Hey @nextdns team. I'm a long time customer of NextDNS. I've been using your service for a few years now, but it seems a large amount of your primarily offered services & blocklist offerings are SEVERLY out of date. I detailed that here on Reddit:
https://www.reddit.com/r/nextdns/s/IX2mUogHPK
Your input on this thread would be greatly appreciated, as the community wants NextDNS to be the best service it can be.
I do appreciate the addition of the Age Verification Bypass, though. Many users on r/nextdns are trying to guess how it works. Proxing specific domain requests to show the user is from another country is our best guess. But I would still be very interested in the specifics.
Thanks.
huhkerrf 2 hours ago [-]
I'm really surprised to see this pop up considering how the NextDNS team seems to have disappeared otherwise. Out of date offerings like you mentioned, coupled with 0 customer support when things break (and things break a lot). New features like this are fine only if the base service works. I can guess that this feature also is going to break soon, and I don't have high hopes for it getting fixed.
I moved over to ControlD about a year ago and I've been very happy. Nothing has broken, and they seem to be active about their service.
agos 1 hours ago [-]
I went to see ControlD's website to see if it was any good but the chat thingy was trying to convince me by saying "protect your connection like the Coliseum protected Rome, try ControlD's free DNS", which I guess is a way of trying something funny since I'm connecting from Italy, but it does not inspire much confidence in their protection abilities
leokennis 1 hours ago [-]
Same here...NextDNS randomly started intermittently breaking all connections to Apple (iCloud file sync, Apple Music etc.) and basically nothing was done about it.
Moved to AdGuard DNS, very happy with it. They have random sales throughout the year where you can buy a few years of discounted service in advance, so the cost is next to nothing...
deanc 2 hours ago [-]
+1 to this. I used to use their Samsung blocklist to prevent their shitty ADs being injected into my (pretty-old) tv but it's not been working for at least a couple of years.
freedomben 13 hours ago [-]
It may not be effective in the long term, but I think it's very much worth doing. The privacy nightmare of uploading government docs is appalling and should be resisted by all who can, so I think you're doing great work. If it provokes regulators to push harder, they might just get enough attention from voters to motivate a change. That would be my hope anyway
Alive-in-2025 13 hours ago [-]
It's a great idea to get rid of, I'm shocked a company is this brave to do this. It's not in the interest of any adult to upload their ID so the government can track their web browsing. I didn't want to expose my kid to porn when they were 5, somehow it wasn't a problem because the avg browser use was guided by me, but also the browser blocked porn. When they were a bit older, a teenager, I also lightly guided their computer use.
petcat 10 hours ago [-]
> More and more sites (especially adult ones) are now forcing users to upload IDs or selfies to continue.
> they might just get enough attention from voters to motivate a change
Unfortunately, guaranteeing anonymous internet porno is a terrible political beachhead to motivate "voters" to do anything.
selcuka 5 hours ago [-]
> Unfortunately, guaranteeing anonymous internet porno is a terrible political beachhead to motivate "voters" to do anything.
Reworded press release: "We protect children from being forced to upload their photos (on their IDs) to adult web sites"
SunlitCat 5 hours ago [-]
Another rewording:
"...to upload your photos (on your IDs)..." :D
topato 3 hours ago [-]
Oh yeah, that IS a good point, this verification technique is even stupider than CC number validation in the late 90s!
Then again, these laws aren't about censoring children's access, they're about censoring EVERYONE'S access (and it blows my mind that conservative leaders will come right out and say it, but the average layperson doesn't seem to care or comprehend what a massive slippery slope censorship is -- porn is just the start)
Spivak 9 hours ago [-]
You don't have to sell it like that. The bill that needs to be passed is default presumption that all websites on the internet not explicitly marked as such and who voluntarily accept a higher legal burden and standard of moderation may contain content not suitable for children. And that is up to parents to control their child's internet access to limit their usage to only these sites.
Because I don't actually care about pornography, if it magically disappeared I wouldn't really care, it's all the other "not suitable for kids" content I care about that will get caught up in these laws. I don't want to give gross concern troll political groups moralizing about their precious hypothetical children the legal tools to ban what they don't like.
topato 3 hours ago [-]
Ive had massive amounts of trouble convincing people that pornography is just the tip of the iceberg. That's why it's such an effective tool for broaching massive-scale surveillance: the architects of these laws have said that they want to be able to police all content with these laws, and anyone who tries to speak out against them can be painted as a pervert who hates the safety of kids.
tomrod 4 hours ago [-]
It's not about porn. It's about setting a legal beachead to force websites to deanonymize users.
5 hours ago [-]
notepad0x90 8 hours ago [-]
Even if this was a good idea, ID verification technology should not be outsourced to private parties. This is a service governments themselves must provide. I shouldn't need to upload an ID because the government already has it!
If they simply wanted age verification, the dumb and lazy way is to SSO through a government managed portal with OAUTH2 and you only share your age with the third party. You do a one time account setup (you already have to do this in the US for many government services at the federal level) with age verification, that's your gov portal login. This means the government will now which naughty sites you visit of course, but like I said, it is the lazy approach, and if you think about it, if they respect the laws then a law can be passed to prevent them from storing or using that association, if they didn't, they could still sniff your traffic and wiretap you.
A slightly smarter approach would be to directly auth against a government portal and be given a 24h expiring code for age verification, and the government will publish an updated list of codes to trusted businesses. Those codes could be leaked, but making it a felony should deter most cases, because who wants to go to prison to let some kids watch porn?
Smarter people than me can come up with smarter solution, that is really my point. Involving third-parties and requiring you to upload documents is done either out of extreme incompetence or opportunistic malice by elected officials (bribery).
franga2000 2 hours ago [-]
Every possible solution is terrible, many people have thought about this and nobody has found one that isn't.
The "24 hour code" one you suggest is something the EU is prototyping. Since there's nothing stopping an adult from sharing their code with a minor, or even code-sharing (or selling) websites to pop up, they want it to be bound to a particular device. So what they've done is added integrity checks to the app, so you can only run it on a locked down phone.
Want to run GrapheneOS for privacy and security? Or use an unofficial ROM to get updates on a phone the manufacturer stopped supporting? Just want to uninstall the bloatware and spyware the manufacturer installs? Want to use Linux? Have an old computer without a TPM? All of that and more - congrats, no "adult content" for you.
And no, it's not "porn", it's "adult content", which is a much broader and blurrier category. Is discussion of sexual orientation or gender issues adult content? Sex education? Medical information about "private parts"? News articles mentioning scary things like rape?
This is bad technology and it should never be developed. Do Not Create The Torment Nexus.
zimpenfish 50 minutes ago [-]
> the dumb and lazy way is to SSO through a government managed portal with OAUTH2
The weird thing is that UKGOV already has this for the NHS - my GP's app uses access.login.nhs.uk to log me in. That could easily verify my age to another system.
(Admittedly it's not sufficient for the wider case because not everyone is registered on nhs.uk but it does show that UKGOV has the capability to do this.)
kijin 7 hours ago [-]
South Korea has implemented something similar, but through private corporations, not directly by the government.
