More and more sites (especially adult ones) are now forcing users to upload IDs or selfies to continue. We think that’s a terrible idea: handing over government documents to random sites is a huge privacy risk.
This new setting workarounds those verification flows via DNS tricks. It’s available today to all users, including free accounts.
We’re curious how the HN community feels about this. Is it the right way to protect privacy online, or will it just provoke regulators to push harder?
The solution to this problem is not to provide YOUR ID but to provide AN ID, again and again, once per day. Again - cannot scale if a manual check is done by a human somewhere, flipside if it's fully automated now it's game-able
> they might just get enough attention from voters to motivate a change
Unfortunately, guaranteeing anonymous internet porno is a terrible political beachhead to motivate "voters" to do anything.
Reworded press release: "We protect children from being forced to upload their photos (on their IDs) to adult web sites"
"...to upload your photos (on your IDs)..." :D
Then again, these laws aren't about censoring children's access, they're about censoring EVERYONE'S access (and it blows my mind that conservative leaders will come right out and say it, but the average layperson doesn't seem to care or comprehend what a massive slippery slope censorship is -- porn is just the start)
[1] For example Ezekiel 23:20
Because I don't actually care about pornography, if it magically disappeared I wouldn't really care, it's all the other "not suitable for kids" content I care about that will get caught up in these laws. I don't want to give gross concern troll political groups moralizing about their precious hypothetical children the legal tools to ban what they don't like.
>And that is up to parents to control their child's internet access to limit their usage to only these sites.
This is an entirely unreasonable expectation on parents. I control web access at home, but I can't control it at school, or at their friend's houses. Nor do I have time, nor do I have access, to exert control over all the systems they come in contact with (even without their own device).
>it's all the other "not suitable for kids" content
Like what? Explicit violence?
If they simply wanted age verification, the dumb and lazy way is to SSO through a government managed portal with OAUTH2 and you only share your age with the third party. You do a one time account setup (you already have to do this in the US for many government services at the federal level) with age verification, that's your gov portal login. This means the government will now which naughty sites you visit of course, but like I said, it is the lazy approach, and if you think about it, if they respect the laws then a law can be passed to prevent them from storing or using that association, if they didn't, they could still sniff your traffic and wiretap you.
A slightly smarter approach would be to directly auth against a government portal and be given a 24h expiring code for age verification, and the government will publish an updated list of codes to trusted businesses. Those codes could be leaked, but making it a felony should deter most cases, because who wants to go to prison to let some kids watch porn?
Smarter people than me can come up with smarter solution, that is really my point. Involving third-parties and requiring you to upload documents is done either out of extreme incompetence or opportunistic malice by elected officials (bribery).
The "24 hour code" one you suggest is something the EU is prototyping. Since there's nothing stopping an adult from sharing their code with a minor, or even code-sharing (or selling) websites to pop up, they want it to be bound to a particular device. So what they've done is added integrity checks to the app, so you can only run it on a locked down phone.
Want to run GrapheneOS for privacy and security? Or use an unofficial ROM to get updates on a phone the manufacturer stopped supporting? Just want to uninstall the bloatware and spyware the manufacturer installs? Want to use Linux? Have an old computer without a TPM? All of that and more - congrats, no "adult content" for you.
And no, it's not "porn", it's "adult content", which is a much broader and blurrier category. Is discussion of sexual orientation or gender issues adult content? Sex education? Medical information about "private parts"? News articles mentioning scary things like rape?
This is bad technology and it should never be developed. Do Not Create The Torment Nexus.
The weird thing is that UKGOV already has this for the NHS - my GP's app uses access.login.nhs.uk to log me in. That could easily verify my age to another system.
(Admittedly it's not sufficient for the wider case because not everyone is registered on nhs.uk but it does show that UKGOV has the capability to do this.)
When you sign up with a South Korean online service that might contain age-restricted content, you provide your name, date of birth, and phone number. The service operator uses a special telecom-provided API to have a 6-digit code sent to your phone. (The code is generated by the telecom, not the service operator.) When you enter the code, the telecom confirms the name and date of birth. No need for random online services to ask for government IDs, because they're allowed to pass the burden of proof to telecoms who have already verified it offline.
