I did not make this! (but it's insanely useful)

I'm a lover of all things NextDNS, and (at)yokoffing on Github created this amazing and comprehensive guide to getting NextDNS up and running to get you the most bang for your buck - best "set it and forget it."

https://github.com/yokoffing/NextDNS-Config

Guidelines 🔖

1. Prevent overblocking by utilizing the law of diminishing returns (e.g., using sane, quality blocklists; allowing most TLDs; etc.).
2. Pass the girlfriend test with few exceptions. These deviations are documented throughout the guide.

Create your account

Sign up for NextDNS here!

Security 👮

Security settings protect your data from harm, theft, and unauthorized use.^[why does this matter?](https://thenewoil.org/en/guides/prologue/why)

Threat Intelligence Feeds 1

Use Threat Intelligence Feeds

AI-Driven Threat Detection 1

⚠️ This feature is still in beta and may cause false positives.

Enable AI-Driven Threat Detection

Google Safe Browsing 1 2 3 4

💡 Unlike the version embedded in some browsers, this does not associate your public IP address to threats and does not allow bypassing the block.

Enable Google Safe Browsing

Cryptojacking Protection 1

⚠️ If you use something other than the recommended blocklists, then you should leave this enabled.

Enable Cryptojacking Protection

DNS Rebinding Protection 1 2

Enable DNS Rebinding Protection

IDN Homograph Attacks Protection 1 2

Enable Homograph Attacks Protection

Typosquatting Protection 1

Enable Typosquatting Protection

Domain Generation Algorithms (DGAs) Protection

Enable DGA Protection

Block Newly Registered Domains (NRDs) 1

⚠️ Blocking NRDs may cause false positives occasionally. Be selective when adding NRDs to your allowlist; and, if you do, NEVER give sensitive information to a NRD. If you plan to set-and-forget your configuration, disable this setting.

Block Newly Registered Domains (NRDs)

Block Dynamic DNS Hostnames 1 2

⚠️ This feature is still in beta and may cause false positives.

💡 If you are using Dynamic DNS (DDNS), this setting will not block the DDNS services' own website or their update API.

Enable Block Dynamic DNS Hostnames

Block Parked Domains 1

Block Parked Domains

Block Top-Level Domains (TLDs) 1 2 3 4 5

⚠️ Blocking TLDs may cause false positives since this feature blocks both site nagviations and subrequests. However, the entries below should allow for everyday browsing while offering protection against commonly abused TLDs since they have no known legitimate uses.

.cfd
.discount
.gdn
.loan
.loans
.ooo
.sbs
.zip

🛑 Below are additional TLDs you may block, but you may need to allowlist sites on occasion. If you plan to set-and-forget your configuration, skip this setting.

📝 If you would rather block TLDs with an adblocker (e.g., easier to troubleshoot breakage), add the first two filterlists here.

Block Child Sexual Abuse Material

Block Child Sexual Abuse Material

Privacy 🔒

Privacy features limit the amount of data companies can collect about you.

Because privacy is a spectrum, what you need varies on your threat model, interest, and skillset.^*[why should I care? I have nothing to hide](https://aeon.co/essays/privacy-matters-because-it-empowers-us-all)*

Blocklists 1

Blocklists filter out ads, trackers, and malicious sites. Hundreds of volunteers contribute to these lists in the open-source community, and they are the undercover heroes who make blocking ads at scale possible.

We recommend you remove the NextDNS Ads & Trackers Blocklist and select the minimum number of useful lists.

Which blocklist should I use?

A great question to ask is: "How much do I want to deal with the inconveniences of false positives?"

Here are the suggested blocklists:

📖 Read the full analysis of Hagezi's lists here.

💡 Use different blocklists on separate DNS profiles (e.g., LIGHT for your router and PRO++ for your web browser).

Why Hagezi?

Hagezi block ads, trackers, native device trackers, badware, and more. He maintains a sensible allowlist, handles false positives quickly, an communicates known issues to blocklists maintainers. Hagezi's primary DNS lists combine respected community blocklists like OISD, Steven Black, 1Hosts, notrack, and more.

❓ You may wonder why other lists are not utilized. This is because many list maintainers:

• do not remove false positives and/or are no longer active 1 2
• already aggregate common blocklists into their own list (Easylist/Fanboy, AdGuard, Steven Black, etc.) 1 2 3 4
• offer no meaningful additional coverage when compared with the chart combinations above

Native Tracking Protection 1

Add all the device brands you use. There's no advantage in adding brands you don't have; however, there’s no disadvantage in adding unused brands, either.

Block Disguised Third-Party Trackers 1 2 3 4 5

Block Disguised Third-Party Trackers

Allow Affiliate & Tracking Links 1 2

💡 Your IP address will automatically be hidden (via TCP proxying) to preserve your privacy.

⚠️ Disabling causes false positives when opening some email links.

Allow Affiliate & Tracking Links

Parental Control 👨‍👩‍👦

YouTube Restricted Mode

Enforce YouTube Restricted Mode

Block Bypass Methods 1

⚠️ Enabling may cause unintended breakage.

Block Bypass Methods

Denylist ⛔

Denylist entries are always blocked. The entries below may further harden some profiles while not interfering with everyday browsing.