When you sign up with a South Korean online service that might contain age-restricted content, you provide your name, date of birth, and phone number. The service operator uses a special telecom-provided API to have a 6-digit code sent to your phone. (The code is generated by the telecom, not the service operator.) When you enter the code, the telecom confirms the name and date of birth. No need for random online services to ask for government IDs, because they're allowed to pass the burden of proof to telecoms who have already verified it offline.
You could probably do something similar via banks, schools, the social security system, or any other regulated industry that has KYC rules.
phatfish 48 minutes ago [-]
Another childless internet warrior. Become an adult and raise a child. Then you will understand unlimited adult material available to minors is a bigger threat that some third party knowing you jerk off.
pjc50 27 minutes ago [-]
Imposing a policy on the whole internet in order to make it safer for children is like imposing a national 4mph speed limit on cars in order to make it safe for children to walk to school.
(personally I think there's a lot of non-sexual material which is bad for children but not covered by age verification, like Andrew Tate, but that's impossible to define or enforce)
v3xro 25 minutes ago [-]
Oh no, maybe I should just be uhhh a responsible parent and not give my kids unlimited access to a browser instead of imposing a privacy nightmare on everyone else :)
sksrbWgbfK 40 minutes ago [-]
Absence of parenting is a bigger threat than privacy. I accidentally agree with you, even if you're wrong.
phatfish 27 minutes ago [-]
Parents don't follow their child 24/7. Society has a responsibility too. There is also the possibility of minors not knowing what they are clicking or kids with shitty parents destroying your hard work.
Another non-parent with an irrelevant opinion.
easymodex 2 minutes ago [-]
Well I'm a parent and I disagree with you and agree with the other comments, what now?
carlhjerpe 12 minutes ago [-]
Sounds like offloading bad parenting onto others, you're supposed to communicate with your kids about safety, there are solutions to restrict their devices to make the impulse control barrier higher.
If your kid goes out of their way to use a third party device without age restriction you can't stop them if they're determined either way, and no matter how right you think you are it still doesn't warrant destroying privacy for EVERYONE.
bunnyfoofoo 4 hours ago [-]
Do not promote or use NextDNS, it's essentially abandoned. You will not get any support from the developer when something breaks, and it will break. I tried for a year to contact him before abandoning it. Just check the help forums.
topato 3 hours ago [-]
Considering this is a post from NextDNS themselves, showing off a NEW and awesome feature.... It doesn't seem abandoned? You don't seem to have even looked at the description lol
Congratulations to them, I suppose. They've temporarily returned after stealing money from me. Their service stopped working after renewing my annual subscription and when I went to try and find support, I got silence.
If you're one of the lucky few who's never had issues with NextDNS, I'm happy for you.
weird-eye-issue 2 hours ago [-]
Just email billing@nextdns.io
bunnyfoofoo 2 hours ago [-]
They do not respond, to any email address. Tried multiple times, over months. Just check the forums. I provided a link in my other reply.
import 3 hours ago [-]
Are you guys still active? I don’t remember how many of my questions went unanswered in the help forums, later switched to self hosted adguard.
skyzouwdev 10 hours ago [-]
That’s a bold move. Handing over IDs to random sites is definitely a privacy nightmare, so I get why you built this. The real question is whether it buys time for users or just accelerates the push for stricter regulation. Either way, it sparks an important conversation
dlcarrier 9 hours ago [-]
At least outside of countries that already limit their citizens access to the internet, censorship regulations tend to apply only to providers, not end users, so it would be extremely difficult to go after an extraterritorial VPN provider. In the US, extraterritorial jurisdiction includes not just providers outside of the country, but providers outside of the state. For example, see: https://en.wikipedia.org/wiki/Marquette_National_Bank_of_Min....
echelon 10 hours ago [-]
> Handing over IDs to random sites is definitely a privacy nightmare
They just need to leak all of the elected official internet usage. You'll see this rolled back faster than it was implemented.
I really can't wait for the video titles of the porn our government officials watch to be read out loud by newscasters. That's going to be such sweet karma.
As a remark, not a criticism, such a deliberate promotion is probably illegal in the UK market,
> "But Ofcom says platforms required to introduce "highly effective" methods to check user age must not host, share or permit content that encourages use of VPNs to get around age checks. The government has also told the BBC it would be illegal for platforms to do so."
NextDNS isn't a content platform required to have age checks, so no, that prohibition doesn't apply here and promoting the bypass feature isn't 'probably illegal'.
aydyn 2 hours ago [-]
"Illegal" is only what the government will go after you for, and I very much doubt ofcom will see it your way.
graemep 6 hours ago [-]
That only applies to those platforms that are required to do "highly effective age checks".
i.e. the top category of "harmful" site cannot point people to VPNs as a way to avoid age verification. Everyone else can tell people about VPNs as a way to avoid age verification. The media have been doing so for a start.
petcat 10 hours ago [-]
> must not host, share or permit content that encourages use of VPNs to get around age checks. The government has also told the BBC it would be illegal for platforms to do so
Holy. Crap. I knew the UK was going off the deep end with these laws, but this actually looks like China-level government reach.
Ms-J 9 hours ago [-]
Ignore the government crying. It is irrelevant when we spread the tech to get around their useless spying laws.
pas 10 hours ago [-]
next step is to try to make VPNs illegal (or require age verification for them, of course)
zarzavat 4 hours ago [-]
You need to introduce an invasive great firewall before you can effectively ban VPNs, since there's so many different ways to hide traffic.
Unlike banning porn, banning VPNs has no political value because the technically inept voters who support these age verification policies don't know what a VPN is.
miki123211 2 hours ago [-]
> You need to introduce an invasive great firewall before you can effectively ban VPNs
If you're China, yes. If you're a large and powerful western country, not so much.
The way to do it would be through the concept of "data laundering." Just like the US does with money laundering, the government would publish a list of all organizations and individuals engaged in the practice. All companies operating in that country would need to (globally) sever all ties with everybody who is on the list. Everybody else could choose between doing the same or ending up on the list themselves.
Only powerful countries could do this effectively, less powerful ones would just isolate themselves, just like China did. The US could definitely do it. The EU, UK, Japan and maybe India probably could, but it would be dicy. Everybody else would fail spectacularly.
zarzavat 28 minutes ago [-]
UK prisons are almost full. The last thing the government needs is to jail every 14 year old who sets up wireguard for his friends.
RiverCrochet 9 hours ago [-]
Age verification for VPNs would be awesome. I would rather hand ID over to a VPN provider than individual sites I visit.
tacticus 8 hours ago [-]
This would ensure you couldn't tie an Identity to an activity\user on a service which is of course why it's not where they're going
lttlrck 8 hours ago [-]
The VPN provider should hook into the existing government identify service.
walterbell 13 hours ago [-]
Can VPN/DNS providers independently market their services, if content providers cannot advertise VPN providers?
perihelions 13 hours ago [-]
> "content that encourages use of VPNs to get around age checks"
I think "...to get around age checks" is controlling. It isn't illegal to promote VPN's in that country; it's illegal to promote their usefulness in circumventing other laws.
neilcj 12 hours ago [-]
The law reads like it applies to platforms required to do the checks rather than third party service providers.