You could probably do something similar via banks, schools, the social security system, or any other regulated industry that has KYC rules.
Your input on this thread would be greatly appreciated, as the community wants NextDNS to be the best service it can be.
I do appreciate the addition of the Age Verification Bypass, though. Many users on r/nextdns are trying to guess how it works. Proxing specific domain requests to show the user is from another country is our best guess. But I would still be very interested in the specifics.
Thanks.
I moved over to ControlD about a year ago and I've been very happy. Nothing has broken, and they seem to be active about their service.
The messaging around the change was very much "FYI we're deleting everything in 7 days in that region whether you're good or not, feel free to do what you want", e.g. creating problems with no interest in helping with solutions to those problems. This would all be fine for a free-tier service, but I was a paying customer. Even as a paying customer though, I paid virtually nothing.
Overall, NextDNS felt like it had the worst possible combination startup, passion project and beer money project features: I paid for it for a couple of years and got fed up because the amount talk about it gave the impression to me there was a fair and growing customer base but NextDNS were missing either the capability or focus to grow the service at the time. I'm conscious they'll be reading this - it was 2 years ago this happened, so maybe things have changed.
“Unlock the full potential of your network with Control D's advanced filtering and security features, perfect for the land of the free.”
"Explore your network's potential with Control D's advanced DNS analytics, perfect for a tech-savvy Canadian like you."
Moved to AdGuard DNS, very happy with it. They have random sales throughout the year where you can buy a few years of discounted service in advance, so the cost is next to nothing...
Congratulations to them, I suppose. They've temporarily returned after stealing money from me. Their service stopped working after renewing my annual subscription and when I went to try and find support, I got silence.
If you're one of the lucky few who's never had issues with NextDNS, I'm happy for you.
> "But Ofcom says platforms required to introduce "highly effective" methods to check user age must not host, share or permit content that encourages use of VPNs to get around age checks. The government has also told the BBC it would be illegal for platforms to do so."
i.e. the top category of "harmful" site cannot point people to VPNs as a way to avoid age verification. Everyone else can tell people about VPNs as a way to avoid age verification. The media have been doing so for a start.
Holy. Crap. I knew the UK was going off the deep end with these laws, but this actually looks like China-level government reach.
Unlike banning porn, banning VPNs has no political value because the technically inept voters who support these age verification policies don't know what a VPN is.
If you're China, yes. If you're a large and powerful western country, not so much.
The way to do it would be through the concept of "data laundering." Just like the US does with money laundering, the government would publish a list of all organizations and individuals engaged in the practice. All companies operating in that country would need to (globally) sever all ties with everybody who is on the list. Everybody else could choose between doing the same or ending up on the list themselves.
Only powerful countries could do this effectively, less powerful ones would just isolate themselves, just like China did. The US could definitely do it. The EU, UK, Japan and maybe India probably could, but it would be dicy. Everybody else would fail spectacularly.
I think "...to get around age checks" is controlling. It isn't illegal to promote VPN's in that country; it's illegal to promote their usefulness in circumventing other laws.
Which section of the Online Safety Act 2023 is that in, please?
If you're running a product like this, it should be officially allowed to bypass age verification.
> the age verification or age estimation must be of such a kind, and used in such a way, that it is highly effective at correctly determining whether or not a particular user is a child
Unfortunately, it's hard to tell what this passage means, and I suspect it doesn't apply here. (But does that mean there's no law covering age-verification bypassing services? That seems like an unlikely oversight, and the Online Safety Act's badly-drafted enough that I'm not comfortable making a broad assertion here.) Hopefully case law sorts this out a little.
VPN's are great for this. Just install the VPN, have it block access to adult sites, and have it alert me of any suspicious attempts.
It's bewildering how VPN companies have branded their technology as "anti-censorship" and "privacy-focused." VPN's are a censor's best friend.
DNS services are taking the opposite approach: they start by having a censorship feature (blocking malware, adult ads, etc), and now are adding anti-censorship options.
