It may not be effective in the long term, but I think it's very much worth doing. The privacy nightmare of uploading government docs is appalling and should be resisted by all who can, so I think you're doing great work. If it provokes regulators to push harder, they might just get enough attention from voters to motivate a change. That would be my hope anyway
petcat 6 hours ago [-]
> More and more sites (especially adult ones) are now forcing users to upload IDs or selfies to continue.
> they might just get enough attention from voters to motivate a change
Unfortunately, guaranteeing anonymous internet porno is a terrible political beachhead to motivate "voters" to do anything.
selcuka 1 hours ago [-]
> Unfortunately, guaranteeing anonymous internet porno is a terrible political beachhead to motivate "voters" to do anything.
Reworded press release: "We protect children from being forced to upload their photos (on their IDs) to adult web sites"
SunlitCat 56 minutes ago [-]
Another rewording:
"...to upload your photos (on your IDs)..." :D
Spivak 5 hours ago [-]
You don't have to sell it like that. The bill that needs to be passed is default presumption that all websites on the internet not explicitly marked as such and who voluntarily accept a higher legal burden and standard of moderation may contain content not suitable for children. And that is up to parents to control their child's internet access to limit their usage to only these sites.
Because I don't actually care about pornography, if it magically disappeared I wouldn't really care, it's all the other "not suitable for kids" content I care about that will get caught up in these laws. I don't want to give gross concern troll political groups moralizing about their precious hypothetical children the legal tools to ban what they don't like.
Alive-in-2025 9 hours ago [-]
It's a great idea to get rid of, I'm shocked a company is this brave to do this. It's not in the interest of any adult to upload their ID so the government can track their web browsing. I didn't want to expose my kid to porn when they were 5, somehow it wasn't a problem because the avg browser use was guided by me, but also the browser blocked porn. When they were a bit older, a teenager, I also lightly guided their computer use.
notepad0x90 3 hours ago [-]
Even if this was a good idea, ID verification technology should not be outsourced to private parties. This is a service governments themselves must provide. I shouldn't need to upload an ID because the government already has it!
If they simply wanted age verification, the dumb and lazy way is to SSO through a government managed portal with OAUTH2 and you only share your age with the third party. You do a one time account setup (you already have to do this in the US for many government services at the federal level) with age verification, that's your gov portal login. This means the government will know which naughty sites you visit of course, but like I said, it is the lazy approach, and if you think about it, if they respect the laws then a law can be passed to prevent them from storing or using that association, if they didn't, they could still sniff your traffic and wiretap you.
A slightly smarter approach would be to directly auth against a government portal and be given a 24h expiring code for age verification, and the government will publish an updated list of codes to trusted businesses. Those codes could be leaked, but making it a felony should deter most cases, because who wants to go to prison to let some kids watch porn?
Smarter people than me can come up with smarter solution, that is really my point. Involving third-parties and requiring you to upload documents is done either out of extreme incompetence or opportunistic malice by elected officials (bribery).
kijin 3 hours ago [-]
South Korea has implemented something similar, but through private corporations, not directly by the government.
When you sign up with a South Korean online service that might contain age-restricted content, you provide your name, date of birth, and phone number. The service operator uses a special telecom-provided API to have a 6-digit code sent to your phone. (The code is generated by the telecom, not the service operator.) When you enter the code, the telecom confirms the name and date of birth. No need for random online services to ask for government IDs, because they're allowed to pass the burden of proof to telecoms who have already verified it offline.
You could probably do something similar via banks, schools, the social security system, or any other regulated industry that has KYC rules.
pogue 2 hours ago [-]
Hey @nextdns team. I'm a long time customer of NextDNS. I've been using your service for a few years now, but it seems a large amount of your primarily offered services & blocklist offerings are SEVERELY out of date. I detailed that here on Reddit:
https://www.reddit.com/r/nextdns/s/IX2mUogHPK
Your input on this thread would be greatly appreciated, as the community wants NextDNS to be the best service it can be.
I do appreciate the addition of the Age Verification Bypass, though. Many users on r/nextdns are trying to guess how it works. Proxying specific domain requests to show the user is from another country is our best guess. But I would still be very interested in the specifics.
Thanks.
1vuio0pswjnm7 13 minutes ago [-]
This sounds like a company using DNS to proxy _other_ peoples' web traffic through _their_ proxies. Cloudflare started this way. That's why signing up for Cloudflare requires using _Cloudflare's_ DNS servers
The so-called "DNS trick", which is definitely not a trick, is to redirect traffic through a proxy server. Whoever operates the proxy, e.g. Cloudflare, NextDNS, etc., has control over the HTTPS traffic and _could_ have access to the contents
HN commenters and other online commenters have criticised Cloudflare in the past because it decrypts ("terminates") TLS connections and _could_ thereby have access to the contents of peoples' traffic
For any doubters, this access was confirmed some years ago when a coding mistake by someone at CF in a scanner generated with ragel caused customers' _decrypted_ web traffic contained in memory on Cloudflare's proxies to spill out all over the web. It remained in search engine indexes for a while; the data had to be scrubbed from search engines and web archives which took several days at least
NextDNS purports to be a "DNS service" but proxying HTTPS opens a new can of worms
NB. No one is claiming that NextDNS or anyone else does or does not do anything. Only they know what they do. This comment is about _what becomes possible through control over DNS_. This is why I do not use third party DNS service and prefer to control own DNS
skyzouwdev 6 hours ago [-]
That’s a bold move. Handing over IDs to random sites is definitely a privacy nightmare, so I get why you built this. The real question is whether it buys time for users or just accelerates the push for stricter regulation. Either way, it sparks an important conversation
dlcarrier 5 hours ago [-]
At least outside of countries that already limit their citizens' access to the internet, censorship regulations tend to apply only to providers, not end users, so it would be extremely difficult to go after an extraterritorial VPN provider. In the US, extraterritorial jurisdiction includes not just providers outside of the country, but providers outside of the state. For example, see: https://en.wikipedia.org/wiki/Marquette_National_Bank_of_Min....
echelon 5 hours ago [-]
> Handing over IDs to random sites is definitely a privacy nightmare
They just need to leak all of the elected official internet usage. You'll see this rolled back faster than it was implemented.
I really can't wait for the video titles of the porn our government officials watch to be read out loud by newscasters. That's going to be such sweet karma.
perihelions 9 hours ago [-]
As a remark, not a criticism, such a deliberate promotion is probably illegal in the UK market,
> "But Ofcom says platforms required to introduce "highly effective" methods to check user age must not host, share or permit content that encourages use of VPNs to get around age checks. The government has also told the BBC it would be illegal for platforms to do so."
NextDNS isn't a content platform required to have age checks, so no, that prohibition doesn't apply here and promoting the bypass feature isn't 'probably illegal'.
graemep 1 hours ago [-]
That only applies to those platforms that are required to do "highly effective age checks".
i.e. the top category of "harmful" site cannot point people to VPNs as a way to avoid age verification. Everyone else can tell people about VPNs as a way to avoid age verification. The media have been doing so for a start.
petcat 6 hours ago [-]
> must not host, share or permit content that encourages use of VPNs to get around age checks. The government has also told the BBC it would be illegal for platforms to do so
Holy. Crap. I knew the UK was going off the deep end with these laws, but this actually looks like China-level government reach.
Ms-J 5 hours ago [-]
Ignore the government crying. It is irrelevant when we spread the tech to get around their useless spying laws.
pas 6 hours ago [-]
next step is to try to make VPNs illegal (or require age verification for them, of course)
RiverCrochet 5 hours ago [-]
Age verification for VPNs would be awesome. I would rather hand ID over to a VPN provider than individual sites I visit.
tacticus 4 hours ago [-]
This would ensure you couldn't tie an Identity to an activity\user on a service which is of course why it's not where they're going
lttlrck 4 hours ago [-]
The VPN provider should hook into the existing government identity service.
walterbell 8 hours ago [-]
Can VPN/DNS providers independently market their services, if content providers cannot advertise VPN providers?
perihelions 8 hours ago [-]
> "content that encourages use of VPNs to get around age checks"
I think "...to get around age checks" is controlling. It isn't illegal to promote VPN's in that country; it's illegal to promote their usefulness in circumventing other laws.
neilcj 8 hours ago [-]
The law reads like it applies to platforms required to do the checks rather than third party service providers.
Which section of the Online Safety Act 2023 is that in, please?
buyucu 8 hours ago [-]
For people who don't live in the UK, why should they care about UK law?
ac29 7 hours ago [-]
NextDNS is a company not a person. They have infrastructure in the UK and presumably have UK customers, so they should care about UK law.
retype 6 hours ago [-]
The US also has multiple states that have enacted similar laws.
rendaw 2 hours ago [-]
"Under no circumstances should you use Mullvad VPN (https://mullvad.net/en), available for 5Eur/mo - also payable in Bitcoin, to avoid our age verification checks!"
buttocks 3 hours ago [-]
As a subscriber of NextDNS I say, first, this is cool, but second, don’t do it. I don’t want NextDNS to face some sort of judgment that will get it shut down. Just publish the “DNS tricks” so that people can DIY but don’t make it part of your service.
skybrian 10 hours ago [-]
Glancing at the front page, it looks like this product also has enforced SafeSearch and restricted mode to protect children, so... seems fine? They're doing the same thing themselves, and it's probably better since it's a local solution.
If you're running a product like this, it should be officially allowed to bypass age verification.
> the age verification or age estimation must be of such a kind, and used in such a way, that it is highly effective at correctly determining whether or not a particular user is a child
Unfortunately, it's hard to tell what this passage means, and I suspect it doesn't apply here. (But does that mean there's no law covering age-verification bypassing services? That seems like an unlikely oversight, and the Online Safety Act's badly-drafted enough that I'm not comfortable making a broad assertion here.) Hopefully case law sorts this out a little.
cedws 1 hours ago [-]
I love NextDNS. Can you explain what exactly the DNS tricks are and where they do/don’t work?
pyuser583 7 hours ago [-]
I'm a parent, and I try to keep my kids from the Internet in general, but adult parts in particular.
VPN's are great for this. Just install the VPN, have it block access to adult sites, and have it alert me of any suspicious attempts.
It's bewildering how VPN companies have branded their technology as "anti-censorship" and "privacy-focused." VPN's are a censor's best friend.
DNS services are taking the opposite approach: they start by having a censorship feature (blocking malware, adult ads, etc), and now are adding anti-censorship options.
There's nothing about connecting to a different network, or using a different DNS provider, that is anti-censorship.
ronsor 7 hours ago [-]
> There's nothing about connecting to a different network, or using a different DNS provider, that is anti-censorship.
In a sense, it allows you to pick your censors, or no censors. "Anti-censorship" doesn't necessarily mean that nothing is blocked; it means you get to control what's blocked for yourself.
pjc50 3 hours ago [-]
Making your own filter choices should not be referred to as "censorship". Censorship is when the choice is taken away.
thaumasiotes 4 hours ago [-]
> VPN's are great for this. Just install the VPN, have it block access to adult sites, and have it alert me of any suspicious attempts.
> It's bewildering how VPN companies have branded their technology as "anti-censorship" and "privacy-focused." VPN's are a censor's best friend.
You're already using a router. That's where you would normally implement blocks.
A VPN necessarily does the same thing, and so you can implement routing blocks there too. But this is like saying that a virtual machine is a great technology to run software. OK. Why do you want a virtual one?
bongodongobob 7 hours ago [-]
VPNs have nothing to do with it. I guess yours has some kind of filtering service, but that's not at all related to a VPN. It's like buying a V8 engine because you wanted a turbo. V8's can have turbos, but it has nothing to do with being a V8.
syntaxing 9 hours ago [-]
Easily one of the best $20 I spend a year. Makes iOS so much more usable and I really love supporting the vision of the developers from NextDNS
drcongo 7 hours ago [-]
Same. I absolutely love NextDNS.
rany_ 5 hours ago [-]
How does this "DNS trick" work? That to me is a much more interesting detail.
shitloadofbooks 4 hours ago [-]
It likely overrides DNS resolution to CDN/POPs in countries which don't require age checking, or routes the traffic through TCP proxies so your traffic appears to come from a different country without these laws.
This will increase the latency of all traffic to that site though.
selcuka 55 minutes ago [-]
A DNS provider can not route your traffic through TCP proxies, so it must be the former.
atonse 2 hours ago [-]
I use NextDNS to BLOCK porn sites, etc from my kids’ devices. I hope you aren’t changing your ethos as a company, although I don’t know, maybe your customers are changing and causing you to pivot.
Because I don’t want any chance of this stuff affecting the blocks we use for minors, etc.
luxurytent 5 hours ago [-]
I don't have a strong opinion here, but I did want to say thank you for your service! I was previously running a pi-hole but switched my family and my household to NextDNS. Great $20/home spent
FiReaNG3L 8 hours ago [-]
Better than that at least in the UK, they are not handing the data to the government, but to unregulated, diverse third parties - what could go wrong.
cedws 1 hours ago [-]
Free VPNs are also at the top of the UK App Store. All of them look extremely dodgy, probably run by foreign adversaries seizing the opportunity to slurp data.
OldfieldFund 4 hours ago [-]
it's all gonna get leaked every quarter
pkulak 6 hours ago [-]
That’s really cool. I thought you guys had stopped development altogether.
tky 4 hours ago [-]
Same; I switched to ControlD when it appeared NextDNS was on autopilot without support or fixes.
Ms-J 5 hours ago [-]
Thank you for doing this! You are helping spread freedom. If everyone were to create more tools like this, it would shape the future to our liking.
HocusLocus 4 hours ago [-]
Seeking DNS with 'furry exemption' for fully clothed furries.
j45 38 minutes ago [-]
Handing over Government IDs to private websites and apps is a highly risky and attractive target for identity theft and fraud.
baby_souffle 7 hours ago [-]
> We’re curious how the HN community feels about this. Is it the right way to protect privacy online, or will it just provoke regulators to push harder?
Both. May the mouse forever elude the cat in this game!
If you’re proxying all traffic, that’s going to get expensive and - in theory - makes you as easy to block as VPN providers. I wish you the best of luck!
tester89 7 hours ago [-]
At least for my discord, I still can't access channels marked NSFW, instead of showing me the verification screen it just says "failed to load messages".
wolfy1993 7 hours ago [-]
Likewise, unable to get it working myself (tested with reddit and bluesky - both ask for verification still).
Will be keeping an eye on this though, hopefully this can be an alternative to my Irish VPN in the future.
Telemakhos 4 hours ago [-]
Does this create any new liability for the sites that are legally required to check ID?
paradox460 10 hours ago [-]
Where is the setting configured? I just looked through my admin page and didn't see any switch for it
thewisenerd 10 hours ago [-]
i can see this in the settings page for a profile under the section "Bypass Age Verification"
Features that are only aimed at breaking the law will tend to backfire...
Imustaskforhelp 9 hours ago [-]
I am a user of nextdns and okay, this is really neato team! I find this really interesting.
If I may ask, what are the dns tricks, is there a blog post about what you added, I am sooo curious about what sorcery is nextdns using.
Edit: I searched on ddg and there was a ghacks.net link and an alternativeto.net article and sadly ghacks was taking a long time to load and I just read the alternativeto.net article and it was kinda cool, let me paste it here
NextDNS has introduced a new DNS-level feature that allows users to bypass age verification checks commonly found on adult websites. This update enables users to avoid submitting personal documents, such as photos or government-issued IDs, to unfamiliar websites when accessing age-restricted content.
To enable the feature, users can activate it directly within the NextDNS settings. The technical approach is straightforward: the DNS resolver intercepts requests to target websites and routes traffic through proxy servers in countries where age verification is not required by law. This means that while users visit the same websites, the sites perceive the traffic as originating from a country without mandatory ID checks.
These changes are particularly relevant for individuals in the European Union and the United Kingdom, regions where certain governments have introduced strict ID requirements for accessing adult content websites. Looking at community reaction, user feedback on Reddit and social media has been largely positive since the announcement, with some users ironizing that “NextDNS developers know their clientele!”.
---
TLDR/my-thoughts: Nextdns can use something similar to vpn and I am wondering how much more efficient is this for this usecase compared to a vpn, like I am sure that vpns can be banned by a country, see china.
But nextdns.io is still available in china?, how would that work, and so can this feature be actually expanded to make it a general purpose vpn too if need be but honestly a lot of vpn use cases might be for bypassing verification itself, so basically the only few use cases I can think of vpn is to bypass censorship and maybe verification and also changing vpn for lets say watching content that's available in other country
Can nextdns add other features too, like imagine you can use nextdns with netflix and change it to anime mode and you can get netflix as in of japan, I don't have netflix but I am just giving an example because that's a lot of times what I hear from all those youtube vpn shills
Or can they provide some vpn service itself while at it, and since nextdns still uses dns and dns can operate over https. I imagine that it might be even harder to detect such vpn traffic because I know for sure that some vpn's can be tracked implementation wise (as in wireguard)[i can be wrong, i usually am] but I am pretty sure that https can't be tracked in the same manner, and we can use dns over https in nextdns using this feature..
Can you guys maybe comment on what you think about it? adding general purpose vpns / japan/country switching/enabling vpns itself though I guess it might make you a vpn app which can have its own logs/rules and regulations and I am currently fine/really happy with protonvpn which I also think can run on top of https with their proxy option at least in browser and maybe even in their apps I am not sure.
cricketsandmops 8 hours ago [-]
I've been using Getflix for years to have my location spoofed to another country. It is a pay product though. I've used it on Amazon and mainly use it for BBC iPlayer. I couldn't ever get netflix to play nice using it or a vpn, so for it I just tunnel my traffic to a residential address I have in Mexico
cprecioso 8 hours ago [-]
IIRC there was this service called Tunlr which offered VPN-like location spoofing with similar DNS tricks.
combyn8tor 6 hours ago [-]
so does it work like this?:
- Client makes a DNS request to ageblockedsite.com using NextDNS server
- NextDNS server returns an IP to a proxy server they control
- Client connects to the site through the proxy server
dizhn 5 hours ago [-]
That's actually pretty neat. I thought they need software running on the client to do the proxying but this scheme doesn't need it.
ignoramous 6 hours ago [-]
> If I may ask, what are the dns tricks, is there a blog post about what you added, I am sooo curious about what sorcery is nextdns using.
The way this works is, for preset domains, you always answer with the IP of your SNI proxy, which then forwards the connection to the real IP based on the domain in TLS's SNI extension. This "trick" only works for TLS connections that send SNI in the clear, and will not work with QUIC (HTTP/3) or with TLS v1.3 with ECH (encrypted client hello). For non-TLS connections, like cleartext HTTP/2 or HTTP/1, the proxy would look at the Host header. Similar heuristics may exist for other popular cleartext protocols.
If you own enough public IPs (like a /64 IPv6 or a /22 IPv4), you can vend time-limited unique IP per domain per client IP and support all transport protocols (and not just TLS/HTTP).
throwpoaster 8 hours ago [-]
[flagged]
can16358p 8 hours ago [-]
Speak for yourself please.
No one can dictate who can watch something or not.
crooked-v 8 hours ago [-]
Porn is just the excuse used to put more systems of control and oppression in place, as can be seen by US and UK conservatives attempting to get the mere existence of trans and LGBT people classified as 'obscene' and thus any mentions of them banned under the same laws.
888632798 8 hours ago [-]
What would the regime do without people like you?
ltbarcly3 7 hours ago [-]
Presenting government ID to random entities is literally what government ID's exist for. Paranoia about this is silly.
Additionally, intentionally aiding someone (especially a minor) in circumventing the law is very likely to not be legal, especially when legality is largely determined by a jury, and especially^2 when the facts of the case against you are the most egregious that the government can find, especially^3 when you are profiting from it. It will be something like a 12yo using your service to access something absolutely shocking, and you or someone else will be forced to read a detailed text description of it in front of a jury. This doesn't even begin to address civil liability.
I'm not saying what you are doing is 'wrong', I'm saying you should talk to a lawyer who specializes in this sort of thing before you are forced to.
pas 6 hours ago [-]
showing a plastic card in a store to buy the yearly Cum Companion Calendar or whatever is one thing, because the clerk likely is not a savant with eidetic memory, whereas online there's this little thing happening called data processing which starts with the only thing we usually don't want with our ID. copying.
HappMacDonald 15 minutes ago [-]
I wonder what the legality would be for the brick and mortar stores (especially the big chain ones) to just start asking customers for ID and then swiping them through scanners that can do all of the eidetic memory work for them?
Squeeeez 7 hours ago [-]
> Paranoia about this is silly.
Having had to deal with some clients with slightly sensitive data, I wish. Photocopies and printed screenshots lying around in the open, CC data copy-pasted manually to other fields or to generic excel sheets because otherwise "it disappears and we can't book late fees" etc.
Not even only the "random third-party" companies vetted and specialised in ID verification, but then they get a new support contract down the road, and a fourth- or fifth-party agent who had the cheapest offer now has remote admin access to those desktops.
Probability is low, true. But all it takes is one compromised access.
We all choose our battles probably.
protocolture 6 hours ago [-]
>Presenting government ID to random entities is literally what government ID's exist for.
Wrong lmao. All forms of Government ID are PII and should be treated as sensitive.
>Nearly every app, social media platform or website asks you for at least some personally identifiable information. But this data can be stolen or misused. That’s why it’s important to keep it as private and secure as possible. If you have to share it, make sure it’s only used by trusted services with your knowledge and consent.
Wow that's great advice.
prism56 7 hours ago [-]
Is it though? Unfortunately this could have been implemented much better with a decentralised approach.
It's not the showing the ID, it's having it potentially tied to your accounts and usage. Having your ID tied to your selfie which could be leaked.
smallnix 7 hours ago [-]
Please post a link to a picture of your national ID. /s
ltbarcly3 5 hours ago [-]
I've had to upload my ID card to send money, open a bank account online, verify my identity for a dating app, book an international flight, and ironically to register for the app to have an electronic version of my id on my phone, and weirdly to pay a traffic ticket (why do they care who pays it?), get a discount on my Amazon Prime subscription, and finally to reset my password for my ID.me login for government websites. So all of those are 'fine' I guess, but god forbid you upload it to a third party verification service (the same one that was used for one or more of the above cases where I uploaded my id) to watch pornography, that's where we draw the line?
You are being absurd.
I don't agree with this requirement, but I'm also not so dishonest that I would pretend that it's a security issue.
HappMacDonald 5 minutes ago [-]
So think through what you've just said.
If you were able to do all of those things to prove your identity using your ID.. then any identity thief with a copy of your ID could use it to impersonate you in every one of those venues.
That means that somebody else can send your money wherever they wish.. create bank accounts to perform nefarious deeds that tie back to you.. book flights, and subscribe to services on your dime or on a stolen credit card behind your name so that after the chargebacks all debt collection activity aims at you. And finally convince the government to send your tax refunds to them.
In light of this what is absurd about being parsimonious with who and how we share copies of our ID, and why should virtually every website online be deputized into keeping copies of them to provide dog standard content services that might not always be suitable for all audiences?
jofla_net 3 hours ago [-]
It's not the 'voluntary' services that may or may not want to see your ID, it's the existence of any and all Mandatory legislation, which would be a nightmare.
This is a tech site so I imagine the average user has some deeper understanding than most (technically), but I guess imagination is off the table.
What this would do (requiring all sites) is basically be the end for any and all attempts against identity fraud protection. Indulge a bit of imagination for a moment. If EVERY site is now required to do some form of verification, then everyone's infrastructure now becomes prime targets for PII and troves of identity information, and wherein amazon, banks, and ID.me can be considered to be at or near the top (I'd hope) for keeping their machines tied down, the reality is that EVERYONE'S servers ARE NOT so well maintained.
They WILL be attacked, and shims inserted to steal such identity information, as people have ZERO idea, as they're being shunted around to all these angel-invested ID startups, as to what is or isn't legit, during signup. Wholly, identical pages/domains, as are often seen to steal traditional PCI information, will now be repurposed to this. It's not that the reputable ones are likely to fall, it's the small vendors who don't understand that once a customer is EXPECTED to fork over ID to sign up, any hiccup in the process will be unnoticed, and it'll be ripe for abuse if the server/service is ever compromised.
SoftTalker 1 hours ago [-]
It would be a great thing, because it would finally force us to have something better than "I can present a piece of plastic with my picture and some numbers on it" as proof of identity.
ltbarcly3 55 minutes ago [-]
ID verification is done by 3rd parties. Nobody wants to hold a photo of your ID because it's a compliance nightmare. You aren't uploading your ID to some porn site, you are uploading it to some real-person verification company.
scarface_74 4 hours ago [-]
You don’t see the difference between it getting out some place I travelled to, opened a bank account to, etc than if I visit grandmamidgetporn.com?
ltbarcly3 51 minutes ago [-]
Nobody uploads their ID to some porn site, they work with some reputable id verification company.
> they might just get enough attention from voters to motivate a change
Unfortunately, guaranteeing anonymous internet porno is a terrible political beachhead to motivate "voters" to do anything.
Reworded press release: "We protect children from being forced to upload their photos (on their IDs) to adult web sites"
"...to upload your photos (on your IDs)..." :D
Because I don't actually care about pornography, if it magically disappeared I wouldn't really care, it's all the other "not suitable for kids" content I care about that will get caught up in these laws. I don't want to give gross concern troll political groups moralizing about their precious hypothetical children the legal tools to ban what they don't like.
If they simply wanted age verification, the dumb and lazy way is to SSO through a government managed portal with OAUTH2 and you only share your age with the third party. You do a one time account setup (you already have to do this in the US for many government services at the federal level) with age verification, that's your gov portal login. This means the government will now which naughty sites you visit of course, but like I said, it is the lazy approach, and if you think about it, if they respect the laws then a law can be passed to prevent them from storing or using that association, if they didn't, they could still sniff your traffic and wiretap you.
A slightly smarter approach would be to directly auth against a government portal and be given a 24h expiring code for age verification, and the government will publish an updated list of codes to trusted businesses. Those codes could be leaked, but making it a felony should deter most cases, because who wants to go to prison to let some kids watch porn?
Smarter people than me can come up with smarter solution, that is really my point. Involving third-parties and requiring you to upload documents is done either out of extreme incompetence or opportunistic malice by elected officials (bribery).
When you sign up with a South Korean online service that might contain age-restricted content, you provide your name, date of birth, and phone number. The service operator uses a special telecom-provided API to have a 6-digit code sent to your phone. (The code is generated by the telecom, not the service operator.) When you enter the code, the telecom confirms the name and date of birth. No need for random online services to ask for government IDs, because they're allowed to pass the burden of proof to telecoms who have already verified it offline.
You could probably do something similar via banks, schools, the social security system, or any other regulated industry that has KYC rules.
Your input on this thread would be greatly appreciated, as the community wants NextDNS to be the best service it can be.
I do appreciate the addition of the Age Verification Bypass, though. Many users on r/nextdns are trying to guess how it works. Proxying specific domain requests to show the user is from another country is our best guess. But I would still be very interested in the specifics.
Thanks.
The so-called "DNS trick", which is definitely not a trick, is to redirect traffic through a proxy server. Whoever operates the proxy, e.g. Cloudflare, NextDNS, etc., has control over the HTTPS traffic and _could_ have access to the contents
HN commenters and other online commenters have criticised Cloudflare in the past because it decrypts ("terminates") TLS connections and _could_ thereby have access to the contents of people's traffic
For any doubters, this access was confirmed some years ago when a coding mistake by someone at CF in a scanner generated with ragel caused customers' _decrypted_ web traffic contained in memory on Cloudflare's proxies to spill out all over the web. It remained in search engine indexes for a while; the data had to be scrubbed from search engines and web archives which took several days at least
https://en.wikipedia.org/wiki/Cloudbleed
NextDNS purports to be a "DNS service" but proxying HTTPS opens a new can of worms
NB. No one is claiming that NextDNS or anyone else does or does not do anything. Only they know what they do. This comment is about _what becomes possible through control over DNS_. This is why I do not use third party DNS service and prefer to control own DNS
They just need to leak all of the elected official internet usage. You'll see this rolled back faster than it was implemented.
I really can't wait for the video titles of the porn our government officials watch to be read out loud by newscasters. That's going to be such sweet karma.
> "But Ofcom says platforms required to introduce "highly effective" methods to check user age must not host, share or permit content that encourages use of VPNs to get around age checks. The government has also told the BBC it would be illegal for platforms to do so."
https://www.bbc.com/news/articles/cn72ydj70g5o
i.e. the top category of "harmful" site cannot point people to VPNs as a way to avoid age verification. Everyone else can tell people about VPNs as a way to avoid age verification. The media have been doing so for a start.
Holy. Crap. I knew the UK was going off the deep end with these laws, but this actually looks like China-level government reach.
I think "...to get around age checks" is controlling. It isn't illegal to promote VPN's in that country; it's illegal to promote their usefulness in circumventing other laws.
Which section of the Online Safety Act 2023 is that in, please?
If you're running a product like this, it should be officially allowed to bypass age verification.
> the age verification or age estimation must be of such a kind, and used in such a way, that it is highly effective at correctly determining whether or not a particular user is a child
Unfortunately, it's hard to tell what this passage means, and I suspect it doesn't apply here. (But does that mean there's no law covering age-verification bypassing services? That seems like an unlikely oversight, and the Online Safety Act's badly-drafted enough that I'm not comfortable making a broad assertion here.) Hopefully case law sorts this out a little.
VPN's are great for this. Just install the VPN, have it block access to adult sites, and have it alert me of any suspicious attempts.
It's bewildering how VPN companies have branded their technology as "anti-censorship" and "privacy-focused." VPN's are a censor's best friend.
DNS services are taking the opposite approach: they start by having a censorship feature (blocking malware, adult ads, etc), and now are adding anti-censorship options.
There's nothing about connecting to a different network, or using a different DNS provider, that is anti-censorship.
In a sense, it allows you to pick your censors, or no censors. "Anti-censorship" doesn't necessarily mean that nothing is blocked; it means you get to control what's blocked for yourself.
> It's bewildering how VPN companies have branded their technology as "anti-censorship" and "privacy-focused." VPN's are a censor's best friend.
You're already using a router. That's where you would normally implement blocks.
A VPN necessarily does the same thing, and so you can implement routing blocks there too. But this is like saying that a virtual machine is a great technology to run software. OK. Why do you want a virtual one?
This will increase the latency of all traffic to that site though.
Because I don’t want any chance of this stuff affecting the blocks we use for minors, etc.
Both. May the mouse forever elude the cat in this game!
If you’re proxying all traffic, that’s going to get expensive and - in theory - makes you as easy to block as VPN providers. I wish you the best of luck!
Will be keeping an eye on this though, hopefully this can be an alternative to my Irish VPN in the future.
https://my.nextdns.io/$id/settings
If I may ask, what are the dns tricks, is there a blog post about what you added, I am sooo curious about what sorcery is nextdns using.
Edit: I searched on ddg and there was a ghacks.net link and a alternativeto.net article and sadly ghacks was taking a long time to load and I just read the alternativeto.net article and it was kinda cool, let me paste it here
here is the article link : https://alternativeto.net/news/2025/8/nextdns-rolls-out-new-...
NextDNS has introduced a new DNS-level feature that allows users to bypass age verification checks commonly found on adult websites. This update enables users to avoid submitting personal documents, such as photos or government-issued IDs, to unfamiliar websites when accessing age-restricted content.
To enable the feature, users can activate it directly within the NextDNS settings. The technical approach is straightforward: the DNS resolver intercepts requests to target websites and routes traffic through proxy servers in countries where age verification is not required by law. This means that while users visit the same websites, the sites perceive the traffic as originating from a country without mandatory ID checks.
These changes are particularly relevant for individuals in the European Union and the United Kingdom, regions where certain governments have introduced strict ID requirements for accessing adult content websites. Looking at community reaction, user feedback on Reddit and social media has been largely positive since the announcement, with some users ironizing that “NextDNS developers know their clientele!”.
---
TLDR/my-thoughts: Nextdns can use something similar to vpn and I am wondering how much more efficient is this for this usecase compared to a vpn, like I am sure that vpns can be banned by a country, see china.
But nextdns.io is still available in china?, how would that work, and so can this feature be actually expanded to make it a general purpose vpn too if need be but honestly a lot of vpn use cases might be for bypassing verification itself, so basically the only few use cases I can think of vpn is to bypass censorship and maybe verification and also changing vpn for let's say watching content that's available in other country
Can nextdns add other features too, like imagine you can use nextdns with netflix and change it to anime mode and you can get netflix as in of japan, I don't have netflix but I am just giving an example because that's a lot of times what I hear from all those youtube vpn shills
Or can they provide some vpn service itself while at it, and since nextdns still uses dns and dns can operate over https. I imagine that it might be even harder to detect such vpn traffic because I know for sure that some vpn's can be tracked implementation wise (as in wireguard)[i can be wrong, i usually am] but I am pretty sure that https can't be tracked in the same manner, and we can use dns over https in nextdns using this feature..
Can you guys maybe comment on what you think about it? adding general purpose vpns / japan/country switching/enabling vpns itself though I guess it might make you a vpn app which can have its own logs/rules and regulations and I am currently fine/really happy with protonvpn which I also think can run on top of https with their proxy option at least in browser and maybe even in their apps I am not sure.
- Client makes a DNS request to ageblockedsite.com using NextDNS server
- NextDNS server returns an IP to a proxy server they control
- Client connects to the site through the proxy server
It is likely they use some form of SNI-based proxy, similar to: https://github.com/celzero/midway
The way this works is, for preset domains, you always answer with the IP of your SNI proxy, which then forwards the connection to the real IP based on the domain in TLS's SNI extension. This "trick" only works for TLS connections that send SNI in the clear, and will not work with QUIC (HTTP/3) or with TLS v1.3 with ECH (encrypted client hello). For non-TLS connections, like cleartext HTTP/2 or HTTP/1, the proxy would look at the Host header. Similar heuristics may exist for other popular cleartext protocols.
ControlD, a similar DNS provider, has supported redirections for a long time now: https://controld.com/features/traffic-redirection
If you own enough public IPs (like a /64 IPv6 or a /22 IPv4), you can vend time-limited unique IP per domain per client IP and support all transport protocols (and not just TLS/HTTP).
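The SNI-based steering described in the comments above comes down to what a passthrough proxy can read from the first TLS message without holding any keys. The following is an added example (not code from NextDNS, ControlD or midway) that parses a TLS-over-TCP ClientHello and reports the cleartext server name and whether ECH is offered; `build_client_hello` is a hypothetical helper that constructs the sample input, and its ECH payload is placeholder bytes.

```python
import struct

EXT_SNI, EXT_ECH = 0x0000, 0xFE0D   # server_name, encrypted_client_hello

def parse_client_hello(record: bytes) -> dict:
    """What an on-path proxy reads without keys: cleartext SNI and ECH presence."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record starting a ClientHello")
    hello = record[9:9 + int.from_bytes(record[6:9], "big")]
    out = {"sni": None, "ech": False}
    try:
        pos = 2 + 32                                          # legacy_version, random
        pos += 1 + hello[pos]                                 # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + hello[pos]                                 # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(hello)):                    # walk the extensions
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_ECH:
            out["ech"] = True
        elif ext_type == EXT_SNI and len(data) >= 5 and data[2] == 0:
            n = int.from_bytes(data[3:5], "big")              # host_name length
            out["sni"] = data[5:5 + n].decode("ascii", "replace").lower()
    return out

def sni_routable(record: bytes, steered: set) -> bool:
    """True when the upstream can be chosen from the cleartext SNI alone."""
    seen = parse_client_hello(record)
    return seen["sni"] in steered and not seen["ech"]

def build_client_hello(host=None, ech=False) -> bytes:
    """Constructed sample input (not a capture): a minimal ClientHello record."""
    exts = b""
    if host:
        name = host.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SNI, len(sni)) + sni
    if ech:
        exts += struct.pack("!HH", EXT_ECH, 8) + bytes(8)     # placeholder payload
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

When ECH is offered, the server name still visible in the outer ClientHello is the ECH provider's public name rather than the site being visited, which is why the example treats such a connection as not routable by SNI.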
No one can dictate who can watch something or not.
Additionally, intentionally aiding someone (especially a minor) in circumventing the law is very likely to not be legal, especially when legality is largely determined by a jury, and especially^2 when the facts of the case against you are the most egregious that the government can find, especially^3 when you are profiting from it. It will be something like a 12yo using your service to access something absolutely shocking, and you or someone else will be forced to read a detailed text description of it in front of a jury. This doesn't even begin to address civil liability.
I'm not saying what you are doing is 'wrong', I'm saying you should talk to a lawyer who specializes in this sort of thing before you are forced to.
Having had to deal with some clients with slightly sensitive data, I wish. Photocopies and printed screenshots lying around in the open, CC data copy-pasted manually to other fields or to generic excel sheets because otherwise "it disappears and we can't book late fees" etc. Not even only the "random third-party" companies vetted and specialised in ID verification, but then they get a new support contract down the road, and a fourth- or fifth-party agent who had the cheapest offer now has remote admin access to those desktops.
Probability is low, true. But all it takes is one compromised access.
We all choose our battles probably.
Wrong lmao. All forms of Government ID are PII and should be treated as sensitive.
https://www.esafety.gov.au/young-people/protecting-your-iden... Here's basic information from a government looking to enact these same laws.
>Nearly every app, social media platform or website asks you for at least some personally identifiable information. But this data can be stolen or misused. That’s why it’s important to keep it as private and secure as possible. If you have to share it, make sure it’s only used by trusted services with your knowledge and consent.
Wow that's great advice.
It's not the showing the ID, it's having it potentially tied to your accounts and usage. Having your ID tied to your selfie which could be leaked.
You are being absurd.
I don't agree with this requirement, but I'm also not so dishonest that I would pretend that it's a security issue.
If you were able to do all of those things to prove your identity using your ID.. then any identity thief with a copy of your ID could use it to impersonate you in every one of those venues.
That means that somebody else can send your money wherever they wish.. create bank accounts to perform nefarious deeds that tie back to you.. book flights, and subscribe to services on your dime or on a stolen credit card behind your name so that after the chargebacks all debt collection activity aims at you. And finally convince the government to send your tax refunds to them.
In light of this what is absurd about being parsimonious with who and how we share copies of our ID, and why should virtually every website online be deputized into keeping copies of them to provide dog standard content services that might not always be suitable for all audiences?
This is a tech site so I imagine the average user has some deeper understanding than most(technically), but I guess imagination is off the table.
What this would do (requiring all sites) is basically be the end for any and all attempts against identity fraud protection. Indulge a bit of imagination for a moment. If EVERY site is now required to do some form of verification, then everyone's infrastructure now becomes prime targets for PII and troves of identity information, and wherein amazon, banks, and ID.me can be considered to be at or near the top (I'd hope) for keeping their machines tied down, the reality is that EVERYONE'S servers ARE NOT so well maintained. They WILL be attacked, and shims inserted to steal such identity information, as people have ZERO idea, as they're being shunted around to all these angel-invested ID startups, as to what is or isn't legit, during signup. Wholly, identical pages/domains, as are often seen to steal traditional PCI information, will now be repurposed to this. It's not that the reputable ones are likely to fall, it's the small vendors who don't understand that once a customer is EXPECTED to fork over ID to sign up, any hiccup in the process will be unnoticed, and it'll be ripe for abuse if the server/service is ever compromised.