Setup guide for NextDNS, a DoH proxy with advanced capabilities.
Sign up for NextDNS here and support this page!
Security settings protect your data from harm, theft, and unauthorized use.^why does this matter?
Use Threat Intelligence Feeds
:warning: This feature is still in beta and may cause false positives.
Enable AI-Driven Threat Detection
:bulb: Unlike the version embedded in some browsers, this does not associate your public IP address to threats and does not allow bypassing the block.
Enable Google Safe Browsing
:warning: If you use something other than the recommended blocklists, then you should leave this enabled.
Enable Cryptojacking Protection
Enable DNS Rebinding Protection
Enable Homograph Attacks Protection
Enable Typosquatting Protection
Enable DGA Protection
:warning: Blocking NRDs may cause false positives occasionally. Be selective when adding NRDs to your allowlist; and, if you do, NEVER give sensitive information to a NRD. If you plan to set-and-forget your configuration, disable this setting.
Block Newly Registered Domains (NRDs)
:warning: This feature is still in beta and may cause false positives.
:bulb: If you are using Dynamic DNS (DDNS), this setting will not block the DDNS services' own website or their update API.
Enable Block Dynamic DNS Hostnames
Block Parked Domains
Updated: 18 March 2024
:warning: Blocking TLDs may cause false positives since this feature blocks both site navigations and subrequests. However, the entries below should allow for everyday browsing while offering protection against commonly abused TLDs since they have no known legitimate uses.
.autos
.best
.bid
.bio
.boats
.boston
.boutique
.charity
.christmas
.dance
.fishing
.hair
.haus
.loan
.loans
.men
.mom
.name
.review
.rip
.skin
.support
.tattoo
.tokyo
.voto
:stop_sign: You can find additional TLDs on Most Abused TLDs, but you may need to allowlist sites on occasion. If you plan to set-and-forget your configuration, skip this setting.
Block Child Sexual Abuse Material
Privacy features limit the amount of data companies can collect about you.
Because privacy is a spectrum, what you need varies on your threat model, interest, and skillset.^why should I care? I have nothing to hide
Blocklists filter out ads, trackers, and malicious sites. Hundreds of volunteers contribute to these lists in the open-source community, and they are the undercover heroes who make blocking ads at scale possible.
We recommend you remove the NextDNS Ads & Trackers Blocklist and select the minimum number of useful lists.
A great question to ask is: "How much do I want to deal with the inconveniences of false positives?"
Here are the suggested blocklists, based on past issues and observations:
Blocklist | Rationale |
---|---|
HaGeZi - Multi NORMAL1 | Block tracker, ad, and badware requests without issues (set-and-forget). |
HaGeZi - Multi PRO2 | Block more requests, usually without issues (recommended). |
HaGeZi - Multi PRO++3 | Block more requests at the risk of site breakage. Report occasional site and app issues. |
:book: Check out Hagezi's own recommendations.
:bulb: You can use different blocklists on separate DNS profiles (e.g., NORMAL for your router and PRO++ for your web browser).
Hagezi block ads, trackers, native device trackers, badware, and more. He maintains a sensible allowlist, handles false positives quickly, and communicates known issues to blocklists maintainers. Hagezi's primary DNS lists combine respected community blocklists like OISD, Steven Black, 1Hosts, notrack, and more.
:question: You may wonder why other lists are not utilized. This is because many list maintainers:
Add all the device brands you use. There's no advantage in adding brands you don't have; however, there’s no disadvantage in adding unused brands, either.
Windows
Apple
Samsung
Xiaomi
Huawei
Amazon Alexa
Roku
Sonos
Block Disguised Third-Party Trackers
:bulb: Your IP address will automatically be hidden (via TCP proxying) to preserve your privacy.
:warning: Disabling causes false positives when opening some email links.
Allow Affiliate & Tracking Links
Enforce YouTube Restricted Mode
:warning: Enabling may cause unintended breakage.
Block Bypass Methods
Denylist entries are always blocked. The entries below may further harden some profiles while not interfering with everyday browsing.
Not currently in NextDNS's Native Tracking Protection list: 1
xp.apple.com (unblock for device updates!)
acfeedbackws.icloud.com
api-adservices.apple.com
feedbackws.fe.apple-dns.net
feedbackws.icloud.com
iadsdk.apple.com
notes-analytics-events.apple.com
notes-analytics-events.news.apple-dns.net
weather-analytics-events.apple.com
weather-analytics-events.news.apple-dns.net
syndication.twitter.com
events.gfe.nvidia.com
Allowlist entries always resolve. These entries may be needed for aggressive DNS profiles to relax their rules.