There's nothing about connecting to a different network, or using a different DNS provider, that is anti-censorship.
In a sense, it allows you to pick your censors, or no censors. "Anti-censorship" doesn't necessarily mean that nothing is blocked; it means you get to control what's blocked for yourself.
> It's bewildering how VPN companies have branded their technology as "anti-censorship" and "privacy-focused." VPN's are a censor's best friend.
You're already using a router. That's where you would normally implement blocks.
A VPN necessarily does the same thing, and so you can implement routing blocks there too. But this is like saying that a virtual machine is a great technology to run software. OK. Why do you want a virtual one?
edit: ah it spoofs the EDNS subnet for the DNS request, so it gives you server "intended" for a different location. You will get slower connection but if it's poorly implemented and they have geofencing just on that layer, it will not do the age verification stuff.
It's interesting that it works, but... the website can still tell your IP through TCP handshake... it might fool some sites that have geofencing on DNS level.
I guess it will work for some sites, but it would be interesting to know what fraction.
On my iPhone, at any given date and time, it’s just a random occurrence of whether NextDNS (with the app) works or not. Visiting test.nextdns.io may show “unconfigured” or a NextDNS endpoint.
Various posts on the forums by several people over the years have not been responded to.
I’d like to know if the team is ever going to work on this. If not, just remove the app from the App Store so that people don’t assume that it works when it doesn’t.
The so-called "DNS trick", which is defintely not a trick, is to redirect traffic though a proxy server. Whoever operates the proxy, e.g. Cloudflare, NextDNS, etc., has control over the HTTPS traffic and _could_ have access to the contents
HN commenters and other online commenters have criticised Cloudlfare in the past because it decrypts ("terminates") TLS connections and _could_ thereby have access to the contents of customers' traffic
For any doubters, this access was confimed some years ago when a coding mistake by someone at CF in a scanner generated with ragel caused customers'_decrypted_ web traffic contained in memory on Cloudflare's proxies to spill out all over the web. Leaked data became publicly available and remained discoverable via web search for a while; the data had to be scrubbed from search engines and web archives which took several days at least
https://en.wikipedia.org/wiki/Cloudbleed
NextDNS purports to be a "DNS service" but proxying HTTPS opens a new can of worms
NB. This comment is not claiming that NextDNS or anyone else does or does not do anything, nor that anyone will or won't do anything. This comment is about _what becomes possible through control over DNS_. The possibilities it allows for control are why I do not use third party DNS service and prefer to control own DNS; having control can be very useful
When a customer gives a third party recursive DNS provider, e.g., NextDNS, etc., permission to "block" certain domains then the third party may act as an authoritative nameserver. Queries with RD==1 for A RRs of "blocked" domains not already cached do not need to be forwarded to an authoritative nameserver chosen or operated by the domain owner. The third party can answer these queries with whatever address it chooses, e.g., 0.0.0.0, rewrite the answers, etc.
Whether any third party DNS provider is abusing this permission^1 is not the point of this comment. The point is that delegating DNS to a third party makes it possible^2
1. This could be difficult to discover
2. For example, I have seen DNS caches that return A records for certain domains that do not match the A records returned by the domain's authoritative nameservers; sometimes the responses even falsely claim they are authoritative answers. Academic papers have been published about countries that implement censorship via DNS. Even in the US, it's common for third party DNS providers such as hotels and certain ISPs, including cellular providers, to intercept DNS traffic and direct it to their own caches, rewrite answers, etc. This includes nonrecursive queries to a domain's authoritative nameservers
This will increase the latency of all traffic to that site though.
I don't understand what this means:
1. It resolves DNS requests - got it.
2. The resolution sends back an address to a CDN - okay, not sure that I got it
3. The resolved address is in a country which doesn't require age checking - Totally don't get it: how will this help?
I also can't find anything different in the returned A/AAAA records compared to my standard resolver.