For people who don't live in the UK, why should they care about UK law?
ac29 11 hours ago [-]
NextDNS is a company not a person. The have infrastructure in the UK and presumably have UK customers, so they should care about UK law.
retype 10 hours ago [-]
The US also has multiple states that have enacted similar laws.
rendaw 6 hours ago [-]
"Under no circumstances should you use Mullvad VPN (https://mullvad.net/en), available for 5Eur/mo - also payable in Bitcoin, to avoid our age verification checks!"
karel-3d 2 hours ago [-]
How can this work? What is "DNS tricks"? DNS is just telling you where the site is?
edit: ah it spoofs the EDNS subnet for the DNS request, so it gives you server "intended" for a different location. You will get slower connection but if it's poorly implemented and they have geofencing just on that layer, it will not do the age verification stuff.
It's interesting that it works, but... the website can still tell your IP through TCP handshake... it might fool some sites that have geofencing on DNS level.
AnonC 3 hours ago [-]
Sorry to get on to a related topic, since the NextDNS team may be looking at these comments. Is there any plan at all to revive the iOS app (last updated in 2020) so that the toggle in the app actually works? I don’t like installing a NextDNS profile because it doesn’t offer the flexibility to turn it off or on as needed. The app used to work pre-2020, but doesn’t now.
On my iPhone, at any given date and time, it’s just a random occurrence of whether NextDNS (with the app) works or not. Visiting test.nextdns.io may show “unconfigured” or a NextDNS endpoint.
Various posts on the forums by several people over the years have not been responded to.
I’d like to know if the team is ever going to work on this. If not, just remove the app from the App Store so that people don’t assume that it works when it doesn’t.
syntaxing 13 hours ago [-]
Easily one of the best $20 I spend a year. Makes iOS so much more usable and I really love supporting the vision of the developers from NextDNS
ethagnawl 3 hours ago [-]
Same here. I'd previously been using a Pi-Hole and Next is just so much simpler -- especially on the go.
drcongo 11 hours ago [-]
Same. I absolutely love NextDNS.
skybrian 14 hours ago [-]
Glancing at the front page, it looks like this product also has enforced SafeSearch and restricted mode to protect children, so... seems fine? They're doing the same thing themselves, and it's probably better since it's a local solution.
If you're running a product like this, it should be officially allowed to bypass age verification.
> the age verification or age estimation must be of such a kind, and used in such a way, that it is highly effective at correctly determining whether or not a particular user is a child
Unfortunately, it's hard to tell what this passage means, and I suspect it doesn't apply here. (But does that mean there's no law covering age-verification bypassing services? That seems like an unlikely oversight, and the Online Safety Act's badly-drafted enough that I'm not comfortable making a broad assertion here.) Hopefully case law sorts this out a little.
1vuio0pswjnm7 5 hours ago [-]
This sounds like a company using DNS to direct _other_ peoples' web traffic through _their_ proxies. Cloudflare started this way. That's why signing up for Cloudlfare requires using _Cloudflare's_ DNS servers
The so-called "DNS trick", which is defintely not a trick, is to redirect traffic though a proxy server. Whoever operates the proxy, e.g. Cloudflare, NextDNS, etc., has control over the HTTPS traffic and _could_ have access to the contents
HN commenters and other online commenters have criticised Cloudlfare in the past because it decrypts ("terminates") TLS connections and _could_ thereby have access to the contents of customers' traffic
For any doubters, this access was confimed some years ago when a coding mistake by someone at CF in a scanner generated with ragel caused customers'_decrypted_ web traffic contained in memory on Cloudflare's proxies to spill out all over the web. Leaked data became publicly available and remained discoverable via web search for a while; the data had to be scrubbed from search engines and web archives which took several days at least
NextDNS purports to be a "DNS service" but proxying HTTPS opens a new can of worms
NB. This comment is not claiming that NextDNS or anyone else does or does not do anything, nor that anyone will or won't do anything. This comment is about _what becomes possible through control over DNS_. The possibilities it allows for control are why I do not use third party DNS service and prefer to control own DNS; having control can be very useful
buttocks 7 hours ago [-]
As a subscriber of NextDNS I say, first, this is cool, but second, don’t do it. I don’t want NextDNS to face some sort of judgment that will get it shut down. Just publish the “DNS tricks” so that people can DIY but don’t make it part of your service.
blissofbeing 1 hours ago [-]
If you are already building a proxy network to handle this can you please implement redirects? I would love to redirect x.com to xcancel.com by just setting my DNS. I would pay more for this feature.
pyuser583 12 hours ago [-]
I'm a parent, and I try to keep my kids from the Internet in general, but adult parts in particular.
VPN's are great for this. Just install the VPN, have it block access to adult sites, and have it alert me of any suspicious attempts.
It's bewildering how VPN companies have branded their technology as "anti-censorship" and "privacy-focused." VPN's are a censor's best friend.
DNS services are taking the opposite approach: they start by having a censorship feature (blocking malware, adult ads, etc), and now are adding anti-censorship options.
There's nothing about connecting to a different network, or using a different DNS provider, that is anti-censorship.
ronsor 12 hours ago [-]
> There's nothing about connecting to a different network, or using a different DNS provider, that is anti-censorship.
In a sense, it allows you to pick your censors, or no censors. "Anti-censorship" doesn't necessarily mean that nothing is blocked; it means you get to control what's blocked for yourself.
pjc50 7 hours ago [-]
Making your own filter choices should not be referred to as "censorship". Censorship is when the choice is taken away.
pyuser583 3 hours ago [-]
I'm taking the choice away from my kids.
thaumasiotes 9 hours ago [-]
> VPN's are great for this. Just install the VPN, have it block access to adult sites, and have it alert me of any suspicious attempts.
> It's bewildering how VPN companies have branded their technology as "anti-censorship" and "privacy-focused." VPN's are a censor's best friend.
You're already using a router. That's where you would normally implement blocks.
A VPN necessarily does the same thing, and so you can implement routing blocks there too. But this is like saying that a virtual machine is a great technology to run software. OK. Why do you want a virtual one?
bongodongobob 12 hours ago [-]
VPNs have nothing to do with it. I guess yours has some kind of filtering service, but that's not at all related to a VPN. It's like buying a V8 engine because you wanted a turbo. V8's can have turbos, but it has nothing to do with being a V8.
rany_ 9 hours ago [-]
How does this "DNS trick" work? That to me is a much more interesting detail.
shitloadofbooks 8 hours ago [-]
It likely overrides DNS resolution to CDN/POPs in countries which don't require age checking, or routes the traffic through TCP proxies so your traffic appears to come from a different country without these laws.
