My NextDNS Setup

July 23, 2024

NextDNS protects you from all kinds of security threats, blocks ads and trackers on websites and in apps and provides a safe and supervised Internet for kids — on all devices and on all networks.

Signup

Sign up for NextDNS here and support me!

https://nextdns.io/?from=wpp35fr3

Linked IP (Setup on my iPhone)

If you are unable to set up NextDNS using our apps, DNS-over-TLS, DNS-over-HTTPS or IPv6, then use the DNS servers below and link your IP. This is mostly for use on home networks and not recommended on mobile.

💡
By employing this method, your network IP will be automatically updated on NextDNS each time you restart your home network device.

You can also programmatically update your linked IP by calling.

  • Navigate to Settings > Wi-Fi to reach the proxy configuration on your iPhone.
  • Select the name of the Wi-Fi network you're currently connected to.
  • Scroll down, and you'll find the "Configure Proxy" option at the bottom of the display.
  • Choose "Auto" and enter an address formatted like this: https://link-ip.nextdns.io/4957ba/9541288ae9febb35.

Setup Guide

    Follow the instructions below to set up NextDNS on your device, browser or router.

    NextDNS for Routers (This is my current setup)

    Only works on routers that can run executables.

    Head over to our open-source repository at https://github.com/nextdns/nextdns/wiki for installation instructions.

    IPv6

    1. Open the preferences for your router. Usually you can access it from your browser via a URL (like http://192.168.0.1/ or http://192.168.1.1/).
    2. Locate the DNS settings inside the interface.
    3. Remove all addresses (if any) then add 2a07:a8c0::49:57ba and 2a07:a8c1::49:57ba.
    4. Click Save (or similar).
    ⚠️
    Some routers may not support the IPv6 notation above. In that case, use 2a07:a8c0:0000:0000:0000:0000:0049:57ba and 2a07:a8c1:0000:0000:0000:0000:0049:57ba.

    IPv4 (with Linked IP)

    1. Open the preferences for your router. Usually you can access it from your browser via a URL (like http://192.168.0.1/ or http://192.168.1.1/).
    2. Locate the DNS settings inside the interface.
    3. Remove all addresses (if any) then add 45.90.28.14 and 45.90.30.14.
    4. Click Save (or similar).

    Security

    Protect yourself against malware and phishing attacks, cryptojacking and more.

    Determine your threat model and fine-tune your security strategy by enabling 10+ different types of protections.

    Use the most trusted threat intelligence feeds containing millions of malicious domains — all updated in real-time.

    Go beyond the domain — we analyze DNS questions and answers on-the-fly (in a matter of nanoseconds) in order to detect and block malicious behavior.

    With usually only a few hours between domain registration and the start of an attack, our threat intelligence system is built to catch malicious domains earlier than classic security solutions.

    Threat Intelligence Feeds

    Block domains known to distribute malware, launch phishing attacks and host command-and-control servers using a blend of the most reputable threat intelligence feeds — all updated in real-time.

    AI-Driven Threat Detection (Beta)

    Block millions of threats detected by our AI technology — a proprietary AI engine designed from the ground up for DNS with hundreds of signals, terabytes of training data and real-time decision making.

    Google Safe Browsing

    Block malware and phishing domains using Google Safe Browsing — a technology that examines billions of URLs per day looking for unsafe websites. Unlike the version embedded in some browsers, this does not associate your public IP address to threats and does not allow bypassing the block.

    Cryptojacking Protection

    Prevent the unauthorized use of your devices to mine cryptocurrency.

    DNS Rebinding Protection

    Prevent attackers from taking control of your local devices through the Internet by automatically blocking DNS responses containing private IP addresses.
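The check described above, sketched as an added example (not NextDNS's code and not part of the original post). It assumes "private" means what Python's `ipaddress` module classifies as private, loopback or link-local; the sample names and addresses are constructed.

```python
import ipaddress

def local_answers(answers):
    """Return the answer addresses that point into local address space."""
    hits = []
    for text in answers:
        ip = ipaddress.ip_address(text)
        # ::ffff:10.0.0.5 is an IPv4 address wrapped in IPv6; judge the inner one.
        inner = getattr(ip, "ipv4_mapped", None) or ip
        if inner.is_private or inner.is_loopback or inner.is_link_local:
            hits.append(text)
    return hits

def filter_response(qname, answers):
    """Block the whole response if any record targets a local address."""
    hits = local_answers(answers)
    return ("blocked", hits) if hits else ("passed", [])

# Constructed sample responses (names and addresses are made up for the example).
SAMPLES = {
    "cdn.example.com": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "192.168.1.1"],
    "v6.example.net": ["fd00::10"],
    "mapped.example.net": ["::ffff:10.0.0.5"],
}

if __name__ == "__main__":
    for name, answers in SAMPLES.items():
        print(name, filter_response(name, answers))
```

A response mixing one public and one private record is still blocked, because the rebinding step only needs a single local answer to succeed.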

    IDN Homograph Attacks Protection

    Block domains that impersonate other domains by abusing the large character set made available with the arrival of Internationalized Domain Names (IDNs) — e.g. replacing the Latin letter "e" with the Cyrillic letter "е".
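One simple way to spot the "e" versus "е" substitution described above is to flag labels whose letters come from more than one script. This is an added example, not NextDNS's detection logic; it takes the script from the first word of each character's Unicode name, which is an assumption that holds for Latin, Cyrillic and Greek letters.

```python
import unicodedata

def to_unicode(label):
    """Decode an xn-- (punycode) label so its real characters can be inspected."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label

def scripts(label):
    """Scripts used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def mixed_script_labels(domain):
    """Return {label: sorted scripts} for labels that mix more than one script."""
    found = {}
    for raw in domain.rstrip(".").split("."):
        label = to_unicode(raw)
        used = scripts(label)
        if len(used) > 1:
            found[label] = sorted(used)
    return found

if __name__ == "__main__":
    # Constructed samples: the second name uses Cyrillic U+0435 in place of "e".
    for name in ["google.com", "googl\u0435.com"]:
        print(repr(name), mixed_script_labels(name))
```

A label written entirely in one non-Latin script passes this check, so whole-script lookalikes need a confusables table rather than a script count.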

    Typosquatting Protection

    Block domains registered by malicious actors that target users who incorrectly type a website address into their browser — e.g. gooogle.com instead of google.com.

    Domain Generation Algorithms (DGAs) Protection

    Block domains generated by Domain Generation Algorithms (DGAs) seen in various families of malware that can be used as rendezvous points with their command and control servers.

    Block Newly Registered Domains (NRDs)

    Block domains registered less than 30 days ago. Those domains are known to be favored by threat actors to launch malicious campaigns.

    Block Dynamic DNS Hostnames

    Dynamic DNS (or DDNS) services let malicious actors quickly set up hostnames for free and without any validation or identity verification. While legit DDNS hostnames are rarely accessed in every-day use, their malicious counterparts are heavily used in phishing campaigns — e.g. paypal‑login.duckdns.org.

    If you are using DDNS, note that this setting will not block the DDNS services' own website or their update API.

    Block Parked Domains

    Parked domains are single-page websites often laden with ads and devoid of any value. Parked domain monetization can sometimes get mixed up with suspicious practices and malicious content.

    Block Top-Level Domains (TLDs)

    Block all domains and subdomains belonging to specific TLDs.

    .work
    .fit
    .surf
    .review
    .asia
    .tokyo
    .cn
    .monster
    .info
    .机构

    Block Child Sexual Abuse Material

    Block domains hosting child sexual abuse material with the help of Project Arachnid, operated by the Canadian Centre for Child Protection. No information is transmitted back to Project Arachnid when a domain is blocked.

    Privacy

    Block ads and trackers on websites and in apps — including the most devious ones.

    Use the most popular ads & trackers blocklists — millions of domains all updated in real-time.

    With Native Tracking Protection, block wide spectrum trackers that record your activity on a device at the operating system level.

    Detect and block third-party trackers disguising themselves as first-party to circumvent browsers' privacy protections like ITP.

    Blocklists

    Block ads & trackers using the most popular blocklists available — all updated in real-time.

    Name | Description
    hBlock | Improve your security and privacy by blocking ads, tracking and malware domains.
    OISD | Internet's #1 domain blocklist. Blocks Ads, Mobile Ads, Phishing, Malvertising, Malware, Tracking, Telemetry, CryptoJacking, Analytics, Spyware, Ransomware, Exploit, Fraud, Abuse, Scam, Spam, Hijack, Misleading Marketing.
    NextDNS Ads & Trackers Blocklist | A comprehensive blocklist to block ads & trackers in all countries. This is the recommended starter blocklist.
    Goodbye Ads | Specially Designed for Mobile Ad Protection.
    ABPVN List | The ABP advertising filter is built with the mission of improving the browsing experience for users and for the Vietnamese.
    hostsVN | Ad-blocking hosts list by Vietnamese people.

    Native Tracking Protection (Beta)

    Block wide spectrum trackers — often operating at the operating system level — that track your activity on a device. This could include all the websites you visit, everything you type or your location at all times.

    Name | Description
    Windows | All versions
    Apple | iOS, macOS, tvOS
    Samsung | Phones, Tablets, Smart TVs
    Xiaomi | Phones & Tablets, Smart TVs, Routers
    Huawei | Phones & Tablets
    Amazon Alexa | Alexa-enabled devices
    Roku | All Roku devices
    Sonos | Speakers

    Block Disguised Third-Party Trackers

    Automatically detect and block third-party trackers disguising themselves as first-party to circumvent recent browsers' privacy protections like ITP.

    Allow Affiliate & Tracking Links

    Allow affiliate & tracking domains common on deals websites, in emails or in search results. Those usually only get called after manually clicking on a link.

    Your IP address will automatically be hidden from those websites to preserve your privacy.

    Parental Control

    Protect your kids and control what they can access online, and when.

    Block all websites containing porn, violence, piracy and more.

    Enforce SafeSearch — filter explicit results on all search engines, including images and videos.

    Enforce YouTube Restricted Mode — filter mature videos on YouTube and other websites.

    Block specific websites, apps and games — Facebook, Tinder, Fortnite and many more.

    With Recreation Time, only allow access to some websites, apps or games during specific times each day.

    Categories

    Restrict access to specific categories of websites and apps.

    SafeSearch

    Filter explicit results on all major search engines, including images and videos. This will also block access to search engines not supporting this feature.

    Block Bypass Methods

    Prevent or hinder the use of methods that can help bypass NextDNS filtering on the network. This includes VPNs, proxies, Tor-related software and encrypted DNS providers.

    Denylist

    Denying a domain will automatically deny all its subdomains.
    gliavideo.com

    Allowlist

    Allowing a domain will automatically allow all its subdomains. Allowing takes precedence over everything else, including security features.
    logrocket.com
    umami.is
    viblo.asia
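How the lists on this page interact, as an added example (not NextDNS's implementation and not part of the original post). It models only the three rules stated here: per-label subdomain matching, allow before everything else, and TLD blocking; the function names and result strings are hypothetical.

```python
# The profile shown on this page, transcribed as data.
BLOCKED_TLDS = ["work", "fit", "surf", "review", "asia", "tokyo", "cn",
                "monster", "info", "机构"]
DENYLIST = ["gliavideo.com"]
ALLOWLIST = ["logrocket.com", "umami.is", "viblo.asia"]

def normalize(name):
    """Lower-case, drop the root dot, convert IDN labels to their xn-- form."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name

def suffixes(name):
    """'a.b.com' -> ['a.b.com', 'b.com', 'com']; matching is per label."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

ALLOW = {normalize(d) for d in ALLOWLIST}
DENY = {normalize(d) for d in DENYLIST}
TLDS = {normalize(t) for t in BLOCKED_TLDS}

def decide(qname):
    """Return 'allowed', 'denied', 'blocked-tld' or 'no-match' for a query name."""
    candidates = suffixes(normalize(qname))
    if any(c in ALLOW for c in candidates):   # allow wins over everything else
        return "allowed"
    if any(c in DENY for c in candidates):
        return "denied"
    if candidates[-1] in TLDS:
        return "blocked-tld"
    return "no-match"                         # left to the other filters

if __name__ == "__main__":
    for q in ["viblo.asia", "images.viblo.asia", "other.asia",
              "www.gliavideo.com", "notgliavideo.com", "Example.INFO."]:
        print(q, "->", decide(q))
```

The `viblo.asia` entry is what keeps that site reachable while `.asia` is blocked, and because allowing bypasses the security features too, every subdomain of an allowlisted domain is exempt from the threat feeds as well.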

    Settings

    Logs

    Fine tune your Logs settings.

    Privacy adjustments

    Retention

    2 years

    Storage location

    Switzerland

    Block Page

    Display a block page when a domain is being blocked. This may slightly increase page load time and an HTTPS warning may appear in some cases. When disabled, blocked queries will be answered with the unspecified address (0.0.0.0 or ::).

    NextDNS Root CA: Remove the HTTPS warning when loading the block page by installing and trusting our root CA at https://nextdns.io/ca. Read instructions on how to do this here.

    Performance

    Speed up your browsing.

    Anonymized EDNS Client Subnet

    Speed up the delivery of data from content delivery networks without exposing your IP address.

    Cache Boost

    Minimize DNS queries by enforcing a minimum TTL (Time to live).

    CNAME Flattening

    Prevent CNAME-chasing resolvers from making unnecessary queries and polluting the logs with intermediate domains.

    Web3 (Beta)

    Web3 refers to a decentralized and censorship-resistant online ecosystem comprised of innovative technologies such as blockchain-based domain registries (e.g. Ethereum Name Service) and distributed content storage and delivery networks (e.g. IPFS). When enabled, NextDNS will act as an unfiltered gateway to this new Web, letting you experience it firsthand without the need to install anything.

    As most browsers only support classic top-level domains at the moment, you should add a trailing slash ("/") when trying to access a Web3 domain directly (e.g. "vitalik.eth/" instead of "vitalik.eth").

    Access (Beta)

    Provide editing or viewing-only access to this profile to others.

    You can tap "Duplicate My Home" to replicate all settings or to create a new profile based on the current one.
    ⚠️
    Kindly consult the configuration on my NextDNS and refrain from modifying any settings or accounts.

    Account login details are for viewing only

    Email: [email protected]

    Password: Demo123678459

    Click here to duplicate my settings: https://my.nextdns.io/4957ba/settings