Skip to content

Setup guide for NextDNS, a DoH proxy with advanced capabilities

License

Notifications You must be signed in to change notification settings

yokoffing/NextDNS-Config

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 

Repository files navigation

GitHub issues GitHub GitHub Maintained GitHub commit activity GitHub last commit GitHub Maintained Hits


Guidelines 🔖

  1. Prevent overblocking by utilizing the law of diminishing returns (e.g., using sane, quality blocklists; allowing most TLDs; etc.).
  2. Pass the girlfriend test with few exceptions. These deviations are documented throughout the guide.

Create your account

Sign up for NextDNS here and support this page!


Security 👮

Security settings protect your data from harm, theft, and unauthorized use.^why does this matter?

Threat Intelligence Feeds 1

Enabled Use Threat Intelligence Feeds

AI-Driven Threat Detection 1

Note

NextDNS labels this feature as beta, although most users report it works well.

Enabled Enable AI-Driven Threat Detection

Google Safe Browsing 1 2 3 4

Tip

Unlike the version embedded in some browsers, this feature does not associate your public IP address to threats and does not allow bypassing the block.

Enabled Enable Google Safe Browsing

Cryptojacking Protection 1

Caution

Leave this feature enabled if you use something other than the recommended blocklists (see #31).

Disabled Enable Cryptojacking Protection

DNS Rebinding Protection 1 2

Enabled Enable DNS Rebinding Protection

IDN Homograph Attacks Protection 1 2

Enabled Enable Homograph Attacks Protection

Typosquatting Protection 1

Enabled Enable Typosquatting Protection

Domain Generation Algorithms (DGAs) Protection

Enabled Enable DGA Protection

Block Newly Registered Domains (NRDs) 1

Warning

Blocking NRDs may cause false positives occasionally. Be selective when adding NRDs to your allowlist; and, if you do, NEVER give sensitive information to a NRD. If you plan to set-and-forget your configuration, disable this setting.

Enabled Block Newly Registered Domains (NRDs)

Block Dynamic DNS Hostnames 1 2

Tip

Dynamic DNS (DDNS) services can still access their own website and update API when you use this setting.

Enabled Enable Block Dynamic DNS Hostnames

Block Parked Domains 1

Enabled Block Parked Domains

Block Top-Level Domains (TLDs) 1 2 3 4 5

Important

Blocking TLDs risks blocking legitimate sites along with malicious ones, since this feature stops both site navigations and subrequests. However, the entries below should allow for everyday browsing while offering protection against commonly abused TLDs.

Click me to view TLDs
.autos
.best
.bid
.boats
.boston
.boutique
.charity
.christmas
.dance
.fishing
.hair
.haus
.loan
.loans
.men
.mom
.name
.review
.rip
.skin
.support
.tattoo
.tokyo
.voto

You can find additional entries on Most Abused TLDs, but you may need to allowlist sites on occasion. If you plan to set-and-forget your configuration, skip this step.

Block Child Sexual Abuse Material

Enabled Block Child Sexual Abuse Material


Privacy 🔒

Privacy features limit the amount of data companies can collect about you.

Because privacy is a spectrum, what you need varies on your threat model, interest, and skillset.^why should I care? I have nothing to hide

Blocklists 1

Blocklists filter out ads, trackers, and malicious sites. Hundreds of volunteers contribute to these lists in the open-source community, and they are the undercover heroes who make blocking ads at scale possible.

We recommend you remove the NextDNS Ads & Trackers Blocklist and add the minimum number of useful lists.

Which blocklist should I use?

A great question to ask is: "How much do I want to deal with the inconveniences of false positives?"

Here are the suggested blocklists, based on past issues and observations:

Blocklists Rationale
HaGeZi -
Multi NORMAL1

OISD

Block tracker, ad, and badware requests without issues (set-and-forget).
HaGeZi -
Multi PRO2

OISD

Block more requests, usually without issues (recommended).
HaGeZi -
Multi PRO++3

OISD

Block more requests at the risk of site breakage.
Report occasional site and app issues.

Tip

Use different blocklists on separate DNS profiles (e.g., NORMAL for your router and PRO++ for your web browser).

Note

NextDNS does not offer Hagezi's Threat Intelligence Feed (TIF). We suggest using the OISD list, which contains some TIF sources missing from NextDNS security features.

You can also check out Hagezi's own recommendations.