The current situation:
- You ask Foo DNS Provider for the IP address of pornhub.com
- Foo DNS Provider responds with the real IP address
- You connect to that address, send a TLS ClientHello containing a Server Name Indication extension of "pornhub.com"
What could happen:
- You ask Foo DNS Provider for the IP address of pornhub.com
- Foo DNS Provider responds with one of their own IP addresses
- You connect to that address, send a TLS ClientHello containing a Server Name Indication extension of "pornhub.com"
- Foo DNS Provider now knows that you intend to connect there, so it connects there for you and relays your ClientHello to it
- Foo DNS Provider then just acts as a dumb relay, passing everything back and forth with no modifications
- The certificate verifies fine because the traffic was not modified and it was presented by the party who controls the corresponding private key
- The website thinks you are connecting from Foo DNS Provider, not your real address
The only thing that would break this is ECH (Encrypted ClientHello), currently supported only by CloudFlare and Google Chrome (and its derivatives) as far as I know. This security feature is provisioned with ... DNS records! So Foo DNS Provider can simply indicate that the records required for ECH do not exist, and your web browser wouldn't encrypt the ClientHello. It's already tampering with the responses to address lookups anyway, so DNSSEC wouldn't be an issue -- you simply would not expect to be able to validate anything.
But that’s when I thought this was a sort of blocklist of ID processors. If what you’re doing really is forcing the site to be served from a different geolocation then maybe just have that as a top level feature. “Use foreign DNS” or something, maybe allow configuring a list of domains I want to happen that on, or geographies I’m ok with connecting to.
Both. May the mouse forever elude the cat in this game!
If you’re proxying all traffic, that’s going to get expensive and - in theory - makes you as easy to block as VPN providers. I wish you the best of luck!
Off-topic: I've been reading some of the comments and I notice a bunch of HN-members are unhappy about their product. My experience: things never broke for me, never needed to contact support, ads are blocked, etc (But I also use uBlock, etc)
(P.s. - My only complaint is that -- like so many other SaaS offerings -- administrating payments is not easy enough. - No option to pay by year - So every month you have to go the website, login, go the admin, click download invoice - Instead of: click download PDF from monthly invoice email)
Regarding payments, I pay yearly. At the time I signed up I think it was the only option. They do have a $1.99/month option now, but they still offer yearly pricing.
If they pretend they're a product targeted at anyone in the DACH region by offering the pages only in German, then they also must add an imprint: who they are, who is responsible, where they are, how I can contact them via email and phone.
Will be keeping an eye on this though, hopefully this can be an alternative to my Irish VPN in the future.
Because I don’t want any chance of this stuff affecting the blocks we use for minors, etc.
In HN comment thread for another post, I had hoped that we could come up with a rating system like we have with Movies, TV, Apps, mediated by HTTP Headers.
I feel that is all we actually need. Then I can configure a browser a certain way, and the site publisher can just send a header saying "X-Content-Rating: Mature" or something along those lines, and that's it. It would be anonymous and opt-in.
If I may ask, what are the dns tricks, is there a blog post about what you added, I am sooo curious about what sorcery is nextdns using.
Edit: I searched on ddg and there was a ghacks.net link and a alternativeto.net article and sadly ghacks was taking a long time to load and I just read the alternativeto.net article and it was kinda cool, let me paste it here
here is the article link : https://alternativeto.net/news/2025/8/nextdns-rolls-out-new-...
NextDNS has introduced a new DNS-level feature that allows users to bypass age verification checks commonly found on adult websites. This update enables users to avoid submitting personal documents, such as photos or government-issued IDs, to unfamiliar websites when accessing age-restricted content.
To enable the feature, users can activate it directly within the NextDNS settings. The technical approach is straightforward: the DNS resolver intercepts requests to target websites and routes traffic through proxy servers in countries where age verification is not required by law. This means that while users visit the same websites, the sites perceive the traffic as originating from a country without mandatory ID checks.
These changes are particularly relevant for individuals in the European Union and the United Kingdom, regions where certain governments have introduced strict ID requirements for accessing adult content websites. Looking at community reaction, user feedback on Reddit and social media has been largely positive since the announcement, with some users ironizing that “NextDNS developers know their clientele!”.
