Tutorial NextDNS: a DoH/ DoT guide

As Lenny_Fox requested a NextDNS guide with pictures, here we go - based on the Your NextDNS settings thread.

First, info about NextDNS can be read at: official Website & GitHub

I use and recommend using their service in the easiest way you can implement. For me that is on the router level, so I don't need any software on the clients.

Setup Webinterface:

setup.png

The red-marked entry is the one I use in my Fritzbox router DNS settings. You should also add both DNSv4 from the right side ("DNS Servers") and DNSv6 from the left side ("IPv6") to your router, in case the encrypted DNS has problems for some reason.
Once that's done, take a look at the top: if "All good!" is listed, your setup is finished! (y)

Now we will increase the setup to maximum protection:

Security Webinterface:

security.png

Privacy Webinterface:

privacy.png

Parental Control Webinterface:

parental control.png

Denylist Webinterface:

denylist.png

Allowlist Webinterface:

allowlist.png

Settings Webinterface:

settings.png

Done!

Also don't forget to activate 2FA for your account!:

account.png
___________________________________________

Update February 2021:

Changes:
  • moving from the NextDNS default list + Unchecky filterlist to the "OISD" filterlist for fewer false positives and a better maintained list
  • enable "Allow Affiliate & Tracking Links"
  • add "Dating" to Parental Control

Since Lenny_Fox asked for a NextDNS tutorial with pictures, here it goes - based on the thread Q&A - Your NextDNS settings.

Information about NextDNS can be read on the official website and on GitHub.

I use and recommend implementing NextDNS in the simplest way possible in your own setup. For me, it's at the router level, so I don't need any software on the clients.

NextDNS web interface -> Setup:

Setup.png

The data marked in red is what I use in the DNS settings of my Fritzbox router.

Both DNSv4 from the right side ("DNS Servers") and DNSv6 from the left side ("IPv6") should be configured in the router if for some reason the encrypted DNS causes problems. This way you have a fallback.
Once this is done, the web interface should say "All good!" at the top and the basic setup is complete! (y)

Now we will increase the whole thing to maximum protection:

NextDNS web interface -> Security:

Security.png

NextDNS web interface -> Privacy:

Privacy.png

NextDNS web interface -> Parental Control:

Parental Control.png

NextDNS web interface -> Denylist:

Denylist.png

NextDNS web interface -> Allowlist:

Allowlist.png

NextDNS web interface -> Settings:

Settings.png

Done!

You should also activate two-factor authentication (2FA) for your account!:

2FA.png
 

JoyousBudweiser

Do you use only NextDNS' own filters?
At the beginning, use only a smaller number of filters. Add filters only when you are comfortable with the existing filters. You will need to populate the "allow list" at a certain point of your usage, and once you have had the allow list cover all your essential items, you can add any number of filters without any issue. I have around 30 or so items in my allow list, and I have enabled around 10 filter lists without any issue. But it took me more than a month to fine-tune my allow list.
 

Jan Willy

As the NextDNS team does great work with their list, using AdGuard's isn't needed anyway.
I agree. In NextDNS I only use Steven Black's list. This is in line with the default NextDNS filter list but without the Asian rules. Cosmetic filtering, which NextDNS can't do, takes place in AdGuard Desktop. All in all a simple, light and effective solution.
 

JoyousBudweiser

I'm using the NextDNS app on my laptop, not on my modem because it's an ISP device. It seems like my browsers run better without Secure DNS lookups flag enabled.

What are other users doing with this flag? :unsure:
DNSSEC, i.e. secure DNS lookup, will take extra time to get the verification done; that's why it feels slow to you. You don't need to enable it unless you need ultra-secure DNS query replies.
 

SecurityNightmares

I've currently enabled the following blocklists and it seems to have been working well for me:
  • NextDNS
  • Easy Privacy
  • Fanboy's Enhanced Tracking
You can take a look at the statistics in your account and see which list blocks how many domains.
I found out that the default NextDNS list blocks the most with the fewest errors.

But if that setup works for you, good :emoji_beer:
 

JoyousBudweiser

Is there any way to set custom DoH of NextDNS on Simple DNSCrypt?
It can be done, but Simple DNSCrypt requires you to set the DNS IP address to 127.0.0.1, and Windows 10 will then say there is no internet connection, so Windows 10 apps from the Store will not work. Select NextDNS from the list, then...
1. Navigate to C:\Program Files\bitbeans\Simple DNSCrypt x64\dnscrypt-proxy.
2. Open the dnscrypt-proxy.toml file in your Notepad application. (Open Notepad with admin privileges)
3. Scroll to the bottom where it says [sources] and add the following:
# server_names is a top-level key, so it must come before any [table] header
server_names = ["nextdns-custom-name", "second_dns_resolver"]

[static."nextdns-custom-name"]
stamp = 'sdns://[your key from your dashboard]'

example...

server_names = ['NextDNS-764621']

[static]
[static.'NextDNS-764621']
stamp = 'sdns://AgEAAAAAAAAACjQ1LjkwLjI4LjAADmRucy5uZXh0ZG5zLmlvBy42NjY2MjE'

You can get this sdns stamp in your NextDNS account: just go to Setup > Setup guide > choose Routers... scroll down... to DNSCrypt...
 
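A stamp like the one posted above is opaque base64, so it is worth decoding before pasting it into dnscrypt-proxy: you can see which resolver address, hostname and path it actually points at, and whether flags such as DNSSEC are set. The following decoder is an added example, not code from the post or from the dnscrypt-proxy project; it follows the published DNS stamp layout (protocol byte, 64-bit little-endian properties, then length-prefixed fields) and parses the exact stamp quoted in the thread. The function and field names are my own.

```python
import base64
import struct

# Protocol identifiers from the DNS stamps specification
STAMP_PROTOCOLS = {
    0x00: "Plain DNS",
    0x01: "DNSCrypt",
    0x02: "DNS-over-HTTPS",
    0x03: "DNS-over-TLS",
}

# The stamp posted in the thread (NextDNS DoH stamp)
SAMPLE_STAMP = "sdns://AgEAAAAAAAAACjQ1LjkwLjI4LjAADmRucy5uZXh0ZG5zLmlvBy42NjY2MjE"


def _read_lp(buf, pos):
    """Read one length-prefixed string (single length byte)."""
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n], pos + 1 + n


def _read_vlp(buf, pos):
    """Read a set of length-prefixed strings; a set high bit means another follows."""
    items = []
    while True:
        n = buf[pos]
        more = bool(n & 0x80)
        n &= 0x7F
        item = buf[pos + 1:pos + 1 + n]
        pos += 1 + n
        if n:
            items.append(item)
        if not more:
            return items, pos


def decode_stamp(stamp):
    """Return a dict describing what an sdns:// stamp encodes."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    raw = stamp[len("sdns://"):]
    # url-safe base64 without padding; restore the padding before decoding
    data = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))

    proto = data[0]
    props = struct.unpack("<Q", data[1:9])[0]
    result = {
        "protocol": STAMP_PROTOCOLS.get(proto, f"unknown (0x{proto:02x})"),
        "dnssec": bool(props & 1),
        "no_logs": bool(props & 2),
        "no_filter": bool(props & 4),
    }
    pos = 9
    addr, pos = _read_lp(data, pos)
    result["address"] = addr.decode()

    if proto == 0x01:  # DNSCrypt: provider public key, then provider name
        pk, pos = _read_lp(data, pos)
        result["provider_pk"] = pk.hex()
        name, pos = _read_lp(data, pos)
        result["provider_name"] = name.decode()
    elif proto in (0x02, 0x03):  # DoH / DoT: cert hashes, hostname, (DoH) path
        hashes, pos = _read_vlp(data, pos)
        result["cert_hashes"] = [h.hex() for h in hashes]
        host, pos = _read_lp(data, pos)
        result["hostname"] = host.decode()
        if proto == 0x02:
            path, pos = _read_lp(data, pos)
            result["path"] = path.decode()
        if pos < len(data):  # optional bootstrap IPs
            boots, pos = _read_vlp(data, pos)
            result["bootstrap_ips"] = [b.decode() for b in boots]
    return result


if __name__ == "__main__":
    for key, value in decode_stamp(SAMPLE_STAMP).items():
        print(f"{key:14} {value}")
```

For a NextDNS DoH stamp the path is what ties the resolver to your own configuration, so checking that the decoded path matches the ID shown in your dashboard (and that the hostname is the one you expect) is a quick sanity check before trusting a stamp copied from anywhere other than your own account page.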

Tiamati

I can't recommend adding AdGuard lists to NextDNS any longer.
Watch their activity at fixing new problems: they just need too long (many days to weeks), which is just too long for DNS filtering.

As the NextDNS team does great work with their list, using AdGuard's isn't needed anyway.

  • NextDNS
  • Easy Privacy
  • Fanboy's Enhanced Tracking

Do you know if the non-DNS lists work at the DNS level? AdGuard is the only one I know that has its own DNS block list. They created a dedicated DNS list for a reason, I guess.

Furthermore, what do you know about the NextDNS company? Is it trustworthy?

Edit: any reason to keep logs on? I don't know if they are needed to cache normally used domains.
 

oldschool

Do you know if the non-DNS lists work at the DNS level?
I'm uncertain, but I assume that if a list like Easy Privacy, etc. is on the NextDNS list, it's written for the DNS level.
Furthermore, what do you know about NEXTDNS company? Is it trustworthy ?
IDK. Maybe @security123 @Lenny_Fox or other users know more than I.
any reason to keep logs on?
If you want to know which lists are blocking requests, then yes - e.g. I found a domain was blocked by Fanboyz Tracking list and removed it.
 

SecurityNightmares

Furthermore, what do you know about the NextDNS company? Is it trustworthy?
Trust is always a user decision. I trust them as they explain everything, provide configs for everything, build secure DNS servers and are active on GitHub & Reddit. They also respond fast and friendly & without nonsense.

Logs: you can fully disable them, but without them you can't find any problems. Also you can change the log location to the EU, Switzerland or the US. I use EU as I'm living in Germany but wouldn't use US in any case.
 