This will increase the latency of all traffic to that site though.
lelanthran 3 hours ago [-]
> It likely overrides DNS resolution to CDN/POPs in countries which don't require age checking,
I don't understand what this means:
1. It resolves DNS requests - got it.
2. The resolution sends back an address to a CDN - okay, not sure that I got it
3. The resolved address is in a country which doesn't require age checking - Totally don't get it: how will this help?
selcuka 5 hours ago [-]
A DNS provider can not route your traffic through TCP proxies, so it must be the former.
cluckindan 3 hours ago [-]
Sure they can. When your browser resolves a host, they replace the actual IP with the IP of a proxy that is configured to forward traffic according to the Host HTTP header.
okasaki 39 minutes ago [-]
You would have to install a certificate for that to work.
aaronmdjones 22 minutes ago [-]
No you wouldn't.
The current situation:
- You ask Foo DNS Provider for the IP address of pornhub.com
- Foo DNS Provider responds with the real IP address
- You connect to that address, send a TLS ClientHello containing a Server Name Indication extension of "pornhub.com"
What could happen:
- You ask Foo DNS Provider for the IP address of pornhub.com
- Foo DNS Provider responds with one of their own IP addresses
- You connect to that address, send a TLS ClientHello containing a Server Name Indication extension of "pornhub.com"
- Foo DNS Provider now knows that you intend to connect there, so it connects there for you and relays your ClientHello to it
- Foo DNS Provider then just acts as a dumb relay, passing everything back and forth with no modifications
- The certificate verifies fine because the traffic was not modified and it was presented by the party who controls the corresponding private key
- The website thinks you are connecting from Foo DNS Provider, not your real address
The only thing that would break this is ECH (Encrypted ClientHello), currently supported only by CloudFlare and Google Chrome (and its derivatives) as far as I know. This security feature is provisioned with ... DNS records! So Foo DNS Provider can simply indicate that the records required for ECH do not exist, and your web browser wouldn't encrypt the ClientHello. It's already tampering with the responses to address lookups anyway, so DNSSEC wouldn't be an issue -- you simply would not expect to be able to validate anything.
pkulak 10 hours ago [-]
That’s really cool. I thought you guys had stopped development altogether.
tky 9 hours ago [-]
Same; I switched to ControlD when it appeared NextDNS was on autopilot without support or fixes.
cedws 6 hours ago [-]
I love NextDNS. Can you explain what exactly the DNS tricks are and where they do/don’t work?
FiReaNG3L 12 hours ago [-]
Better than that at least in the UK, they are not handing the data to the government, but to unregulated, diverse third parties - what could go wrong.
cedws 6 hours ago [-]
Free VPNs are also at the top of the UK App Store. All of them look extremely dodgy, probably ran by foreign adversaries seizing the opportunity to slurp data.
OldfieldFund 8 hours ago [-]
it's all gonna get leaked every quarter
qwertox 4 hours ago [-]
I wish they would add a dropdown box where I can select English as the main language.
If they pretend they're a product targeted at anyone in the DACH region by offering the pages only in German, then they also must add an imprint: who they are, who is responsible, where they are, how I can contact them via email and phone.
baby_souffle 12 hours ago [-]
> We’re curious how the HN community feels about this. Is it the right way to protect privacy online, or will it just provoke regulators to push harder?
Both. May the mouse forever elude the cat in this game!
If you’re proxying all traffic, that’s going to get expensive and - in theory - makes you as easy to block as VPN providers. I wish you the best of luck!
10 hours ago [-]
luxurytent 9 hours ago [-]
I don't have a strong opinion here, but I did want to say thank you for your service! I was previously running a pi-hole but switched my family and my household to NextDNS. Great $20/home spent
atonse 7 hours ago [-]
I use NextDNS to BLOCK porn sites, etc from my kids’ devices. I hope you aren’t changing your ethos as a company, although I don’t know, maybe your customers are changing and causing you to pivot.
Because I don’t want any chance of this stuff affecting the blocks we use for minors, etc.
6 hours ago [-]
Ms-J 9 hours ago [-]
Thank you for doing this! You are helping spread freedom. If everyone were to create more tools like this, it would shape the future to our liking.
tester89 11 hours ago [-]
At least for my discord, I still can't access channels marked NSFW, instead of showing me the verification screen it just says "failed to load messages".
wolfy1993 11 hours ago [-]
Likewise, unable to get it working myself (tested with reddit and bluesky - both ask for verification still).
Will be keeping an eye on this though, hopefully this can be an alternative to my Irish VPN in the future.
paradox460 14 hours ago [-]
Where is the setting configured? I just looked through my admin page and didn't see any switch for it
thewisenerd 14 hours ago [-]
i can see this in the settings page for a profile under the section "Bypass Age Verification"
Does this create any new liability for the sites that are legally required to check ID?
puppycodes 13 hours ago [-]
amazing... we need more of this on the dns level
HocusLocus 9 hours ago [-]
Seeking DNS with 'furry exemption' for fully clothed furries.
j45 5 hours ago [-]
Handing over Government IDs to private websites and apps is a highly risky and attractive target for identity theft and fraud.
1a527dd5 13 hours ago [-]
I love you guys, even before this.
mytailorisrich 9 hours ago [-]
Features that are only aimed at breaking the law will tend to backfire...
Imustaskforhelp 14 hours ago [-]
I am a user of nextdns and okay, this is really neato team! I find this really interesting.
If I may ask, what are the dns tricks, is there a blog post about what you added, I am sooo curious about what sorcery is nextdns using.
Edit: I searched on ddg and there was a ghacks.net link and a alternativeto.net article and sadly ghacks was taking a long time to load and I just read the alternativeto.net article and it was kinda cool, let me paste it here
NextDNS has introduced a new DNS-level feature that allows users to bypass age verification checks commonly found on adult websites. This update enables users to avoid submitting personal documents, such as photos or government-issued IDs, to unfamiliar websites when accessing age-restricted content.
To enable the feature, users can activate it directly within the NextDNS settings. The technical approach is straightforward: the DNS resolver intercepts requests to target websites and routes traffic through proxy servers in countries where age verification is not required by law. This means that while users visit the same websites, the sites perceive the traffic as originating from a country without mandatory ID checks.
These changes are particularly relevant for individuals in the European Union and the United Kingdom, regions where certain governments have introduced strict ID requirements for accessing adult content websites. Looking at community reaction, user feedback on Reddit and social media has been largely positive since the announcement, with some users ironizing that “NextDNS developers know their clientele!”.
---
TLDR/my-thoughts: Nextdns can use something similar to vpn and I am wondering how much more efficient is this for this usecase compared to a vpn, like I am sure that vpns can be banned by a country, see china.