Why Hagezi?

Hagezi block ads, trackers, native device trackers, and badware. He maintains a sensible allowlist, handles false positives quickly, and communicates known issues to blocklists maintainers. Hagezi's primary DNS lists combine multiple sources including respected community blocklists like OISD, Steven Black, 1Hosts, notrack, and more.

You may also wonder why other lists are not utilized. This is because many list maintainers:

  • do not remove false positives and/or are no longer active 1 2
  • already aggregate common blocklists into their own list (Easylist/Fanboy, AdGuard, Steven Black, etc.) 1 2 3 4
  • offer no meaningful additional coverage when compared with the chart combinations above

Native Tracking Protection 1

Add all the device brands you use.

Windows
Apple
Samsung
Xiaomi
Huawei
Amazon Alexa
Roku
Sonos

Block Disguised Third-Party Trackers 1 2 3 4 5

Enabled Block Disguised Third-Party Trackers

Allow Affiliate & Tracking Links 1 2

Tip

Your IP address will automatically be hidden (via TCP proxying) to preserve your privacy.

Warning

Disabling this setting prevents some email links from opening properly.

Enabled Allow Affiliate & Tracking Links


Parental Control 👨‍👩‍👦

YouTube Restricted Mode

Disabled Enforce YouTube Restricted Mode

Block Bypass Methods 1

Block tools that can bypass NextDNS filtering, such as VPNs, proxies, Tor software, and encrypted DNS services.

Caution

Enabling this setting causes unintended behavior.

Disabled Block Bypass Methods


Denylist ⛔

Denylist entries are always blocked. These entries may further harden some profiles while not interfering with everyday browsing.

iCloud Private Relay

iCloud Private Relay can override DNS settings on devices, preventing NextDNS from protecting them.

Some DoH providers block this feature automatically.

mask.icloud.com
mask-h2.icloud.com
mask-canary.icloud.com

And possibly:

apple-relay.cloudflare.com
apple-relay.fastly-edge.com
doh.dns.apple.com
doh.dns.apple.com.v.aaplimg.com
mask-api.icloud.com
mask.apple-dns.net

Allowlist ✅

Allowlist entries always resolve. These entries may be needed for aggressive DNS profiles to relax their rules.

NextDNS

Allow NextDNS itself in case a filterlist goes haywire and blocks your access.

nextdns.io
Click here to view more entries

Facebook / Instagram 1

graph.facebook.com
graph.instagram.com
i.instagram.com
b-graph.facebook.com

If you're still having issues, try these:

connect.facebook.com
connect.facebook.net
graph-fallback.facebook.com
z-m-graph.facebook.com
graph-fallback.instagram.com

Apple device updates 1 2 3

A known tracking domain, but it's needed for device updates.

xp.apple.com

Apple iMessage GIFs 1 / Spotlight Search 2

smoot.apple.com

Apple Store 1

amp-api-edge.apps.apple.com
amp-api-search-edge.apps.apple.com

Windows

This request is blocked when using NextDNS' Native Tracking list (Windows)

settings-win.data.microsoft.com

Xbox achievements

v10.events.data.microsoft.com
v20.events.data.microsoft.com

Xiaomi device updates

update.intl.miui.com

Xiaomi USB debugging (Security settings)

srv.sec.intl.miui.com

Google Nest usage metrics 1

logsink.devices.nest.com

Yahoo Mail 1

consent.yahoo.com
guce.oath.com
pr.comet.yahoo.com

Spectrum login 1

pov.spectrum.net

Zoom 1 2

logfiles.zoom.us
us04logfiles.zoom.us
us04zpns.zoom.us

YouTube history

s.youtube.com

Hulu 1

ads-fa-darwin.hulustream.com

Epic Games Launcher 1

eulatracking-public-service-prod06.ol.epicgames.com

NVIDIA Gefore Experience 1

gfe.nvidia.com
nvgs.nvidia.cn

Chick-Fil-A App 1

tmetrix.my.chick-fil-a.com
js.media-lab.ai

CBS News livestream 1 2

doppler-config.cbsivideo.com
production-cmp.isgprivacy.cbsi.com
pubads.g.doubleclick.net
tags.tiqcdn.com 

Paramount+ uses certain domains to display ads. These domains must be accessible to allow Paramount+ content to load (even for viewers with ad-free plans).

