Last Tuesday my multi-region cron job finished its 4 AM pull and the logs lit up with 47 timeouts against streaming-platform metadata endpoints. Curl from my workstation worked fine. Curl from the same VLAN as the cron host hung. The difference was a Pi-hole instance my partner had spun up two days earlier — it was nuking telemetry CNAMEs that one of the platform SDKs uses for metadata fan-out. So the API replies looked successful but half the catalog data was missing.

That was the day I ripped out Pi-hole and put NextDNS on the router instead. Six months later, my discovery pipeline is faster, my home network has fewer ads, and my cron jobs are no longer collateral damage. This post is the boring infrastructure story of how I got there — what worked, what blew up, and the PHP and Python glue that kept the catalogue honest across eight geo regions.

Why router-level DNS beats per-device blocking

The browser-extension approach (uBlock, etc.) works on the page you are looking at. Pi-hole and AdGuard Home work on the LAN, but they require you to operate a box. NextDNS sits in the middle: it is a hosted resolver that speaks DoH, DoT, and plain UDP, and the configuration lives in a web dashboard. The router points all clients at it.
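The failure in the opening story is worth being able to reproduce on demand: a filtering resolver that sinkholes one CNAME hop in a chain makes the top-level API name still "resolve", so the client gets an answer and the missing data only shows up downstream. The following is an added example, not code from the original post, that walks a CNAME chain against two constructed resolver views (an unfiltered one and a Pi-hole-style one that answers the telemetry hop with 0.0.0.0) and reports exactly which hop broke. All hostnames, addresses and record sets are constructed; the .test TLD is reserved and resolves nowhere.

```python
# Added example: find the CNAME hop a filtering resolver sinkholed.
# Hostnames, addresses and record sets are constructed (.test is reserved).
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

SINKHOLE_ADDRESSES = {"0.0.0.0", "::", "127.0.0.1"}  # typical blocklist answers
Records = Dict[str, Tuple[str, str]]  # owner name -> (rrtype, rdata)


@dataclass
class Resolution:
    name: str
    chain: List[str] = field(default_factory=list)  # CNAME owners followed, in order
    address: Optional[str] = None
    blocked_at: Optional[str] = None  # hop that came back NXDOMAIN or sinkholed


def resolve(name: str, records: Records, max_hops: int = 8) -> Resolution:
    """Follow CNAMEs in `records` until an A record (or a blocked hop) is hit."""
    res = Resolution(name)
    current = name.rstrip(".").lower()
    for _ in range(max_hops):
        rr = records.get(current)
        if rr is None:                    # NXDOMAIN: the filter dropped this hop
            res.blocked_at = current
            return res
        rrtype, rdata = rr
        if rrtype == "CNAME":
            res.chain.append(current)
            current = rdata.rstrip(".").lower()
            continue
        res.address = rdata
        if rdata in SINKHOLE_ADDRESSES:   # answered, but with a sinkhole address
            res.blocked_at = current
        return res
    raise RuntimeError(f"CNAME chain for {name} exceeded {max_hops} hops")


def blocked_hops(names: Iterable[str], clean: Records, lan: Records) -> Dict[str, str]:
    """Map each name whose LAN answer differs from the clean one to the broken hop."""
    out = {}
    for n in names:
        c, l = resolve(n, clean), resolve(n, lan)
        if l.blocked_at or l.address != c.address:
            out[n] = l.blocked_at or "answer differs"
    return out


# Constructed views: the SDK's metadata endpoint hides behind a telemetry CNAME.
UNFILTERED: Records = {
    "api.example-stream.test": ("CNAME", "meta.cdn-telemetry.test."),
    "meta.cdn-telemetry.test": ("A", "198.51.100.7"),
    "www.example-stream.test": ("A", "198.51.100.8"),
}
PIHOLE_VIEW: Records = {**UNFILTERED, "meta.cdn-telemetry.test": ("A", "0.0.0.0")}
```

Feeding `blocked_hops` the hostnames your SDK actually touches, with the two record sets replaced by real lookups against the workstation's resolver and the LAN resolver, turns the "curl works here but not there" hunt into a one-line diff.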