But nextdns.io is still available in china?, how would that work, and so can this feature be actually expanded to make it a general purpose vpn too if need be but honestly a lot of vpn use cases might be for bypassing verification itself, so basically the only few use cases I can think of vpn is to bypass censorship and maybe verification and also changing vpn for lets say watching content that's available in other country
Can nextdns add other features too, like imagine you can use nextdns with netflix and change it to anime mode and you can get netflix as in of japan, I don't have netflix but I am just giving an example because that's a lot of times what I hear from all those youtube vpn shills
Or can they provide some vpn service itself while at it, and since nextdns still uses dns and dns can operate over https. I imagine that it might be even harder to detect such vpn traffic because I know for sure that some vpn's can be tracked implementation wise (as in wireguard)[i can be wrong, i usually am] but I am pretty sure that https can't be tracked in the same manner, and we can use dns over https in nextdns using this feature..
Can you guys maybe comment on what you think about it? adding general purpose vpns / japan/country switching/enabling vpns itself though I guess it might make you a vpn app which can have its own logs/rules and regulations and I am currently fine/really happy with protonvpn which I also think can run on top of https with their proxy option atleast in browser and maybe even in their apps I am not sure.
cricketsandmops 13 hours ago [-]
I've been using Getflix for years to have my location spoofed to another country. It is a pay product though. I've used it on Amazon and mainly use it for BBC Iplayer. I couldnt ever get netflix to play nice using it or a vpn, so for it I just tunnel to my traffic to a residential address i have in mexico
cprecioso 12 hours ago [-]
IIRC there was this service called Tunlr which offered VPN-like location spoofing with similar DNS tricks.
ignoramous 11 hours ago [-]
> If I may ask, what are the dns tricks, is there a blog post about what you added, I am sooo curious about what sorcery is nextdns using.
The way this works is, for preset domains, you always answer with the IP of your SNI proxy, which then forwards the connection to the real IP based on the domain in TLS's SNI extension. This "trick" only works for TLS connections that send SNI in the clear, and will not work with QUIC (HTTP/3) or with TLS v1.3 with ECH (encrypted client hello). For non-TLS connections, like cleartext HTTP/2 or HTTP/1, the proxy would look at the Host header. Similar heuristics may exist for other popular cleartext protocols.
If you own enough public IPs (like a /64 IPv6 or a /22 IPv4), you can vend time-limited unique IP per domain per client IP and support all transport protocols (and not just TLS/HTTP).
combyn8tor 10 hours ago [-]
so does it work like this?:
- Client makes a DNS request to ageblockedsite.com using NextDNS server
- NextDNS server returns an IP to a proxy server they control
- Client connects to the site through the proxy server
dizhn 10 hours ago [-]
That's actually pretty neat. I thought they need software running on the client to do the proxying but this scheme doesn't need it.
throwpoaster 13 hours ago [-]
[flagged]
can16358p 13 hours ago [-]
Speak for yourself please.
No one can dictate who can watch something or not.
crooked-v 13 hours ago [-]
Porn is just the excuse used to put more systems of control and oppression in place, as can be seen by US and UK conservatives attempting to get the mere existence of trans and LGBT people classified as 'obscene' and thus any mentions of them banned under the same laws.
888632798 13 hours ago [-]
What would the regime do without people like you?
ltbarcly3 12 hours ago [-]
Presenting government ID to random entities is literally what government ID's exist for. Paranoia about this is silly.
Additionally, intentionally aiding someone (especially a minor) in circumventing the law is very likely to not be legal, especially when legality is largely determined by a jury, and especially^2 when the facts of the case against you are the most egregious that the government can find, especially^3 when you are profiting from it. It will be something like a 12yo using your service to access something absolutely shocking, and you or someone else will be forced to read a detailed text description of it in front of a jury. This doesn't even begin to address civil liability.
I'm not saying what you are doing is 'wrong', I'm saying you should talk to a lawyer who specializes in this sort of thing before you are forced to.
pas 10 hours ago [-]
showing a plastic card in a store to buy the yearly Cum Companion Calendar or whatever is one thing, because the clerk likely is not a savant with eidetic memory, whereas online there's this little thing happening called data processing which starts with the only thing we usually don't want with our ID. copying.
HappMacDonald 5 hours ago [-]
I wonder what the legality would be for the brick and mortar stores (especially the big chain ones) to just start asking customers for ID and then swiping them through scanners that can do all of the eidetic memory work for them?
sitkack 4 hours ago [-]
Kroger already does this, they will get sued for millions and millions of dollars when they have a data breach.
Squeeeez 11 hours ago [-]
> Paranoia about this is silly.
Having had to deal with some clients with slightly sensitive data, I wish. Photocopies and printed screenshots lying around in the open, CC data copy-pasted manually to other fields or to generic excel sheets because otherwise "it disappears and we can't book late fees" etc.
Not even only the "random third-party" companies vetted and specialised in ID verification, but then they get a new support contract down the road, and a fourth- or fifth-party agent who had the cheapest offer now has remote admin access to those desktops.
Probability is low, true. But all it takes is one compromised access.
We all choose our battles probably.
protocolture 10 hours ago [-]
>Presenting government ID to random entities is literally what government ID's exist for.
Wrong lmao. All forms of Government ID are PII and should be treated as sensitive.
>Nearly every app, social media platform or website asks you for at least some personally identifiable information. But this data can be stolen or misused. That’s why it’s important to keep it as private and secure as possible. If you have to share it, make sure it’s only used by trusted services with your knowledge and consent.
Wow thats great advice.
prism56 11 hours ago [-]
Is it though? Unfortunately this could have been implemented much better with a decentralised approach.
Its not the showing the ID its having it potentially tied to your accounts and usage. Having your ID tied to your selfie which could be leaked.
smallnix 11 hours ago [-]
Please post a link to a picture of your national ID. /s
ltbarcly3 9 hours ago [-]
I've had to upload my ID card to send money, open a bank account online, verify my identity for a dating app, book an international flight, and ironically to register for the app to have an electronic version of my id on my phone, and weirdly to pay a traffic ticket (why do they care who pays it?), get a discount on my Amazon Prime subscription, and finally to reset my password for my ID.me login for government websites. So all of those are 'fine' I guess, but god forbid you upload it to a third party verification service (the same one that was used for one or more of the above cases where I uploaded my id) to watch pornography, that's where we draw the line?
You are being absurd.
I don't agree with this requirement, but I'm also not so dishonest that I would pretend that it's a security issue.
HappMacDonald 4 hours ago [-]
So think through what you've just said.
If you were able to do all of those things to prove your identity using your ID.. then any identity thief with a copy of your ID could use it to impersonate you in every one of those venues.
That means that somebody else can send your money wherever they wish.. create bank accounts to perform nefarious deeds that tie back to you.. book flights, and subscribe to services on your dime or on a stolen credit card behind your name so that after the chargebacks all debt collection activity aims at you. And finally convince the government to send your tax refunds to them.
In light of this what is absurd about being parsimonious with who and how we share copies of our ID, and why should virtually every website online be deputized into keeping copies of them to provide dog standard content services that might not always be suitable for all audiences?
sitkack 4 hours ago [-]
Bro already has a disease, doesn't care if everyone else gets it too. What kind of argument is ... I already sent my ID all over the internet multiple times?
jofla_net 7 hours ago [-]
Its not the 'voluntary' services that may or may not want to see your ID, its the existence of any and all Mandatory legislation, which would be a nightmare.
