Show HN: NextDNS Adds "Bypass Age Verification"
177 nextdns 47 8/17/2025, 2:29:22 PM
We just shipped a new feature in NextDNS: Bypass Age Verification.
More and more sites (especially adult ones) are now forcing users to upload IDs or selfies to continue. We think that’s a terrible idea: handing over government documents to random sites is a huge privacy risk.
This new setting workarounds those verification flows via DNS tricks. It’s available today to all users, including free accounts.
We’re curious how the HN community feels about this. Is it the right way to protect privacy online, or will it just provoke regulators to push harder?
They just need to leak all of the elected official internet usage. You'll see this rolled back faster than it was implemented.
I really can't wait for the video titles of the porn our government officials watch to be read out loud by newscasters. That's going to be such sweet karma.
> they might just get enough attention from voters to motivate a change
Unfortunately, guaranteeing anonymous internet porno is a terrible political beachhead to motivate "voters" to do anything.
> "But Ofcom says platforms required to introduce "highly effective" methods to check user age must not host, share or permit content that encourages use of VPNs to get around age checks. The government has also told the BBC it would be illegal for platforms to do so."
https://www.bbc.com/news/articles/cn72ydj70g5o
Holy. Crap. I knew the UK was going off the deep end with these laws, but this actually looks like China-level government reach.
I think "...to get around age checks" is controlling. It isn't illegal to promote VPN's in that country; it's illegal to promote their usefulness in circumventing other laws.
If you're running a product like this, it should be officially allowed to bypass age verification.
VPN's are great for this. Just install the VPN, have it block access to adult sites, and have it alert me of any suspicious attempts.
It's bewildering how VPN companies have branded their technology as "anti-censorship" and "privacy-focused." VPN's are a censor's best friend.
DNS services are taking the opposite approach: they start by having a censorship feature (blocking malware, adult ads, etc), and now are adding anti-censorship options.
There's nothing about connecting to a different network, or using a different DNS provider, that is anti-censorship.
In a sense, it allows you to pick your censors, or no censors. "Anti-censorship" doesn't necessarily mean that nothing is blocked; it means you get to control what's blocked for yourself.
Both. May the mouse forever elude the cat in this game!
If you’re proxying all traffic, that’s going to get expensive and - in theory - makes you as easy to block as VPN providers. I wish you the best of luck!
No comments yet
No comments yet
https://my.nextdns.io/$id/settings
If I may ask, what are the dns tricks, is there a blog post about what you added, I am sooo curious about what sorcery is nextdns using.
Edit: I searched on ddg and there was a ghacks.net link and a alternativeto.net article and sadly ghacks was taking a long time to load and I just read the alternativeto.net article and it was kinda cool, let me paste it here
here is the article link : https://alternativeto.net/news/2025/8/nextdns-rolls-out-new-...
NextDNS has introduced a new DNS-level feature that allows users to bypass age verification checks commonly found on adult websites. This update enables users to avoid submitting personal documents, such as photos or government-issued IDs, to unfamiliar websites when accessing age-restricted content.
To enable the feature, users can activate it directly within the NextDNS settings. The technical approach is straightforward: the DNS resolver intercepts requests to target websites and routes traffic through proxy servers in countries where age verification is not required by law. This means that while users visit the same websites, the sites perceive the traffic as originating from a country without mandatory ID checks.
These changes are particularly relevant for individuals in the European Union and the United Kingdom, regions where certain governments have introduced strict ID requirements for accessing adult content websites. Looking at community reaction, user feedback on Reddit and social media has been largely positive since the announcement, with some users ironizing that “NextDNS developers know their clientele!”.
---
TLDR/my-thoughts: Nextdns can use something similar to vpn and I am wondering how much more efficient is this for this usecase compared to a vpn, like I am sure that vpns can be banned by a country, see china.
But nextdns.io is still available in china?, how would that work, and so can this feature be actually expanded to make it a general purpose vpn too if need be but honestly a lot of vpn use cases might be for bypassing verification itself, so basically the only few use cases I can think of vpn is to bypass censorship and maybe verification and also changing vpn for lets say watching content that's available in other country
Can nextdns add other features too, like imagine you can use nextdns with netflix and change it to anime mode and you can get netflix as in of japan, I don't have netflix but I am just giving an example because that's a lot of times what I hear from all those youtube vpn shills
Or can they provide some vpn service itself while at it, and since nextdns still uses dns and dns can operate over https. I imagine that it might be even harder to detect such vpn traffic because I know for sure that some vpn's can be tracked implementation wise (as in wireguard)[i can be wrong, i usually am] but I am pretty sure that https can't be tracked in the same manner, and we can use dns over https in nextdns using this feature..
Can you guys maybe comment on what you think about it? adding general purpose vpns / japan/country switching/enabling vpns itself though I guess it might make you a vpn app which can have its own logs/rules and regulations and I am currently fine/really happy with protonvpn which I also think can run on top of https with their proxy option atleast in browser and maybe even in their apps I am not sure.
- Client makes a DNS request to ageblockedsite.com using NextDNS server
- NextDNS server returns an IP to a proxy server they control
- Client connects to the site through the proxy server
It is likely they use some form of SNI-based proxying, similar to: https://github.com/celzero/midway
The way this works is, for any domain name, you always answer with the IP of your SNI proxy, which then forwards the connection to the real IP based on the domain in the TLS's SNI extension. This "trick" only works for TLS connections that send SNI in the clear, and will not work with QUIC (HTTP/3) or with TLS v1.3 with ECH (encrypted client hello). For non-TLS connections, like cleartext HTTP/2 or HTTP/1, the proxy would look at the Host header. Similar heuristics may exist for other popular cleartext protocols.
ControlD, a similar DNS provider, has supported redirections for a long time now: https://controld.com/features/traffic-redirection
If you own enough public IPs (like a /64 IPv6 or a /22 IPv4), you can vend time-limited unique IP per domain per client IP and support all transport protocols (and not just TLS/HTTP).
Additionally, intentionally aiding someone (especially a minor) in circumventing the law is very likely to not be legal, especially when legality is largely determined by a jury, and especially^2 when the facts of the case against you are the most egregious that the government can find, especially^3 when you are profiting from it. It will be something like a 12yo using your service to access something absolutely shocking, and you or someone else will be forced to read a detailed text description of it in front of a jury. This doesn't even begin to address civil liability.
I'm not saying what you are doing is 'wrong', I'm saying you should talk to a lawyer who specializes in this sort of thing before you are forced to.
Having had to deal with some clients with slightly sensitive data, I wish. Photocopies and printed screenshots lying around in the open, CC data copy-pasted manually to other fields or to generic excel sheets because otherwise "it disappears and we can't book late fees" etc. Not even only the "random third-party" companies vetted and specialised in ID verification, but then they get a new support contract down the road, and a fourth- or fifth-party agent who had the cheapest offer now has remote admin access to those desktops.
Probability is low, true. But all it takes is one compromised access.
We all choose our battles probably.
Wrong lmao. All forms of Government ID are PII and should be treated as sensitive.
https://www.esafety.gov.au/young-people/protecting-your-iden... Heres basic information from a government looking to enact these same laws.
>Nearly every app, social media platform or website asks you for at least some personally identifiable information. But this data can be stolen or misused. That’s why it’s important to keep it as private and secure as possible. If you have to share it, make sure it’s only used by trusted services with your knowledge and consent.
Wow thats great advice.
Its not the showing the ID its having it potentially tied to your accounts and usage. Having your ID tied to your selfie which could be leaked.