Tutorial NextDNS: a DoH/ DoT guide

As Lenny_Fox requested a NextDNS guide with pictures, here we go - based on the Your NextDNS settings thread.

First, info about NextDNS can be read at: official Website & GitHub

I use and recommend using their service in the easiest way you can implement. For me that is on router level, so I don't need any software on the clients.

Setup Webinterface:

setup.png

The red-marked entry is the one I use in my Fritzbox router DNS settings. You should also add both the DNSv4 addresses from the right side ("DNS Servers") and the DNSv6 addresses from the left side ("IPv6") to your router, in case the encrypted DNS has problems for some reason.
If that's done, take a look at the top and if "All good!" is shown, your setup is finished! (y)

Now we will increase the setup to maximum protection:

Security Webinterface:

security.png

Privacy Webinterface:

privacy.png

Parental Control Webinterface:

parental control.png

Denylist Webinterface:

denylist.png

Allowlist Webinterface:

allowlist.png

Settings Webinterface:

settings.png

Done!

Also, don't forget to activate 2FA for your account:

account.png
___________________________________________

Update February 2021:

Changes:
  • moving from NextDNS default list + Unchecky filterlist to "OISD" filterlist for less false positives and better maintained list
  • enable "Allow Affiliate & Tracking Links"
  • add "Dating" to Parental Control

 
Last edited by a moderator:

SecurityNightmares

Level 37
Verified
Jan 9, 2020
2,661
What the hell is pubnub.pubnub? According to NextDNS, 45% of my blocked web traffic is that site.
VirusTotal doesn't know this domain, so it's maybe a random one which your browser (Chrome?) tries to access to check your network connectivity.
I guess because of blocking it, the browser tries again and again.

Edit:
With your screenshot I see that you misspelled the domain.
As oldschool already solved it, I only add this info:

PubNub is a Realtime Communication Platform and realtime infrastructure-as-a-service (IaaS) company based in San Francisco, California. The company makes products for software and hardware developers to build realtime web, mobile, and Internet of Things (IoT) applications.
PubNub is a notification service / API like Google Cloud Messaging (GCM). You have an app that is using its services.
 
Last edited:

Lenny_Fox

Level 21
Verified
Oct 1, 2019
1,060
1608678659391.png


Better enable DHCP reservation and assign names to the reserved IPs in your router. DHCP reservation is the best of both worlds of manual static IP allocation to devices and automated dynamic IP allocation. This way it is easier to track which device is causing this traffic (I assume that it is possible to see which IP generated that traffic in the NextDNS reports).
 

Lenny_Fox

Level 21
Verified
Oct 1, 2019
1,060
Something strange is happening with my ISP, when I use third-party DNS service (no matter which NextDNS, Quad9, OpenDNS, Cloud, Google) the first open of any website takes about 3 seconds longer. I checked the IP4 & IP6 properties of my Wifi adaptor (all empty, using default). Strangely when connecting to my VPN (BulletVPN), first connect time is faster than my ISP (Ziggo).

Any Dutch forum members on Ziggo also using NextDNS and having a noticeable delay for the first website to connect (e.g. CNN.com)?
 

SecurityNightmares

Level 37
Verified
Jan 9, 2020
2,661
Something strange is happening with my ISP, when I use third-party DNS service (no matter which NextDNS, Quad9, OpenDNS, Cloud, Google) the first open of any website takes about 3 seconds longer. I checked the IP4 & IP6 properties of my Wifi adaptor (all empty, using default). Strangely when connecting to my VPN (BulletVPN), first connect time is faster than my ISP (Ziggo).

Any Dutch forum members on Ziggo also using NextDNS and having a noticeable delay for the first website to connect (e.g. CNN.com)?
Do nslookup and tracert tests with and without the ISP DNS.
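To make the "with and without ISP DNS" comparison suggested above repeatable, here is an added example (not code from the thread or from NextDNS) that times raw UDP DNS queries against several resolvers and records whether the first (cold) and second (warm, cached) lookup differ. The resolver addresses 192.0.2.1 and 192.0.2.2 are placeholders from the documentation range; substitute your ISP's resolver and the NextDNS addresses shown on your Setup page.

```python
# Added example (not from the thread): time plain UDP DNS lookups against
# several resolvers, as a repeatable form of the "with and without ISP DNS" test.
import socket, struct, time, random

def build_query(name: str, qtype: int = 1) -> tuple[int, bytes]:
    """Build a DNS wire-format query (RFC 1035) with a random ID and RD set."""
    txid = random.randrange(0, 65536)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return txid, header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_response(txid: int, data: bytes) -> dict:
    """Return rcode/answer count; reject replies whose ID does not match ours
    (a stale or spoofed reply would otherwise be timed as a real answer)."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return {"rcode": flags & 0x000F, "answers": an, "truncated": bool(flags & 0x0200)}

def time_lookup(resolver: str, name: str, timeout: float = 3.0) -> dict:
    """Send one query to resolver:53 and return round-trip time in ms plus header fields."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        s.sendto(query, (resolver, 53))
        data, _ = s.recvfrom(4096)
        elapsed = (time.perf_counter() - start) * 1000
    return {"ms": round(elapsed, 1), **parse_response(txid, data)}

if __name__ == "__main__":
    # Constructed placeholders: put your ISP resolver and the NextDNS IPs here.
    resolvers = {"ISP": "192.0.2.1", "NextDNS": "192.0.2.2"}
    for label, ip in resolvers.items():
        for attempt in ("cold", "warm"):   # the second query should hit the resolver cache
            try:
                print(label, attempt, time_lookup(ip, "cnn.com"))
            except (socket.timeout, ValueError) as exc:
                print(label, attempt, "failed:", exc)
```

A large cold/warm gap on one resolver but not another points at upstream resolution, while a gap on all of them points at the local network path.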
 

Gandalf_The_Grey

Level 47
Verified
Trusted
Content Creator
Apr 24, 2016
3,606
Something strange is happening with my ISP, when I use third-party DNS service (no matter which NextDNS, Quad9, OpenDNS, Cloud, Google) the first open of any website takes about 3 seconds longer. I checked the IP4 & IP6 properties of my Wifi adaptor (all empty, using default). Strangely when connecting to my VPN (BulletVPN), first connect time is faster than my ISP (Ziggo).

Any Dutch forum members on Ziggo also using NextDNS and having a noticeable delay for the first website to connect (e.g. CNN.com)?
No troubles here, but I don't use NextDNS and I turned off Quad9 as secure DNS in Edge.
Maybe there lies your problem?
Ziggo's default DNS are still the fastest for me.
 

SeriousHoax

Level 35
Verified
Mar 16, 2019
2,437
Continuing the discussion of the thread here since it's NextDNS related.

Only if you activate those filters with NEXTDNS right? Or does the default NEXTDNS filter already cover it? I usually don't use a lot of filters in NEXTDNS because if it breaks something, it's harder to disable than ublock/adguard. Actually I'm just using the default filter + AdGuard DNS filter + AdGuard Mobile Ads filter. Besides that, I'm not sure if all those lists (e.g. Easylist) work well to block at the DNS level. What do you think?
@Gangelo is right. NextDNS default + Adguard DNS filter basically covers most things. I'm also using these two only and don't think I need more because my adblocker extension (uBO) will cover the rest + cosmetic filters.
Were those tests made with only the default filter?
Enable these two options if you haven't already. This will do and also you may enable what @JoyousBudweiser suggested above for even more security.
1.PNG
There's also a bonus tracking protection feature called Native Tracking Protection. I have Xiaomi, Huawei and Samsung device in my home, so I've enabled this.
2.PNG 3.PNG
 

HarborFront

Level 58
Verified
Content Creator
Oct 9, 2016
4,784
DNSSEC, i.e. secure DNS lookup, will take extra time to get the verification done, that's why you feel it is slow. You don't need to enable it unless you are in need of ultra-secure DNS query replies.
The flag 'Secure DNS lookups' in my Ungoogled Chromium looks like it no longer exists. Not sure about Chrome/Brave. In its place, it has the following to set your DoT/DoH server:

1610095987601.png
 
Last edited:

HarborFront

Level 58
Verified
Content Creator
Oct 9, 2016
4,784
Continuing the discussion of the thread here since it's NextDNS related.


@Gangelo is right. NextDNS default + Adguard DNS filter basically covers most things. I'm also using this two only and don't think I need more because my adblocker extension (uBO) will cover the rest + cosmetic filters.

Enable these two options if you haven't already. This will do and also you may enable what @JoyousBudweiser suggested above for even more security.
There's also a bonus tracking protection feature called Native Tracking Protection. I have Xiaomi, Huawei and Samsung device in my home, so I've enabled this.
After looking through the security/privacy filters in NextDNS they are more or less the same used in Adguard for desktop. Anything less you can obtain from filterlists.com or github. If I need the NextDNS app for desktop I would only use those features not available in Adguard and leave all the security/privacy filters to be handled by Adguard.

Just found out that setting NextDNS in my Adguard for desktop overrides the DNS server in my VPN.
 
Last edited:

silversurfer

Level 72
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,108
The flag 'Secure DNS lookups' in my Ungoogled Chromium looks like no more existing. Not sure about Chrome/Brave. In place, it has the following to set your DoT/DoH server

Confirmed here on Brave, this flag "Secure DNS lookups" probably was removed since major Chromium-based browsers now offer built-in settings for DoH.

DoH.png
 

SeriousHoax

Level 35
Verified
Mar 16, 2019
2,437
After looking through the security/privacy filters in NextDNS they are more or less the same used in Adguard for desktop. Anything less you can obtain from filterlists.com or github. If I need the NextDNS app for desktop I would only use those features not available in Adguard and leave all the security/privacy filters to be handled by Adguard.

Just found out that setting NextDNS in my Adguard for desktop overrides the DNS server in my VPN.
NextDNS is host based so different from Adguard desktop. You may get rid of host based filters on Adguard if you have enabled any while using NextDNS to reduce the load and possibly improve performance in page loading and CPU usage.
 

HarborFront

Level 58
Verified
Content Creator
Oct 9, 2016
4,784
NextDNS is host based so different from Adguard desktop. You may get rid of host based filters on Adguard if you have enabled any while using NextDNS to reduce the load and possibly improve performance in page loading and CPU usage.
NextDNS is free, but I bought Adguard for desktop so must make it work harder.

Won't be using NextDNS anytime soon since its DoT is slower than Adguard DoT. Also, YogaDNS (a front for NextDNS) doesn't support DoT.
 

SeriousHoax

Level 35
Verified
Mar 16, 2019
2,437
NextDNS is free, but I bought Adguard for desktop so must make it work harder.

Won't be using NextDNS anytime soon since its DoT is slower than Adguard DoT. Also, YogaDNS (a front for NextDNS) doesn't support DoT.
Hehe. That's an interesting way to look at it. Less load on the CPU + possibly slightly faster performance seems the better option to me. Anyway, no problem if you prefer it that way.

Yes, YogaDNS doesn't support DoT. It supports DoH, which is what I'm using. The protocol is set as NextDNS in YogaDNS. NextDNS themselves prefer DoH. Any reason why you prefer DoT?
 

Tiamati

Level 11
Verified
Nov 8, 2016
513
There's also a bonus tracking protection feature called Native Tracking Protection. I have Xiaomi, Huawei and Samsung device in my home, so I've enabled this.
Any idea if this could affect the performance or security updates of those brand smartphones?

@Gangelo is right. NextDNS default + Adguard DNS filter basically covers most things. I'm also using this two only and don't think I need more because my adblocker extension (uBO) will cover the rest + cosmetic filters.
I added the mobile filter because I was using it to block ads on my smartphone. Does NextDNS default + Adguard DNS filter already cover those types of ads and trackers?

PLUS: any idea how to cosmetic-filter the blocked ads from NEXTDNS?

Enable these two options if you haven't already. This will do and also you may enable what @JoyousBudweiser suggested above for even more security.
Ty!
 

HarborFront

Level 58
Verified
Content Creator
Oct 9, 2016
4,784
Hehe. That's an interesting way to look at it. Less load on the CPU + possibly slightly faster performance seems the better option to me. Anyway, no problem if you prefer it that way.

Yes, YogaDNS doesn't support DoT. It supports DoH, which is what I'm using. The protocol is set as NextDNS in YogaDNS. NextDNS themselves prefer DoH. Any reason why you prefer DoT?
Read my post #130 here

 

SecurityNightmares

Level 37
Verified
Jan 9, 2020
2,661
Any idea if this could affect the performance or security updates of those brand smartphones?
In the worst case, false positives block such updates, yes. This was always the case with a lot of filter lists (not NextDNS related).

Performance-wise it's reduced because the device will try to connect again and again to the blocked server, which ends in reduced battery and higher temperature.

Privacy-wise the phone vendor can establish connections anyway, e.g. with direct IP connections.
 

Jan Willy

Level 6
Jul 5, 2019
295
PLUS: any idea how cosmetic filter the blocked ads from NEXTDNS?
On DNS level, cosmetic filtering is not possible. It's just blocking or passing. For cosmetic filtering I use Adguard for Windows (desktop app). It's a very personal choice, I know there are people who don't like cosmetic filtering or just think they don't need it. Anyway, it's not a matter of security or privacy.
 

Gangelo

Level 4
Verified
Jul 29, 2017
188
I added the mobile filter because I was using it to block ads on my smartphone. Does NextDNS default + Adguard DNS filter already cover those types of ads and trackers?
As I previously mentioned, yes you are covered because Adguard DNS filter includes the mobile ads filter. Also, the NextDNS recommended filter covers mobile ads.
These two filters combined are all you need.

PLUS: any idea how to cosmetic-filter the blocked ads from NEXTDNS?

Unfortunately, DNS filtering cannot do cosmetic changes and that is why it should be combined with a browser extension such as Adguard or Ublock Origin.
Despite the cosmetic side of things, extensions can filter specific elements in a webpage that DNS filtering cannot.
DNS filtering can block domains only.
 

Tiamati

Level 11
Verified
Nov 8, 2016
513
Unfortunately, DNS filtering cannot do cosmetic changes and that is why it should be combined with a browser extension such as Adguard or Ublock Origin.
Despite the cosmetic side of things, extensions can filter specific elements in a webpage that DNS filtering cannot.
DNS filtering can block domains only.
Tyvm! I'll disable the mobile filter then.

I use Edge for Android with ABP activated, so browsing is not a problem. However, some apps use their own "browsers" and eventually I deal with unsolved ads (blocked by DNS).
 