This is a tech site so I imagine the average user has some deeper understanding than most(technically), but I guess imagination is off the table.
What this would do (requiring all sites) is basically be the end for any and all attempts against identity fraud protection. Indulge a bit of imagination for a moment. If EVERY site is now required to do some form of verification, than everyone's infrastructure now becomes prime targets for PII and troves of identity information, and wherein amazon, banks, and ID.me can be considered to be at or near the top (i'd hope) for keeping their machines tied down, the reality is that EVERYONE'S servers ARE NOT so will maintained.
They WILL be attacked, and shims inserted to steal such identity information, as people have ZERO idea, as they're being shunted around to all thees angel-invested ID startups, as to what is or isn't legit, during signup. Wholly, identical pages/domains, as are often seen to steal traditional PCI information, will now be repurposed to this. Its not that the reputable ones are likely to fall, its the small vendors who don't understand that once a customer is EXPECTED to fork over ID to sign up, any hiccup in the process will be unnoticed, and it'll be ripe for abuse if the server/service is ever compromised.
SoftTalker 6 hours ago [-]
It would be a great thing, because it would finally force us to have somthing better than "I can present a piece of plastic with my picture and some numbers on it" as proof of identity.
ltbarcly3 5 hours ago [-]
ID verification is done by 3rd parties. Nobody wants to hold a photo of your ID because it's a compliance nightmare. You aren't uploading your ID to some porn site, you are uploading it to some real-person verification company.
scarface_74 8 hours ago [-]
You don’t see the difference between it getting out some place I travelled to, opened a bank account to, etc than if I visit grandmamidgetporn.com?
ltbarcly3 5 hours ago [-]
Nobody uploads their ID to some porn site, they work with some reputable id verification company.
scarface_74 4 hours ago [-]
Out of curiosity, I wanted to see how the five most popular porn sites handled age verification since I live in Florida. One of the states that require it. I started here (safe for work - just list of the most popular websites overall - not porn sites)
Your input on this thread would be greatly appreciated, as the community wants NextDNS to be the best service it can be.
I do appreciate the addition of the Age Verification Bypass, though. Many users on r/nextdns are trying to guess how it works. Proxing specific domain requests to show the user is from another country is our best guess. But I would still be very interested in the specifics.
Thanks.
I moved over to ControlD about a year ago and I've been very happy. Nothing has broken, and they seem to be active about their service.
Moved to AdGuard DNS, very happy with it. They have random sales throughout the year where you can buy a few years of discounted service in advance, so the cost is next to nothing...
> they might just get enough attention from voters to motivate a change
Unfortunately, guaranteeing anonymous internet porno is a terrible political beachhead to motivate "voters" to do anything.
Reworded press release: "We protect children from being forced to upload their photos (on their IDs) to adult web sites"
"...to upload your photos (on your IDs)..." :D
Then again, these laws aren't about censoring children's access, they're about censoring EVERYONE'S access (and it blows my mind that conservative leaders will come right out and say it, but the average layperson doesn't seem to care or comprehend what a massive slippery slope censorship is -- porn is just the start)
Because I don't actually care about pornography, if it magically disappeared I wouldn't really care, it's all the other "not suitable for kids" content I care about that will get caught up in these laws. I don't want to give gross concern troll political groups moralizing about their precious hypothetical children the legal tools to ban what they don't like.
If they simply wanted age verification, the dumb and lazy way is to SSO through a government managed portal with OAUTH2 and you only share your age with the third party. You do a one time account setup (you already have to do this in the US for many government services at the federal level) with age verification, that's your gov portal login. This means the government will now which naughty sites you visit of course, but like I said, it is the lazy approach, and if you think about it, if they respect the laws then a law can be passed to prevent them from storing or using that association, if they didn't, they could still sniff your traffic and wiretap you.
A slightly smarter approach would be to directly auth against a government portal and be given a 24h expiring code for age verification, and the government will publish an updated list of codes to trusted businesses. Those codes could be leaked, but making it a felony should deter most cases, because who wants to go to prison to let some kids watch porn?
Smarter people than me can come up with smarter solution, that is really my point. Involving third-parties and requiring you to upload documents is done either out of extreme incompetence or opportunistic malice by elected officials (bribery).
The "24 hour code" one you suggest is something the EU is prototyping. Since there's nothing stopping an adult from sharing their code with a minor, or even code-sharing (or selling) websites to pop up, they want it to be bound to a particular device. So what they've done is added integrity checks to the app, so you can only run it on a locked down phone.
Want to run GrapheneOS for privacy and security? Or use an unofficial ROM to get updates on a phone the manufacturer stopped supporting? Just want to uninstall the bloatware and spyware the manufacturer installs? Want to use Linux? Have an old computer without a TPM? All of that and more - congrats, no "adult content" for you.
And no, it's not "porn", it's "adult content", which is a much broader and blurrier category. Is discussion of sexual orientation or gender issues adult content? Sex education? Medical information about "private parts"? News articles mentioning scary things like rape?
This is bad technology and it should never be developed. Do Not Create The Torment Nexus.
The weird thing is that UKGOV already has this for the NHS - my GP's app uses access.login.nhs.uk to log me in. That could easily verify my age to another system.
(Admittedly it's not sufficient for the wider case because not everyone is registered on nhs.uk but it does show that UKGOV has the capability to do this.)
When you sign up with a South Korean online service that might contain age-restricted content, you provide your name, date of birth, and phone number. The service operator uses a special telecom-provided API to have a 6-digit code sent to your phone. (The code is generated by the telecom, not the service operator.) When you enter the code, the telecom confirms the name and date of birth. No need for random online services to ask for government IDs, because they're allowed to pass the burden of proof to telecoms who have already verified it offline.
You could probably do something similar via banks, schools, the social security system, or any other regulated industry that has KYC rules.
https://en.wikipedia.org/wiki/Red_flag_traffic_laws
(personally I think there's a lot of non-sexual material which is bad for children but not covered by age verification, like Andrew Tate, but that's impossible to define or enforce)
Another non-parent with an irrelevant opinion.
If your kid goes out of their way to use a third party device without age restriction you can't stop them if they're determined either way, and no matter how right you think you are it still doesn't warrant destroying privacy for EVERYONE.
Congratulations to them, I suppose. They've temporarily returned after stealing money from me. Their service stopped working after renewing my annual subscription and when I went to try and find support, I got silence.
If you're one of the lucky few who's never had issues with NextDNS, I'm happy for you.
They just need to leak all of the elected official internet usage. You'll see this rolled back faster than it was implemented.
I really can't wait for the video titles of the porn our government officials watch to be read out loud by newscasters. That's going to be such sweet karma.
> "But Ofcom says platforms required to introduce "highly effective" methods to check user age must not host, share or permit content that encourages use of VPNs to get around age checks. The government has also told the BBC it would be illegal for platforms to do so."
https://www.bbc.com/news/articles/cn72ydj70g5o
i.e. the top category of "harmful" site cannot point people to VPNs as a way to avoid age verification. Everyone else can tell people about VPNs as a way to avoid age verification. The media have been doing so for a start.
