Tutorial NextDNS: a DoH/DoT guide

As Lenny_Fox requested a NextDNS guide with pictures, here we go - based on the "Your NextDNS settings" thread.

First, info about NextDNS can be found on the official website & GitHub.

I use and recommend using their service in the easiest way you can implement it. For me that is at router level, so I don't need any software on the clients.

Setup Webinterface:

setup.png

The red-marked entry is the one I use in my Fritzbox router's DNS settings. You should also add both the DNSv4 addresses from the right side ("DNS Servers") and the DNSv6 addresses from the left side ("IPv6") to your router, in case the encrypted DNS has problems for some reason.
Once that's done, look at the top: if "All good!" is shown, your setup is finished! (y)

Now we will increase the setup to maximum protection:

Security Webinterface:

security.png

Privacy Webinterface:

privacy.png

Parental Control Webinterface:

parental control.png

Denylist Webinterface:

denylist.png

Allowlist Webinterface:

allowlist.png

Settings Webinterface:

settings.png

Done!

Also, don't forget to activate 2FA for your account:

account.png
___________________________________________

Update February 2021:

Changes:
  • moving from the NextDNS default list + Unchecky filter list to the "OISD" filter list, for fewer false positives and a better maintained list
  • enable "Allow Affiliate & Tracking Links"
  • add "Dating" to Parental Control
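As an added example that is not part of the original post (and not NextDNS's own code), here is a minimal RFC 8484 DNS-over-HTTPS client in pure standard-library Python. It lets you check from a client that your profile's DoH endpoint actually answers before you rely on the router setup above. The endpoint URL and "PROFILE_ID" are placeholders (assumptions: NextDNS profile endpoints are of the form https://dns.nextdns.io/<id>), and the sample reply bytes are constructed so the parser can be exercised offline.

```python
"""Minimal RFC 8484 DNS-over-HTTPS client in pure standard-library Python.

Added example (not NextDNS's code). It encodes a wire-format DNS query,
POSTs it as application/dns-message, and decodes the answer so you can
confirm that your profile's DoH endpoint answers before you depend on it.
"""
import struct
import urllib.request

# Assumption: NextDNS profile endpoints look like https://dns.nextdns.io/<id>.
# "PROFILE_ID" is a placeholder; use the id shown in your Setup tab.
NEXTDNS_DOH = "https://dns.nextdns.io/PROFILE_ID"

A, AAAA = 1, 28


def build_query(name, qtype=A):
    """Encode a single-question query. ID 0 keeps the message identical for
    identical questions, which RFC 8484 recommends so HTTP caches can serve
    it; flags 0x0100 sets RD (recursion desired)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg):
    """Return the RCODE and any A/AAAA addresses in the answer section."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == A and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
        elif rtype == AAAA and rdlen == 16:
            addresses.append(":".join(
                f"{(rdata[i] << 8) | rdata[i + 1]:x}" for i in range(0, 16, 2)))
    return {"rcode": flags & 0x0F, "addresses": addresses}


def doh_lookup(name, endpoint=NEXTDNS_DOH, qtype=A):
    """POST the query (RFC 8484 section 4.1) and decode the reply. Network call."""
    request = urllib.request.Request(
        endpoint,
        data=build_query(name, qtype),
        method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(request, timeout=5) as response:
        return parse_response(response.read())


# Constructed sample reply (not captured from NextDNS) so the parser can be
# exercised offline: example.com A 93.184.216.34, TTL 3600, RCODE 0.
SAMPLE_REPLY = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY))      # offline self-check
    print(doh_lookup("example.com"))         # live query against the endpoint
```

If the live lookup succeeds here but the router still reports problems, the fault is on the router side rather than with the endpoint. Keep in mind that the plain DNSv4/DNSv6 entries added as a fallback are unencrypted: if the DoH/DoT path fails, the router quietly drops back to plaintext DNS, so it is worth re-checking "All good!" after any change.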


Lenny_Fox

NextDNS is free, but I bought Adguard for desktop so must make it work harder.

Won't be using NextDNS anytime soon since its DoT is slower than Adguard DoT. Also, the YogaDNS (a front for NextDNS) doesn't support DoT
I had the same experience: the initial page load with NextDNS is much slower than when using my ISP's DNS (Ziggo, like Gandalf's).
 

HarborFront

Adguard/NextDNS DoT have issues with my VyprVPN. For the past two days it was OK. Now it seems I cannot open sites. I disabled DNS in Adguard for desktop and everything goes back to normal with VyprVPN. I think VyprVPN knows I'm using Adguard/NextDNS DoT and not their DNS servers.

I think even ExpressVPN and some other VPN providers would not allow the user to set their own DNS servers. I think I'll give Adguard VPN for Windows a try; after all, it should be compatible with their Adguard for desktop DNS servers.

Wow, after disabling DoT my laptop flies, even when using double-hop VPNs.

:love:
 

Gangelo

Adguard/NextDNS DoT have issues with my VyprVPN. For the past two days it was OK. Now it seems I cannot open sites. I disabled DNS in Adguard for desktop and everything goes back to normal with VyprVPN. I think VyprVPN knows I'm using Adguard/NextDNS DoT and not their DNS servers.

I think even ExpressVPN and some other VPN providers would not allow the user to set their own DNS servers. I think I'll give Adguard VPN for Windows a try; after all, it should be compatible with their Adguard for desktop DNS servers.

Wow, after disabling DoT my laptop flies, even when using double-hop VPNs.

:love:

Are you using VyprVPN continuously on your system or on demand (occasionally)?
I'm asking because if you are using your VPN on demand, there is a workaround for the DNS provider issue.
YogaDNS can have rules so that when your VyprVPN network adapter gets activated, it routes your traffic through your ISP's DNS (default).
When you do not use your VPN, it will direct traffic through the DNS of your choice automatically.

I had the same issue using my corporate VPN for work; I had to deactivate the DNS switch in Adguard for Windows to make it work.
YogaDNS gave me the solution.
 

HarborFront

Are you using VyprVPN continuously on your system or on demand (occasionally)?
I'm asking because if you are using your VPN on demand, there is a workaround for the DNS provider issue.
YogaDNS can have rules so that when your VyprVPN network adapter gets activated, it routes your traffic through your ISP's DNS (default).
When you do not use your VPN, it will direct traffic through the DNS of your choice automatically.

I had the same issue using my corporate VPN for work; I had to deactivate the DNS switch in Adguard for Windows to make it work.
YogaDNS gave me the solution.
I always use double VPNs when surfing the net

Router VPN => Laptop VPN (VyprVPN) => Internet

Now I have Adguard VPN (beta) I have another laptop VPN option
 

HarborFront

OK, I see. This is a different use case.
In any case, we were facing the same issue with routing DNS through Adguard for Windows. It can be problematic with VPNs in general.
IMO, if you use DNS then don't use a VPN and vice versa, unless the VPN has an option that allows you to do so. VyprVPN has this option to add custom regular DNS servers, but not for DoT/DoH DNS. I think regular DNS servers should be OK for VPN.

But in Adguard's case they have had their own DNS servers in their app for a long time. Not sure why its VPN won't work with its DoT DNS server; after all, both are from Adguard.
 

Tiamati

moving from the NextDNS default list + Unchecky filter list to the "OISD" filter list, for fewer false positives and a better maintained list
Never heard about OISD before. Why is this any better than the Adguard DNS filter? I read on their site that it is focused on avoiding false positives, but if I consider the number of rules in the blocklist, it seems that OISD could have a bigger chance of showing false positives than Adguard (569k rules from OISD vs 38k rules from Adguard).

enable "Allow Affiliate & Tracking Links"
Any reason for that?

add "Dating" to Parental Control
Hmmmm, it seems someone is trying to block his girlfriend's access to dating sites hahaa :sneaky::sneaky::sneaky:
 

SecurityNightmares

Never heard about OISD before. Why is this any better than the Adguard DNS filter? I read on their site that it is focused on avoiding false positives, but if I consider the number of rules in the blocklist, it seems that OISD could have a bigger chance of showing false positives than Adguard (569k rules from OISD vs 38k rules from Adguard).
This list uses a lot of sources: oisd | included lists, and includes a lot of domains: https://oisd.nl/excludes.php
so false positives are ~zero!

The AdGuard list sadly has some false positives, and they respond awfully slowly. Sadly the same goes for NextDNS (default list).

Any reason for that?
Less breakage and no disadvantage.

Hmmmm, it seems someone is trying to block his girlfriend access to dating sites hahaa :sneaky::sneaky::sneaky:
😄
My girlfriend doesn't use such sites, so I can block them, which increases security and privacy against abuse.
As a lot of these sites are suspicious, I decided to add it to my guide. Of course you can change that (y)

Why are you not using Native Tracking Protection?

Because that will cripple your systems.


Also, you might want to add those domains if you are not using Facebook services extensively. Didn't notice any downsides.

If you don't use Facebook, you can add the Facebook list in NextDNS, which blocks a lot more than these two domains. (I use this list.)
 

SecureKongo

Because that will cripple your systems.
In which way?

If you don't use Facebook, you can add the Facebook list in NextDNS, which blocks a lot more than these two domains. (I use this list.)
Thanks, didn't know that list existed until now. The thing is that this list will break any Facebook-related application, which isn't an option for everyone, as many people still use WhatsApp for example.
 

Tiamati

This list uses a lot of sources: oisd | included lists, and includes a lot of domains: https://oisd.nl/excludes.php
so false positives are ~zero!
Interesting list. I didn't notice their sources, but they do use a lot indeed.
Did you notice any delay in DNS answering after adding such an extensive list?

😄
My girlfriend doesn't use such sites, so I can block them, which increases security and privacy against abuse.
As a lot of these sites are suspicious, I decided to add it to my guide. Of course you can change that (y)
:D clever idea
 

SecurityNightmares

Did you notice any delay in DNS answering after adding such an extensive list?
All lists are "rendered" on the NextDNS side, so you will only get the advantage of faster websites, because less tracking, ads, etc. are loaded (y)

I looked for more info about "allow affiliate and tracking links" but I could not find any.
Did you find any?
Yes. See: nextdns/metadata

I have it disabled and couldn't see any breakages yet.
This might help you: affiliate-tracking-domains · Issue #450 · nextdns/metadata
User crssi enabled this feature later: Allow Affiliate & Tracking Links · Issue #2 · crssi/NextDNS-Config
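To illustrate the point about list size (the lookups happen on the NextDNS side, and a larger list does not make each query slower), here is an added example, not code from the original posts or from NextDNS or OISD, of how a resolver applies a domain denylist and allowlist: the list lives in a hash set and each query costs one membership test per label, whatever the list size. The list entries are constructed samples. The precedence rule (an allowlist entry unblocks that domain and everything under it, overriding the denylist) follows how NextDNS describes its Allowlist and is stated here as an assumption.

```python
"""Domain denylist/allowlist evaluation as a resolver does it.

Added example, not code from NextDNS or OISD. Shows why a list with 569k
entries costs no more per query than one with 38k: the resolver keeps the
list as a hash set and tests each suffix of the queried name, so work is
bounded by the number of labels, not the list size. The list contents are
constructed samples. Precedence (allowlist beats denylist, for the exact
domain and everything under it) follows how NextDNS describes its
Allowlist; treat that as an assumption when mapping it onto other resolvers.
"""

# Constructed sample lists in the one-domain-per-line format that OISD's
# "domains" variant and NextDNS's Denylist/Allowlist both accept.
SAMPLE_DENYLIST = """
# ads and trackers (constructed, not real list entries)
ads.example
tracker.cdn.example
facebook.com
"""

SAMPLE_ALLOWLIST = """
cdn.example   # unblock the CDN even though a subdomain is in the denylist
"""


def load_domain_list(text):
    """Parse a plain domain list: one name per line, '#' starts a comment."""
    domains = set()
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if name:
            domains.add(name)
    return frozenset(domains)


def suffixes(name):
    """Yield the name and every parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = name.strip().lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(name, denylist, allowlist):
    """Return ('allow', matched_entry) or ('block', matched_entry).

    Allowlist first, so an allow entry overrides a deny entry anywhere in
    its subtree; each membership test is O(1), so total cost is O(labels).
    """
    for suffix in suffixes(name):
        if suffix in allowlist:
            return "allow", suffix
    for suffix in suffixes(name):
        if suffix in denylist:
            return "block", suffix
    return "allow", None


DENYLIST = load_domain_list(SAMPLE_DENYLIST)
ALLOWLIST = load_domain_list(SAMPLE_ALLOWLIST)

if __name__ == "__main__":
    for qname in ("www.ads.example", "tracker.cdn.example",
                  "graph.facebook.com.", "example.org"):
        print(qname, "->", decide(qname, DENYLIST, ALLOWLIST))
```

The same structure explains the false-positive discussion: what matters is which entries are in the set and how the excludes are curated, not how many entries there are, since every lookup walks the same handful of suffixes regardless.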
 

McMcbrad

I have been experimenting with NextDNS and it is quite easy to deploy. You just need to go through a day or 2 of breakages so you can whitelist some websites, after that you don't need to do anything.
I will keep testing it for a week and will enable it on a router level, plus on my phone. I am maintaining 2 configurations I can setup on any device, one of them is default-deny, the other one is light security.

I will also remove Trend Micro from my phone, I was keeping it just for the web blocking.
 