---
TLDR/my-thoughts: Nextdns can use something similar to vpn and I am wondering how much more efficient is this for this usecase compared to a vpn, like I am sure that vpns can be banned by a country, see china.
But nextdns.io is still available in china?, how would that work, and so can this feature be actually expanded to make it a general purpose vpn too if need be but honestly a lot of vpn use cases might be for bypassing verification itself, so basically the only few use cases I can think of vpn is to bypass censorship and maybe verification and also changing vpn for lets say watching content that's available in other country
Can nextdns add other features too, like imagine you can use nextdns with netflix and change it to anime mode and you can get netflix as in of japan, I don't have netflix but I am just giving an example because that's a lot of times what I hear from all those youtube vpn shills
Or can they provide some vpn service itself while at it, and since nextdns still uses dns and dns can operate over https. I imagine that it might be even harder to detect such vpn traffic because I know for sure that some vpn's can be tracked implementation wise (as in wireguard)[i can be wrong, i usually am] but I am pretty sure that https can't be tracked in the same manner, and we can use dns over https in nextdns using this feature..
Can you guys maybe comment on what you think about it? adding general purpose vpns / japan/country switching/enabling vpns itself though I guess it might make you a vpn app which can have its own logs/rules and regulations and I am currently fine/really happy with protonvpn which I also think can run on top of https with their proxy option atleast in browser and maybe even in their apps I am not sure.
It is likely they use some form of SNI-based proxy, similar to: https://github.com/celzero/midway
The way this works is, for preset domains, you always answer with the IP of your SNI proxy, which then forwards the connection to the real IP based on the domain in TLS's SNI extension. This "trick" only works for TLS connections that send SNI in the clear, and will not work with QUIC (HTTP/3) or with TLS v1.3 with ECH (encrypted client hello). For non-TLS connections, like cleartext HTTP/2 or HTTP/1, the proxy would look at the Host header. Similar heuristics may exist for other popular cleartext protocols.
ControlD, a similar DNS provider, has supported redirections for a long time now: https://controld.com/features/traffic-redirection
If you own enough public IPs (like a /64 IPv6 or a /22 IPv4), you can vend time-limited unique IP per domain per client IP and support all transport protocols (and not just TLS/HTTP).
- Client makes a DNS request to ageblockedsite.com using NextDNS server
- NextDNS server returns an IP to a proxy server they control
- Client connects to the site through the proxy server
The mistake that UK, and probably others, have made is that the government isn't actually able to provide the required infrastructure.
If the solution is anonymous in the sense that the government doesn't see that I visit some site, and the site doesn't see who I am, then I struggle to see problem. This assumes that it's only applied to services and products that are already age restricted in the physical world already.
I think one can say that about alcohol too? How do they plan to avoid kids drinking the wine?
Maybe if the parents leaves knifes, wine and medicine and an unlocked mobile phone where the kids can find it, ... That's a problem that's hard to solve in a phone app?
> frequent reconfirmation maybe?
Maybe popping up face ID camera tests? Can be annoying, I suppose, if you were in the middle of something
They just need to leak all of the elected official internet usage. You'll see this rolled back faster than it was implemented.
I really can't wait for the video titles of the porn our government officials watch to be read out loud by newscasters. That's going to be such sweet karma.
Additionally, intentionally aiding someone (especially a minor) in circumventing the law is very likely to not be legal, especially when legality is largely determined by a jury, and especially^2 when the facts of the case against you are the most egregious that the government can find, especially^3 when you are profiting from it. It will be something like a 12yo using your service to access something absolutely shocking, and you or someone else will be forced to read a detailed text description of it in front of a jury. This doesn't even begin to address civil liability.
I'm not saying what you are doing is 'wrong', I'm saying you should talk to a lawyer who specializes in this sort of thing before you are forced to.