Holy. Crap. I knew the UK was going off the deep end with these laws, but this actually looks like China-level government reach.
Unlike banning porn, banning VPNs has no political value because the technically inept voters who support these age verification policies don't know what a VPN is.
If you're China, yes. If you're a large and powerful western country, not so much.
The way to do it would be through the concept of "data laundering." Just like the US does with money laundering, the government would publish a list of all organizations and individuals engaged in the practice. All companies operating in that country would need to (globally) sever all ties with everybody who is on the list. Everybody else could choose between doing the same or ending up on the list themselves.
Only powerful countries could do this effectively, less powerful ones would just isolate themselves, just like China did. The US could definitely do it. The EU, UK, Japan and maybe India probably could, but it would be dicy. Everybody else would fail spectacularly.
I think "...to get around age checks" is controlling. It isn't illegal to promote VPN's in that country; it's illegal to promote their usefulness in circumventing other laws.
Which section of the Online Safety Act 2023 is that in, please?
https://news.ycombinator.com/newsguidelines.html
edit: ah it spoofs the EDNS subnet for the DNS request, so it gives you server "intended" for a different location. You will get slower connection but if it's poorly implemented and they have geofencing just on that layer, it will not do the age verification stuff.
It's interesting that it works, but... the website can still tell your IP through TCP handshake... it might fool some sites that have geofencing on DNS level.
On my iPhone, at any given date and time, it’s just a random occurrence of whether NextDNS (with the app) works or not. Visiting test.nextdns.io may show “unconfigured” or a NextDNS endpoint.
Various posts on the forums by several people over the years have not been responded to.
I’d like to know if the team is ever going to work on this. If not, just remove the app from the App Store so that people don’t assume that it works when it doesn’t.
If you're running a product like this, it should be officially allowed to bypass age verification.
> the age verification or age estimation must be of such a kind, and used in such a way, that it is highly effective at correctly determining whether or not a particular user is a child
Unfortunately, it's hard to tell what this passage means, and I suspect it doesn't apply here. (But does that mean there's no law covering age-verification bypassing services? That seems like an unlikely oversight, and the Online Safety Act's badly-drafted enough that I'm not comfortable making a broad assertion here.) Hopefully case law sorts this out a little.
The so-called "DNS trick", which is defintely not a trick, is to redirect traffic though a proxy server. Whoever operates the proxy, e.g. Cloudflare, NextDNS, etc., has control over the HTTPS traffic and _could_ have access to the contents
HN commenters and other online commenters have criticised Cloudlfare in the past because it decrypts ("terminates") TLS connections and _could_ thereby have access to the contents of customers' traffic
For any doubters, this access was confimed some years ago when a coding mistake by someone at CF in a scanner generated with ragel caused customers'_decrypted_ web traffic contained in memory on Cloudflare's proxies to spill out all over the web. Leaked data became publicly available and remained discoverable via web search for a while; the data had to be scrubbed from search engines and web archives which took several days at least
https://en.wikipedia.org/wiki/Cloudbleed
NextDNS purports to be a "DNS service" but proxying HTTPS opens a new can of worms
NB. This comment is not claiming that NextDNS or anyone else does or does not do anything, nor that anyone will or won't do anything. This comment is about _what becomes possible through control over DNS_. The possibilities it allows for control are why I do not use third party DNS service and prefer to control own DNS; having control can be very useful
VPN's are great for this. Just install the VPN, have it block access to adult sites, and have it alert me of any suspicious attempts.
It's bewildering how VPN companies have branded their technology as "anti-censorship" and "privacy-focused." VPN's are a censor's best friend.
DNS services are taking the opposite approach: they start by having a censorship feature (blocking malware, adult ads, etc), and now are adding anti-censorship options.
There's nothing about connecting to a different network, or using a different DNS provider, that is anti-censorship.
In a sense, it allows you to pick your censors, or no censors. "Anti-censorship" doesn't necessarily mean that nothing is blocked; it means you get to control what's blocked for yourself.
> It's bewildering how VPN companies have branded their technology as "anti-censorship" and "privacy-focused." VPN's are a censor's best friend.
You're already using a router. That's where you would normally implement blocks.
A VPN necessarily does the same thing, and so you can implement routing blocks there too. But this is like saying that a virtual machine is a great technology to run software. OK. Why do you want a virtual one?
This will increase the latency of all traffic to that site though.
I don't understand what this means:
1. It resolves DNS requests - got it.
2. The resolution sends back an address to a CDN - okay, not sure that I got it
3. The resolved address is in a country which doesn't require age checking - Totally don't get it: how will this help?
The current situation:
- You ask Foo DNS Provider for the IP address of pornhub.com
- Foo DNS Provider responds with the real IP address
- You connect to that address, send a TLS ClientHello containing a Server Name Indication extension of "pornhub.com"
What could happen:
- You ask Foo DNS Provider for the IP address of pornhub.com
- Foo DNS Provider responds with one of their own IP addresses
- You connect to that address, send a TLS ClientHello containing a Server Name Indication extension of "pornhub.com"
- Foo DNS Provider now knows that you intend to connect there, so it connects there for you and relays your ClientHello to it
- Foo DNS Provider then just acts as a dumb relay, passing everything back and forth with no modifications
- The certificate verifies fine because the traffic was not modified and it was presented by the party who controls the corresponding private key
- The website thinks you are connecting from Foo DNS Provider, not your real address
The only thing that would break this is ECH (Encrypted ClientHello), currently supported only by CloudFlare and Google Chrome (and its derivatives) as far as I know. This security feature is provisioned with ... DNS records! So Foo DNS Provider can simply indicate that the records required for ECH do not exist, and your web browser wouldn't encrypt the ClientHello. It's already tampering with the responses to address lookups anyway, so DNSSEC wouldn't be an issue -- you simply would not expect to be able to validate anything.
If they pretend they're a product targeted at anyone in the DACH region by offering the pages only in German, then they also must add an imprint: who they are, who is responsible, where they are, how I can contact them via email and phone.
Both. May the mouse forever elude the cat in this game!
If you’re proxying all traffic, that’s going to get expensive and - in theory - makes you as easy to block as VPN providers. I wish you the best of luck!
Because I don’t want any chance of this stuff affecting the blocks we use for minors, etc.
Will be keeping an eye on this though, hopefully this can be an alternative to my Irish VPN in the future.
https://my.nextdns.io/$id/settings
If I may ask, what are the dns tricks, is there a blog post about what you added, I am sooo curious about what sorcery is nextdns using.
Edit: I searched on ddg and there was a ghacks.net link and a alternativeto.net article and sadly ghacks was taking a long time to load and I just read the alternativeto.net article and it was kinda cool, let me paste it here
here is the article link : https://alternativeto.net/news/2025/8/nextdns-rolls-out-new-...