⚠️ However, because many sites use these domains for ads, allowing them could result in more ads being shown on other sites you visit.

imasdk.googleapis.com
pubads.g.doubleclick.net

Users have reported that the following domains also may need to be allowed:

cbsaavideo.com
cbsi.com
conviva.com
convivia.com
demdex.net
dns-clientinfo.cbsivideo.com
partnerad.l.doubleclick.net
saa.cbsi.com
summerhamster.com (yes, really)
udm.scorecardresearch.com
dcf.espn.com
glimmer.hearstapps.com

Settings ⚙️

Logs

Storage location → Switzerland

Block Page

Caution

Enabling this setting may cause site navigation issues if the NextDNS Root CA is not on your devices. Also, this setting breaks Paypal 2FA, iCloud Private Relay, Microsoft Teams, Yahoo! Mail, the NAVER app, Hoyolab app, and possibly banking apps.

Disabled Enable Block Page

Anonymized EDNS Client Subnet 1

Enabled Enable Anonymized EDNS Client Subnet

Cache Boost 1

Enabled Enable Cache Boost

CNAME Flattening 1 2 3

Warning

Enabling this feature may break compatibility with Yahoo! Mail and cause issues with certain blocklists.

Disabled Enable CNAME Flattening

Web3 1 2

Enabled Enable Web3 → (optional)


FAQ ❓

How do I signup for NextDNS?

Click here to get started.

Why am I still seeing ads?

Not all ads can be blocked at the DNS level.1 2 You will need an ad blocker to block what's leftover.

This is because not all ads come from third-party domains; some ads come directly from the site you're visiting, like YouTube. DNS blockers stop the resolution of a domain, and content blockers filter page content. Click here to easily install a lightweight ad blocker.

I need a browser with ad blocking. Which one should I choose?

Choosing a browser is about as intimate as choosing a starter Pokémon, so here's a few caveats:

  • The best browser on paper may not work well in real world usage.
  • Browsers are tools! Use a variety of browsers depending on what you need to do.
  • You should use various browsers (or browser profiles) for different areas of life (e.g., work, school, personal).

We based the recommendations below on a combination of effectiveness, resource efficiency, features, and ease of use.

OS Browser Content Blocker
iOS Safari AdGuard
Android Brave Built-in blocker
Windows
macOS
Linux
Firefox (with Betterfox)

Brave

uBlock Origin

Built-in blocker or uBlock Origin

At the end of the day, if you're using NextDNS + any browser with an ad blocker, you have more coverage than most people.

Should I pay for NextDNS?

For the rich features it provides, NextDNS is very affordable at $19.90/year for unlimited devices. NextDNS pays for itself if it saves my family from a malicious incident.

Does the amount of features enabled affect the speed of NextDNS?1 2

The number of settings you toggle on will not affect your DNS latency.

Do I need to set DoH at browser-level if I already use NextDNS at system-level?

Unless you use a separate profile for the browser, it is not neccessary. However, I recommend setting it in your web browser anyway.

I have a router profile and a device profile. Which one does my device use?

The device will use the profile set by the NextDNS app or the installed root CA. However, if the device has not been configured to use a separate profile, then it will use the wifi/router configuration.1

What is the difference between security, privacy, and anonymity?

See article | video

Does NextDNS hide activity from my Internet Service Provider (ISP)?

Encrypted DNS queries boost privacy and security. This encryption stops your ISP from seeing what websites you search for and visit.

However, encrypted DNS does not hide website IP addresses from your ISP. While your ISP cannot see the specific domain you want to access, they can see that you contact DNS servers like Cloudflare or AWS. If you repeatedly send data to a certain IP address, your ISP can guess you are visiting a website at that address.

Do I need a VPN?

IVPN argues you only need a VPN for three reasons. Mainly, in order to:

  1. Hide your real IP address from websites and peer-to-peer networks, which prevents ISPs and mobile carriers from tracking your online activity.

  2. Guard against man in the middle and other common attacks on public Wi-Fi networks in places like airports, hotels, cafes, and libraries.

  3. Bypass censorship or geographic restrictions, allowing you to access blocked websites and content.

Ultimately, you don't need a VPN unless your threat model demands it. Here are VPN suggestions from Techlore and Tom Spark Reviews if it does.


Mentions 📚

User Comments

YouTube

Articles

Guides

Contributions

Free Website Counter
since 23 July 2022