Having had to deal with some clients with slightly sensitive data, I wish. Photocopies and printed screenshots lying around in the open, CC data copy-pasted manually to other fields or to generic excel sheets because otherwise "it disappears and we can't book late fees" etc. Not even only the "random third-party" companies vetted and specialised in ID verification, but then they get a new support contract down the road, and a fourth- or fifth-party agent who had the cheapest offer now has remote admin access to those desktops.
Probability is low, true. But all it takes is one compromised access.
We all choose our battles probably.
Wrong lmao. All forms of Government ID are PII and should be treated as sensitive.
https://www.esafety.gov.au/young-people/protecting-your-iden... Heres basic information from a government looking to enact these same laws.
>Nearly every app, social media platform or website asks you for at least some personally identifiable information. But this data can be stolen or misused. That’s why it’s important to keep it as private and secure as possible. If you have to share it, make sure it’s only used by trusted services with your knowledge and consent.
Wow thats great advice.
Its not the showing the ID its having it potentially tied to your accounts and usage. Having your ID tied to your selfie which could be leaked.
You are being absurd.
I don't agree with this requirement, but I'm also not so dishonest that I would pretend that it's a security issue.
This is a tech site so I imagine the average user has some deeper understanding than most(technically), but I guess imagination is off the table.
What this would do (requiring all sites) is basically be the end for any and all attempts against identity fraud protection. Indulge a bit of imagination for a moment. If EVERY site is now required to do some form of verification, than everyone's infrastructure now becomes prime targets for PII and troves of identity information, and wherein amazon, banks, and ID.me can be considered to be at or near the top (i'd hope) for keeping their machines tied down, the reality is that EVERYONE'S servers ARE NOT so will maintained. They WILL be attacked, and shims inserted to steal such identity information, as people have ZERO idea, as they're being shunted around to all thees angel-invested ID startups, as to what is or isn't legit, during signup. Wholly, identical pages/domains, as are often seen to steal traditional PCI information, will now be repurposed to this. Its not that the reputable ones are likely to fall, its the small vendors who don't understand that once a customer is EXPECTED to fork over ID to sign up, any hiccup in the process will be unnoticed, and it'll be ripe for abuse if the server/service is ever compromised.
Designing secure services are not 'just' one and done by any means, this whole thing boils down to whether security is a trivial, and a done thing or a very hard problem, and it has always been a very hard problem.
Its one thing to hand over credit cards with very little liability and a charge back ability, its totally another to use irrevocable IDs which cant be resent in the mail in a few days. Then theres the inter-nationality angle. I refuse to use overseas services, who dont recognize a 'drivers license' and want my passport. Sorry, not going to be stuck somewhere because my passport gets leaked and now we need to vist the only embassy 7 hours away before i return home (with kids in tow). Universal Id requirement is a cozy idea but it opens far too many incompatibilities, not to mention country-to-country.
Do you think it's inherently so unsafe to use your ID in an online context that it is never a net benefit? Yes/No
If you think it is unsafe, what alternative do you propose? If you don't have one, or your idea requires some kind of massive simultaneous buy in by all stakeholders and jurisdictions, give up, your opinion is irrelevant.
If you were able to do all of those things to prove your identity using your ID.. then any identity thief with a copy of your ID could use it to impersonate you in every one of those venues.
That means that somebody else can send your money wherever they wish.. create bank accounts to perform nefarious deeds that tie back to you.. book flights, and subscribe to services on your dime or on a stolen credit card behind your name so that after the chargebacks all debt collection activity aims at you. And finally convince the government to send your tax refunds to them.
In light of this what is absurd about being parsimonious with who and how we share copies of our ID, and why should virtually every website online be deputized into keeping copies of them to provide dog standard content services that might not always be suitable for all audiences?
https://conversion.ag/blog/top-websites-in-the-world/
Do any of these alternatives seem like something you would want to use?
#10 doesn’t require any age verification.
#12 doesn’t allow you to sign in at all unless you are a creator
#14 no verification needed
#25 requires you to use your Google or Twitter account or an email address.
#61 requires you to log in with your Google account.
#69 wants you to upload your drivers license or passport to a site called
https://saas-onboarding.incodesmile.com/multimedia214/flow/6...