Apple tracking domains 1 2 3 4

Not currently in NextDNS's Native Tracking Protection list: 1

xp.apple.com (unblock for device updates!)
acfeedbackws.icloud.com
api-adservices.apple.com
feedbackws.fe.apple-dns.net
feedbackws.icloud.com
iadsdk.apple.com
notes-analytics-events.apple.com
notes-analytics-events.news.apple-dns.net
weather-analytics-events.apple.com
weather-analytics-events.news.apple-dns.net

Twitter tracker

syndication.twitter.com

NVIDIA Gefore Experience 1

events.gfe.nvidia.com

Allowlist ✅

Allowlist entries always resolve. These entries may be needed for aggressive DNS profiles to relax their rules.

NextDNS

Just in case a filterlist goes haywire and blocks your access

nextdns.io

Facebook / Instagram 1

graph.facebook.com
graph.instagram.com
i.instagram.com
b-graph.facebook.com

If you're still having issues, try these:

connect.facebook.com
connect.facebook.net
graph-fallback.facebook.com
z-m-graph.facebook.com
graph-fallback.instagram.com

Apple device updates 1 2 3 4

A known tracking domain, but it's needed for device updates

xp.apple.com

Apple iMessage GIFs 1 / Spotlight Search 2

smoot.apple.com

Apple Store 1

amp-api-edge.apps.apple.com
amp-api-search-edge.apps.apple.com

Windows

This request is blocked when using NextDNS' Native Tracking list (Windows)

settings-win.data.microsoft.com

Xiaomi device updates 1

update.intl.miui.com

Google Nest usage metrics 1

logsink.devices.nest.com

Yahoo Mail 1

consent.yahoo.com
guce.oath.com
pr.comet.yahoo.com

Spectrum login 1

pov.spectrum.net

Zoom 1 2

logfiles.zoom.us
us04logfiles.zoom.us
us04zpns.zoom.us

YouTube history 1

s.youtube.com

Hulu 1

ads-fa-darwin.hulustream.com

Epic Games Launcher 1

eulatracking-public-service-prod06.ol.epicgames.com

NVIDIA Gefore Experience 1

gfe.nvidia.com
nvgs.nvidia.cn

Chick-Fil-A App 1

tmetrix.my.chick-fil-a.com

imgur 1 2

js.media-lab.ai

CBS News livestream 1 2

doppler-config.cbsivideo.com
production-cmp.isgprivacy.cbsi.com
pubads.g.doubleclick.net
tags.tiqcdn.com 

FiveThirtyEight videos / National Geographic website 1

dcf.espn.com

Men's Health videos 1

glimmer.hearstapps.com

Ghostery Analytics (opt-in)

User data is removed. Contributes to the Human Web and WhoTracks.me data

collector-hpn.ghostery.net
collector-hpn.privacy.ghostery.net
d.ghostery.com

Settings ⚙️

Logs

Storage location → Switzerland

Block Page

⚠️ Enabling may cause breakage if the NextDNS Root CA is not on your devices. This setting also breaks iCloud Private Relay, Yahoo! Mail, and the NAVER app.

Enable Block Page

Anonymized EDNS Client Subnet 1

Enable Anonymized EDNS Client Subnet

Cache Boost 1

Enable Cache Boost

CNAME Flattening 1 2 3

⚠️ Enabling may cause breakage with Yahoo! Mail and cause issues with some blocklists.

Enable CNAME Flattening

Web3 1 2

Enable Web3 → (optional)

FAQ ❓

How do I signup for NextDNS?

Click here!

Should I pay for NextDNS?

For the rich features it provides, NextDNS is very affordable at $19.90/year for unlimited devices. NextDNS pays for itself if it saves my family from a malicious incident.

Why am I still seeing ads?

Not all ads can be blocked at the DNS level.1 2 You will need an ad blocker to block what's leftover.

This is because not all ads come from third-party domains; some ads come directly from the site you're visiting, like YouTube. DNS blockers stop the resolution of a domain, and content blockers filter page content. Click here to easily install a lightweight ad blocker.

Does the amount of features enabled affect the speed of NextDNS?1 2

The number of settings you toggle on will not affect your DNS latency.

Do I need to set DoH at browser-level if I already use NextDNS at system-level?

Unless you use a separate profile for the browser, it is not neccessary. However, I recommend setting it in your web browser anyway.

I have a router profile and a device profile. Which one does my device use?

The device will use the profile set by the NextDNS app or the installed root CA. However, if the device has not been configured to use a separate profile, then it will use the wifi/router configuration.1

What is the difference between security, privacy, and anonymity?

See article | video

Does NextDNS hide activity from my Internet Service Provider (ISP)?

No. NextDNS is only concerned about DNS traffic. You would need a quality VPN to hide all activity from your ISP.

I need a browser with ad blocking. Which one should I choose?

Choosing a browser is about as intimate as choosing a starter Pokémon, so here's a few caveats:

• The best browser on paper may not work well in real world usage (e.g., Brave is wonky with video playback on iOS).
• Browsers are tools! Use a variety of browsers depending on what you need to do.
• You should use various browsers (or browser profiles) for different areas of life (e.g., work, school, personal).

We based the recommendations below on a combination of effectiveness, resource efficiency, features, and ease of use.

Here are the suggested browsers for each operating system (OS):

Mobile

Desktop

Mentions 📚

User Comments

• See here

YouTube

• The ULTIMATE Guide to Mastering NextDNS! (July 2023) | clarifications

Articles

• Knot Resolver — with ad blocking (Dec 2022)
• Privacy Toolkit: NextDNS (Sept 2022)

Guides

• FMHY: DNS Adblocking → NextDNS → Guide
• hagezi/dns-blocklists → Online DNS services

Contributions

• Hagezi | mentions
• 1Hosts
• Easylist
• uBlock Origin
• AdGuard