VPNs in that country; it's illegal to promote their usefulness in circumventing other laws.

buyucu · 7 months ago
For people who don't live in the UK, why should they care about UK law?
ac29 · 7 months ago
NextDNS is a company not a person. They have infrastructure in the UK and presumably have UK customers, so they should care about UK law.
calgoo · 7 months ago
Because the tech that is being implemented for the UK will now be available for any other country on request. It's one thing to try to force the companies to implement the solutions, it's another to get your country added to the config of said implementation.
jansper39 · 7 months ago
Because it's becoming the standard everywhere.
rendaw · 7 months ago
"Under no circumstances should you use Mullvad VPN (https://mullvad.net/en), available for 5Eur/mo - also payable in Bitcoin, to avoid our age verification checks!"

syntaxing · 7 months ago
Easily one of the best $20 I spend a year. Makes iOS so much more usable and I really love supporting the vision of the developers from NextDNS
ethagnawl · 7 months ago
Same here. I'd previously been using a Pi-Hole and Next is just so much simpler -- especially on the go.
drcongo · 7 months ago
Same. I absolutely love NextDNS.
brees504 · 7 months ago
Yep it's my top IT recommendation to everyone I know
skybrian · 7 months ago
Glancing at the front page, it looks like this product also has enforced SafeSearch and restricted mode to protect children, so... seems fine? They're doing the same thing themselves, and it's probably better since it's a local solution.

If you're running a product like this, it should be officially allowed to bypass age verification.

wizzwizz4 · 7 months ago
Arguably, the UK's Online Safety Act already allows these products to bypass age verification: see s. 12(6) (https://www.legislation.gov.uk/ukpga/2023/50/section/12/6):

> the age verification or age estimation must be of such a kind, and used in such a way, that it is highly effective at correctly determining whether or not a particular user is a child

Unfortunately, it's hard to tell what this passage means, and I suspect it doesn't apply here. (But does that mean there's no law covering age-verification bypassing services? That seems like an unlikely oversight, and the Online Safety Act's badly-drafted enough that I'm not comfortable making a broad assertion here.) Hopefully case law sorts this out a little.

import · 7 months ago
Are you guys still active? I don’t remember how many of my questions went unanswered in the help forums, later switched to self hosted adguard.
karel-3d · 7 months ago
How can this work? What is "DNS tricks"? DNS is just telling you where the site is?

edit: ah it spoofs the EDNS subnet for the DNS request, so it gives you server "intended" for a different location. You will get slower connection but if it's poorly implemented and they have geofencing just on that layer, it will not do the age verification stuff.

It's interesting that it works, but... the website can still tell your IP through TCP handshake... it might fool some sites that have geofencing on DNS level.
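
What the EDNS Client Subnet option mentioned in the comment above carries on the wire, as an added example that is not part of the thread or of NextDNS's code: a parser for the option (RFC 7871) inside an OPT record's RDATA, plus the comparison a site operator can make against the address seen on the TCP connection. The function names and the sample bytes are constructed for illustration.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)
FAMILIES = {1: (4, ipaddress.IPv4Network), 2: (16, ipaddress.IPv6Network)}


def parse_ecs(opt_rdata: bytes):
    """Walk the options in an OPT record's RDATA; return the ECS network or None."""
    pos = 0
    while pos + 4 <= len(opt_rdata):
        code, length = struct.unpack_from("!HH", opt_rdata, pos)
        body = opt_rdata[pos + 4 : pos + 4 + length]
        pos += 4 + length
        if code != ECS_OPTION_CODE:
            continue  # some other EDNS option, e.g. a cookie
        if len(body) != length or length < 4:
            raise ValueError("truncated ECS option")
        family, source_len, _scope_len = struct.unpack_from("!HBB", body)
        if family not in FAMILIES:
            raise ValueError("unknown address family")
        full_len, network_cls = FAMILIES[family]
        addr = body[4:]
        # Only the bytes needed to cover source_len bits are sent on the wire.
        if source_len > full_len * 8 or len(addr) != (source_len + 7) // 8:
            raise ValueError("address length does not match prefix length")
        padded = addr + bytes(full_len - len(addr))
        return network_cls((padded, source_len), strict=False)
    return None


def peer_matches_ecs(ecs_net, tcp_peer: str) -> bool:
    """True when the address seen on the TCP connection lies in the ECS subnet."""
    peer = ipaddress.ip_address(tcp_peer)
    return peer.version == ecs_net.version and peer in ecs_net


# Constructed sample: an 8-byte cookie option followed by ECS for 198.51.100.0/24.
SAMPLE_RDATA = (
    struct.pack("!HH", 10, 8) + bytes(8)
    + struct.pack("!HHHBB", ECS_OPTION_CODE, 7, 1, 24, 0) + bytes([198, 51, 100])
)
SAMPLE_TCP_PEER = "203.0.113.7"  # constructed: address the web server sees

if __name__ == "__main__":
    net = parse_ecs(SAMPLE_RDATA)
    print("subnet announced in DNS query:", net)
    print("TCP peer inside that subnet:", peer_matches_ecs(net, SAMPLE_TCP_PEER))
```

The subnet in the query is supplied by the resolver, so location-dependent policy belongs at the HTTP layer, keyed on the connection's source address.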

alphabetter · 7 months ago
Thanks for answering the one thing I wanted to know about this. It wasn't at all obvious to me how this might be possible using DNS only.

I guess it will work for some sites, but it would be interesting to know what fraction.