Just in case a filterlist goes haywire and blocks your access
nextdns.io
graph.facebook.com
graph.instagram.com
i.instagram.com
b-graph.facebook.com
If you're still having issues, try these:
connect.facebook.com
connect.facebook.net
graph-fallback.facebook.com
z-m-graph.facebook.com
graph-fallback.instagram.com
A known tracking domain, but it's needed for device updates
xp.apple.com
smoot.apple.com
amp-api-edge.apps.apple.com
amp-api-search-edge.apps.apple.com
This request is blocked when using NextDNS' Native Tracking list (Windows)
settings-win.data.microsoft.com
update.intl.miui.com
srv.sec.intl.miui.com
logsink.devices.nest.com
consent.yahoo.com
guce.oath.com
pr.comet.yahoo.com
pov.spectrum.net
logfiles.zoom.us
us04logfiles.zoom.us
us04zpns.zoom.us
s.youtube.com
ads-fa-darwin.hulustream.com
eulatracking-public-service-prod06.ol.epicgames.com
gfe.nvidia.com
nvgs.nvidia.cn
tmetrix.my.chick-fil-a.com
js.media-lab.ai
doppler-config.cbsivideo.com
production-cmp.isgprivacy.cbsi.com
pubads.g.doubleclick.net
tags.tiqcdn.com
Paramount+ uses certain domains to display ads. These domains must be accessible to allow Paramount+ content to load (even for viewers with ad-free plans).
:warning: However, because many sites use these domains for ads, allowing them could result in more ads being shown on other sites you visit.
imasdk.googleapis.com
pubads.g.doubleclick.net
Users have reported that the following domains also may need to be allowed:
cbsaavideo.com
cbsi.com
conviva.com
convivia.com
demdex.net
dns-clientinfo.cbsivideo.com
partnerad.l.doubleclick.net
saa.cbsi.com
summerhamster.com (yes, really)
udm.scorecardresearch.com
dcf.espn.com
glimmer.hearstapps.com
Storage location → Switzerland
:warning: Enabling may cause breakage if the NextDNS Root CA is not on your devices. This setting also breaks Paypal 2FA, iCloud Private Relay, Microsoft Teams, Yahoo! Mail, the NAVER app, Hoyolab app, and possibly banking apps.
Enable Block Page
Enable Anonymized EDNS Client Subnet
Enable Cache Boost
:warning: Enabling this feature could break compatibility with Yahoo! Mail and cause issues with some blocklists.
Enable CNAME Flattening
Enable Web3 → (optional)
Click here!
Not all ads can be blocked at the DNS level.1 2 You will need an ad blocker to block what's leftover.
This is because not all ads come from third-party domains; some ads come directly from the site you're visiting, like YouTube. DNS blockers stop the resolution of a domain, and content blockers filter page content. Click here to easily install a lightweight ad blocker.
Choosing a browser is about as intimate as choosing a starter Pokémon, so here's a few caveats:
We based the recommendations below on a combination of effectiveness, resource efficiency, features, and ease of use.
OS | Browser | Content Blocker |
---|---|---|
iOS | Safari | AdGuard |
Android | Brave | Built-in blocker |
Windows macOS Linux |
Firefox (with Betterfox) | uBlock Origin Built-in blocker or uBlock Origin |
At the end of the day, if you're using NextDNS + any browser with an ad blocker, you have more coverage than most people.
For the rich features it provides, NextDNS is very affordable at $19.90/year for unlimited devices. NextDNS pays for itself if it saves my family from a malicious incident.
The number of settings you toggle on will not affect your DNS latency.
Unless you use a separate profile for the browser, it is not neccessary. However, I recommend setting it in your web browser anyway.
The device will use the profile set by the NextDNS app or the installed root CA. However, if the device has not been configured to use a separate profile, then it will use the wifi/router configuration.1
DNS protocols like DoH/DoT/DoQ are designed to increase privacy and security by encrypting DNS queries. They prevent your ISP from seeing your web searches and browsing history, which significantly contributes to protecting your privacy.
However, encrypted DNS does not hide the IP addresses of the websites you visit from your ISP. So while they cannot see the content of the encrypted DNS query (i.e., your ISP can't see what specific domain you're trying to access), they can see that you're making a request to a particular DNS server like Cloudflare or AWS. And if you're constantly sending packets to a particular IP address, it's likely that you're visiting a website hosted at that address.
That being said, IVPN argues that you only need a VPN for three reasons:
Maintaining control over your privacy by hiding your real IP address from websites and peer-to-peer nodes, preventing ISPs and mobile network operators from tracking the domains and IPs you visit.
Protecting your connection from man in the middle and other common attacks on untrusted networks, such as Wi-Fi in airports, hotels, cafes, and libraries.
Circumventing censorship or geographical blocks on websites and content, allowing you to retrieve otherwise inaccessible information and media.
You don't need a VPN unless your threat model demands it. Here are VPN suggestions from Techlore and Tom Spark Reviews if it does.