NextDNS has introduced a new DNS-level feature that allows users to bypass age verification checks commonly found on adult websites. This update enables users to avoid submitting personal documents, such as photos or government-issued IDs, to unfamiliar websites when accessing age-restricted content.
To enable the feature, users can activate it directly within the NextDNS settings. The technical approach is straightforward: the DNS resolver intercepts requests to target websites and routes traffic through proxy servers in countries where age verification is not required by law. This means that while users visit the same websites, the sites perceive the traffic as originating from a country without mandatory ID checks.
These changes are particularly relevant for individuals in the European Union and the United Kingdom, regions where certain governments have introduced strict ID requirements for accessing adult content websites. Looking at community reaction, user feedback on Reddit and social media has been largely positive since the announcement, with some users ironizing that “NextDNS developers know their clientele!”.
---
TLDR/my-thoughts: Nextdns can use something similar to vpn and I am wondering how much more efficient is this for this usecase compared to a vpn, like I am sure that vpns can be banned by a country, see china.
But nextdns.io is still available in china?, how would that work, and so can this feature be actually expanded to make it a general purpose vpn too if need be but honestly a lot of vpn use cases might be for bypassing verification itself, so basically the only few use cases I can think of vpn is to bypass censorship and maybe verification and also changing vpn for lets say watching content that's available in other country
Can nextdns add other features too, like imagine you can use nextdns with netflix and change it to anime mode and you can get netflix as in of japan, I don't have netflix but I am just giving an example because that's a lot of times what I hear from all those youtube vpn shills
Or can they provide some vpn service itself while at it, and since nextdns still uses dns and dns can operate over https. I imagine that it might be even harder to detect such vpn traffic because I know for sure that some vpn's can be tracked implementation wise (as in wireguard)[i can be wrong, i usually am] but I am pretty sure that https can't be tracked in the same manner, and we can use dns over https in nextdns using this feature..
Can you guys maybe comment on what you think about it? adding general purpose vpns / japan/country switching/enabling vpns itself though I guess it might make you a vpn app which can have its own logs/rules and regulations and I am currently fine/really happy with protonvpn which I also think can run on top of https with their proxy option atleast in browser and maybe even in their apps I am not sure.
It is likely they use some form of SNI-based proxy, similar to: https://github.com/celzero/midway
The way this works is, for preset domains, you always answer with the IP of your SNI proxy, which then forwards the connection to the real IP based on the domain in TLS's SNI extension. This "trick" only works for TLS connections that send SNI in the clear, and will not work with QUIC (HTTP/3) or with TLS v1.3 with ECH (encrypted client hello). For non-TLS connections, like cleartext HTTP/2 or HTTP/1, the proxy would look at the Host header. Similar heuristics may exist for other popular cleartext protocols.
ControlD, a similar DNS provider, has supported redirections for a long time now: https://controld.com/features/traffic-redirection
If you own enough public IPs (like a /64 IPv6 or a /22 IPv4), you can vend time-limited unique IP per domain per client IP and support all transport protocols (and not just TLS/HTTP).
- Client makes a DNS request to ageblockedsite.com using NextDNS server
- NextDNS server returns an IP to a proxy server they control
- Client connects to the site through the proxy server
No one can dictate who can watch something or not.
Additionally, intentionally aiding someone (especially a minor) in circumventing the law is very likely to not be legal, especially when legality is largely determined by a jury, and especially^2 when the facts of the case against you are the most egregious that the government can find, especially^3 when you are profiting from it. It will be something like a 12yo using your service to access something absolutely shocking, and you or someone else will be forced to read a detailed text description of it in front of a jury. This doesn't even begin to address civil liability.
I'm not saying what you are doing is 'wrong', I'm saying you should talk to a lawyer who specializes in this sort of thing before you are forced to.
Having had to deal with some clients with slightly sensitive data, I wish. Photocopies and printed screenshots lying around in the open, CC data copy-pasted manually to other fields or to generic excel sheets because otherwise "it disappears and we can't book late fees" etc. Not even only the "random third-party" companies vetted and specialised in ID verification, but then they get a new support contract down the road, and a fourth- or fifth-party agent who had the cheapest offer now has remote admin access to those desktops.
Probability is low, true. But all it takes is one compromised access.
We all choose our battles probably.
Wrong lmao. All forms of Government ID are PII and should be treated as sensitive.
https://www.esafety.gov.au/young-people/protecting-your-iden... Heres basic information from a government looking to enact these same laws.
>Nearly every app, social media platform or website asks you for at least some personally identifiable information. But this data can be stolen or misused. That’s why it’s important to keep it as private and secure as possible. If you have to share it, make sure it’s only used by trusted services with your knowledge and consent.
Wow thats great advice.
Its not the showing the ID its having it potentially tied to your accounts and usage. Having your ID tied to your selfie which could be leaked.
You are being absurd.
I don't agree with this requirement, but I'm also not so dishonest that I would pretend that it's a security issue.
If you were able to do all of those things to prove your identity using your ID.. then any identity thief with a copy of your ID could use it to impersonate you in every one of those venues.
That means that somebody else can send your money wherever they wish.. create bank accounts to perform nefarious deeds that tie back to you.. book flights, and subscribe to services on your dime or on a stolen credit card behind your name so that after the chargebacks all debt collection activity aims at you. And finally convince the government to send your tax refunds to them.
In light of this what is absurd about being parsimonious with who and how we share copies of our ID, and why should virtually every website online be deputized into keeping copies of them to provide dog standard content services that might not always be suitable for all audiences?
This is a tech site so I imagine the average user has some deeper understanding than most(technically), but I guess imagination is off the table.
What this would do (requiring all sites) is basically be the end for any and all attempts against identity fraud protection. Indulge a bit of imagination for a moment. If EVERY site is now required to do some form of verification, than everyone's infrastructure now becomes prime targets for PII and troves of identity information, and wherein amazon, banks, and ID.me can be considered to be at or near the top (i'd hope) for keeping their machines tied down, the reality is that EVERYONE'S servers ARE NOT so will maintained. They WILL be attacked, and shims inserted to steal such identity information, as people have ZERO idea, as they're being shunted around to all thees angel-invested ID startups, as to what is or isn't legit, during signup. Wholly, identical pages/domains, as are often seen to steal traditional PCI information, will now be repurposed to this. Its not that the reputable ones are likely to fall, its the small vendors who don't understand that once a customer is EXPECTED to fork over ID to sign up, any hiccup in the process will be unnoticed, and it'll be ripe for abuse if the server/service is ever compromised.
https://conversion.ag/blog/top-websites-in-the-world/
Do any of these alternatives seem like something you would want to use?
#10 doesn’t require any age verification.
#12 doesn’t allow you to sign in at all unless you are a creator
#14 no verification needed
#25 requires you to use your Google or Twitter account or an email address.
#61 requires you to log in with your Google account.
#69 wants you to upload your drivers license or passport to a site called
https://saas-onboarding.incodesmile.com/multimedia214/flow/6...